-
Notifications
You must be signed in to change notification settings - Fork 81
Get FalconVulnerability
bk-cs edited this page Jun 4, 2025
·
29 revisions
Search for Falcon Spotlight vulnerabilities
Requires 'Vulnerabilities: Read'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Id | String[] | Vulnerability identifier | X | X | |||
| Filter | String |
Falcon Query Language expression to limit resultsaidapps_remediationclosed_timestampcreated_timestampcve.exploit_statuscve.exprt_ratingcve.idcve.is_cisa_kevcve.remediation_levelcve.severityhost_info.groupshost_info.platform_namehost_info.product_type_deschost_info.tagslast_seen_withinstatussuppression_info.is_suppressedsuppression_info.reasonupdated_timestamp
|
|||||
| Facet | String[] | Include additional properties |
cveevaluation_logichost_inforemediation
|
||||
| Sort | String | Property and direction to sort results |
created_timestamp.asccreated_timestamp.descclosed_timestamp.ascclosed_timestamp.descupdated_timestamp.ascupdated_timestamp.desc
|
||||
| Limit | Int32 | Maximum number of results per request | 1 |
5000 |
|||
| After | String | Pagination token to retrieve the next set of results | |||||
| Detailed | Switch | Retrieve detailed information | |||||
| All | Switch | Repeat requests until all available results are retrieved | |||||
| Total | Switch | Display total result count instead of results |
Get-FalconVulnerability [-Filter] <String> [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]Get-FalconVulnerability -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]Get-FalconVulnerability [-Filter] <String> [[-Facet] <String[]>] [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]GET /spotlight/combined/vulnerabilities/v1
GET /spotlight/entities/vulnerabilities/v2
GET /spotlight/queries/vulnerabilities/v1
queryVulnerabilities
getVulnerabilities
combinedQueryVulnerabilities
NOTE: The Spotlight API requires the use of a filter when requesting results.
Get-FalconVulnerability -Filter "created_timestamp:>'2019-11-25T22:36:12Z'" [-Detailed] [-All]Get-FalconVulnerability -Id <id>, <id>Get-FalconVulnerability -Filter "data_providers.provider:'Falcon network scan'" -Detailed -AllThe resulting CSV will resemble an export from the Falcon console of vulnerabilities that are not closed, not
suppressed, and were created within the last 7 days. Note that the columns Closed Date, Closed Dwell Time,
CVSS Version, Closed Product Versions, AdditionalRemediationAdvisoryUrl and AdditionalRemediationSteps are
not included. Columns can be modified by changing the properties defined within the [PSCustomObject].
$CsvName = (Join-Path (Get-Location).Path ('vulnerabilities',(Get-Date -Format yyyy-MM-ddTHH_mm_ss) -join '_')),
'csv' -join '.'
$Param = @{
Filter = "status:!'closed'+(created_timestamp:>'now-7d'+created_timestamp:<'now')+suppression_info.is_suppressed:false"
Facet = 'cve','evaluation_logic','host_info','remediation'
Detailed = $true
All = $true
}
$Total = Get-FalconVulnerability -Filter $Param.Filter -Total
Get-FalconVulnerability @Param | ForEach-Object {
$i++
Write-Host "Exported $i of $Total"
[PSCustomObject]@{
Hostname = $_.host_info.hostname
LocalIP = $_.host_info.local_ip
HostType = $_.host_info.product_type_desc
OSVersion = $_.host_info.os_version
MachineDomain = $_.host_info.machine_domain
OU = $_.host_info.ou
SiteName = $_.host_info.site_name
Product = $_.apps.product_name_version
'CVE ID' = $_.cve.id
'CVE Description' = $_.cve.description
Status = $_.status
Severity = $_.cve.severity
'Created Date' = $_.created_timestamp
'Base Score' = $_.cve.base_score
Vector = $_.cve.vector
'Vendor Advisory' = $_.cve.vendor_advisory
References = $_.cve.references -join ', '
'Recommended Remediations' = $_.remediation.entities.title
'Remediation Details' = $_.remediation.entities.action
'Remediation Links' = $_.remediation.entities.link
'Group Names' = ($_.host_info.groups.name | Sort-Object) -join ', '
Tags = ($_.host_info.tags | Sort-Object) -join ', '
'Host ID' = $_.aid
'Exploit status value' = $_.cve.exploit_status
'Exploit status label' = switch ($_.cve.exploit_status) {
0 { 'Unproven' }
30 { 'Available (medium)' }
60 { 'Easily Accessible (high)' }
90 { 'Actively used (critical)' }
}
'Platform' = $_.host_info.platform
'Vulnerable Product Versions' = $_.apps.product_name_version
RemediationLevel = $_.cve.remediation_level
'ExPRT Rating' = $_.cve.exprt_rating
'is Suppressed' = $_.suppression_info.is_suppressed
'Is CISA KEV' = $_.cve.cisa_info.is_cisa_kev
'CISA KEV Due Date' = $_.cve.cisa_info.due_date
'CVE Published Date' = $_.cve.published_date
'Spotlight Published Date' = $_.cve.spotlight_published_date
'Host Last Seen Within' = $_.host_info.host_last_seen_timestamp
'Cloud Service Instance ID' = $_.host_info.instance_id
'OS Build' = $_.host_info.os_build
} | Export-Csv $CsvName -NoTypeInformation -Append
}2024-09-03: PSFalcon v2.2.7

- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust