crowdstrike / gofalcon Goto Github PK

The API client seems to call Cloud.Autodiscover even when HostOverride is set which does a request to POST https://api.crowdstrike.com/oauth2/token and results in this error: Insufficient CrowdStrike privileges, please grant [Falcon Images Download: Read] to CrowdStrike API Key. Error was: [POST /oauth2/token][403]

PR's that do not modify Go code should not trigger workflows like CodeQL etc

When trying to use this Go library, I get the following error.

$ go get github.com/CrowdStrike/gofalcon/falcon
go: downloading github.com/CrowdStrike/gofalcon v0.2.11
go get: github.com/CrowdStrike/[email protected]: parsing go.mod:
        module declares its path as: github.com/crowdstrike/gofalcon
                but was required as: github.com/CrowdStrike/gofalcon

The example script for discover runs into a panic condition when it hits a limit defined within the API endpoint.

Below is sample error

panic: [GET /discover/queries/hosts/v1][400] queryHostsBadRequest  &{Errors:[{Code:400 Message:offset 10000 and limit 100 are invalid; offset + limit must be less than or equal to 10000}] Meta:PoweredBy:discover-api QueryTime:0.007191935 TraceID:b8df171b-9f9f-4b0c-90cd-c8b36280328e}}
[BODY {"errors":[{"code":400,"message":"offset 10000 and limit 100 are invalid; offset + limit must be less than or equal to 10000"}],"meta":{"powered_by":"discover-api","query_time":0.007191935,"trace_id":"b8df171b-9f9f-4b0c-90cd-c8b36280328e"}}]

When using client.RealTimeResponse.RTRGetExtractedFileContents method, I get the following error:

no consumer: "application/x-7z-compressed"

It appears that there are two issues:

1. *rtr.RTRGetExtractedFileContentsOK.Payload is []int64 when it should be []byte
2. customTransport.Consumers["application/x-7z-compressed"] = httpruntime.ByteStreamConsumer() should be added to falcon/api_client.go

I'm not sure the best way to modify the auto-generated code, but I've made the modification to my fork here: clayscode@4bca8f8

After doing that, I'm able to successfully download the file contents.

Hello,

Around a month ago a new feature in our application caused around ~1000 bugs every week. Investigation showed that there was an bug in the API of Crowdstrike. This bug has now finally been resolved, and the updated swagger works: The bug is no longer there. Sadly enough we're still dealing with this bug in our application because this API Client Library is sending the request in an incorrect way. I've cloned this repository, and on main it already works perfectly because the codebase has already been re-generated based on the most recent swagger. So the only thing missing for us is a new release containing the updated code base on the most recent swagger documentation :D

Thanks in advance,

Shari

Hey,

I'm failing to receive certain events on the stream because the detections are coming through a process ID and parent process ID of strings instead of ints

ERROR: json: cannot unmarshal string into Go struct field Event.event.ProcessId of type uint64

Type setting

By the time this occurs the events are already exposed in the error channel

		for fatal == nil {
			select {
			case err := <-stream.Errors:
				if err.Fatal {
					fatal = err.Err
				} else {
                                          // error received here
					fmt.Fprintln(os.Stderr, err)
				}
			case event := <-stream.Events:
				if int(event.Metadata.Offset) >= intStart && int(event.Metadata.Offset) <= intEnd {
					handleEvent(event)
				}
			}
		}

Whenever we receive a detection event we follow up and request more host and detection details anyway - as far as i'm concerned removing the ProcessID and ParentProcessID from the struct is good enough. Although, it's possible the same problem will occur in the detects models...

json: cannot unmarshal object into Go struct field DomainAWSAccountV2.resources.settings of type string

Settings is not a string

Hello!

While invoking the function client.client.RealTimeResponseAdmin.RTRCreateScripts we sometimes get a 403 Forbidden response. The error message we then get is: *real_time_response_admin.RTRCreateScriptsForbidden · [POST /real-time-response/entities/scripts/v1][403] rTRCreateScriptsForbidden &{Errors:[0xc0008a1460] Meta:0xc000628a80} As you can see, having pointers being printed to string isn't really helpful here. At

func (m *MsaAPIError) String() string {
	return fmt.Sprintf("%+v", *m)
}

and if we'd add the following code to the MsaMetaInfo object

func (m *MsaMetaInfo) String() string {
	return fmt.Sprintf("%+v", *m)
}

Then I'd stop seeing pointers and instead see the values in the error messages the library returns. I'd normally open up a pull request myself but on each file on line 1 I see

Update:
Debugging another bug I also find

Currently, there doesn't appear to be a way to provide the gofalcon client a custom User-Agent header. Could this feature be added so that it would make it easier for partners to self-identify which applications are calling CrowdStrike APIs?

