Golang-based SDK to CrowdStrike's Falcon APIs.
Gofalcon documentation is available on pkg.go.dev. Users are advised to consult this gofalcon documentation together with the comprehensive CrowdStrike API documentation published on Developer Portal. The easiest way to learn about the SDK is to consult the set of examples built on top of the SDK. What follows is a subset of these examples that can be found useful as stand-alone programs.
| Example | Description |
|---|---|
| falcon_sensor_download | stand-alone tool that can be used to download CrowdStrike Falcon Sensor |
| falcon_event_stream | stand-alone tool that can be used to stream events as they happen in CrowdStrike Falcon Console |
| falcon_cleanup_pods | stand-alone tool that can be used to clean-up inactive pods from CrowdStrike Falcon Console |
| falcon_cspm_ioms | stand-alone tool that leverages CrowdStrike Cloud Security Posture Management (CSPM) to list indicators of misconfigurations (IOMs) |
| falcon_detection_details | stand-alone tool that outputs inventory of all Falcon Detections based on custom filter |
| falcon_discover_host_details | stand-alone tool that can be used for auditing purposes and for gaining timely visibility into your environment |
| falcon_get_cid | stand-alone tool that can be used to get Customer ID based on the API key pair |
| falcon_iocs | stand-alone tool that can be used to add, delete or list Custom IOCs in the CrowdStrike Falcon Console |
| falcon_intel_indicators | stand-alone tool that queries CrowdStrike Intelligence Indicators |
| falcon_intel_rules_download | stand-alone tool that downloads CrowdStrike Falcon Intelligence Rule files |
| falcon_host_details | stand-alone tool that outputs inventory of hosts registered to CrowdStrike Falcon platform |
| falcon_registry_token | helper to generate container registry logic information for docker login |
| falcon_rtr_read_only_command | stand-alone example to run basic read-only RTR (Real-Time Response) command against a specific agent |
| falcon_rtr_admin_create_and_run_script | stand-alone example of running custom script on the specific agent using RTR (Real-Time Response) API |
| falcon_spotlight_vulnerabilities | stand-alone tool that outputs inventory of vulnerabilities affecting your environment |
| falcon_supported_kernels | stand-alone tool that outputs short list recent Linux kernels supported by CrowdStrike Falcon for a given distribution |
| falcon_zta | stand-alone tool that utilises Hosts and ZTA APIs and outputs ZTA findings for your environment |
Gofalcon is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.
Gofalcon is periodically refreshed to reflect the newest additions to the CrowdStrike API. Users of the SDK are advised to track the latest releases rather closely to ensure proper function in the unlikely event of an incompatible change to a CrowdStrike API.
go get github.com/crowdstrike/gofalcon/falcon
Various real-life examples can be found in the examples/ directory. The bare minimum example follows.
package main
import (
"context"
"fmt"
"os"
"github.com/crowdstrike/gofalcon/falcon"
"github.com/crowdstrike/gofalcon/falcon/client/incidents"
)
func main() {
client, err := falcon.NewClient(&falcon.ApiConfig{
ClientId: os.Getenv("FALCON_CLIENT_ID"),
ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
Context: context.Background(),
})
if err != nil {
panic(err)
}
desc := "timestamp.desc"
res, err := client.Incidents.CrowdScore(&incidents.CrowdScoreParams{
Context: context.Background(),
Sort: &desc,
})
if err != nil {
panic(err)
}
payload := res.GetPayload()
fmt.Printf("As of %s your CrowdScore is %d.\n",
payload.Resources[0].Timestamp.String(), *payload.Resources[0].Score)
}