Using the Spotlight Vulnerabilities service collection
This service collection has code examples posted to the repository.
Table of Contents
| Operation ID | Description | ||||
|---|---|---|---|---|---|
| Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria. | ||||
| Get details on remediation by providing one or more IDs. | ||||
| Get details on vulnerabilities by providing one or more IDs. | ||||
| Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria. | ||||
Passing credentials
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
combinedQueryVulnerabilities
Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.
PEP8 method name
query_vulnerabilities_combined
Endpoint
| Method | Route |
|---|---|
 | /spotlight/combined/vulnerabilities/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| after |  | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| facet | | | query | string | Select various detail blocks to be returned for each vulnerability. Supported values:
|
| filter | | | query | string | FQL Syntax formatted filter that should be used to limit the results. Wildcards * are unsupported.You must provide a filter, either via this keyword or as part of a parameters payload in order to use this method. Review the available filters table below for more detail. |
| limit | | | query | integer | Maximum number of results to return. (Max: 5000, Default: 100) |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | FQL Syntax formatted sort filter. Common sort options include:
|
Available filters
| Name | Description |
|---|---|
| aid | Unique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. For more info, see Asset Management APIs. Get vulnerabilities for a specific AID: filter="aid:'abcde6b9a3427d8c4a1af416424d6231'" |
| apps.remediation.ids | Unique identifier of a remediation. This filter supports multiple values and negation. Get the vulnerability ID for a specific remediation ID: filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'"Get vulnerabilities for multiple remediation IDs: filter="apps.remediation.ids:['ID1','ID2','ID3']" |
| cid | Unique system-generated customer identifier (CID) of the account. In multi-CID environments:
filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'" |
| closed_timestamp | Date and time a vulnerability was set to a status of CLOSED Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC: filter="closed_timestamp:>'2021-06-25T10:32'"Get vulnerabilities that were marked as closed before October 18, 2021: filter="closed_timestamp:<'2021-10-18'" |
| confidence | Whether or not the vulnerability has been confirmed:confirmedpotentialGet vulnerabilities with a potential confidence level: filter="confidence:<'potential'" |
| created_timestamp | Date and time when this vulnerability was found in your environment. Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on. Get vulnerabilities created before September 30, 2021 at 13:22 UTC: filter="created_timestamp:<'2021-09-25T13:22'"Get vulnerabilities created after February 12, 2021: filter="created_timestamp:>'2021-02-12'" |
| cve.cwes | Unique identifier for a vulnerability from the Common Weakness Enumeration (CWE) listfilter="cve.cwes:>['CWE-787','CWE-699']" |
| cve.exploit_status | Numeric value of the most severe known exploit. This filter supports multiple values and negation. Possible values:
filter="cve.exploit_status:'60'"Get vulnerabilities with an exploit status of 30, 60, or 90: filter="cve.exploit_status:!'0'"or filter="cve.exploit_status:['30','60','90']" |
| cve.exprt_rating | ExPRT rating assigned by CrowdStrike's predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation. Possible values:
filter="cve.exprt_rating:'HIGH'"Get vulnerabilities with an ExPRT rating of high or critical: filter="cve.exprt_rating:['HIGH','CRITICAL']"Get vulnerabilities with any ExPRT rating other than unknown: filter="cve.exprt_rating:!'UNKNOWN'" |
| cve.id | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities with a specific single CVE ID: filter="cve.id:['CVE-2022-1234']"Get vulnerabilities for multiple CVE IDs: filter="cve.id:['CVE-2022-1234','CVE-2023-1234']"Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']" |
| cve.is_cisa_kev | Filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or falseThis filter supports negation. Get vulnerabilities that are in the CISA KEV catalog: filter="cve.is_cisa_kev:true" |
| cve.remediation_level | CVSS remediation level of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with an official fix: filter="cve.remediation_level:'O'"Get vulnerabilities no available fix: filter="cve.remediation_level:'U'" |
| cve.severity | CVSS severity rating of the vulnerability. The value must be entered in all caps. This filter supports multiple values and negation. Possible values:
filter="cve.severity:'LOW'"Get vulnerabilities with any CVE severity but UNKNOWN: filter="cve.severity:!'UNKNOWN'"Get vulnerabilities with a CVE severity of LOW and MEDIUM: filter="cve.severity:['LOW','MEDIUM']" |
| cve.types | Vulnerability type:
filter="cve.types:!'Misconfiguration'" |