Hi, i'd like to retrieve all hosts and their tags. I tried client.Hosts.QueryDevicesByFilter but this only returns the host IDs.
Querying every host separately is very expensive. Is there a method I missed?

When tagging hosts I stumbled upon the following erorr message
response status code does not match any response statuses defined for this endpoint in the swagger spec
alongside a response code 202 for my request to (un)tag hosts.

The tags are correctly updated, but the API responds with an undocumented code 202 instead of the expected 200 which makes the client return an error.

I was also able to reproduce this using the swagger UI provided via docs, see attached screenshot.

IMHO, the easiest fix would be to update the response code of the /devices/entities/devices/tags/v1 to 202 instead of 200 and run the codegenerator.

Is your feature request related to a problem? Please describe.
For customers with MSSP (Master/member) we need to support using master API credentials to lock the token to member CIDs.

Describe the solution you'd like
Either adding a value to the falcon.ApiConfig struct that allows for a MemberCID (the way Oauth2AccessTokenParams already has it) so that you can set the MemberCID right from the beginning, or adding the ability to set this value later on/per request.

Describe alternatives you've considered
Currently our solution is simply creating API keys for every single CID, which is difficult to do in a safe way.

Additional notes
The Oauth2.Oauth2AccessToken function already allows for the creation of this token, but I don't see a way to use the token in a falcon client. If there is a way to do it, some documentation on that would be useful.

There have been large changes to the CrowdStrike API spec. A lot of the changes have been renames for example the spotlight_vulnerabilities package changing to vulnerabilities, or a return type being renamed. Other changes include the removal of depreciated endpoints, new endpoints, and new methods.

Since most of these changes are breaking, we will be releasing a pre-release version of the changes. We wanted to do that to give users of the SDK more time to see the changes while we are going through each endpoint validating they are correct.

The v0.4.0-rc1 release notes have a summary of the diff between the most recent release and v0.4.0-rc1 you can use it to help in the situations where you were using an endpoint that was modified. For example, if you were using an endpoint that returned DetectsapiPatchEntitiesInvestigatablesV2Request you can find that model and see it was changed to DetectsapiPatchEntitiesAlertsV2Request

Based on usage of the SDK most of these changes will not effect current usage.

Hi there!

Is there a way to fetch Cloud Security misconfigurations via this SDK?
I couldn't immediately find a method to do so. Thanks!

The function call client.CustomIoa.QueryRuleGroupsFull() is not working properly.

Workaround: Users are required to use sequence of calling client.CustomIoa.QueryRuleGroupsMixin0 first to get list of IDs and then users need to pass this list of IDs to the callclient.CustomIoa.GetRuleGroupsMixin0 to get list of objects. The workaround can be seen in action at #230.

The purpose of this issue is to fix client.CustomIoa.QueryRuleGroupsFull() and to unable users to run a single call that will get the list of objects directly instead of requiring two API calls.

When we update a script with RTRUpdateScripts we get an error response with status 202 not sure why an error is being thrown with status 202. The script is updated successfully and we see the changes, but we still receive an error with status 202 in the error return value.

Thanks and have a great day.

I'm not sure if I'm using the SDK right, or if there is another bug somewhere further down the chain...

Could you take a look at it?

I'm trying to use this endpoint here.

func main() {
	falconClientId := os.Getenv("FALCON_CLIENT_ID")
	falconClientSecret := os.Getenv("FALCON_CLIENT_SECRET")
	clientCloud := os.Getenv("FALCON_CLOUD")
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     falconClientId,
		ClientSecret: falconClientSecret,
		Cloud:        falcon.Cloud(clientCloud),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	body := models.APIIndicatorCreateReqV1{
		Type:         "domain",
		Action:       "detect",
		Severity:     "medium",
		Description:  "test description",
		Platforms:    []string{"windows", "mac", "linux"},
		Value:        "cstestblock.com",
	}
	bodies := models.APIIndicatorCreateReqsV1{}
	bodies.Indicators = []*models.APIIndicatorCreateReqV1{&body}
	params := ioc.NewIndicatorCreateV1Params()
	params.SetBody(&bodies)

	_, err = client.Ioc.IndicatorCreateV1(params)
	if err != nil {
		panic(err)
	}
}

It will return this error:

panic: response status code does not match any response statuses defined for this endpoint in the swagger spec (status 400): {}

The examples should be updated to use go install

This commit appears to be missing from release v0.2.34 . Is it possible something went wrong in this build that would cause this?

Steps to reproduce:

1. Create new project directory and go.mod
2. Add require github.com/crowdstrike/gofalcon v0.2.34
3. go mod vendor
4. Check the contents of ./vendor/github.com/crowdstrike/gofalcon/falcon/api_streaming.go

FYI @isimluk it seems that for DomainBaseAPIVulnerabilityV2 the Mitigation is always nil?

queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Filter:  "status:'open'",
		},
	)
	if err != nil {
		return nil, errors.Wrap(err, "could not query vulnerabilities")
	}

	if queryResult == nil {
		return nil, errors.New("QueryVulnerabilities result was nil")
	}

	for _, vuln := range queryResult.GetPayload().Resources {
			logrus.WithField("rem", fmt.Sprintf("%+v", vuln.Remediation)).Debug("rem")
	}
}

-> nil, nil, nil, nil, ....

Hi Team, hopefully this is right place to ask, if not, I'd appreciate if you can direct me.

I'm the founder of cloudquery.io, a high performance open source ELT framework.

Our users are interested in a CrowdStrike plugin, but as we cannot maintain all the plugins ourselves, I was curious if this would be an interesting collaboration, where we would help implement an initial source plugin version, and you will help maintain it.

This will give your users the ability to sync their CrowdStrike APIs (alerts, users, devices) to any of their datalakes/data-warehouses/databases easily using any of the growing list of CQ destination plugins.

Best,
Yevgeny

Hi,

We have been getting "json: cannot unmarshal string into Go struct field Event.event.IncidentType of type uint64" errors while reading event data from a falcon stream. The errors repeat indefinitely and cause the stream to be unusable. It looks like the returned json data from the underlying api call has a string type in IncidentType and the string value can not be unmarshalled into unit64 type for Event.IncidentType field package streaming_models. Your help to address this issue is much appreciated.

Kevin

Not sure if an issue with the API endpoint or the Golang library.

Working Example

Notice limit + offset parameter is less than 10k

GET /iocs/combined/indicator/v1?limit=2000&offset=0 HTTP/1.1
Host: api.crowdstrike.com
User-Agent: Go-http-client/1.1
Accept: application/json
Accept-Encoding: gzip


HTTP/2.0 200 OK
Content-Type: application/json
Date: Tue, 10 Aug 2021 21:47:35 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Cs-Region: us-1
X-Cs-Traceid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
X-Ratelimit-Limit: 6000
X-Ratelimit-Remaining: 5999

{
 "meta": {
  "query_time": 0.157897191,
  "pagination": {
   "limit": 2000,
   "total": 10003,
   "offset": 2000,
   "after": "WzE2Mjc0Mjk2MDEwODQsImM0MzM5YTk4NDgwNDc3OWE2NjNlOTU5MzNlZWZiZTg1ZTA0ODQ4ODczMjFiYzQzNWRlOTNjYjcxZDc5NDIyMTQiXQ=="
  },
  "powered_by": "ioc-manager",
  "trace_id":
  ...

NOT Working Example

Notice limit + offset parameter is greater than 10k

GET /iocs/combined/indicator/v1?limit=3&offset=10000 HTTP/1.1
Host: api.crowdstrike.com
User-Agent: Go-http-client/1.1
Accept: application/json
Accept-Encoding: gzip


HTTP/2.0 500 Internal Server Error
Content-Length: 293
Content-Type: application/json
Date: Tue, 10 Aug 2021 21:47:40 GMT
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 6000
X-Ratelimit-Remaining: 5994

{
 "meta": {
  "query_time": 1.27e-7,
  "powered_by": "crowdstrike-api-gateway",
  "trace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
 },
 "errors": [
  {
   "code": 500,
   "message": "Internal Server Error: Please provide trace-id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' to support"
  }
 ]
}

panic: [GET /iocs/combined/indicator/v1][500] indicator.combined.v1 default  &{Errors:[0xc0000b20c0] Meta:0xc0001122a0 Resources:[]}

Test cases

Reproduction Steps

Also, this issue didn't seem to pop up until after I managed to put 10k+ custom IOCs into my Crowdstrike instance; I assume you'll have to do the same to get a similar error.

package main

import (
        "context"
        "errors"
        "fmt"
        "io/ioutil"
        "log"
        "os"
        "regexp"
        "strings"
        "time"

        "github.com/crowdstrike/gofalcon/falcon"
        "github.com/go-openapi/strfmt"

        "github.com/crowdstrike/gofalcon/falcon/client"
        "github.com/crowdstrike/gofalcon/falcon/client/ioc"
        "github.com/crowdstrike/gofalcon/falcon/models"
)

func getCrowdstrikeIOCs(client *client.CrowdStrikeAPISpecification) ([]string, error) {
        iocs := []string{}
        var limit, offset, total int64
        limit = 2000
        offset = 0
        total = 0

        for offset <= total {
                params := ioc.NewIndicatorCombinedV1Params().WithDefaults()
                params.SetOffset(&offset)
                params.SetLimit(&limit)
                res, err := client.Ioc.IndicatorCombinedV1(params)
                if err != nil {
                        // fmt.Println(res.Error())
                        return []string{}, err
                }
                for _, ioc := range res.GetPayload().Resources {
                        iocs = append(iocs, ioc.Value)
                }

                total = *res.GetPayload().Meta.Pagination.Total
                offset += limit
                if (offset + limit) > total {
                        limit = total - offset
                }
        }

        return iocs, nil
}

func main() {
        falconClientId := os.Getenv("FALCON_CLIENT_ID")
        falconClientSecret := os.Getenv("FALCON_CLIENT_SECRET")
        clientCloud := os.Getenv("FALCON_CLOUD")

        client, err := falcon.NewClient(&falcon.ApiConfig{
                ClientId:     falconClientId,
                ClientSecret: falconClientSecret,
                Cloud:        falcon.Cloud(clientCloud),
                Context:      context.Background(),
                Debug:        true,
        })
        if err != nil {
                return err
        }

        _, err := getCrowdstrikeIOCs(client)
        if err != nil {
                panic(err)
        }
}

Thanks!

Hello, I am running into issues with the falcon_sensor_download example:

$ sw_vers
ProductName:	macOS
ProductVersion:	12.2
BuildVersion:	21D49

$ go version
go version go1.17.6 darwin/amd64

$ ./falcon_sensor_download --all
panic: Suspicious file location: Identity Protection DC Sensor/identity_protection_dc_sensor_6.35.19705.BetaBarb.msi

goroutine 1 [running]:
main.download(0xc00021e600, 0xc0004e0000, {0xc00010e0c0, 0x53})
	/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:98 +0x2f9
main.downloadAllSensors(0xc00029fef8)
	/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:217 +0xb0
main.main()
	/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:53 +0x8fb

It looks like the path to sensor downloads has the / in them, and this line is causing the panic:
https://github.com/CrowdStrike/gofalcon/blob/main/examples/falcon_sensor_download/main.go#L97

What do you think about removing the check for a /?

Hi,

It looks like #216 doesn't fix the issue #215. The same error "json: invalid number literal, trying to unmarshal ""DOMAIN_COMPROMISE"" into Number" is still happening. Perhaps the CrowdStrike API could contain "DOMAIN_COMPROMISE" as a value for the Event.IncidentType field and declaring the type of Event.IncidentType as json.Number can't handle non numerical strings like "DOMAIN_COMPROMISE". Your help to address this issue is much appreciated.

Kevin

Using the gofalcon to get containers on the /container-security/combined/containers/v1 endpoint I get the following error:
json: cannot unmarshal string into Go struct field ModelsContainer.resources.first_seen of type int64

This is caused by the fact that the data structure for ModelsContainer defines the FirstSeen and LastSeen fields as int64 and the api has them being strings representing date times.

