Spotlight Evaluation Logic

The Spotlight Evaluation Logic service collection provides operations for querying the evaluation rules that Spotlight uses to assess vulnerabilities. Search for evaluation logic definitions by FQL filter to understand how specific CVEs are detected and scored across your environment.

Language	Last Update
Python	v1.5.5
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Operation	Description
combinedQueryEvaluationLogic `query_evaluation_logic_combined`	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
combinedSupportedEvaluationExt `get_supported_evaluations`	Perform a combined query and get for RiskSupportedEvaluation entities.
getEvaluationLogic `get_evaluation_logic`	Get details on evaluation logic items by providing one or more IDs.
queryEvaluationLogic `query_evaluation_logic`	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

combinedQueryEvaluationLogic

Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.

GET /spotlight/combined/evaluation-logic/v1

Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json

PEP 8 query_evaluation_logic_combined

Parameters

Name	Type	Data type	Description
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
filter	query	string	FQL query specifying the filter parameters.
limit	query	integer	Maximum number of entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.
sort	query	string	Sort evaluation logic by their properties.

Code Examples

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.query_evaluation_logic_combined(after="string",
                                                  filter="string",
                                                  limit="string",
                                                  sort="string")
print(response)

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.combinedQueryEvaluationLogic(after="string",
                                               filter="string",
                                               limit="string",
                                               sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combinedQueryEvaluationLogic",
                          after="string",
                          limit=integer,
                          filter="string",
                          sort="string")
print(response)

Get-FalconVulnerabilityLogic -Filter "string" `
  -Sort "string" `
  -Limit integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/spotlight_evaluation_logic"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  after := "string"
  limit := int64(0)
  sort := "string"

  response, err := client.SpotlightEvaluationLogic.CombinedQueryEvaluationLogic(
    &spotlight_evaluation_logic.CombinedQueryEvaluationLogicParams{
      After: &after,
      Limit: &limit,
      Filter: "string",
      Sort: &sort,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.spotlightEvaluationLogic.combinedQueryEvaluationLogic(
  "string",  // filter
  "string",  // after
  integer,  // limit
  "string"  // sort
);

console.log(response);

use rusty_falcon::apis::spotlight_evaluation_logic_api::combined_query_evaluation_logic;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = combined_query_evaluation_logic(
        &falcon.cfg,  // configuration
        "string",  // filter
        Some("string"),  // after
        Some(integer),  // limit
        Some("string"),  // sort
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::SpotlightEvaluationLogic.new

response = api.combined_query_evaluation_logic('string')

puts response

combinedSupportedEvaluationExt

Perform a combined query and get for RiskSupportedEvaluation entities.

GET /spotlight/combined/supported-evaluation-external/v1

Scope Risk Platform Risk: READ Consumes · Produces application/json

PEP 8 get_supported_evaluations

Parameters

Name	Type	Data type	Description
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
filter	query	string	Filter items using a query in Falcon Query Language (FQL). Wildcards `` and empty filter values are unsupported. Available filter fields that support exact match: `id`, `risk_id`, `risk_provider`, `finding_provider`, `platform`. Available filter fields that support range comparisons (>, <, >=, <=): `created_timestamp`, `updated_timestamp`. Required*.
limit	query	integer	The number of items to return in this response (default: 100, max: 400). Use with the `after` parameter to manage pagination of results.
offset	query	string	Starting index of overall result set from which to return ids.
risk_provider	query	string or list of strings	Zero or more risk providers. Zero means all. Supported values: `S` (for Falcon sensor).
sort	query	string	Sort vulnerabilities by their properties. Available sort options: `created_timestamp\|asc/desc`, `updated_timestamp\|asc/desc`.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_supported_evaluations(after="string",
                                            filter="string",
                                            limit="string",
                                            offset="string",
                                            risk_provider=id_list,
                                            sort="string")
print(response)

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.combinedSupportedEvaluationExt(after="string",
                                                 filter="string",
                                                 limit="string",
                                                 offset="string",
                                                 risk_provider=id_list,
                                                 sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("combinedSupportedEvaluationExt",
                          after="string",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          risk_provider=id_list)
print(response)