| data_providers.ports | Ports on the host where the vulnerability was found by the third-party provider Get vulnerabilities found on port 53: filter="data_providers.ports:'53'"Get vulnerabilities found on any port: filter="data_providers.ports:!'0'" |
| data_providers.provider | Name of the data provider Get vulnerabilities for a specific third-party provider: filter="data_providers.provider:'{provider name}'" |
| data_providers.rating | Possible values:
CRITICAL:filter="data_providers.rating:'CRITICAL'" |
| data_providers.scan_time | UTC date and time when the vulnerability was most recently identified by the third-party provider Get vulnerabilities scanned by a third-party provider after August 3, 2023: filter="data_providers.scan_time:>'023-08-03'" |
| data_providers.scanner_id | ID of the third-party scanner that identified the vulnerability Get vulnerabilities found by a specific scanner: filter="data_providers.scanner_id:'{scanner id}'" |
| host_info.asset_criticality | Assigned criticality level of the asset Possible values:
filter="host_info.asset_criticality:['Critical','High']"Get vulnerabilities on hosts without an assigned asset criticality level: filter="host_info.asset_criticality:!'Unassigned'" |
| host_info.groups | Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs. For more info, see Host and Host Group Management APIs. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts in a specific host group ID: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']"Get vulnerabilities on hosts in all host groups except a specific host group ID: filter="host_info.groups:!['03f0b54af2692e99c4cec945818fbef7']"Get vulnerabilities on hosts in multiple host group IDs: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7','1676624bb307f5054406a3c343d40212']" |
| host_info.has_run_container | Whether or not the host is running Kubernetes containers: true or falseGet vulnerabilities on hosts running Kubernetes containers: filter="host_info.has_run_container:'true'" |
| host_info.internet_exposure | Whether or not the asset is internet-facing:
filter="host_info.internet_exposure:'Yes'" |
| host_info.managed_by | Indicates if the asset has the Falcon sensor installed:
Get vulnerabilities on assets without a Falcon sensor installed: filter="host_info.managed_by:'Unmanaged'" |
| host_info.platform_name | Operating system platform. This filter supports negation. Possible values:
filter="host_info.platform_name:'Windows'"Get Windows OS and macOS vulnerabilities: filter="host_info.platform_name:!'Linux'" |
| host_info.product_type_desc | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Type of host a sensor is running on. This filter supports multiple values and negation. Enter values as shown with the first letter capitalized. Possible values:
filter="host_info.product_type_desc:'Workstation'"Get vulnerabilities on server and domain controller hosts: filter="host_info.product_type_desc:!'Workstation'"or filter="host_info.product_type_desc:['Domain Controller','Server']" |
| host_info.tags | Name of a tag assigned to a host. Retrieve tags from Host Tags APIs. For more info, see Host and Host Group Management APIs. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts tagged with “ephemeral”: filter="host_info.tags:['ephemeral']"Get vulnerabilities on hosts with any tag but “search” or “ephemeral”: filter="host_info.tags:!['search','ephemeral']"Get vulnerabilities on hosts tagged with “workstation” or “main”: filter="host_info.tags:['workstation','main']" |
| host_info.third_party_asset_ids | Asset IDs assigned to the host by third-party providers in the format: {data_provider}: {data_provider_asset_id} This filter supports multiple values and negation. Get vulnerabilities for a specific third-party asset: filter="host_info.third_party_asset_ids:'{data_provider}: {data_provider_asset_id}'" |
| last_seen_within | Filter for vulnerabilities based on the number of days since a host last connected to Falcon. Enter a numeric value from 3 to 45 to indicate the number of days you want to look back. All active hosts seen up to the specified number of days are returned with a host_last_seen_timestamp response field populated as follows: A UTC timestamp of the most recent connection displays for hosts that were last seen online more than 3 days ago Null for hosts that have been online in the last 3 days Possible values: Integer, from 3–45 Note: Values less than 3 and greater than 45 are not supported and will result in an error. Get vulnerabilities for hosts that last connected to Falcon within the last 10 days: filter="last_seen_within:'10'"The host_last_seen_timestamp in the response shows:
|
| services.port | Port on the host where a vulnerability was found by Falcon EASM or a third-party providerfilter="services.port:'443'" |
| services.protocol | Network protocols recognized by Falcon EASMfilter="services.protocol:'pop3'" |
| services.transport | Transport methods recognized by Falcon EASMfilter="services.transport:'tcp'" |
| status | Status of a vulnerability. The value must be entered in all lowercase letters. This filter supports multiple values and negation. Possible values:
Get vulnerabilities with a status of open: filter="status:'open'"Get vulnerabilities with any status except closed: filter="status:!'closed'"Get vulnerabilities with a status of open or reopen: filter="status:['open','reopen']"or filter="status:!['closed','expired']" |
| suppression_info.is_suppressed | Indicates if the vulnerability is suppressed by a suppression rule or not Get suppressed vulnerabilities: filter="suppression_info.is_suppressed:true" |
| suppression_info.reason | Attribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE.This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get suppressed vulnerabilities where the reason for the rule is “accept risk”: filter="suppression_info.reason:['ACCEPT_RISK']"Get suppressed vulnerabilities where the reason for the rule is anything except “false positive”: filter="suppression_info.reason:!['FALSE_POSITIVE']"Get suppressed vulnerabilities where the reason for the rule is “compensating control” or “false positive”: filter="suppression_info.reason:['COMPENSATING_CONTROL','FALSE_POSITIVE']" |
| updated_timestamp | UTC date and time of the last update made on a vulnerability Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC: filter="updated_timestamp:<'2021-10-20T22:36'"Get vulnerabilities that were last updated after September 15, 2021: filter="updated_timestamp:>'2021-09-15'" |
| vulnerability_id | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability For more info, see Asset Management APIs. This filter supports multiple values and negation. Get vulnerabilities with a specific single CVE ID: filter="vulnerability_id:['CVE-2022-1234']"Get vulnerabilities for multiple CVE IDs: filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']"Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']" |
Usage
You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.
Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_vulnerabilities_combined(filter="string",
facet="string",
limit=integer,
sort="string",
after="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.combinedQueryVulnerabilities(filter="string",
facet="string",
limit=integer,
sort="string",
after="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("combinedQueryVulnerabilities",
filter="string",
facet="string",
limit=integer,
sort="string",
after="string"
)
print(response)
getRemediationsV2
Get details on remediation by providing one or more IDs
PEP8 method name
get_remediations_v2
Endpoint
| Method | Route |
|---|---|
| /spotlight/entities/remediations/v2 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more remediation IDs. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_remediations_v2(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getRemediationsV2(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getRemediationsV2", ids=id_list)
print(response)
getVulnerabilities
Get details on vulnerabilities by providing one or more IDs
PEP8 method name
get_vulnerabilities
Endpoint
| Method | Route |
|---|---|
| /spotlight/entities/vulnerabilities/v2 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more vulnerability IDs (max: 400). Find vulnerability IDs with queryVulnerabilities. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vulnerabilities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getVulnerabilities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getVulnerabilities", ids=id_list)
print(response)
queryVulnerabilities
Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria
PEP8 method name
query_vulnerabilities
Endpoint
| Method | Route |
|---|---|
| /spotlight/queries/vulnerabilities/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| limit | | | query | integer | The number of items to return in this response (default: 100, max: 400). Use with the after parameter to manage pagination of results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort vulnerabilities by their properties. Common sort options include:
|
| filter | | | query | string | Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. Common filter options include:
parameters payload in order to use this method. Review the available filters table below for more detail. |
Available filters
| Name | Description |
|---|---|
| aid | Unique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. For more info, see Asset Management APIs. Get vulnerabilities for a specific AID: filter="aid:'abcde6b9a3427d8c4a1af416424d6231'" |
| apps.remediation.ids | Unique identifier of a remediation. This filter supports multiple values and negation. Get the vulnerability ID for a specific remediation ID: filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'"Get vulnerabilities for multiple remediation IDs: filter="apps.remediation.ids:['ID1','ID2','ID3']" |
| cid | Unique system-generated customer identifier (CID) of the account. In multi-CID environments:
filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'" |
| closed_timestamp | Date and time a vulnerability was set to a status of CLOSED Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC: filter="closed_timestamp:>'2021-06-25T10:32'"Get vulnerabilities that were marked as closed before October 18, 2021: filter="closed_timestamp:<'2021-10-18'" |
| confidence | Whether or not the vulnerability has been confirmed:confirmedpotentialGet vulnerabilities with a potential confidence level: filter="confidence:<'potential'" |
| created_timestamp | Date and time when this vulnerability was found in your environment. Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on. Get vulnerabilities created before September 30, 2021 at 13:22 UTC: filter="created_timestamp:<'2021-09-25T13:22'"Get vulnerabilities created after February 12, 2021: filter="created_timestamp:>'2021-02-12'" |
| cve.cwes | Unique identifier for a vulnerability from the Common Weakness Enumeration (CWE) listfilter="cve.cwes:>['CWE-787','CWE-699']" |
| cve.exploit_status | Numeric value of the most severe known exploit. This filter supports multiple values and negation. Possible values:
filter="cve.exploit_status:'60'"Get vulnerabilities with an exploit status of 30, 60, or 90: filter="cve.exploit_status:!'0'"or filter="cve.exploit_status:['30','60','90']" |
| cve.exprt_rating | ExPRT rating assigned by CrowdStrike's predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation. Possible values:
filter="cve.exprt_rating:'HIGH'"Get vulnerabilities with an ExPRT rating of high or critical: filter="cve.exprt_rating:['HIGH','CRITICAL']"Get vulnerabilities with any ExPRT rating other than unknown: filter="cve.exprt_rating:!'UNKNOWN'" |
| cve.id | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities with a specific single CVE ID: filter="cve.id:['CVE-2022-1234']"Get vulnerabilities for multiple CVE IDs: filter="cve.id:['CVE-2022-1234','CVE-2023-1234']"Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']" |
| cve.is_cisa_kev | Filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or falseThis filter supports negation. Get vulnerabilities that are in the CISA KEV catalog: filter="cve.is_cisa_kev:true" |
| cve.remediation_level | CVSS remediation level of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with an official fix: filter="cve.remediation_level:'O'"Get vulnerabilities no available fix: filter="cve.remediation_level:'U'" |
| cve.severity | CVSS severity rating of the vulnerability. The value must be entered in all caps. This filter supports multiple values and negation. Possible values:
filter="cve.severity:'LOW'"Get vulnerabilities with any CVE severity but UNKNOWN: filter="cve.severity:!'UNKNOWN'"Get vulnerabilities with a CVE severity of LOW and MEDIUM: filter="cve.severity:['LOW','MEDIUM']" |
| cve.types | Vulnerability type:
filter="cve.types:!'Misconfiguration'" |
| data_providers.ports | Ports on the host where the vulnerability was found by the third-party provider Get vulnerabilities found on port 53: filter="data_providers.ports:'53'"Get vulnerabilities found on any port: filter="data_providers.ports:!'0'" |
| data_providers.provider | Name of the data provider Get vulnerabilities for a specific third-party provider: filter="data_providers.provider:'{provider name}'" |
| data_providers.rating | Possible values:
CRITICAL:filter="data_providers.rating:'CRITICAL'" |
| data_providers.scan_time | UTC date and time when the vulnerability was most recently identified by the third-party provider Get vulnerabilities scanned by a third-party provider after August 3, 2023: filter="data_providers.scan_time:>'023-08-03'" |
| data_providers.scanner_id | ID of the third-party scanner that identified the vulnerability Get vulnerabilities found by a specific scanner: filter="data_providers.scanner_id:'{scanner id}'" |
| host_info.asset_criticality | Assigned criticality level of the asset Possible values:
filter="host_info.asset_criticality:['Critical','High']"Get vulnerabilities on hosts without an assigned asset criticality level: filter="host_info.asset_criticality:!'Unassigned'" |
| host_info.groups | Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs. For more info, see Host and Host Group Management APIs. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts in a specific host group ID: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']"Get vulnerabilities on hosts in all host groups except a specific host group ID: filter="host_info.groups:!['03f0b54af2692e99c4cec945818fbef7']"Get vulnerabilities on hosts in multiple host group IDs: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7','1676624bb307f5054406a3c343d40212']" |
| host_info.has_run_container | Whether or not the host is running Kubernetes containers: true or falseGet vulnerabilities on hosts running Kubernetes containers: filter="host_info.has_run_container:'true'" |
| host_info.internet_exposure | Whether or not the asset is internet-facing:
filter="host_info.internet_exposure:'Yes'" |
| host_info.managed_by | Indicates if the asset has the Falcon sensor installed:
Get vulnerabilities on assets without a Falcon sensor installed: filter="host_info.managed_by:'Unmanaged'" |
