gocs

Published: Nov 15, 2016 License: MIT Imports: 11 Imported by: 0

README

gocs

CrowdStrike Intel API implementation in Golang

Documentation

Overview

Package gocs is a library implementing the CrowdStrike Intel API v2.0

Written by Slavik Markovich at Demisto

Package gocs is a library implementing the CrowdStrike Intel API v2.0

Written by Slavik Markovich at Demisto

Index

Constants

const (
	// DefaultURL is the base URL of the CrowdStrike Intel API. It is an https
	// endpoint; because the customer ID and API key are carried in request
	// headers (AuthHeaderID/AuthHeaderKey), any override via SetURL should
	// stay https as well, or the credentials travel in clear text.
	DefaultURL = "https://intelapi.crowdstrike.com/"
	// AuthHeaderID is the request header that carries the CrowdStrike customer
	// ID (presumably the id argument of SetCredentials).
	AuthHeaderID = "X-CSIX-CUSTID"
	// AuthHeaderKey is the request header that carries the CrowdStrike API
	// key. The key is a secret: keep it out of logs, traces and source control.
	AuthHeaderKey = "X-CSIX-CUSTKEY"
	// AllFields, when passed in a request's Fields, asks the API to return
	// every field of each result.
	AllFields = "__full__"
	// BasicFields, when passed in a request's Fields, asks the API to return
	// only the basic field set of each result.
	BasicFields = "__basic__"
)
const (
	// DefaultURLHost is the base URL of the Falcon Host API, the service the
	// Host client talks to. NOTE(review): the NewHost doc says DefaultURL is
	// used when no URL is configured — verify which default NewHost applies.
	DefaultURLHost = "https://falconapi.crowdstrike.com/"
)

Variables

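var (
	// ErrMissingCredentials is returned when the API ID and key have not been
	// configured (see SetCredentials). It is a pointer sentinel: compare with
	// == or errors.Is rather than by message text.
	ErrMissingCredentials = &Error{Code: "missing_credentials", Message: "You must provide the CrowdStrike API ID and key"}
	// ErrMissingParams is returned when a request lacks a parameter the
	// endpoint requires. Pointer sentinel, same comparison rule as above.
	ErrMissingParams = &Error{Code: "missing_parameters", Message: "You must provide the CrowdStrike API required parameters for the request"}
)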

Functions

This section is empty.

Types

type ActorRequest

// ActorRequest is the set of filters for Intel.Actors; the API AND's the
// populated filters together. Each field's json tag is the API parameter
// name. No field uses omitempty, so if the struct is JSON-encoded as-is,
// zero values are sent too ("" for strings, null for nil slices/pointers).
type ActorRequest struct {
	// Q is presumably a free-text query; the other string fields match a
	// single attribute.
	Q                    string      `json:"q"`
	Name                 string      `json:"name"`
	Description          string      `json:"description"`
	// Date bounds are pointers so they can be left unset (nil).
	MinLastModifiedDate  *time.Time  `json:"min_last_modified_date"`
	// MaxLastModifieldDate keeps its misspelled exported name for
	// compatibility; the JSON key it maps to is spelled correctly.
	MaxLastModifieldDate *time.Time  `json:"max_last_modified_date"`
	MinLastActivityDate  *time.Time  `json:"min_last_activity_date"`
	MaxLastActivityDate  *time.Time  `json:"max_last_activity_date"`
	Origins              []string    `json:"origins"`
	TargetCountries      []string    `json:"target_countries"`
	TargetIndustries     []string    `json:"target_industries"`
	Motivations          []string    `json:"motivations"`
	Fields               []string    `json:"fields"` // Fields requested in the reply. Can receive gocs.AllFields and gocs.BasicFields
	SortFields           []SortField `json:"sort"`
	// Paging is embedded, so Offset and Limit are promoted onto the request
	// and encoded under "offset"/"limit".
	Paging
}

ActorRequest carries the query parameters for Actors. The parameters that are set are AND'ed together, i.e. an actor must satisfy all of them to be returned.

type ActorResponse

// ActorResponse is the decoded reply to Intel.Actors.
type ActorResponse struct {
	Meta struct {
		// Paging echoes the paging window the API applied. Total is
		// presumably the overall match count, not len(Resources).
		Paging struct {
			Total  int `json:"total"`
			Offset int `json:"offset"`
			Limit  int `json:"limit"`
		} `json:"paging"`
	} `json:"meta"`
	// QueryTime is the server-reported query time (units not documented here).
	QueryTime float64    `json:"query_time"`
	// Resources holds the actors of this page.
	Resources []Resource `json:"resources"`
}

ActorResponse for the ActorRequest

type DeviceCountResponse

// DeviceCountResponse is the decoded reply to Host.DeviceCount.
type DeviceCountResponse struct {
	Meta struct {
		QueryTime float64 `json:"query_time"`
		// TraceID identifies the request on the server side; quote it when
		// raising a support case.
		TraceID string `json:"trace_id"`
	} `json:"meta"`
	Resources []struct {
		DeviceCount int `json:"device_count"`
	} `json:"resources"`
	// Errors carries error objects embedded in the API response body. Check it
	// as well as the error returned by the client; a decodable body with a
	// populated Errors slice is not necessarily reported as a Go error.
	Errors []Error `json:"errors"`
}

DeviceCountResponse is the decoded reply to DeviceCount. API-side errors arrive in its Errors slice, so callers should inspect that as well as the returned error.

type Error

// Error is the error type used both for this library's own sentinel errors
// (ErrMissingCredentials, ErrMissingParams) and for error objects decoded
// from API response bodies (the Errors slices of the response types). Code
// is the machine-readable identifier to branch on; Message is for humans.
type Error struct {
	Code    string `json:"code"`    // Code of the error
	Message string `json:"message"` // Message of the error
}

Error structs are returned from this library for known error conditions

func (*Error) Error

func (e *Error) Error() string

type Host

type Host struct {
	// contains filtered or unexported fields
}

Host interacts with the services provided by CrowdStrike Falcon Host API.

func NewHost

func NewHost(options ...OptionFunc) (*Host, error)

NewHost creates a new Falcon Host API client.

The caller can configure the new client by passing configuration options to the func.

Example:

client, err := gocs.NewHost(
  gocs.SetCredentials("id", "key"),
  gocs.SetURL("https://some.url.com:port/"),
  gocs.SetErrorLog(log.New(os.Stderr, "CS: ", log.Lshortfile)))

If no URL is configured, a default endpoint is used. This doc says DefaultURL, but the package also defines DefaultURLHost for the host API — check NewHost's source before relying on the default. Whatever URL you pass, keep it https: the API ID and key are sent as request headers.

If no HttpClient is configured, then http.DefaultClient is used. http.DefaultClient has no timeout, so for production use pass your own http.Client (with a Timeout, and TLS verification left enabled on its Transport) via SetHTTPClient.

An error is also returned when some configuration option is invalid.

func (*Host) DeleteIOCs

func (h *Host) DeleteIOCs(ids []string) (resp *SearchIOCsResponse, err error)

DeleteIOCs is undocumented upstream. It takes a list of IOC IDs and returns a SearchIOCsResponse; as a write operation against the tenant's IOC set it should be gated like the other mutating calls (UpdateIOCs, UploadIOCs).

func (*Host) DeviceCount

func (h *Host) DeviceCount(t, v string) (resp *DeviceCountResponse, err error)

DeviceCount ...

func (*Host) DeviceCountJSON

func (h *Host) DeviceCountJSON(t, v string, w io.Writer) (err error)

DeviceCountJSON will write the response for DeviceCount(t, v) to the given writer instead of decoding it into a DeviceCountResponse.

func (*Host) DeviceSearch

func (h *Host) DeviceSearch(filter string, query string) (resp *SearchIOCsResponse, err error)

DeviceSearch ...

func (*Host) DevicesRanOn

func (h *Host) DevicesRanOn(t, v string) (resp *SearchIOCsResponse, err error)

DevicesRanOn ...

func (*Host) DevicesRanOnJSON

func (h *Host) DevicesRanOnJSON(t, v string, w io.Writer) (err error)

DevicesRanOnJSON will write the response for DevicesRanOn(t, v) to the given writer instead of decoding it.

func (*Host) ProcessDetails

func (h *Host) ProcessDetails(ids []string) (resp *ProcessResponse, err error)

ProcessDetails ...

func (*Host) ProcessDetailsJSON

func (h *Host) ProcessDetailsJSON(ids []string, w io.Writer) (err error)

ProcessDetailsJSON will write the response for ProcessDetails(ids) to the given writer instead of decoding it into a ProcessResponse.

func (*Host) ProcessesRanOn

func (h *Host) ProcessesRanOn(t, v, device string) (resp *SearchIOCsResponse, err error)

ProcessesRanOn ...

func (*Host) ProcessesRanOnJSON

func (h *Host) ProcessesRanOnJSON(t, v, device string, w io.Writer) (err error)

ProcessesRanOnJSON will write the response for ProcessesRanOn(t, v, device) to the given writer instead of decoding it.

func (*Host) Resolve

func (h *Host) Resolve(ids []string, toState string) (resp *ResolveResponse, err error)

Resolve is undocumented upstream. It takes a list of IDs and a target state string and returns a ResolveResponse, whose Meta.Writes.ResourcesAffected presumably reports how many resources were changed.

func (*Host) SearchIOCs

func (h *Host) SearchIOCs(req *SearchIOCsRequest) (resp *SearchIOCsResponse, err error)

SearchIOCs ...

func (*Host) SearchIOCsJSON

func (h *Host) SearchIOCsJSON(req *SearchIOCsRequest, w io.Writer) (err error)

SearchIOCsJSON will write the response for SearchIOCs(req) to the given writer instead of decoding it into a SearchIOCsResponse.

func (*Host) UpdateIOCs

func (h *Host) UpdateIOCs(ids []string, ioc *IOC) (resp *SearchIOCsResponse, err error)

UpdateIOCs is undocumented upstream. It applies the non-empty fields of ioc to the IOCs identified by ids (IOC's fields are all omitempty, so unset fields are not sent) and returns a SearchIOCsResponse. This mutates the tenant's IOC set.

func (*Host) UploadIOCs

func (h *Host) UploadIOCs(iocs []IOC) (resp *SearchIOCsResponse, err error)

UploadIOCs is undocumented upstream. It submits the given IOCs and returns a SearchIOCsResponse. This mutates the tenant's IOC set, so validate the indicator values before calling it.

type IOC

// IOC is an indicator of compromise as sent to the Falcon Host IOC endpoints
// (UploadIOCs, UpdateIOCs). Every field is omitempty, so an unset string or
// an ExpirationDays of 0 is omitted from the request rather than sent as
// ""/0. NOTE(review): ShareLevel's json tag is camelCase while the others
// are snake_case — confirm against the API before relying on that field.
type IOC struct {
	// Type and Value identify the indicator; the accepted type names are not
	// documented here.
	Type           string `json:"type,omitempty"`
	Value          string `json:"value,omitempty"`
	// Policy and ShareLevel control how the IOC is applied/shared; their
	// accepted values are not documented here.
	Policy         string `json:"policy,omitempty"`
	ShareLevel     string `json:"shareLevel,omitempty"`
	ExpirationDays int    `json:"expiration_days,omitempty"`
	Source         string `json:"source,omitempty"`
	Description    string `json:"description,omitempty"`
}

IOC ...

type IndicatorRequest

// IndicatorRequest is the query for Intel.Indicators: Filter is applied to
// Parameter against Value. No field uses omitempty, so if the struct is
// JSON-encoded as-is a nil Sort is sent as null and a zero Page/PerPage as 0.
type IndicatorRequest struct {
	Parameter string     `json:"parameter"`
	Filter    string     `json:"filter"`
	Value     string     `json:"value"`
	Sort      *SortField `json:"sort"`
	Page      int        `json:"page"`
	PerPage   int        `json:"perPage"`
}

IndicatorRequest searches for an indicator based on the parameter and relevant filter

type IndicatorResponse

// IndicatorResponse is one indicator returned by Intel.Indicators.
// LastUpdated and PublishedDate carry no json tag (encoding/json would use
// the keys "LastUpdated"/"PublishedDate"); the API's values arrive in the
// *Epoch fields and the time.Time fields are presumably derived from those
// by the client after decoding — verify before relying on them.
type IndicatorResponse struct {
	Indicator           string  `json:"indicator"`
	Type                string  `json:"type"`
	LastUpdatedEpoch    float64 `json:"last_updated"`
	LastUpdated         time.Time
	PublishedDateEpoch  float64 `json:"published_date"`
	PublishedDate       time.Time
	// MaliciousConfidence is an API-supplied string; its value set is not
	// documented here.
	MaliciousConfidence string     `json:"malicious_confidence"`
	Reports             []string   `json:"reports"`
	Actors              []string   `json:"actors"`
	MalwareFamilies     []string   `json:"malware_families"`
	KillChains          []string   `json:"kill_chains"`
	DomainTypes         []string   `json:"domain_types"`
	IPAddressTypes      []string   `json:"ip_address_types"`
	Relations           []Relation `json:"relations"`
	Labels              []Label    `json:"labels"`
}

IndicatorResponse for the request

type Intel

type Intel struct {
	// contains filtered or unexported fields
}

Intel interacts with the services provided by CrowdStrike Falcon Intelligence.

func NewIntel

func NewIntel(options ...OptionFunc) (*Intel, error)

NewIntel creates a new Falcon Intelligence API client.

The caller can configure the new client by passing configuration options to the func.

Example:

client, err := gocs.NewIntel(
  gocs.SetCredentials("id", "key"),
  gocs.SetURL("https://some.url.com:port/"),
  gocs.SetErrorLog(log.New(os.Stderr, "CS: ", log.Lshortfile)))

If no URL is configured, Client uses DefaultURL by default. Whatever URL you pass, keep it https: the API ID and key are sent as request headers.

If no HttpClient is configured, then http.DefaultClient is used. http.DefaultClient has no timeout, so for production use pass your own http.Client (with a Timeout, and TLS verification left enabled on its Transport) via SetHTTPClient.

An error is also returned when some configuration option is invalid.

func (*Intel) Actors

func (c *Intel) Actors(req *ActorRequest) (resp *ActorResponse, err error)

Actors will query the actors API

func (*Intel) ActorsJSON

func (c *Intel) ActorsJSON(req *ActorRequest, w io.Writer) (err error)

ActorsJSON will write the response to the given writer

func (*Intel) Indicators

func (c *Intel) Indicators(req *IndicatorRequest) (resp []IndicatorResponse, err error)

Indicators will query the indicators API

func (*Intel) IndicatorsJSON

func (c *Intel) IndicatorsJSON(req *IndicatorRequest, w io.Writer) (err error)

IndicatorsJSON will write the response to the given writer

type Label

// Label is a tag attached to an indicator. CreatedOn and LastValidOn carry no
// json tag (encoding/json would use the keys "CreatedOn"/"LastValidOn"); the
// API's values arrive in the *Epoch fields and the time.Time fields are
// presumably derived from those by the client — verify.
type Label struct {
	Name             string  `json:"name"`
	CreatedOnEpoch   float64 `json:"created_on"`
	CreatedOn        time.Time
	LastValidOnEpoch float64 `json:"last_valid_on"`
	LastValidOn      time.Time
}

Label for an indicator

type OptionFunc

// OptionFunc configures the unexported client underlying both Intel and
// Host. It may return an error to reject an invalid setting, which NewIntel
// and NewHost return to the caller. Construct options with SetCredentials,
// SetURL, SetHTTPClient, SetErrorLog and SetTraceLog.
type OptionFunc func(*client) error

OptionFunc is a function that configures a Client. It is used in New

func SetCredentials

func SetCredentials(id, key string) OptionFunc

SetCredentials sets the CS API ID and key. To receive a key, log in to the portal at https://intel.crowdstrike.com and go to the "CrowdStrike API" tab. The pair is sent with requests in the AuthHeaderID/AuthHeaderKey headers, so treat the key as a secret: load it from the environment or a secret store rather than hard-coding it, and only point the client at https URLs.

func SetErrorLog

func SetErrorLog(logger *log.Logger) OptionFunc

SetErrorLog sets the logger for critical messages. It is nil by default.

func SetHTTPClient

func SetHTTPClient(httpClient *http.Client) OptionFunc

SetHTTPClient can be used to specify the http.Client to use when making HTTP requests to the CrowdStrike API. Prefer a client with a Timeout set; if you supply a custom Transport, leave TLS certificate verification enabled, since the API credentials travel in request headers.

func SetTraceLog

func SetTraceLog(logger *log.Logger) OptionFunc

SetTraceLog specifies the logger to use for output of trace messages like HTTP requests and responses. It is nil by default. If the trace includes request headers it may include the X-CSIX-CUSTKEY credential — check the output before enabling trace logging anywhere the logs are retained or shared.

func SetURL

func SetURL(rawurl string) OptionFunc

SetURL defines the base URL of the CrowdStrike API endpoint. Use an https URL; the API ID and key are sent as request headers.

type Paging

// Paging is the offset/limit window embedded in request types (ActorRequest,
// SearchIOCsRequest); embedding promotes Offset and Limit onto those structs
// and encodes them under "offset"/"limit".
type Paging struct {
	Offset int `json:"offset"`
	Limit  int `json:"limit"`
}

Paging is the offset/limit paging control embedded in the request types.

type Process

// Process describes one process occurrence as returned in
// ProcessResponse.Resources (Host.ProcessDetails). StartTimestamp and
// StopTimestamp carry no json tag; the API's values arrive in the *_raw epoch
// fields and the time.Time fields are presumably derived from those by the
// client — verify.
type Process struct {
	DeviceID            string `json:"device_id"`
	// CommandLine is the command line as captured on the endpoint. It can
	// contain secrets passed as arguments (passwords, tokens, keys); redact
	// it before logging or persisting it outside the detection pipeline.
	CommandLine         string `json:"command_line"`
	ProcessID           string `json:"process_id"`
	ProcessIDLocal      string `json:"process_id_local"`
	FileName            string `json:"file_name"`
	StartTimestamp      time.Time
	StartTimestampEpoch float64 `json:"start_timestamp_raw"`
	StopTimestamp       time.Time
	StopTimestampEpoch  float64 `json:"stop_timestamp_raw"`
}

Process holds the information about a detected process. Its CommandLine may contain secrets passed as arguments; redact before logging or storing it.

type ProcessResponse

// ProcessResponse is the decoded reply to Host.ProcessDetails.
type ProcessResponse struct {
	Meta struct {
		QueryTime float64 `json:"query_time"`
		// TraceID identifies the request server-side; quote it in support cases.
		TraceID string `json:"trace_id"`
	} `json:"meta"`
	Resources []Process `json:"resources"`
	// Errors carries error objects embedded in the response body; check it as
	// well as the error returned by the client.
	Errors []Error `json:"errors"`
}

ProcessResponse is the decoded reply to ProcessDetails. API-side errors arrive in its Errors slice.

type Relation

// Relation links an indicator to a related indicator. CreatedDate and
// LastValidDate carry no json tag; the API's values arrive in the *Epoch
// fields and the time.Time fields are presumably derived from those by the
// client — verify.
type Relation struct {
	Indicator          string  `json:"indicator"`
	Type               string  `json:"type"`
	CreatedDateEpoch   float64 `json:"created_date"`
	CreatedDate        time.Time
	LastValidDateEpoch float64 `json:"last_valid_date"`
	LastValidDate      time.Time
}

Relation to indicator

type ResolveResponse

// ResolveResponse is the decoded reply to Host.Resolve. It carries no
// Resources; the outcome is in Meta.Writes.ResourcesAffected and Errors.
type ResolveResponse struct {
	Meta struct {
		QueryTime float64 `json:"query_time"`
		TraceID   string  `json:"trace_id"`
		Writes    struct {
			// ResourcesAffected is the number of resources the write touched;
			// compare it with len(ids) passed to Resolve to detect partial
			// application.
			ResourcesAffected int `json:"resources_affected"`
		} `json:"writes"`
	} `json:"meta"`
	// Errors carries error objects embedded in the response body; check it as
	// well as the error returned by the client.
	Errors []Error `json:"errors"`
}

ResolveResponse is the decoded reply to Resolve; Meta.Writes.ResourcesAffected reports how many resources were changed and Errors carries API-side errors.

type Resource

// Resource is one threat actor in ActorResponse.Resources. The *Date
// time.Time fields carry no json tag (encoding/json would use keys such as
// "CreatedDate"); the API's epoch values land in the matching *Epoch fields
// and the time.Time fields are presumably filled from those by the client —
// verify before relying on them.
type Resource struct {
	ID                 int    `json:"id"`
	Name               string `json:"name"`
	ShortDescription   string `json:"short_description"`
	KnownAs            string `json:"known_as"`
	CreatedDate        time.Time
	CreatedEpoch       float64    `json:"created_date"`
	TargetIndustries   []Slugable `json:"target_industries"`
	LastModifiedDate   time.Time
	LastModifiedEpoch  float64    `json:"last_modified_date"`
	TargetCountries    []Slugable `json:"target_countries"`
	FirstActivityDate  time.Time
	FirstActivityEpoch float64 `json:"first_activity_date"`
	LastActivityDate   time.Time
	LastActivityEpoch  float64    `json:"last_activity_date"`
	// URL is API-supplied data (presumably the actor's portal page); validate
	// it before rendering it as a link or following it.
	URL                string     `json:"url"`
	Motivations        []Slugable `json:"motivations"`
	Origins            []Slugable `json:"origins"`
	Slug               string     `json:"slug"`
}

Resource for an actor

type SearchIOCsRequest

// SearchIOCsRequest is the filter set for Host.SearchIOCs. No field uses
// omitempty, so if the struct is JSON-encoded as-is, nil slices and pointers
// are sent as null. NOTE(review): the two timestamp tags are camelCase while
// the rest are snake_case — confirm against the API.
type SearchIOCsRequest struct {
	Types                   []string   `json:"types"`
	Values                  []string   `json:"values"`
	Policies                []string   `json:"policies"`
	ShareLevels             []string   `json:"share_levels"`
	Sources                 []string   `json:"sources"`
	// Expiration bounds are pointers so they can be left unset (nil).
	FromExpirationTimestamp *time.Time `json:"fromExpirationTimestamp"`
	ToExpirationTimestamp   *time.Time `json:"toExpirationTimestamp"`
	Sort                    *SortField `json:"sort"`
	// Paging is embedded: Offset and Limit are promoted and encoded as
	// "offset"/"limit".
	Paging
}

SearchIOCsRequest holds the filters for SearchIOCs; set fields are matched against the stored IOCs and the embedded Paging selects the result window.

type SearchIOCsResponse

// SearchIOCsResponse is the decoded reply shared by several Host calls
// (SearchIOCs, DeleteIOCs, UpdateIOCs, UploadIOCs, DeviceSearch,
// DevicesRanOn, ProcessesRanOn). Resources is a list of strings whose
// meaning depends on the call (presumably IDs for the IOC calls — verify).
type SearchIOCsResponse struct {
	Meta struct {
		QueryTime  float64 `json:"query_time"`
		// Pagination echoes the applied window; Total is presumably the
		// overall match count, not len(Resources).
		Pagination struct {
			Total  int `json:"total"`
			Offset int `json:"offset"`
			Limit  int `json:"limit"`
		} `json:"pagination"`
		TraceID string `json:"trace_id"`
		Entity  string `json:"entity"`
	} `json:"meta"`
	Resources []string `json:"resources"`
	// Errors carries error objects embedded in the response body; check it as
	// well as the error returned by the client.
	Errors []Error `json:"errors"`
}

SearchIOCsResponse is the decoded reply returned by SearchIOCs and by the other Host calls that share it; Resources is a list of strings whose meaning depends on the call, and Errors carries API-side errors.

type Slugable

// Slugable is a named, slug-identified value used for an actor's target
// industries, target countries, motivations and origins in Resource.
type Slugable struct {
	ID    int    `json:"id"`
	Value string `json:"value"`
	Slug  string `json:"slug"`
}

Slugable is a named, slug-identified value (industry, country, motivation, origin) attached to an actor Resource.

type SortField

// SortField names a field to sort results by and the direction; used by
// ActorRequest.SortFields, IndicatorRequest.Sort and SearchIOCsRequest.Sort.
// Ascending defaults to false, i.e. descending when not set.
type SortField struct {
	Name      string `json:"name"`
	Ascending bool   `json:"ascending"`
}

SortField names a result field to sort by and whether the order is ascending; it is used by the Sort/SortFields members of the request types.

Directories

Path Synopsis
cmd
actors
Command line interface to CrowdStrike Intel API
Command line interface to CrowdStrike Intel API
indicators
Command line interface to CrowdStrike Intel API
Command line interface to CrowdStrike Intel API
iocs
Command line interface to CrowdStrike Intel API
Command line interface to CrowdStrike Intel API
