-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add falcon_vulnerabilities datasource (#255)
- Loading branch information
Showing
10 changed files
with
578 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
99 changes: 99 additions & 0 deletions
99
docs/plugins/crowdstrike/data-sources/falcon_vulnerabilities.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
--- | ||
title: "`falcon_vulnerabilities` data source" | ||
plugin: | ||
name: blackstork/crowdstrike | ||
description: "The `falcon_vulnerabilities` data source fetches environment vulnerabilities from Falcon Spotlight API" | ||
tags: [] | ||
version: "v0.4.2" | ||
source_github: "https://github.com/blackstork-io/fabric/tree/main/internal/crowdstrike/" | ||
resource: | ||
type: data-source | ||
type: docs | ||
--- | ||
|
||
{{< breadcrumbs 2 >}} | ||
|
||
{{< plugin-resource-header "blackstork/crowdstrike" "crowdstrike" "v0.4.2" "falcon_vulnerabilities" "data source" >}} | ||
|
||
## Description | ||
The `falcon_vulnerabilities` data source fetches environment vulnerabilities from Falcon Spotlight API. | ||
|
||
## Installation | ||
|
||
To use `falcon_vulnerabilities` data source, you must install the plugin `blackstork/crowdstrike`. | ||
|
||
To install the plugin, add the full plugin name to the `plugin_versions` map in the Fabric global configuration block (see [Global configuration]({{< ref "configs.md#global-configuration" >}}) for more details), as shown below: | ||
|
||
```hcl | ||
fabric { | ||
plugin_versions = { | ||
"blackstork/crowdstrike" = ">= v0.4.2" | ||
} | ||
} | ||
``` | ||
|
||
Note the version constraint set for the plugin. | ||
|
||
## Configuration | ||
|
||
The data source supports the following configuration arguments: | ||
|
||
```hcl | ||
config data falcon_vulnerabilities { | ||
# Client ID for accessing CrowdStrike Falcon Platform | ||
# | ||
# Required string. | ||
# Must be non-empty | ||
# For example: | ||
client_id = "some string" | ||
# Client Secret for accessing CrowdStrike Falcon Platform | ||
# | ||
# Required string. | ||
# Must be non-empty | ||
# For example: | ||
client_secret = "some string" | ||
# Member CID for MSSP | ||
# | ||
# Optional string. | ||
# Default value: | ||
member_cid = null | ||
# Falcon cloud abbreviation | ||
# | ||
# Optional string. | ||
# Must be one of: "autodiscover", "us-1", "us-2", "eu-1", "us-gov-1", "gov1" | ||
# For example: | ||
# client_cloud = "us-1" | ||
# | ||
# Default value: | ||
client_cloud = null | ||
} | ||
``` | ||
|
||
## Usage | ||
|
||
The data source supports the following execution arguments: | ||
|
||
```hcl | ||
data falcon_vulnerabilities { | ||
# limit the number of queried items | ||
# | ||
# Optional integer. | ||
# Default value: | ||
limit = 10 | ||
# Vulnerability search expression using Falcon Query Language (FQL) | ||
# | ||
# Optional string. | ||
# Default value: | ||
filter = null | ||
# Vulnerability sort expression using Falcon Query Language (FQL) | ||
# | ||
# Optional string. | ||
# Default value: | ||
sort = null | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37 changes: 37 additions & 0 deletions
37
examples/templates/crowdstrike/data_falcon_vulnerabilities.fabric
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
fabric { | ||
plugin_versions = { | ||
"blackstork/crowdstrike" = ">= 0.4 < 1.0 || 0.4.0-rev0" | ||
} | ||
} | ||
|
||
document "vulnerabilities" { | ||
meta { | ||
name = "example_document" | ||
} | ||
|
||
data falcon_vulnerabilities "vulnerabilities" { | ||
config { | ||
client_id = "" | ||
client_secret = "" | ||
client_cloud = "eu-1" | ||
} | ||
size = 100 | ||
