Falcon Spotlight - CVEs

The CrowdStrike Falcon Spotlight CVE integration downloads data about all hosts with CVEs that match the provided criteria. If no CVE “status” or “severity” is specified, all CVEs whose status is NOT “closed” are downloaded.

CrowdStrike Falcon Spotlight relies on endpoint agents and does not schedule “network scans” to identify vulnerabilities. As a result, downloading data from Falcon Spotlight frequently can provide near-real-time updates. If ‘interval_hours’ is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Global configuration and policy settings.

Once downloaded, the data is used to create a Zeek Input Framework file that a Zeek script can read to generate new logs or to enrich existing logs, such as suricata_corelight.log.

The input file is published together with the input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file is automatically pushed to the Fleet Manager policy and/or to all sensors in the policy. See Push content settings for more details.

Settings

crowdstrike_spotlight_cve:
  enabled: true
  interval_hours: 0
  filename: cve_data.tsv
  request_limit: 5000     # max 5000
  status: open,reopen     # comma separated, one or more of: open, reopen, closed, expired
  severity: critical      # comma separated, one or more of: critical, high, medium, low, unknown, none

Input file

The following is a sample input file created by this integration, using tab-separated values.

#fields ip      hostname  host_uid                          machine_domain    os_version           source                 cve_list
10.21.0.102     DC        fb5946b0422e4da49e4575995fb89060  windomain.local   Windows Server 2016  CrowdStrike Spotlight  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
192.168.1.120   fleet     04a15f26ace249f68c583fd7be70f9db  -                 Ubuntu 20.04         CrowdStrike Spotlight  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.155   ss2oh     62c850ec617843f8959f1442843bb816  -                 Ubuntu 20.04         CrowdStrike Spotlight  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.12.212  skynet    fae3f73ce1404e0aae1626dbddfc3fe8  -                 Ubuntu 22.04         CrowdStrike Spotlight  CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.102  DC        34a6b864b61146d6ad051a9d63a5585f  windomain.local   Windows Server 2016  CrowdStrike Spotlight  CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103  WEF       c6f3d2351739482baf36cc6e4af65163  windomain.local   Windows Server 2016  CrowdStrike Spotlight  CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103  WEF       0bb70f50a9a3470dbc3e09bd6eb18fc4  windomain.local   Windows Server 2016  CrowdStrike Spotlight  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.104  WIN10     a71be784db1a40e5b0fd7e6b73f6c7b7  windomain.local   Windows 10           CrowdStrike Spotlight  CVE-2021-36965,CVE-2021-43217,CVE-2022-22012,CVE-2020-9633,CVE-2021-24077
192.168.56.104  WIN10     23fac76b0e5246f8b8ba22d1bbd6bc04  windomain.local   Windows 10           CrowdStrike Spotlight  CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391

Important

To use this file, an additional Zeek package is required on the sensor.

suricata_corelight log

A typical suricata_corelight.log provides content like the example below:

  {
    _path: suricata_corelight
    _system_name: Lab-AP200
    _write_ts: 2023-08-01T01:22:20.096550Z
    alert.action: allowed
    alert.category: Attempted Information Leak
    alert.gid: 1
    alert.metadata: [
      created_at:2023_07_28
      updated_at:2023_07_28
    ]
    alert.rev: 1
    alert.severity: 2
    alert.signature: **CONTROL** curl User-Agent Outbound CVE-2020-12313
    alert.signature_id: 1000000
    community_id: 1:hfVPB4FWl48hOvuIzwyVBvzWBwY=
    flow_id: 11005288195832
    id.orig_h: 192.168.12.212
    id.orig_p: 48086
    id.resp_h: 3.160.22.77
    id.resp_p: 80
    id.vlan: 12
    pcap_cnt: 0
    service: http
    suri_id: Sp5Hxvr0blDf
    ts: 2023-08-01T01:22:20.092276Z
    tx_id: 0
    uid: CUWMCe4TJo8pS41Rnj
  }

If the Zeek package is loaded, the suricata_corelight.log is enriched with additional fields provided by the integration, like the example below. In this example the originating host 192.168.12.212 (skynet) is listed in the input file with CVE-2020-12313, the CVE named in alert.signature:

  {
    orig_vulnerable_host.cve: CVE-2020-12313
    orig_vulnerable_host.host_uid: fae3f73ce1404e0aae1626dbddfc3fe8
    orig_vulnerable_host.hostname: skynet
    orig_vulnerable_host.os_version: Ubuntu 22.04
    orig_vulnerable_host.source: CrowdStrike Spotlight
  }

Note

Field names begin with “orig” or “resp” to identify whether the originating host (id.orig_h) or the responding host (id.resp_h) is the one referenced.
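To make the join the Zeek package performs concrete, the following is an added Python example (not Corelight's Zeek script and not CrowdStrike code). It parses an input file in the tab-separated layout shown above, then enriches a record shaped like the suricata_corelight.log sample with orig_vulnerable_host.* or resp_vulnerable_host.* fields when a CVE named in alert.signature is in the cve_list of that side's host. The rows and the alert record are constructed from the page's samples; the CVE regular expression, keeping several rows per IP (as WEF has above) and taking the first matching CVE are this example's assumptions, not documented behavior of the package.

```python
"""Reproduce the Spotlight-CVE enrichment join in plain Python.

Added example, not Corelight's or CrowdStrike's code. Parses an input file in
the Zeek Input Framework TSV layout shown on the page and enriches a
suricata_corelight record the way the page describes.
"""
import re
from collections import defaultdict

# Constructed input file in the integration's layout. Two rows deliberately
# share one IP, as the WEF host does in the sample above.
CVE_INPUT_FILE = "\n".join([
    "#fields\tip\thostname\thost_uid\tmachine_domain\tos_version\tsource\tcve_list",
    "192.168.12.212\tskynet\tfae3f73ce1404e0aae1626dbddfc3fe8\t-\tUbuntu 22.04\tCrowdStrike Spotlight\tCVE-2020-12313,CVE-2016-1585,CVE-2022-36227",
    "192.168.56.103\tWEF\tc6f3d2351739482baf36cc6e4af65163\twindomain.local\tWindows Server 2016\tCrowdStrike Spotlight\tCVE-2017-11771,CVE-2022-34718",
    "192.168.56.103\tWEF\t0bb70f50a9a3470dbc3e09bd6eb18fc4\twindomain.local\tWindows Server 2016\tCrowdStrike Spotlight\tCVE-2022-26904,CVE-2022-34701",
])

# Assumed pattern for CVE identifiers embedded in a Suricata signature text.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_input_file(text):
    """Return {ip: [record, ...]} from a '#fields'-headed TSV.

    The Input Framework writes '-' for an unset field; it becomes None here.
    Several records may share one IP, so the table keeps a list per IP
    instead of silently letting the last row win.
    """
    fields = None
    table = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        rec["cve_list"] = set(filter(None, (rec["cve_list"] or "").split(",")))
        table[rec["ip"]].append(rec)
    return table


def enrich(alert, table):
    """Add <side>_vulnerable_host.* fields for each endpoint of the flow whose
    Spotlight record lists a CVE that appears in alert.signature."""
    cves = set(CVE_RE.findall(alert.get("alert.signature", "")))
    out = dict(alert)
    if not cves:
        return out
    for side, key in (("orig", "id.orig_h"), ("resp", "id.resp_h")):
        for rec in table.get(alert.get(key), []):
            hit = sorted(cves & rec["cve_list"])
            if not hit:
                continue  # host is known, but not vulnerable to this CVE
            out[f"{side}_vulnerable_host.cve"] = hit[0]  # one CVE per record, as on the page
            for f in ("host_uid", "hostname", "os_version", "source"):
                out[f"{side}_vulnerable_host.{f}"] = rec[f]
            break  # first matching record for this side wins (assumption)
    return out


def demo():
    """Enrich an alert constructed from the suricata_corelight.log sample."""
    table = parse_input_file(CVE_INPUT_FILE)
    alert = {
        "alert.signature": "**CONTROL** curl User-Agent Outbound CVE-2020-12313",
        "id.orig_h": "192.168.12.212", "id.orig_p": 48086,
        "id.resp_h": "3.160.22.77", "id.resp_p": 80,
    }
    return enrich(alert, table)


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(f"{k}: {v}")
```

The responder 3.160.22.77 is not in the table, so only orig_vulnerable_host.* fields appear; a host that is in the table but does not carry the CVE named in the signature gets no fields at all, which is the check that keeps the enrichment from flagging every alert touching a known host.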