Spotlight Vulnerabilities - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Spotlight Vulnerabilities service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation ID Description
combinedQueryVulnerabilities
PEP 8 query_vulnerabilities_combined
Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.
getRemediationsV2
PEP 8 get_remediations_v2
Get details on remediation by providing one or more IDs.
getVulnerabilities
PEP 8 get_vulnerabilities
Get details on vulnerabilities by providing one or more IDs.
queryVulnerabilities
PEP 8 query_vulnerabilities
Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

combinedQueryVulnerabilities

Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.

PEP8 method name

query_vulnerabilities_combined

Endpoint

Method Route
GET /spotlight/combined/vulnerabilities/v1

Required Scope

spotlight-vulnerabilities:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
after
Service Class Support

Uber Class Support
query string A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
facet
Service Class Support

Uber Class Support
query string Select various detail blocks to be returned for each vulnerability.

Supported values:
  • host_info
  • remediation
  • cve
  • evaluation_logic
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted filter that should be used to limit the results. Wildcards * are unsupported.

You must provide a filter, either via this keyword or as part of a parameters payload in order to use this method. Review the available filters table below for more detail.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return. (Max: 5000, Default: 100)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string FQL Syntax formatted sort filter.

Common sort options include:
  • created_timestamp|desc
  • closed_timestamp|asc
  • updated_timestamp|desc
Available filters
Name Description
aid Unique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. For more info, see Asset Management APIs.

Get vulnerabilities for a specific AID:

filter="aid:'abcde6b9a3427d8c4a1af416424d6231'"
apps.remediation.ids Unique identifier of a remediation. This filter supports multiple values and negation.

Get the vulnerability ID for a specific remediation ID:

filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'"

Get vulnerabilities for multiple remediation IDs:

filter="apps.remediation.ids:['ID1','ID2','ID3']"
cid Unique system-generated customer identifier (CID) of the account.

In multi-CID environments:
  • You can filter by both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered by.
  • If you're in a non-parent CID, this property only shows data for that CID.
Get vulnerabilities for a specific CID:

filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'"
closed_timestamp Date and time a vulnerability was set to a status of CLOSED

Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC:

filter="closed_timestamp:>'2021-06-25T10:32'"

Get vulnerabilities that were marked as closed before October 18, 2021:

filter="closed_timestamp:<'2021-10-18'"
confidence Whether or not the vulnerability has been confirmed:

confirmed
potential

Get vulnerabilities with a potential confidence level:

filter="confidence:<'potential'"
created_timestamp Date and time when this vulnerability was found in your environment.

Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on.

Get vulnerabilities created before September 30, 2021 at 13:22 UTC:

filter="created_timestamp:<'2021-09-25T13:22'"

Get vulnerabilities created after February 12, 2021:

filter="created_timestamp:>'2021-02-12'"
cve.cwes Unique identifier for a vulnerability from the Common Weakness Enumeration (CWE) list

filter="cve.cwes:>['CWE-787','CWE-699']"
cve.exploit_status Numeric value of the most severe known exploit. This filter supports multiple values and negation.

Possible values:
  • 0: Unproven. No known exploits.
  • 30: Available - Medium. At least one known piece of code developed to take advantage of the vulnerability.
  • 60: Easily accessible - High. An exploit that is packaged and easily available in an exploit framework.
  • 90: Actively used - Critical. An exploit that has been used in at least one attack.
Get vulnerabilities with an exploit status of 60:

filter="cve.exploit_status:'60'"

Get vulnerabilities with an exploit status of 30, 60, or 90:

filter="cve.exploit_status:!'0'"

or

filter="cve.exploit_status:['30','60','90']"
cve.exprt_rating ExPRT rating assigned by CrowdStrike's predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation.

