CrowdStrike source integration documentation

Sync from CrowdStrike to any destination

Publisher

cloudquery

Latest version

v2.1.4

Type

Source

Platforms

Date Published

Start Syncing

Overview Licenses

Overview #

The CloudQuery Crowdstrike plugin pulls data out of Crowdstrike and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Crowdstrike Source Plugin Configuration Reference

Authentication #

The CrowdStrike source supports two different methods of authentication: API Client or Access Token authentication. More details on each method are provided in the configuration reference section.

Example Configuration #

kind: source
spec:
  name: crowdstrike
  path: cloudquery/crowdstrike
  registry: cloudquery
  version: "v2.1.4"
  tables: ["*"]
  destinations: ["postgresql"]
  backend_options:
    table_name: "cq_state_crowdstrike"
    connection: "@@plugins.postgresql.connection"

  spec:
    auth_method: "client_secret"
    client_id: "${CROWDSTRIKE_CLIENT_ID}"
    client_secret: "${CROWDSTRIKE_CLIENT_SECRET}"

    # optional
    # base_path_override: "/"
    # cloud: "autodiscover"
    # host_override: ""
    # member_cid: ""

Configuration Reference #

This is the (nested) spec used by the CrowdStrike source plugin.

auth_method (string) (optional, default: client_secret)
This plugin supports different authentication methods when communicating with the CrowdStrike API. Depending on the chosen authentication method, additional configuration parameters are required.
Supported values are client_secret and access_token. If the client_secret method is selected, the following additional configuration parameters will be used. If the access_token method is selected, the following additional configuration parameters will be used.
cloud (string) (optional, default: autodiscover)
Region where the CrowdStrike backend is hosted. autodiscover can automatically discover the region when using API Client authentication.
When using Access Token authentication method, a specific cloud region is required:
```
spec:
  access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
  cloud: us-1 # possible values are: us-1, us-2, eu-1, us-gov-1
```
host_override (string) (optional, default: empty)
A specific API host to use when making API requests. This must be a fully qualified domain name without a scheme or slashes.
When set, the value of cloud will be ignored.
```
spec:
  access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
  host_override: api.mysubdomain.crowdstrike.com
```
base_path_override (string) (optional, default: /)
Sets the URL path to prepend when making API requests. With or without a leading slash.
member_cid (string) (optional, default: empty)
A specific CID to use. This value can be used for filtering when the Client has access to multiple CIDs.
concurrency (integer) (optional, default: 10000)
A best effort maximum number of Go routines to use. Lower this number to reduce memory usage.
scheduler (string) (optional, default: dfs)
The scheduler to use when determining the priority of resources to sync. Supported values are dfs (depth-first search), round-robin, shuffle and shuffle-queue.
For more information about this, see performance tuning.
table_options (Table Options spec) (optional)
Options to apply to specific tables. See table options for more information.

Incremental Syncing #

The Crowdstrike plugin supports incremental syncing for the following tables:

crowdstrike_discover_applications
crowdstrike_discover_hosts

To enable this, backend_options must be set in the spec (as shown above). This is documented in the Managing Incremental Tables section.

Crowdstrike Table Options Spec #

crowdstrike_discover_applications
- filter (string) (optional)
  Application filter in Falcon Query Language (FQL). Example: vendor: "Google"
  
  Available filter fields that support exact match: name, version, vendor, name_vendor, name_vendor_version, first_seen_timestamp, installation_timestamp, architectures, installation_paths, versioning_scheme, groups, is_normalized, last_used_user_sid, last_used_user_name, last_used_file_name, last_used_file_hash, last_used_timestamp, last_updated_timestamp, is_suspicious, host.id, host.platform_name, host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, host.aid
  
  Available filter fields that support wildcard (*): name, version, vendor, name_vendor, name_vendor_version, architectures, installation_paths, groups, last_used_user_sid, last_used_user_name, last_used_file_name, last_used_file_hash, host.platform_name, host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, host.aid
  
  Available filter fields that support range comparisons (>, <, >=, <=): first_seen_timestamp, installation_timestamp, last_used_timestamp, last_updated_timestamp
  
  All filter fields and operations support negation (!).
- facet ([]string) (optional) (default: ["browser_extension", "host_info", "install_usage"])
  Select various details blocks to be returned for each application entity. Supported values: browser_extension, host_info, install_usage. If omitted, related columns will be empty.
crowdstrike_discover_hosts
- filter (string) (optional)
  Host filter in Falcon Query Language (FQL).
- facet ([]string) (optional) (default: [])
  Facet filtering for hosts.
crowdstrike_vulnerabilities
- filter (string) (optional) (default: created_timestamp:>'2000-01-01T01:00:00Z')
  Vulnerability filter in Falcon Query Language (FQL).
- facet ([]string) (optional) (default: ["host_info", "remediation", "cve", "evaluation_logic"])
  Facet filtering for vulnerabilities.

Client Secret Configuration Reference #

To use this authentication method, generate new Client Credentials by navigating to the Falcon UI. From the left menubar, go to Support and Resources > API Clients and Keys > Create API Client, and select all Read scopes.

client_id (string) (required)
The ID of the CrowdStrike Client to use.
client_secret (string) (required)
The secret to authenticate the client with ID client_id.

Access Token Configuration Reference #

To use this authentication method, you will need to generate an access_token using /oauth2/token API with an existing client. This is done automatically when using the client secret authentication method.

access_token (string) (required)
The OAuth 2.0 Access Token to authenticate with (recommendation: Use environment variable instead of a hardcoded token in the config).

Licenses #

The following tools / packages are used in this plugin:

Name	License
github.com/adrg/xdg	MIT
github.com/apache/arrow-go/v18	Apache-2.0
github.com/apache/arrow/go/v13	Apache-2.0
github.com/apapsch/go-jsonmerge/v2	MIT
github.com/asaskevich/govalidator	MIT
github.com/aws/aws-sdk-go-v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/config	Apache-2.0
github.com/aws/aws-sdk-go-v2/credentials	Apache-2.0
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/configsources	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/ini	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight	BSD-3-Clause
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/licensemanager	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/marketplacemetering	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sso	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/ssooidc	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sts	Apache-2.0
github.com/aws/smithy-go	Apache-2.0
github.com/aws/smithy-go/internal/sync/singleflight	BSD-3-Clause
github.com/bahlo/generic-list-go	BSD-3-Clause
github.com/blang/semver/v4	MIT
github.com/buger/jsonparser	MIT
github.com/cenkalti/backoff/v5	MIT
github.com/cloudquery/cloudquery-api-go	MPL-2.0
github.com/cloudquery/codegen/jsonschema/docs	MPL-2.0
github.com/cloudquery/plugin-pb-go	MPL-2.0
github.com/cloudquery/plugin-sdk/v2/internal/glob	MIT
github.com/cloudquery/plugin-sdk/v2/schema	MIT
github.com/cloudquery/plugin-sdk/v2/types	MPL-2.0
github.com/cloudquery/plugin-sdk/v4	MPL-2.0
github.com/cloudquery/plugin-sdk/v4/glob	MIT
github.com/cloudquery/plugin-sdk/v4/scalar	MIT
github.com/crowdstrike/gofalcon	MIT
github.com/davecgh/go-spew/spew	ISC
github.com/ghodss/yaml	MIT
github.com/go-logr/logr	Apache-2.0
github.com/go-logr/stdr	Apache-2.0
github.com/go-openapi/analysis	Apache-2.0
github.com/go-openapi/errors	Apache-2.0
github.com/go-openapi/jsonpointer	Apache-2.0
github.com/go-openapi/jsonreference	Apache-2.0
github.com/go-openapi/loads	Apache-2.0
github.com/go-openapi/runtime	Apache-2.0
github.com/go-openapi/runtime/middleware/denco	MIT
github.com/go-openapi/spec	Apache-2.0
github.com/go-openapi/strfmt	Apache-2.0
github.com/go-openapi/swag	Apache-2.0
github.com/go-openapi/validate	Apache-2.0
github.com/goccy/go-json	MIT
github.com/google/flatbuffers/go	Apache-2.0
github.com/google/uuid	BSD-3-Clause
github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors	Apache-2.0
github.com/grpc-ecosystem/grpc-gateway/v2	BSD-3-Clause
github.com/hashicorp/go-cleanhttp	MPL-2.0
github.com/hashicorp/go-retryablehttp	MPL-2.0
github.com/invopop/jsonschema	MIT
github.com/josharian/intern	MIT
github.com/klauspost/compress	Apache-2.0
github.com/klauspost/compress/internal/snapref	BSD-3-Clause
github.com/klauspost/compress/zstd/internal/xxhash	MIT
github.com/mailru/easyjson	MIT
github.com/mattn/go-colorable	MIT
github.com/mattn/go-isatty	MIT
github.com/mitchellh/mapstructure	MIT
github.com/oapi-codegen/runtime	Apache-2.0
github.com/oklog/ulid	Apache-2.0
github.com/opentracing/opentracing-go	Apache-2.0
github.com/pierrec/lz4/v4	BSD-3-Clause
github.com/pmezard/go-difflib/difflib	BSD-3-Clause
github.com/rs/zerolog	MIT
github.com/samber/lo	MIT
github.com/santhosh-tekuri/jsonschema/v6	Apache-2.0
github.com/sirupsen/logrus	MIT
github.com/spf13/cobra	Apache-2.0
github.com/spf13/pflag	BSD-3-Clause
github.com/stretchr/testify	MIT
github.com/thoas/go-funk	MIT
github.com/wk8/go-ordered-map/v2	Apache-2.0
github.com/zeebo/xxh3	BSD-2-Clause
go.mongodb.org/mongo-driver	Apache-2.0
go.opentelemetry.io/auto/sdk	Apache-2.0
go.opentelemetry.io/otel	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	Apache-2.0
go.opentelemetry.io/otel/log	Apache-2.0
go.opentelemetry.io/otel/metric	Apache-2.0
go.opentelemetry.io/otel/sdk	Apache-2.0
go.opentelemetry.io/otel/sdk/log	Apache-2.0
go.opentelemetry.io/otel/sdk/metric	Apache-2.0
go.opentelemetry.io/otel/trace	Apache-2.0
go.opentelemetry.io/proto/otlp	Apache-2.0
golang.org/x/exp	BSD-3-Clause
golang.org/x/net	BSD-3-Clause
golang.org/x/oauth2	BSD-3-Clause
golang.org/x/sync	BSD-3-Clause
golang.org/x/sys	BSD-3-Clause
golang.org/x/text	BSD-3-Clause
golang.org/x/xerrors	BSD-3-Clause
google.golang.org/genproto/googleapis/api/httpbody	Apache-2.0
google.golang.org/genproto/googleapis/rpc/status	Apache-2.0
google.golang.org/grpc	Apache-2.0
google.golang.org/protobuf	BSD-3-Clause
gopkg.in/yaml.v2	Apache-2.0
gopkg.in/yaml.v3	MIT

Loading plugin documentation