crowdstrike.falcon.falcon_discover inventory – CrowdStrike Falcon Discover inventory source

Note

This inventory plugin is part of the crowdstrike.falcon collection (version 4.7.2).

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this inventory plugin, see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.falcon_discover.

New in crowdstrike.falcon 4.0.0

Synopsis

  • Query asset details from the CrowdStrike Falcon Discover API. To learn more about Falcon Discover and Exposure Management, see the Falcon documentation

  • The inventory file is a YAML configuration and must end with falcon_discover.{yml|yaml}.

  • Example: my_inventory.falcon_discover.yml

Requirements

The below requirements are needed on the local controller node that executes this inventory.

  • Assets [READ] API scope

  • python >= 3.6

  • crowdstrike-falconpy >= 1.3.0

Parameters

Parameter

Comments

allow_duplicates

boolean

Allow duplicate hosts to be added to the inventory by adding the asset ID as a suffix to the hostname.

By default, duplicate hostnames are not allowed.

Choices:

  • false ← (default)

  • true

cache

boolean

Toggle to enable/disable the caching of the inventory’s source data, requires a cache plugin setup to work.

Choices:

  • false ← (default)

  • true

Configuration:

cache_connection

string

Cache connection data or path, read cache plugin documentation for specifics.

Configuration:

cache_plugin

string

Cache plugin to use for the inventory’s source data.

Default: "memory"

Configuration:

cache_prefix

string

Prefix to use for cache plugin files/tables

Default: "ansible_inventory_"

Configuration:

  • INI entries:

    [default]
fact_caching_prefix = ansible_inventory_

    Removed in: version 2.16 of ansible.builtin

    Why: Fixes typing error in INI section name

    Alternative: Use the ‘defaults’ section instead

    [defaults]
fact_caching_prefix = ansible_inventory_

    [inventory]
cache_prefix = ansible_inventory_

  • Environment variable: ANSIBLE_CACHE_PLUGIN_PREFIX

  • Environment variable: ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX

cache_timeout

integer

Cache duration in seconds

Default: 3600

Configuration:

client_id

aliases: falcon_client_id

string

The CrowdStrike API client ID to use.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_ID environment variable can also be used.

client_secret

aliases: falcon_client_secret

string

The CrowdStrike API secret that corresponds to the client ID.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_SECRET environment variable can also be used.

cloud

string

The CrowdStrike cloud region to use.

All clouds are automatically discovered if not specified, except for the us-gov-1 cloud.

The FALCON_CLOUD environment variable can also be used.

Choices:

  • "us-1" ← (default)

  • "us-2"

  • "us-gov-1"

  • "eu-1"

compose

dictionary

Create vars from jinja2 expressions.

Default: {}

filter

string

The filter expression that should be used to limit the results using FQL (Falcon Query Language) syntax.

See the Falcon documentation for more information about what filters are available for this inventory.

groups

dictionary

Add hosts to group based on Jinja2 conditionals.

Default: {}

keyed_groups

list / elements=dictionary

Add hosts to group based on the values of a variable.

Default: []

default_value

string

added in ansible-core 2.12

The default value when the host variable’s value is an empty string.

This option is mutually exclusive with trailing_separator.

key

string

The key from input dictionary used to generate groups

parent_group

string

parent group for keyed group

prefix

string

A keyed group name will start with this prefix

Default: ""

separator

string

separator used to build the keyed group name

Default: "_"

trailing_separator

boolean

added in ansible-core 2.12

Set this option to False to omit the separator after the host variable when the value is an empty string.

This option is mutually exclusive with default_value.

Choices:

  • false

  • true ← (default)

leading_separator

boolean

added in ansible-core 2.11

Use in conjunction with keyed_groups.

By default, a keyed group that does not have a prefix or a separator provided will have a name that starts with an underscore.

This is because the default prefix is “” and the default separator is “_”.

Set this option to False to omit the leading underscore (or other separator) if no prefix is given.

If the group name is derived from a mapping the separator is still used to concatenate the items.

To not use a separator in the group name at all, set the separator for the keyed group to an empty string instead.

Choices:

  • false

  • true ← (default)

member_cid

string

The CrowdStrike member CID for MSSP authentication.

See the Falcon documentation for more information about API clients.

The FALCON_MEMBER_CID environment variable can also be used.

strict

boolean

If yes make invalid entries a fatal error, otherwise skip and continue.

Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default.

Choices:

  • false ← (default)

  • true

use_extra_vars

boolean

added in ansible-core 2.11

Merge extra vars into the available variables for composition (highest precedence).

Choices:

  • false ← (default)

  • true

Configuration:

Notes

Note

  • If no credentials are provided, FalconPy will attempt to use the API credentials via environment variables.

  • Hostnames are set to the hostname hostvar if it exists, otherwise the IP address is used.

  • The current behavior for assigning an IP address to a host is to use the external IP address if it exists, otherwise the current local IP address is used. If neither of those exist, the host is skipped as Ansible would not be able to connect to it.

Examples

# sample file: my_inventory.falcon_discover.yml

# required for all falcon_discover inventory configs
plugin: crowdstrike.falcon.falcon_discover

# authentication credentials (required if not using environment variables)
#client_id: 1234567890abcdef12345678
#client_secret: 1234567890abcdef1234567890abcdef12345
#cloud: us-1

# fql filter expression to limit results (by default all assets are returned)
# examples below:

# return unmanaged assets discovered in the past day
#filter: "entity_type:'unmanaged'+first_seen_timestamp:>'now-1d'"

# return all new assets within the past week
#filter: "first_seen_timestamp:>'now-1w'"

# return all assets that have been seen in the past 3 days
#filter: "last_seen_timestamp:>'now-3d'"

# return all assets seen in the last 12 hours that are in RFM mode
#filter: "reduced_functionality_mode:Yes+last_seen_timestamp:>'now-12h'"

# return all AWS assets
#filter: "cloud_provider:'AWS'"

# allow duplicate hostnames to be added to the inventory
# example: If you two hosts with the same hostname, they will be added as:
#     hostnameA
#     hostnameA_1234567890abcdef12345678
#
#allow_duplicates: true

# place hosts into dynamically created groups based on variable values
keyed_groups:
  # places host in a group named cloud_<cloud_provider> (e.g. cloud_AWS) if the asset is a cloud asset
  - prefix: cloud
    key: cloud_provider
  # places host in a group named platform_<platform_name> based on the platform name (Linux, Windows, etc.)
  - prefix: platform
    key: platform_name
  # places host in a group named tag_<tags> for each tag on a host
  - prefix: tag
    key: tags
  # places host in a group named rfm_<Yes|No> to see if the host is in reduced functionality mode
  - prefix: rfm
    key: reduced_functionality_mode
  # places host in a group named location_<city> based on the city the host is located in
  - prefix: location
    key: city

# place hosts in named groups based on conditional statements <evaluated as true>
groups:
  # places host in a group named unmanaged_assets if the entity_type is unmanaged
  unmanaged_assets: "entity_type == 'unmanaged'"
  # places host in a group named cloud_assets if the entity_type is cloud
  cloud_assets: "cloud_provider != None"

# create and modify host variables from Jinja2 expressions
# compose:
#   # this sets the ansible_host variable to the external_ip address
#   ansible_host: external_ip
#   # this defines combinations of host servers, IP addresses, and related SSH private keys.
#   ansible_host: external_ip
#   ansible_user: "'root'"
#   ansible_ssh_private_key_file: "'/path/to/private_key_file'"

# caching is supported for this inventory plugin.
# caching can be configured in the ansible.cfg file or in the inventory file.
cache: true
cache_plugin: jsonfile
cache_connection: /tmp/falcon_inventory
cache_timeout: 1800
cache_prefix: falcon_discover

Authors

  • Carlos Matos (@carlosmmatos)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.