turbot/crowdstrike
steampipe plugin install crowdstrike

Table: crowdstrike_zta_assessment - Query CrowdStrike ZTA Assessments using SQL

CrowdStrike Zero Trust Assessment (ZTA) is a feature within CrowdStrike Falcon that provides a security posture assessment of each device in an organization's network. It applies Zero Trust principles to evaluate and report on the security risks associated with each device. These assessments help organizations identify weak hosts and enforce security policies.

Table Usage Guide

The crowdstrike_zta_assessment table provides insights into the security posture of devices within an organization's network using CrowdStrike Falcon. As a security analyst or IT administrator, explore device-specific details through this table, including security risks and vulnerabilities. Utilize it to uncover information about the security posture of each device, helping to identify potential security risks and enforce security policies.

Examples

Basic info

Explore the security posture of your devices by assessing their risk levels and the platforms they operate on.

Postgres:

select
  device_id,
  aid,
  assessment,
  event_platform
from
  crowdstrike_zta_assessment;

SQLite:

select
  device_id,
  aid,
  assessment,
  event_platform
from
  crowdstrike_zta_assessment;

List Zero Trust assessments with assessment score over a threshold

Explore which Zero Trust assessments exceed a certain score threshold. This is useful for identifying devices that may require further investigation or action due to their high assessment scores.

Postgres:

select
  device_id,
  aid,
  assessment,
  event_platform,
  assessment ->> 'overall' as overall
from
  crowdstrike_zta_assessment
where
  (assessment ->> 'overall') :: int > 92;

SQLite:

select
  device_id,
  aid,
  assessment,
  event_platform,
  json_extract(assessment, '$.overall') as overall
from
  crowdstrike_zta_assessment
where
  cast(json_extract(assessment, '$.overall') as integer) > 92;

List device IDs with firewalls disabled

Discover the devices whose application firewall signal does not meet the assessment criteria, so you can identify hosts at risk and take action to bring them back into policy. This is essential for maintaining the security integrity of your devices.

Postgres:

select
  device_id,
  event_platform
from
  crowdstrike_zta_assessment,
  jsonb_array_elements(assessment_items -> 'os_signals') as t
where
  t ->> 'signal_id' like 'application_firewall_%'
  and t ->> 'meets_criteria' = 'no';

SQLite:

select
  device_id,
  event_platform
from
  crowdstrike_zta_assessment,
  json_each(assessment_items, '$.os_signals') as t
where
  json_extract(t.value, '$.signal_id') like 'application_firewall_%'
  and json_extract(t.value, '$.meets_criteria') = 'no';
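Rank failing OS signals across the fleet and list each host's failing checks

The two queries above filter on a single signal; the following Postgres query is an added example (not part of the Steampipe documentation) that builds on them to answer the triage questions an analyst usually asks next: which checks fail on the most hosts, and which hosts carry the most failures. It assumes only the JSON shape already shown on this page (assessment ->> 'overall', assessment_items -> 'os_signals', and the signal_id / meets_criteria keys); the column aliases are ours.

```sql
-- Added example, Postgres dialect. Assumes the assessment_items.os_signals
-- entries carry signal_id and meets_criteria as shown in the queries above.
with failing as (
  select
    z.device_id,
    z.event_platform,
    (z.assessment ->> 'overall') :: int as overall,
    s ->> 'signal_id' as signal_id
  from
    crowdstrike_zta_assessment as z,
    jsonb_array_elements(z.assessment_items -> 'os_signals') as s
  where
    s ->> 'meets_criteria' = 'no'
)
-- 1. Fleet view: which checks fail most often, per platform, and how weak
--    are the hosts failing them on average.
select
  signal_id,
  event_platform,
  count(distinct device_id) as hosts_failing,
  round(avg(overall), 1) as avg_overall_score,
  min(overall) as lowest_overall_score
from
  failing
group by
  signal_id,
  event_platform
order by
  hosts_failing desc,
  avg_overall_score asc;

-- 2. Host view: every device with at least one failing OS signal, its
--    overall score, and the list of checks it fails (worst hosts first).
with failing as (
  select
    z.device_id,
    (z.assessment ->> 'overall') :: int as overall,
    s ->> 'signal_id' as signal_id
  from
    crowdstrike_zta_assessment as z,
    jsonb_array_elements(z.assessment_items -> 'os_signals') as s
  where
    s ->> 'meets_criteria' = 'no'
)
select
  device_id,
  overall,
  count(*) as failing_signals,
  string_agg(signal_id, ', ' order by signal_id) as failing_signal_ids
from
  failing
group by
  device_id,
  overall
order by
  failing_signals desc,
  overall asc;
```

Hosts that appear near the top of the second result set with a low overall score are the natural starting point for remediation, and the first result set tells you which single control fix would move the most hosts at once.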

Schema for crowdstrike_zta_assessment

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| aid | text | | The agent ID. |
| assessment | jsonb | | The Assessment object. |
| assessment_items | jsonb | | Assessment items. |
| cid | text | | The Customer ID. |
| device_id | text | | Host device ID. |
| event_platform | text | | The platform on which the event occurred. |
| modified_time | timestamp with time zone | | Timestamp of last modified. |
| product_type_desc | text | | Product type. |
| sensor_file_status | text | | Sensor file status. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| system_serial_number | text | | System serial number. |
| title | text | | Title of the resource. |

Export

This table is also available through the standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but the simplest route is the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike

You can pass the configuration to the command with the --config argument:

steampipe_export_crowdstrike --config '<your_config>' crowdstrike_zta_assessment