
How to Use Scheduled Reports with Falcon Spotlight

July 2, 2021

CrowdStrike Tech Center

Introduction

Falcon Spotlight, CrowdStrike’s vulnerability management module, leverages the existing agent to provide real-time vulnerability assessment of managed hosts. That vulnerability data is available in the CrowdStrike UI, and it can also be exported or shared with the appropriate teams via reports.


Falcon Spotlight Dashboard

The main dashboard presents a count of open vulnerabilities by severity, and this view can be filtered by a number of attributes. The save filter function is available on this page and on the vulnerabilities page, enabling quick, repeat access to filtered data in the UI.


The dashboard also includes charts for recommended remediations and remediations by severity. The statistics on the dashboard are clickable and lead to the supporting vulnerability details.


Creating Scheduled Reports

In this example, filtering for open, high severity remediations related to Firefox reveals a single remediation that should be applied to 31 hosts in order to resolve over thirteen hundred vulnerabilities with available exploits. In addition to the save filter function, the option to “Create scheduled report” automates regular communication of Falcon Spotlight data outside of the user interface.


The report is automatically configured based on the current search parameters, with the opportunity to add more filters. For example, using “Exploit status” helps to highlight vulnerabilities with a real potential to present a security risk.


Once the filters are defined, each report can be given a name and description. The format preference can be selected before specifying who should have access to the report.


The next menu provides choices for how often the report should be generated. The end date can be set, as well as the frequency, day and time.


Finally, Spotlight has the ability to generate email, Slack or PagerDuty notifications each time the report is generated. After selecting the notification preference, there are prompts to select the recipients.


Upon saving the newly created report, the list of all scheduled reports is shown with menu options to run or edit the report, change the schedule or delete the report. From this view, users can also create additional scheduled reports.


Accessing Scheduled Reports

As scheduled reports are generated, notifications will include a download link that can only be accessed by the selected recipients, to ensure the security of the shared information.


To access the reports from the user interface, open the Spotlight “Reports” option from the main Falcon menu. The page presents a list of current reports with options to download or delete the reports.


Closing

Using the existing agent, Falcon Spotlight provides real-time vulnerability reporting through the same easy-to-use CrowdStrike user interface. With scheduled reports, that information can be distributed to the proper teams on a regular basis to ensure vulnerabilities are properly prioritized and remediated.