Possible values:
  • UNKNOWN: The CVE Metadata lacks some required properties or a technical/temporary problem.
  • LOW: Score is < ~50% Percentile OR it does not have an Exploit prediction.
  • MEDIUM: Score is > ~50% percentile.
  • HIGH: Exploit Status = Easily Accessible Exploit OR it fits in the ~80-95% ExPRT Scores.
  • CRITICAL: Exploit Status = Actively Used Exploit OR it fits in the top 5% ExpRT Scores.
Get vulnerabilities with an ExPRT rating of high:

filter="cve.exprt_rating:'HIGH'"

Get vulnerabilities with an ExPRT rating of high or critical:

filter="cve.exprt_rating:['HIGH','CRITICAL']"

Get vulnerabilities with any ExPRT rating other than unknown:

filter="cve.exprt_rating:!'UNKNOWN'"
cve.id Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities with a specific single CVE ID:

filter="cve.id:['CVE-2022-1234']"

Get vulnerabilities for multiple CVE IDs:

filter="cve.id:['CVE-2022-1234','CVE-2023-1234']"

Get vulnerabilities that do not contain either of 2 specific CVE IDs:

filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']"
cve.is_cisa_kev Filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or false

This filter supports negation.

Get vulnerabilities that are in the CISA KEV catalog:

filter="cve.is_cisa_kev:true"
cve.remediation_level CVSS remediation level of the vulnerability.

This filter supports multiple values and negation.

Get vulnerabilities with an official fix:

filter="cve.remediation_level:'O'"

Get vulnerabilities no available fix:

filter="cve.remediation_level:'U'"
cve.severity CVSS severity rating of the vulnerability. The value must be entered in all caps.

This filter supports multiple values and negation.

Possible values:
  • UNKNOWN: A severity that’s not defined
  • NONE: No severity provided
  • LOW: A low severity computed out of the base score
  • MEDIUM: A medium severity computed out of the base score
  • HIGH: A high severity computed out of the base score
  • CRITICAL: a critical severity computed out of the base score
Get vulnerabilities with a CVE severity of LOW:

filter="cve.severity:'LOW'"

Get vulnerabilities with any CVE severity but UNKNOWN:

filter="cve.severity:!'UNKNOWN'"

Get vulnerabilities with a CVE severity of LOW and MEDIUM:

filter="cve.severity:['LOW','MEDIUM']"
cve.types Vulnerability type:
  • Vulnerability
  • Misconfiguration
  • Unsupported software
filter="cve.types:!'Misconfiguration'"
data_providers.ports Ports on the host where the vulnerability was found by the third-party provider

Get vulnerabilities found on port 53:

filter="data_providers.ports:'53'"

Get vulnerabilities found on any port:

filter="data_providers.ports:!'0'"

data_providers.provider Name of the data provider

Get vulnerabilities for a specific third-party provider:

filter="data_providers.provider:'{provider name}'"
data_providers.rating Possible values:
  • UNKNOWN: A severity that’s not defined
  • NONE: No severity provided
  • LOW: A low severity computed out of the base score
  • MEDIUM: A medium severity computed out of the base score
  • HIGH: A high severity computed out of the base score
  • CRITICAL: a critical severity computed out of the base score
Get vulnerabilities with a third-party rating of CRITICAL:

filter="data_providers.rating:'CRITICAL'"
data_providers.scan_time UTC date and time when the vulnerability was most recently identified by the third-party provider

Get vulnerabilities scanned by a third-party provider after August 3, 2023:

filter="data_providers.scan_time:>'023-08-03'"
data_providers.scanner_id ID of the third-party scanner that identified the vulnerability

Get vulnerabilities found by a specific scanner:

filter="data_providers.scanner_id:'{scanner id}'"
host_info.asset_criticality Assigned criticality level of the asset

Possible values:
  • Critical
  • High
  • Noncritical
  • Unassigned
Get vulnerabilities on hosts with high and critical levels of asset criticality:

filter="host_info.asset_criticality:['Critical','High']"

Get vulnerabilities on hosts without an assigned asset criticality level:

filter="host_info.asset_criticality:!'Unassigned'"
host_info.groups Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs. For more info, see Host and Host Group Management APIs.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities on hosts in a specific host group ID:

filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']"

Get vulnerabilities on hosts in all host groups except a specific host group ID:

filter="host_info.groups:!['03f0b54af2692e99c4cec945818fbef7']"

Get vulnerabilities on hosts in multiple host group IDs:

filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7','1676624bb307f5054406a3c343d40212']"
host_info.has_run_container Whether or not the host is running Kubernetes containers: true or false

Get vulnerabilities on hosts running Kubernetes containers:

filter="host_info.has_run_container:'true'"
host_info.internet_exposure Whether or not the asset is internet-facing:
  • Yes
  • No
  • Pending
Get vulnerabilities on internet-exposed hosts:

filter="host_info.internet_exposure:'Yes'"
host_info.managed_by Indicates if the asset has the Falcon sensor installed:
  • Falcon sensor
  • Unmanaged
This filter supports multiple values and negation.

Get vulnerabilities on assets without a Falcon sensor installed:

filter="host_info.managed_by:'Unmanaged'"
host_info.platform_name Operating system platform.

This filter supports negation.

Possible values:
  • Windows
  • Mac
  • Linux
Get Windows OS vulnerabilities:

filter="host_info.platform_name:'Windows'"

Get Windows OS and macOS vulnerabilities:

filter="host_info.platform_name:!'Linux'"
host_info.product_type_desc Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

Type of host a sensor is running on. This filter supports multiple values and negation. Enter values as shown with the first letter capitalized.

Possible values:
  • Workstation
  • Server
  • Domain Controller
Get vulnerabilities on workstation hosts:

filter="host_info.product_type_desc:'Workstation'"

Get vulnerabilities on server and domain controller hosts:

filter="host_info.product_type_desc:!'Workstation'"

or

filter="host_info.product_type_desc:['Domain Controller','Server']"
host_info.tags Name of a tag assigned to a host. Retrieve tags from Host Tags APIs. For more info, see Host and Host Group Management APIs.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities on hosts tagged with “ephemeral”:

filter="host_info.tags:['ephemeral']"

Get vulnerabilities on hosts with any tag but “search” or “ephemeral”:

filter="host_info.tags:!['search','ephemeral']"

Get vulnerabilities on hosts tagged with “workstation” or “main”:

filter="host_info.tags:['workstation','main']"
host_info.third_party_asset_ids Asset IDs assigned to the host by third-party providers in the format:

{data_provider}: {data_provider_asset_id}

This filter supports multiple values and negation.

Get vulnerabilities for a specific third-party asset:

filter="host_info.third_party_asset_ids:'{data_provider}: {data_provider_asset_id}'"
last_seen_within Filter for vulnerabilities based on the number of days since a host last connected to Falcon. Enter a numeric value from 3 to 45 to indicate the number of days you want to look back. All active hosts seen up to the specified number of days are returned with a host_last_seen_timestamp response field populated as follows:

A UTC timestamp of the most recent connection displays for hosts that were last seen online more than 3 days ago

Null for hosts that have been online in the last 3 days

Possible values: Integer, from 3–45

Note: Values less than 3 and greater than 45 are not supported and will result in an error.

Get vulnerabilities for hosts that last connected to Falcon within the last 10 days:

filter="last_seen_within:'10'"

The host_last_seen_timestamp in the response shows:
  • A timestamp for last host activity detected on days 4-10
  • Null for last host activity detected on days 1-3
services.port Port on the host where a vulnerability was found by Falcon EASM or a third-party provider

filter="services.port:'443'"
services.protocol Network protocols recognized by Falcon EASM

filter="services.protocol:'pop3'"
services.transport Transport methods recognized by Falcon EASM

filter="services.transport:'tcp'"
status Status of a vulnerability. The value must be entered in all lowercase letters.

This filter supports multiple values and negation.

Possible values:
  • open: Vulnerabilities that are currently open. A vulnerability is automatically assigned the open status upon creation.
  • closed: Vulnerabilities that are closed. You can close a vulnerability from the open or reopen status.
  • reopen: Vulnerabilities that are currently reopened after previously being closed.
  • expired: Vulnerabilities on decommissioned hosts that are set to be deleted. The expired status appears 3 days before a vulnerability is deleted from the system.
Note that vulnerabilities in the expired status are visible only through the API. They do not appear in the Falcon console or in reports.

