falcon_discover
Query asset details from the CrowdStrike Falcon Discover API. To learn more about Falcon Discover and
Added in version 4.0.0
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| allow_duplicates | bool | No | false | Allow duplicate hosts to be added to the inventory by adding the asset ID as a suffix to the hostname. By default, duplicate hostnames are not allowed. |
| client_id | str | No | | The CrowdStrike API client ID to use. See the [Falcon documentation](https://falcon.crowdstrike.com/documentation/46/crowdstrike-oauth2-based-apis#understanding-api-clients). The `FALCON_CLIENT_ID` environment variable can also be used. |
| client_secret | str | No | | The CrowdStrike API secret that corresponds to the client ID. See the [Falcon documentation](https://falcon.crowdstrike.com/documentation/46/crowdstrike-oauth2-based-apis#understanding-api-clients). The `FALCON_CLIENT_SECRET` environment variable can also be used. |
| cloud | str | No | us-1 | The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the `us-gov-1` cloud. The `FALCON_CLOUD` environment variable can also be used. Choices: `us-1`, `us-2`, `us-gov-1`, `eu-1`. |
| filter | str | No | | The FQL filter expression used to limit the results. See the [Falcon documentation](https://falcon.crowdstrike.com/documentation/page/a9df69ec/asset-management-apis#t0e123bd). |
| member_cid | str | No | | The CrowdStrike member CID for MSSP authentication. See the [Falcon documentation](https://falcon.crowdstrike.com/documentation/46/crowdstrike-oauth2-based-apis#understanding-api-clients). The `FALCON_MEMBER_CID` environment variable can also be used. |
Examples
```yaml
# sample file: my_inventory.falcon_discover.yml

# required for all falcon_discover inventory configs
plugin: crowdstrike.falcon.falcon_discover

# authentication credentials (required if not using environment variables)
# prefer the FALCON_CLIENT_ID / FALCON_CLIENT_SECRET environment variables so the
# secret does not live in a file that is committed or shared with the inventory
# client_id: 1234567890abcdef12345678
# client_secret: 1234567890abcdef1234567890abcdef12345
# cloud: us-1

# fql filter expression to limit results (by default all assets are returned)
# examples below:

# return unmanaged assets discovered in the past day
# filter: "entity_type:'unmanaged'+first_seen_timestamp:>'now-1d'"

# return all new assets within the past week
# filter: "first_seen_timestamp:>'now-1w'"

# return all assets that have been seen in the past 3 days
# filter: "last_seen_timestamp:>'now-3d'"

# return all assets seen in the last 12 hours that are in RFM mode
# filter: "reduced_functionality_mode:Yes+last_seen_timestamp:>'now-12h'"

# return all AWS assets
# filter: "cloud_provider:'AWS'"

# allow duplicate hostnames to be added to the inventory
# example: if you have two hosts with the same hostname, they will be added as:
#   hostnameA
#   hostnameA_1234567890abcdef12345678
#
# allow_duplicates: true

# place hosts into dynamically created groups based on variable values
keyed_groups:
  # places host in a group named cloud_<cloud_provider> (e.g. cloud_AWS) if the asset is a cloud asset
  - prefix: cloud
    key: cloud_provider
  # places host in a group named platform_<platform_name> based on the platform name (Linux, Windows, etc.)
  - prefix: platform
    key: platform_name
  # places host in a group named tag_<tag> for each tag on a host
  - prefix: tag
    key: tags
  # places host in a group named rfm_<Yes|No> to see if the host is in reduced functionality mode
  - prefix: rfm
    key: reduced_functionality_mode
  # places host in a group named location_<city> based on the city the host is located in
  - prefix: location
    key: city

# place hosts in named groups based on conditional statements (evaluated as true)
groups:
  # places host in a group named unmanaged_assets if the entity_type is unmanaged
  unmanaged_assets: "entity_type == 'unmanaged'"
  # places host in a group named cloud_assets if the asset has a cloud_provider set
  cloud_assets: "cloud_provider != None"

# create and modify host variables from Jinja2 expressions
# (values are expressions, so string literals must be quoted inside the quotes)
# compose:
#   # this sets the ansible_host variable to the external_ip address
#   ansible_host: external_ip
#
#   # this defines combinations of host servers, IP addresses, and related SSH private keys.
#   ansible_host: external_ip
#   ansible_user: "'root'"
#   ansible_ssh_private_key_file: "'/path/to/private_key_file'"

# caching is supported for this inventory plugin.
# caching can be configured in the ansible.cfg file or in the inventory file.
# the cache file holds asset hostnames, IPs and tags; keep it in a directory
# readable only by the user running Ansible.
cache: true
cache_plugin: jsonfile
cache_connection: /tmp/falcon_inventory
cache_timeout: 1800
cache_prefix: falcon_discover
```
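The grouping options above (allow_duplicates, keyed_groups, groups, compose) are easiest to reason about by dry-running them against a few asset records before pointing the inventory at the live API. The following is an added illustration written for this page, not code from the crowdstrike.falcon collection: it reproduces the documented behaviour over constructed sample records. Assumptions: the records and their field values are made up; the `groups` conditionals are written as Python callables where the real plugin evaluates Jinja2 expressions; when `allow_duplicates` is false a repeated hostname is assumed to be dropped rather than merged; and no group-name sanitization is applied.

```python
"""Offline dry run of the falcon_discover grouping options.

Added example for this page, not the plugin's own code. It maps constructed
Falcon Discover asset records to Ansible groups and hostvars the way the
sample inventory file's options describe.
"""
from collections import defaultdict

# Constructed sample records (not real API output) carrying the fields the
# sample inventory file keys on.
SAMPLE_ASSETS = [
    {"id": "aaaa1111", "hostname": "web01", "entity_type": "managed",
     "platform_name": "Linux", "cloud_provider": "AWS", "tags": ["prod", "web"],
     "reduced_functionality_mode": "No", "city": "Austin",
     "external_ip": "203.0.113.10"},
    # second asset with the same hostname, to exercise allow_duplicates
    {"id": "bbbb2222", "hostname": "web01", "entity_type": "managed",
     "platform_name": "Linux", "cloud_provider": None, "tags": [],
     "reduced_functionality_mode": "Yes", "city": "Austin",
     "external_ip": "203.0.113.11"},
    # an unmanaged asset with mostly empty fields, as Discover often reports
    {"id": "cccc3333", "hostname": "printer-7", "entity_type": "unmanaged",
     "platform_name": None, "cloud_provider": None, "tags": None,
     "reduced_functionality_mode": None, "city": None, "external_ip": None},
]

# Same prefix/key pairs as the keyed_groups section of the sample file.
KEYED_GROUPS = [
    ("cloud", "cloud_provider"), ("platform", "platform_name"), ("tag", "tags"),
    ("rfm", "reduced_functionality_mode"), ("location", "city"),
]
# The groups conditionals from the sample file, as Python callables here
# (the real plugin evaluates them as Jinja2 expressions).
GROUPS = {
    "unmanaged_assets": lambda a: a["entity_type"] == "unmanaged",
    "cloud_assets": lambda a: a["cloud_provider"] is not None,
}
# compose: hostvar name -> asset field (the "ansible_host: external_ip" case).
COMPOSE = {"ansible_host": "external_ip"}


def inventory_name(asset, seen, allow_duplicates):
    """Return the inventory hostname for an asset, or None if it is dropped.

    Documented allow_duplicates rule: a repeated hostname is rejected by
    default, or disambiguated as <hostname>_<asset id> when enabled.
    """
    name = asset["hostname"]
    if name not in seen:
        return name
    return f"{name}_{asset['id']}" if allow_duplicates else None


def build_inventory(assets, allow_duplicates=False):
    """Return (groups, hostvars) built from the asset records."""
    groups = defaultdict(set)
    hostvars = {}
    seen = set()
    for asset in assets:
        name = inventory_name(asset, seen, allow_duplicates)
        if name is None:
            continue  # duplicate hostname and allow_duplicates is false
        seen.add(asset["hostname"])
        hostvars[name] = {var: asset.get(field) for var, field in COMPOSE.items()}
        for prefix, key in KEYED_GROUPS:
            value = asset.get(key)
            if value in (None, "", []):
                continue  # empty values create no group
            values = value if isinstance(value, list) else [value]
            for v in values:  # list fields such as tags yield one group per element
                groups[f"{prefix}_{v}"].add(name)
        for group, cond in GROUPS.items():
            if cond(asset):
                groups[group].add(name)
    return dict(groups), hostvars


if __name__ == "__main__":
    for flag in (False, True):
        g, h = build_inventory(SAMPLE_ASSETS, allow_duplicates=flag)
        print(f"allow_duplicates={flag}: hosts={sorted(h)}")
        for group in sorted(g):
            print(f"  {group}: {sorted(g[group])}")
```

With `allow_duplicates` false the second `web01` record disappears, taking its `rfm_Yes` membership with it; with it enabled the host surfaces as `web01_bbbb2222`, which is usually what you want when RFM or unmanaged hosts are the reason you are querying Discover in the first place. For the real inventory, export `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` and run `ansible-inventory -i my_inventory.falcon_discover.yml --graph` to compare the resulting groups against a dry run like this one.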