Falcon Spotlight - Hosts
The CrowdStrike Falcon Spotlight Hosts integration will download data about all entity_types that match the provided criteria. If no “entity_type” is specified, all known entities (that have a current IP address) will be listed.
CrowdStrike Falcon Spotlight relies on endpoint agents and does not run scheduled “network scans” to identify network entities. As a result, downloading data from Falcon Spotlight frequently can provide near-real-time updates. If ‘interval_hours’ is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Global configuration and policy settings.
Once downloaded, the data will be used to create an Input Framework file that can be used by a Zeek script to generate new logs, or enrich existing logs, such as the conn.log.
The input file will be published with any other input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file will automatically get pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.
Settings
crowdstrike_spotlight_hosts:
  enabled: true
  interval_hours: 0
  entity_type: "" # managed, unmanaged, or unsupported
  filename: hosts_data.tsv
Input file
The following is a sample input file created by this integration, using tab-separated values.
#fields ip mac hostname description
192.168.12.10 - - unsupported
192.168.12.16 - - unmanaged
192.168.12.221 - - unmanaged
192.168.12.9 - - unsupported
192.168.12.220 - - unsupported
192.168.12.1 - - unsupported
192.168.12.210 - - unmanaged
192.168.12.222 - - unmanaged
192.168.12.212 00-50-56-A1-1F-07 skynet managed
192.168.56.103 00-50-56-A3-B1-C2 WEF managed
10.21.0.102 00-50-56-A1-B1-C4 DC managed
192.168.56.104 00-50-56-A2-B1-C2 WIN10 managed
192.168.1.155 92-91-E0-3E-66-A8 ss2oh managed
192.168.1.120 00-0C-29-AB-75-05 fleet managed
Important
To use this file, an additional Zeek package is required on the sensor.
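As an added illustration (not the Corelight package referred to above, nor code from this integration), the following minimal Zeek script reads the hosts_data.tsv file with the Input Framework and adds the Spotlight classification of both endpoints to conn.log; the file path, module name and new column names are assumptions.

```zeek
@load base/protocols/conn

module SpotlightHosts;

export {
    ## Index type: the "ip" column of the #fields header.
    type Idx: record {
        ip: addr;
    };

    ## Value type: remaining columns. "-" in the file means unset,
    ## so mac and hostname must be &optional (unmanaged rows have no MAC/host).
    type Val: record {
        mac: string &optional;
        hostname: string &optional;
        description: string;   # managed, unmanaged, or unsupported
    };

    ## Assumed location of the published input file on the sensor.
    const hosts_file = "/opt/corelight/input/hosts_data.tsv" &redef;

    ## New conn.log columns carrying the Spotlight classification.
    redef record Conn::Info += {
        orig_spotlight: string &log &optional;
        resp_spotlight: string &log &optional;
    };
}

## In-memory table populated (and re-read on change) by the Input Framework.
global hosts: table[addr] of Val = table();

event zeek_init()
    {
    Input::add_table([$source=hosts_file,
                      $name="spotlight_hosts",
                      $idx=Idx,
                      $val=Val,
                      $destination=hosts,
                      $mode=Input::REREAD]);
    }

## Priority -3 runs after Conn::Info is populated (priority 5) and
## before the conn.log record is written (priority -5).
event connection_state_remove(c: connection) &priority=-3
    {
    if ( ! c?$conn )
        return;
    if ( c$id$orig_h in hosts )
        c$conn$orig_spotlight = hosts[c$id$orig_h]$description;
    if ( c$id$resp_h in hosts )
        c$conn$resp_spotlight = hosts[c$id$resp_h]$description;
    }
```

With this loaded, a conn.log row whose orig_spotlight column reads “unmanaged” points at an endpoint CrowdStrike knows about but does not protect, which is the usual starting point for coverage-gap review.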