Skip to content
CrowdStrike Developer Center

Spotlight Vulnerabilities

The Spotlight Vulnerabilities service collection provides operations for querying and retrieving vulnerability data across your environment. Search for vulnerabilities using FQL filters, retrieve details on specific vulnerabilities and remediations, and use continuous pagination for large result sets.

LanguageLast Update
Pythonv1.4.9
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

This service collection has code examples posted to the repository.

Table of Contents

Section titled “Table of Contents”
OperationDescription
combinedQueryVulnerabilities
query_vulnerabilities_combined		Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.
getRemediationsV2
get_remediations_v2		Get details on remediation by providing one or more IDs.
getVulnerabilities
get_vulnerabilities		Get details on vulnerabilities by providing one or more IDs.
queryVulnerabilities
query_vulnerabilities		Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.
getRemediations
get_remediations		Get details on remediations by providing one or more IDs.

combinedQueryVulnerabilities

Section titled “combinedQueryVulnerabilities”

Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.

GET /spotlight/combined/vulnerabilities/v1
Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json
PEP 8 query_vulnerabilities_combined

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
facetquerystringSelect various detail blocks to be returned for each vulnerability. Supported values: host_info, remediation, cve, evaluation_logic.
filterquerystringFQL formatted filter that should be used to limit the results. Wildcards * are unsupported. You must provide a filter, either via this keyword or as part of a parameters payload in order to use this method. Review the available filters table below for more detail.
limitqueryintegerMaximum number of results to return. (Max: 5000, Default: 100)
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringFQL formatted sort filter. Common sort options include: created_timestamp|desc, closed_timestamp|asc, updated_timestamp|desc.
Available filters
Section titled “Available filters”
NameDescription
aidUnique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. Get vulnerabilities for a specific AID: filter="aid:'abcde6b9a3427d8c4a1af416424d6231'"
apps.remediation.idsUnique identifier of a remediation. This filter supports multiple values and negation. Get the vulnerability ID for a specific remediation ID: filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'" Get vulnerabilities for multiple remediation IDs: filter="apps.remediation.ids:['ID1','ID2','ID3']"
cidUnique system-generated customer identifier (CID) of the account. In multi-CID environments: You can filter by both parent and child CIDs. If you’re in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs. If you’re in a parent CID and use this filter, the response includes data for only the CIDs you filtered by. If you’re in a non-parent CID, this property only shows data for that CID. Get vulnerabilities for a specific CID: filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'"
closed_timestampDate and time a vulnerability was set to a status of CLOSED. Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC: filter="closed_timestamp:>'2021-06-25T10:32'" Get vulnerabilities that were marked as closed before October 18, 2021: filter="closed_timestamp:<'2021-10-18'"
confidenceWhether or not the vulnerability has been confirmed: confirmed, potential. Get vulnerabilities with a potential confidence level: filter="confidence:<'potential'"
created_timestampDate and time when this vulnerability was found in your environment. Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on. Get vulnerabilities created before September 30, 2021 at 13:22 UTC: filter="created_timestamp:<'2021-09-25T13:22'" Get vulnerabilities created after February 12, 2021: filter="created_timestamp:>'2021-02-12'"
cve.base_scoreCVE base score. filter="cve.base_score:>50"
cve.cwesUnique identifier for a vulnerability from the Common Weakness Enumeration (CWE) list. filter="cve.cwes:>['CWE-787','CWE-699']"
cve.exploit_statusNumeric value of the most severe known exploit. This filter supports multiple values and negation. Possible values: 0 (Unproven, no known exploits), 30 (Available - Medium, at least one known piece of code developed to take advantage of the vulnerability), 60 (Easily accessible - High, an exploit that is packaged and easily available in an exploit framework), 90 (Actively used - Critical, an exploit that has been used in at least one attack). Get vulnerabilities with an exploit status of 60: filter="cve.exploit_status:'60'" Get vulnerabilities with an exploit status of 30, 60, or 90: filter="cve.exploit_status:!'0'" or filter="cve.exploit_status:['30','60','90']"
cve.exprt_ratingExPRT rating assigned by CrowdStrike’s predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation. Possible values: UNKNOWN (The CVE Metadata lacks some required properties or a technical/temporary problem), LOW (Score is < ~50% Percentile OR it does not have an Exploit prediction), MEDIUM (Score is > ~50% percentile), HIGH (Exploit Status = Easily Accessible Exploit OR it fits in the ~80-95% ExPRT Scores), CRITICAL (Exploit Status = Actively Used Exploit OR it fits in the top 5% ExpRT Scores). Get vulnerabilities with an ExPRT rating of high: filter="cve.exprt_rating:'HIGH'" Get vulnerabilities with an ExPRT rating of high or critical: filter="cve.exprt_rating:['HIGH','CRITICAL']" Get vulnerabilities with any ExPRT rating other than unknown: filter="cve.exprt_rating:!'UNKNOWN'"
cve.idTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities with a specific single CVE ID: filter="cve.id:['CVE-2022-1234']" Get vulnerabilities for multiple CVE IDs: filter="cve.id:['CVE-2022-1234','CVE-2023-1234']" Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']"
cve.is_cisa_kevFilter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or false. This filter supports negation. Get vulnerabilities that are in the CISA KEV catalog: filter="cve.is_cisa_kev:true"
cve.remediation_levelCVSS remediation level of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with an official fix: filter="cve.remediation_level:'O'" Get vulnerabilities with no available fix: filter="cve.remediation_level:'U'"
cve.severityCVSS severity rating of the vulnerability. The value must be entered in all caps. This filter supports multiple values and negation. Possible values: UNKNOWN (A severity that’s not defined), NONE (No severity provided), LOW (A low severity computed out of the base score), MEDIUM (A medium severity computed out of the base score), HIGH (A high severity computed out of the base score), CRITICAL (a critical severity computed out of the base score). Get vulnerabilities with a CVE severity of LOW: filter="cve.severity:'LOW'" Get vulnerabilities with any CVE severity but UNKNOWN: filter="cve.severity:!'UNKNOWN'" Get vulnerabilities with a CVE severity of LOW and MEDIUM: filter="cve.severity:['LOW','MEDIUM']"
cve.typesVulnerability type: Vulnerability, Misconfiguration, Unsupported software. filter="cve.types:!'Misconfiguration'"
data_providers.portsPorts on the host where the vulnerability was found by the third-party provider. Get vulnerabilities found on port 53: filter="data_providers.ports:'53'" Get vulnerabilities found on any port: filter="data_providers.ports:!'0'"
data_providers.providerName of the data provider. Get vulnerabilities for a specific third-party provider: filter="data_providers.provider:'{provider name}'"
data_providers.ratingPossible values: UNKNOWN (A severity that’s not defined), NONE (No severity provided), LOW (A low severity computed out of the base score), MEDIUM (A medium severity computed out of the base score), HIGH (A high severity computed out of the base score), CRITICAL (a critical severity computed out of the base score). Get vulnerabilities with a third-party rating of CRITICAL: filter="data_providers.rating:'CRITICAL'"
data_providers.scan_timeUTC date and time when the vulnerability was most recently identified by the third-party provider. Get vulnerabilities scanned by a third-party provider after August 3, 2023: filter="data_providers.scan_time:>'023-08-03'"
data_providers.scanner_idID of the third-party scanner that identified the vulnerability. Get vulnerabilities found by a specific scanner: filter="data_providers.scanner_id:'{scanner id}'"
host_info.asset_criticalityAssigned criticality level of the asset. Possible values: Critical, High, Noncritical, Unassigned. Get vulnerabilities on hosts with high and critical levels of asset criticality: filter="host_info.asset_criticality:['Critical','High']" Get vulnerabilities on hosts without an assigned asset criticality level: filter="host_info.asset_criticality:!'Unassigned'"
host_info.groupsUnique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts in a specific host group ID: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']" Get vulnerabilities on hosts in all host groups except a specific host group ID: filter="host_info.groups:!['03f0b54af2692e99c4cec945818fbef7']" Get vulnerabilities on hosts in multiple host group IDs: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7','1676624bb307f5054406a3c343d40212']"
host_info.has_run_containerWhether or not the host is running Kubernetes containers: true or false. Get vulnerabilities on hosts running Kubernetes containers: filter="host_info.has_run_container:'true'"
host_info.instance_stateHost instance state.
host_info.internet_exposureWhether or not the asset is internet-facing: Yes, No, Pending. Get vulnerabilities on internet-exposed hosts: filter="host_info.internet_exposure:'Yes'"
host_info.managed_byIndicates if the asset has the Falcon sensor installed: Falcon sensor, Unmanaged. This filter supports multiple values and negation. Get vulnerabilities on assets without a Falcon sensor installed: filter="host_info.managed_by:'Unmanaged'"
host_info.platform_nameOperating system platform. This filter supports negation. Possible values: Windows, Mac, Linux. Get Windows OS vulnerabilities: filter="host_info.platform_name:'Windows'" Get Windows OS and macOS vulnerabilities: filter="host_info.platform_name:!'Linux'"
host_info.product_type_descTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Type of host a sensor is running on. This filter supports multiple values and negation. Enter values as shown with the first letter capitalized. Possible values: Workstation, Server, Domain Controller. Get vulnerabilities on workstation hosts: filter="host_info.product_type_desc:'Workstation'" Get vulnerabilities on server and domain controller hosts: filter="host_info.product_type_desc:!'Workstation'" or filter="host_info.product_type_desc:['Domain Controller','Server']"
host_info.tagsName of a tag assigned to a host. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities on hosts tagged with “ephemeral”: filter="host_info.tags:['ephemeral']" Get vulnerabilities on hosts with any tag but “search” or “ephemeral”: filter="host_info.tags:!['search','ephemeral']" Get vulnerabilities on hosts tagged with “workstation” or “main”: filter="host_info.tags:['workstation','main']"
host_info.third_party_asset_idsAsset IDs assigned to the host by third-party providers in the format: {data_provider}: {data_provider_asset_id}. This filter supports multiple values and negation. Get vulnerabilities for a specific third-party asset: filter="host_info.third_party_asset_ids:'&#123;data_provider&#125;: &#123;data_provider_asset_id&#125;'"
last_seen_withinFilter for vulnerabilities based on the number of days since a host last connected to Falcon. Enter a numeric value from 3 to 45 to indicate the number of days you want to look back. Possible values: Integer, from 3–45. Note: Values less than 3 and greater than 45 are not supported and will result in an error. Get vulnerabilities for hosts that last connected to Falcon within the last 10 days: filter="last_seen_within:'10'"
services.portPort on the host where a vulnerability was found by Falcon EASM or a third-party provider. filter="services.port:'443'"
services.protocolNetwork protocols recognized by Falcon EASM. filter="services.protocol:'pop3'"
services.transportTransport methods recognized by Falcon EASM. filter="services.transport:'tcp'"
statusStatus of a vulnerability. The value must be entered in all lowercase letters. This filter supports multiple values and negation. Possible values: open (Vulnerabilities that are currently open), closed (Vulnerabilities that are closed), reopen (Vulnerabilities that are currently reopened after previously being closed), expired (Vulnerabilities on decommissioned hosts that are set to be deleted). Note that vulnerabilities in the expired status are visible only through the API. Get vulnerabilities with a status of open: filter="status:'open'" Get vulnerabilities with any status except closed: filter="status:!'closed'" Get vulnerabilities with a status of open or reopen: filter="status:['open','reopen']" or filter="status:!['closed','expired']"
suppression_info.is_suppressedIndicates if the vulnerability is suppressed by a suppression rule or not. Get suppressed vulnerabilities: filter="suppression_info.is_suppressed:true"
suppression_info.reasonAttribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get suppressed vulnerabilities where the reason for the rule is “accept risk”: filter="suppression_info.reason:['ACCEPT_RISK']" Get suppressed vulnerabilities where the reason for the rule is anything except “false positive”: filter="suppression_info.reason:!['FALSE_POSITIVE']" Get suppressed vulnerabilities where the reason for the rule is “compensating control” or “false positive”: filter="suppression_info.reason:['COMPENSATING_CONTROL','FALSE_POSITIVE']"
updated_timestampUTC date and time of the last update made on a vulnerability. Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC: filter="updated_timestamp:<'2021-10-20T22:36'" Get vulnerabilities that were last updated after September 15, 2021: filter="updated_timestamp:>'2021-09-15'"
vulnerability_idTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with a specific single CVE ID: filter="vulnerability_id:['CVE-2022-1234']" Get vulnerabilities for multiple CVE IDs: filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']" Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']"