Get vulnerabilities with a status of open:

filter="status:'open'"

Get vulnerabilities with any status except closed:

filter="status:!'closed'"

Get vulnerabilities with a status of open or reopen:

filter="status:['open','reopen']"

or

filter="status:!['closed','expired']"
suppression_info.is_suppressed Indicates if the vulnerability is suppressed by a suppression rule or not

Get suppressed vulnerabilities:

filter="suppression_info.is_suppressed:true"
suppression_info.reason Attribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get suppressed vulnerabilities where the reason for the rule is “accept risk”:

filter="suppression_info.reason:['ACCEPT_RISK']"

Get suppressed vulnerabilities where the reason for the rule is anything except “false positive”:

filter="suppression_info.reason:!['FALSE_POSITIVE']"

Get suppressed vulnerabilities where the reason for the rule is “compensating control” or “false positive”:

filter="suppression_info.reason:['COMPENSATING_CONTROL','FALSE_POSITIVE']"
updated_timestamp UTC date and time of the last update made on a vulnerability

Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC:

filter="updated_timestamp:<'2021-10-20T22:36'"

Get vulnerabilities that were last updated after September 15, 2021:

filter="updated_timestamp:>'2021-09-15'"
vulnerability_id Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability

For more info, see Asset Management APIs.

This filter supports multiple values and negation.

Get vulnerabilities with a specific single CVE ID:

filter="vulnerability_id:['CVE-2022-1234']"

Get vulnerabilities for multiple CVE IDs:

filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']"

Get vulnerabilities that do not contain either of 2 specific CVE IDs:

filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']"

Usage

You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.

Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.query_vulnerabilities_combined(filter="string",
                                                 facet="string",
                                                 limit=integer,
                                                 sort="string",
                                                 after="string"
                                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.combinedQueryVulnerabilities(filter="string",
                                               facet="string",
                                               limit=integer,
                                               sort="string",
                                               after="string"
                                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combinedQueryVulnerabilities",
                          filter="string",
                          facet="string",
                          limit=integer,
                          sort="string",
                          after="string"
                          )
print(response)

getRemediationsV2

Get details on remediation by providing one or more IDs

PEP8 method name

get_remediations_v2

Endpoint

Method Route
GET /spotlight/entities/remediations/v2

Required Scope

spotlight-vulnerabilities:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more remediation IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_remediations_v2(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getRemediationsV2(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getRemediationsV2", ids=id_list)
print(response)

getVulnerabilities

Get details on vulnerabilities by providing one or more IDs

PEP8 method name

get_vulnerabilities

Endpoint

Method Route
GET /spotlight/entities/vulnerabilities/v2

Required Scope

spotlight-vulnerabilities:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more vulnerability IDs (max: 400). Find vulnerability IDs with queryVulnerabilities.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vulnerabilities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getVulnerabilities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getVulnerabilities", ids=id_list)
print(response)

queryVulnerabilities

Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria

PEP8 method name

query_vulnerabilities

Endpoint

Method Route
GET /spotlight/queries/vulnerabilities/v1

Required Scope

spotlight-vulnerabilities:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
after
Service Class Support

Uber Class Support
query string A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results.
limit
Service Class Support

Uber Class Support
query integer The number of items to return in this response (default: 100, max: 400). Use with the after parameter to manage pagination of results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort vulnerabilities by their properties. Common sort options include:
  • created_timestamp|desc
  • closed_timestamp|asc
  • updated_timestamp|desc
filter
Service Class Support

Uber Class Support
query string Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. Common filter options include:
  • created_timestamp:>'2019-11-25T22:36:12Z'
  • closed_timestamp:>'2019-11-25T22:36:12Z'
  • aid:'8e7656b27d8c49a34a1af416424d6231'
You must provide a filter, either via this keyword or as part of a parameters payload in order to use this method. Review the available filters table below for more detail.
Available filters
Name Description
aid Unique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. For more info, see Asset Management APIs.

Get vulnerabilities for a specific AID:

filter="aid:'abcde6b9a3427d8c4a1af416424d6231'"
apps.remediation.ids Unique identifier of a remediation. This filter supports multiple values and negation.

Get the vulnerability ID for a specific remediation ID:

filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'"

Get vulnerabilities for multiple remediation IDs:

filter="apps.remediation.ids:['ID1','ID2','ID3']"
cid Unique system-generated customer identifier (CID) of the account.

In multi-CID environments:
  • You can filter by both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered by.
  • If you're in a non-parent CID, this property only shows data for that CID.
Get vulnerabilities for a specific CID:

filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'"
closed_timestamp Date and time a vulnerability was set to a status of CLOSED

Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC:

filter="closed_timestamp:>'2021-06-25T10:32'"

Get vulnerabilities that were marked as closed before October 18, 2021:

filter="closed_timestamp:<'2021-10-18'"
confidence Whether or not the vulnerability has been confirmed:

confirmed
potential

Get vulnerabilities with a potential confidence level:

filter="confidence:<'potential'"
created_timestamp Date and time when this vulnerability was found in your environment.

Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on.

Get vulnerabilities created before September 30, 2021 at 13:22 UTC:

filter="created_timestamp:<'2021-09-25T13:22'"

Get vulnerabilities created after February 12, 2021:

filter="created_timestamp:>'2021-02-12'"
cve.cwes Unique identifier for a vulnerability from the Common Weakness Enumeration (CWE) list

filter="cve.cwes:>['CWE-787','CWE-699']"
cve.exploit_status Numeric value of the most severe known exploit. This filter supports multiple values and negation.

Possible values:
  • 0: Unproven. No known exploits.
  • 30: Available - Medium. At least one known piece of code developed to take advantage of the vulnerability.
  • 60: Easily accessible - High. An exploit that is packaged and easily available in an exploit framework.
  • 90: Actively used - Critical. An exploit that has been used in at least one attack.
Get vulnerabilities with an exploit status of 60:

filter="cve.exploit_status:'60'"

Get vulnerabilities with an exploit status of 30, 60, or 90:

filter="cve.exploit_status:!'0'"

or

filter="cve.exploit_status:['30','60','90']"
cve.exprt_rating ExPRT rating assigned by CrowdStrike's predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation.

Possible values:
  • UNKNOWN: The CVE Metadata lacks some required properties or a technical/temporary problem.
  • LOW: Score is < ~50% Percentile OR it does not have an Exploit prediction.
  • MEDIUM: Score is > ~50% percentile.
  • HIGH: Exploit Status = Easily Accessible Exploit OR it fits in the ~80-95% ExPRT Scores.
  • CRITICAL: Exploit Status = Actively Used Exploit OR it fits in the top 5% ExpRT Scores.
Get vulnerabilities with an ExPRT rating of high:

filter="cve.exprt_rating:'HIGH'"

Get vulnerabilities with an ExPRT rating of high or critical:

filter="cve.exprt_rating:['HIGH','CRITICAL']"

Get vulnerabilities with any ExPRT rating other than unknown:

filter="cve.exprt_rating:!'UNKNOWN'"
cve.id Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities with a specific single CVE ID:

filter="cve.id:['CVE-2022-1234']"

Get vulnerabilities for multiple CVE IDs:

filter="cve.id:['CVE-2022-1234','CVE-2023-1234']"

Get vulnerabilities that do not contain either of 2 specific CVE IDs:

filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']"
cve.is_cisa_kev Filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or false

This filter supports negation.

Get vulnerabilities that are in the CISA KEV catalog:

filter="cve.is_cisa_kev:true"
cve.remediation_level CVSS remediation level of the vulnerability.

This filter supports multiple values and negation.

Get vulnerabilities with an official fix:

filter="cve.remediation_level:'O'"

Get vulnerabilities no available fix:

filter="cve.remediation_level:'U'"
cve.severity CVSS severity rating of the vulnerability. The value must be entered in all caps.

This filter supports multiple values and negation.

Possible values:
  • UNKNOWN: A severity that’s not defined
  • NONE: No severity provided
  • LOW: A low severity computed out of the base score
  • MEDIUM: A medium severity computed out of the base score
  • HIGH: A high severity computed out of the base score
  • CRITICAL: a critical severity computed out of the base score
Get vulnerabilities with a CVE severity of LOW:

filter="cve.severity:'LOW'"

Get vulnerabilities with any CVE severity but UNKNOWN:

filter="cve.severity:!'UNKNOWN'"

Get vulnerabilities with a CVE severity of LOW and MEDIUM:

filter="cve.severity:['LOW','MEDIUM']"
cve.types Vulnerability type:
  • Vulnerability
  • Misconfiguration
  • Unsupported software
filter="cve.types:!'Misconfiguration'"
data_providers.ports Ports on the host where the vulnerability was found by the third-party provider

Get vulnerabilities found on port 53:

filter="data_providers.ports:'53'"

Get vulnerabilities found on any port:

filter="data_providers.ports:!'0'"

data_providers.provider Name of the data provider

Get vulnerabilities for a specific third-party provider:

filter="data_providers.provider:'{provider name}'"
data_providers.rating Possible values:
  • UNKNOWN: A severity that’s not defined
  • NONE: No severity provided
  • LOW: A low severity computed out of the base score
  • MEDIUM: A medium severity computed out of the base score
  • HIGH: A high severity computed out of the base score
  • CRITICAL: a critical severity computed out of the base score
Get vulnerabilities with a third-party rating of CRITICAL:

filter="data_providers.rating:'CRITICAL'"
data_providers.scan_time UTC date and time when the vulnerability was most recently identified by the third-party provider

Get vulnerabilities scanned by a third-party provider after August 3, 2023:

filter="data_providers.scan_time:>'023-08-03'"
data_providers.scanner_id ID of the third-party scanner that identified the vulnerability

Get vulnerabilities found by a specific scanner:

filter="data_providers.scanner_id:'{scanner id}'"
host_info.asset_criticality Assigned criticality level of the asset

Possible values:
  • Critical
  • High
  • Noncritical
  • Unassigned
Get vulnerabilities on hosts with high and critical levels of asset criticality:

filter="host_info.asset_criticality:['Critical','High']"

Get vulnerabilities on hosts without an assigned asset criticality level:

filter="host_info.asset_criticality:!'Unassigned'"
host_info.groups Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs. For more info, see Host and Host Group Management APIs.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities on hosts in a specific host group ID:

filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']"

Get vulnerabilities on hosts in all host groups except a specific host group ID:

filter="host_info.groups:!['03f0b54af2692e99c4cec945818fbef7']"

Get vulnerabilities on hosts in multiple host group IDs:

filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7','1676624bb307f5054406a3c343d40212']"
host_info.has_run_container Whether or not the host is running Kubernetes containers: true or false

Get vulnerabilities on hosts running Kubernetes containers:

filter="host_info.has_run_container:'true'"
host_info.internet_exposure Whether or not the asset is internet-facing:
  • Yes
  • No
  • Pending
Get vulnerabilities on internet-exposed hosts:

filter="host_info.internet_exposure:'Yes'"
host_info.managed_by Indicates if the asset has the Falcon sensor installed:
  • Falcon sensor
  • Unmanaged
This filter supports multiple values and negation.

Get vulnerabilities on assets without a Falcon sensor installed:

filter="host_info.managed_by:'Unmanaged'"
host_info.platform_name Operating system platform.

This filter supports negation.

Possible values:
  • Windows
  • Mac
  • Linux
Get Windows OS vulnerabilities:

filter="host_info.platform_name:'Windows'"

Get Windows OS and macOS vulnerabilities:

filter="host_info.platform_name:!'Linux'"
host_info.product_type_desc Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

Type of host a sensor is running on. This filter supports multiple values and negation. Enter values as shown with the first letter capitalized.

Possible values:
  • Workstation
  • Server
  • Domain Controller
Get vulnerabilities on workstation hosts:

filter="host_info.product_type_desc:'Workstation'"

Get vulnerabilities on server and domain controller hosts:

filter="host_info.product_type_desc:!'Workstation'"

or

filter="host_info.product_type_desc:['Domain Controller','Server']"
host_info.tags Name of a tag assigned to a host. Retrieve tags from Host Tags APIs. For more info, see Host and Host Group Management APIs.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get vulnerabilities on hosts tagged with “ephemeral”:

filter="host_info.tags:['ephemeral']"

Get vulnerabilities on hosts with any tag but “search” or “ephemeral”:

filter="host_info.tags:!['search','ephemeral']"

Get vulnerabilities on hosts tagged with “workstation” or “main”:

filter="host_info.tags:['workstation','main']"
host_info.third_party_asset_ids Asset IDs assigned to the host by third-party providers in the format:

{data_provider}: {data_provider_asset_id}

This filter supports multiple values and negation.

