Sample Updates

.github/wordlist.txt

@@ -1382,3 +1382,10 @@ QueryCasesIdsByFilter
 SDKDEMO
 kube
 KPA
+argparse
+colorama
+Oke
+Okumo
+Moomaw
+Esha
+Kumar

AUTHORS.md

@@ -97,6 +97,9 @@ This has been a critical element in the development of the FalconPy project.
 + Nick, `nickforsythbarr`
 + `nesies`
 + `David-M-Berry`
++ Oke Okumo, `@okewoma`
++ Alexander Moomaw, `@alhumaw`
++ Esha Kumar, `@exk200006` 
 
 
 ## Sponsors

samples/authentication/README.md

@@ -7,7 +7,8 @@ The examples in this folder focus on authentication to CrowdStrike's APIs.
 
 - [Azure Key Vault Authentication](#azure-key-vault-authentication) - CrowdStrike API authentication leveraging Azure Key Vault for credential storage.
 - [AES Authentication](#aes-authentication) - Leverage AES/CBC to encrypt credentials for use with authentication to the CrowdStrike API.
-- [AES File Crypt](#aes-file-crypt) - Encrypt arbitrary files with AES/CBC.
+- [AES File Crypt](#aes-file-crypt) - Encrypt arbitrary files with AES/CBC
+- [AWS Parameter Store](#aws-parameter-store) - CrowdStrike API authentication leveraging AWS Parameter Store for credential storage
 - [Token Authentication](#token-authentication) - Token Authentication is the original solution for authenticating to a Service Class, and is still fully supported. This example demonstrates how to use Token Authentication to interact with multiple Service Classes.
 
 ## Azure Key Vault Authentication
@@ -458,6 +459,64 @@ file arguments:
 Source code for this example can be found [here](aes_file_crypt.py).
 
 ---
+## AWS Parameter store
+This application demonstrates storing CrowdStrike API credentials within the AWS Parameter Store service, and retrieving them to access the CrowdStrike API.
+
+### Running the program
+In order to run this demonstration, you will need access to CrowdStrike API keys. You will also need to set your specific AWS location
+
+#### Command line arguments
+This program accepts the following command line arguments.
+
+| Argument | Long Argument | Description |
+| :-- | :-- | :-- |
+| `-h` | `--help` | Display command line help and exit |
+|  `-k` _CLIENT_ID_PARAMETER_ | `--client_id_parameter` _CLIENT_ID_PARAMETER_ | Name of the Key Vault Secrets parameter storing your API client ID |
+|  `-s` _CLIENT_SECRET_PARAMETER_ | `--client_secret_parameter` _CLIENT_SECRET_PARAMETER_ | Name of the Key Vault Secrets parameter storing your API client secret |
+|  `-d`  | `--debug`| Enables debugging functionality |
+
+#### Basic usage
+
+##### Use this command to test out the sample.
+
+```shell
+python3 aws_parameter_store.py -k FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET
+```
+##### Use this command to activate debugging.
+
+```shell
+python3 aws_parameter_store.py -k FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET -d
+```
+#### Command-line help
+Command-line help is available via the `-h` argument.
+
+```shell
+usage: aws_parameter_store.py [-h] [-k] CLIENT_ID [-s] CLIENT_SECRET [-d] DEGUG
+
+
+  ___   ____    __    ____   _______.
+    /   \  \   \  /  \  /   /  /       |
+   /  ^  \  \   \/    \/   /  |   (----`
+  /  /_\  \  \            /    \   \
+ /  _____  \  \    /\    / .----)   |
+/__/     \__\  \__/  \__/  |_______/
+
+        ____                                  __               _____ __
+       / __ \____ __________ _____ ___  ___  / /____  _____   / ___// /_____  ________
+      / /_/ / __ `/ ___/ __ `/ __ `__ \/ _ \/ __/ _ \/ ___/   \__ \/ __/ __ \/ ___/ _ \
+     / ____/ /_/ / /  / /_/ / / / / / /  __/ /_/  __/ /      ___/ / /_/ /_/ / /  /  __/
+    /_/    \__,_/_/   \__,_/_/ /_/ /_/\___/\__/\___/_/      /____/\__/\____/_/   \___/
+
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -d, --debug           enables degugging 
+
+required arguments:
+  -k CLIENT_ID, --client_id_parameter CLIENT_ID    
+  -s CLIENT_SECRET, --client_secret_parameter CLIENT_SECRET
+```
+
 
 ## Token Authentication
 [Token authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#legacy-authentication) (also referred to as _legacy authentication_) is the process of authenticating to a FalconPy Service Class by providing a previously assigned bearer token directly to the [`auth_token`](https://www.falconpy.io/Usage/Basic-Service-Class-usage.html#legacy-authentication) keyword when instantiating the Service Class. This is the original method of authentication provided by Service Classes, and while it is frequently eschewed in preference to [Direct](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#direct-authentication) and [Object](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#object-authentication) [Authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html), there are multiple scenarios where it is still the best option for the situation.

samples/authentication/aws_parameter_store.py

@@ -34,6 +34,7 @@
 This application demonstrates storing CrowdStrike API credentials within the
 AWS Parameter Store service, and retrieving them to access the CrowdStrike API.
 """
+import logging
 from argparse import ArgumentParser, RawTextHelpFormatter, Namespace
 try:
     import boto3
@@ -64,8 +65,19 @@ def consume_arguments() -> Namespace:
                         default="FALCON_CLIENT_SECRET",
                         dest="client_secret_parameter"
                         )
+    parser.add_argument("-d", "--debug",
+                        help="Enable API debugging",
+                        action="store_true",
+                        default=False
+                        )
+
+    parsed = parser.parse_args()
+    if parsed.debug:
+        logging.basicConfig(level=logging.DEBUG)
+
+
+    return parsed
 
-    return parser.parse_args()
 
 
 def get_parameter_store_params(cmd_line: Namespace):
@@ -101,9 +113,9 @@ def get_parameter_store_params(cmd_line: Namespace):
     return returned_client_id, returned_client_secret
 
 
-def perform_simple_demonstration(client_id: str, client_secret: str):
+def perform_simple_demonstration(client_id: str, client_secret: str, debug: bool):
     """Perform a simple API demonstration using the credentials retrieved."""
-    falcon = Hosts(client_id=client_id, client_secret=client_secret)
+    falcon = Hosts(client_id=client_id, client_secret=client_secret, debug=debug)
     # Retrieve 500 hosts and sort ascending by hostname
     aid_lookup = falcon.query_devices_by_filter_scroll(sort="hostname.asc", limit=500)
     if not aid_lookup["status_code"] == 200:
@@ -120,6 +132,9 @@ def perform_simple_demonstration(client_id: str, client_secret: str):
 
 
 if __name__ == "__main__":
-    # Consume our command line, retrieve our credentials from AWS parameter store
+    # Consume our command line arguments 
+    args = consume_arguments()
+    # retrieve our credentials from AWS parameter store
+    client_id, client_secret = get_parameter_store_params(args)
     # and then execute a simple API demonstration to prove functionality.
-    perform_simple_demonstration(*get_parameter_store_params(consume_arguments()))
+    perform_simple_demonstration(client_id, client_secret)

samples/authentication/requirements_aws_parameter_store.txt

@@ -0,0 +1,2 @@
+boto3
+crowdstrike-falconpy

samples/authentication/requirements_token_authentication_example.txt

@@ -0,0 +1,4 @@
+boto3
+click
+colorama
+crowdstrike-falconpy

samples/authentication/token_authentication_example.py

@@ -34,9 +34,11 @@
 
 This sample should run using any version of FalconPy and requires the colorama and click libraries.
 """
+import logging
 import os
 import click
 import colorama
+from argparse import ArgumentParser, RawTextHelpFormatter, Namespace 
 from falconpy import (
     CloudConnectAWS,
     Detects,
@@ -54,9 +56,27 @@
 BOLD = colorama.Style.BRIGHT
 ENDMARK = colorama.Style.RESET_ALL
 
