crowdstrike.falcon.falcon_hosts inventory – CrowdStrike Falcon Hosts inventory source

Note

This inventory plugin is part of the crowdstrike.falcon collection (version 4.7.0).

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this inventory plugin, see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.falcon_hosts.

New in crowdstrike.falcon 4.3.0

Synopsis

  • Query asset details from the CrowdStrike Falcon Hosts API.

  • The inventory file is a YAML configuration and must end with falcon_hosts.{yml|yaml}.

  • Example: my_inventory.falcon_hosts.yml

Requirements

The below requirements are needed on the local controller node that executes this inventory.

  • Hosts [READ] API scope

  • python >= 3.6

  • crowdstrike-falconpy >= 1.3.0

Parameters

Parameter

Comments

cache

boolean

Toggle to enable/disable the caching of the inventory’s source data, requires a cache plugin setup to work.

Choices:

  • false ← (default)

  • true

Configuration:

cache_connection

string

Cache connection data or path, read cache plugin documentation for specifics.

Configuration:

cache_plugin

string

Cache plugin to use for the inventory’s source data.

Default: "memory"

Configuration:

cache_prefix

string

Prefix to use for cache plugin files/tables

Default: "ansible_inventory_"

Configuration:

  • INI entries:

    [default]
    fact_caching_prefix = ansible_inventory_
    

    Removed in: version 2.16 of ansible.builtin

    Why: Fixes typing error in INI section name

    Alternative: Use the ‘defaults’ section instead

    [defaults]
    fact_caching_prefix = ansible_inventory_
    
    [inventory]
    cache_prefix = ansible_inventory_
    
  • Environment variable: ANSIBLE_CACHE_PLUGIN_PREFIX

  • Environment variable: ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX

cache_timeout

integer

Cache duration in seconds

Default: 3600

Configuration:

client_id

aliases: falcon_client_id

string

The CrowdStrike API client ID to use.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_ID environment variable can also be used.

This option can be set using a Jinja2 template value.

client_secret

aliases: falcon_client_secret

string

The CrowdStrike API secret that corresponds to the client ID.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_SECRET environment variable can also be used.

This option can be set using a Jinja2 template value.

cloud

string

The CrowdStrike cloud region to use.

All clouds are automatically discovered if not specified, except for the us-gov-1 cloud.

The FALCON_CLOUD environment variable can also be used.

This option can be set using a Jinja2 template value.

Valid values are us-1, us-2, eu-1, us-gov-1.

Default: "us-1"

compose

dictionary

Create vars from jinja2 expressions.

Default: {}

filter

string

The filter expression that should be used to limit the results using FQL (Falcon Query Language) syntax.

See the Falcon documentation for more information about what filters are available for this inventory.

groups

dictionary

Add hosts to group based on Jinja2 conditionals.

Default: {}

hostnames

list / elements=string

A list of templates in order of precedence to compose inventory_hostname.

Ignores template if resulted in an empty string or None value.

You can use any host variable as a template.

The default is to use the hostname, external_ip, and local_ip in that order.

Default: ["hostname", "external_ip", "local_ip"]

keyed_groups

list / elements=dictionary

Add hosts to group based on the values of a variable.

Default: []

default_value

string

added in ansible-core 2.12

The default value when the host variable’s value is an empty string.

This option is mutually exclusive with trailing_separator.

key

string

The key from input dictionary used to generate groups

parent_group

string

parent group for keyed group

prefix

string

A keyed group name will start with this prefix

Default: ""

separator

string

separator used to build the keyed group name

Default: "_"

trailing_separator

boolean

added in ansible-core 2.12

Set this option to False to omit the separator after the host variable when the value is an empty string.

This option is mutually exclusive with default_value.

Choices:

  • false

  • true ← (default)

leading_separator

boolean

added in ansible-core 2.11

Use in conjunction with keyed_groups.

By default, a keyed group that does not have a prefix or a separator provided will have a name that starts with an underscore.

This is because the default prefix is “” and the default separator is “_”.

Set this option to False to omit the leading underscore (or other separator) if no prefix is given.

If the group name is derived from a mapping the separator is still used to concatenate the items.

To not use a separator in the group name at all, set the separator for the keyed group to an empty string instead.

Choices:

  • false

  • true ← (default)

member_cid

string

The CrowdStrike member CID for MSSP authentication.

See the Falcon documentation for more information about API clients.

The FALCON_MEMBER_CID environment variable can also be used.

This option can be set using a Jinja2 template value.

strict

boolean

If yes make invalid entries a fatal error, otherwise skip and continue.

Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default.

Choices:

  • false ← (default)

  • true

use_extra_vars

boolean

added in ansible-core 2.11

Merge extra vars into the available variables for composition (highest precedence).

Choices:

  • false ← (default)

  • true

Configuration:

Notes

Note

  • By default, Ansible will deduplicate the inventory_hostname, so if multiple hosts have the same hostname, only the last one will be used. In this case, consider using the device_id as the first preference in the hostnames. You can use compose to specify how Ansible will connectz to the host with the ansible_host variable.

  • If no credentials are provided, FalconPy will attempt to use the API credentials via environment variables.

  • The current behavior is to use the hostname if it exists, otherwise we will attemp to use either the external IP address or the local IP address. If neither of those exist, the host will be skipped as Ansible would not be able to connect to it.

Examples

# sample file: my_inventory.falcon_hosts.yml

# required for all falcon_hosts inventory plugin configs
plugin: crowdstrike.falcon.falcon_hosts

# authentication credentials (required if not using environment variables)
# client_id: 1234567890abcdef12345678
# client_secret: 1234567890abcdef1234567890abcdef12345
# cloud: us-1

# authentication example using hashicorp vault lookup plugin
# client_id: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:client_id') }}"
# client_secret: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:client_secret') }}"
# cloud: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:cloud') }}"

# return all Windows hosts (authentication via environment variables)
# filter: "platform_name:'Windows'"

# return all Linux hosts in reduced functionality mode
# filter: "platform_name:'Linux' + reduced_functionality_mode:'yes'"

# return stale devices that haven't checked in for 15 days
# filter: "last_seen:<='now-15d'"

# return all Linux hosts running in eBPF User Mode
# filter: "linux_sensor_mode:'User Mode'"

# place hosts into dynamically created groups based on variable values
keyed_groups:
  # places host in a group named tag_<tags> for each tag on a host
  - prefix: tag
    key: tags
  # places host in a group named platform_<platform_name> based on the
  # platform name (Linux, Windows, etc.)
  - prefix: platform
    key: platform_name
  # places host in a group named tag_<tags> for each tag on a host
  - prefix: rfm
    key: reduced_functionality_mode

# place hosts into dynamically created groups based on conditional statements
groups:
  # places hosts in a group named windows_hosts if the platform_name is Windows
  windows_hosts: "platform_name == 'Windows'"
  # place hosts in a group named aws_us_west_2 if the zone_group is in us-west-2
  aws_us_west_2: "'us-west-2' in zone_group and 'Amazon' in system_manufacturer"

# compose inventory_hostname from Jinja2 expressions
# hostnames:
#   - hostname|lower

# compose inventory_hostname from Jinja2 expressions with order of precedence
# hostnames:
#   - external_ip
#   - local_ip
#   - serial_number

# use device_id as the inventory_hostname to prevent deduplication and set ansible_host
# to a reachable attribute
# hostnames:
#   - device_id
# compose:
#   ansible_host: hostname | default(external_ip) | default(local_ip) | default(None)

# compose connection variables for each host
# compose:
#   ansible_host: external_ip
#   ansible_user: "'root'"
#   ansible_ssh_private_key_file: "'/path/to/private_key_file'"

# Use caching for the inventory
# cache: true
# cache_plugin: jsonfile
# cache_connection: /tmp/falcon_inventory
# cache_timeout: 1800
# cache_prefix: falcon_hosts

Authors

  • Carlos Matos (@carlosmmatos)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.