Falcon Exposure Management - Hosts
The CrowdStrike Falcon Exposure Management Hosts integration downloads data about all entities whose entity_type matches the provided criteria. If no entity_type is specified, all known entities that have a current IP address are listed.
CrowdStrike Falcon Exposure Management relies on endpoint agents and does not run scheduled network scans to identify network entities. As a result, downloading data from Falcon Exposure Management frequently can provide near-realtime updates. If interval_hours is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Configuration settings.
Once downloaded, the data is used to create an Input Framework file that a Zeek script can use to generate new logs or to enrich existing logs, such as known_hosts.log.
The input file is published together with any input files from other integrations (if there are any). If "input" is enabled in the "push_content" settings, the file is automatically pushed to the Fleet Manager policy and/or to all sensors in the policy. See Push content settings for more details.
Settings
crowdstrike_exposure_mgmt_hosts:
  enabled: false
  interval_hours: 0
  entity_type: ""  # managed, unmanaged, or unsupported
  filename: hosts_data.tsv
Input file
The input file contains the following information (where it is available):
IP address (required)
MAC address
Hostname
Host Unique ID
OS version
Endpoint status
Machine domain
Additional description
Customer ID
Endpoint information source (required)
The following is a sample input file created by this integration, using tab-separated values (a "-" marks a field with no value):
#fields	ip	mac	hostname	host_uid	os_version	status	machine_domain	cid	desc	source
192.168.56.103	00-50-56-A3-B1-C2	WEF	ced83f0c26493b638086fdc7b8b2c01d	-	managed	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
10.21.0.102	00-50-56-A1-B1-C4	DC	c53fdc3178ba36759c471d6b6655e324	-	managed	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.56.104	00-50-56-A2-B1-C2	WIN10	abb6c27309cf3730bb73e8cfd732d838	Windows 10	managed	lab.local	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.1.155	92-91-E0-3E-66-A8	ss2oh	9caa11e26d1f371797e73e9b9199d481	-	managed	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.1.120	00-0C-29-AB-75-05	fleet	81f845fe72ae32168aba94707fc8a49f	-	managed	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.12.1	-	-	613cd0e8a671350e83dec735143db1e0	-	unsupported	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.12.210	-	-	5f67453d7e833b0f82ac1d7a5788142a	-	unmanaged	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.12.222	-	-	5abcec34b3443f3cb7fe17c4f7100e02	-	unmanaged	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
192.168.12.212	00-50-56-A1-1F-07	skynet	439293445449716808dec735143db1e9	Ubuntu 22.04	managed	-	e29b670f12d342e3bcc7170a288a0xxx	Exposure Management	CrowdStrike
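As an added example (not code from Corelight-update or the integration), the following Python checker parses a file in the layout shown above before it is pushed to sensors: it reads the #fields header, treats "-" as unset, rejects rows that lack the required ip or source fields or carry an unparsable address, and summarises hosts by endpoint status. The sample rows, the CID placeholder and the deliberately malformed last row are constructed for the example.

```python
# Added example (not Corelight-update or integration code). Assumes the layout
# shown above: a '#fields' header, tab-separated columns, '-' for unset fields.
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

REQUIRED = ("ip", "source")  # the two fields the page marks as required
# Constructed sample rows, tab-joined below; the last row is deliberately bad.
_ROWS = [
    ["#fields", "ip", "mac", "hostname", "host_uid", "os_version", "status",
     "machine_domain", "cid", "desc", "source"],
    ["192.168.56.104", "00-50-56-A2-B1-C2", "WIN10", "abb6c27309cf3730bb73e8cfd732d838",
     "Windows 10", "managed", "lab.local", "CID-PLACEHOLDER", "Exposure Management", "CrowdStrike"],
    ["192.168.12.210", "-", "-", "5f67453d7e833b0f82ac1d7a5788142a",
     "-", "unmanaged", "-", "CID-PLACEHOLDER", "Exposure Management", "CrowdStrike"],
    ["not-an-ip", "-", "-", "0000", "-", "managed", "-", "-", "-", "CrowdStrike"],
]
SAMPLE = "\n".join("\t".join(r) for r in _ROWS) + "\n"

def parse_input_file(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return (hosts keyed by IP, list of per-line problems)."""
    fields: Optional[List[str]] = None
    hosts: Dict[str, Dict[str, str]] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank line or other Zeek header/metadata line
        cols = line.split("\t")
        if fields is None or len(cols) != len(fields):
            errors.append(f"line {lineno}: column count does not match #fields header")
            continue
        row = {k: v for k, v in zip(fields, cols) if v != "-"}  # '-' means unset
        missing = [k for k in REQUIRED if k not in row]
        if missing:
            errors.append(f"line {lineno}: missing required field(s) {missing}")
            continue
        try:
            ip = str(ipaddress.ip_address(row["ip"]))
        except ValueError:
            errors.append(f"line {lineno}: invalid ip {row['ip']!r}")
            continue
        hosts[ip] = row  # a later row with the same ip replaces the earlier one
    return hosts, errors

def status_counts(hosts: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Hosts per endpoint status, e.g. to see how many unmanaged assets appear."""
    return dict(Counter(row.get("status", "unknown") for row in hosts.values()))
```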
Attention
The CrowdStrike Exposure Management integrations only create Input Framework files to be loaded on sensors. Additional Zeek scripts must be loaded on the sensors to use this data. If you enable these integrations, Corelight-update uploads the input files to the sensor, but if the desired script isn't available on the sensor, the input data won't be used.
See Zeek package management for information about using Corelight-update to manage Zeek package bundles.
See Zeek-Endpoint-Enrichment for an example of a Zeek package that can use this data.