crowdstrike.falcon.falconctl module – Configure CrowdStrike Falcon Sensor

Note

This module is part of the crowdstrike.falcon collection (version 4.7.3).

To install it, use: ansible-galaxy collection install crowdstrike.falcon.

To use it in a playbook, specify: crowdstrike.falcon.falconctl.

New in crowdstrike.falcon 3.2.0

Synopsis

  • Configures CrowdStrike Falcon Sensor on Linux systems

Parameters

Parameter

Comments

aid

boolean

Whether or not you would like to delete the associated Agent ID.

Useful when preparing a host as a master image for cloning or virtualization.

This applies only to state=absent.

Choices:

  • false

  • true

apd

string

Whether to enable or disable the Falcon sensor to use a proxy.

To enable the proxy, set to 'false'.

Valid Options are: 'true'|'false'|''

aph

string

Specifies the application proxy host to use for Falcon sensor proxy configuration.

app

string

Specifies the application proxy port to use for Falcon sensor proxy configuration.

backend

string

Configure the backend for the Falcon sensor. This was introduced to support the BPF backend.

backend is only available in sensor versions that support the --backend option (>6.46.0).

Valid Options are: 'auto'|'bpf'|'kernel'

billing

string

Specify the (Pay-As-You-Go) billing model for Cloud Workloads.

Falcon for Cloud Workloads (Pay-As-You-Go) is a billing model for your hosts that run in Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

For ephemeral workloads in these cloud environments, you pay only for the hours that hosts are active each month metered, rather than a full annual contract price per sensor default.

Valid Options are: 'metered'|'default'|''

cid

string

CrowdStrike Falcon Customer ID (CID).

feature

list / elements=string

Configure the Falcon sensor feature flags.

Choices:

  • "none"

  • "enableLog"

  • "disableLogBuffer"

message_log

string

Whether or not you would like to log messages to disk.

Valid Options are: 'true'|'false'|''

provisioning_token

string

Installation tokens prevent unauthorized hosts from being accidentally or maliciously added to your customer ID (CID).

Optional security measure for your CID.

This parameter requires supplying a cid.

state

string / required

Ensures that requested parameters are removed (absent) or added (present) to the Falcon sensor.

Choices:

  • "absent"

  • "present"

tags

string

Sensor grouping tags are optional, user-defined identifiers you can use to group and filter hosts.

To assign multiple tags, separate tags with commas.

The combined length of all tags for a host, including comma separators, cannot exceed 256 characters.

trace

string

Configure the appropriate trace level.

Choices:

  • "none"

  • "err"

  • "warn"

  • "info"

  • "debug"

Examples

- name: Set CrowdStrike Falcon CID
  crowdstrike.falcon.falconctl:
    state: present
    cid: 1234567890ABCDEF1234567890ABCDEF-12

- name: Set CrowdStrike Falcon CID with Provisioning Token
  crowdstrike.falcon.falconctl:
    state: present
    cid: 1234567890ABCDEF1234567890ABCDEF-12
    provisioning_token: 12345678

- name: Delete CrowdStrike Falcon CID
  crowdstrike.falcon.falconctl:
    state: absent
    cid: ""

- name: Delete Agent ID to Prep Master Image
  crowdstrike.falcon.falconctl:
    state: absent
    aid: yes

- name: Configure Falcon Sensor Proxy
  crowdstrike.falcon.falconctl:
    state: present
    apd: no
    aph: example.com
    app: 8080

Authors

  • Gabriel Alford (@redhatrises)

  • Carlos Matos (@carlosmmatos)