Official

Premium

CrowdStrike source integration documentation

Sync from CrowdStrike to any destination

Publisher

cloudquery

Latest version

v2.0.1

Type

Source

Platforms

Date Published

Start Syncing

Documentation Tables Changelog Destinations

Overview Licenses

Overview #

The CloudQuery Crowdstrike plugin pulls data out of Crowdstrike and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Crowdstrike Source Plugin Configuration Reference

Authentication #

The CrowdStrike source supports two different methods of authentication: API Client or Access Token authentication. More details on each method are provided in the configuration reference section.

Example Configuration #

kind: source
spec:
  name: crowdstrike
  path: cloudquery/crowdstrike
  registry: cloudquery
  version: "v2.0.1"
  tables: ["*"]
  destinations: ["postgresql"]
  backend_options:
    table_name: "cq_state_crowdstrike"
    connection: "@@plugins.postgresql.connection"

  spec:
    auth_method: "client_secret"
    client_id: "${CROWDSTRIKE_CLIENT_ID}"
    client_secret: "${CROWDSTRIKE_CLIENT_SECRET}"

    # optional
    # base_path_override: "/"
    # cloud: "autodiscover"
    # host_override: ""
    # member_cid: ""

Configuration Reference #

This is the (nested) spec used by the CrowdStrike source plugin.

auth_method (string) (optional, default: client_secret)
This plugin supports different authentication methods when communicating with the CrowdStrike API. Depending on the chosen authentication method, additional configuration parameters are required.
Supported values are client_secret and access_token. If the client_secret method is selected, the following additional configuration parameters will be used. If the access_token method is selected, the following additional configuration parameters will be used.
cloud (string) (optional, default: autodiscover)
Region where the CrowdStrike backend is hosted. autodiscover can automatically discover the region when using API Client authentication.
When using Access Token authentication method, a specific cloud region is required:
```
spec:
  access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
  cloud: us-1 # possible values are: us-1, us-2, eu-1, us-gov-1
```
host_override (string) (optional, default: empty)
A specific API host to use when making API requests. This must be a fully qualified domain name without a scheme or slashes.
When set, the value of cloud will be ignored.
```
spec:
  access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
  host_override: api.mysubdomain.crowdstrike.com
```
base_path_override (string) (optional, default: /)
Sets the URL path to prepend when making API requests. With or without a leading slash.
member_cid (string) (optional, default: empty)
A specific CID to use. This value can be used for filtering when the Client has access to multiple CIDs.
concurrency (integer) (optional, default: 10000)
A best effort maximum number of Go routines to use. Lower this number to reduce memory usage.
scheduler (string) (optional, default: dfs)
The scheduler to use when determining the priority of resources to sync. Supported values are dfs (depth-first search), round-robin, shuffle and shuffle-queue.
For more information about this, see performance tuning.
table_options (Table Options spec) (optional)
Options to apply to specific tables. See table options for more information.

Incremental Syncing #

The Crowdstrike plugin supports incremental syncing for the following tables:

crowdstrike_discover_applications
crowdstrike_discover_hosts

To enable this, backend_options must be set in the spec (as shown above). This is documented in the Managing Incremental Tables section.

Crowdstrike Table Options Spec #

crowdstrike_discover_applications
- filter (string) (optional)
  Application filter in Falcon Query Language (FQL). Example: vendor: "Google"
  
  Available filter fields that support exact match: name, version, vendor, name_vendor, name_vendor_version, first_seen_timestamp, installation_timestamp, architectures, installation_paths, versioning_scheme, groups, is_normalized, last_used_user_sid, last_used_user_name, last_used_file_name, last_used_file_hash, last_used_timestamp, last_updated_timestamp, is_suspicious, host.id, host.platform_name, host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, host.aid
  
  Available filter fields that support wildcard (*): name, version, vendor, name_vendor, name_vendor_version, architectures, installation_paths, groups, last_used_user_sid, last_used_user_name, last_used_file_name, last_used_file_hash, host.platform_name, host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, host.aid
  
  Available filter fields that support range comparisons (>, <, >=, <=): first_seen_timestamp, installation_timestamp, last_used_timestamp, last_updated_timestamp
  
  All filter fields and operations support negation (!).
- facet ([]string) (optional) (default: ["browser_extension", "host_info", "install_usage"])
  Select various details blocks to be returned for each application entity. Supported values: browser_extension, host_info, install_usage. If omitted, related columns will be empty.
crowdstrike_discover_hosts
- filter (string) (optional)
  Host filter in Falcon Query Language (FQL).
- facet ([]string) (optional) (default: [])
  Facet filtering for hosts.
crowdstrike_vulnerabilities
- filter (string) (optional) (default: created_timestamp:>'2000-01-01T01:00:00Z')
  Vulnerability filter in Falcon Query Language (FQL).
- facet ([]string) (optional) (default: ["host_info", "remediation", "cve", "evaluation_logic"])
  Facet filtering for vulnerabilities.

Client Secret Configuration Reference #

To use this authentication method, generate new Client Credentials by navigating to the Falcon UI. From the left menubar, go to Support and Resources > API Clients and Keys > Create API Client, and select all Read scopes.

client_id (string) (required)
The ID of the CrowdStrike Client to use.
client_secret (string) (required)
The secret to authenticate the client with ID client_id.

Access Token Configuration Reference #

To use this authentication method, you will need to generate an access_token using /oauth2/token API with an existing client. This is done automatically when using the client secret authentication method.

access_token (string) (required)
The OAuth 2.0 Access Token to authenticate with (recommendation: Use environment variable instead of a hardcoded token in the config).

Licenses #

The following tools / packages are used in this plugin:

Name	License
github.com/adrg/xdg	MIT
github.com/apache/arrow-go/v18	Apache-2.0
github.com/apache/arrow/go/v13	Apache-2.0
github.com/apapsch/go-jsonmerge/v2	MIT
github.com/asaskevich/govalidator	MIT
github.com/aws/aws-sdk-go-v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/config	Apache-2.0
github.com/aws/aws-sdk-go-v2/credentials	Apache-2.0
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/configsources	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/ini	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight	BSD-3-Clause
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/licensemanager	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/marketplacemetering	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sso	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/ssooidc	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sts	Apache-2.0
github.com/aws/smithy-go	Apache-2.0
github.com/aws/smithy-go/internal/sync/singleflight	BSD-3-Clause
github.com/bahlo/generic-list-go	BSD-3-Clause
github.com/blang/semver/v4	MIT
github.com/buger/jsonparser	MIT
github.com/cenkalti/backoff/v5	MIT
github.com/cloudquery/cloudquery-api-go	MPL-2.0
github.com/cloudquery/codegen/jsonschema/docs	MPL-2.0
github.com/cloudquery/plugin-pb-go	MPL-2.0
github.com/cloudquery/plugin-sdk/v2/internal/glob	MIT
github.com/cloudquery/plugin-sdk/v2/schema	MIT
github.com/cloudquery/plugin-sdk/v2/types	MPL-2.0
github.com/cloudquery/plugin-sdk/v4	MPL-2.0
github.com/cloudquery/plugin-sdk/v4/glob	MIT
github.com/cloudquery/plugin-sdk/v4/scalar	MIT
github.com/crowdstrike/gofalcon	MIT
github.com/davecgh/go-spew/spew	ISC
github.com/ghodss/yaml	MIT
github.com/go-logr/logr	Apache-2.0
github.com/go-logr/stdr	Apache-2.0
github.com/go-openapi/analysis	Apache-2.0
github.com/go-openapi/errors	Apache-2.0
github.com/go-openapi/jsonpointer	Apache-2.0
github.com/go-openapi/jsonreference	Apache-2.0
github.com/go-openapi/loads	Apache-2.0
github.com/go-openapi/runtime	Apache-2.0
github.com/go-openapi/runtime/middleware/denco	MIT
github.com/go-openapi/spec	Apache-2.0
github.com/go-openapi/strfmt	Apache-2.0
github.com/go-openapi/swag	Apache-2.0
github.com/go-openapi/validate	Apache-2.0
github.com/goccy/go-json	MIT
github.com/google/flatbuffers/go	Apache-2.0
github.com/google/uuid	BSD-3-Clause
github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors	Apache-2.0
github.com/grpc-ecosystem/grpc-gateway/v2	BSD-3-Clause
github.com/hashicorp/go-cleanhttp	MPL-2.0
github.com/hashicorp/go-retryablehttp	MPL-2.0
github.com/invopop/jsonschema	MIT
github.com/josharian/intern	MIT
github.com/klauspost/compress	Apache-2.0
github.com/klauspost/compress/internal/snapref	BSD-3-Clause
github.com/klauspost/compress/zstd/internal/xxhash	MIT
github.com/mailru/easyjson	MIT
github.com/mattn/go-colorable	MIT
github.com/mattn/go-isatty	MIT
github.com/mitchellh/mapstructure	MIT
github.com/oapi-codegen/runtime	Apache-2.0
github.com/oklog/ulid	Apache-2.0
github.com/opentracing/opentracing-go	Apache-2.0
github.com/pierrec/lz4/v4	BSD-3-Clause
github.com/pmezard/go-difflib/difflib	BSD-3-Clause
github.com/rs/zerolog	MIT
github.com/samber/lo	MIT
github.com/santhosh-tekuri/jsonschema/v6	Apache-2.0
github.com/sirupsen/logrus	MIT
github.com/spf13/cobra	Apache-2.0
github.com/spf13/pflag	BSD-3-Clause
github.com/stretchr/testify	MIT
github.com/thoas/go-funk	MIT
github.com/wk8/go-ordered-map/v2	Apache-2.0
github.com/zeebo/xxh3	BSD-2-Clause
go.mongodb.org/mongo-driver	Apache-2.0
go.opentelemetry.io/auto/sdk	Apache-2.0
go.opentelemetry.io/otel	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	Apache-2.0
go.opentelemetry.io/otel/log	Apache-2.0
go.opentelemetry.io/otel/metric	Apache-2.0
go.opentelemetry.io/otel/sdk	Apache-2.0
go.opentelemetry.io/otel/sdk/log	Apache-2.0
go.opentelemetry.io/otel/sdk/metric	Apache-2.0
go.opentelemetry.io/otel/trace	Apache-2.0
go.opentelemetry.io/proto/otlp	Apache-2.0
golang.org/x/exp	BSD-3-Clause
golang.org/x/net	BSD-3-Clause
golang.org/x/oauth2	BSD-3-Clause
golang.org/x/sync	BSD-3-Clause
golang.org/x/sys	BSD-3-Clause
golang.org/x/text	BSD-3-Clause
golang.org/x/xerrors	BSD-3-Clause
google.golang.org/genproto/googleapis/api/httpbody	Apache-2.0
google.golang.org/genproto/googleapis/rpc/status	Apache-2.0
google.golang.org/grpc	Apache-2.0
google.golang.org/protobuf	BSD-3-Clause
gopkg.in/yaml.v2	Apache-2.0
gopkg.in/yaml.v3	MIT

Loading plugin documentation