cloudquery · cqgaurav · Dec 9, 2022 · Nov 28, 2022 · Nov 28, 2022 · Nov 28, 2022
@@ -4,6 +4,8 @@ azure:
   - plugins/source/azure/**/*
 cloudflare:
   - plugins/source/cloudflare/**/*
+crowdstrike:
+  - plugins/source/crowdstrike/**/*
 digitalocean:
   - plugins/source/digitalocean/**/*
 datadog:

@@ -136,11 +136,12 @@ Datadog
 nvm
 npm
 Gandi
+CrowdStrike
+crowdstrike
 parallelization
 hyperscale
 goroutines
 arn
-arns
 ARN
 ARNs
 SCP

@@ -0,0 +1,106 @@
+name: Source Plugin CrowdStrike Workflow
+
+on:
+  pull_request:
+    paths:
+      - "plugins/source/crowdstrike/**"
+      - ".github/workflows/source_crowdstrike.yml"
+  push:
+    branches:
+      - main
+    paths:
+      - "plugins/source/crowdstrike/**"
+      - ".github/workflows/source_crowdstrike.yml"
+
+jobs:
+  resolve-runner:
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    outputs:
+      runner: ${{ steps.resolve.outputs.runner }}
+    steps:
+      - name: Check if should use large runner
+        id: large-runner
+        # We want to speed runs on the main branch which prime the cache
+        # We allow large runners only in this case to prevent forks from abusing them (it's enforced via runner groups access rules)
+        # IF YOU WANT TO USE A LARGE RUNNER YOU NEED TO ADD THE WORKFLOW TO THE `CloudQuery releases` GROUP IN https://github.com/organizations/cloudquery/settings/actions/runner-groups
+        if: github.event_name == 'push'
+        run: |
+          echo "runner=cloudquery-release-runner" >> $GITHUB_OUTPUT
+      - name: Resolve runner
+        id: resolve
+        run: |
+          RUNNER=${{ steps.large-runner.outputs.runner }}
+          echo "runner=${RUNNER:-"ubuntu-latest"}" >> $GITHUB_OUTPUT
+  plugins-source-crowdstrike:
+    timeout-minutes: 30
+    name: "plugins/source/crowdstrike"
+    needs: [resolve-runner]
+    runs-on: ${{ needs.resolve-runner.outputs.runner }}
+    defaults:
+      run:
+        working-directory: ./plugins/source/crowdstrike
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: plugins/source/crowdstrike/go.mod
+          cache: true
+          cache-dependency-path: plugins/source/crowdstrike/go.sum
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.50.1
+          working-directory: plugins/source/crowdstrike
+          args: "--config ../../.golangci.yml"
+      - name: Get dependencies
+        run: go get -t -d ./...
+      - name: Build
+        run: go build .
+      - name: Test
+        run: make test
+      - name: gen
+        if: github.event_name == 'pull_request'
+        run: make gen
+      - name: Fail if generation updated files
+        if: github.event_name == 'pull_request'
+        run: test "$(git status -s | wc -l)" -eq 0
+  validate-release:
+    timeout-minutes: 30
+    needs: [resolve-runner]
+    runs-on: ${{ needs.resolve-runner.outputs.runner }}
+    env:
+      CGO_ENABLED: 0
+    steps:
+      - name: Checkout
+        if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'
+        uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.19.3-release-cache-${{ hashFiles('plugins/source/crowdstrike/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.19.3-release-cache-plugins-source-crowdstrike
+      - name: Set up Go
+        if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: plugins/source/crowdstrike/go.mod
+      - name: Install GoReleaser
+        if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          install-only: true
+      - name: Run GoReleaser Dry-Run
+        if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'
+        run: goreleaser release --snapshot --rm-dist --skip-validate --skip-publish --skip-sign -f ./plugins/source/crowdstrike/.goreleaser.yaml
+        env:
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
@@ -43,6 +43,7 @@ jobs:
                            "plugins/source/aws",
                            "plugins/source/azure",
                            "plugins/source/cloudflare",
+                           "plugins/source/crowdstrike",
                            "plugins/source/digitalocean",
                            "plugins/source/datadog",
                            "plugins/source/gandi",

