Skip to content

Falcon RTR Secrets Scanner

The SailPoint Entro Falcon RTR Secrets Scanner discovers exposed credentials stored in configuration files across all endpoints managed by CrowdStrike Falcon. It uses Falcon Real-Time Response (RTR) to run a read-only scan directly on each host and submits file contents to the SailPoint Entro API for secret detection.


How it works

The scanner connects to your Falcon tenant, discovers target hosts, and opens parallel RTR sessions. On each host, a built-in shell script (find + curl on Unix/macOS, PowerShell on Windows) locates config files and posts them directly to the SailPoint Entro API from the host.

Customer Environment
├── Scanner (EC2 or local machine)
│    └── Opens RTR sessions via Falcon API
├── CrowdStrike Falcon Cloud
│    └── Executes commands through Falcon Agent
└── Endpoint (macOS / Linux / Windows)
     └── find / PowerShell → curl → Entro API

No persistent scripts, agents, or binaries are installed on endpoints. All RTR commands originate from the scanner machine. No direct inbound connectivity to endpoints is required.


Prerequisites

  • CrowdStrike Falcon with RTR enabled

  • Falcon API client with Hosts: Read, Real Time Response: Read, and Real Time Response: Write scopes. Create in Falcon: Support > API Clients and Keys.

    • Available at https://falcon.<region>.crowdstrike.com/api-clients-and-keys/
  • SailPoint Entro Scan only API key

    • Available in [https://app.entro.security/admin/settings?tab=api-keys](https://app.entro.security/admin/settings?tab=api-keys)
  • Python 3.9+

  • For the Terraform based deployment:

    • AWS account, Terraform ≥ 1.5, and AWS CLI configured (EC2 deployment)

    Current Terraform deployment is AWS based. For any other cloud environmernt please reach out to SailPoint Entro.


Setup

25KB
entro-falcon-rtr-secrets-scanner.zip
archive

Local run

python3 -m venv venv
source venv/bin/activate      # Windows: venv\Scripts\activate
pip install -r requirements.txt

cp .env.example .env
# Fill in Falcon and Entro credentials — see Configuration below

Example .env file

# =============================================================================
# entro_rtr_scanner.py — environment file (.env)
# =============================================================================
#
# WHEN YOU NEED THIS FILE
# -----------------------
# • Terraform + EC2 (default deploy): you do NOT copy this to your laptop for production.
#   Terraform / cloud-init writes /home/ec2-user/scanner/.env on the scanner instance.
# • Local machine, CI, or any host where YOU run: python3 entro_rtr_scanner.py
#   → copy this file to `.env` in the same directory as entro_rtr_scanner.py
#
# HOW CREDENTIALS ARE RESOLVED (in order)
# ----------------------------------------
# 1) If AWS_CS_SECRET_ARN / AWS_ENTRO_SECRET_ARN are set, boto3 loads Secrets Manager
#    (needs AWS credentials on that machine + IAM permission to read those secrets).
# 2) Else CROWDSTRIKE and ENTRO variables below are used.
#
# =============================================================================

# ── CrowdStrike Falcon API (your tenant) ─────────────────────────────────────
# CROWDSTRIKE_CLIENT_ID     — OAuth2 client ID from Falcon → Support → API clients and keys
# CROWDSTRIKE_CLIENT_SECRET — OAuth2 secret for that client (rotate like a password)
# CROWDSTRIKE_BASE_URL      — REST base URL for your Falcon cloud (must match region)

CROWDSTRIKE_CLIENT_ID=your-client-id-here
CROWDSTRIKE_CLIENT_SECRET=your-client-secret-here
CROWDSTRIKE_BASE_URL=https://api.us-2.crowdstrike.com

# Other regions (examples):
# US-1: https://api.crowdstrike.com
# EU-1: https://api.eu-1.crowdstrike.com
# US-GOV: https://api.laggar.gcw.crowdstrike.com

# ── Which Falcon-managed hosts to scan ───────────────────────────────────────
# SCAN_ALL_HOSTS=true  — query every host visible to this API client (mac + linux + windows)
# SCAN_ALL_HOSTS=false — use a single host or list instead (set one of the following)

SCAN_ALL_HOSTS=true
# TARGET_HOST=one-hostname-only
# TARGET_HOSTS=host1,host2,host3

# ── Entro Security API (your Entro tenant) ───────────────────────────────────
# ENTRO_API_KEY — API key from Entro (treat as secret)
# ENTRO_API_URL — Scan API base (include /v2/scan pathL)

ENTRO_API_KEY=your-entro-api-key-here
ENTRO_API_URL=https://api.entro.security/v2/scan