} | ||
|
||
title = "List of Falcon vulnerabilities" | ||
|
||
content table { | ||
rows = query_jq(".data.falcon_vulnerabilities.vulnerabilities") | ||
columns = [ | ||
{ | ||
"header" = "Id" | ||
"value" = "{{.row.value.id}}" | ||
}, | ||
{ | ||
"header" = "Status" | ||
"value" = "{{.row.value.status}}" | ||
} | ||
] | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package crowdstrike | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/crowdstrike/gofalcon/falcon" | ||
"github.com/crowdstrike/gofalcon/falcon/client/spotlight_vulnerabilities" | ||
"github.com/hashicorp/hcl/v2" | ||
"github.com/zclconf/go-cty/cty" | ||
|
||
"github.com/blackstork-io/fabric/pkg/diagnostics" | ||
"github.com/blackstork-io/fabric/plugin" | ||
"github.com/blackstork-io/fabric/plugin/dataspec" | ||
"github.com/blackstork-io/fabric/plugin/dataspec/constraint" | ||
"github.com/blackstork-io/fabric/plugin/plugindata" | ||
) | ||
|
||
func makeFalconVulnerabilitiesDataSource(loader ClientLoaderFn) *plugin.DataSource { | ||
return &plugin.DataSource{ | ||
Doc: "The `falcon_vulnerabilities` data source fetches environment vulnerabilities from Falcon Spotlight API.", | ||
DataFunc: fetchFalconVulnerabilitiesData(loader), | ||
Config: makeDataSourceConfig(), | ||
Args: &dataspec.RootSpec{ | ||
Attrs: []*dataspec.AttrSpec{ | ||
{ | ||
Name: "limit", | ||
Type: cty.Number, | ||
Constraints: constraint.Integer, | ||
DefaultVal: cty.NumberIntVal(10), | ||
Doc: "limit the number of queried items", | ||
}, | ||
{ | ||
Name: "filter", | ||
Type: cty.String, | ||
Doc: "Vulnerability search expression using Falcon Query Language (FQL)", | ||
}, | ||
{ | ||
Name: "sort", | ||
Type: cty.String, | ||
Doc: "Vulnerability sort expression using Falcon Query Language (FQL)", | ||
}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func fetchFalconVulnerabilitiesData(loader ClientLoaderFn) plugin.RetrieveDataFunc { | ||
return func(ctx context.Context, params *plugin.RetrieveDataParams) (plugindata.Data, diagnostics.Diag) { | ||
cli, err := loader(makeApiConfig(ctx, params.Config)) | ||
if err != nil { | ||
return nil, diagnostics.Diag{{ | ||
Severity: hcl.DiagError, | ||
Summary: "Unable to create falcon client", | ||
Detail: err.Error(), | ||
}} | ||
} | ||
size, _ := params.Args.GetAttrVal("limit").AsBigFloat().Int64() | ||
apiParams := spotlight_vulnerabilities.NewCombinedQueryVulnerabilitiesParams().WithDefaults() | ||
apiParams.SetLimit(&size) | ||
apiParams.SetContext(ctx) | ||
if filter := params.Args.GetAttrVal("filter"); !filter.IsNull() { | ||
apiParams.SetFilter(filter.AsString()) | ||
} | ||
if sort := params.Args.GetAttrVal("sort"); !sort.IsNull() { | ||
sortStr := sort.AsString() | ||
apiParams.SetSort(&sortStr) | ||
} | ||
response, err := cli.SpotlightVulnerabilities().CombinedQueryVulnerabilities(apiParams) | ||
if err != nil { | ||
return nil, diagnostics.Diag{{ | ||
Severity: hcl.DiagError, | ||
Summary: "Failed to fetch Falcon Spotlight vulnerabilities", | ||
Detail: err.Error(), | ||
}} | ||
} | ||
if err = falcon.AssertNoError(response.GetPayload().Errors); err != nil { | ||
return nil, diagnostics.Diag{{ | ||
Severity: hcl.DiagError, | ||
Summary: "Failed to fetch Falcon Spotlight vulnerabilities", | ||
Detail: err.Error(), | ||
}} | ||
} | ||
vulnerabilities := response.GetPayload().Resources | ||
data, err := encodeResponse(vulnerabilities) | ||
if err != nil { | ||
return nil, diagnostics.Diag{{ | ||
Severity: hcl.DiagError, | ||
Summary: "Failed to parse response", | ||
Detail: err.Error(), | ||
}} | ||
} | ||
return data, nil | ||
} | ||
} |
Oops, something went wrong.