
crowdstrike plugin with multiple data sources #243

Open
traut opened this issue Sep 17, 2024 · 1 comment · May be fixed by #253


traut commented Sep 17, 2024

Description

CrowdStrike is a leading vendor in cyber security. With such a wide customer base, integrating with CrowdStrike APIs will bring massive value to Fabric users.

This issue defines the requirements for 5 data sources.

Requirements

All data sources share the same configuration arguments:

  • client_id -- (required) string argument. Client ID for accessing CrowdStrike Falcon Platform
  • client_secret -- (required) string argument. Client Secret for accessing CrowdStrike Falcon Platform
  • member_cid -- (optional) string argument. Member CID for MSSP (for cases when OAuth2 authenticates multiple CIDs)
  • client_cloud -- (optional) string argument. Falcon cloud abbreviation (us-1, us-2, eu-1, us-gov-1, etc)

Docs bit for the creds:

Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys

falcon_cspm_ioms data source

The data source fetches cloud indicators of misconfigurations (IOMs) from the Falcon security posture management (CSPM) feature.

Example code using CrowdStrike SDK -- https://github.com/crowdstrike/gofalcon/tree/v0.7.0/examples/falcon_cspm_ioms

  • configuration: no specific arguments; use generic API args
  • execution: no args

falcon_detection_details data source

The data source fetches detection details from Falcon API.

Example code using CrowdStrike SDK -- https://github.com/crowdstrike/gofalcon/tree/v0.7.0/examples/falcon_detection_details

  • configuration: no specific arguments; use generic API args
  • execution:
    • filter -- (optional) string argument. Host search expression using Falcon Query Language (FQL)

falcon_discover_host_details data source

The data source fetches host details from Falcon Discover Host API.

Example code using CrowdStrike SDK -- https://github.com/crowdstrike/gofalcon/tree/v0.7.0/examples/falcon_discover_host_details

  • configuration: no specific arguments; use generic API args
  • execution:
    • filter -- (optional) string argument. Host search expression using Falcon Query Language (FQL)

falcon_intel_indicators data source

The data source fetches intel indicators from Falcon API.

Example code using CrowdStrike SDK -- https://github.com/crowdstrike/gofalcon/tree/v0.7.0/examples/falcon_intel_indicators

  • configuration: no specific arguments; use generic API args
  • execution:
    • filter -- (required) string argument. Indicators filter expression using Falcon Query Language (FQL)
    • sort -- (optional) string argument. Indicators sort expression using Falcon Query Language (FQL)

falcon_vulnerabilities data source

The data source fetches environment vulnerabilities from Falcon Spotlight API.

Example code using CrowdStrike SDK -- https://github.com/crowdstrike/gofalcon/tree/v0.7.0/examples/falcon_vulnerabilities

  • configuration: no specific arguments; use generic API args
  • execution:
    • filter -- (required) string argument. Vulnerability search expression using Falcon Query Language (FQL)
    • sort -- (optional) string argument. Vulnerability sort expression using Falcon Query Language (FQL)

Additional Information

@traut traut added this to the v0.5 milestone Sep 17, 2024

traut commented Oct 1, 2024

@anasmuhmd one thing I missed here -- all data sources that return lists of items must support the size exec attribute to limit the number of queried items.
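As an added illustration that is not the Fabric project's code nor the gofalcon SDK, the Go sketch below models the shared configuration arguments from the issue body (required client_id/client_secret, optional member_cid/client_cloud) together with the per-invocation filter/sort arguments and the size cap requested in the follow-up comment. The cloud allow-list (only the four abbreviations named in the issue), the default size of 100, the page size of 25, the ListClient interface and the constructed fakeClient are all assumptions; a real plugin would validate against the SDK's cloud list and wrap the gofalcon client behind the same interface.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FalconConfig mirrors the shared configuration arguments listed in the issue.
type FalconConfig struct {
	ClientID     string // required
	ClientSecret string // required
	MemberCID    string // optional, MSSP setups with multiple CIDs
	ClientCloud  string // optional Falcon cloud abbreviation, e.g. us-1
}

// knownClouds is an ASSUMED allow-list built from the abbreviations the issue
// names; a real plugin would take the full list from the SDK.
var knownClouds = map[string]bool{"us-1": true, "us-2": true, "eu-1": true, "us-gov-1": true}

// Validate enforces the required/optional rules from the issue.
func (c FalconConfig) Validate() error {
	if c.ClientID == "" {
		return errors.New("client_id is required")
	}
	if c.ClientSecret == "" {
		return errors.New("client_secret is required")
	}
	if c.ClientCloud != "" && !knownClouds[strings.ToLower(c.ClientCloud)] {
		return fmt.Errorf("client_cloud %q is not a known Falcon cloud abbreviation", c.ClientCloud)
	}
	return nil
}

// String redacts the secret so the config can be logged or printed safely.
func (c FalconConfig) String() string {
	return fmt.Sprintf("FalconConfig{client_id=%s client_secret=<redacted> member_cid=%s client_cloud=%s}",
		c.ClientID, c.MemberCID, c.ClientCloud)
}

// ExecArgs are the per-invocation arguments: FQL filter, FQL sort and size.
type ExecArgs struct {
	Filter string
	Sort   string
	Size   int // 0 means "use the default cap"
}

const defaultSize = 100 // assumed default cap on returned items
const pageSize = 25     // assumed page size of the (mock) list endpoint

// Limit returns the effective item cap, rejecting negative sizes.
func (a ExecArgs) Limit() (int, error) {
	if a.Size < 0 {
		return 0, fmt.Errorf("size must be >= 0, got %d", a.Size)
	}
	if a.Size == 0 {
		return defaultSize, nil
	}
	return a.Size, nil
}

// Page is the minimal shape of one paged list response.
type Page struct {
	Items []string
	Next  int // offset of the next page, -1 when exhausted
}

// ListClient abstracts the SDK list call so the paging logic can be tested offline.
type ListClient interface {
	List(filter, sort string, offset, limit int) (Page, error)
}

// FetchAll pages through results until `size` items are collected or the API
// reports no further pages, never asking the API for more than it needs.
func FetchAll(c ListClient, args ExecArgs) ([]string, error) {
	limit, err := args.Limit()
	if err != nil {
		return nil, err
	}
	var out []string
	offset := 0
	for len(out) < limit && offset >= 0 {
		want := limit - len(out)
		if want > pageSize {
			want = pageSize
		}
		p, err := c.List(args.Filter, args.Sort, offset, want)
		if err != nil {
			return nil, err
		}
		if len(p.Items) == 0 {
			break
		}
		out = append(out, p.Items...)
		offset = p.Next
	}
	if len(out) > limit {
		out = out[:limit]
	}
	return out, nil
}

// fakeClient serves CONSTRUCTED sample ids "ind-000".."ind-NNN" in pages.
type fakeClient struct{ total int }

func (f fakeClient) List(filter, sort string, offset, limit int) (Page, error) {
	var p Page
	end := offset + limit
	if end > f.total {
		end = f.total
	}
	for i := offset; i < end; i++ {
		p.Items = append(p.Items, fmt.Sprintf("ind-%03d", i))
	}
	p.Next = end
	if end >= f.total {
		p.Next = -1
	}
	return p, nil
}

func main() {
	cfg := FalconConfig{ClientID: "example-id", ClientSecret: "example-secret", ClientCloud: "us-2"}
	if err := cfg.Validate(); err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Println(cfg) // secret is redacted
	items, err := FetchAll(fakeClient{total: 57}, ExecArgs{Filter: "type:'domain'", Size: 30})
	fmt.Println(len(items), err)
}
```

The two points worth carrying into the real plugin are that the secret never appears in the config's printable form, and that `size` is applied both to the total collected and to each page request, so a small `size` does not trigger a full walk of the endpoint.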
