def serviceAny_forceGovCloudAutoSelectFailure(self):
falcon = OAuth2(client_id=os.environ["CROSS_DEBUG_KEY"],
client_secret=os.environ["CROSS_DEBUG_SECRET"],
base_url="usgov1"
)
result = falcon.token()
if result["status_code"] == 201:
falcon = APIHarness(client_id=os.environ["CROSS_DEBUG_KEY"],
client_secret=os.environ["CROSS_DEBUG_SECRET"],
base_url="usgov1"
)
t_creds = {
"client_id": os.environ["CROSS_DEBUG_KEY"],
"client_secret": os.environ["CROSS_DEBUG_SECRET"],
}
result = falcon.command("oauth2AccessToken", data=t_creds, base_url="usgov1")
if result["status_code"] == 201:
falcon = CloudConnectAWS(client_id=os.environ["CROSS_DEBUG_KEY"],
client_secret=os.environ["CROSS_DEBUG_SECRET"],
base_url="usgov1"
)
result = falcon.auth_object.token()
if result["status_code"] == 429:
pytest.skip("Rate limit hit")
if result["status_code"] == 201:
return True
else:
return False
else:
return False
else:
return False
def uberCCAWS_BadAuthentication(self):
falcon = APIHarness()
if falcon.command("QueryAWSAccounts",
parameters={"limit":
1})["status_code"] in AllowedResponses:
return True
else:
return False
def uberCCAWS_DisableSSLVerify(self):
falcon = APIHarness(creds={
"client_id": config["falcon_client_id"],
"client_secret": config["falcon_client_secret"]
},
ssl_verify=False,
base_url=config["falcon_base_url"])
if falcon.command("QueryAWSAccounts",
parameters={"limit":
1})["status_code"] in AllowedResponses:
return True
else:
return False
def failUberMSSPAuth(self):
status = self.getConfig()
if status:
self.falcon = APIHarness(
client_id=self.config["falcon_client_id"],
client_secret=self.config["falcon_client_secret"],
member_cid="1234567890ABCDEFG")
self.falcon.authenticate()
if not self.falcon.authenticated:
return True
else:
return False
else:
return False
def uberAuth(self):
status = self.getConfig()
if status:
self.falcon = APIHarness(creds={
"client_id":
self.config["falcon_client_id"],
"client_secret":
self.config["falcon_client_secret"],
},
base_url=self.config["falcon_base_url"])
self.falcon.authenticate()
if self.falcon.authenticated:
return True
else:
if self.falcon.base_url == "https://api.laggar.gcw.crowdstrike.com":
pytest.skip("GovCloud rate limit hit")
else:
return False
else:
return False
def serviceAny_forceCrossCloudResponseFailure(self):
falcon = OAuth2(client_id=os.environ["CROSS_DEBUG_KEY"],
client_secret="will_not_work",
base_url="us1"
)
result = falcon.token()
if result["status_code"] == 403:
falcon = APIHarness(client_id=os.environ["CROSS_DEBUG_KEY"],
client_secret="will_not_work",
base_url="us1"
)
t_creds = {
"client_id": os.environ["CROSS_DEBUG_KEY"],
"client_secret": "shouldn't work",
}
result = falcon.command("oauth2AccessToken", data=t_creds, base_url="us1")
if result["status_code"] in [401, 403]:
return True
else:
return False
else:
return False
def connect_api(class_type: str = "service"):
"""Connect to the selected API service."""
with open("../config.json", "r", encoding="utf-8") as cred_file:
config = json.loads(cred_file.read())
if class_type.lower() == "service":
falcon_api = IOC(client_id=config["falcon_client_id"],
client_secret=config["falcon_client_secret"])
elif class_type.lower() == "uber":
falcon_api = APIHarness(client_id=config["falcon_client_id"],
client_secret=config["falcon_client_secret"])
else:
falcon_api = None
return falcon_api
def parse(self, line):
"""Parse the received line."""
# Return a false if this is a miss
payload = False
decoded_line = json.loads(line.decode("utf-8"))
# Grab our current offset
cur_offset = decoded_line["metadata"]["offset"]
# Detections only
if decoded_line["metadata"]["eventType"] == "DetectionSummaryEvent":
# Only submit detections that meet our severity threshold
if int(self.severity_threshold) <= int(
decoded_line["event"]["Severity"]):
creds = {
"client_id": self.api_config["falcon_client_id"],
"client_secret": self.api_config["falcon_client_secret"]