Get vulnerabilities for a specific third-party asset:

filter="host_info.third_party_asset_ids:'{data_provider}: {data_provider_asset_id}'"
last_seen_within Filter for vulnerabilities based on the number of days since a host last connected to Falcon. Enter a numeric value from 3 to 45 to indicate the number of days you want to look back. All active hosts seen up to the specified number of days are returned with a host_last_seen_timestamp response field populated as follows:

A UTC timestamp of the most recent connection displays for hosts that were last seen online more than 3 days ago

Null for hosts that have been online in the last 3 days

Possible values: Integer, from 3–45

Note: Values less than 3 and greater than 45 are not supported and will result in an error.

Get vulnerabilities for hosts that last connected to Falcon within the last 10 days:

filter="last_seen_within:'10'"

The host_last_seen_timestamp in the response shows:
  • A timestamp for last host activity detected on days 4-10
  • Null for last host activity detected on days 1-3
services.port Port on the host where a vulnerability was found by Falcon EASM or a third-party provider

filter="services.port:'443'"
services.protocol Network protocols recognized by Falcon EASM

filter="services.protocol:'pop3'"
services.transport Transport methods recognized by Falcon EASM

filter="services.transport:'tcp'"
status Status of a vulnerability. The value must be entered in all lowercase letters.

This filter supports multiple values and negation.

Possible values:
  • open: Vulnerabilities that are currently open. A vulnerability is automatically assigned the open status upon creation.
  • closed: Vulnerabilities that are closed. You can close a vulnerability from the open or reopen status.
  • reopen: Vulnerabilities that are currently reopened after previously being closed.
  • expired: Vulnerabilities on decommissioned hosts that are set to be deleted. The expired status appears 3 days before a vulnerability is deleted from the system.
Note that vulnerabilities in the expired status are visible only through the API. They do not appear in the Falcon console or in reports.

Get vulnerabilities with a status of open:

filter="status:'open'"

Get vulnerabilities with any status except closed:

filter="status:!'closed'"

Get vulnerabilities with a status of open or reopen:

filter="status:['open','reopen']"

or

filter="status:!['closed','expired']"
suppression_info.is_suppressed Indicates if the vulnerability is suppressed by a suppression rule or not

Get suppressed vulnerabilities:

filter="suppression_info.is_suppressed:true"
suppression_info.reason Attribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE.

This filter supports multiple values and negation.

Note: All values must be enclosed in brackets, including single values.

Get suppressed vulnerabilities where the reason for the rule is “accept risk”:

filter="suppression_info.reason:['ACCEPT_RISK']"

Get suppressed vulnerabilities where the reason for the rule is anything except “false positive”:

filter="suppression_info.reason:!['FALSE_POSITIVE']"

Get suppressed vulnerabilities where the reason for the rule is “compensating control” or “false positive”:

filter="suppression_info.reason:['COMPENSATING_CONTROL','FALSE_POSITIVE']"
updated_timestamp UTC date and time of the last update made on a vulnerability

Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC:

filter="updated_timestamp:<'2021-10-20T22:36'"

Get vulnerabilities that were last updated after September 15, 2021:

filter="updated_timestamp:>'2021-09-15'"
vulnerability_id Tip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters.

CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability

For more info, see Asset Management APIs.

This filter supports multiple values and negation.

Get vulnerabilities with a specific single CVE ID:

filter="vulnerability_id:['CVE-2022-1234']"

Get vulnerabilities for multiple CVE IDs:

filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']"

Get vulnerabilities that do not contain either of 2 specific CVE IDs:

filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']"

Usage

You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.

Service class example (PEP8 syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.query_vulnerabilities(after="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string"
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import SpotlightVulnerabilities

# Do not hardcode API credentials!
falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.queryVulnerabilities(after="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string"
                                       )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryVulnerabilities",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
⚠️ **GitHub.com Fallback** ⚠️