CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

Access denied in ansible inventory #458

Closed Gianlu closed 6 months ago

Gianlu commented 6 months ago

Hi, I'm trying to use the ansible inventory but I receive a

Unable to query hosts: [{'code': 403, 'message': 'access denied, authorization failed'}]

I'm pretty sure that client_id and client_secret are right because via curl I'm authenticated. My token is associated to a policy with read grant on all entities.

May you help me?

Thanks

carlosmmatos commented 6 months ago

Hello @Gianlu - apologies as I noticed that I did not add the API Scope to the dynamic inventory in order to use it. Can you try adding the following API Scope to your credentials?

Gianlu commented 6 months ago

Hello, Sorry, where do I have to define the scope? In the CrowdStrike console, I have full read for every single scope and I can't see the asset scope. Moreover, with the same credentials the falconpy samples work (e.g. get_dups.py).

Thanks

carlosmmatos commented 6 months ago

Which falconpy sample are you referring to? Also, would you mind sharing your dynamic inventory file configuration?

Gianlu commented 6 months ago

Hello, my inventory file is:

# filename: 20_my_inventory.falcon_discover.yml
plugin: crowdstrike.falcon.falcon_discover

client_id: '*****************'
client_secret: '************************'
cloud: eu-1

The duplicate finder is duplicate_sensors.py

Thanks

carlosmmatos commented 6 months ago

Cool thanks.. So yeah, that FalconPy sample is for the Hosts collection service, not to be confused with the Discover service collection which is what this inventory file uses.

This would be the equivalent to trying this FalconPy sample. Can you let me know if that sample works for you?

romankis95 commented 6 months ago

Hi @carlosmmatos I'm a colleague of @Gianlu and the one that manages the API keys and tokens. Nope, that sample doesn't work for me. I was wondering which scope I'm missing, as I've allowed (for debugging purposes obviously) every single scope in READ mode on my Falcon console. Is it possible that we may not have a specific subscription?

carlosmmatos commented 6 months ago

Hey @romankis95 - It is possible you might not have the subscription needed for this. This is part of Exposure Management. This is what the subs needed would be: [screenshot]

And this is what the API scope would be: [screenshot]

If you are simply looking to take advantage of the Falcon Hosts API to use as an inventory, I have that as an action item todo.

Gianlu commented 6 months ago

Hello @carlosmmatos. It seems we don't have the right subscription but we are glad to read that an inventory version using the Hosts API is planned. May I ask when you plan to release it? I would be happy to be an "early adopter"; I hope the new version will have a similar input interface (e.g. the fql filter) and will inherit cacheable and constructable (it's mandatory for us in order to modify inventory_hostname). I have just a couple of questions:

Thanks

carlosmmatos commented 6 months ago

As for timeline, I'm trying to play catchup this week on this project. Have a few minor changes/updates, but then I plan on starting to add new modules + inventory plugin. It shouldn't take too long to do the inventory plugin since it will be very similar to the existing one.

With regards to your questions - the answer is yes, it will have the same feel as the existing dynamic inventory file - it will inherit cacheable and constructible and use fql to query the api. The output of the Hosts API is different than the Discover API, but if you wanted to get an idea of what to expect, you can do the following:

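import json
import os

from falconpy import Hosts

# Do not hardcode API credentials! Read them from the environment instead
# (the variable names FALCON_CLIENT_ID / FALCON_CLIENT_SECRET are an assumption).
falcon = Hosts(client_id=os.environ["FALCON_CLIENT_ID"],
               client_secret=os.environ["FALCON_CLIENT_SECRET"]
               )

# Pass in an AID of an existing host
response = falcon.GetDeviceDetails(ids='AID')

# Print the full response so you can see which host fields the Hosts API returns
print(json.dumps(response, indent=4))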

As for Jinja2 support, this is part of the constructable class in dynamic inventories, so since we will be using it, it should support Jinja2 templating. (I assume this is what you are asking for).

carlosmmatos commented 6 months ago

@Gianlu | @romankis95 - new PR is in place right now: #470
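
The diagnosis reached in this thread (valid credentials, Hosts calls succeed, Discover calls return 403) can be checked mechanically. The following is an added example, not part of the original thread or of the collection's code; the function names `diagnose` and `probe_live` and the sample responses are constructed for illustration.

```python
# Added example: triage FalconPy-style responses (constructed samples below).
# FalconPy returns dicts shaped {"status_code": int, "headers": {...}, "body": {...}}.

def diagnose(token_resp, service_resps):
    """Separate rejected credentials from a per-service authorization failure."""
    if token_resp.get("status_code") != 201:       # token endpoint answers 201 on success
        return {"credentials": "rejected", "services": {}}
    services = {}
    for name, resp in service_resps.items():
        status = resp.get("status_code")
        errors = (resp.get("body") or {}).get("errors") or []
        if status == 200:
            verdict = "ok"
        elif status == 403:
            # Token was issued, so the key pair is valid: the client lacks the
            # API scope, or the tenant lacks the subscription, for this service.
            verdict = "denied: scope or subscription missing"
        else:
            verdict = f"unexpected status {status}"
        services[name] = {"verdict": verdict,
                          "message": errors[0].get("message") if errors else None}
    return {"credentials": "accepted", "services": services}


def probe_live(client_id, client_secret, base_url):
    """Run one read-only query per service collection (needs falconpy + network)."""
    from falconpy import OAuth2, Hosts, Discover   # imported lazily on purpose
    auth = OAuth2(client_id=client_id, client_secret=client_secret, base_url=base_url)
    token = auth.token()
    return diagnose(token, {
        "hosts": Hosts(auth_object=auth).query_devices_by_filter(limit=1),
        "discover": Discover(auth_object=auth).query_hosts(limit=1),
    })


# Constructed responses reproducing the situation in this thread.
SAMPLE_TOKEN = {"status_code": 201, "body": {"expires_in": 1799}}
SAMPLE_CALLS = {
    "hosts": {"status_code": 200, "body": {"errors": [], "resources": ["constructed-aid"]}},
    "discover": {"status_code": 403, "body": {"errors": [
        {"code": 403, "message": "access denied, authorization failed"}]}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_TOKEN, SAMPLE_CALLS), indent=2))
```

With real credentials, `probe_live` issues a single `limit=1` query against each service collection, so it can be run with a read-only API client.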