feat: add falcon_discover_host_details datasource

blackstork-io · Oct 23, 2024 · 38054ed · 38054ed
1 parent 237561f
commit 38054ed
Show file tree

Hide file tree

Showing 9 changed files with 662 additions and 4 deletions.
diff --git a/.mockery.yaml b/.mockery.yaml
@@ -60,6 +60,7 @@ packages:
       DetectsClient:
       SpotVulnerabilitiesClient:
       IntelClient:
+      DiscoverClient:
   github.com/blackstork-io/fabric/plugin/resolver:
     config:
       inpackage: true

diff --git a/docs/plugins/crowdstrike/data-sources/falcon_discover_host_details.md b/docs/plugins/crowdstrike/data-sources/falcon_discover_host_details.md
@@ -0,0 +1,93 @@
+---
+title: "`falcon_discover_host_details` data source"
+plugin:
+  name: blackstork/crowdstrike
+  description: "The `falcon_discover_host_details` data source fetches host details from Falcon Discover Host API"
+  tags: []
+  version: "v0.4.2"
+  source_github: "https://github.com/blackstork-io/fabric/tree/main/internal/crowdstrike/"
+resource:
+  type: data-source
+type: docs
+---
+
+{{< breadcrumbs 2 >}}
+
+{{< plugin-resource-header "blackstork/crowdstrike" "crowdstrike" "v0.4.2" "falcon_discover_host_details" "data source" >}}
+
+## Description
+The `falcon_discover_host_details` data source fetches host details from Falcon Discover Host API.
+
+## Installation
+
+To use `falcon_discover_host_details` data source, you must install the plugin `blackstork/crowdstrike`.
+
+To install the plugin, add the full plugin name to the `plugin_versions` map in the Fabric global configuration block (see [Global configuration]({{< ref "configs.md#global-configuration" >}}) for more details), as shown below:
+
+```hcl
+fabric {
+  plugin_versions = {
+    "blackstork/crowdstrike" = ">= v0.4.2"
+  }
+}
+```
+
+Note the version constraint set for the plugin.
+
+## Configuration
+
+The data source supports the following configuration arguments:
+
+```hcl
+config data falcon_discover_host_details {
+  # Client ID for accessing CrowdStrike Falcon Platform
+  #
+  # Required string.
+  # Must be non-empty
+  # For example:
+  client_id = "some string"
+
+  # Client Secret for accessing CrowdStrike Falcon Platform
+  #
+  # Required string.
+  # Must be non-empty
+  # For example:
+  client_secret = "some string"
+
+  # Member CID for MSSP
+  #
+  # Optional string.
+  # Default value:
+  member_cid = null
+
+  # Falcon cloud abbreviation
+  #
+  # Optional string.
+  # Must be one of: "autodiscover", "us-1", "us-2", "eu-1", "us-gov-1", "gov1"
+  # For example:
+  # client_cloud = "us-1"
+  # 
+  # Default value:
+  client_cloud = null
+}
+```
+
+## Usage
+
+The data source supports the following execution arguments:
+
+```hcl
+data falcon_discover_host_details {
+  # limit the number of queried items
+  #
+  # Required integer.
+  # For example:
+  size = 42
+
+  # Host search expression using Falcon Query Language (FQL)
+  #
+  # Optional string.
+  # Default value:
+  filter = null
+}
+```
diff --git a/docs/plugins/plugins.json b/docs/plugins/plugins.json
@@ -165,6 +165,20 @@
           "limit"
         ]
       },
+      {
+        "name": "falcon_discover_host_details",
+        "type": "data-source",
+        "config_params": [
+          "client_cloud",
+          "client_id",
+          "client_secret",
+          "member_cid"
+        ],
+        "arguments": [
+          "filter",
+          "size"
+        ]
+      },
       {
         "name": "falcon_intel_indicators",
         "type": "data-source",

diff --git a/examples/templates/crowdstrike/data_falcon_discover_host_details.fabric b/examples/templates/crowdstrike/data_falcon_discover_host_details.fabric
@@ -0,0 +1,32 @@
+document "falcon_discover_host_details" {
+  meta {
+    name = "example_document"
+  }
+
+  data falcon_discover_host_details "fdhd" {
+    config {
+        client_id = ""
+        client_secret = ""
+        client_cloud = "eu-1"
+    }
+    size = 100
+  }
+
+  title = "List of discover host details"
+
+  content table {
+        rows = query_jq(".data.falcon_discover_host_details.fdhd")
+        columns = [
+            {
+                "header" = "Cid"
+                "value"  = "{{.row.value.cid}}"
+            },
+            {
+                "header" = "City"
+                "value"  = "{{.row.value.city}}"
+            }
+        ]
+  }
+
+}
+
diff --git a/internal/crowdstrike/data_falcon_discover_host_details.go b/internal/crowdstrike/data_falcon_discover_host_details.go
@@ -0,0 +1,102 @@
+package crowdstrike
+
+import (
+	"context"
+
+	"github.com/crowdstrike/gofalcon/falcon"
+	"github.com/crowdstrike/gofalcon/falcon/client/discover"
+	"github.com/hashicorp/hcl/v2"
+	"github.com/zclconf/go-cty/cty"
+
+	"github.com/blackstork-io/fabric/pkg/diagnostics"
+	"github.com/blackstork-io/fabric/plugin"
+	"github.com/blackstork-io/fabric/plugin/dataspec"
+	"github.com/blackstork-io/fabric/plugin/dataspec/constraint"
+	"github.com/blackstork-io/fabric/plugin/plugindata"
+)
+
+func makeFalconDiscoverHostDetailsDataSource(loader ClientLoaderFn) *plugin.DataSource {
+	return &plugin.DataSource{
+		Doc:      "The `falcon_discover_host_details` data source fetches host details from Falcon Discover Host API.",
+		DataFunc: fetchFalconDiscoverHostDetails(loader),
+		Config:   makeDataSourceConfig(),
+		Args: &dataspec.RootSpec{
+			Attrs: []*dataspec.AttrSpec{
+				{
+					Name:        "size",
+					Type:        cty.Number,
+					Constraints: constraint.Integer | constraint.RequiredNonNull,
+					Doc:         "limit the number of queried items",
+				},
+				{
+					Name: "filter",
+					Type: cty.String,
+					Doc:  "Host search expression using Falcon Query Language (FQL)",
+				},
+			},
+		},
+	}
+}
+
+func fetchFalconDiscoverHostDetails(loader ClientLoaderFn) plugin.RetrieveDataFunc {
+	return func(ctx context.Context, params *plugin.RetrieveDataParams) (plugindata.Data, diagnostics.Diag) {
+		cli, err := loader(makeApiConfig(ctx, params.Config))
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Unable to create falcon client",
+				Detail:   err.Error(),
+			}}
+		}
+		size, _ := params.Args.GetAttrVal("size").AsBigFloat().Int64()
+		queryHostParams := discover.NewQueryHostsParams().WithDefaults()
+		queryHostParams.SetLimit(&size)
+		queryHostParams.SetContext(ctx)
+		queryHostsResponse, err := cli.Discover().QueryHosts(queryHostParams)
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to query Falcon Discover Hosts",
+				Detail:   err.Error(),
+			}}
+		}
+		if err = falcon.AssertNoError(queryHostsResponse.GetPayload().Errors); err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to query Falcon Discover Hosts",
+				Detail:   err.Error(),
+			}}
+		}
+		hostIds := queryHostsResponse.GetPayload().Resources
+
+		getHostParams := discover.NewGetHostsParams().WithDefaults()
+		getHostParams.SetIds(hostIds)
+		getHostParams.SetContext(ctx)
+		getHostsResponse, err := cli.Discover().GetHosts(getHostParams)
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to fetch Falcon Discover Hosts",
+				Detail:   err.Error(),
+			}}
+		}
+		if err = falcon.AssertNoError(queryHostsResponse.GetPayload().Errors); err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to fetch Falcon Discover Hosts",
+				Detail:   err.Error(),
+			}}
+		}
+
+		resources := getHostsResponse.GetPayload().Resources
+		data, err := encodeResponse(resources)
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to parse response",
+				Detail:   err.Error(),
+			}}
+		}
+		return data, nil
+	}
+}