Falcon Spotlight provides vulnerability assessment and management capabilities for devices in your environment. Use these cmdlets to search for vulnerabilities, retrieve remediation details, and review evaluation logic.
Get-FalconVulnerability
Search for Falcon Spotlight vulnerabilities.
Get-FalconVulnerability -Filter "status:'open'" -Detailed
Parameters
- Vulnerability identifier(s) in format [aid]_[cve]
- Falcon Query Language expression to limit results
- Include additional properties: cve, evaluation_logic, host_info, remediation
- Property and direction to sort results. Options: created_timestamp.asc, created_timestamp.desc, closed_timestamp.asc, closed_timestamp.desc, updated_timestamp.asc, updated_timestamp.desc
- Maximum number of results per request (1-5000)
- Pagination token to retrieve the next set of results
- Retrieve detailed information
- Repeat requests until all available results are retrieved
- Display total result count instead of results
Example: Find Critical Vulnerabilities
# Search for open critical vulnerabilities
$Vulnerabilities = Get-FalconVulnerability -Filter "status:'open'+severity:'critical'" -Detailed -All
# Group by CVE (cve.id is a nested property, so Group-Object needs a script block rather than a property name)
$Vulnerabilities | Group-Object -Property { $_.cve.id } | Select-Object Name, Count
Example: Get Vulnerability Details
# Get detailed information for specific vulnerabilities
$VulnIds = @('aid1_cve123', 'aid2_cve456')
Get-FalconVulnerability -Id $VulnIds
Get-FalconRemediation
Retrieve details about remediations for Falcon Spotlight vulnerabilities.
Get-FalconRemediation -Id <remediation_id>
Parameters
- Remediation identifier(s) or detailed vulnerability objects containing remediation IDs
Example: Retrieve Remediation Details
# Get vulnerabilities with remediation facet
$Vulns = Get-FalconVulnerability -Filter "status:'open'" -Facet remediation -Detailed
# Extract and retrieve remediation details
$Vulns | Get-FalconRemediation
Get-FalconVulnerabilityLogic
Search for Falcon Spotlight vulnerability evaluation logic.
Get-FalconVulnerabilityLogic -Filter "created_timestamp:>'2024-01-01'" -Detailed
Parameters
- Vulnerability logic identifier(s) or detailed vulnerability objects
- Falcon Query Language expression to limit results
- Property and direction to sort results
- Maximum number of results per request
- Pagination token to retrieve the next set of results
- Retrieve detailed information
- Repeat requests until all available results are retrieved
- Display total result count instead of results
Example: Review Evaluation Logic
# Get vulnerabilities with evaluation logic facet
$Vulns = Get-FalconVulnerability -Filter "cve.id:'CVE-2024-1234'" -Facet evaluation_logic -Detailed
# Retrieve evaluation logic details
$Vulns | Get-FalconVulnerabilityLogic
Use Cases
Vulnerability Assessment Report
# Generate vulnerability report by severity
$OpenVulns = Get-FalconVulnerability -Filter "status:'open'" -Detailed -All
$Report = $OpenVulns | Group-Object -Property { $_.cve.severity } | ForEach-Object {
[PSCustomObject]@{
Severity = $_.Name
Count = $_.Count
CVEs = ($_.Group | ForEach-Object { $_.cve.id } | Select-Object -Unique) -join ', '
}
}
$Report | Format-Table -AutoSize
Vulnerabilities with Available Remediations
# Get vulnerabilities with available remediations
$VulnsWithRemediation = Get-FalconVulnerability -Filter "status:'open'" -Facet remediation -Detailed
# Extract remediation details
$Remediations = $VulnsWithRemediation | Get-FalconRemediation
# Display remediation information
$Remediations | Select-Object id, title, action | Format-Table -AutoSize
Host-Specific Vulnerabilities
# Find vulnerabilities for a specific host
$HostAid = 'abc123...'
$HostVulns = Get-FalconVulnerability -Filter "aid:'$HostAid'" -Facet host_info,cve -Detailed
# Display vulnerabilities with host context (nested properties need calculated properties in Select-Object)
$HostVulns | Select-Object @{Name='CVE';Expression={$_.cve.id}},
    @{Name='Severity';Expression={$_.cve.severity}},
    @{Name='Hostname';Expression={$_.host_info.hostname}} | Format-Table
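The use cases above can be combined into one prioritization report that joins the cve, host_info and remediation facets, computes how long each finding has been open, and writes the result to CSV. This is an added example, not part of the PSFalcon documentation; it assumes an existing Falcon session with the Vulnerabilities: Read scope, and the property names not shown on this page (remediation.ids, aid on the vulnerability object) are assumptions about the Spotlight vulnerability object.

```powershell
# Added example (not PSFalcon's own code). Assumes an authenticated session and
# that each detailed vulnerability exposes 'aid', 'created_timestamp' and
# 'remediation.ids' (assumed names; adjust if your tenant returns others).
function Get-SpotlightPriorityReport {
    [CmdletBinding()]
    param(
        [ValidateSet('critical','high','medium','low')]
        [string[]]$Severity = @('critical','high'),
        [int]$MinDaysOpen = 0,
        [string]$CsvPath
    )
    # FQL: '+' is AND, ',' is OR; parentheses group the severity alternatives.
    $SevFilter = ($Severity | ForEach-Object { "severity:'$_'" }) -join ','
    $Filter = "status:'open'+($SevFilter)"
    # -All follows pagination so the report covers every matching finding.
    $Vulns = Get-FalconVulnerability -Filter $Filter -Facet cve,host_info,remediation -Detailed -All

    # Resolve remediation objects once; vulnerabilities only carry remediation IDs.
    $RemediationById = @{}
    $Vulns | Get-FalconRemediation | ForEach-Object { $RemediationById[$_.id] = $_ }

    $Now = Get-Date
    $Rows = foreach ($v in $Vulns) {
        $DaysOpen = [int]($Now - [datetime]$v.created_timestamp).TotalDays
        if ($DaysOpen -lt $MinDaysOpen) { continue }
        # Collect the remediation action text for every ID attached to this finding.
        $Actions = foreach ($rid in $v.remediation.ids) {
            if ($RemediationById.ContainsKey($rid)) { $RemediationById[$rid].action }
        }
        [PSCustomObject]@{
            Hostname    = $v.host_info.hostname
            Aid         = $v.aid
            Cve         = $v.cve.id
            Severity    = $v.cve.severity
            DaysOpen    = $DaysOpen
            Remediation = ($Actions | Select-Object -Unique) -join ' | '
        }
    }
    # Longest-open findings first; Sort-Object takes a hashtable for descending order.
    $Rows = $Rows | Sort-Object -Property @{Expression='DaysOpen';Descending=$true}
    if ($CsvPath) { $Rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    $Rows
}

# Usage: open critical/high findings older than 30 days, exported for ticketing.
Get-SpotlightPriorityReport -Severity critical,high -MinDaysOpen 30 -CsvPath .\spotlight-priority.csv |
    Format-Table -AutoSize
```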
Requires the Vulnerabilities: Read scope for all Spotlight cmdlets.