}
# Is this a child detection?
member_cid = self.current_cid.lower()
if "customerIDString" in decoded_line["metadata"]:
member_cid = decoded_line["metadata"][
"customerIDString"].lower()
if member_cid != self.current_cid.lower():
creds["member_cid"] = member_cid
# Connect to the Hosts API and check all hosts that match this sensor
falcon = APIHarness(creds=creds, base_url=self.base_url)
sensor = decoded_line["event"]["SensorId"]
# print(sensor)
payload = self.check_records(decoded_line, sensor, falcon,
payload)
else:
# Miss - below severity threshold
self.discarded += 1
else:
# Miss - not a detection
self.discarded += 1
return payload, cur_offset
class TestAuthorization():
def getConfigObject(self):
status = self.getConfig()
if status:
os.environ["FALCONPY_DEBUG_CLIENT_ID"] = self.config[
"falcon_client_id"]
os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = self.config[
"falcon_client_secret"]
self.authorization = OAuth2(
creds={
"client_id": self.config["falcon_client_id"],
"client_secret": self.config["falcon_client_secret"]
},
base_url=self.config["falcon_base_url"])
try:
global shared_token
if not shared_token:
shared_token = self.authorization.token(
)['body']['access_token']
except KeyError:
shared_token = False
return self.authorization
def getConfigExtended(self):
if "FALCONPY_DEBUG_TOKEN" in os.environ:
self.token = os.getenv("FALCONPY_DEBUG_TOKEN")
self.config = {}
self.config["falcon_client_id"] = os.environ[
"FALCONPY_DEBUG_CLIENT_ID"]
self.config["falcon_client_secret"] = os.environ[
"FALCONPY_DEBUG_CLIENT_SECRET"]
if "DEBUG_API_BASE_URL" in os.environ:
self.config["falcon_base_url"] = os.getenv(
"DEBUG_API_BASE_URL")
else:
self.config["falcon_base_url"] = "https://api.crowdstrike.com"
else:
status = self.getConfig()
if status:
os.environ["FALCONPY_DEBUG_CLIENT_ID"] = self.config[
"falcon_client_id"]
os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = self.config[
"falcon_client_secret"]
self.authorization = OAuth2(
creds={
"client_id": self.config["falcon_client_id"],
"client_secret": self.config["falcon_client_secret"]
},
base_url=self.config["falcon_base_url"])
try:
self.token = self.authorization.token()['body']['access_token']
os.environ["FALCONPY_DEBUG_TOKEN"] = self.token
except KeyError:
self.token = False
return self.token
def clear_env_token(self):
if "FALCONPY_DEBUG_TOKEN" in os.environ:
os.environ["FALCONPY_DEBUG_TOKEN"] = ""
os.environ["FALCONPY_DEBUG_CLIENT_ID"] = ""
os.environ["FALCONPY_DEBUG_CLIENT_SECRET"] = ""
return True
def getConfig(self):
# Grab our config parameters
if "DEBUG_API_ID" in os.environ and "DEBUG_API_SECRET" in os.environ:
self.config = {}
self.config["falcon_client_id"] = os.getenv("DEBUG_API_ID")
self.config["falcon_client_secret"] = os.getenv("DEBUG_API_SECRET")
if "DEBUG_API_BASE_URL" in os.environ:
self.config["falcon_base_url"] = os.getenv(
"DEBUG_API_BASE_URL")
else:
self.config["falcon_base_url"] = "auto"
return True
else:
cur_path = os.path.dirname(os.path.abspath(__file__))
if os.path.exists('%s/test.config' % cur_path):
with open('%s/test.config' % cur_path, 'r') as file_config:
self.config = json.loads(file_config.read())
return True
else:
return False
def uberAuth(self):
status = self.getConfig()
if status:
self.falcon = APIHarness(creds={
"client_id":
self.config["falcon_client_id"],
"client_secret":
self.config["falcon_client_secret"],
},
base_url=self.config["falcon_base_url"])
self.falcon.authenticate()
if self.falcon.authenticated:
return True
else:
if self.falcon.base_url == "https://api.laggar.gcw.crowdstrike.com":
pytest.skip("GovCloud rate limit hit")
else:
return False
else:
return False
def failUberMSSPAuth(self):
status = self.getConfig()
if status:
self.falcon = APIHarness(
client_id=self.config["falcon_client_id"],
client_secret=self.config["falcon_client_secret"],
member_cid="1234567890ABCDEFG")
self.falcon.authenticate()
if not self.falcon.authenticated:
return True
else:
return False
else:
return False
def uberRevoke(self):
return self.falcon.deauthenticate()
def serviceAuth(self):
status = self.getConfig()
if status:
self.authorization = OAuth2(
creds={
'client_id': self.config["falcon_client_id"],
'client_secret': self.config["falcon_client_secret"]
},
base_url=self.config["falcon_base_url"])
try:
check = self.authorization.token()
if check["status_code"] == 429:
pytest.skip("Rate limit hit")
self.token = check['body']['access_token']
# Force a token authentication
_ = Hosts(access_token=self.token)
except KeyError:
self.token = False
if self.token:
return True
else:
return False
else:
return False
def serviceAuthNoSSL(self):
status = self.getConfig()
if status:
self.authorization = Hosts(creds={
'client_id':
self.config["falcon_client_id"],
'client_secret':
self.config["falcon_client_secret"]
},
ssl_verify=False,
base_url=self.config["falcon_base_url"])
check = self.authorization.auth_object.token()
if check["status_code"] == 429:
pytest.skip("Rate limit hit")
if check["body"]["access_token"]:
self.authorization.auth_object.revoke(
check["body"]["access_token"])
return True
else:
return False
else:
return False
def serviceMSSPAuth(self):
status = self.getConfig()
result = False
if status:
authorization = OAuth2(
client_id=self.config["falcon_client_id"],
client_secret=self.config["falcon_client_secret"],
member_cid='1234567890ABCDEFG')
try:
req = authorization.token()
if req["status_code"] in [
201, 403
]: # Prolly an invalid MSSP cred, 403 is correct
result = True
except KeyError:
pass
return result
def failServiceAuth(self):
self.authorization = Hosts(client_id="BadClientID",
client_secret="BadClientSecret",
member_cid="123456789ABCDEFG",
base_url="us3")
# self.authorization.auth_object.base_url = "nowhere"
try:
self.token = self.authorization.auth_object.token(
)['body']['access_token']
except KeyError:
self.token = False
self.authorization.auth_object.revoke(self.token)
if self.token:
return False
else:
return True
def serviceRevoke(self):
try:
result = self.authorization.revoke(token=self.token)["status_code"]
if result > 0:
return True
else:
return False
except KeyError:
return False
def credential_logout(self, api: object = None):
if api:
return bool(
api.auth_object.revoke(api.auth_object.token(
)["body"]["access_token"])["status_code"] in [200, 201])
else:
return False
def test_uberAuth(self):
assert self.uberAuth() is True
self.uberRevoke()
def test_uberRevoke(self):
self.uberAuth()
assert self.uberRevoke() is True
def test_serviceAuth(self):
assert self.serviceAuth() is True
self.serviceRevoke()
# This test disables SSL and will generate a warning in pytest if we don't disable it
@pytest.mark.filterwarnings(
"ignore:Unverified HTTPS request is being made.*")
def test_serviceAuthNoSSL(self):
assert self.serviceAuthNoSSL() is True
def test_serviceMSSPAuth(self):
assert self.serviceMSSPAuth() is True
def test_uberMSSPAuthFailure(self):
assert self.failUberMSSPAuth() is True
def test_serviceRevoke(self):
self.serviceAuth()
assert self.serviceRevoke() is True
def test_failServiceAuth(self):
assert self.failServiceAuth() is True
@pytest.mark.skipif(os.getenv("DEBUG_API_BASE_URL", "us1").lower() in [
"https://api.laggar.gcw.crowdstrike.com", "usgov1"
],
reason="Unit testing unavailable on US-GOV-1")
def test_base_url_lookup(self):
_ = self.getConfig()
test_falcon = OAuth2(client_id=self.config["falcon_client_id"],
client_secret=self.config["falcon_client_secret"],
base_url="us1")
assert bool(test_falcon.token()["status_code"] == 201)
def test_fail_base_url_lookup(self):
_ = self.getConfig()
test_falcon = OAuth2(client_id=self.config["falcon_client_id"],
client_secret=self.config["falcon_client_secret"],
base_url="nowhere")
assert bool(test_falcon.token()["status_code"] != 201)
for env in Environment:
# User submitted name matches an accepted type
if env.name == SANDBOX_ENV:
MATCHED = True
if not MATCHED:
# We only accept the environments defined in our Enum above
raise SystemExit("Invalid sandbox environment specified.")
if not os.path.isfile(args.file):
# We were not provided a valid filename
raise SystemExit("Invalid filename specified.")
# Announce progress
inform(f"[ Init ] {running_time(start_time)}")
# Connec to the API and provide our credentials for authorization
falcon = APIHarness(client_id=args.key, client_secret=args.secret)
# Announce progress
inform(f"[ Upload ] {running_time(start_time)}")
# Upload our test file
response = upload_file(args.file,
f"FalconX File Analysis: {time.strftime('%V %r %Z')}",
"Falcon X upload and scan example",
confidential=False)
# Retrieve the SHA of our upload file
sha = response["body"]["resources"][0]["sha256"]
# Announce progress
inform(f"[ Submit ] {running_time(start_time)}")
# _ _
# / _ .__|_o _
# \_(_)| || |(_|
# _|
#
# Grab our config parameters from our config file.
# Review this README here for more detail regarding the sample config file.
# https://github.com/CrowdStrike/falconpy/tree/main/samples
with open('../config.json', 'r', encoding="utf-8") as file_config:
config = json.loads(file_config.read())
# Provide our credentials to the Uber Class using Direct Authentication.
# Since we are using version 0.8.6+ we do not need to specify the base_url
# keyword unless we are on GovCloud.
falcon = APIHarness(client_id=config["falcon_client_id"],
client_secret=config["falcon_client_secret"]
# ,base_url="usgov1" # GovCloud users only
)
# Define our upload and download file names
UP_FILENAME = "testfile.jpg"
DOWN_FILENAME = "uberclass.jpg"
# Remove our download file if it is present before we begin
if os.path.exists(DOWN_FILENAME):
os.remove(DOWN_FILENAME)
# | |._ | _ _. _|
# |_||_)|(_)(_|(_|
# |
#
# Open the file for binary read, this will be our payload
config["falcon_client_id"] = os.getenv("DEBUG_API_ID")
config["falcon_client_secret"] = os.getenv("DEBUG_API_SECRET")
if "DEBUG_API_BASE_URL" in os.environ:
config["falcon_base_url"] = os.getenv("DEBUG_API_BASE_URL")
else:
config["falcon_base_url"] = "us1"
else:
cur_path = os.path.dirname(os.path.abspath(__file__))
if os.path.exists('%s/test.config' % cur_path):
with open('%s/test.config' % cur_path, 'r') as file_config:
config = json.loads(file_config.read())
else:
sys.exit(1)
falcon = APIHarness(client_id=config["falcon_client_id"],
client_secret=config["falcon_client_secret"],
base_url=config["falcon_base_url"])
class TestUber:
def uberCCAWS_GetAWSSettings(self):
if falcon.command("GetAWSSettings")["status_code"] in AllowedResponses:
return True
else:
return False
def uberCCAWS_QueryAWSAccounts(self):
if falcon.command("QueryAWSAccounts",
parameters={"limit":
1})["status_code"] in AllowedResponses:
return True
if not args.crowdstrike_cloud:
CLOUD_URL = "US1"
else:
CLOUD_URL = args.crowdstrike_cloud
log_enabled = args.log_enabled
if not args.query_limit:
QUERY_LIMIT = 100
else:
QUERY_LIMIT = args.query_limit
# ############## MAIN ROUTINE
# Connect to the API using our provided falcon client_id and client_secret
try:
falcon = APIHarness(client_id=falcon_client_id,
client_secret=falcon_client_secret,
base_url=CLOUD_URL)
except Exception as err: # noqa: E722 pylint: disable=W0703
# We can't communicate with the endpoint
print(f'Unable to communicate with API {str(err)}')
# Authenticate
if falcon.authenticate():
try:
# Execute the command by calling the named function
if command.lower() == "check":
check_account()
if command.lower() == "update":
update_account()
if command.lower() == "register":
register_account()
if command.lower() == "delete":
FILENAME = args.filename
FORMAT = "fancy_grid"
if args.format:
FORMAT = args.format
SHOW_ALL = False
if args.all:
SHOW_ALL = True
OSVER = ""
if args.osver:
OSVER = args.osver
# Login to the Falcon API and retrieve our list of sensors
falcon = APIHarness(client_id=CLIENTID, client_secret=CLIENTSECRET)
sensors = falcon.command(action="GetCombinedSensorInstallersByQuery",
filter=OS_FILTER)
if CMD in "list":
# List sensors
data = []
headers = {
"name": "Name",
"description": "Description",
"platform": "Platform",
"os": "OS",
"os_version": "OS Version",
"sha256": "File Hash",
"release_date": "Release Date",
"version": "Version",
"file_size": "File Size",
def connect_api(key: str, secret: str):
"""
Connects and returns an instance of the Uber class.
"""
return APIHarness(client_id=key, client_secret=secret)
BASE_URL = "us1"
except KeyError:
# Any failure assume we're doing commercial / US-1
BASE_URL = "us1"
try:
VERIFY_SSL_CONNECTIONS = config["ssl_verify"]
if VERIFY_SSL_CONNECTIONS == "":
VERIFY_SSL_CONNECTIONS = True
except KeyError:
VERIFY_SSL_CONNECTIONS = True
config["ssl_verify"] = VERIFY_SSL_CONNECTIONS
# Connect to the API
falcon = APIHarness(client_id=config["falcon_client_id"],
client_secret=config["falcon_client_secret"],
base_url=BASE_URL,
ssl_verify=VERIFY_SSL_CONNECTIONS)
# Authenticate to the API
falcon.authenticate()
# Cry about our bad keys
if not falcon.authenticated:
status.status_write(
f"Failed to connect to the API on {BASE_URL}. Check base_url and ssl_verify configuration settings."
)
raise SystemExit(
f"Failed to connect to the API on {BASE_URL}. Check base_url and ssl_verify configuration settings."
)
# Retrieve our current CID (MSSP functionality) or add it to config?
# This method requires Sensor Install API, our fallback option uses the Hosts API but a device must exist
try: