Falcon Exposure Management - CVEs
The CrowdStrike Falcon Exposure Management CVE integration downloads data about all hosts with CVEs that match the provided criteria. If no CVE "status" or "severity" is specified, all CVEs whose status is NOT "closed" are downloaded.
Exposure Management relies on endpoint agents and currently does not schedule "network scans" to identify vulnerabilities. As a result, frequently downloading data from Falcon Exposure Management can provide near real-time updates. If 'interval_hours' is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Configuration settings.
Once downloaded, the data will be used to create an Input Framework file that can be used by a Zeek script to generate new logs, or enrich existing logs, such as the suricata_corelight.log and notice.log.
The input file will be published with all the input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file will automatically get pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.
Settings
crowdstrike_exposure_mgmt_cve:
  enabled: false
  interval_hours: 0
  filename: cve_data.tsv
  request_limit: 5000 # max 5000
  status: open,reopen # comma separated, one or more of: open, reopen, closed, expired
  severity: critical # comma separated, one or more of: critical, high, medium, low, unknown, none
Input file
The input file contains the following information (if it’s available):
IP address (required)
Hostname
Host Unique ID
Machine domain
OS version
Endpoint information source (required)
Customer ID
CVE list
The following is a sample input file created by this integration, using tab-separated values.
#fields ip hostname host_uid machine_domain os_version source cid cve_list
10.21.0.102 DC fb5946b0422e4da49e4575995fb89060 windomain.local Windows Server 2016 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
192.168.1.120 fleet 04a15f26ace249f68c583fd7be70f9db - Ubuntu 20.04 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.155 ss2oh 62c850ec617843f8959f1442843bb816 - Ubuntu 20.04 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.12.212 skynet fae3f73ce1404e0aae1626dbddfc3fe8 - Ubuntu 22.04 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.102 DC 34a6b864b61146d6ad051a9d63a5585f windomain.local Windows Server 2016 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103 WEF c6f3d2351739482baf36cc6e4af65163 windomain.local Windows Server 2016 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103 WEF 0bb70f50a9a3470dbc3e09bd6eb18fc4 windomain.local Windows Server 2016 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.104 WIN10 a71be784db1a40e5b0fd7e6b73f6c7b7 windomain.local Windows 10 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2021-36965,CVE-2021-43217,CVE-2022-22012,CVE-2020-9633,CVE-2021-24077
192.168.56.104 WIN10 23fac76b0e5246f8b8ba22d1bbd6bc04 windomain.local Windows 10 CrowdStrike e29b670f12d342e3bcc7170a288a0xxx CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391
Attention
The CrowdStrike Exposure Management integrations only create Input Framework files to be loaded on sensors. Additional Zeek scripts must be loaded on the sensors to use this data. If you enable these integrations, Corelight-update uploads the input files to the sensor, but if the desired script isn't available on the sensor, the input data won't be used.
See Zeek package management for information about using Corelight-update to manage Zeek package bundles.
See Zeek-CVE-Enrichment for an example of a Zeek package that can use this data.
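The Attention note above says a Zeek script has to consume the file; the following is an added example of such a script (not the Zeek-CVE-Enrichment package or any Corelight code) that loads cve_data.tsv with the Input Framework and writes each notice's source-host CVEs into notice.log. The path in cve_file is an assumption; set it to wherever the input file is published on the sensor.

```zeek
module CVEHosts;

export {
	## Where the integration's input file lands on the sensor (assumed path).
	const cve_file = "/path/to/cve_data.tsv" &redef;
	## One row of the file; names must match the #fields header. Fields the
	## sample shows as "-" are unset in the Input Framework, hence &optional.
	type Row: record {
		ip: addr;
		hostname: string &optional;
		host_uid: string &optional;
		machine_domain: string &optional;
		os_version: string &optional;
		source: string;
		cid: string &optional;
		cve_list: set[string] &optional;  # comma-separated in the file
	};

	## CVEs merged per IP: the sample lists one IP under two host_uid values,
	## so a table keyed by ip alone would silently keep only one row.
	global cves_by_ip: table[addr] of set[string] = table();
}

redef record Notice::Info += {
	## Known CVEs for the notice's source host, logged to notice.log.
	host_cves: set[string] &optional &log;
};

event CVEHosts::row(desc: Input::EventDescription, tpe: Input::Event, r: Row)
	{
	if ( tpe == Input::EVENT_REMOVED || ! r?$cve_list )
		return;
	if ( r$ip !in cves_by_ip )
		cves_by_ip[r$ip] = set();
	for ( c in r$cve_list )
		add cves_by_ip[r$ip][c];
	}

event zeek_init()
	{
	# REREAD re-parses the file each time Corelight-update pushes a new copy.
	Input::add_event([$source=cve_file, $name="cve_hosts", $fields=Row,
	                  $ev=CVEHosts::row, $mode=Input::REREAD]);
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( n?$src && n$src in cves_by_ip )
		n$host_cves = cves_by_ip[n$src];
	}
```

Rows removed from a re-read file are not pruned from cves_by_ip; restart Zeek or clear the table if a host should drop out of the enrichment.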