crowdstrike.falcon.eventstream

An ansible-rulebook event source plugin for generating events from the Falcon Event Stream API.

Synopsis

  • This event source can be used to automate responses to events generated by the CrowdStrike Falcon platform.

Requirements

  • Python 3.6+
  • Python requirements are listed in requirements.txt
  • Ensure the following API scopes are enabled:
    • Event Streams: [read]

Parameters

| Parameter | Type | Comments |
|---|---|---|
| `falcon_client_id` | string / required | CrowdStrike OAuth Client ID |
| `falcon_client_secret` | string / required | CrowdStrike OAuth Client Secret |
| `falcon_cloud` | string / required | CrowdStrike Cloud Region. Choices: `us-1`, `us-2`, `eu-1`, `us-gov-1`. Default: `us-1` |
| `stream_name` | string | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Default: `eda` |
| `include_event_types` | list | List of event types to include; if unset, all event types are included. Refer to the Streaming API Event Dictionary. Default: None |
| `exclude_event_types` | list | List of event types to exclude. Refer to the Streaming API Event Dictionary. Default: None |
| `offset` | int | Specifies where in the event stream you want to begin processing. This is useful if you have a mechanism to track the latest offset processed. Mutually exclusive with `latest`. Default: None |
| `latest` | bool | Start the stream from the latest event. By default, if `offset` is not set, the stream starts from the beginning of all events. Mutually exclusive with `offset`. Default: false |
| `delay` | float | Delay to introduce between emitting consecutive events. Default: 0 |

Example Rulebook

```yaml
---
- name: Simple Falcon Event Stream Usage Example
  hosts: all
  sources:
    - crowdstrike.falcon.eventstream:
        falcon_client_id: "{{ FALCON_CLIENT_ID }}"
        falcon_client_secret: "{{ FALCON_CLIENT_SECRET }}"
        falcon_cloud: "us-2"
        # start stream from specified offset
        offset: 12345
        stream_name: "eda-example"
        include_event_types:
          - "DetectionSummaryEvent"

  rules:
    - name: Print High and Critical Severity Detection Events
      condition: event.falcon.event.Severity > 3
      action:
        debug:
```
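To make the parameter semantics and the rulebook condition concrete, the following is an added example that models them in plain Python; it is not the plugin's own code. It runs the documented `offset`/`latest` positioning and `include_event_types`/`exclude_event_types` filtering over a constructed batch of stream records, then applies the `Severity > 3` rule condition the way the rulebook above does. The record shape (a `metadata` block with `offset` and `eventType`, wrapped under a `falcon` key for the rule) is inferred from the condition `event.falcon.event.Severity`, and the details of an inclusive offset and include-before-exclude ordering are assumptions, not documented behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what the Falcon Event Stream delivers. Offsets, event
# types and Severity values are made up for this example.
SAMPLE_STREAM = [
    {"metadata": {"offset": 12344, "eventType": "UserActivityAuditEvent"},
     "event": {"OperationName": "userLogin"}},
    {"metadata": {"offset": 12345, "eventType": "DetectionSummaryEvent"},
     "event": {"Severity": 2, "DetectName": "low severity sample"}},
    {"metadata": {"offset": 12346, "eventType": "DetectionSummaryEvent"},
     "event": {"Severity": 4, "DetectName": "high severity sample"}},
    {"metadata": {"offset": 12347, "eventType": "AuthActivityAuditEvent"},
     "event": {"OperationName": "createAPIClient"}},
    {"metadata": {"offset": 12348, "eventType": "DetectionSummaryEvent"},
     "event": {"Severity": 5, "DetectName": "critical severity sample"}},
]


@dataclass
class StreamArgs:
    """The plugin parameters this example models; names match the table above."""
    include_event_types: Optional[List[str]] = None
    exclude_event_types: Optional[List[str]] = None
    offset: Optional[int] = None
    latest: bool = False
    stream_name: str = "eda"


def validate_args(args: StreamArgs) -> None:
    """Reject the parameter combinations the documentation rules out."""
    if args.offset is not None and args.latest:
        raise ValueError("'offset' and 'latest' are mutually exclusive")
    if not 1 <= len(args.stream_name) <= 32:
        raise ValueError("'stream_name' must be at most 32 characters")


def args_are_valid(args: StreamArgs) -> bool:
    """Boolean wrapper around validate_args, convenient for checks."""
    try:
        validate_args(args)
        return True
    except ValueError:
        return False


def select_events(stream: List[dict], args: StreamArgs) -> List[dict]:
    """Position in the stream, then apply the event-type filters.

    Assumptions (not stated by the plugin docs): an explicit offset is
    inclusive, 'latest' means the newest record present at connect time, and
    the include list is applied before the exclude list.
    """
    validate_args(args)
    if args.latest:
        start = max(r["metadata"]["offset"] for r in stream)
    elif args.offset is not None:
        start = args.offset
    else:
        start = 0  # documented default: replay from the beginning
    selected = []
    for record in stream:
        meta = record["metadata"]
        if meta["offset"] < start:
            continue
        etype = meta["eventType"]
        if args.include_event_types and etype not in args.include_event_types:
            continue
        if args.exclude_event_types and etype in args.exclude_event_types:
            continue
        selected.append(record)
    return selected


def to_eda_event(record: dict) -> dict:
    """Wrap a record so the rule can address it as event.falcon.event.Severity
    (shape inferred from the rulebook condition; an assumption)."""
    return {"falcon": record}


def high_severity(events: List[dict], threshold: int = 3) -> List[dict]:
    """Python equivalent of the condition 'event.falcon.event.Severity > 3'.
    Records with no Severity field (non-detection events) never match."""
    return [e for e in events if e["falcon"]["event"].get("Severity", 0) > threshold]


def offsets(records: List[dict]) -> List[int]:
    """Summarise a list of raw stream records by their offsets."""
    return [r["metadata"]["offset"] for r in records]


def run_rulebook_example(stream: List[dict]) -> List[int]:
    """Reproduce the example rulebook: offset 12345, DetectionSummaryEvent only,
    then the Severity > 3 rule. Returns offsets of the records that fire it."""
    args = StreamArgs(offset=12345, include_event_types=["DetectionSummaryEvent"],
                      stream_name="eda-example")
    events = [to_eda_event(r) for r in select_events(stream, args)]
    return [e["falcon"]["metadata"]["offset"] for e in high_severity(events)]


if __name__ == "__main__":
    print("rule fires for offsets:", run_rulebook_example(SAMPLE_STREAM))
```

Note how the offset 12345 record is selected by the source but does not fire the rule (Severity 2), while the audit events never reach the rule at all because `include_event_types` drops them at the source; persisting the last offset you processed and passing it back as `offset` is what lets a restarted rulebook resume without replaying the whole stream.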

Authors

  • Carlos Matos (@carlosmmatos)
  • Frank Falor (@ffalor)