Falcon RTR Secrets Scanner
The SailPoint Entro Falcon RTR Secrets Scanner discovers exposed credentials stored in configuration files across all endpoints managed by CrowdStrike Falcon. It uses Falcon Real-Time Response (RTR) to run a read-only scan directly on each host and submits file contents to the SailPoint Entro API for secret detection.
How it works
The scanner connects to your Falcon tenant, discovers target hosts, and opens parallel RTR sessions. On each host, a built-in shell script (find + curl on Unix/macOS, PowerShell on Windows) locates config files and posts them directly to the SailPoint Entro API from the host.
Customer Environment
│
├── Scanner (EC2 or local machine)
│ └── Opens RTR sessions via Falcon API
│
├── CrowdStrike Falcon Cloud
│ └── Executes commands through Falcon Agent
│
└── Endpoint (macOS / Linux / Windows)
└── find / PowerShell → curl → Entro API
No persistent scripts, agents, or binaries are installed on endpoints. All RTR commands originate from the scanner machine. No direct inbound connectivity to endpoints is required.
Prerequisites
-
CrowdStrike Falcon with RTR enabled
-
Falcon API client with Hosts: Read, Real Time Response: Read, and Real Time Response: Write scopes. Create in Falcon: Support > API Clients and Keys.
- Available at
https://falcon.<region>.crowdstrike.com/api-clients-and-keys/
- Available at
-
SailPoint Entro Scan only API key
- Available in [
https://app.entro.security/admin/settings?tab=api-keys](https://app.entro.security/admin/settings?tab=api-keys)
- Available in [
-
Python 3.9+
-
For the Terraform based deployment:
- AWS account, Terraform ≥ 1.5, and AWS CLI configured (EC2 deployment)
Current Terraform deployment is AWS based. For any other cloud environmernt please reach out to SailPoint Entro.
Setup
Local run
python3 -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
pip install -r requirements.txt
cp .env.example .env
# Fill in Falcon and Entro credentials — see Configuration below
Example .env file
# =============================================================================
# entro_rtr_scanner.py — environment file (.env)
# =============================================================================
#
# WHEN YOU NEED THIS FILE
# -----------------------
# • Terraform + EC2 (default deploy): you do NOT copy this to your laptop for production.
# Terraform / cloud-init writes /home/ec2-user/scanner/.env on the scanner instance.
# • Local machine, CI, or any host where YOU run: python3 entro_rtr_scanner.py
# → copy this file to `.env` in the same directory as entro_rtr_scanner.py
#
# HOW CREDENTIALS ARE RESOLVED (in order)
# ----------------------------------------
# 1) If AWS_CS_SECRET_ARN / AWS_ENTRO_SECRET_ARN are set, boto3 loads Secrets Manager
# (needs AWS credentials on that machine + IAM permission to read those secrets).
# 2) Else CROWDSTRIKE and ENTRO variables below are used.
#
# =============================================================================
# ── CrowdStrike Falcon API (your tenant) ─────────────────────────────────────
# CROWDSTRIKE_CLIENT_ID — OAuth2 client ID from Falcon → Support → API clients and keys
# CROWDSTRIKE_CLIENT_SECRET — OAuth2 secret for that client (rotate like a password)
# CROWDSTRIKE_BASE_URL — REST base URL for your Falcon cloud (must match region)
CROWDSTRIKE_CLIENT_ID=your-client-id-here
CROWDSTRIKE_CLIENT_SECRET=your-client-secret-here
CROWDSTRIKE_BASE_URL=https://api.us-2.crowdstrike.com
# Other regions (examples):
# US-1: https://api.crowdstrike.com
# EU-1: https://api.eu-1.crowdstrike.com
# US-GOV: https://api.laggar.gcw.crowdstrike.com
# ── Which Falcon-managed hosts to scan ───────────────────────────────────────
# SCAN_ALL_HOSTS=true — query every host visible to this API client (mac + linux + windows)
# SCAN_ALL_HOSTS=false — use a single host or list instead (set one of the following)
SCAN_ALL_HOSTS=true
# TARGET_HOST=one-hostname-only
# TARGET_HOSTS=host1,host2,host3
# ── Entro Security API (your Entro tenant) ───────────────────────────────────
# ENTRO_API_KEY — API key from Entro (treat as secret)
# ENTRO_API_URL — Scan API base (include /v2/scan pathL)
ENTRO_API_KEY=your-entro-api-key-here
ENTRO_API_URL=https://api.entro.security/v2/scan
# ── What to scan on each remote host (RTR-side behavior) ─────────────────────
# SCAN_FILE_TYPES — comma-separated globs for filenames to consider
# SCAN_PATHS_UNIX — comma-separated roots on macOS/Linux endpoints
# SCAN_PATHS_WIN — comma-separated roots on Windows endpoints
# SCAN_MAX_SIZE_KB — skip larger files (approximate cap per file)
# SCAN_MAX_DEPTH — max directory depth under each root
# SCAN_OS_TYPES — optional filter: mac,linux,windows (comma-separated); empty = all
SCAN_FILE_TYPES=*.crt,*.key,*.pem,*.json,*.env,*.env.*,*.yaml,*.yml
SCAN_PATHS_UNIX=/home,/Users
SCAN_PATHS_WIN=C:\Users,C:\ProgramData,C:\inetpub
SCAN_MAX_SIZE_KB=250
SCAN_MAX_DEPTH=3
# SCAN_OS_TYPES=mac,linux
# ── Concurrency ──────────────────────────────────────────────────────────────
# MAX_WORKERS — max parallel host scans in entro_rtr_scanner.py (thread pool)
# MAX_WORKERS=20
# ── AWS Secrets Manager (optional; typical on EC2 when .env only has ARNs) ─────
# AWS_REGION — region for Secrets Manager API
# AWS_CS_SECRET_ARN — secret JSON: clientId, clientSecret, baseUrl
# AWS_ENTRO_SECRET_ARN — secret JSON: entroApiKey, entroApiUrl
# AWS_REGION=us-east-1
# AWS_CS_SECRET_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:your-falcon-api-secret
# AWS_ENTRO_SECRET_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:your-entro-secret
Run the scanner:
python3 entro_rtr_scanner.py --all # every host in tenant
python3 entro_rtr_scanner.py host1 host2 # specific hosts
python3 entro_rtr_scanner.py --all --filter "platform_name:'Linux'" # OS-filtered
AWS deployment (Terraform → EC2)
The provided Terraform configuration targets AWS only. If you are deploying on a different cloud platform or on-premises environment, please reach out to SailPoint Entro for assistance.
The scanner runs as a systemd oneshot service on EC2, triggered on a schedule by a systemd timer. Credentials are read from AWS Secrets Manager at runtime via IAM — no credentials are stored in AMIs or on disk.
Step 1 — Create the Falcon Credentials Secret in Secrets Manager
Create a secret in your AWS account with the following JSON and note its ARN:
{
"clientId": "your-falcon-client-id",
"clientSecret": "your-falcon-client-secret",
"baseUrl": "https://api.us-2.crowdstrike.com"
}
| CrowdStrike region | Base URL |
|---|---|
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
Step 2 — Configure Terraform
Minimum required fields:
crowdstrike_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:..."
entro_api_key = "your-entro-api-key"
entro_api_url = "entro.api.domain/v2/scan"
ssh_key_name = "my-keypair"
ssh_private_key_path = "~/.ssh/my-keypair.pem"
allowed_ssh_cidr = "203.0.113.42/32"
You might need to specify your entro_api_url if instructed to do so
Step 3 — Deploy
After apply, cloud-init writes /home/ec2-user/scanner/.env on the instance and enables the systemd timer. terraform output shows the SSH address, CloudWatch log group, and a ready-to-run scan command.
Step 4 — Verify
ssh -i ~/.ssh/my-keypair.pem ec2-user@<instance-ip>
systemctl status entro-rtr-scanner.timer
journalctl -fu entro-rtr-scanner.service
# Trigger an immediate scan (non-blocking)
systemctl start --no-block entro-rtr-scanner.service
Updating the Script
Edit entro_rtr_scanner.py locally, then run terraform apply. This re-copies the file to the instance and refreshes the systemd units.
Configuration Reference
All settings are environment variables (.env file, or Terraform terraform.tfvars which bakes them into the instance .env via cloud-init).
Credentials
| Variable | Required | Description |
|---|---|---|
CROWDSTRIKE_CLIENT_ID |
Yes | Falcon API client ID |
CROWDSTRIKE_CLIENT_SECRET |
Yes | Falcon API client secret |
CROWDSTRIKE_BASE_URL |
No | Falcon API base URL (default: https://api.us-2.crowdstrike.com) |
ENTRO_API_KEY |
Yes | SailPoint Entro API key |
ENTRO_API_URL |
No | SailPoint Entro scan endpoint (default: https://api.entro.security/v2/scan) |
AWS_CS_SECRET_ARN |
No | Secrets Manager ARN for Falcon credentials — overrides the env vars above |
AWS_ENTRO_SECRET_ARN |
No | Secrets Manager ARN for SailPoint Entro credentials — overrides the env vars above |
Scan targets
| Variable | Default | Description |
|---|---|---|
SCAN_ALL_HOSTS |
true |
Scan every host in the Falcon tenant |
TARGET_HOST / TARGET_HOSTS |
— | Specific hostname(s) when SCAN_ALL_HOSTS=false |
SCAN_OS_TYPES |
(all) | Comma-separated OS filter: mac, linux, windows |
File selection
| Variable | Default | Description |
|---|---|---|
SCAN_FILE_TYPES |
*.json,*.env,*.yaml,*.yml,*.conf,*.config,*.properties,*.toml,*.ini,*.tfvars,... |
Glob patterns to match |
SCAN_PATHS_UNIX |
/home,/Users |
Directories searched on macOS/Linux |
SCAN_PATHS_WIN |
C:\Users,C:\inetpub,C:\app,C:\ProgramData |
Directories searched on Windows |
SCAN_MAX_SIZE_KB |
250 |
Skip files larger than this (KB) |
SCAN_MAX_DEPTH |
3 |
Directory traversal depth |
SCAN_EXCLUDE_UNIX |
*/node_modules/*,*/.npm/*,*/.cache/*,... |
Paths excluded on macOS/Linux |
SCAN_EXCLUDE_WIN |
*\node_modules\*,*\AppData\Local\*,... |
Paths excluded on Windows |
Performance
| Variable | Default | Description |
|---|---|---|
MAX_WORKERS |
20 |
Concurrent host scans |
SCAN_PARALLEL |
10 |
Concurrent curl calls per host |
MAX_WAIT_TIME |
1800 |
Per-host scan budget in seconds |
POLL_INTERVAL |
5 |
RTR command-status check interval (seconds) |
Scheduled scans (EC2 only)
| Terraform variable | Default | Description |
|---|---|---|
scanner_timer_enabled |
true |
Install and enable the systemd timer |
scanner_on_calendar |
*-*-* 02:00:00 |
systemd OnCalendar value (UTC) — see systemd.time(7) |
scanner_randomized_delay_sec |
300 |
Jitter added to each timer fire (seconds) |
scanner_run_on_deploy |
true |
Trigger one background scan immediately after terraform apply |
Scan Output
Each run produces a timestamped directory next to entro_rtr_scanner.py:
scan_YYYYMMDD_HHMMSS/
├── <hostname>.json # per-host findings and scan metadata
└── _report.json # aggregate report across all hosts
Each per-host file contains host metadata (hostname, IP, OS), the list of findings returned by SailPoint Entro (secret type, file path, owner, timestamps), and scan statistics (files found, files scanned, duration).
AWS Resources Created by Terraform
| Resource | Purpose |
|---|---|
EC2 instance (t3.micro) |
Runs the scanner |
| IAM role + instance profile | Grants Secrets Manager and CloudWatch access |
| Security group | SSH from allowed_ssh_cidr only; all outbound allowed |
| Secrets Manager secret | Stores SailPoint Entro API credentials (when create_entro_secret = true) |
| CloudWatch log group | Receives scanner logs; retention set by log_retention_days (default 30 days) |
Troubleshooting
| Error | Cause | Resolution |
|---|---|---|
CROWDSTRIKE_CLIENT_ID not set |
Missing .env or Secrets Manager ARN |
Confirm .env exists next to the script, or set AWS_CS_SECRET_ARN |
ENTRO_API_KEY not set |
Missing SailPoint Entro key | Set ENTRO_API_KEY in .env or AWS_ENTRO_SECRET_ARN |
401 Unauthorized (Falcon) |
Invalid or expired credentials | Regenerate Client ID and Secret in Falcon → Support → API Clients and Keys |
403 Forbidden (Falcon) |
Insufficient API scopes | Confirm Hosts: Read and Real Time Response (Admin): Write are granted |
| RTR session timeout | Host offline or Falcon agent not running | Verify the Falcon agent is active on the target endpoint |
| No findings returned | Scan paths or file types too restrictive | Broaden SCAN_PATHS_UNIX / SCAN_FILE_TYPES and re-run |
Logs are written to logs/scan_YYYYMMDD_HHMMSS.log next to the script, and to CloudWatch when running on EC2.
Security Notes
-
Use AWS Secrets Manager for production deployments. Never commit
.envorterraform.tfvarscontaining real credentials. -
Scope the Falcon API client to the minimum required permissions.
-
Restrict
allowed_ssh_cidrto a specific IP or VPN egress — avoid0.0.0.0/0. -
All RTR sessions are logged in the CrowdStrike console and are fully auditable.
-
Rotate Falcon client secrets and the SailPoint Entro API key on your standard rotation cadence.