@@ -0,0 +1,14 @@
+variables:
+  component: source/crowdstrike
+  binary: crowdstrike
+
+project_name: plugins/source/crowdstrike
+
+monorepo:
+  tag_prefix: plugins-source-crowdstrike-
+  dir: plugins/source/crowdstrike
+
+includes:
+  - from_file:
+      # Relative to the directory Go Releaser is run from (which is the root of the repository)
+      path: ./plugins/.goreleaser.yaml
@@ -0,0 +1,38 @@
+# Generate mocks for mock/unit testing 
+.PHONY: gen-mocks
+gen-mocks:
+	go generate ./client/...
+
+# Test unit
+.PHONY: test
+test:
+	go test -timeout 3m ./...
+
+# Install tools
+.PHONY: install-tools
+install-tools:
+	@echo Installing tools from tools/tool.go
+	@cat tools/tool.go | grep _ | awk -F'"' '{print $$2}' | xargs -tI % go install %
+
+# Install pre-commit hooks. This requires pre-commit to be installed (https://pre-commit.com/)
+.PHONY: install-hooks
+install-hooks:
+	pre-commit install
+
+.PHONY: gen-docs
+gen-docs:
+	rm -rf ./docs/tables/*
+	go run main.go doc ./docs/tables
+
+.PHONY: lint
+lint:
+	golangci-lint run --config ../../.golangci.yml 
+
+.PHONY: gen-code
+gen-code:
+	grep -rl '// Code generated by codegen; DO NOT EDIT.' resources/services/* | xargs rm
+	go run codegen/main.go
+
+# All gen targets
+.PHONY: gen
+gen: gen-code gen-docs
@@ -0,0 +1,38 @@
+# CrowdStrike Plugin
+
+This plugin pulls information from CrowdStrike and loads it into any supported CloudQuery destination (e.g. PostgreSQL).
+
+## Links
+
+- [Tables](./docs/tables/README.md)
+
+## Authentication
+
+In order to fetch information from CrowdStrike, `cloudquery` needs to be authenticated. A client id and secret is required for authentication. Follow [these steps](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) to set these up. Note that you will also need to enlist the client to have the appropriate scope for what you want to query.
+
+## Configuration
+
+To configure CloudQuery to extract from CrowdStrike, create a `.yml` file in your CloudQuery configuration directory.
+For example, the following configuration will extract information from CrowdStrike, and connect it to a `postgresql` destination plugin
+
+```yml
+kind: source
+spec:
+  # Source spec section
+  name: crowdstrike
+  path: cloudquery/crowdstrike
+  version: "0.0.1" # latest version of crowdstrike plugin
+  tables: ["*"]
+  destinations: ["postgresql"]
+  spec:
+    client_id: <CLIENT_ID>
+    client_secret: <CLIENT_SECRET>
+```
+
+## Example
+
+You can reduce alert fatigue by narrowing alerts down from CrowdStrike using fuzzy matching.
+
+```sql
+select * from crowdstrike_alerts_query where resources like ('%filter_here%');
+```
@@ -0,0 +1,72 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/cloudquery/plugin-sdk/schema"
+	"github.com/cloudquery/plugin-sdk/specs"
+	"github.com/crowdstrike/gofalcon/falcon"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+)
+
+type Client struct {
+	logger   zerolog.Logger
+	spec     specs.Source
+	Services Services
+}
+
+type Services struct {
+	Incidents Incidents
+	Alerts    Alerts
+}
+
+func (*Client) Logger() *zerolog.Logger {
+	return &log.Logger
+}
+
+func (c *Client) ID() string {
+	return c.spec.Name
+}
+
+func New(ctx context.Context, logger zerolog.Logger, s specs.Source) (schema.ClientMeta, error) {
+	crowdStrikeSpec := &Spec{}
+	if err := s.UnmarshalSpec(&crowdStrikeSpec); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal CrowdStrike spec: %w", err)
+	}
+	clientId, ok := os.LookupEnv("FALCON_CLIENT_ID")
+	if !ok {
+		if crowdStrikeSpec.ClientID == "" {
+			return nil, errors.New("missing FALCON_CLIENT_ID, either set it as an environment variable or pass it in the configuration")
+		}
+		clientId = crowdStrikeSpec.ClientID
+	}
+
+	secret, ok := os.LookupEnv("FALCON_CLIENT_SECRET")
+	if !ok {
+		if crowdStrikeSpec.ClientID == "" {
+			return nil, errors.New("missing FALCON_CLIENT_SECRET, either set it as an environment variable or pass it in the configuration")
+		}
+		secret = crowdStrikeSpec.ClientSecret
+	}
+
+	c, err := falcon.NewClient(&falcon.ApiConfig{
+		ClientId:     clientId,
+		ClientSecret: secret,
+		Context:      ctx,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &Client{
+		logger: logger,
+		Services: Services{
+			Incidents: c.Incidents,
+			Alerts:    c.Alerts,
+		},
+		spec: s,
+	}, nil
+}