Pulling all Spotlight data

[mtobias-getty]

We utilize multiple vulnerability management products and like to standardize on one visualization system for our vulnerability data. I'm hoping to pull all host and vulnerability data from Spotlight via API. What I was hoping/expecting is that there would be a many to one relationship between hosts and vulnerability information. For example, these 5 hosts all have this 1 CVE, here are the details for this CVE.

I'm finding that is not the case with the current Spotlight APIs. It appears that the vulnerability IDs are tied in a 1 to 1 relationship with the agent IDs. So even though 5 hosts all have 1 CVE, I have 5 records for that CVE because the CVE record, via the get_vulnerabilities endpoint in Falconpy. While I should be able to do what I'm looking for, this is likely going to result in a large amount of data storage as well as API transfer to constantly pull all of this information. Am I thinking about this in the wrong way? From what I can see to essentially export everything my hands are a bit tied to pull all vuln IDs via the query_vulnerabilities endpoint by specifying a filter such as last seen within 45 days, and then putting all of those vuln IDs through the get_vulnerabilities endpoint.

[jshcodes]

Hi @mtobias-getty!

You're correct that you will have a hit for each host / CVE. You may have to massage the data to meet your requirements as you consume the results.

While researching this question, I wound up producing a new Spotlight Vulnerabilities sample. In an effort to speak to the concerns you've listed, I've reduced the data transfer to the bare minimum and used a simple JSON structure for data storage.

This sample leverages the combinedQueryVulnerabilities operation.

JSON structure

UPPER CASE represents a dynamic value.

{
    "sensor": {
        "HOST_AID": {
            "SEVERITY": ["CVE IDs..."]
        }
    },
    "cve": {
        "SEVERITY": {
            "CVE_ID": ["HOST AIDs..."]
        }
    }
}

Notes

• The default behavior is to exclude duplicates. This can be disabled with the -a command line argument.

• This simple example only correlates severity, AID and CVE ID.

• You can save the results of a report to JSON format with the -o command line argument.

  • Example: python3 spotlight_quick_report.py -k KEY -s SECRET -d 3 -o save_file.json.
    This file can then be loaded again using the -f argument.

• For more details regarding command line arguments, check the help provided by the -h argument.

Let us know if there are any questions! 😄

[mtobias-getty]

Thanks @jshcodes! Does confirm what I was understanding from reading the docs. I appreciate the quick response.