# ── What to scan on each remote host (RTR-side behavior) ─────────────────────
# SCAN_FILE_TYPES   — comma-separated globs for filenames to consider
# SCAN_PATHS_UNIX   — comma-separated roots on macOS/Linux endpoints
# SCAN_PATHS_WIN    — comma-separated roots on Windows endpoints
# SCAN_MAX_SIZE_KB  — skip larger files (approximate cap per file)
# SCAN_MAX_DEPTH    — max directory depth under each root
# SCAN_OS_TYPES     — optional filter: mac,linux,windows (comma-separated); empty = all

SCAN_FILE_TYPES=*.crt,*.key,*.pem,*.json,*.env,*.env.*,*.yaml,*.yml
SCAN_PATHS_UNIX=/home,/Users
SCAN_PATHS_WIN=C:\Users,C:\ProgramData,C:\inetpub
SCAN_MAX_SIZE_KB=250
SCAN_MAX_DEPTH=3
# SCAN_OS_TYPES=mac,linux

# ── Concurrency ──────────────────────────────────────────────────────────────
# MAX_WORKERS — max parallel host scans in entro_rtr_scanner.py (thread pool)

# MAX_WORKERS=20

# ── AWS Secrets Manager (optional; typical on EC2 when .env only has ARNs) ─────
# AWS_REGION          — region for Secrets Manager API
# AWS_CS_SECRET_ARN   — secret JSON: clientId, clientSecret, baseUrl
# AWS_ENTRO_SECRET_ARN — secret JSON: entroApiKey, entroApiUrl

# AWS_REGION=us-east-1
# AWS_CS_SECRET_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:your-falcon-api-secret
# AWS_ENTRO_SECRET_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:your-entro-secret

Run the scanner:

python3 entro_rtr_scanner.py --all                                   # every host in tenant
python3 entro_rtr_scanner.py host1 host2                             # specific hosts
python3 entro_rtr_scanner.py --all --filter "platform_name:'Linux'"  # OS-filtered

AWS deployment (Terraform → EC2)

The provided Terraform configuration targets AWS only. If you are deploying on a different cloud platform or on-premises environment, please reach out to SailPoint Entro for assistance.

The scanner runs as a systemd oneshot service on EC2, triggered on a schedule by a systemd timer. Credentials are read from AWS Secrets Manager at runtime via IAM — no credentials are stored in AMIs or on disk.

Step 1 — Create the Falcon Credentials Secret in Secrets Manager

Create a secret in your AWS account with the following JSON and note its ARN:

{
  "clientId": "your-falcon-client-id",
  "clientSecret": "your-falcon-client-secret",
  "baseUrl": "https://api.us-2.crowdstrike.com"
}
CrowdStrike region Base URL
US-1 https://api.crowdstrike.com
US-2 https://api.us-2.crowdstrike.com
EU-1 https://api.eu-1.crowdstrike.com
US-GOV-1 https://api.laggar.gcw.crowdstrike.com

Step 2 — Configure Terraform

cd terraform
cp terraform.tfvars.example terraform.tfvars

Minimum required fields:

crowdstrike_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:..."
entro_api_key          = "your-entro-api-key"
entro_api_url          = "entro.api.domain/v2/scan"
ssh_key_name           = "my-keypair"
ssh_private_key_path   = "~/.ssh/my-keypair.pem"
allowed_ssh_cidr       = "203.0.113.42/32"

You might need to specify your entro_api_url if instructed to do so

Step 3 — Deploy

terraform init
terraform plan
terraform apply

After apply, cloud-init writes /home/ec2-user/scanner/.env on the instance and enables the systemd timer. terraform output shows the SSH address, CloudWatch log group, and a ready-to-run scan command.

Step 4 — Verify

ssh -i ~/.ssh/my-keypair.pem ec2-user@<instance-ip>

systemctl status entro-rtr-scanner.timer
journalctl -fu entro-rtr-scanner.service

# Trigger an immediate scan (non-blocking)
systemctl start --no-block entro-rtr-scanner.service

Updating the Script

Edit entro_rtr_scanner.py locally, then run terraform apply. This re-copies the file to the instance and refreshes the systemd units.


Configuration Reference

All settings are environment variables (.env file, or Terraform terraform.tfvars which bakes them into the instance .env via cloud-init).

Credentials

Variable Required Description
CROWDSTRIKE_CLIENT_ID Yes Falcon API client ID
CROWDSTRIKE_CLIENT_SECRET Yes Falcon API client secret
CROWDSTRIKE_BASE_URL No Falcon API base URL (default: https://api.us-2.crowdstrike.com)
ENTRO_API_KEY Yes SailPoint Entro API key
ENTRO_API_URL No SailPoint Entro scan endpoint (default: https://api.entro.security/v2/scan)
AWS_CS_SECRET_ARN No Secrets Manager ARN for Falcon credentials — overrides the env vars above
AWS_ENTRO_SECRET_ARN No Secrets Manager ARN for SailPoint Entro credentials — overrides the env vars above

Scan targets

Variable Default Description
SCAN_ALL_HOSTS true Scan every host in the Falcon tenant
TARGET_HOST / TARGET_HOSTS Specific hostname(s) when SCAN_ALL_HOSTS=false
SCAN_OS_TYPES (all) Comma-separated OS filter: mac, linux, windows

File selection

Variable Default Description
SCAN_FILE_TYPES *.json,*.env,*.yaml,*.yml,*.conf,*.config,*.properties,*.toml,*.ini,*.tfvars,... Glob patterns to match
SCAN_PATHS_UNIX /home,/Users Directories searched on macOS/Linux
SCAN_PATHS_WIN C:\Users,C:\inetpub,C:\app,C:\ProgramData Directories searched on Windows
SCAN_MAX_SIZE_KB 250 Skip files larger than this (KB)
SCAN_MAX_DEPTH 3 Directory traversal depth
SCAN_EXCLUDE_UNIX */node_modules/*,*/.npm/*,*/.cache/*,... Paths excluded on macOS/Linux
SCAN_EXCLUDE_WIN *\node_modules\*,*\AppData\Local\*,... Paths excluded on Windows

Performance

Variable Default Description
MAX_WORKERS 20 Concurrent host scans
SCAN_PARALLEL 10 Concurrent curl calls per host
MAX_WAIT_TIME 1800 Per-host scan budget in seconds
POLL_INTERVAL 5 RTR command-status check interval (seconds)

Scheduled scans (EC2 only)

Terraform variable Default Description
scanner_timer_enabled true Install and enable the systemd timer
scanner_on_calendar *-*-* 02:00:00 systemd OnCalendar value (UTC) — see systemd.time(7)
scanner_randomized_delay_sec 300 Jitter added to each timer fire (seconds)
scanner_run_on_deploy true Trigger one background scan immediately after terraform apply

Scan Output

Each run produces a timestamped directory next to entro_rtr_scanner.py:

scan_YYYYMMDD_HHMMSS/
├── <hostname>.json     # per-host findings and scan metadata
└── _report.json        # aggregate report across all hosts

Each per-host file contains host metadata (hostname, IP, OS), the list of findings returned by SailPoint Entro (secret type, file path, owner, timestamps), and scan statistics (files found, files scanned, duration).


AWS Resources Created by Terraform

Resource Purpose
EC2 instance (t3.micro) Runs the scanner
IAM role + instance profile Grants Secrets Manager and CloudWatch access
Security group SSH from allowed_ssh_cidr only; all outbound allowed
Secrets Manager secret Stores SailPoint Entro API credentials (when create_entro_secret = true)
CloudWatch log group Receives scanner logs; retention set by log_retention_days (default 30 days)

Troubleshooting

Error Cause Resolution
CROWDSTRIKE_CLIENT_ID not set Missing .env or Secrets Manager ARN Confirm .env exists next to the script, or set AWS_CS_SECRET_ARN
ENTRO_API_KEY not set Missing SailPoint Entro key Set ENTRO_API_KEY in .env or AWS_ENTRO_SECRET_ARN
401 Unauthorized (Falcon) Invalid or expired credentials Regenerate Client ID and Secret in Falcon → Support → API Clients and Keys
403 Forbidden (Falcon) Insufficient API scopes Confirm Hosts: Read and Real Time Response (Admin): Write are granted
RTR session timeout Host offline or Falcon agent not running Verify the Falcon agent is active on the target endpoint
No findings returned Scan paths or file types too restrictive Broaden SCAN_PATHS_UNIX / SCAN_FILE_TYPES and re-run

Logs are written to logs/scan_YYYYMMDD_HHMMSS.log next to the script, and to CloudWatch when running on EC2.


Security Notes

  • Use AWS Secrets Manager for production deployments. Never commit .env or terraform.tfvars containing real credentials.

  • Scope the Falcon API client to the minimum required permissions.

  • Restrict allowed_ssh_cidr to a specific IP or VPN egress — avoid 0.0.0.0/0.

  • All RTR sessions are logged in the CrowdStrike console and are fully auditable.

  • Rotate Falcon client secrets and the SailPoint Entro API key on your standard rotation cadence.