| host_info.platform_name | Operating system platform. This filter supports negation. Possible values:
filter="host_info.platform_name:'Windows'"Get Windows OS and macOS vulnerabilities: filter="host_info.platform_name:!'Linux'" |
| host_info.product_type_desc | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Type of host a sensor is running on. This filter supports multiple values and negation. Enter values as shown with the first letter capitalized. Possible values:
filter="host_info.product_type_desc:'Workstation'"Get vulnerabilities on server and domain controller hosts: filter="host_info.product_type_desc:!'Workstation'"or filter="host_info.product_type_desc:['Domain Controller','Server']" |
| host_info.tags | Name of a tag assigned to a host. Retrieve tags from Host Tags APIs. For more info, see Host and Host Group Management APIs. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts tagged with “ephemeral”: filter="host_info.tags:['ephemeral']"Get vulnerabilities on hosts with any tag but “search” or “ephemeral”: filter="host_info.tags:!['search','ephemeral']"Get vulnerabilities on hosts tagged with “workstation” or “main”: filter="host_info.tags:['workstation','main']" |
| host_info.third_party_asset_ids | Asset IDs assigned to the host by third-party providers in the format: {data_provider}: {data_provider_asset_id} This filter supports multiple values and negation. Get vulnerabilities for a specific third-party asset: filter="host_info.third_party_asset_ids:'{data_provider}: {data_provider_asset_id}'" |
| last_seen_within | Filter for vulnerabilities based on the number of days since a host last connected to Falcon. Enter a numeric value from 3 to 45 to indicate the number of days you want to look back. All active hosts seen up to the specified number of days are returned with a host_last_seen_timestamp response field populated as follows: A UTC timestamp of the most recent connection displays for hosts that were last seen online more than 3 days ago Null for hosts that have been online in the last 3 days Possible values: Integer, from 3–45 Note: Values less than 3 and greater than 45 are not supported and will result in an error. Get vulnerabilities for hosts that last connected to Falcon within the last 10 days: filter="last_seen_within:'10'"The host_last_seen_timestamp in the response shows:
|
| services.port | Port on the host where a vulnerability was found by Falcon EASM or a third-party providerfilter="services.port:'443'" |
| services.protocol | Network protocols recognized by Falcon EASMfilter="services.protocol:'pop3'" |
| services.transport | Transport methods recognized by Falcon EASMfilter="services.transport:'tcp'" |
| status | Status of a vulnerability. The value must be entered in all lowercase letters. This filter supports multiple values and negation. Possible values:
Get vulnerabilities with a status of open: filter="status:'open'"Get vulnerabilities with any status except closed: filter="status:!'closed'"Get vulnerabilities with a status of open or reopen: filter="status:['open','reopen']"or filter="status:!['closed','expired']" |
| suppression_info.is_suppressed | Indicates if the vulnerability is suppressed by a suppression rule or not Get suppressed vulnerabilities: filter="suppression_info.is_suppressed:true" |
| suppression_info.reason | Attribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE.This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get suppressed vulnerabilities where the reason for the rule is “accept risk”: filter="suppression_info.reason:['ACCEPT_RISK']"Get suppressed vulnerabilities where the reason for the rule is anything except “false positive”: filter="suppression_info.reason:!['FALSE_POSITIVE']"Get suppressed vulnerabilities where the reason for the rule is “compensating control” or “false positive”: filter="suppression_info.reason:['COMPENSATING_CONTROL','FALSE_POSITIVE']" |
| updated_timestamp | UTC date and time of the last update made on a vulnerability Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC: filter="updated_timestamp:<'2021-10-20T22:36'"Get vulnerabilities that were last updated after September 15, 2021: filter="updated_timestamp:>'2021-09-15'" |
| vulnerability_id | Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability For more info, see Asset Management APIs. This filter supports multiple values and negation. Get vulnerabilities with a specific single CVE ID: filter="vulnerability_id:['CVE-2022-1234']"Get vulnerabilities for multiple CVE IDs: filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']"Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']" |
Usage
You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.
Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_vulnerabilities(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities
# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryVulnerabilities(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryVulnerabilities",
after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)