models.ContainerEntityResponse{ errors [...] meta* msaspec.MetaInfo{ pagination msaspec.Paging{...} powered_by string query_time* number($double) trace_id* string writes msaspec.Writes{...} } resources* [models.Container{ agents* [...] allow_privilege_escalation* boolean cid* string cloud_account_id* string cloud_name* string cloud_region* string cluster_id* string cluster_name* string config_labels* string container_id* string container_name* string created_at* string first_seen* string image_application_package_count* integer($int32) image_assessed_at* integer($int64) image_detection_count* integer($int32) image_digest* string image_has_been_assessed* boolean image_highest_severity_vulnerability* string image_id* string image_package_count* integer($int32) image_registry* string image_repository* string image_tag* string image_vulnerability_count* integer($int32) insecure_mount_source* string insecure_mount_type* string insecure_propagation_mode* boolean interactive_mode* boolean ipv4* string ipv6* string labels* {...} labels_list* [...] last_seen* string namespace* string node_name* string node_uid* string pod_id* string pod_name* string ports* [...] privileged* boolean root_write_access* boolean run_as_root_group* boolean run_as_root_user* boolean running_status* boolean volume_mounts* string }] }

can you please fix this in the go sdk.

Using version v0.6.0 with go version 1.22.1

I am attempting to create an IOC using the ioc.Client.IndicatorCreateV1 method but getting a 400 One or more indicators have a warning or invalid input error

This is the request body I use via cURL/Postman and I get a succesful 200 response (along with the id).

{
    "comment": "Indicator Created by something for domain somedomain.com",
    "indicators": [
        {
            "type": "domain",
            "value": "somedomain.com",
            "applied_globally": true,
            "platforms": ["windows", "mac", "linux"],
            "action": "no_action",
            "tags": ["something"],
            "source": "something",
            "severity": "informational",
            "description": "URL Created by something"
        }
    ]
}

This is the equivalent go code but results in a 400 error. indicatorCreateV1BadRequest &{Errors:[{Code:400 Message:One or more indicators have a warning or invalid input}] Meta:PoweredBy:ioc-manager QueryTime:0.012351665 TraceID:<TRACE>}}

func boolPtr(v bool) *bool {
	return &v
}

const SeverityInformational = "informational"

&ioc.IndicatorCreateV1Params{
		Context: context.Background(), // also removed this with no luck
		Body: &models.APIIndicatorCreateReqsV1{
			Comment: fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
			Indicators: []*models.APIIndicatorCreateReqV1{
				{
					Type:            "domain",
					Value:           "somedomain.com",
					AppliedGlobally: boolPtr(true),
					Platforms:       []string{"windows", "mac", "linux"},
					Description:     fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
					Action:          "no_action",
					Tags:            []string{"something"},
					Source:          "something",
					Severity:        SeverityInformational, //  informational, low, medium, high, and critical
				},
			},
		},
	}

Checking the generated source vs the json above, everything seems to match up(with the only exception being the bool pointer for the applied_globally field but marshalling usually handles that). It doesnt seem to fail validations either and makes it to the API which then returns the error and I can't see any differences between go vs the curl json blob.

Any suggestions?

I am attempting to utilize Intel.GetVulnerabilities() to query a vulnerability by CVE ID and retrieve intelligence on that vulnerability, similar to the example shown in the "Vulnerability Intelligence APIs" documentation, but using gofalcon.

Every request appears to return an unmarshaling error due to the type of DomainVulnerability.resources.cvss_v2_base, as seen in this simple example:

ids := models.MsaIdsRequest{Ids: []string{"CVE-2017-5638"}}
response, err := client.Intel.GetVulnerabilities(&intel.GetVulnerabilitiesParams{
    Context: context.Background(),
    Body:    &ids,
})
if err != nil {
    return nil, err
}

json: cannot unmarshal object into Go struct field DomainVulnerability.resources.cvss_v2_base of type string

I confirmed the same API call using curl returns the expected output:

 "resources": [
  {
   "cve": "CVE-2017-5638",
   ...
   ],
   "cvss_v2_base": {
    "access_vector": "Network",
    "access_complexity": "Low",
    "authentication": "None",
    "confidentiality_impact": "Complete",
    "integrity_impact": "Complete",
    "availability_impact": "Complete",
    "score": 10,
    "severity": "HIGH"
   },
   ...
}

Since cvss_v2_base appears to be a JSON object, I'm wondering if somewhere it's being incorrectly labeled/unmarshaled as a string object.

Interestingly, if I use the latest commit in the repo instead of the published v0.6.0 release, the call is successful, and returns a DomainVulnerability object:

[
    {
        "evaluatedAffectedAssetsCount": null,
        "exploitStatus": null,
        "exprt_rating": null,
        "totalAffectedAssets": null
    }
]

But that doesn't appear to be the desired output I want if I am POST'ing to /intel/entities/vulnerabilities/GET/v1 - According to the API documentation, it should be more like the above output which includes general intelligence on that CVE, not anything about impacted assets.

Perhaps there is a model-mismatch somewhere that is causing issues with Swagger?

Hey.
I've used the host-override in the API definition, in order to support host proxies.
I've wanted to ask regarding it, as I see that the initial auto-discover is always in front of the same hardcoded url, rather then the host override.
I've wanted to ask if there is a way to force it to use the host override for the auto-detect process as well, so it will be possible to support a proxy from a machine with strict firewall rules.

Thanks in advance!
Ido

None of the example show how to do a simple download of the latest snort file or indicator IDs. I'm in the process of converting a Python script to Go and I cannot figure out which methods to use and in what order. We use this script at Corelight to integrate CrowdStrike into our sensors and I'm building this integration directly into our integration utility.

Can someone provide examples or assist in creating them?

What's the correct way to reuse a stream over multiple lifecycles of an app? Do I need to generate a new app id for every run? Can I guarantee that an offset references the same data between app-id's? Meaning, if I were to generate a new unique app id for every run, would the previous run's offset be a useful value for the next run whose app-id is different?

Tracking ticket for adding the swagger of the latest zero-trust-assessment/entities/audit/v1 endpoint.
Thanks!

Hi,

It looks like the fix Allow string and uint values in Event.IncidentType by isimluk · Pull Request #206 · CrowdStrike/gofalcon didn't completely resolve the issue stream error "json: cannot unmarshal string into Go struct field Event.event.IncidentType of type uint64" · Issue #205 · CrowdStrike/gofalcon. The Event.event.IncidentType could be some string literals that can not be unmarshalled into json.Number type. Your help to address this issue is much appreciated.

Kevin

This issue describes inconsistent mapping of model DomainUser. This change happened in 97a9111.

Current structure of DomainUser from endpoint https://api.crowdstrike.com/user-management/entities/users/GET/v1:

Type in code:

Other types of DomainUser like DomainCreateUserRequest contain the old structure:

Expected behavior

In the streaming_models.EventItem model struct returned from gofalcon client, the client should represent optional/missing fields in the REST endpoint response as nil by using a pointer type in the field.

Observed behavior

EventItem treats some fields as always present in the response, when they are actually optional. I am not sure this is a complete list but the following appear to fall under this condition:

• UTCTimestamp
• ProcessStartTime
• ProcessEndTime
• StartTimestamp
• EndTimestamp
• Several fields in nested structs contain a Timestamp

These fields may or may not appear in a response JSON, depending on the type of event returned.

Problem

An application using gofalcon receives the data from the stream.Events channel as an unmarshaled streaming_models.Event (which contains a streaming_models.EventItem). Timestamp fields that are missing are unmarshalled as the default value (0). At that point, it is not possible to tell whether the timestamp field set to 0 was actually present in the REST endpoint response, or whether it was missing.

Proposed Change

The client returned EventItem struct should accurately reflect the contents of the JSON response. This can be achieved by changing the field types to a pointer. E.g.:

type EventItem Struct {
    ...
    UTCTimestamp *uint64 `json:"UTCTimestamp,omitempty"`
    ...

For example, the "RemoteResponseSessionStartEvent" event type does not return a UTCTimestamp in the JSON response so having this field set to nil in that case would more accurately reflect the API response.

https://github.com/CrowdStrike/gofalcon/tree/main/examples/falcon_host_details

week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d)
falcon_host_details --filter="product_type_desc:'Pod'+last_seen:>='${week_ago}'" \
    | jq -r 'map({(.device_id): {"agent_version": .agent_version, "cloud": .service_provider, "pod_name": .pod_name}}) | add'

The week_ago variable command argument is not working.

─$ week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d)
date: invalid option -- 'j'
Try 'date --help' for more information.

When using the RTRDeleteQueueSession I'm sending the cloudID and i'm getting an error stating the following the Received response status code does not match any response statuses defined for this endpoint in the swagger spec (status 200): {}.

I sometimes get an error stating that it can't find the queued session although the RTRListQueuedSessions provides me with the necessary information.

The SDK is trying to unmarshal a uint64 value into an int64 struct property.

json: cannot unmarshal number 12977666641747678918 into Go struct field DomainAPIEvaluationLogicItemV1.resources.apps.evaluation_logic.logic.id of type int64

This error comes up when we call the client.SpotlightVulnerabilities.CombinedQueryVulnerabilities function.

I believe the culprit is models.DomainBaseAPIVulnerabilityV2.Apps.EvaluationLogic.Logic[*].ID

I'm trying to create a session so I can do an ipcofig on the devices. But when I add the device id and send in my request I get an error stating client.RealTimeResponse.RTRInitSession Receiving an error response status code does not match any response statuses defined for this endpoint in the swagger spec (status 404): {} . I don't know how to resolve this issue. Any assistance would be greatly appreciated.

var initSession real_time_response.RTRInitSessionParams
var initSessionBody models.DomainInitRequest
initSessionBody.DeviceID = &pDeviceId

initSession.Body = &initSessionBody
     initSession.Context = ctx

session, sessionError := client.RealTimeResponse.RTRInitSession(&initSession)

Hi,
Any chance of a start offstart specifier for the event streams api please? or guidance on how to set.
https://github.com/CrowdStrike/gofalcon/tree/main/falcon/client/event_streams
:)

A panic can occur on this line if the StreamingHandle Close() method is called: https://github.com/CrowdStrike/gofalcon/blob/main/falcon/api_streaming.go#L122

The Errors channel is closed here: https://github.com/CrowdStrike/gofalcon/blob/main/falcon/api_streaming.go#L138

There is a race condition between the Errors channel close on line 138 and the write to the Errors channel on line 122. The block in 122 needs to ensure that the Errors channel is writeable before writing to it.

Impact:

• The client causes a panic

Hi there,

is there any plan on supporting management of suppression rules via API?
I think not being able to create or update suppression rules is really lacking the otherwise really good crowstrike API.

Best regards,
Marko

Would be nice to be able to fetch the mitigations for Spotlight vulnerabilities.

How do you configure gofalcon to use a proxy or honor the proxy environment variables?

I am attempting to put a file on windows host.
First I upload a file to the the Cloud
then I use the cd command to cd to path I want to put the file
then I use the put command to put the file on the host
The file is uploaded to the host but it puts in on the c drive no the specified directory
When i do the same action on a Mac system it puts the file in the specified directory without a problem.

Hi,

I'm looking into fetching all image assessment related vulnerabilities using the Go SDK, version v0.6.0.

I noticed that there is no After argument in CombinedImageVulnerabilitySummaryParams, which means there is no way to pass a pagination token. *queryResult.GetPayload().Meta.Pagination.LastPage() also does not exist, so i'm curious how one is supposed to do pagination (akin to Spotlight)l with this? Thanks!

Example code:

func (cs *CrowdStrike) GetImageVulnerabilities(ctx context.Context) ([]ImageVulnerability, error) {
	round := 0
	paginationToken := ""
	for {
		// Query vulnerabilities from Falcon
		cs.logger.WithField("round", round).Debug("fetching image vulnerabilities")

		queryResult, err := cs.client.ContainerImages.CombinedImageVulnerabilitySummary(
			&container_images.CombinedImageVulnerabilitySummaryParams{
				Cid:        "",
				Registry:   "",
				Repository: "",
				Tag:        "",
				Context:    ctx,
				// ??
			},
		)
		if err != nil {
			return nil, fmt.Errorf("could not query image vulnerabilities: %v\n", err)
		}

		cs.logger.WithField("total", len(queryResult.GetPayload().Resources)).Debug("vulns returned")

		// Process each vulnerability
		for _, vuln := range queryResult.GetPayload().Resources {
			// TODO
		}

		// Stop pagination if we reached the end
		paginationToken = *queryResult.GetPayload().Meta.Pagination.LastPage() // ??
		if paginationToken == "" {
			break
		}
	}
}

We recently encountered the following JSON unmarshal error while streaming EDR events using gofalcon.

json: cannot unmarshal number into Go struct field Event.event.IncidentType of type string"

Going by what we can get from the Falcon web api/interface the incident type we received was 1, but the (EventItem struct)[https://github.com/CrowdStrike/gofalcon/blob/302c29018eb1bfa0ea2dca53d746ae54c66f84af/falcon/models/streaming_models/models.go#L72] defines the field as *string. Also the the domain incident struct defines it as int64. So i suspect the streaming EvenItem struct should *be modified so that IncidentType is either:

• int64
• or *IntOrString

depending on if a string incident type is actually possible.