falcon

package

v0.11.0 Latest Latest Go to latest Published: Mar 1, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/secmon-lab/warren

Links

Open Source Insights

README ¶

CrowdStrike Falcon Agent Configuration

Overview

The Falcon agent enables Warren to query CrowdStrike Falcon for security incidents, alerts, behaviors, CrowdScores, and EDR telemetry events. This is a read-only agent — it does not modify any data in your Falcon environment.

Prerequisites

Create API Client Credentials

Log in to the CrowdStrike Falcon Console
Navigate to Support and resources > Resources and tools > API clients and keys
Click Create API client
Configure the following:
- Client Name: A descriptive name (e.g., warren-readonly)
- API Scopes: Select the scopes listed below
Click Create
Copy and securely store the Client ID and Client Secret (the secret cannot be retrieved later)

Required API Scopes

Scope	Permission	Purpose
Incidents	Read	Search and retrieve incident details, behaviors
Alerts	Read	Search and retrieve alert details, aggregates
NGSIEM	Read + Write	Search EDR telemetry events via Next-Gen SIEM API

Note: The NGSIEM scope requires both Read and Write permissions because the Search API uses Write to create query jobs and Read to retrieve results. Despite requiring Write permission, this agent only performs read operations (search queries) — it does not modify any data.

Cloud Regions

CrowdStrike operates in multiple cloud regions. Set the base URL matching your Falcon tenant region:

Cloud Region	Base URL
US-1 (default)	`https://api.crowdstrike.com`
US-2	`https://api.us-2.crowdstrike.com`
EU-1	`https://api.eu-1.crowdstrike.com`
US-GOV-1	`https://api.laggar.gcw.crowdstrike.com`
US-GOV-2	`https://api.us-gov-2.crowdstrike.mil`

You can find your region by checking the domain in your Falcon console URL (e.g., falcon.us-2.crowdstrike.com means US-2).

Deployment

Environment Variables

export WARREN_AGENT_FALCON_CLIENT_ID="your-client-id"
export WARREN_AGENT_FALCON_CLIENT_SECRET="your-client-secret"
export WARREN_AGENT_FALCON_BASE_URL="https://api.crowdstrike.com"  # Optional, defaults to US-1

CLI Flags

warren serve \
  --agent-falcon-client-id=your-client-id \
  --agent-falcon-client-secret=your-client-secret \
  --agent-falcon-base-url=https://api.crowdstrike.com

Cloud Run

gcloud run services update warren \
  --set-env-vars="WARREN_AGENT_FALCON_CLIENT_ID=your-client-id" \
  --set-env-vars="WARREN_AGENT_FALCON_CLIENT_SECRET=your-client-secret" \
  --set-env-vars="WARREN_AGENT_FALCON_BASE_URL=https://api.crowdstrike.com"

Security Note: For production, use Secret Manager for the client secret rather than plain environment variables:
gcloud run services update warren \
  --set-secrets="WARREN_AGENT_FALCON_CLIENT_SECRET=falcon-secret:latest"

Authentication

The agent uses OAuth2 Client Credentials Flow to authenticate with the CrowdStrike API:

Sends client_id and client_secret to POST /oauth2/token
Receives a bearer token (valid for 30 minutes)
Automatically refreshes the token before expiry

No manual token management is required.

Available Tools

The agent exposes the following read-only tools to the LLM:

Incidents

Tool	Description
`falcon_search_incidents`	Search for incidents using FQL filters
`falcon_get_incidents`	Get detailed incident information by ID

Alerts

Tool	Description
`falcon_search_alerts`	Search and retrieve alerts (combined endpoint with cursor pagination)
`falcon_get_alerts`	Get detailed alert information by composite ID

Behaviors

Tool	Description
`falcon_search_behaviors`	Search for behaviors using FQL filters
`falcon_get_behaviors`	Get detailed behavior information by ID

CrowdScores

Tool	Description
`falcon_get_crowdscores`	Get CrowdScore values for your environment

Events (EDR Telemetry)

Tool	Description
`falcon_search_events`	Search raw EDR events using CQL (process executions, network connections, DNS, file writes, etc.)

Note: Event search uses the Next-Gen SIEM Search API, which runs queries asynchronously. The tool handles job creation and polling internally — results are returned once the search completes.

Troubleshooting

Agent not appearing in available tools

Verify that both WARREN_AGENT_FALCON_CLIENT_ID and WARREN_AGENT_FALCON_CLIENT_SECRET are set. The agent is skipped if either is empty.

401 Unauthorized errors

Verify your Client ID and Client Secret are correct
Check that the API client has not been revoked in the Falcon console
Ensure the base URL matches your Falcon tenant region

403 Forbidden errors

Verify the API client has the required scopes (Incidents: Read, Alerts: Read, NGSIEM: Read + Write)
Check that the API client is active and not expired

Empty results

Verify FQL filter syntax (values must be quoted, e.g., status:'new' not status:new)
For event search, verify CQL syntax (e.g., aid=abc123, #event_simpleName=ProcessRollup2)
Check the time range — CrowdStrike may have data retention limits
Use simpler filters first, then refine

Documentation ¶

Index ¶

type Factory
- func (f *Factory) Configure(ctx context.Context, llmClient gollem.LLMClient, repo interfaces.Repository) (*agentModel.SubAgent, error)
- func (f *Factory) Flags() []cli.Flag

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Factory ¶

type Factory struct {
	// contains filtered or unexported fields
}

Factory implements agents.AgentFactory interface for CrowdStrike Falcon.

func (*Factory) Configure ¶

func (f *Factory) Configure(ctx context.Context, llmClient gollem.LLMClient, repo interfaces.Repository) (*agentModel.SubAgent, error)

Configure implements agents.AgentFactory. Returns (nil, nil) if client_id or client_secret is not set.

func (*Factory) Flags ¶

func (f *Factory) Flags() []cli.Flag

Flags implements agents.AgentFactory.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL