falcon

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 27, 2024 License: MIT Imports: 25 Imported by: 22

Documentation

Index

Constants

View Source
const (
	CloudAutoDiscover = iota
	CloudUs1
	CloudUs2
	CloudEu1
	CloudUsGov1
)

Variables

View Source
var (
	Version = semver.MustParse("0.6.0")
)

Functions

func AssertNoError added in v0.2.6

func AssertNoError(payloadErrors []*models.MsaAPIError) error

AssertNoError converts MsaAPIError to golang errors Falcon API oftentimes returns payload structure that may include application errors within MsaAPIError list. For the users of the API it is often times desirable to convert the application errors from CrowdStrike platform to golang native errors to inform application flow.

func ErrorExplain

func ErrorExplain(apiError error) string

ErrorExplain extracts as much information from the error object as possible and returns as human readable string. This is useful for developers as gofalcon/falcon/client library is swagger generated and various error classes do not adhere to a common interface.

func FalconContainerSensorImageURI added in v0.5.0

func FalconContainerSensorImageURI(falconCloud CloudType, sensorType SensorType) string

FalconContainerSensorImageURI returns a URI for downloading a container sensor image. Defaults to the falcon-sensor image.

func FalconContainerUploadURI added in v0.5.0

func FalconContainerUploadURI(falconCloud CloudType) string

FalconContainerUploadURI parses cloud string (example: us-1, us-2, eu-1, us-gov-1, etc) and returns a URI for uploading a container image for ImageAssessment.

func NewClient

NewClient return newly configured API Client based on configuration supplied by user. NewClient function is preferred entry-point to gofalcon SDK.

Types

type ApiConfig

type ApiConfig struct {
	// AccessToken is the access token used to access the CrowdStrike Falcon platform.
	// If used either Cloud or HostOverride must be provided.
	// *required* if ClientId and ClientSecret are empty.
	AccessToken string
	// Client ID used for authentication with CrowdStrike Falcon platform.
	// *required* if AccessToken is empty.
	ClientId string
	// Client Secret used for authentication with CrowdStrike Falcon platform.
	// *required* if AccessToken is empty.
	ClientSecret string
	// Optional: CID selector for cases when the ClientID/ClientSecret has access to multiple CIDs
	MemberCID string
	// This Context object will be used only when authenticating with the OAuth interface.
	Context context.Context
	// Cloud allows us to select Falcon Cloud to connect.
	Cloud CloudType
	// HostOverride allows to override host. Cloud will be ignored.
	HostOverride string
	// BasePathOverride allows to override default base path (default: /)
	BasePathOverride string
	// HttpTimeOutOverride allows users to override default HTTP Time-out (5 minutes). This timeout should rarely be hit. The time-out protects user-application should an unlikely event of CrowdStrike outage occur. Users that need to have more control over HTTP time-outs are advised to use context.Context argument to API calls instead of this variable.
	HttpTimeOutOverride *time.Duration
	// UserAgentOverride allows to override default User-Agent HTTP header when talking with CrowdStrike API (default: gofalcon/$VERSION)
	UserAgentOverride string
	// TransportDecorator allows users to decorate and customize default authenticated client http.RoundTripper behavior.
	TransportDecorator TransportDecorator
	// Debug forces print out of all http traffic going through the API Runtime
	Debug bool
}

ApiConfig object is used to initialise and configure API Client. Together with NewClient function, ApiConfig provides preferred way to initiate API communication.

func (*ApiConfig) BasePath

func (ac *ApiConfig) BasePath() string

BasePath returns base URL path to be used by this ApiConfig

func (*ApiConfig) Host

func (ac *ApiConfig) Host() string

Host returns FQDN of CrowdStrike API Gateway to be used by this ApiConfig

func (*ApiConfig) HttpTimeout added in v0.2.13

func (ac *ApiConfig) HttpTimeout() time.Duration

func (*ApiConfig) UserAgent added in v0.2.30

func (ac *ApiConfig) UserAgent() string

type CloudType

type CloudType int

CloudType represents type of CrowdStrike Falcon cloud region.

