crowdstrike.falcon.falcon_hosts inventory – CrowdStrike Falcon Hosts inventory source
Note
This inventory plugin is part of the crowdstrike.falcon collection (version 4.7.0).
To install it, use: ansible-galaxy collection install crowdstrike.falcon.
You need further requirements to be able to use this inventory plugin, see Requirements for details.
To use it in a playbook, specify: crowdstrike.falcon.falcon_hosts.
New in crowdstrike.falcon 4.3.0
Synopsis
Query asset details from the CrowdStrike Falcon Hosts API.
The inventory file is a YAML configuration and must end with falcon_hosts.{yml|yaml}. Example: my_inventory.falcon_hosts.yml
Requirements
The below requirements are needed on the local controller node that executes this inventory.
Hosts [READ] API scope
python >= 3.6
crowdstrike-falconpy >= 1.3.0
Parameters
| Parameter | Comments |
|---|---|
| | Toggle to enable/disable the caching of the inventory’s source data, requires a cache plugin setup to work. Choices: Configuration: |
| | Cache connection data or path, read cache plugin documentation for specifics. Configuration: |
| | Cache plugin to use for the inventory’s source data. Default: Configuration: |
| | Prefix to use for cache plugin files/tables Default: Configuration: |
| | Cache duration in seconds Default: Configuration: |
| | The CrowdStrike API client ID to use. See the Falcon documentation for more information about API clients. The This option can be set using a Jinja2 template value. |
| | The CrowdStrike API secret that corresponds to the client ID. See the Falcon documentation for more information about API clients. The This option can be set using a Jinja2 template value. |
| | The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the The This option can be set using a Jinja2 template value. Valid values are Default: |
| | Create vars from jinja2 expressions. Default: |
| | The filter expression that should be used to limit the results using FQL (Falcon Query Language) syntax. See the Falcon documentation for more information about what filters are available for this inventory. |
| | Add hosts to group based on Jinja2 conditionals. Default: |
| | A list of templates in order of precedence to compose Ignores template if resulted in an empty string or None value. You can use any host variable as a template. The default is to use the hostname, external_ip, and local_ip in that order. Default: |
| | Add hosts to group based on the values of a variable. Default: |
| | The default value when the host variable’s value is an empty string. This option is mutually exclusive with |
| | The key from input dictionary used to generate groups |
| | parent group for keyed group |
| | A keyed group name will start with this prefix Default: |
| | separator used to build the keyed group name Default: |
| | Set this option to False to omit the This option is mutually exclusive with Choices: |
| | Use in conjunction with keyed_groups. By default, a keyed group that does not have a prefix or a separator provided will have a name that starts with an underscore. This is because the default prefix is “” and the default separator is “_”. Set this option to False to omit the leading underscore (or other separator) if no prefix is given. If the group name is derived from a mapping the separator is still used to concatenate the items. To not use a separator in the group name at all, set the separator for the keyed group to an empty string instead. Choices: |
| | The CrowdStrike member CID for MSSP authentication. See the Falcon documentation for more information about API clients. The This option can be set using a Jinja2 template value. |
| | If Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default. Choices: |
| | Merge extra vars into the available variables for composition (highest precedence). Choices: Configuration: |
Notes
Note
By default, Ansible will deduplicate the inventory_hostname, so if multiple hosts have the same hostname, only the last one will be used. In this case, consider using the device_id as the first preference in the hostnames. You can use compose to specify how Ansible will connect to the host with the ansible_host variable.
If no credentials are provided, FalconPy will attempt to use the API credentials via environment variables.
The current behavior is to use the hostname if it exists, otherwise we will attempt to use either the external IP address or the local IP address. If neither of those exist, the host will be skipped as Ansible would not be able to connect to it.
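Added example (not part of the collection or its documentation): a simplified Python model of the naming rules in these notes, showing how two hosts that share a hostname collapse into one inventory entry, which silently removes a host from any remediation run, and how putting device_id first keeps every host. The host records are constructed, pick_name and build_inventory are hypothetical helpers, and plain attribute lookups stand in for the Jinja2 templates the real plugin evaluates.

```python
# Simplified model of the Notes above; this is NOT the plugin's implementation.
# Field names follow the page; all values are constructed sample data.
DEFAULT_PREFERENCE = ["hostname", "external_ip", "local_ip"]

HOSTS = [  # constructed sample host records
    {"device_id": "aaa111", "hostname": "web01",
     "external_ip": "198.51.100.10", "local_ip": "10.0.0.10"},
    {"device_id": "bbb222", "hostname": "web01",  # same hostname as aaa111
     "external_ip": "198.51.100.11", "local_ip": "10.0.0.11"},
    {"device_id": "ccc333", "hostname": "",
     "external_ip": "", "local_ip": "10.0.0.12"},
    {"device_id": "ddd444", "hostname": None,
     "external_ip": None, "local_ip": None},
]


def pick_name(host, preference):
    """Return the first non-empty attribute in preference order, else None."""
    for attr in preference:
        value = host.get(attr)
        if value:  # empty strings and None are ignored, as the page describes
            return value
    return None


def build_inventory(hosts, preference=DEFAULT_PREFERENCE):
    """Return ({inventory_hostname: vars}, [device_ids skipped for lack of a name])."""
    inventory, skipped = {}, []
    for host in hosts:
        name = pick_name(host, preference)
        if name is None:
            skipped.append(host["device_id"])  # nothing usable as a name
            continue
        host_vars = dict(host)
        # Stand-in for: compose: ansible_host: hostname | default(external_ip) | ...
        host_vars["ansible_host"] = pick_name(host, DEFAULT_PREFERENCE)
        inventory[name] = host_vars  # duplicate name: the last host wins
    return inventory, skipped


if __name__ == "__main__":
    for pref in (DEFAULT_PREFERENCE, ["device_id"]):
        inv, skipped = build_inventory(HOSTS, pref)
        print(pref, "->", sorted(inv), "skipped:", skipped)
```

With device_id first, the host that has no hostname or IP address is still listed but its ansible_host is None, so a play would need to exclude it or handle the unreachable host.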
Examples
```yaml
# sample file: my_inventory.falcon_hosts.yml

# required for all falcon_hosts inventory plugin configs
plugin: crowdstrike.falcon.falcon_hosts

# authentication credentials (required if not using environment variables)
# client_id: 1234567890abcdef12345678
# client_secret: 1234567890abcdef1234567890abcdef12345
# cloud: us-1

# authentication example using hashicorp vault lookup plugin
# client_id: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:client_id') }}"
# client_secret: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:client_secret') }}"
# cloud: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=path/to/secret:cloud') }}"

# return all Windows hosts (authentication via environment variables)
# filter: "platform_name:'Windows'"

# return all Linux hosts in reduced functionality mode
# filter: "platform_name:'Linux' + reduced_functionality_mode:'yes'"

# return stale devices that haven't checked in for 15 days
# filter: "last_seen:<='now-15d'"

# return all Linux hosts running in eBPF User Mode
# filter: "linux_sensor_mode:'User Mode'"

# place hosts into dynamically created groups based on variable values
keyed_groups:
  # places host in a group named tag_<tags> for each tag on a host
  - prefix: tag
    key: tags
  # places host in a group named platform_<platform_name> based on the
  # platform name (Linux, Windows, etc.)
  - prefix: platform
    key: platform_name
  # places host in a group named rfm_<reduced_functionality_mode> based on
  # whether the host is in reduced functionality mode
  - prefix: rfm
    key: reduced_functionality_mode

# place hosts into dynamically created groups based on conditional statements
groups:
  # places hosts in a group named windows_hosts if the platform_name is Windows
  windows_hosts: "platform_name == 'Windows'"
  # place hosts in a group named aws_us_west_2 if the zone_group is in us-west-2
  aws_us_west_2: "'us-west-2' in zone_group and 'Amazon' in system_manufacturer"

# compose inventory_hostname from Jinja2 expressions
# hostnames:
#   - hostname|lower

# compose inventory_hostname from Jinja2 expressions with order of precedence
# hostnames:
#   - external_ip
#   - local_ip
#   - serial_number

# use device_id as the inventory_hostname to prevent deduplication and set ansible_host
# to a reachable attribute
# hostnames:
#   - device_id
# compose:
#   ansible_host: hostname | default(external_ip) | default(local_ip) | default(None)

# compose connection variables for each host
# compose:
#   ansible_host: external_ip
#   ansible_user: "'root'"
#   ansible_ssh_private_key_file: "'/path/to/private_key_file'"

# Use caching for the inventory
# cache: true
# cache_plugin: jsonfile
# cache_connection: /tmp/falcon_inventory
# cache_timeout: 1800
# cache_prefix: falcon_hosts
```