CrowdStrike Plugin documentation

Report an issue

Back to source list

CrowdStrike

This plugin is in preview.

Sync data from Crowdstrike APIs

Publisher

justmiles

Repositorygithub.com

Latest version

v2.1.0

Type

Source

Platforms

Date Published

December 22, 2023

Price

Free

Documentation Tables Changelog Destinations

Overview

Overview #

A crowdstrike source plugin for CloudQuery Falcon that loads data from crowdstrike to any database, data warehouse or data lake supported by CloudQuery, such as PostgreSQL, BigQuery, Athena, and many more.

Features #

Detections – Extracts details for Falcon detections, including behavior, severity, host, timestamps, and more.
Hosts – Extracts host details including OS, version, sensor specific data, and more.
Incidents - Extracts incidents and their details
Vulnerabilities - Extracts vulnerabilities and their details
Disover Hosts - Extracts managed host details from Discover data
Discover Applications - Extracts application information from Discover for all managed hosts

Configuration #

Export the following environment variables to configure CrowdStrike:

FALCON_CLIENT_ID - Falcon ClientID
FALCON_SECRET - Falcon Secret

To obtain an OAuth2 API Client navigate to the CrowdStrike Falcon / API clients and keys portal.

CloudQuery should only have read access to CrowdStrike resources. The intent is to index all resources in CrowdStrike, so all scopes should be accessible, but read-only.

Alerts
Custom IOA rules
Detections
Hosts
Falcon Discover
Falcon Complete Dashboard
Actors (Falcon Intelligence)
Reports (Falcon Intelligence)
Host groups
Incidents
Installation Tokens
IOC Management
IOCs (Indicators of Compromise)
Message Center for Overwatch
Message Center
Machine Learning Exclusions
On-demand scans (ODS)
OverWatch Dashboard
Prevention policies
Quarantined Files
Real time response (admin)
Real time responseResponse policies
Scheduled ReportsIOA Exclusions
Sensor DownloadSensor update policies
Sensor Visibility Exclusions
Spotlight vulnerabilities
Event streams
User management
Zero Trust Assessment

Example #

# crowdstrike.yml
kind: source
spec:
  name: "crowdstrike"
  registry: "cloudquery"
  path: "justmiles/crowdstrike"
  version: "v2.0.0"
  # use this to enable incremental syncing - unimplemented
  # backend_options:
  #   table_name: "cq_state_crowdstrike"
  #   connection: "@@plugins.postgresql.connection"
  destinations: ["sqlite"]
  tables: ["*"]
  spec:
    # plugin spec section

Plugin Spec #

concurrency (int, optional, default: 1000): Best effort maximum number of Go routines to use. Lower this number to reduce memory usage.

Development #

Run tests #

make test

Run linter #

make lint

Generate docs #

make gen-docs

Release a new version #

Run git tag v1.0.0 to create a new tag for the release (replace v1.0.0 with the new version number)
Run git push origin v1.0.0 to push the tag to GitHub

Once the tag is pushed, a new GitHub Actions workflow will be triggered to build the release binaries and create the new release on GitHub. To customize the release notes, see the Go releaser changelog configuration docs.

Publish a new version to the Cloudquery Hub #

After tagging a release, you can build and publish a new version to the Cloudquery Hub by running the following commands. Replace v1.0.0 with the new version number.

# "make dist" uses the README as main documentation and adds a generic release note. Output is created in dist/
VERSION=v1.0.0 make dist

# Login to cloudquery hub and publish the new version
cloudquery login
cloudquery plugin publish --finalize

After publishing the new version, it will show up in the hub.

For more information please refer to the official Publishing a Plugin to the Hub guide.