Table: crowdstrike_zta_assessment - Query CrowdStrike ZTA Assessments using SQL

CrowdStrike ZTA Assessments is a feature within CrowdStrike Falcon that provides a security posture assessment of devices within an organization's network. It uses Zero Trust principles to evaluate and report on the security risks associated with each device. These assessments can help organizations identify vulnerabilities and enforce security policies.

Table Usage Guide

The crowdstrike_zta_assessment table provides insights into the security posture of devices within an organization's network using CrowdStrike Falcon. As a security analyst or IT administrator, explore device-specific details through this table, including security risks and vulnerabilities. Utilize it to uncover information about the security posture of each device, helping to identify potential security risks and enforce security policies.

Examples

Basic info

Explore the security posture of your devices by assessing their risk levels and the platforms they operate on.

select
  device_id,
  aid,
  assessment,
  event_platform
from
  crowdstrike_zta_assessment;

select
  device_id,
  aid,
  assessment,
  event_platform
from
  crowdstrike_zta_assessment;

List Zero Trust assessments with assessment score over a threshold

Explore which Zero Trust assessments exceed a certain score threshold. This is useful for identifying devices that may require further investigation or action due to their high assessment scores.

select
  device_id,
  aid,
  assessment,
  event_platform,
  assessment ->> 'overall' as overall
from
  crowdstrike_zta_assessment
where
  (assessment ->> 'overall') :: int > 92;

select
  device_id,
  aid,
  assessment,
  event_platform,
  json_extract(assessment, '$.overall') as overall
from
  crowdstrike_zta_assessment
where
  cast(json_extract(assessment, '$.overall') as integer) > 92;

List device IDs with firewalls disabled

Discover the segments that have their firewalls disabled, which allows you to identify potential security risks and take necessary actions to mitigate them. This is essential for maintaining the security integrity of your devices.

select
  device_id,
  event_platform
from
  crowdstrike_zta_assessment,
  jsonb_array_elements(assessment_items -> 'os_signals') as t
where
  t ->> 'signal_id' like 'application_firewall_%'
  and t ->> 'meets_criteria' = 'no';

select
  device_id,
  event_platform
from
  crowdstrike_zta_assessment,
  json_each(assessment_items, '$.os_signals') as t
where
  json_extract(t.value, '$.signal_id') like 'application_firewall_%'
  and json_extract(t.value, '$.meets_criteria') = 'no';

Schema for crowdstrike_zta_assessment

Name	Type	Description
_ctx	jsonb	Steampipe context in JSON form, e.g. connection_name.
aid	text	The agent ID.
assessment	jsonb	The Assessment object.
assessment_items	jsonb	Assessment items.
cid	text	The Customer ID.
device_id	text	Host device ID.
event_platform	text	The platform on which the event occurred.
modified_time	timestamp with time zone	Timestamp of last modified.
product_type_desc	text	Product type.
sensor_file_status	text	Sensor file status.
system_serial_number	text	System serial number.
title	text	Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike

You can pass the configuration to the command with the --config argument:

steampipe_export_crowdstrike --config '<your_config>' crowdstrike_zta_assessment