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/spotlight_supported_evaluation"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  after := "string"
  offset := "string"
  limit := int64(0)
  sort := "string"

  response, err := client.SpotlightSupportedEvaluation.CombinedSupportedEvaluationExt(
    &spotlight_supported_evaluation.CombinedSupportedEvaluationExtParams{
      After: &after,
      Offset: &offset,
      Limit: &limit,
      Sort: &sort,
      Filter: "string",
      RiskProvider: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.spotlightSupportedEvaluation.combinedSupportedEvaluationExt(
  "string",  // filter
  "string",  // after
  "string",  // offset
  integer,  // limit
  "string",  // sort
  ["ID1", "ID2", "ID3"]  // riskProvider
);

console.log(response);

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::SpotlightSupportedEvaluation.new

response = api.combined_supported_evaluation_ext('string')

puts response

getEvaluationLogic

Get details on evaluation logic items by providing one or more IDs.

GET /spotlight/entities/evaluation-logic/v1

Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json

PEP 8 get_evaluation_logic

Parameters

Name	Type	Data type	Description
ids	query	list of strings	One or more evaluation logic IDs.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_evaluation_logic(ids=id_list)
print(response)

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getEvaluationLogic(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getEvaluationLogic",
                          ids=id_list)
print(response)

Get-FalconVulnerabilityLogic -Filter "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/spotlight_evaluation_logic"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.SpotlightEvaluationLogic.GetEvaluationLogic(
    &spotlight_evaluation_logic.GetEvaluationLogicParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.spotlightEvaluationLogic.getEvaluationLogic(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::spotlight_evaluation_logic_api::get_evaluation_logic;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_evaluation_logic(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::SpotlightEvaluationLogic.new

response = api.get_evaluation_logic(['ID1', 'ID2', 'ID3'])

puts response

queryEvaluationLogic

Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

GET /spotlight/queries/evaluation-logic/v1

Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json

PEP 8 query_evaluation_logic

Parameters

Name	Type	Data type	Description
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
filter	query	string	FQL query specifying the filter parameters.
limit	query	integer	Maximum number of entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.
sort	query	string	Sort evaluation logic by their properties.

Code Examples

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.query_evaluation_logic(after="string",
                                         filter="string",
                                         limit="string",
                                         sort="string")
print(response)

from falconpy import SpotlightEvaluationLogic

falcon = SpotlightEvaluationLogic(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )

response = falcon.queryEvaluationLogic(after="string",
                                       filter="string",
                                       limit="string",
                                       sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryEvaluationLogic",
                          after="string",
                          limit=integer,
                          filter="string",
                          sort="string")
print(response)

Get-FalconVulnerabilityLogic -Filter "string" `
  -Sort "string" `
  -Limit integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/spotlight_evaluation_logic"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  after := "string"
  limit := int64(0)
  sort := "string"

  response, err := client.SpotlightEvaluationLogic.QueryEvaluationLogic(
    &spotlight_evaluation_logic.QueryEvaluationLogicParams{
      After: &after,
      Limit: &limit,
      Filter: "string",
      Sort: &sort,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.spotlightEvaluationLogic.queryEvaluationLogic(
  "string",  // filter
  "string",  // after
  integer,  // limit
  "string"  // sort
);

console.log(response);

use rusty_falcon::apis::spotlight_evaluation_logic_api::query_evaluation_logic;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_evaluation_logic(
        &falcon.cfg,  // configuration
        "string",  // filter
        Some("string"),  // after
        Some(integer),  // limit
        Some("string"),  // sort
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::SpotlightEvaluationLogic.new

response = api.query_evaluation_logic('string')

puts response

Spotlight Evaluation Logic

Table of Contents

combinedQueryEvaluationLogic

Parameters

Code Examples

combinedSupportedEvaluationExt

Parameters

Code Examples

getEvaluationLogic

Parameters

Code Examples

queryEvaluationLogic

Parameters

Code Examples