falcon_detection_details

command
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2023 License: MIT Imports: 9 Imported by: 0

README

Falcon Detection Details

Stand-alone tool that uses Detects API to query all the detection details and output JSON to the stdout. This tool can be used together with JSON parsing tools like jq in order to build reports of your liking.

Installation

go get github.com/crowdstrike/gofalcon/examples/falcon_detection_details

Exemplary Usage

Get full details of all the detections

$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \
      falcon_detection_details

Get total number of all detections

falcon_detection_details | jq length

List command-line of the processes that triggered detection.

falcon_detection_details  | jq 'map(.behaviors[].cmdline)'

List affected hostnames and the command-lines together as a key-value dictionary. (Note: this will only show the very latest detection per each hostname, when the hostname was associated with multiple detections)

falcon_detection_details  | jq -r ' map( { (.device.hostname) : .behaviors[].cmdline } ) | add'

List detections that have not yet been assigned to a responsible person

$ falcon_detection_details --filter="assigned_to_uid:NULL"

Please refer to Falcon Detection Monitoring API documentation to learn more about FQL filter parameter, the meaning of the entity properties, and best practices. Further, please refer to jq tool manual to learn how to effectively post-process JSON outputs in command-line.

Documentation

The Go Gopher

There is no documentation for this package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL