How to Use Custom Filters in Falcon Spotlight

Introduction

This article and video provide an overview of the power of custom filters in Falcon Spotlight. Spotlight provides customers with real-time data about the vulnerabilities in their environment. With custom filters, organizations can quickly sort that data to focus on critical assets, vulnerabilities and remediations, and those filters can then be saved for repeat use.

Filtering Vulnerability Data

By default, the Spotlight dashboard displays a summary of all open vulnerabilities in the environment with a breakdown by severity.

Spotlight dashboard

That data can be filtered using the faceted search at the top of the page or a number of other attributes shown in the menu below.

spotlight filter menu

Once the desired criteria are in place, users also have the option to save that filter for repeat use. In the example below, the new saved filter will identify all open, critical vulnerabilities on hosts in the remote systems group. Filters can also be created from the “Custom Filters” app.

spotlight save filter

Using Saved Filters

Once filters are saved, they can be accessed from the pull-down menu on the Spotlight dashboard or the Vulnerabilities app.

spotlight custom filter menu

Upon selecting a saved filter, the criteria and results are immediately displayed. The “New Firefox vulnerabilities” filter reflects only vulnerabilities in the Firefox product that have been opened in the last thirty days.

spotlight firefox filter

With the custom filter in place, users still have the ability to use the menu bar to further filter the information. However, there is also the option to “group” the resulting vulnerabilities by host, product, product version and remediation. These options provide different views of the data to help prioritize patching efforts.

spotlight group menu

Prioritized Remediation

Because a single patch or upgrade can resolve multiple vulnerabilities, grouping vulnerabilities by remediation helps organizations quickly understand how to address large groups of vulnerabilities at once. In the example below, the filter displays open high and critical severity vulnerabilities in the San Francisco office. Grouping by host shows that all of the reported vulnerabilities exist on one host. Grouping by remediation shows which two updates should be installed first to address the vast majority of those vulnerabilities.

spotlight group remediation
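The filter-and-group workflow described above (open high/critical findings in one office, grouped by host and by remediation; Firefox findings opened in the last thirty days; open criticals in the remote systems group), as an added example in Python that is not part of the article or of Falcon Spotlight. The record fields, host names, dates and remediation names are constructed stand-ins for a Spotlight export, not the Falcon API schema:

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample rows in the shape of Spotlight's vulnerability list.
# Field names and values are assumptions for this example, not the Falcon schema.
TODAY = date(2024, 6, 1)
FF, WIN, JAVA, CHR = "Update Firefox to 126", "Install Windows monthly rollup", "Update Java runtime", "Update Chrome"

def rec(host, group, product, severity, status, opened, remediation):
    return dict(host=host, group=group, product=product, severity=severity,
                status=status, opened=date.fromisoformat(opened), remediation=remediation)

VULNS = [
    rec("sf-ws-01", "San Francisco", "Firefox", "CRITICAL", "open", "2024-05-20", FF),
    rec("sf-ws-01", "San Francisco", "Firefox", "HIGH", "open", "2024-05-20", FF),
    rec("sf-ws-01", "San Francisco", "Firefox", "HIGH", "open", "2024-03-01", FF),
    rec("sf-ws-01", "San Francisco", "Firefox", "CRITICAL", "closed", "2024-04-15", FF),
    rec("sf-ws-01", "San Francisco", "Windows", "CRITICAL", "open", "2024-05-10", WIN),
    rec("sf-ws-01", "San Francisco", "Windows", "HIGH", "open", "2024-05-10", WIN),
    rec("sf-ws-01", "San Francisco", "Windows", "HIGH", "open", "2024-05-10", WIN),
    rec("sf-ws-01", "San Francisco", "Java", "HIGH", "open", "2024-04-01", JAVA),
    rec("sf-ws-01", "San Francisco", "Chrome", "MEDIUM", "open", "2024-05-30", CHR),
    rec("nyc-ws-07", "New York", "Firefox", "CRITICAL", "open", "2024-05-25", FF),
    rec("rem-lt-03", "remote systems", "Firefox", "CRITICAL", "open", "2024-05-28", FF),
]

def apply_filter(vulns, **criteria):
    """Keep rows matching every criterion (the faceted search); a set value means 'any of these'."""
    return [v for v in vulns
            if all(v[k] in val if isinstance(val, set) else v[k] == val
                   for k, val in criteria.items())]

def opened_within(vulns, days, today=TODAY):
    """The 'opened in the last N days' facet."""
    return [v for v in vulns if (today - v["opened"]).days <= days]

def group_by(vulns, field):
    """The 'group by host / product / remediation' view."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v[field]].append(v)
    return dict(groups)

def prioritize_remediations(vulns, top=2):
    """Rank remediations by findings closed, with the cumulative share of findings covered."""
    counts, total = Counter(v["remediation"] for v in vulns), len(vulns)
    covered, ranked = 0, []
    for rem, n in counts.most_common(top):
        covered += n
        ranked.append((rem, n, round(covered / total, 2)))
    return ranked
```

For the San Francisco filter the two top remediations cover six of the seven open high/critical findings, which is the "vast majority" the article describes; the remaining Java finding needs its own update.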

Closing

Falcon Spotlight provides custom filters and prioritized remediation to help companies quickly understand vulnerability data, identify risk and prioritize remediation.
