
Get FalconVulnerability

bk-cs edited this page Jul 27, 2023 · 26 revisions

Get-FalconVulnerability

SYNOPSIS

Search for Falcon Spotlight vulnerabilities

DESCRIPTION

Requires 'Spotlight vulnerabilities: Read'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Id | String[] | Vulnerability identifier | | | | X | X |
| Filter | String | Falcon Query Language expression to limit results | | | aid, apps_remediation, closed_timestamp, created_timestamp, cve.exploit_status, cve.exprt_rating, cve.id, cve.is_cisa_kev, cve.remediation_level, cve.severity, host_info.groups, host_info.platform_name, host_info.product_type_desc, host_info.tags, last_seen_within, status, suppression_info.is_suppressed, suppression_info.reason, updated_timestamp | | |
| Facet | String[] | Include additional properties | | | cve, evaluation_logic, host_info, remediation | | |
| Sort | String | Property and direction to sort results | | | created_timestamp.asc, created_timestamp.desc, closed_timestamp.asc, closed_timestamp.desc, updated_timestamp.asc, updated_timestamp.desc | | |
| Limit | Int32 | Maximum number of results per request | 1 | 400 | | | |
| After | String | Pagination token to retrieve the next set of results | | | | | |
| Detailed | Switch | Retrieve detailed information | | | | | |
| All | Switch | Repeat requests until all available results are retrieved | | | | | |
| Total | Switch | Display total result count instead of results | | | | | |

SYNTAX

Get-FalconVulnerability [-Filter] <String> [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconVulnerability -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconVulnerability [-Filter] <String> [[-Facet] <String[]>] [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

GET /spotlight/combined/vulnerabilities/v1
GET /spotlight/entities/vulnerabilities/v2
GET /spotlight/queries/vulnerabilities/v1

falconpy

queryVulnerabilities
getVulnerabilities
combinedQueryVulnerabilities

USAGE

Search for vulnerabilities

NOTE: The Spotlight API requires the use of a filter when requesting results.

```powershell
Get-FalconVulnerability -Filter "created_timestamp:>'2019-11-25T22:36:12Z'" [-Detailed] [-All]
```

Get information about specific vulnerabilities

```powershell
Get-FalconVulnerability -Id <id>, <id>
```
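The following is an added example, not code from the PSFalcon wiki or the PSFalcon project. It combines the search parameters documented above into a small triage run: it checks the size of the result set with -Total before paging, retrieves detailed results for open, unsuppressed vulnerabilities whose CVE is on the CISA KEV list, and rolls them up per host. It assumes an API token has already been obtained with Request-FalconToken, that the returned objects carry the `cve` and `host_info` facet properties used by the wiki's own export script (including `host_info.platform_name` and `cve.cisa_info.due_date`), and that each result exposes its identifier as `id`; the `$Label` table and the per-host summary are this example's own additions.

```powershell
# Open, unsuppressed vulnerabilities whose CVE is on the CISA KEV list.
# In FQL, '+' joins conditions with AND (same syntax as the wiki's export filter).
$Filter = "status:!'closed'+suppression_info.is_suppressed:false+cve.is_cisa_kev:true"

# -Total returns only the count: a cheap sanity check before paging through every result
$Total = Get-FalconVulnerability -Filter $Filter -Total
Write-Host "Open KEV vulnerabilities matching filter: $Total"

if ($Total -gt 0) {
    # Detailed results, newest first, all pages, with the facets the summary needs
    $Param = @{
        Filter   = $Filter
        Facet    = 'cve','host_info'
        Sort     = 'created_timestamp.desc'
        Limit    = 400
        Detailed = $true
        All      = $true
    }
    $Vuln = Get-FalconVulnerability @Param

    # Exploit status values as labelled in the wiki export (hypothetical lookup table)
    $Label = @{ 0 = 'Unproven'; 30 = 'Available'; 60 = 'Easily Accessible'; 90 = 'Actively used' }

    # One row per host: open KEV CVE count, worst exploit status, earliest CISA due date
    $Vuln | Group-Object { $_.host_info.hostname } | ForEach-Object {
        $First  = $_.Group | Select-Object -First 1
        $Worst  = ($_.Group.cve.exploit_status | ForEach-Object { [int]$_ } |
            Measure-Object -Maximum).Maximum
        $Urgent = @($_.Group | Where-Object { [int]$_.cve.exploit_status -ge 60 })
        [PSCustomObject]@{
            Hostname                = $_.Name
            'Host ID'               = $First.aid
            Platform                = $First.host_info.platform_name
            'Open KEV CVEs'         = $_.Count
            'Exploit status >= 60'  = $Urgent.Count
            'Worst exploit status'  = $Label[[int]$Worst]
            'Earliest KEV due date' = ($_.Group.cve.cisa_info.due_date | Sort-Object |
                Select-Object -First 1)
        }
    } | Sort-Object 'Exploit status >= 60','Open KEV CVEs' -Descending | Format-Table -AutoSize

    # Identifiers can be piped back into -Id later to re-fetch specific vulnerabilities
    # (Id accepts pipeline input per the parameter table; 'id' property name is assumed)
    $Vuln | Select-Object -First 5 -ExpandProperty id | Get-FalconVulnerability
}
```

Checking the count first matters because -All repeats requests until every page has been retrieved; a filter that is too broad turns a quick triage query into a very long run. Narrowing by `host_info.platform_name`, `host_info.groups` or `last_seen_within` (all listed under the Filter parameter) is the usual way to keep the result set small.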

Export vulnerabilities to CSV

The resulting CSV will resemble an export from the Falcon console of vulnerabilities that are not closed, not suppressed, and were created within the last 7 days. Note that the columns Closed Date, Closed Dwell Time, CVSS Version, Closed Product Versions, AdditionalRemediationAdvisoryUrl and AdditionalRemediationSteps are not included. Columns can be modified by changing the properties defined within the [PSCustomObject].

```powershell
# Output file: vulnerabilities_<timestamp>.csv in the current directory
$CsvName = Join-Path (Get-Location).Path ('vulnerabilities_{0}.csv' -f (Get-Date -Format 'yyyy-MM-ddTHH_mm_ss'))

# Open, unsuppressed vulnerabilities created within the last 7 days, with all facets
$Param = @{
    Filter = "status:!'closed'+(created_timestamp:>'now-7d'+created_timestamp:<'now')+suppression_info.is_suppressed:false"
    Facet = 'cve','evaluation_logic','host_info','remediation'
    Detailed = $true
    All = $true
}

# Count matching results first so progress can be reported while exporting
$Total = Get-FalconVulnerability -Filter $Param.Filter -Total
$i = 0
Get-FalconVulnerability @Param | ForEach-Object {
    $i++
    Write-Host "Exported $i of $Total"
    # One CSV row per vulnerability; add or remove properties here to change the columns
    [PSCustomObject]@{
        Hostname = $_.host_info.hostname
        LocalIP = $_.host_info.local_ip
        HostType = $_.host_info.product_type_desc
        OSVersion = $_.host_info.os_version
        MachineDomain = $_.host_info.machine_domain
        OU = $_.host_info.ou
        SiteName = $_.host_info.site_name
        Product = $_.apps.product_name_version
        'CVE ID' = $_.cve.id
        'CVE Description' = $_.cve.description
        Status = $_.status
        Severity = $_.cve.severity
        'Created Date' = $_.created_timestamp
        'Base Score' = $_.cve.base_score
        Vector = $_.cve.vector
        'Vendor Advisory' = $_.cve.vendor_advisory
        References = $_.cve.references -join ', '
        'Recommended Remediations' = $_.remediation.entities.title
        'Remediation Details' = $_.remediation.entities.action
        'Remediation Links' = $_.remediation.entities.link
        'Group Names' = ($_.host_info.groups.name | Sort-Object) -join ', '
        Tags = ($_.host_info.tags | Sort-Object) -join ', '
        'Host ID' = $_.aid
        'Exploit status value' = $_.cve.exploit_status
        # Numeric exploit_status mapped to the label shown in the Falcon console
        'Exploit status label' = switch ($_.cve.exploit_status) {
            0 { 'Unproven' }
            30 { 'Available (medium)' }
            60 { 'Easily Accessible (high)' }
            90 { 'Actively used (critical)' }
        }
        'Platform' = $_.host_info.platform
        'Vulnerable Product Versions' = $_.apps.product_name_version
        RemediationLevel = $_.cve.remediation_level
        'ExPRT Rating' = $_.cve.exprt_rating
        'is Suppressed' = $_.suppression_info.is_suppressed
        'Is CISA KEV' = $_.cve.cisa_info.is_cisa_kev
        'CISA KEV Due Date' = $_.cve.cisa_info.due_date
        'CVE Published Date' = $_.cve.published_date
        'Spotlight Published Date' = $_.cve.spotlight_published_date
        'Host Last Seen Within' = $_.host_info.host_last_seen_timestamp
        'Cloud Service Instance ID' = $_.host_info.instance_id
        'OS Build' = $_.host_info.os_build
    } | Export-Csv $CsvName -NoTypeInformation -Append
}
```
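The following is an added example, not part of the PSFalcon wiki, showing how the CSV produced by the export script above can be post-processed offline into a remediation-centric view: which single remediation clears the most host/CVE pairs, and which affected hosts have not reported in recently. It uses the column names defined in the export's [PSCustomObject]. The rows in the here-string are constructed sample data with placeholder CVE identifiers so the snippet runs without API access; replace them with `Import-Csv` on a real export file. The 30-day staleness threshold and the fixed reference date are this example's own assumptions.

```powershell
# Constructed sample rows using a subset of the export's columns (placeholder CVE ids).
# For a real export: $Rows = Import-Csv .\vulnerabilities_<timestamp>.csv
$Sample = @'
Hostname,"CVE ID",Severity,"Exploit status value","Is CISA KEV","Recommended Remediations","Host Last Seen Within"
WKS-01,CVE-0000-0001,CRITICAL,90,True,Update vendor product A,2023-07-20T10:00:00Z
WKS-01,CVE-0000-0002,HIGH,30,False,Update vendor product B,2023-07-20T10:00:00Z
SRV-02,CVE-0000-0001,CRITICAL,90,True,Update vendor product A,2023-06-01T08:00:00Z
SRV-02,CVE-0000-0003,MEDIUM,0,False,Update vendor product B,2023-06-01T08:00:00Z
'@
$Rows = $Sample | ConvertFrom-Csv

# Fixed reference date so the staleness check is reproducible (assumption; use Get-Date in practice)
$Now = [datetime]::Parse('2023-07-27T00:00:00Z').ToUniversalTime()
$StaleDays = 30

# Remediation view: one line per fix, ranked by how many host/CVE pairs it would clear
$Rows | Group-Object 'Recommended Remediations' | ForEach-Object {
    [PSCustomObject]@{
        Remediation      = $_.Name
        'Host/CVE pairs' = $_.Count
        Hosts            = @($_.Group.Hostname | Sort-Object -Unique).Count
        'KEV CVEs'       = @($_.Group | Where-Object 'Is CISA KEV' -eq 'True' |
            Select-Object -ExpandProperty 'CVE ID' -Unique).Count
        'Max exploit'    = ($_.Group.'Exploit status value' | ForEach-Object { [int]$_ } |
            Measure-Object -Maximum).Maximum
        CVEs             = ($_.Group.'CVE ID' | Sort-Object -Unique) -join ', '
    }
} | Sort-Object 'KEV CVEs','Max exploit','Host/CVE pairs' -Descending | Format-Table -AutoSize

# Stale-host view: affected hosts that have not been seen within the threshold.
# These will not pick up a pushed remediation until they reconnect, so they need separate follow-up.
$Rows | Group-Object Hostname | ForEach-Object {
    $LastSeen = [datetime]::Parse(($_.Group | Select-Object -First 1).'Host Last Seen Within').ToUniversalTime()
    [PSCustomObject]@{
        Hostname       = $_.Name
        Findings       = $_.Count
        'Last seen'    = $LastSeen.ToString('u')
        'Days offline' = [int]($Now - $LastSeen).TotalDays
        Stale          = ($Now - $LastSeen).TotalDays -gt $StaleDays
    }
} | Where-Object Stale | Format-Table -AutoSize
```

With the sample rows, "Update vendor product A" ranks first (it clears both placeholder KEV findings on two hosts), and SRV-02 is reported as stale because its last-seen timestamp is more than 30 days before the reference date.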

2023-04-25: PSFalcon v2.2.5