You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.

Code Examples

Section titled “Code Examples”
from falconpy import SpotlightVulnerabilities


falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )


response = falcon.query_vulnerabilities_combined(after="string",
                                                 facet="string",
                                                 filter="string",
                                                 limit="string",
                                                 sort="string")
print(response)

getRemediationsV2

Section titled “getRemediationsV2”

Get details on remediation by providing one or more IDs.

GET /spotlight/entities/remediations/v2
Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json
PEP 8 get_remediations_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more remediation IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SpotlightVulnerabilities


falcon = SpotlightVulnerabilities(client_id=CLIENT_ID,
                                  client_secret=CLIENT_SECRET
                                  )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_remediations_v2(ids=id_list)
print(response)

getVulnerabilities

Section titled “getVulnerabilities”

Get details on vulnerabilities by providing one or more IDs.

GET /spotlight/entities/vulnerabilities/v2
Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json
PEP 8 get_vulnerabilities

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more vulnerability IDs (max: 400). Find vulnerability IDs with queryVulnerabilities.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.

queryVulnerabilities

Section titled “queryVulnerabilities”

Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.

GET /spotlight/queries/vulnerabilities/v1
Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json
PEP 8 query_vulnerabilities

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results.
limitqueryintegerThe number of items to return in this response (default: 100, max: 400). Use with the after parameter to manage pagination of results.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringSort vulnerabilities by their properties. Common sort options include: created_timestamp|desc, closed_timestamp|asc, updated_timestamp|desc.
filterquerystringFilter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. Common filter options include: created_timestamp:>‘2019-11-25T22:36:12Z’, closed_timestamp:>‘2019-11-25T22:36:12Z’, aid:‘8e7656b27d8c49a34a1af416424d6231’. You must provide a filter, either via this keyword or as part of a parameters payload in order to use this method. Review the available filters table below for more detail.
Available filters
Section titled “Available filters”
NameDescription
aidUnique agent identifier (AID) of the sensor where the vulnerability was found. For assets without a Falcon sensor installed, this field matches the asset ID field in asset management. Get vulnerabilities for a specific AID: filter="aid:'abcde6b9a3427d8c4a1af416424d6231'"
apps.remediation.idsUnique identifier of a remediation. This filter supports multiple values and negation. Get the vulnerability ID for a specific remediation ID: filter="apps.remediation.ids:'7bba2e543744a92962be7afeb6484858'" Get vulnerabilities for multiple remediation IDs: filter="apps.remediation.ids:['ID1','ID2','ID3']"
cidUnique system-generated customer identifier (CID) of the account. In multi-CID environments: You can filter by both parent and child CIDs. If you’re in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs. If you’re in a parent CID and use this filter, the response includes data for only the CIDs you filtered by. If you’re in a non-parent CID, this property only shows data for that CID. Get vulnerabilities for a specific CID: filter="cid:'0123456789ABCDEFGHIJKLMNOPQRSTUV'"
closed_timestampDate and time a vulnerability was set to a status of CLOSED. Get vulnerabilities that were marked as closed after June 25, 2021 at 10:32 UTC: filter="closed_timestamp:>'2021-06-25T10:32'" Get vulnerabilities that were marked as closed before October 18, 2021: filter="closed_timestamp:<'2021-10-18'"
confidenceWhether or not the vulnerability has been confirmed: confirmed, potential. Get vulnerabilities with a potential confidence level: filter="confidence:<'potential'"
created_timestampDate and time when this vulnerability was found in your environment. Tip: Use this filter to get only the vulnerabilities created after the timestamp you last pulled data on. Get vulnerabilities created before September 30, 2021 at 13:22 UTC: filter="created_timestamp:<'2021-09-25T13:22'" Get vulnerabilities created after February 12, 2021: filter="created_timestamp:>'2021-02-12'"
cve.base_scoreCVE base score. filter="cve.base_score:>50"
cve.cwesUnique identifier for a vulnerability from the Common Weakness Enumeration (CWE) list. filter="cve.cwes:>['CWE-787','CWE-699']"
cve.exploit_statusNumeric value of the most severe known exploit. This filter supports multiple values and negation. Possible values: 0 (Unproven, no known exploits), 30 (Available - Medium), 60 (Easily accessible - High), 90 (Actively used - Critical). Get vulnerabilities with an exploit status of 60: filter="cve.exploit_status:'60'" Get vulnerabilities with an exploit status of 30, 60, or 90: filter="cve.exploit_status:!'0'" or filter="cve.exploit_status:['30','60','90']"
cve.exprt_ratingExPRT rating assigned by CrowdStrike’s predictive AI rating system. The value must be entered in all caps. This filter supports multiple values and negation. Possible values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. Get vulnerabilities with an ExPRT rating of high: filter="cve.exprt_rating:'HIGH'" Get vulnerabilities with an ExPRT rating of high or critical: filter="cve.exprt_rating:['HIGH','CRITICAL']" Get vulnerabilities with any ExPRT rating other than unknown: filter="cve.exprt_rating:!'UNKNOWN'"
cve.idTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Unique identifier for a vulnerability as cataloged in the NVD. This filter supports multiple values and negation. Note: All values must be enclosed in brackets, including single values. Get vulnerabilities with a specific single CVE ID: filter="cve.id:['CVE-2022-1234']" Get vulnerabilities for multiple CVE IDs: filter="cve.id:['CVE-2022-1234','CVE-2023-1234']" Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="cve.id:!['CVE-2022-1234','CVE-2023-1234']"
cve.is_cisa_kevFilter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog: true or false. This filter supports negation. Get vulnerabilities that are in the CISA KEV catalog: filter="cve.is_cisa_kev:true"
cve.remediation_levelCVSS remediation level of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with an official fix: filter="cve.remediation_level:'O'" Get vulnerabilities with no available fix: filter="cve.remediation_level:'U'"
cve.severityCVSS severity rating of the vulnerability. The value must be entered in all caps. This filter supports multiple values and negation. Possible values: UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL. Get vulnerabilities with a CVE severity of LOW: filter="cve.severity:'LOW'" Get vulnerabilities with any CVE severity but UNKNOWN: filter="cve.severity:!'UNKNOWN'" Get vulnerabilities with a CVE severity of LOW and MEDIUM: filter="cve.severity:['LOW','MEDIUM']"
cve.typesVulnerability type: Vulnerability, Misconfiguration, Unsupported software. filter="cve.types:!'Misconfiguration'"
data_providers.portsPorts on the host where the vulnerability was found by the third-party provider. Get vulnerabilities found on port 53: filter="data_providers.ports:'53'" Get vulnerabilities found on any port: filter="data_providers.ports:!'0'"
data_providers.providerName of the data provider. Get vulnerabilities for a specific third-party provider: filter="data_providers.provider:'{provider name}'"
data_providers.ratingPossible values: UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL. Get vulnerabilities with a third-party rating of CRITICAL: filter="data_providers.rating:'CRITICAL'"
data_providers.scan_timeUTC date and time when the vulnerability was most recently identified by the third-party provider. Get vulnerabilities scanned by a third-party provider after August 3, 2023: filter="data_providers.scan_time:>'023-08-03'"
data_providers.scanner_idID of the third-party scanner that identified the vulnerability. Get vulnerabilities found by a specific scanner: filter="data_providers.scanner_id:'{scanner id}'"
host_info.asset_criticalityAssigned criticality level of the asset. Possible values: Critical, High, Noncritical, Unassigned. Get vulnerabilities on hosts with high and critical levels of asset criticality: filter="host_info.asset_criticality:['Critical','High']" Get vulnerabilities on hosts without an assigned asset criticality level: filter="host_info.asset_criticality:!'Unassigned'"
host_info.groupsUnique system-assigned ID of a host group. This filter supports multiple values and negation. Note: All values must be enclosed in brackets. Get vulnerabilities on hosts in a specific host group ID: filter="host_info.groups:['03f0b54af2692e99c4cec945818fbef7']"
host_info.has_run_containerWhether or not the host is running Kubernetes containers: true or false. Get vulnerabilities on hosts running Kubernetes containers: filter="host_info.has_run_container:'true'"
