crowdstrike / gofalcon
Golang-based SDK to CrowdStrike's APIs
License: MIT License
The API client seems to call Cloud.Autodiscover even when HostOverride is set which does a request to POST https://api.crowdstrike.com/oauth2/token and results in this error: Insufficient CrowdStrike privileges, please grant [Falcon Images Download: Read] to CrowdStrike API Key. Error was: [POST /oauth2/token][403]
PRs that do not modify Go code should not trigger workflows like CodeQL etc
When trying to use this Go library, I get the following error.
$ go get github.com/CrowdStrike/gofalcon/falcon
go: downloading github.com/CrowdStrike/gofalcon v0.2.11
go get: github.com/CrowdStrike/gofalcon@v0.2.11: parsing go.mod:
module declares its path as: github.com/crowdstrike/gofalcon
but was required as: github.com/CrowdStrike/gofalcon
The example script for discover runs into a panic condition when it hits a limit defined within the API endpoint.
Below is a sample error:
panic: [GET /discover/queries/hosts/v1][400] queryHostsBadRequest &{Errors:[{Code:400 Message:offset 10000 and limit 100 are invalid; offset + limit must be less than or equal to 10000}] Meta:PoweredBy:discover-api QueryTime:0.007191935 TraceID:b8df171b-9f9f-4b0c-90cd-c8b36280328e}}
[BODY {"errors":[{"code":400,"message":"offset 10000 and limit 100 are invalid; offset + limit must be less than or equal to 10000"}],"meta":{"powered_by":"discover-api","query_time":0.007191935,"trace_id":"b8df171b-9f9f-4b0c-90cd-c8b36280328e"}}]
When using client.RealTimeResponse.RTRGetExtractedFileContents
method, I get the following error:
no consumer: "application/x-7z-compressed"
It appears that there are two issues:
*rtr.RTRGetExtractedFileContentsOK.Payload is []int64 when it should be []byte
customTransport.Consumers["application/x-7z-compressed"] = httpruntime.ByteStreamConsumer() should be added to falcon/api_client.go
I'm not sure the best way to modify the auto-generated code, but I've made the modification to my fork here: clayscode@4bca8f8
After doing that, I'm able to successfully download the file contents.
Hello,
Around a month ago a new feature in our application caused around ~1000 bugs every week. Investigation showed that there was a bug in the API of Crowdstrike. This bug has now finally been resolved, and the updated swagger works: The bug is no longer there. Sadly enough we're still dealing with this bug in our application because this API Client Library is sending the request in an incorrect way. I've cloned this repository, and on main it already works perfectly because the codebase has already been re-generated based on the most recent swagger. So the only thing missing for us is a new release containing the updated code base on the most recent swagger documentation :D
Thanks in advance,
Shari
Hey,
I'm failing to receive certain events on the stream because the detections are coming through with a process ID and parent process ID as strings instead of ints
ERROR: json: cannot unmarshal string into Go struct field Event.event.ProcessId of type uint64
By the time this occurs the events are already exposed in the error channel
	for fatal == nil {
		select {
		case err := <-stream.Errors:
			if err.Fatal {
				fatal = err.Err
			} else {
				// error received here
				fmt.Fprintln(os.Stderr, err)
			}
		case event := <-stream.Events:
			if int(event.Metadata.Offset) >= intStart && int(event.Metadata.Offset) <= intEnd {
				handleEvent(event)
			}
		}
	}
Whenever we receive a detection event we follow up and request more host and detection details anyway - as far as I'm concerned removing the ProcessID and ParentProcessID from the struct is good enough. Although, it's possible the same problem will occur in the detects models...
json: cannot unmarshal object into Go struct field DomainAWSAccountV2.resources.settings of type string
Settings is not a string
Hello!
While invoking the function client.client.RealTimeResponseAdmin.RTRCreateScripts we sometimes get a 403 Forbidden response. The error message we then get is: *real_time_response_admin.RTRCreateScriptsForbidden · [POST /real-time-response/entities/scripts/v1][403] rTRCreateScriptsForbidden &{Errors:[0xc0008a1460] Meta:0xc000628a80}
As you can see, having pointers being printed to string isn't really helpful here. At o.Payload, which refers to the field Payload in RTRCreateScriptsForbidden (gofalcon/falcon/models/msa_reply_meta_only.go, lines 21 to 29 in 7614b9d), Errors is an array of pointers to MsaAPIError and Meta is a pointer to MsaMetaInfo. If we'd add the following code to the MsaAPIError object
func (m *MsaAPIError) String() string {
	return fmt.Sprintf("%+v", *m)
}
and if we'd add the following code to the MsaMetaInfo object
func (m *MsaMetaInfo) String() string {
	return fmt.Sprintf("%+v", *m)
}
Then I'd stop seeing pointers and instead see the values in the error messages the library returns. I'd normally open up a pull request myself but on each file on line 1 I see
So that's why I now open up an issue instead :P
Update:
Debugging another bug I also find
gofalcon/falcon/models/domain_device_details_response_swagger.go
Lines 21 to 34 in 7614b9d
[GET /devices/entities/devices/v1][400] GetDeviceDetails default &{Errors:[0xc00086f060] Meta:0xc0008d7dd0 Resources:[]}
function call. Luckily the suggested solution would also work here, since the models are reused. I do however notice the new field called Resources. Currently I'm not running into pointers here yet because the list is empty, but because Resources is also an array of pointers, I'd again end up with an array of printed pointers if I had any resources. The solution here again would be to overwrite the String method of the pointer of the DomainDeviceSwagger model, as we did with the other two already.
Currently, there doesn't appear to be a way to provide the gofalcon client a custom User-Agent header. Could this feature be added so that it would make it easier for partners to self-identify which applications are calling CrowdStrike APIs?
Hi, I'd like to retrieve all hosts and their tags. I tried client.Hosts.QueryDevicesByFilter but this only returns the host IDs.
Querying every host separately is very expensive. Is there a method I missed?
When tagging hosts I stumbled upon the following error message
response status code does not match any response statuses defined for this endpoint in the swagger spec
alongside a response code 202 for my request to (un)tag hosts.
The tags are correctly updated, but the API responds with an undocumented code 202 instead of the expected 200, which makes the client return an error.
I was also able to reproduce this using the swagger UI provided via docs, see attached screenshot.
IMHO, the easiest fix would be to update the response code of the /devices/entities/devices/tags/v1 to 202 instead of 200 and run the code generator.
Is your feature request related to a problem? Please describe.
For customers with MSSP (Master/member) we need to support using master API credentials to lock the token to member CIDs.
Describe the solution you'd like
Either adding a value to the falcon.ApiConfig struct that allows for a MemberCID (the way Oauth2AccessTokenParams already has it) so that you can set the MemberCID right from the beginning, or adding the ability to set this value later on/per request.
Describe alternatives you've considered
Currently our solution is simply creating API keys for every single CID, which is difficult to do in a safe way.
Additional notes
The Oauth2.Oauth2AccessToken function already allows for the creation of this token, but I don't see a way to use the token in a falcon client. If there is a way to do it, some documentation on that would be useful.
There have been large changes to the CrowdStrike API spec. A lot of the changes have been renames, for example the spotlight_vulnerabilities package changing to vulnerabilities, or a return type being renamed. Other changes include the removal of deprecated endpoints, new endpoints, and new methods.
Since most of these changes are breaking, we will be releasing a pre-release version of the changes. We wanted to do that to give users of the SDK more time to see the changes while we are going through each endpoint validating they are correct.
The v0.4.0-rc1 release notes have a summary of the diff between the most recent release and v0.4.0-rc1; you can use it to help in the situations where you were using an endpoint that was modified. For example, if you were using an endpoint that returned DetectsapiPatchEntitiesInvestigatablesV2Request you can find that model and see it was changed to DetectsapiPatchEntitiesAlertsV2Request.
Based on usage of the SDK most of these changes will not affect current usage.
Hi there!
Is there a way to fetch Cloud Security misconfigurations via this SDK?
I couldn't immediately find a method to do so. Thanks!
The function call client.CustomIoa.QueryRuleGroupsFull() is not working properly.
Workaround: Users are required to call client.CustomIoa.QueryRuleGroupsMixin0 first to get the list of IDs and then pass this list of IDs to the call client.CustomIoa.GetRuleGroupsMixin0 to get the list of objects. The workaround can be seen in action at #230.
The purpose of this issue is to fix client.CustomIoa.QueryRuleGroupsFull() and to enable users to run a single call that will get the list of objects directly instead of requiring two API calls.
When we update a script with RTRUpdateScripts we get an error response with status 202; not sure why an error is being thrown with status 202. The script is updated successfully and we see the changes, but we still receive an error with status 202 in the error return value.
Thanks and have a great day.
I'm not sure if I'm using the SDK right, or if there is another bug somewhere further down the chain...
Could you take a look at it?
I'm trying to use this endpoint here.
package main

import (
	"context"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/ioc"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	falconClientId := os.Getenv("FALCON_CLIENT_ID")
	falconClientSecret := os.Getenv("FALCON_CLIENT_SECRET")
	clientCloud := os.Getenv("FALCON_CLOUD")
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     falconClientId,
		ClientSecret: falconClientSecret,
		Cloud:        falcon.Cloud(clientCloud),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}
	// A single domain indicator with the "detect" action on all three platforms.
	body := models.APIIndicatorCreateReqV1{
		Type:        "domain",
		Action:      "detect",
		Severity:    "medium",
		Description: "test description",
		Platforms:   []string{"windows", "mac", "linux"},
		Value:       "cstestblock.com",
	}
	bodies := models.APIIndicatorCreateReqsV1{}
	bodies.Indicators = []*models.APIIndicatorCreateReqV1{&body}
	params := ioc.NewIndicatorCreateV1Params()
	params.SetBody(&bodies)
	_, err = client.Ioc.IndicatorCreateV1(params)
	if err != nil {
		panic(err)
	}
}
It will return this error:
panic: response status code does not match any response statuses defined for this endpoint in the swagger spec (status 400): {}
The examples should be updated to use go install
This commit appears to be missing from release v0.2.34 . Is it possible something went wrong in this build that would cause this?
Steps to reproduce:
require github.com/crowdstrike/gofalcon v0.2.34
go mod vendor
./vendor/github.com/crowdstrike/gofalcon/falcon/api_streaming.go
FYI @isimluk it seems that for DomainBaseAPIVulnerabilityV2 the Mitigation is always nil?
	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Filter: "status:'open'",
		},
	)
	if err != nil {
		return nil, errors.Wrap(err, "could not query vulnerabilities")
	}
	if queryResult == nil {
		return nil, errors.New("QueryVulnerabilities result was nil")
	}
	for _, vuln := range queryResult.GetPayload().Resources {
		logrus.WithField("rem", fmt.Sprintf("%+v", vuln.Remediation)).Debug("rem")
	}
}
-> nil, nil, nil, nil, ....
Hi Team, hopefully this is right place to ask, if not, I'd appreciate if you can direct me.
I'm the founder of cloudquery.io, a high performance open source ELT framework.
Our users are interested in a CrowdStrike plugin, but as we cannot maintain all the plugins ourselves, I was curious if this would be an interesting collaboration, where we would help implement an initial source plugin version, and you will help maintain it.
This will give your users the ability to sync their CrowdStrike APIs (alerts, users, devices) to any of their datalakes/data-warehouses/databases easily using any of the growing list of CQ destination plugins.
Best,
Yevgeny
Hi,
We have been getting "json: cannot unmarshal string into Go struct field Event.event.IncidentType of type uint64" errors while reading event data from a falcon stream. The errors repeat indefinitely and cause the stream to be unusable. It looks like the returned json data from the underlying api call has a string type in IncidentType and the string value can not be unmarshalled into uint64 type for Event.IncidentType field package streaming_models. Your help to address this issue is much appreciated.
Kevin
Not sure if an issue with the API endpoint or the Golang library.
Notice limit + offset parameter is less than 10k
GET /iocs/combined/indicator/v1?limit=2000&offset=0 HTTP/1.1
Host: api.crowdstrike.com
User-Agent: Go-http-client/1.1
Accept: application/json
Accept-Encoding: gzip
HTTP/2.0 200 OK
Content-Type: application/json
Date: Tue, 10 Aug 2021 21:47:35 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Cs-Region: us-1
X-Cs-Traceid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
X-Ratelimit-Limit: 6000
X-Ratelimit-Remaining: 5999
{
"meta": {
"query_time": 0.157897191,
"pagination": {
"limit": 2000,
"total": 10003,
"offset": 2000,
"after": "WzE2Mjc0Mjk2MDEwODQsImM0MzM5YTk4NDgwNDc3OWE2NjNlOTU5MzNlZWZiZTg1ZTA0ODQ4ODczMjFiYzQzNWRlOTNjYjcxZDc5NDIyMTQiXQ=="
},
"powered_by": "ioc-manager",
"trace_id":
...
Notice limit + offset parameter is greater than 10k
GET /iocs/combined/indicator/v1?limit=3&offset=10000 HTTP/1.1
Host: api.crowdstrike.com
User-Agent: Go-http-client/1.1
Accept: application/json
Accept-Encoding: gzip
HTTP/2.0 500 Internal Server Error
Content-Length: 293
Content-Type: application/json
Date: Tue, 10 Aug 2021 21:47:40 GMT
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 6000
X-Ratelimit-Remaining: 5994
{
"meta": {
"query_time": 1.27e-7,
"powered_by": "crowdstrike-api-gateway",
"trace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
},
"errors": [
{
"code": 500,
"message": "Internal Server Error: Please provide trace-id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' to support"
}
]
}
panic: [GET /iocs/combined/indicator/v1][500] indicator.combined.v1 default &{Errors:[0xc0000b20c0] Meta:0xc0001122a0 Resources:[]}
Parameters | Status
---|---
offset=6000&limit=2000 | 200 OK
offset=9999&limit=1 | 200 OK
offset=9999&limit=2 | 500 Internal Server Error
offset=10000&limit=1 | 500 Internal Server Error
offset=10000&limit=n+1 | 500 Internal Server Error
Also, this issue didn't seem to pop up until after I managed to put 10k+ custom IOCs into my Crowdstrike instance; I assume you'll have to do the same to get a similar error.
package main

import (
	"context"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client"
	"github.com/crowdstrike/gofalcon/falcon/client/ioc"
)

// getCrowdstrikeIOCs pages through /iocs/combined/indicator/v1 with offset/limit
// and returns every indicator value it sees.
func getCrowdstrikeIOCs(client *client.CrowdStrikeAPISpecification) ([]string, error) {
	iocs := []string{}
	var limit, offset, total int64
	limit = 2000
	offset = 0
	total = 0
	for offset <= total {
		params := ioc.NewIndicatorCombinedV1Params().WithDefaults()
		params.SetOffset(&offset)
		params.SetLimit(&limit)
		res, err := client.Ioc.IndicatorCombinedV1(params)
		if err != nil {
			// fmt.Println(res.Error())
			return []string{}, err
		}
		for _, ioc := range res.GetPayload().Resources {
			iocs = append(iocs, ioc.Value)
		}
		total = *res.GetPayload().Meta.Pagination.Total
		offset += limit
		// Shrink the last window so that offset+limit does not overshoot total.
		if (offset + limit) > total {
			limit = total - offset
		}
	}
	return iocs, nil
}

func main() {
	falconClientId := os.Getenv("FALCON_CLIENT_ID")
	falconClientSecret := os.Getenv("FALCON_CLIENT_SECRET")
	clientCloud := os.Getenv("FALCON_CLOUD")
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     falconClientId,
		ClientSecret: falconClientSecret,
		Cloud:        falcon.Cloud(clientCloud),
		Context:      context.Background(),
		Debug:        true,
	})
	if err != nil {
		panic(err) // main has no error return value
	}
	_, err = getCrowdstrikeIOCs(client)
	if err != nil {
		panic(err)
	}
}
Thanks!
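The captures and the table above show the server failing as soon as offset+limit crosses 10000 (a 400 from discover, a 500 from the IOC endpoint). As an added example, not code from the reporter or from gofalcon, here is a paging loop that never crosses that line and reports when a collection is larger than offset paging can reach; `page`, `fetchFunc` and `fakeAPI` are constructed stand-ins for the SDK call and the API, and past that point the `after` cursor in the first capture's pagination block, not a larger offset, is the way forward.

```go
package main

import (
	"errors"
	"fmt"
)

// maxWindow is the bound the API states in the discover error above:
// offset + limit must be less than or equal to 10000.
const maxWindow int64 = 10000

// ErrBeyondWindow is returned when records remain that offset paging cannot reach.
var ErrBeyondWindow = errors.New("pagination: offset+limit would exceed the 10000 window")

// page is the subset of a response this example needs: the values on the page
// and the total the server reports in meta.pagination.total (both constructed).
type page struct {
	Values []string
	Total  int64
}

// fetchFunc stands in for an SDK call such as client.Ioc.IndicatorCombinedV1.
type fetchFunc func(offset, limit int64) (page, error)

// collectAll walks the collection in pageSize steps, shrinking the last window so
// offset+limit never exceeds maxWindow. If the collection is larger than the window
// it returns everything reachable together with ErrBeyondWindow rather than
// provoking the 400/500 the server answers to an oversized request.
func collectAll(fetch fetchFunc, pageSize int64) ([]string, error) {
	if pageSize <= 0 {
		return nil, errors.New("pagination: pageSize must be positive")
	}
	var out []string
	var offset int64
	for {
		limit := pageSize
		if offset+limit > maxWindow {
			limit = maxWindow - offset // clamp instead of overshooting
		}
		if limit <= 0 {
			return out, ErrBeyondWindow // already at the edge, more data remains
		}
		p, err := fetch(offset, limit)
		if err != nil {
			return out, err
		}
		out = append(out, p.Values...)
		offset += int64(len(p.Values))
		if len(p.Values) == 0 || offset >= p.Total {
			return out, nil // reached the end of the collection
		}
	}
}

// fakeAPI models the behaviour in the captures above over a constructed
// collection of n indicators: requests with offset+limit > maxWindow fail,
// everything else returns the requested slice. It also records each request.
func fakeAPI(n int64) (fetchFunc, *[]string) {
	calls := []string{}
	fetch := func(offset, limit int64) (page, error) {
		calls = append(calls, fmt.Sprintf("offset=%d&limit=%d", offset, limit))
		if offset+limit > maxWindow {
			return page{}, errors.New("500 Internal Server Error")
		}
		var vals []string
		for i := offset; i < n && i < offset+limit; i++ {
			vals = append(vals, fmt.Sprintf("ioc-%d", i))
		}
		return page{Values: vals, Total: n}, nil
	}
	return fetch, &calls
}

func main() {
	fetch, calls := fakeAPI(10003) // same total as the first capture
	got, err := collectAll(fetch, 2000)
	fmt.Printf("collected %d of 10003, err=%v, requests=%v\n", len(got), err, *calls)
}
```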
Hello, I am running into issues with the falcon_sensor_download example:
$ sw_vers
ProductName: macOS
ProductVersion: 12.2
BuildVersion: 21D49
$ go version
go version go1.17.6 darwin/amd64
$ ./falcon_sensor_download --all
panic: Suspicious file location: Identity Protection DC Sensor/identity_protection_dc_sensor_6.35.19705.BetaBarb.msi
goroutine 1 [running]:
main.download(0xc00021e600, 0xc0004e0000, {0xc00010e0c0, 0x53})
/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:98 +0x2f9
main.downloadAllSensors(0xc00029fef8)
/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:217 +0xb0
main.main()
/Users/hulk/src/gofalcon/examples/falcon_sensor_download/main.go:53 +0x8fb
It looks like the path to sensor downloads has the / in them, and this line is causing the panic: https://github.com/CrowdStrike/gofalcon/blob/main/examples/falcon_sensor_download/main.go#L97
What do you think about removing the check for a /?
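The check the stack trace hits rejects any / in the remote file name, which also rejects the legitimate "Identity Protection DC Sensor/..." sub-directory. An added example, not the SDK example's own code: a narrower check that admits relative sub-paths but still refuses the names a download routine must never write (absolute paths, .. segments, drive or UNC prefixes); `safeLocalPath` and `ErrSuspiciousPath` are this example's names and the inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrSuspiciousPath mirrors the wording of the panic in the trace above.
var ErrSuspiciousPath = errors.New("suspicious file location")

// safeLocalPath maps a file name reported by the API onto a path below baseDir.
// Sub-directories such as "Identity Protection DC Sensor/x.msi" are allowed;
// anything that could escape baseDir is refused before any file is created.
func safeLocalPath(baseDir, remoteName string) (string, error) {
	if remoteName == "" || strings.ContainsRune(remoteName, 0) {
		return "", ErrSuspiciousPath
	}
	// Treat backslashes as separators too, so "..\x" is not one segment on Unix.
	name := strings.ReplaceAll(remoteName, `\`, "/")
	// Absolute paths, UNC prefixes ("//server/share") and drive letters ("C:")
	// never belong in a sensor file name.
	if strings.HasPrefix(name, "/") || strings.Contains(name, ":") {
		return "", ErrSuspiciousPath
	}
	for _, seg := range strings.Split(name, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrSuspiciousPath // empty ("a//b", "a/"), "." or ".." segment
		}
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, filepath.FromSlash(name))
	// Defence in depth: the joined result must still resolve below baseDir.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrSuspiciousPath
	}
	return full, nil
}

func main() {
	// Constructed names: the one from the report plus a few that must be refused.
	for _, n := range []string{
		"Identity Protection DC Sensor/identity_protection_dc_sensor_6.35.19705.BetaBarb.msi",
		"falcon-sensor.rpm",
		"../outside.msi",
		"/tmp/outside.msi",
		"sub/../../outside.msi",
		`C:\outside.msi`,
	} {
		p, err := safeLocalPath("/var/tmp/sensors", n)
		fmt.Printf("%q -> %q %v\n", n, p, err)
	}
}
```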
Hi,
It looks like #216 doesn't fix the issue #215. The same error "json: invalid number literal, trying to unmarshal ""DOMAIN_COMPROMISE"" into Number" is still happening. Perhaps the CrowdStrike API could contain "DOMAIN_COMPROMISE" as a value for the Event.IncidentType field and declaring the type of Event.IncidentType as json.Number can't handle non numerical strings like "DOMAIN_COMPROMISE". Your help to address this issue is much appreciated.
Kevin
Using the gofalcon to get containers on the /container-security/combined/containers/v1 endpoint I get the following error:
json: cannot unmarshal string into Go struct field ModelsContainer.resources.first_seen of type int64
This is caused by the fact that the data structure for ModelsContainer defines the FirstSeen and LastSeen fields as int64 and the api has them being strings representing date times.
models.ContainerEntityResponse{ errors [...] meta* msaspec.MetaInfo{ pagination msaspec.Paging{...} powered_by string query_time* number($double) trace_id* string writes msaspec.Writes{...} } resources* [models.Container{ agents* [...] allow_privilege_escalation* boolean cid* string cloud_account_id* string cloud_name* string cloud_region* string cluster_id* string cluster_name* string config_labels* string container_id* string container_name* string created_at* string first_seen* string image_application_package_count* integer($int32) image_assessed_at* integer($int64) image_detection_count* integer($int32) image_digest* string image_has_been_assessed* boolean image_highest_severity_vulnerability* string image_id* string image_package_count* integer($int32) image_registry* string image_repository* string image_tag* string image_vulnerability_count* integer($int32) insecure_mount_source* string insecure_mount_type* string insecure_propagation_mode* boolean interactive_mode* boolean ipv4* string ipv6* string labels* {...} labels_list* [...] last_seen* string namespace* string node_name* string node_uid* string pod_id* string pod_name* string ports* [...] privileged* boolean root_write_access* boolean run_as_root_group* boolean run_as_root_user* boolean running_status* boolean volume_mounts* string }] }
can you please fix this in the go sdk.
Using version v0.6.0 with go version 1.22.1
I am attempting to create an IOC using the ioc.Client.IndicatorCreateV1 method but getting a 400 One or more indicators have a warning or invalid input error.
This is the request body I use via cURL/Postman and I get a successful 200 response (along with the id).
{
"comment": "Indicator Created by something for domain somedomain.com",
"indicators": [
{
"type": "domain",
"value": "somedomain.com",
"applied_globally": true,
"platforms": ["windows", "mac", "linux"],
"action": "no_action",
"tags": ["something"],
"source": "something",
"severity": "informational",
"description": "URL Created by something"
}
]
}
This is the equivalent go code but results in a 400 error. indicatorCreateV1BadRequest &{Errors:[{Code:400 Message:One or more indicators have a warning or invalid input}] Meta:PoweredBy:ioc-manager QueryTime:0.012351665 TraceID:<TRACE>}}
func boolPtr(v bool) *bool {
	return &v
}

const SeverityInformational = "informational"

&ioc.IndicatorCreateV1Params{
	Context: context.Background(), // also removed this with no luck
	Body: &models.APIIndicatorCreateReqsV1{
		Comment: fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
		Indicators: []*models.APIIndicatorCreateReqV1{
			{
				Type:            "domain",
				Value:           "somedomain.com",
				AppliedGlobally: boolPtr(true),
				Platforms:       []string{"windows", "mac", "linux"},
				Description:     fmt.Sprintf("Indicator Created by something for domain %s", "somedomain.com"),
				Action:          "no_action",
				Tags:            []string{"something"},
				Source:          "something",
				Severity:        SeverityInformational, // informational, low, medium, high, and critical
			},
		},
	},
}
Checking the generated source vs the json above, everything seems to match up (with the only exception being the bool pointer for the applied_globally field but marshalling usually handles that). It doesn't seem to fail validations either and makes it to the API which then returns the error and I can't see any differences between go vs the curl json blob.
Any suggestions?
I am attempting to utilize Intel.GetVulnerabilities() to query a vulnerability by CVE ID and retrieve intelligence on that vulnerability, similar to the example shown in the "Vulnerability Intelligence APIs" documentation, but using gofalcon.
Every request appears to return an unmarshaling error due to the type of DomainVulnerability.resources.cvss_v2_base, as seen in this simple example:
	ids := models.MsaIdsRequest{Ids: []string{"CVE-2017-5638"}}
	response, err := client.Intel.GetVulnerabilities(&intel.GetVulnerabilitiesParams{
		Context: context.Background(),
		Body:    &ids,
	})
	if err != nil {
		return nil, err
	}
json: cannot unmarshal object into Go struct field DomainVulnerability.resources.cvss_v2_base of type string
I confirmed the same API call using curl returns the expected output:
"resources": [
    {
        "cve": "CVE-2017-5638",
        ...
    ],
    "cvss_v2_base": {
        "access_vector": "Network",
        "access_complexity": "Low",
        "authentication": "None",
        "confidentiality_impact": "Complete",
        "integrity_impact": "Complete",
        "availability_impact": "Complete",
        "score": 10,
        "severity": "HIGH"
    },
    ...
}
Since cvss_v2_base appears to be a JSON object, I'm wondering if somewhere it's being incorrectly labeled/unmarshaled as a string object.
Interestingly, if I use the latest commit in the repo instead of the published v0.6.0 release, the call is successful, and returns a DomainVulnerability object:
[
{
"evaluatedAffectedAssetsCount": null,
"exploitStatus": null,
"exprt_rating": null,
"totalAffectedAssets": null
}
]
But that doesn't appear to be the desired output I want if I am POST'ing to /intel/entities/vulnerabilities/GET/v1. According to the API documentation, it should be more like the above output which includes general intelligence on that CVE, not anything about impacted assets.
Perhaps there is a model-mismatch somewhere that is causing issues with Swagger?
Hey.
I've used the host-override in the API definition, in order to support host proxies.
I've wanted to ask regarding it, as I see that the initial auto-discover is always in front of the same hardcoded url, rather than the host override.
I've wanted to ask if there is a way to force it to use the host override for the auto-detect process as well, so it will be possible to support a proxy from a machine with strict firewall rules.
Thanks in advance!
Ido
None of the example show how to do a simple download of the latest snort file or indicator IDs. I'm in the process of converting a Python script to Go and I cannot figure out which methods to use and in what order. We use this script at Corelight to integrate CrowdStrike into our sensors and I'm building this integration directly into our integration utility.
Can someone provide examples or assist in creating them?
gofalcon/examples/falcon_event_stream/main.go, lines 61 to 85 in aba6170
What's the correct way to reuse a stream over multiple lifecycles of an app? Do I need to generate a new app id for every run? Can I guarantee that an offset references the same data between app-id's? Meaning, if I were to generate a new unique app id for every run, would the previous run's offset be a useful value for the next run whose app-id is different?
Tracking ticket for adding the swagger of the latest zero-trust-assessment/entities/audit/v1 endpoint.
Thanks!
Hi,
It looks like the fix Allow string and uint values in Event.IncidentType by isimluk · Pull Request #206 · CrowdStrike/gofalcon didn't completely resolve the issue stream error "json: cannot unmarshal string into Go struct field Event.event.IncidentType of type uint64" · Issue #205 · CrowdStrike/gofalcon. The Event.event.IncidentType could be some string literals that can not be unmarshalled into json.Number type. Your help to address this issue is much appreciated.
Kevin
This issue describes inconsistent mapping of model DomainUser. This change happened in 97a9111.
DomainUser from endpoint https://api.crowdstrike.com/user-management/entities/users/GET/v1: gofalcon/falcon/models/domain_user.go, lines 18 to 34 in 48f6999
Other types of DomainUser like DomainCreateUserRequest contain the old structure: gofalcon/falcon/models/domain_create_user_request.go, lines 18 to 34 in 48f6999
In the streaming_models.EventItem model struct returned from the gofalcon client, the client should represent optional/missing fields in the REST endpoint response as nil by using a pointer type in the field.
EventItem treats some fields as always present in the response, when they are actually optional. I am not sure this is a complete list but the following appear to fall under this condition:
UTCTimestamp
ProcessStartTime
ProcessEndTime
StartTimestamp
EndTimestamp
Timestamp
These fields may or may not appear in a response JSON, depending on the type of event returned.
An application using gofalcon receives the data from the stream.Events channel as an unmarshaled streaming_models.Event (which contains a streaming_models.EventItem). Timestamp fields that are missing are unmarshalled as the default value (0). At that point, it is not possible to tell whether the timestamp field set to 0 was actually present in the REST endpoint response, or whether it was missing.
The client returned EventItem struct should accurately reflect the contents of the JSON response. This can be achieved by changing the field types to a pointer. E.g.:
type EventItem struct {
	...
	UTCTimestamp *uint64 `json:"UTCTimestamp,omitempty"`
	...
For example, the "RemoteResponseSessionStartEvent" event type does not return a UTCTimestamp in the JSON response so having this field set to nil in that case would more accurately reflect the API response.
https://github.com/CrowdStrike/gofalcon/tree/main/examples/falcon_host_details
week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d)
falcon_host_details --filter="product_type_desc:'Pod'+last_seen:>='${week_ago}'" \
| jq -r 'map({(.device_id): {"agent_version": .agent_version, "cloud": .service_provider, "pod_name": .pod_name}}) | add'
The week_ago variable command argument is not working.
$ week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d)
date: invalid option -- 'j'
Try 'date --help' for more information.
When using the RTRDeleteQueueSession I'm sending the cloudID and I'm getting an error stating the following: Received response status code does not match any response statuses defined for this endpoint in the swagger spec (status 200): {}.
I sometimes get an error stating that it can't find the queued session although the RTRListQueuedSessions provides me with the necessary information.
The SDK is trying to unmarshal a uint64 value into an int64 struct property.
json: cannot unmarshal number 12977666641747678918 into Go struct field DomainAPIEvaluationLogicItemV1.resources.apps.evaluation_logic.logic.id of type int64
This error comes up when we call the client.SpotlightVulnerabilities.CombinedQueryVulnerabilities function.
I believe the culprit is models.DomainBaseAPIVulnerabilityV2.Apps.EvaluationLogic.Logic[*].ID
I'm trying to create a session so I can do an ipconfig on the devices. But when I add the device id and send in my request I get an error stating client.RealTimeResponse.RTRInitSession Receiving an error response status code does not match any response statuses defined for this endpoint in the swagger spec (status 404): {} . I don't know how to resolve this issue. Any assistance would be greatly appreciated.
var initSession real_time_response.RTRInitSessionParams
var initSessionBody models.DomainInitRequest
initSessionBody.DeviceID = &pDeviceId
initSession.Body = &initSessionBody
initSession.Context = ctx
session, sessionError := client.RealTimeResponse.RTRInitSession(&initSession)
Hi,
Any chance of a start offset specifier for the event streams api please? or guidance on how to set it.
https://github.com/CrowdStrike/gofalcon/tree/main/falcon/client/event_streams
:)
A panic can occur on this line if the StreamingHandle Close() method is called: https://github.com/CrowdStrike/gofalcon/blob/main/falcon/api_streaming.go#L122
The Errors channel is closed here: https://github.com/CrowdStrike/gofalcon/blob/main/falcon/api_streaming.go#L138
There is a race condition between the Errors channel close on line 138 and the write to the Errors channel on line 122. The block in 122 needs to ensure that the Errors channel is writeable before writing to it.
Impact:
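The race described above (a close on one goroutine, a send on another, both on the same Errors channel) goes away when the channel's owner gates every send behind the same lock that Close takes before closing. The following is an added example of that pattern, not gofalcon's api_streaming.go; `errSink`, `StreamError` and `hammer` are this example's names, and the producers in `hammer` are constructed stand-ins for the stream reader.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// StreamError is the shape consumers range over in the snippets above.
type StreamError struct {
	Err   error
	Fatal bool
}

// errSink owns Errors. Every send holds the read side of mu and Close takes the
// write side before closing the channel, so a send can never observe a closed
// channel (which would panic). done lets a sender blocked on a full buffer give up.
type errSink struct {
	Errors chan StreamError
	done   chan struct{}
	mu     sync.RWMutex
	closed bool
	once   sync.Once
}

func newErrSink(buf int) *errSink {
	return &errSink{Errors: make(chan StreamError, buf), done: make(chan struct{})}
}

// send delivers e unless the sink is closed; it reports whether e was accepted.
func (s *errSink) send(e StreamError) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.closed {
		return false
	}
	select {
	case s.Errors <- e:
		return true
	case <-s.done: // Close is in progress; drop rather than block forever
		return false
	}
}

// Close is idempotent. Order matters: close done first so blocked senders release
// their read locks, then take the write lock, which waits for in-flight sends.
func (s *errSink) Close() {
	s.once.Do(func() {
		close(s.done)
		s.mu.Lock()
		s.closed = true
		close(s.Errors)
		s.mu.Unlock()
	})
}

// hammer runs n producers that each report k errors while Close races them, and a
// consumer that drains Errors until it is closed. It returns how many sends were
// accepted, how many were refused, and how many the consumer actually received.
func hammer(n, k int) (accepted, refused, drained int64) {
	s := newErrSink(4)
	var wg sync.WaitGroup
	for p := 0; p < n; p++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < k; i++ {
				if s.send(StreamError{Err: fmt.Errorf("producer %d: error %d", id, i)}) {
					atomic.AddInt64(&accepted, 1)
				} else {
					atomic.AddInt64(&refused, 1)
				}
			}
		}(p)
	}
	consumerDone := make(chan struct{})
	go func() {
		defer close(consumerDone)
		for range s.Errors { // ends only when Errors is closed and empty
			atomic.AddInt64(&drained, 1)
		}
	}()
	time.Sleep(2 * time.Millisecond) // let the close overlap with live sends
	s.Close()
	wg.Wait()
	<-consumerDone
	return atomic.LoadInt64(&accepted), atomic.LoadInt64(&refused), atomic.LoadInt64(&drained)
}

func main() {
	a, r, d := hammer(8, 1000)
	fmt.Printf("accepted=%d refused=%d drained=%d (no panic)\n", a, r, d)
}
```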
Hi there,
is there any plan on supporting management of suppression rules via API?
I think not being able to create or update suppression rules is really lacking the otherwise really good CrowdStrike API.
Best regards,
Marko
Would be nice to be able to fetch the mitigations for Spotlight vulnerabilities.
How do you configure gofalcon to use a proxy or honor the proxy environment variables?
I am attempting to put a file on windows host.
First I upload a file to the Cloud
then I use the cd command to cd to the path where I want to put the file
then I use the put command to put the file on the host
The file is uploaded to the host but it puts it on the C drive, not the specified directory
When I do the same action on a Mac system it puts the file in the specified directory without a problem.
Hi,
I'm looking into fetching all image assessment related vulnerabilities using the Go SDK, version v0.6.0.
I noticed that there is no After argument in CombinedImageVulnerabilitySummaryParams, which means there is no way to pass a pagination token. *queryResult.GetPayload().Meta.Pagination.LastPage() also does not exist, so I'm curious how one is supposed to do pagination (akin to Spotlight) with this? Thanks!
Example code:
func (cs *CrowdStrike) GetImageVulnerabilities(ctx context.Context) ([]ImageVulnerability, error) {
	round := 0
	paginationToken := ""
	for {
		// Query vulnerabilities from Falcon
		cs.logger.WithField("round", round).Debug("fetching image vulnerabilities")
		queryResult, err := cs.client.ContainerImages.CombinedImageVulnerabilitySummary(
			&container_images.CombinedImageVulnerabilitySummaryParams{
				Cid:        "",
				Registry:   "",
				Repository: "",
				Tag:        "",
				Context:    ctx,
				// ??
			},
		)
		if err != nil {
			return nil, fmt.Errorf("could not query image vulnerabilities: %v\n", err)
		}
		cs.logger.WithField("total", len(queryResult.GetPayload().Resources)).Debug("vulns returned")
		// Process each vulnerability
		for _, vuln := range queryResult.GetPayload().Resources {
			// TODO
		}
		// Stop pagination if we reached the end
		paginationToken = *queryResult.GetPayload().Meta.Pagination.LastPage() // ??
		if paginationToken == "" {
			break
		}
	}
}
We recently encountered the following JSON unmarshal error while streaming EDR events using gofalcon.
json: cannot unmarshal number into Go struct field Event.event.IncidentType of type string
Going by what we can get from the Falcon web API/interface the incident type we received was 1, but the EventItem struct (https://github.com/CrowdStrike/gofalcon/blob/302c29018eb1bfa0ea2dca53d746ae54c66f84af/falcon/models/streaming_models/models.go#L72) defines the field as *string. Also the domain incident struct defines it as int64. So I suspect the streaming EventItem struct should be modified so that IncidentType is either:
int64
*IntOrString
depending on if a string incident type is actually possible.
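The IncidentType reports above (a number, a numeric string, or a label such as "DOMAIN_COMPROMISE") and the earlier optional-timestamp report come down to the same two Go techniques: a custom UnmarshalJSON that accepts more than one JSON shape, and pointer fields so an absent key stays nil rather than becoming 0. An added example, not gofalcon's streaming_models; `IncidentType`, `Event`, `parseEvent` and `roundTrip` are this example's names and `sampleEvents` are constructed bodies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// IncidentType holds an incident type that the stream may send as a JSON number,
// a numeric string or a bare label. IsNum says which of Number/Label is meaningful.
type IncidentType struct {
	Number int64
	Label  string
	IsNum  bool
}

// UnmarshalJSON accepts 1, "1" and "DOMAIN_COMPROMISE"; anything else
// (true, an object, 1.5) is reported instead of silently becoming zero.
func (t *IncidentType) UnmarshalJSON(b []byte) error {
	var n int64
	if err := json.Unmarshal(b, &n); err == nil {
		t.Number, t.Label, t.IsNum = n, "", true
		return nil
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("IncidentType: want number or string, got %s", b)
	}
	if n, err := strconv.ParseInt(s, 10, 64); err == nil {
		t.Number, t.Label, t.IsNum = n, "", true
		return nil
	}
	t.Number, t.Label, t.IsNum = 0, s, false
	return nil
}

// MarshalJSON writes the value back in the shape it arrived in.
func (t IncidentType) MarshalJSON() ([]byte, error) {
	if t.IsNum {
		return json.Marshal(t.Number)
	}
	return json.Marshal(t.Label)
}

// Event carries the fields the reports above name. Every one is a pointer: a key
// that is absent from the JSON stays nil, so 0 can no longer be mistaken for
// "not sent" (e.g. RemoteResponseSessionStartEvent carries no UTCTimestamp).
type Event struct {
	UTCTimestamp     *uint64       `json:"UTCTimestamp,omitempty"`
	ProcessStartTime *uint64       `json:"ProcessStartTime,omitempty"`
	ProcessEndTime   *uint64       `json:"ProcessEndTime,omitempty"`
	IncidentType     *IncidentType `json:"IncidentType,omitempty"`
}

// parseEvent decodes one stream event body.
func parseEvent(raw string) (Event, error) {
	var e Event
	if err := json.Unmarshal([]byte(raw), &e); err != nil {
		return Event{}, err
	}
	return e, nil
}

// roundTrip parses raw and encodes it again; nil fields are omitted on the way
// out, so the result shows exactly which keys the event actually carried.
func roundTrip(raw string) (string, error) {
	e, err := parseEvent(raw)
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(e)
	return string(out), err
}

// sampleEvents are constructed bodies covering the shapes seen in the reports.
var sampleEvents = []string{
	`{"UTCTimestamp": 1700000000, "IncidentType": 1}`,
	`{"UTCTimestamp": 1700000001, "IncidentType": "1"}`,
	`{"IncidentType": "DOMAIN_COMPROMISE"}`,
	`{"ProcessStartTime": 1700000002}`,
	`{"IncidentType": true}`,
}

func main() {
	for _, raw := range sampleEvents {
		out, err := roundTrip(raw)
		if err != nil {
			fmt.Printf("%s -> error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%s -> %s\n", raw, out)
	}
}
```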