crowdstrike.falcon.falcon_discover inventory – CrowdStrike Falcon Discover inventory source
Note
This inventory plugin is part of the crowdstrike.falcon collection (version 4.7.0).
To install it, use: ansible-galaxy collection install crowdstrike.falcon.
You need further requirements to be able to use this inventory plugin, see Requirements for details.
To use it in a playbook, specify: crowdstrike.falcon.falcon_discover.
New in crowdstrike.falcon 4.0.0
Synopsis
Query asset details from the CrowdStrike Falcon Discover API. To learn more about Falcon Discover and Exposure Management, see the Falcon documentation.
The inventory file is a YAML configuration and must end with falcon_discover.{yml|yaml}. Example: my_inventory.falcon_discover.yml
Requirements
The below requirements are needed on the local controller node that executes this inventory.
Assets [READ] API scope
python >= 3.6
crowdstrike-falconpy >= 1.3.0
Parameters

Parameter | Comments
---|---
allow_duplicates (boolean) | Allow duplicate hosts to be added to the inventory by adding the asset ID as a suffix to the hostname. By default, duplicate hostnames are not allowed. Choices: false (default), true
cache (boolean) | Toggle to enable/disable the caching of the inventory's source data, requires a cache plugin setup to work. Choices: false (default), true. Configuration: ini [inventory] cache; env ANSIBLE_INVENTORY_CACHE
cache_connection (string) | Cache connection data or path, read cache plugin documentation for specifics. Configuration: ini [defaults] fact_caching_connection, [inventory] cache_connection; env ANSIBLE_CACHE_PLUGIN_CONNECTION, ANSIBLE_INVENTORY_CACHE_CONNECTION
cache_plugin (string) | Cache plugin to use for the inventory's source data. Default: "memory". Configuration: ini [defaults] fact_caching, [inventory] cache_plugin; env ANSIBLE_CACHE_PLUGIN, ANSIBLE_INVENTORY_CACHE_PLUGIN
cache_prefix (string) | Prefix to use for cache plugin files/tables. Default: "ansible_inventory_". Configuration: ini [defaults] fact_caching_prefix, [inventory] cache_prefix; env ANSIBLE_CACHE_PLUGIN_PREFIX, ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX
cache_timeout (integer) | Cache duration in seconds. Default: 3600. Configuration: ini [defaults] fact_caching_timeout, [inventory] cache_timeout; env ANSIBLE_CACHE_PLUGIN_TIMEOUT, ANSIBLE_INVENTORY_CACHE_TIMEOUT
client_id (string) | The CrowdStrike API client ID to use. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_ID environment variable can also be used.
client_secret (string) | The CrowdStrike API secret that corresponds to the client ID. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_SECRET environment variable can also be used.
cloud (string) | The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the us-gov-1 cloud. The FALCON_CLOUD environment variable can also be used. Choices: us-1, us-2, us-gov-1, eu-1
compose (dictionary) | Create vars from jinja2 expressions. Default: {}
filter (string) | The filter expression that should be used to limit the results using FQL (Falcon Query Language) syntax. See the Falcon documentation for more information about what filters are available for this inventory.
groups (dictionary) | Add hosts to group based on Jinja2 conditionals. Default: {}
keyed_groups (list / elements=dictionary) | Add hosts to group based on the values of a variable. Default: []
keyed_groups[].default_value (string) | The default value when the host variable's value is an empty string. This option is mutually exclusive with keyed_groups[].trailing_separator.
keyed_groups[].key (string) | The key from input dictionary used to generate groups
keyed_groups[].parent_group (string) | parent group for keyed group
keyed_groups[].prefix (string) | A keyed group name will start with this prefix. Default: ""
keyed_groups[].separator (string) | separator used to build the keyed group name. Default: "_"
keyed_groups[].trailing_separator (boolean) | Set this option to False to omit the separator after the host variable when the value is an empty string. This option is mutually exclusive with keyed_groups[].default_value. Choices: false, true (default)
leading_separator (boolean) | Use in conjunction with keyed_groups. By default, a keyed group that does not have a prefix or a separator provided will have a name that starts with an underscore. This is because the default prefix is "" and the default separator is "_". Set this option to False to omit the leading underscore (or other separator) if no prefix is given. If the group name is derived from a mapping the separator is still used to concatenate the items. To not use a separator in the group name at all, set the separator for the keyed group to an empty string instead. Choices: false, true (default)
member_cid (string) | The CrowdStrike member CID for MSSP authentication. See the Falcon documentation for more information about API clients. The FALCON_MEMBER_CID environment variable can also be used.
strict (boolean) | If yes make invalid entries a fatal error, otherwise skip and continue. Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default. Choices: false (default), true
use_extra_vars (boolean) | Merge extra vars into the available variables for composition (highest precedence). Choices: false (default), true. Configuration: ini [inventory_plugins] use_extra_vars; env ANSIBLE_INVENTORY_USE_EXTRA_VARS
Notes
Note
If no credentials are provided, FalconPy will attempt to use the API credentials via environment variables.
Hostnames are set to the hostname hostvar if it exists, otherwise the IP address is used. The current behavior for assigning an IP address to a host is to use the external IP address if it exists, otherwise the current local IP address is used. If neither of those exist, the host is skipped as Ansible would not be able to connect to it.
Examples
```yaml
# sample file: my_inventory.falcon_discover.yml

# required for all falcon_discover inventory configs
plugin: crowdstrike.falcon.falcon_discover

# authentication credentials (required if not using environment variables)
#client_id: 1234567890abcdef12345678
#client_secret: 1234567890abcdef1234567890abcdef12345
#cloud: us-1

# fql filter expression to limit results (by default all assets are returned)
# examples below:

# return unmanaged assets discovered in the past day
#filter: "entity_type:'unmanaged'+first_seen_timestamp:>'now-1d'"

# return all new assets within the past week
#filter: "first_seen_timestamp:>'now-1w'"

# return all assets that have been seen in the past 3 days
#filter: "last_seen_timestamp:>'now-3d'"

# return all assets seen in the last 12 hours that are in RFM mode
#filter: "reduced_functionality_mode:Yes+last_seen_timestamp:>'now-12h'"

# return all AWS assets
#filter: "cloud_provider:'AWS'"

# allow duplicate hostnames to be added to the inventory
# example: If you have two hosts with the same hostname, they will be added as:
#   hostnameA
#   hostnameA_1234567890abcdef12345678
#
#allow_duplicates: true

# place hosts into dynamically created groups based on variable values
keyed_groups:
  # places host in a group named cloud_<cloud_provider> (e.g. cloud_AWS) if the asset is a cloud asset
  - prefix: cloud
    key: cloud_provider
  # places host in a group named platform_<platform_name> based on the platform name (Linux, Windows, etc.)
  - prefix: platform
    key: platform_name
  # places host in a group named tag_<tags> for each tag on a host
  - prefix: tag
    key: tags
  # places host in a group named rfm_<Yes|No> to see if the host is in reduced functionality mode
  - prefix: rfm
    key: reduced_functionality_mode
  # places host in a group named location_<city> based on the city the host is located in
  - prefix: location
    key: city

# place hosts in named groups based on conditional statements <evaluated as true>
groups:
  # places host in a group named unmanaged_assets if the entity_type is unmanaged
  unmanaged_assets: "entity_type == 'unmanaged'"
  # places host in a group named cloud_assets if the asset has a cloud_provider value (a cloud asset)
  cloud_assets: "cloud_provider != None"

# create and modify host variables from Jinja2 expressions
#compose:
#  # this sets the ansible_host variable to the external_ip address
#  ansible_host: external_ip
#  # this defines combinations of host servers, IP addresses, and related SSH private keys.
#  ansible_host: external_ip
#  ansible_user: "'root'"
#  ansible_ssh_private_key_file: "'/path/to/private_key_file'"

# caching is supported for this inventory plugin.
# caching can be configured in the ansible.cfg file or in the inventory file.
cache: true
cache_plugin: jsonfile
cache_connection: /tmp/falcon_inventory
cache_timeout: 1800
cache_prefix: falcon_discover
```
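The host naming rules from the Notes (hostname hostvar, else external IP, else local IP, else skip), the allow_duplicates suffix, and the keyed_groups naming used in the sample file above can be checked against data before pointing the plugin at a live tenant. The following is an added example, not code from the crowdstrike.falcon collection: it re-implements those documented rules in plain Python over constructed asset records whose field names (hostname, external_ip, local_ip, id, cloud_provider, platform_name, tags, reduced_functionality_mode, city) are taken from this page. How the plugin treats a duplicate hostname when allow_duplicates is false is not stated on the page; the model keeps the first record, and that choice is marked as an assumption in the code.

```python
"""Model of the falcon_discover host naming and keyed-group rules (added example).

Not code from the crowdstrike.falcon collection: a plain re-implementation of the
behaviour this page documents, so the rules can be exercised on sample data.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample assets (not real Falcon Discover output).
# aid001/aid002 share a hostname, aid003 has no hostname, aid004 has no IP at all.
SAMPLE_ASSETS: List[Dict[str, Any]] = [
    {"id": "aid001", "hostname": "web01", "external_ip": "203.0.113.10",
     "local_ip": "10.0.0.5", "cloud_provider": "AWS", "platform_name": "Linux",
     "tags": ["prod", "pci"], "reduced_functionality_mode": "No"},
    {"id": "aid002", "hostname": "web01", "external_ip": None,
     "local_ip": "10.0.0.6", "cloud_provider": None, "platform_name": "Linux",
     "tags": [], "reduced_functionality_mode": "Yes"},
    {"id": "aid003", "hostname": None, "external_ip": None,
     "local_ip": "192.168.1.20", "cloud_provider": None,
     "platform_name": "Windows", "tags": ["lab"], "reduced_functionality_mode": "No"},
    {"id": "aid004", "hostname": "printer-3f", "external_ip": None,
     "local_ip": None, "cloud_provider": None, "platform_name": None,
     "tags": [], "reduced_functionality_mode": None},
]

# The keyed_groups entries from the sample inventory file on this page.
EXAMPLE_KEYED_GROUPS: List[Dict[str, str]] = [
    {"prefix": "cloud", "key": "cloud_provider"},
    {"prefix": "platform", "key": "platform_name"},
    {"prefix": "tag", "key": "tags"},
    {"prefix": "rfm", "key": "reduced_functionality_mode"},
    {"prefix": "location", "key": "city"},
]


def select_ip(asset: Dict[str, Any]) -> Optional[str]:
    """External IP if present, otherwise the current local IP, otherwise None."""
    return asset.get("external_ip") or asset.get("local_ip") or None


def host_name(asset: Dict[str, Any]) -> Optional[str]:
    """Inventory name per the Notes: the hostname hostvar if set, else the IP.

    Returns None when the asset has no usable IP; the Notes say such a host is
    skipped because Ansible would not be able to connect to it.
    """
    ip = select_ip(asset)
    if ip is None:
        return None
    return asset.get("hostname") or ip


def add_hosts(assets: List[Dict[str, Any]],
              allow_duplicates: bool = False) -> Tuple[Dict[str, Dict[str, Any]], List[str]]:
    """Return ({inventory_hostname: hostvars}, [skipped asset ids]).

    With allow_duplicates a second host of the same name becomes
    <hostname>_<asset id>, as the sample file describes. Without it the page
    only says duplicates are not allowed; this model keeps the first record
    and drops later ones (assumption, not documented behaviour).
    """
    inventory: Dict[str, Dict[str, Any]] = {}
    skipped: List[str] = []
    for asset in assets:
        name = host_name(asset)
        if name is None:
            skipped.append(asset["id"])
            continue
        if name in inventory:
            if not allow_duplicates:
                continue
            name = f"{name}_{asset['id']}"
        inventory[name] = dict(asset)
    return inventory, skipped


def keyed_group_names(hostvars: Dict[str, Any], keyed_groups: List[Dict[str, str]],
                      leading_separator: bool = True) -> List[str]:
    """Groups a host joins, following the keyed_groups option semantics.

    prefix defaults to "" and separator to "_"; with no prefix the name starts
    with the separator unless leading_separator is False. A list-valued key
    (such as tags) yields one group per element; a missing, None or empty value
    yields no group. default_value/trailing_separator handling is left out.
    """
    names: List[str] = []
    for kg in keyed_groups:
        value = hostvars.get(kg["key"])
        if value is None or value == "":
            continue
        prefix = kg.get("prefix", "")
        sep = kg.get("separator", "_")
        values = value if isinstance(value, list) else [value]
        for v in values:
            if prefix:
                names.append(f"{prefix}{sep}{v}")
            elif leading_separator:
                names.append(f"{sep}{v}")
            else:
                names.append(str(v))
    return names


if __name__ == "__main__":
    hosts, skipped = add_hosts(SAMPLE_ASSETS, allow_duplicates=True)
    for name, hostvars in hosts.items():
        print(name, "->", keyed_group_names(hostvars, EXAMPLE_KEYED_GROUPS))
    print("skipped (no IP):", skipped)
```

Running the model shows the inventory-side effect of the skip rule that matters for coverage: an asset Discover knows about but has no external or local IP for (aid004 here) never appears in the inventory, so an inventory-driven check will not see it at all; compare the plugin's host list against a Discover export if complete coverage of unmanaged assets is the goal.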