Table: crowdstrike_zta_assessment - Query CrowdStrike ZTA Assessments using SQL
CrowdStrike ZTA Assessments is a feature within CrowdStrike Falcon that provides a security posture assessment of devices within an organization's network. It uses Zero Trust principles to evaluate and report on the security risks associated with each device. These assessments can help organizations identify vulnerabilities and enforce security policies.
Table Usage Guide
The crowdstrike_zta_assessment table provides insights into the security posture of devices within an organization's network using CrowdStrike Falcon. As a security analyst or IT administrator, you can use this table to explore device-specific details, including the overall assessment score and the individual OS and sensor signals that make it up, in order to identify devices at risk and enforce security policies.
Examples
Basic info
Explore the security posture of your devices by assessing their risk levels and the platforms they operate on.
```sql
-- PostgreSQL
select device_id, aid, assessment, event_platform
from crowdstrike_zta_assessment;
```

```sql
-- SQLite
select device_id, aid, assessment, event_platform
from crowdstrike_zta_assessment;
```
List Zero Trust assessments with assessment score over a threshold
Explore which Zero Trust assessments exceed a certain score threshold. This is useful for identifying devices that may require further investigation or action due to their high assessment scores.
```sql
-- PostgreSQL
select
  device_id,
  aid,
  assessment,
  event_platform,
  assessment ->> 'overall' as overall
from crowdstrike_zta_assessment
where (assessment ->> 'overall') :: int > 92;
```

```sql
-- SQLite
select
  device_id,
  aid,
  assessment,
  event_platform,
  json_extract(assessment, '$.overall') as overall
from crowdstrike_zta_assessment
where cast(json_extract(assessment, '$.overall') as integer) > 92;
```
List device IDs with firewalls disabled
Find devices whose application firewall signal fails the assessment criteria, so you can identify the exposure and take action to mitigate it. A disabled host firewall is a basic posture gap and is worth tracking per device.
```sql
-- PostgreSQL
select device_id, event_platform
from
  crowdstrike_zta_assessment,
  jsonb_array_elements(assessment_items -> 'os_signals') as t
where
  t ->> 'signal_id' like 'application_firewall_%'
  and t ->> 'meets_criteria' = 'no';
```

```sql
-- SQLite
select device_id, event_platform
from
  crowdstrike_zta_assessment,
  json_each(assessment_items, '$.os_signals') as t
where
  json_extract(t.value, '$.signal_id') like 'application_firewall_%'
  and json_extract(t.value, '$.meets_criteria') = 'no';
```
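The two patterns above (reading the overall score and unnesting os_signals) combine into a single triage query that ranks each device by how many OS signals fail. This is an added example in the PostgreSQL dialect, not part of the plugin documentation; it uses only the columns and JSON keys shown on this page.

```sql
-- Added example (PostgreSQL), not from the plugin docs.
-- For every device, count the OS signals that do not meet the ZTA criteria,
-- list their signal_ids, and show the overall score so the weakest hosts
-- surface first for remediation.
select
  a.device_id,
  a.event_platform,
  (a.assessment ->> 'overall') :: int as overall,
  count(*) filter (where s ->> 'meets_criteria' = 'no') as failing_signals,
  string_agg(s ->> 'signal_id', ', ' order by s ->> 'signal_id')
    filter (where s ->> 'meets_criteria' = 'no') as failing_signal_ids
from
  crowdstrike_zta_assessment as a,
  jsonb_array_elements(a.assessment_items -> 'os_signals') as s
group by
  a.device_id, a.event_platform, a.assessment
having
  -- keep only devices with at least one failing OS signal
  count(*) filter (where s ->> 'meets_criteria' = 'no') > 0
order by
  failing_signals desc, overall asc;
```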
Schema for crowdstrike_zta_assessment
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
aid | text | | The agent ID.
assessment | jsonb | | The Assessment object.
assessment_items | jsonb | | Assessment items.
cid | text | | The Customer ID.
device_id | text | | Host device ID.
event_platform | text | | The platform on which the event occurred.
modified_time | timestamp with time zone | | Timestamp of last modified.
product_type_desc | text | | Product type.
sensor_file_status | text | | Sensor file status.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
system_serial_number | text | | System serial number.
title | text | | Title of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_crowdstrike --config '<your_config>' crowdstrike_zta_assessment
```