-
+def consume_arguments() -> Namespace:
+    parser = ArgumentParser(description=__doc__, fromatter_class=RawTextHelpFormatter)
+    parser.add_argument("-d", "--debug",
+                        help="Enable API debugging",
+                        action="store_true",
+                        default=False
+                        )
+    parser.add_argument("-b", "--base-url",
+                        dest="base_url",
+                        help="CrowdStrike cloud region. (auto or usgov1, Default: auto)",
+                        required=False,
+                        default="usgov1"
+                        )
+    parsed = parser.parse_args()
+    if parsed.debug:
+        logging.basicConfig(level=logging.DEBUG)
+
+
+    return parsed
 # ### BEGIN token simulation
-def get_token():
+def get_token(debug=False):
     """
     Generate a token to use for authentication.
 
@@ -95,7 +115,8 @@ def get_token():
                                             )
     auth = OAuth2(
         client_id=falcon_client_id,
-        client_secret=falcon_client_secret
+        client_secret=falcon_client_secret,
+        debug=debug 
         )
     # Generate a token
     auth.token()
@@ -176,6 +197,10 @@ def passed(svc_class: str):
 
 
 if __name__ == "__main__":
+    # Parse command-line arguments and retrieve debug mode setting
+    args = consume_arguments()
+    # Authenticate using Falcon API OAuth2 with debug mode enabled if specified
+    get_token(debug=args.debug)
     # Test each of these classes to confirm cross collection authentication for Service Classes
     classes_to_test = [CloudConnectAWS, Detects, Hosts, IOC, Incidents, Intel]
     # Grab a simulated token and execute the test series

samples/cspm_registration/README.md

@@ -48,6 +48,10 @@ python3 get_cspm_policies.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o fi
 python3 get_cspm_policies.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c aws
 ```
 
+```shell
+python3 get_cspm_policies.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -d
+```
+> To activate debugging, use the `-d` argument.
 #### Command-line help
 Command-line help is available via the `-h` argument.
 
@@ -98,7 +102,8 @@ optional arguments:
                         Policy report output file (CSV format)
   -c CLOUD, --cloud CLOUD
                         Cloud provider (aws, azure, gcp)
+  -d, --debug,          Activates debugging 
 ```
 
 ### Example source code
-The source code for this example can be found [here](get_cspm_policies.py).
+The source code for this example can be found [here](get_cspm_policies.py).

samples/cspm_registration/get_cspm_policies.py

@@ -39,7 +39,7 @@
 import os
 import sys
 import logging
-from argparse import ArgumentParser, RawTextHelpFormatter
+from argparse import ArgumentParser, RawTextHelpFormatter, Namespace
 from tabulate import tabulate
 try:
     from falconpy import CSPMRegistration
@@ -49,17 +49,42 @@
         ) from no_falconpy
 
 
+def consume_arguments() -> Namespace:
 # Capture command line arguments
-parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
-parser.add_argument("-f", "--falcon_client_id",
-                    help="Falcon Client ID", default=None, required=False)
-parser.add_argument("-s", "--falcon_client_secret",
-                    help="Falcon Client Secret", default=None, required=False)
-parser.add_argument("-o", "--output_file",
-                    help="Policy report output file (CSV format)", required=False)
-parser.add_argument(
-    "-c", "--cloud", help="Cloud provider (aws, azure, gcp)", required=False)
-args = parser.parse_args()
+    parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
+    parser.add_argument("-f", "--falcon_client_id",
+                        help="Falcon Client ID", 
+                        default=None,
+                        required=False)
+    parser.add_argument("-s", "--falcon_client_secret",
+                        help="Falcon Client Secret",
+                        default=None, 
+                        required=False)
+    parser.add_argument("-o", "--output_file",
+                        help="Policy report output file (CSV format)", 
+                        required=False)
+    parser.add_argument("-c", "--cloud", 
+                        help="Cloud provider (aws, azure, gcp)", 
+                        required=False)
+    parser.add_argument("-d", "--debug",
+                        help="Enable API debugging",
+                        action="store_true",
+                        default=False
+                        )
+
+    parsed = parser.parse_args()
+    return parsed
+
+
+cmd_line = consume_arguments()
+
+# Activate debugging if requested
+if cmd_line.debug:
+    logging.basicConfig(level=logging.DEBUG)
+
+
+
+# pylint: disable=E0606
 
 # Grab our client_id and client_secret or exit
 CONFIG_FILE = '../config.json'
@@ -68,20 +93,22 @@
         config = json.loads(file_config.read())
         falcon_client_id = config['falcon_client_id']
         falcon_client_secret = config['falcon_client_secret']
-elif args.falcon_client_id is not None and args.falcon_client_secret is not None:
-    falcon_client_id = args.falcon_client_id
-    falcon_client_secret = args.falcon_client_secret
+elif cmd_line.falcon_client_id is not None and cmd_line.falcon_client_secret is not None:
+    falcon_client_id = cmd_line.falcon_client_id
+    falcon_client_secret = cmd_line.falcon_client_secret
+    debug = cmd_line.debug if cmd_line.debug else False  # Set debug mode based on argument
 else:
     logging.error(
         " Please specify Falcon API Credentials with config.json or script arguments")
     sys.exit()
 
-data_file = args.output_file
-cloud = args.cloud
+data_file = cmd_line.output_file
+cloud = cmd_line.cloud
 
 # Instantiate CSPM_Registration service class
 falcon = CSPMRegistration(client_id=falcon_client_id,
-                          client_secret=falcon_client_secret
+                          client_secret=falcon_client_secret,
+                          debug=debug
                           )
 
 

samples/cspm_registration/requirements_get_cspm_policies.txt

@@ -0,0 +1,2 @@
+crowdstrike-falconpy
+tabulate

samples/ioc/create_ioc.py

@@ -24,6 +24,7 @@
     "applied_globally": true
 }
 """
+import logging
 import json
 import os
 from argparse import ArgumentParser, RawTextHelpFormatter
@@ -32,12 +33,34 @@
 
 def consume_command_line():
     parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
-    parser.add_argument("-k", "--falcon_client_id", help="Falcon API Client ID", required=True)
-    parser.add_argument("-s", "--falcon_client_secret", help="Falcon API Client Secret", required=True)
-    parser.add_argument("-m", "--method", help="SDK method to use ('service' or 'uber').", required=False, default="service")
-    parser.add_argument("-i", "--indicator", help="Path to the file representing the indicator (JSON format).", default="example_indicator.json", required=False)
+    parser.add_argument("-k", "--falcon_client_id", 
+                        help="Falcon API Client ID", 
+                        required=True)
+    parser.add_argument("-s", "--falcon_client_secret", 
+                        help="Falcon API Client Secret", 
+                        required=True)
+    parser.add_argument("-m", "--method", 
+                        help="SDK method to use ('service' or 'uber').", 
+                        required=False, 
+                        default="service")
+    parser.add_argument("-i", "--indicator", 
+                        help="Path to the file representing the indicator (JSON format).", 
+                        default="example_indicator.json", 
+                        required=False)
+    parser.add_argument("-d", "--debug",
+                        help="Enable API debugging",
+                        action="store_true",
+                        default=False
+                        )
+
+
+    parsed = parser.parse_args()
 
-    return parser.parse_args()
+    if parsed.debug:
+        logging.basicConfig(level=logging.DEBUG)
+
+
+    return parsed
 
 
 def connect_api(class_type: str = "service", creds: dict = None):
@@ -58,7 +81,7 @@ def connect_api(class_type: str = "service", creds: dict = None):
 if args.method not in ["service", "uber"]:
     args.method = "service"
 
-falcon = connect_api(args.method, credentials)
+falcon = connect_api(args.method, credentials, args.debug)
 
 if not os.path.exists(args.indicator):
     raise SystemExit("Unable to load indicator file.")