falcon

package
v0.6.0
Warning

This package is not in the latest version of its module.

Published: Feb 27, 2024 License: MIT Imports: 25 Imported by: 20

Documentation


Constants

const (
	CloudAutoDiscover = iota
	CloudUs1
	CloudUs2
	CloudEu1
	CloudUsGov1
)

Variables

var (
	Version = semver.MustParse("0.6.0")
)

Functions

func AssertNoError added in v0.2.6

func AssertNoError(payloadErrors []*models.MsaAPIError) error

AssertNoError converts MsaAPIError to golang errors. The Falcon API oftentimes returns a payload structure that may include application errors within the MsaAPIError list. For users of the API it is often desirable to convert these application errors from the CrowdStrike platform to native golang errors to inform application flow.

func ErrorExplain

func ErrorExplain(apiError error) string

ErrorExplain extracts as much information from the error object as possible and returns it as a human-readable string. This is useful for developers because the gofalcon/falcon/client library is swagger-generated and its various error classes do not adhere to a common interface.

func FalconContainerSensorImageURI added in v0.5.0

func FalconContainerSensorImageURI(falconCloud CloudType, sensorType SensorType) string

FalconContainerSensorImageURI returns a URI for downloading a container sensor image. Defaults to the falcon-sensor image.

func FalconContainerUploadURI added in v0.5.0

func FalconContainerUploadURI(falconCloud CloudType) string

FalconContainerUploadURI parses the cloud (example: us-1, us-2, eu-1, us-gov-1, etc.) and returns a URI for uploading a container image for ImageAssessment.

func NewClient

NewClient returns a newly configured API client based on the configuration supplied by the user. The NewClient function is the preferred entry point to the gofalcon SDK.

Types

type ApiConfig

type ApiConfig struct {
	// AccessToken is the access token used to access the CrowdStrike Falcon platform.
	// If used either Cloud or HostOverride must be provided.
	// *required* if ClientId and ClientSecret are empty.
	AccessToken string
	// Client ID used for authentication with CrowdStrike Falcon platform.
	// *required* if AccessToken is empty.
	ClientId string
	// Client Secret used for authentication with CrowdStrike Falcon platform.
	// *required* if AccessToken is empty.
	ClientSecret string
	// Optional: CID selector for cases when the ClientID/ClientSecret has access to multiple CIDs
	MemberCID string
	// This Context object will be used only when authenticating with the OAuth interface.
	Context context.Context
	// Cloud allows us to select Falcon Cloud to connect.
	Cloud CloudType
	// HostOverride allows to override host. Cloud will be ignored.
	HostOverride string
	// BasePathOverride allows to override default base path (default: /)
	BasePathOverride string
	// HttpTimeOutOverride allows users to override default HTTP Time-out (5 minutes). This timeout should rarely be hit. The time-out protects user-application should an unlikely event of CrowdStrike outage occur. Users that need to have more control over HTTP time-outs are advised to use context.Context argument to API calls instead of this variable.
	HttpTimeOutOverride *time.Duration
	// UserAgentOverride allows to override default User-Agent HTTP header when talking with CrowdStrike API (default: gofalcon/$VERSION)
	UserAgentOverride string
	// TransportDecorator allows users to decorate and customize default authenticated client http.RoundTripper behavior.
	TransportDecorator TransportDecorator
	// Debug forces print out of all http traffic going through the API Runtime
	Debug bool
}

The ApiConfig object is used to initialise and configure the API client. Together with the NewClient function, ApiConfig provides the preferred way to initiate API communication.

func (*ApiConfig) BasePath

func (ac *ApiConfig) BasePath() string

BasePath returns the base URL path to be used by this ApiConfig.

func (*ApiConfig) Host

func (ac *ApiConfig) Host() string

Host returns the FQDN of the CrowdStrike API Gateway to be used by this ApiConfig.

func (*ApiConfig) HttpTimeout added in v0.2.13

func (ac *ApiConfig) HttpTimeout() time.Duration

func (*ApiConfig) UserAgent added in v0.2.30

func (ac *ApiConfig) UserAgent() string

type CloudType

type CloudType int

CloudType represents the type of CrowdStrike Falcon cloud region.

func Cloud

func Cloud(cloudString string) CloudType

Cloud parses a cloud string (example: us-1, us-2, eu-1, us-gov-1, etc.). If the string is not recognized, CloudUs1 is returned and no error is reported; use CloudValidate when an unrecognized value must be detected.

func CloudValidate

func CloudValidate(cloudString string) (CloudType, error)

CloudValidate parses a cloud string (example: us-1, us-2, eu-1, us-gov-1, etc.). An error is returned when the string cannot be recognized.

func (*CloudType) Autodiscover added in v0.2.15

func (c *CloudType) Autodiscover(ctx context.Context, clientId, clientSecret string) error

func (CloudType) Host

func (c CloudType) Host() string

Host returns the default hostname for the given cloud.

func (CloudType) String added in v0.2.11

func (c CloudType) String() string

type CommonPayload

type CommonPayload interface {
	MarshalBinary() ([]byte, error)
}

CommonPayload is the interface for *Payload structures in the gofalcon/falcon/client library.

func ErrorExtractPayload

func ErrorExtractPayload(apiError error) CommonPayload

ErrorExtractPayload pops out a .Payload member from the API Error (if included).

type RTR added in v0.2.22

type RTR struct {
	// contains filtered or unexported fields
}

func NewRTR added in v0.2.22

func NewRTR(apiCfg *ApiConfig) (*RTR, error)

func (*RTR) ActiveSessions added in v0.2.22

func (r *RTR) ActiveSessions(ctx context.Context) ([]RTRSession, error)

func (*RTR) BatchActiveResponderCmd added in v0.2.35

func (r *RTR) BatchActiveResponderCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchActiveResponderCmd executes an RTR Active Responder command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) BatchAdminCmd added in v0.2.35

func (r *RTR) BatchAdminCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response_admin.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchAdminCmd executes an RTR Admin command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) BatchCmd added in v0.2.35

func (r *RTR) BatchCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchCmd executes an RTR Read Only Analyst command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) CreatePutFile added in v0.2.32

func (r *RTR) CreatePutFile(ctx context.Context, name *string, description string, auditLogComment *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

func (*RTR) CreateScript added in v0.2.32

func (r *RTR) CreateScript(ctx context.Context, name *string, description, permissionType string, platform []string, auditLogComment, content *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

func (*RTR) DeletePutFile added in v0.2.32

func (r *RTR) DeletePutFile(ctx context.Context, id string, opts ...real_time_response_admin.ClientOption) error

func (*RTR) DeleteScript added in v0.2.32

func (r *RTR) DeleteScript(ctx context.Context, id string, opts ...real_time_response_admin.ClientOption) error

func (*RTR) GetPutFiles added in v0.2.32

func (*RTR) GetScripts added in v0.2.32

func (*RTR) ListPutFiles added in v0.2.32

func (r *RTR) ListPutFiles(ctx context.Context, filter *string, limit *int64, offset, sort *string, opts ...real_time_response_admin.ClientOption) (*models.BinservapiMsaPutFileResponse, error)

func (*RTR) ListScripts added in v0.2.32

func (r *RTR) ListScripts(ctx context.Context, filter *string, limit *int64, offset, sort *string, opts ...real_time_response_admin.ClientOption) (*models.BinservapiMsaPutFileResponse, error)

func (*RTR) NewBatchSession added in v0.2.35

func (r *RTR) NewBatchSession(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration, hostIDs []string, existingBatchID *string, queueOffline bool, opts ...real_time_response.ClientOption) (*models.DomainBatchInitSessionResponse, error)

NewBatchSession initiates a batch session for the given hosts. Use the returned BatchID in subsequent calls to the command methods of this type to execute RTR commands on those hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) NewSession added in v0.2.22

func (r *RTR) NewSession(ctx context.Context, deviceID string) (*RTRSession, error)

func (*RTR) PulseSession added in v0.2.22

func (r *RTR) PulseSession(ctx context.Context, request *models.DomainInitRequest) (*RTRSession, error)

func (*RTR) UpdateScript added in v0.2.32

func (r *RTR) UpdateScript(ctx context.Context, id string, name, description, permissionType *string, platform []string, auditLogComment, content *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

type RTRSession added in v0.2.22

type RTRSession struct {
	// contains filtered or unexported fields
}

func (*RTRSession) ActiveResponderExecute added in v0.2.32

func (s *RTRSession) ActiveResponderExecute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) ActiveResponderExecuteAndWait added in v0.2.32

func (s *RTRSession) ActiveResponderExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) ActiveResponderWaitForExecution added in v0.2.32

func (s *RTRSession) ActiveResponderWaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) AdminExecute added in v0.2.32

func (s *RTRSession) AdminExecute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response_admin.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) AdminExecuteAndWait added in v0.2.32

func (s *RTRSession) AdminExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response_admin.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) AdminWaitForExecution added in v0.2.32

func (s *RTRSession) AdminWaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response_admin.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) Close added in v0.2.22

func (s *RTRSession) Close(ctx context.Context) error

func (*RTRSession) Execute added in v0.2.22

func (s *RTRSession) Execute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) ExecuteAndWait added in v0.2.22

func (s *RTRSession) ExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) GetFile added in v0.2.22

func (s *RTRSession) GetFile(ctx context.Context, sha256, filePath string, output io.Writer) error

func (*RTRSession) ListFiles added in v0.2.22

func (s *RTRSession) ListFiles(ctx context.Context) ([]*models.DomainFileV2, error)

func (*RTRSession) WaitForExecution added in v0.2.22

func (s *RTRSession) WaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

type SensorType added in v0.5.0

type SensorType string

const (
	SidecarSensor SensorType = "falcon-container"
	ImageSensor   SensorType = "falcon-imageanalyzer"
	KacSensor     SensorType = "falcon-kac"
	NodeSensor    SensorType = "falcon-sensor"
)

type StreamingError

type StreamingError struct {
	Fatal bool
	Err   error
}

StreamingError is a structure that holds the original error and indicates whether the error is likely fatal or not.

func (StreamingError) Error

func (e StreamingError) Error() string

type StreamingHandle

type StreamingHandle struct {
	Events     chan *streaming_models.EventItem
	Errors     chan StreamingError
	HTTPClient *http.Client
	// contains filtered or unexported fields
}

StreamingHandle is a higher-order type that allows for easy use of the CrowdStrike Falcon Streaming API.

func NewStream

NewStream initializes a new StreamingHandle and connects to the Streaming API. The streams need to be discovered first with the event_streams.ListAvailableStreamsOAuth2() method. The appId must be an ID that is unique within your CrowdStrike account, and each running instance of your application must provide its own unique ID. The offset value can be used to skip events already seen, should the stream disconnect. Users are advised to use the zero (0) value at start. Each event then contains its own offset.

func NewStreamWithClient added in v0.2.35

func NewStreamWithClient(ctx context.Context, client *client.CrowdStrikeAPISpecification, appId string, stream *models.MainAvailableStreamV2, offset uint64, httpClient *http.Client) (*StreamingHandle, error)

NewStreamWithClient initializes a new StreamingHandle and connects to the Streaming API using the provided http.Client.

func (*StreamingHandle) Close

func (sh *StreamingHandle) Close()

Close the StreamingHandle after use.

type TransportDecorator added in v0.2.34

type TransportDecorator func(http.RoundTripper) http.RoundTripper

TransportDecorator accepts a RoundTripper and returns a RoundTripper. This can be used to wrap or decorate the authenticated client's built-in HTTP client operation behavior for all API requests.
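An added example, not gofalcon's own code, of a wrapper with the TransportDecorator signature described above: it pins outbound requests to one expected API host and emits an audit line per request. The names AuditAndPin, roundTripFunc and demo, and the host api.example.test, are hypothetical; the type is redeclared locally and the base transport is constructed so the block builds and runs without gofalcon or network access.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// TransportDecorator is redeclared here with the signature documented above.
type TransportDecorator func(http.RoundTripper) http.RoundTripper
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// AuditAndPin (hypothetical helper) refuses requests to any host but allowed and
// hands record one line per request: method, host, path, outcome. Headers and
// bodies are never recorded; record must be safe for concurrent use.
func AuditAndPin(record func(string), allowed string) TransportDecorator {
	return func(next http.RoundTripper) http.RoundTripper {
		return roundTripFunc(func(req *http.Request) (*http.Response, error) {
			host := strings.ToLower(req.URL.Hostname())
			line := req.Method + " " + host + req.URL.Path
			if host != strings.ToLower(allowed) {
				record(line + " blocked")
				return nil, fmt.Errorf("host %q is not the pinned API host", host)
			}
			resp, err := next.RoundTrip(req)
			if err != nil {
				record(line + " error")
				return nil, err
			}
			record(fmt.Sprintf("%s %d", line, resp.StatusCode))
			return resp, nil
		})
	}
}

// demo drives the decorator over a constructed base transport (no network).
func demo() (lines []string) {
	base := roundTripFunc(func(*http.Request) (*http.Response, error) {
		return &http.Response{StatusCode: 200, Body: http.NoBody}, nil
	})
	rt := AuditAndPin(func(s string) { lines = append(lines, s) }, "api.example.test")(base)
	for _, u := range []string{"https://api.example.test/sensors/v1", "https://other.example.test/x"} {
		req, _ := http.NewRequest("GET", u, nil)
		_, _ = rt.RoundTrip(req)
	}
	return lines
}

func main() { fmt.Println(strings.Join(demo(), "\n")) }
```

With the SDK, a function of this shape would be assigned to the TransportDecorator field of ApiConfig, with the pinned host chosen to match the configured Cloud or HostOverride.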