func Cloud

func Cloud(cloudString string) CloudType

Cloud parses cloud string (example: us-1, us-2, eu-1, us-gov-1, etc). If a string is not recognized CloudUs1 is returned.

func CloudValidate

func CloudValidate(cloudString string) (CloudType, error)

CloudValidate parses cloud string (example: us-1, us-2, eu-1, us-gov-1, etc.). Error is returned when string cannot be recognized.

func (*CloudType) Autodiscover added in v0.2.15

func (c *CloudType) Autodiscover(ctx context.Context, clientId, clientSecret string) error

func (CloudType) Host

func (c CloudType) Host() string

Host returns default hostname for given cloud.

func (CloudType) String added in v0.2.11

func (c CloudType) String() string

type CommonPayload

type CommonPayload interface {
	MarshalBinary() ([]byte, error)
}

CommonPayload is interface for *Payload structures in the gofalcon/falcon/client library.

func ErrorExtractPayload

func ErrorExtractPayload(apiError error) CommonPayload

ErrorExtractPayload pops out a .Payload member from the API Error (if included).

type RTR added in v0.2.22

type RTR struct {
	// contains filtered or unexported fields
}

func NewRTR added in v0.2.22

func NewRTR(apiCfg *ApiConfig) (*RTR, error)

func (*RTR) ActiveSessions added in v0.2.22

func (r *RTR) ActiveSessions(ctx context.Context) ([]RTRSession, error)

func (*RTR) BatchActiveResponderCmd added in v0.2.35

func (r *RTR) BatchActiveResponderCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchActiveResponderCmd executes an RTR Active Responder command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) BatchAdminCmd added in v0.2.35

func (r *RTR) BatchAdminCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response_admin.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchAdminCmd executes an RTR Admin command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) BatchCmd added in v0.2.35

func (r *RTR) BatchCmd(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration,
	baseCommand, batchID, commandString string, optionalHosts []string, opts ...real_time_response.ClientOption) (map[string]models.DomainMultiStatusSensorResponse, error)

BatchCmd executes an RTR Read Only Analyst command against a batch of hosts. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) CreatePutFile added in v0.2.32

func (r *RTR) CreatePutFile(ctx context.Context, name *string, description string, auditLogComment *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

func (*RTR) CreateScript added in v0.2.32

func (r *RTR) CreateScript(ctx context.Context, name *string, description, permissionType string, platform []string, auditLogComment, content *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

func (*RTR) DeletePutFile added in v0.2.32

func (r *RTR) DeletePutFile(ctx context.Context, id string, opts ...real_time_response_admin.ClientOption) error

func (*RTR) DeleteScript added in v0.2.32

func (r *RTR) DeleteScript(ctx context.Context, id string, opts ...real_time_response_admin.ClientOption) error

func (*RTR) GetPutFiles added in v0.2.32

func (*RTR) GetScripts added in v0.2.32

func (*RTR) ListPutFiles added in v0.2.32

func (r *RTR) ListPutFiles(ctx context.Context, filter *string, limit *int64, offset, sort *string, opts ...real_time_response_admin.ClientOption) (*models.BinservapiMsaPutFileResponse, error)

func (*RTR) ListScripts added in v0.2.32

func (r *RTR) ListScripts(ctx context.Context, filter *string, limit *int64, offset, sort *string, opts ...real_time_response_admin.ClientOption) (*models.BinservapiMsaPutFileResponse, error)

func (*RTR) NewBatchSession added in v0.2.35

func (r *RTR) NewBatchSession(ctx context.Context, timeout *int64, timeoutDuration *time.Duration, hostTimeoutDuration time.Duration, hostIDs []string, existingBatchID *string, queueOffline bool, opts ...real_time_response.ClientOption) (*models.DomainBatchInitSessionResponse, error)

NewBatchSession initiates a batch session for the given hosts. Use the returned BatchID in subsequent call via the command methods in this type to then execute RTR commands on them. timeout and timeoutDuration are pointers because only one is required and they are mutually exclusive. timeoutDuration is preferred.