host_info.instance_stateHost instance state.
host_info.internet_exposureWhether or not the asset is internet-facing: Yes, No, Pending. Get vulnerabilities on internet-exposed hosts: filter="host_info.internet_exposure:'Yes'"
host_info.managed_byIndicates if the asset has the Falcon sensor installed: Falcon sensor, Unmanaged. This filter supports multiple values and negation. Get vulnerabilities on assets without a Falcon sensor installed: filter="host_info.managed_by:'Unmanaged'"
host_info.platform_nameOperating system platform. This filter supports negation. Possible values: Windows, Mac, Linux. Get Windows OS vulnerabilities: filter="host_info.platform_name:'Windows'" Get Windows OS and macOS vulnerabilities: filter="host_info.platform_name:!'Linux'"
host_info.product_type_descTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. Type of host a sensor is running on. This filter supports multiple values and negation. Possible values: Workstation, Server, Domain Controller. Get vulnerabilities on workstation hosts: filter="host_info.product_type_desc:'Workstation'"
host_info.tagsName of a tag assigned to a host. This filter supports multiple values and negation. Note: All values must be enclosed in brackets. Get vulnerabilities on hosts tagged with “ephemeral”: filter="host_info.tags:['ephemeral']"
host_info.third_party_asset_idsAsset IDs assigned to the host by third-party providers. This filter supports multiple values and negation. Get vulnerabilities for a specific third-party asset: filter="host_info.third_party_asset_ids:'&#123;data_provider&#125;: &#123;data_provider_asset_id&#125;'"
last_seen_withinFilter for vulnerabilities based on the number of days since a host last connected to Falcon. Possible values: Integer, from 3–45. Get vulnerabilities for hosts that last connected to Falcon within the last 10 days: filter="last_seen_within:'10'"
services.portPort on the host where a vulnerability was found by Falcon EASM or a third-party provider. filter="services.port:'443'"
services.protocolNetwork protocols recognized by Falcon EASM. filter="services.protocol:'pop3'"
services.transportTransport methods recognized by Falcon EASM. filter="services.transport:'tcp'"
statusStatus of a vulnerability. The value must be entered in all lowercase letters. This filter supports multiple values and negation. Possible values: open, closed, reopen, expired. Get vulnerabilities with a status of open: filter="status:'open'" Get vulnerabilities with any status except closed: filter="status:!'closed'" Get vulnerabilities with a status of open or reopen: filter="status:['open','reopen']" or filter="status:!['closed','expired']"
suppression_info.is_suppressedIndicates if the vulnerability is suppressed by a suppression rule or not. Get suppressed vulnerabilities: filter="suppression_info.is_suppressed:true"
suppression_info.reasonAttribute assigned to a suppression rule. One of ACCEPT_RISK, COMPENSATING_CONTROL, or FALSE_POSITIVE. This filter supports multiple values and negation. Note: All values must be enclosed in brackets. Get suppressed vulnerabilities where the reason for the rule is “accept risk”: filter="suppression_info.reason:['ACCEPT_RISK']"
updated_timestampUTC date and time of the last update made on a vulnerability. Get vulnerabilities that were last updated before October 20, 2021 at 10:36 PM UTC: filter="updated_timestamp:<'2021-10-20T22:36'" Get vulnerabilities that were last updated after September 15, 2021: filter="updated_timestamp:>'2021-09-15'"
vulnerability_idTip: For case-insensitive filtering, add .insensitive to the field name in the filter parameters. CVE ID of the vulnerability. If there’s no CVE ID, this is the CrowdStrike or third-party ID of the vulnerability. This filter supports multiple values and negation. Get vulnerabilities with a specific single CVE ID: filter="vulnerability_id:['CVE-2022-1234']" Get vulnerabilities for multiple CVE IDs: filter="vulnerability_id:['CVE-2022-1234','CVE-2023-4321']" Get vulnerabilities that do not contain either of 2 specific CVE IDs: filter="vulnerability_id:!['CVE-2022-1234','CVE-2023-4321']"

You must provide a value for filter to make use of this operation, either by using the filter keyword or as part of your parameters payload.

Code Examples

Section titled “Code Examples”

Examples coming soon.

getRemediations

Section titled “getRemediations”

Get details on remediations by providing one or more IDs.

GET /spotlight/entities/remediations/v2
Scope Spotlight Vulnerabilities: READ Consumes · Produces application/json
PEP 8 get_remediations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerylistOne or more remediation IDs (max: 400).
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use