Event Driven Ansible
An ansible-rulebook event source plugin for generating events from the Falcon Event Stream API.
Synopsis
- This event source can be used to automate responses to events generated by the CrowdStrike Falcon platform.
Requirements
- Python 3.6+
- Python requirements are listed in requirements.txt
- Ensure the following API scopes are enabled:
  - Event Streams: [read]
Parameters
| Parameter | Comments |
|---|---|
| falcon_client_id (string, required) | CrowdStrike OAuth Client ID |
| falcon_client_secret (string, required) | CrowdStrike OAuth Client Secret |
| falcon_cloud (string, required) | CrowdStrike Cloud Region. Choices: us-1, us-2, eu-1, us-gov-1. Default: us-1 |
| stream_name (string) | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Default: eda |
| include_event_types (list) | List of event types to include. Otherwise all event types are included. Refer to the Streaming API Event Dictionary. Default: None. |
| exclude_event_types (list) | List of event types to exclude. Refer to the Streaming API Event Dictionary. Default: None. |
| offset (int) | Specifies where in the event stream you want to begin processing. This is useful if you have a mechanism to track the latest offset processed. This option is mutually exclusive with latest. Default: None. |
| latest (bool) | Start the stream from the latest event. By default, if offset is not set, the stream will start from the beginning of all events. This option is mutually exclusive with offset. Default: false. |
| delay (float) | Introduce a delay between each event. Default: 0. |
Example Rulebook
```yaml
---
- name: Simple Falcon Event Stream Usage Example
  hosts: all
  sources:
    - crowdstrike.falcon.eventstream:
        falcon_client_id: "{{ FALCON_CLIENT_ID }}"
        falcon_client_secret: "{{ FALCON_CLIENT_SECRET }}"
        falcon_cloud: "us-2"
        # start stream from specified offset
        offset: 12345
        stream_name: "eda-example"
        include_event_types:
          - "DetectionSummaryEvent"

  rules:
    - name: Print High and Critical Severity Detection Events
      condition: event.falcon.event.Severity > 3
      action:
        debug:
```
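As an added example (not the collection's own code), the following Python mirrors the documented parameter constraints and filtering semantics on a few constructed stream events: it validates a source configuration (cloud choice, stream_name format, offset/latest exclusivity), applies offset and include/exclude_event_types, and evaluates the example rulebook's severity condition. The event layout (`metadata.offset`, `metadata.eventType`, `event.Severity`) and the `falcon` wrapper key are assumptions taken from the rulebook's condition path, not verified against the plugin.

```python
import re

CLOUDS = {"us-1", "us-2", "eu-1", "us-gov-1"}
STREAM_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # "max 32 alphanumeric"


def validate_source(cfg):
    """Check an eventstream source config against the documented constraints.
    Returns a list of problems; an empty list means the config is acceptable."""
    problems = []
    for key in ("falcon_client_id", "falcon_client_secret", "falcon_cloud"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if cfg.get("falcon_cloud", "us-1") not in CLOUDS:
        problems.append("falcon_cloud must be one of " + ", ".join(sorted(CLOUDS)))
    if not STREAM_NAME_RE.match(cfg.get("stream_name", "eda")):
        problems.append("stream_name must be 1-32 alphanumeric characters")
    if cfg.get("offset") is not None and cfg.get("latest"):
        problems.append("offset and latest are mutually exclusive")
    return problems


def select_events(events, cfg):
    """Apply offset / include_event_types / exclude_event_types to a replayed
    list of events (assumed layout: metadata.offset, metadata.eventType)."""
    include = set(cfg.get("include_event_types") or [])
    exclude = set(cfg.get("exclude_event_types") or [])
    start = cfg.get("offset")
    if cfg.get("latest") and events:          # replay approximation of "latest"
        start = max(e["metadata"]["offset"] for e in events)
    selected = []
    for ev in events:
        etype = ev["metadata"]["eventType"]
        if start is not None and ev["metadata"]["offset"] < start:
            continue
        if (include and etype not in include) or etype in exclude:
            continue
        selected.append({"falcon": ev})       # shape the rulebook condition reads
    return selected


def high_or_critical(wrapped):
    """The example rulebook's condition: event.falcon.event.Severity > 3."""
    return wrapped["falcon"]["event"].get("Severity", 0) > 3


# Constructed sample data, not real Falcon output or real credentials.
SAMPLE_EVENTS = [
    {"metadata": {"offset": 12344, "eventType": "DetectionSummaryEvent"}, "event": {"Severity": 5}},
    {"metadata": {"offset": 12345, "eventType": "DetectionSummaryEvent"}, "event": {"Severity": 2}},
    {"metadata": {"offset": 12346, "eventType": "UserActivityAuditEvent"}, "event": {"Severity": 5}},
    {"metadata": {"offset": 12347, "eventType": "DetectionSummaryEvent"}, "event": {"Severity": 4}},
]
EXAMPLE_SOURCE = {"falcon_client_id": "<client-id>", "falcon_client_secret": "<client-secret>",
                  "falcon_cloud": "us-2", "offset": 12345, "stream_name": "edaexample",
                  "include_event_types": ["DetectionSummaryEvent"]}
```

Running `select_events(SAMPLE_EVENTS, EXAMPLE_SOURCE)` keeps offsets 12345 and 12347, and only 12347 satisfies the severity condition.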
Authors
- Carlos Matos (@carlosmmatos)
- Frank Falor (@ffalor)