func (*RTR) NewSession added in v0.2.22

func (r *RTR) NewSession(ctx context.Context, deviceID string) (*RTRSession, error)

func (*RTR) PulseSession added in v0.2.22

func (r *RTR) PulseSession(ctx context.Context, request *models.DomainInitRequest) (*RTRSession, error)

func (*RTR) UpdateScript added in v0.2.32

func (r *RTR) UpdateScript(ctx context.Context, id string, name, description, permissionType *string, platform []string, auditLogComment, content *string, file runtime.NamedReadCloser, opts ...real_time_response_admin.ClientOption) error

type RTRSession added in v0.2.22

type RTRSession struct {
	// contains filtered or unexported fields
}

func (*RTRSession) ActiveResponderExecute added in v0.2.32

func (s *RTRSession) ActiveResponderExecute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) ActiveResponderExecuteAndWait added in v0.2.32

func (s *RTRSession) ActiveResponderExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) ActiveResponderWaitForExecution added in v0.2.32

func (s *RTRSession) ActiveResponderWaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) AdminExecute added in v0.2.32

func (s *RTRSession) AdminExecute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response_admin.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) AdminExecuteAndWait added in v0.2.32

func (s *RTRSession) AdminExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response_admin.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) AdminWaitForExecution added in v0.2.32

func (s *RTRSession) AdminWaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response_admin.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) Close added in v0.2.22

func (s *RTRSession) Close(ctx context.Context) error

func (*RTRSession) Execute added in v0.2.22

func (s *RTRSession) Execute(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainCommandExecuteResponse, error)

func (*RTRSession) ExecuteAndWait added in v0.2.22

func (s *RTRSession) ExecuteAndWait(ctx context.Context, baseCommand, commandString string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

func (*RTRSession) GetFile added in v0.2.22

func (s *RTRSession) GetFile(ctx context.Context, sha256, filePath string, output io.Writer) error

func (*RTRSession) ListFiles added in v0.2.22

func (s *RTRSession) ListFiles(ctx context.Context) ([]*models.DomainFileV2, error)

func (*RTRSession) WaitForExecution added in v0.2.22

func (s *RTRSession) WaitForExecution(ctx context.Context, cloudRequestId string, opts ...real_time_response.ClientOption) (*models.DomainStatusResponse, error)

type SensorType added in v0.5.0

type SensorType string
const (
	SidecarSensor SensorType = "falcon-container"
	ImageSensor   SensorType = "falcon-imageanalyzer"
	KacSensor     SensorType = "falcon-kac"
	NodeSensor    SensorType = "falcon-sensor"
)

type StreamingError

type StreamingError struct {
	Fatal bool
	Err   error
}

StreamingError structure that holds original error and indicates whether the Error is likely fatal or not

func (StreamingError) Error

func (e StreamingError) Error() string

type StreamingHandle

type StreamingHandle struct {
	Events     chan *streaming_models.EventItem
	Errors     chan StreamingError
	HTTPClient *http.Client
	// contains filtered or unexported fields
}

StreamingHandle is higher order type that allows for easy use of CrowdStrike Falcon Streaming API

func NewStream

NewStream initializes new StreamingHandle and connects to the Streaming API. The streams need to be discovered first by event_streams.ListAvailableStreamsOAuth2() method. The appId must be an ID that is unique within your CrowdStrike account. Each running instance of your application must provide unique ID. The offset value can then be used to skip seen events, should the stream disconnect. Users are advised to use zero (0) value at start. Each event then contains its own offset.

func NewStreamWithClient added in v0.2.35

func NewStreamWithClient(ctx context.Context, client *client.CrowdStrikeAPISpecification, appId string, stream *models.MainAvailableStreamV2, offset uint64, httpClient *http.Client) (*StreamingHandle, error)

NewStreamWithClient initializes new StreamingHandle and connects to the Streaming API using the provided http.Client.

func (*StreamingHandle) Close

func (sh *StreamingHandle) Close()

Close the StreamingHandle after use

type TransportDecorator added in v0.2.34

type TransportDecorator func(http.RoundTripper) http.RoundTripper

TransportDecorator accepts a RoundTripper and returns a RoundTripper. This can be used to wrap or decorate the authenticated client's built-in HTTP client operation behavior for all API requests.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL