An ansible-rulebook event source plugin for generating events from the Falcon Event Stream API.

- This event source can be used to automate responses to events generated by the CrowdStrike Falcon platform.

Requirements:

- Python 3.6+
- Python requirements are listed in requirements.txt
- Ensure the following API scopes are enabled on the API client:
  - Event Streams: [read]
Parameter | Comments |
---|---|
`falcon_client_id` (string, required) | CrowdStrike OAuth2 API client ID. |
`falcon_client_secret` (string, required) | CrowdStrike OAuth2 API client secret. Treat it like a password: supply it from the environment or a vault, not from the rulebook file. |
`falcon_cloud` (string, required) | CrowdStrike cloud region. Choices: `us-1`, `us-2`, `eu-1`, `us-gov-1`. Default: `us-1`. |
`stream_name` (string) | Label that identifies your connection. Max 32 alphanumeric characters (a-z, A-Z, 0-9). Default: `eda`. |
`include_event_types` (list) | Event types to include. When unset, all event types are included. Refer to the Streaming API Event Dictionary for the type names. Default: none. |
`exclude_event_types` (list) | Event types to exclude. Refer to the Streaming API Event Dictionary for the type names. Default: none. |
`offset` (int) | Stream offset to start from, for resuming after a restart instead of replaying from the beginning. Default: `0`. |
`delay` (float) | Delay, in seconds, between each emitted event. Default: `0`. |
```yaml
---
- name: Simple Falcon Event Stream Usage Example
  hosts: all
  sources:
    - crowdstrike.falcon.eventstream:
        # Credentials are injected as variables (for example via --env-vars);
        # never hardcode the client secret in the rulebook.
        falcon_client_id: "{{ FALCON_CLIENT_ID }}"
        falcon_client_secret: "{{ FALCON_CLIENT_SECRET }}"
        falcon_cloud: "us-2"
        # offset: 12345            # resume from a previously seen stream offset
        stream_name: "eda-example"
        include_event_types:
          - "DetectionSummaryEvent"
  rules:
    - name: Print High and Critical Severity Detection Events
      # Severity > 3 selects High and Critical detections.
      condition: event.falcon.event.Severity > 3
      action:
        debug:   # with no arguments, debug prints the matching event
```
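To make the parameter table and the rulebook condition concrete, the following is an added example (not the plugin's own code) that emulates offline how `include_event_types`, `exclude_event_types` and `offset` narrow the stream, and how the condition `event.falcon.event.Severity > 3` is evaluated against each delivered event. The sample events are constructed to resemble the Streaming API envelope (`metadata.eventType`, `metadata.offset`, and a per-type `event` body); their values are illustrative. Two things are assumptions rather than facts from this page: that the source hands the rulebook each raw stream event wrapped as `{"falcon": <raw event>}` (which is what makes the condition path resolve), and that `offset` skips events with a lower offset. The `valid_stream_name` check applies the documented constraint literally; note that, read that way, it rejects the `"eda-example"` used above because of the hyphen, so confirm what the API actually accepts before choosing a label with punctuation.

```python
"""Offline emulation of the eventstream source's event selection and of the
rulebook condition from the example above. Added example, not plugin code.

ASSUMPTIONS (not stated on the page): the source wraps each raw stream event
as {"falcon": <raw>}, and `offset` skips events whose offset is lower than
the requested one.
"""
import re
from typing import Any, Dict, Iterable, Iterator, List, Optional

Event = Dict[str, Any]

# Constructed sample stream; offsets increase monotonically as in the real API.
SAMPLE_STREAM: List[Event] = [
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 100},
     "event": {"Severity": 2, "SeverityName": "Low", "ComputerName": "host-a"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 101},
     "event": {"OperationName": "createUser", "UserId": "analyst@example.com"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 102},
     "event": {"Severity": 4, "SeverityName": "High", "ComputerName": "host-b"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 103},
     "event": {"Severity": 5, "SeverityName": "Critical", "ComputerName": "host-c"}},
    {"metadata": {"eventType": "IncidentSummaryEvent", "offset": 104},
     "event": {"FineScore": 70}},
]

# stream_name: max 32 alphanumeric characters (a-z, A-Z, 0-9), per the parameter table.
STREAM_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def valid_stream_name(name: str) -> bool:
    """True when the label satisfies the documented stream_name constraint."""
    return bool(STREAM_NAME_RE.match(name))


def select_events(stream: Iterable[Event],
                  include_event_types: Optional[List[str]] = None,
                  exclude_event_types: Optional[List[str]] = None,
                  offset: int = 0) -> Iterator[Event]:
    """Apply the source's include/exclude/offset parameters to raw stream events.

    include_event_types, when given, acts as an allow-list; exclude_event_types
    is always applied, so a type named in both lists is dropped.
    """
    include = set(include_event_types or [])
    exclude = set(exclude_event_types or [])
    for raw in stream:
        meta = raw["metadata"]
        if meta["offset"] < offset:           # ASSUMED offset semantics
            continue
        event_type = meta["eventType"]
        if include and event_type not in include:
            continue
        if event_type in exclude:
            continue
        yield raw


def to_rulebook_event(raw: Event) -> Event:
    """ASSUMED wrapping: the rulebook sees {"falcon": <raw stream event>}."""
    return {"falcon": raw}


def severity_above(event: Event, threshold: int = 3) -> bool:
    """Equivalent of the rulebook condition `event.falcon.event.Severity > 3`.

    Audit and incident events carry no Severity; they must not fire the rule,
    so a missing or non-integer value yields False instead of raising.
    """
    severity = event.get("falcon", {}).get("event", {}).get("Severity")
    return isinstance(severity, int) and severity > threshold


def fired_offsets(stream: Iterable[Event], **source_params: Any) -> List[int]:
    """Offsets of the events that would reach the rule's action."""
    return [
        ev["falcon"]["metadata"]["offset"]
        for ev in map(to_rulebook_event, select_events(stream, **source_params))
        if severity_above(ev)
    ]


if __name__ == "__main__":
    # Mirrors the example rulebook: only DetectionSummaryEvent, severity > 3.
    print(fired_offsets(SAMPLE_STREAM, include_event_types=["DetectionSummaryEvent"]))
```

Because only `DetectionSummaryEvent` carries `Severity`, the rule fires for the same two events (offsets 102 and 103) whether or not `include_event_types` is set; the filter still matters operationally, since it stops every audit and incident event from being pulled over the stream and run through the rule engine. Passing `offset=103` yields only the Critical detection, which is the behaviour to rely on when resuming after a restart.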
Authors:

- Carlos Matos (@carlosmmatos)
- Frank Falor (@ffalor)