Falcon Spotlight - Hosts

The CrowdStrike Falcon Spotlight Hosts integration downloads data about all entities whose entity_type matches the configured criteria. If no “entity_type” is specified, all known entities that have a current IP address will be listed.

CrowdStrike Falcon Spotlight relies on endpoint agents and does not run scheduled “network scans” to identify network entities. As a result, downloading data from Falcon Spotlight frequently can provide near-real-time updates. If ‘interval_hours’ is set to 0, the integration will attempt to download new content each time the Corelight-update service runs. See Global configuration and policy settings.

Once downloaded, the data will be used to create an Input Framework file that can be used by a Zeek script to generate new logs, or enrich existing logs, such as the known_hosts.log.

The input file will be published together with any input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file will automatically be pushed to the Fleet Manager policy and/or to all sensors in that policy. See Push content settings for more details.

Settings

crowdstrike_spotlight_hosts:
  enabled: true
  interval_hours: 0
  entity_type: ""             # managed, unmanaged, or unsupported
  filename: hosts_data.tsv

Input file

The input file contains the following information (if it’s available):

  • IP address (required)

  • MAC address

  • Hostname

  • Host Unique ID

  • OS version

  • Endpoint status (required)

  • Machine domain

  • Additional description

  • Endpoint information source (required)

The following is a sample input file created by this integration, using tab-separated values.

#fields  ip     mac                hostname  host_uid                             os_version    status        machine_domain  desc                     source
192.168.56.103  00-50-56-A3-B1-C2  WEF       ced83f0c26493b638086fdc7b8b2c01d     -             managed       -               Falcon Discover details  CrowdStrike
10.21.0.102     00-50-56-A1-B1-C4  DC        c53fdc3178ba36759c471d6b6655e324     -             managed       -               Falcon Discover details  CrowdStrike
192.168.56.104  00-50-56-A2-B1-C2  WIN10     abb6c27309cf3730bb73e8cfd732d838     Windows 10    managed       lab.local       Falcon Discover details  CrowdStrike
192.168.1.155   92-91-E0-3E-66-A8  ss2oh     9caa11e26d1f371797e73e9b9199d481     -             managed       -               Falcon Discover details  CrowdStrike
192.168.1.120   00-0C-29-AB-75-05  fleet     81f845fe72ae32168aba94707fc8a49f     -             managed       -               Falcon Discover details  CrowdStrike
192.168.12.1    -                  -         613cd0e8a671350e83dec735143db1e0     -             unsupported   -               Falcon Discover details  CrowdStrike
192.168.12.210  -                  -         5f67453d7e833b0f82ac1d7a5788142a     -             unmanaged     -               Falcon Discover details  CrowdStrike
192.168.12.222  -                  -         5abcec34b3443f3cb7fe17c4f7100e02     -             unmanaged     -               Falcon Discover details  CrowdStrike
192.168.12.212  00-50-56-A1-1F-07  skynet    439293445449716808dec735143db1e9     Ubuntu 22.04  managed       -               Falcon Discover details  CrowdStrike
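The following is an added example, not part of the integration or of the zeek-endpoint-enrichment package: it parses an input file in the layout shown above (tab-separated, “-” for an unset field), checks the three required columns, and then attaches the endpoint.* fields to a known_hosts record the way the sample log below shows. The sample rows are constructed from the table above; the record layout passed to enrich_known_host is an assumption.

```python
# Constructed sample in the integration's input-file layout (tab-separated,
# "-" marks an unset Zeek field). Rows are taken from the page's example.
SAMPLE_INPUT = "\n".join([
    "#fields\tip\tmac\thostname\thost_uid\tos_version\tstatus\tmachine_domain\tdesc\tsource",
    "192.168.56.104\t00-50-56-A2-B1-C2\tWIN10\tabb6c27309cf3730bb73e8cfd732d838\tWindows 10\tmanaged\tlab.local\tFalcon Discover details\tCrowdStrike",
    "192.168.12.1\t-\t-\t613cd0e8a671350e83dec735143db1e0\t-\tunsupported\t-\tFalcon Discover details\tCrowdStrike",
    "192.168.12.212\t00-50-56-A1-1F-07\tskynet\t439293445449716808dec735143db1e9\tUbuntu 22.04\tmanaged\t-\tFalcon Discover details\tCrowdStrike",
])

REQUIRED = ("ip", "status", "source")   # columns the integration marks as required
UNSET = "-"                             # Zeek Input Framework marker for an empty field
ENDPOINT_FIELDS = ("desc", "host_uid", "os_version", "source", "status")


def parse_input_file(text):
    """Parse a Zeek Input Framework TSV into {ip: record}, dropping '-' values.

    Raises ValueError on a missing #fields header, a column-count mismatch,
    or a row that leaves one of the required columns unset.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("missing #fields header")
    fields = lines[0].split("\t")[1:]
    hosts = {}
    for line in lines[1:]:
        row = line.split("\t")
        if len(row) != len(fields):
            raise ValueError(f"column count mismatch: {row!r}")
        rec = {k: v for k, v in zip(fields, row) if v != UNSET}
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"{row[0]}: missing required field(s) {missing}")
        hosts[rec["ip"]] = rec
    return hosts


def enrich_known_host(entry, hosts):
    """Return a copy of a known_hosts record with endpoint.* fields added.

    `entry` is a dict with at least "host_ip" (assumed layout). Hosts absent
    from the input file are returned unchanged, as are fields left unset.
    """
    rec = hosts.get(entry.get("host_ip"))
    if rec is None:
        return dict(entry)
    out = dict(entry)
    for key in ENDPOINT_FIELDS:
        if key in rec:
            out[f"endpoint.{key}"] = rec[key]
    return out
```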

Important

To use this file, the “zeek-endpoint-enrichment” package is required on the sensor.

known_hosts log

A typical known_hosts.log provides content like the example below:

  {
    _path: known_hosts
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [ ]
    conns_closed: 167
    conns_opened: 167
    conns_pending: 0
    duration: 920.0746190547943
    endpoint.desc: Falcon Discover details
    endpoint.host_uid: 439293445449716808dec735143db1e9
    endpoint.os_version: Ubuntu 22.04
    endpoint.source: CrowdStrike
    endpoint.status: managed
    host_ip: 192.168.12.212
    kuid: Kf1THOpT9hJa5
    last_active_interval: 954.522488117218
    last_active_session: KfqhT6kg6fP7k
    long_conns: 0
    ts: 2023-08-22T13:04:54.000617Z
  }

known_devices log

A typical known_devices.log provides content like the example below:

  {
    _path: known_devices
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [
      CrowdStrike
    ]
    duration: 920.0746190547943
    host_ip: 192.168.12.212
    kuid: Kf1THOpT9hJa5
    last_active_interval: 954.522488117218
    last_active_session: KfqhT6kg6fP7k
    mac: 00-50-56-A1-1F-07
    num_conns: 0
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:04:54.000617Z
    vendor_mac: unknown
  }

known_domains log

A typical known_domains.log provides content like the example below:

  {
    _path: known_domains
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:51:39.591783Z
    annotations: [
      CrowdStrike
    ]
    domain: LAB.LOCAL
    duration: 0
    host_ip: 192.168.56.104
    kuid: KfkAPIKyTuYv3
    last_active_interval: 42202.37188410759
    last_active_session: Kf64KcY1eZwM
    num_conns: 1
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:47:23.586163Z
  }

known_names log

A typical known_names.log provides content like the example below:

  {
    _path: known_names
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [
      CrowdStrike
    ]
    duration: 920.0746190547943
    host_ip: 192.168.12.212
    hostname: SKYNET
    kuid: Kf1THOpT9hJa5
    last_active_interval: 954.522488117218
    last_active_session: KfqhT6kg6fP7k
    num_conns: 0
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:04:54.000617Z
  }