### Install All Examples with Go Get Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/README.md Installs all gofalcon examples locally using the 'go get' command. Ensure you have Go installed and configured. ```bash go get -u github.com/crowdstrike/gofalcon/examples/... ``` -------------------------------- ### Install stream_new_detections Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/stream_new_detections/README.md Install the stream_new_detections example using go get. This command fetches the example code from the specified path. ```bash go get github.com/crowdstrike/gofalcon/examples/stream_new_detections ``` -------------------------------- ### Install Falcon Sensor Download Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_sensor_download/README.md Install the example using go get. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_sensor_download ``` -------------------------------- ### Install falcon_supported_kernels Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_supported_kernels/README.md Install the example tool using go get. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_supported_kernels ``` -------------------------------- ### Install gofalcon Example Dependency Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_read_only_command/README.md Use 'go get' to download the example program's dependencies. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_rtr_read_only_command ``` -------------------------------- ### Install All Examples with Package Manager Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/README.md Installs all gofalcon examples using a script fetched via curl. This method requires sudo privileges for installation. ```bash curl -sSfL https://raw.githubusercontent.com/crowdstrike/gofalcon/main/examples/install | sudo sh -s ``` -------------------------------- ### Install Falcon ZTA Example Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_zta/README.md Installs the stand-alone Falcon ZTA example tool using `go get`. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_zta ``` -------------------------------- ### Install Customize Transport Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/customize_transport/README.md Installs the GoFalcon customize transport example using go get. ```bash go get github.com/crowdstrike/gofalcon/examples/customize_transport ``` -------------------------------- ### Build the Example Program Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_admin_create_and_run_script/README.md Use 'go get' to download and build the example program. This is the first step before setting up environment variables and running the script. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_rtr_upload_and_run_script ``` -------------------------------- ### Install gofalcon Intel Rules Download Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_intel_rules_download/README.md Install the gofalcon example for downloading Falcon Intelligence Rules. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_intel_rules_download ``` -------------------------------- ### Install falcon_vulnerabilities Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_vulnerabilities/README.md Installs the falcon_vulnerabilities example tool using go get. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_vulnerabilities ``` -------------------------------- ### Install Falcon Event Stream Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_event_stream/README.md Install the Go example for the Falcon Streaming API. This command fetches the necessary package. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_event_stream ``` -------------------------------- ### Install Falcon CSPM AWS Accounts Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_cspm_aws_accounts/README.md Install the stand-alone tool using go get. This command fetches the necessary packages for the example tool. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_cspm_aws_accounts ``` -------------------------------- ### Install Gofalcon Module Source: https://github.com/crowdstrike/gofalcon/blob/main/README.md Use 'go get' to install the gofalcon library. This command fetches and installs the specified package and its dependencies. ```bash go get github.com/crowdstrike/gofalcon/falcon ``` -------------------------------- ### Install falcon_host_details Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Installs the falcon_host_details tool using the go get command. Ensure you have Go installed and configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_host_details ``` -------------------------------- ### Install falcon_intel_indicators Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_intel_indicators/README.md Installs the falcon_intel_indicators tool using go get. Ensure you have Go installed and configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_intel_indicators ``` -------------------------------- ### Install Falcon Discover Host Details Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_discover_host_details/README.md Installs the Falcon Discover Host Details tool using go get. Ensure you have Go installed and configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_discover_host_details ``` -------------------------------- ### Install Falcon Detection Details Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_detection_details/README.md Installs the tool using the go get command. Ensure you have Go installed and configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_detection_details ``` -------------------------------- ### Build the falcon_get_cid Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_get_cid/README.md Use 'go get' to download and build the falcon_get_cid example tool. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_registry_token ``` -------------------------------- ### Run Simple Access Token Authentication Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/simple_access_token/README.md Execute the GoFalcon example using environment variables for the access token and cloud. This sets up the client for API interactions. ```bash FALCON_ACCESS_TOKEN="abc" \ FALCON_CLOUD="us-1" \ go run github.com/crowdstrike/gofalcon/examples/simple_access_token ``` -------------------------------- ### Install gofalcon Development Tools Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Installs the necessary tools for selective SDK generation. This should be run before using the 'generate' command. ```bash make install-tools ``` -------------------------------- ### Basic Gofalcon Client Usage Source: https://github.com/crowdstrike/gofalcon/blob/main/README.md This example demonstrates the minimal setup for creating a gofalcon client and fetching incident data. Ensure FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables are set. ```go package main import ( "context" "fmt" "os" "github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/incidents" ) func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) } desc := "timestamp.desc" res, err := client.Incidents.CrowdScore(&incidents.CrowdScoreParams{ Context: context.Background(), Sort: &desc, }) if err != nil { panic(err) } payload := res.GetPayload() fmt.Printf("As of %s your CrowdScore is %d.\n", payload.Resources[0].Timestamp.String(), *payload.Resources[0].Score) } ``` -------------------------------- ### Install Falcon Cleanup Pods Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_cleanup_pods/README.md Use 'go get' to install the stand-alone tool. Ensure your Go environment is configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_cleanup_pods ``` -------------------------------- ### Run Simple GoFalcon Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/simple/README.md Execute the simple example by setting the FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables and running the Go program. This will authenticate the client and display the CrowdStrike Score. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" \ go run github.com/crowdstrike/gofalcon/examples/simple ``` -------------------------------- ### Install go-swagger Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Installs the go-swagger tool, which is a prerequisite for SDK regeneration. ```bash go install github.com/ffalor/go-swagger/cmd/swagger@latest ``` -------------------------------- ### Install Falcon CSPM IOMs Tool Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_cspm_ioms/README.md Use this command to install the falcon_cspm_ioms tool using go get. Ensure you have Go installed and configured. ```bash go get github.com/crowdstrike/gofalcon/examples/falcon_cspm_ioms ``` -------------------------------- ### Run the Example Program Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_admin_create_and_run_script/README.md Execute the built program with the required arguments. Specify permission type, target platforms, script details, and agent identifiers. Ensure environment variables are set before running. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_rtr_admin_create_and_run_script --permtype group --platforms="linux,mac" \ --script="relative path to script file from current working directory" \ --name="name of the file to use when invoking runscript with the `-CloudFile` option" \ --aid="def" ``` -------------------------------- ### Run Customize Transport Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/customize_transport/README.md Executes the customize transport example, setting necessary environment variables for authentication and rate limiting. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ FALCON_RATE_LIMIT_THRESHOLD="100" customize_transport ``` -------------------------------- ### Usage examples for falcon_ioc CLI Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_iocs/README.md Demonstrates various commands to add, delete, list, and show IOCs. ```bash ./falcon_ioc --add "123.123.132.231" ``` ```bash ./falcon_ioc --add "73cb3858a687a8494ca3323053016282f3dad39d42cf62ca4e79dda2aac7d9ac" --description "evilprogram.exe" ``` ```bash ./falcon_ioc --add "blockexample.com" ``` ```bash ./falcon_ioc --delete "blockexample.com" ``` ```bash ./falcon_ioc --list ``` ```bash ./falcon_ioc --show "123.123.132.231" ``` -------------------------------- ### Run Falcon Event Stream Example Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_event_stream/README.md Execute the Falcon Streaming API example. Ensure you set the FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables before running. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" falcon_event_stream ``` -------------------------------- ### Example Run Output Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_cspm_aws_accounts/README.md Lists registered AWS accounts and their status. The output format shows the AWS Account ID and its current status. ```text Output: AWS Account ID: 123123123121 Account Status Event_DiscoverAccountStatusProvisioned AWS Account ID: 123123123122 Account Status Event_DiscoverAccountStatusOperational AWS Account ID: 123123123123 Account Status Event_DiscoverAccountStatusOperational ``` -------------------------------- ### Example Output of Simple Access Token Authentication Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/simple_access_token/README.md The expected output when the simple access token authentication example is run successfully. It displays the CrowdScore at a specific timestamp. ```text As of 2021-01-29T13:47:55.362Z your CrowdScore is 0. ``` -------------------------------- ### Interactive Run with Filter Prompt Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_vulnerabilities/README.md Demonstrates an interactive run of the tool, prompting for a FQL filter when none is provided. Shows examples of valid FQL expressions. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_vulnerabilities Missing --filter attribute. Please provide FQL (Falcon Query Language) expression for vulnerability search. Examples: created_timestamp:>'2019-11-25T22:36:12Z' closed_timestamp:>'2019-11-25T22:36:12Z' aid:'abcde123456789a34a1af416424d6231' status:'open' cve.severity:'CRITICAL' cve.severity:'HIGH'+status:!'closed' last_seen_within:'10' filter: status:!'closed' ``` -------------------------------- ### Quick Start: Mocking API Calls in GoFalcon Tests Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Demonstrates how to set up a fake client, add a mock handler for a specific API operation (QueryDevicesByFilter), and then use the fake client to perform a test. This is useful for testing application logic that depends on Falcon API responses. ```go package myapp_test import ( "testing" faketest "github.com/crowdstrike/gofalcon/falcon/testing" "github.com/crowdstrike/gofalcon/falcon/client/hosts" "github.com/crowdstrike/gofalcon/falcon/models" ) func TestMyApplication(t *testing.T) { fakeClient := faketest.NewFakeClient() deviceIDs := faketest.GenerateDeviceIDs(3) fakeClient.AddMockHandler("QueryDevicesByFilter", func(request faketest.Request) (bool, interface{}, error) { queryTime := 0.1 traceID := "test-trace-id" total := int64(len(deviceIDs)) limit := int32(len(deviceIDs)) response := &hosts.QueryDevicesByFilterOK{ Payload: &models.MsaQueryResponse{ Meta: &models.MsaMetaInfo{ QueryTime: &queryTime, TraceID: &traceID, PoweredBy: "test-powered-by", Pagination: &models.MsaPaging{Total: &total, Limit: &limit}, }, Resources: deviceIDs, }, } return true, response, nil }) client := fakeClient.GetClient() result, err := client.Hosts.QueryDevicesByFilter(&hosts.QueryDevicesByFilterParams{}) if err != nil { t.Fatalf("unexpected error: %v", err) } // result.Payload.Resources == deviceIDs } ``` -------------------------------- ### Execute Falcon RTR Read-Only Command Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_read_only_command/README.md Run the example program with specified agent ID and command, overriding environment variables if necessary. This example executes the 'users' command. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_rtr_read_only_command --aid "def" --cmd "users" ``` -------------------------------- ### Run Falcon Intel Rules Download Interactively Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_intel_rules_download/README.md Download a rule file interactively by providing necessary environment variables and rule type. This example shows the output when a rule type is missing and then when a valid type is provided. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 falcon_intel_rules_download Missing--rule-type argument. Valid options are [snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness]. Requested Rule type: snort-suricata-master Downloading file snort-suricata-master.tar.gz ``` -------------------------------- ### Generate Client for a Specific Collection (Limitation Example) Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Demonstrates generating client code for only one collection. Be aware that this can lead to the removal of references to other collections in the main client file due to a go-swagger limitation. ```bash # Generate only the prevention-policies collection generate collection prevention-policies ``` -------------------------------- ### Get All Detection Details Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_detection_details/README.md Retrieves full details for all detections. Requires setting environment variables for client ID, secret, and cloud region. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_detection_details ``` -------------------------------- ### Run stream_new_detections with Credentials Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/stream_new_detections/README.md Execute the stream_new_detections example by setting the FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables. This is required for authentication with the CrowdStrike Falcon API. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" stream_new_detections ``` -------------------------------- ### Get All Host Details Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Retrieves full details for all hosts. Requires setting Falcon API credentials and cloud environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_host_details ``` -------------------------------- ### ID Format Example Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Demonstrates the format of generated IDs, which are 32-character lowercase hex strings with specific prefixes. ```APIDOC ## ID Format Generated IDs are 32-character lowercase hex strings: ```go faketest.GenerateDeviceIDs(2) // ["d0000000000000000000000000000001", "d0000000000000000000000000000002"] faketest.GenerateDetectionIDs(2) // ["a0000000000000000000000000000001", "a0000000000000000000000000000002"] ``` ``` -------------------------------- ### Get All Falcon Discover Host Details Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_discover_host_details/README.md Retrieves full details for all Falcon Discover assets. Requires setting Falcon API credentials and cloud environment as environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_discover_host_details ``` -------------------------------- ### Get Recent Hosts Sorted by ZTA Score Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_zta/README.md Retrieves ZTA details for hosts seen within the last 7 days and sorts them by their overall ZTA score from worst to best. Uses `date` to calculate the start date and `jq` for sorting. ```bash week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d) falcon_zta --filter="last_seen:>='${week_ago}'" | jq -r 'sort_by(.assessment.overall)' ``` -------------------------------- ### Execute Falcon RTR Batch Read-Only Command Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_batch_read_only_command/README.md Run the example program by providing agent IDs and the command as arguments, along with necessary environment variables for authentication and configuration. This demonstrates the final execution step. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ FALCON_RTR_BATCH_TIMEOUT="5m" FALCON_RTR_BATCH_HOST_TIMEOUT="3m" \ falcon_rtr_batch_read_only_command --aids "def,xyz" --cmd "users" ``` -------------------------------- ### Example Operation Structure in Swagger Spec Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Shows how a specific API operation is defined within the Swagger specification, highlighting the `operationId` which is used to target the operation for code generation. This example also includes parameters and responses for the operation. ```json { "paths": { "/alerts/entities/alerts/v1": { "post": { "operationId": "PostEntitiesAlertsV1", "tags": ["Alerts"], "summary": "Retrieves all Alerts given their ids.", "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/detectsapi.PostEntitiesAlertsV1Request" } } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/detectsapi.PostEntitiesAlertsV1Response" } } } } } } } ``` -------------------------------- ### Run Falcon CSPM IOMs and Parse with jq Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_cspm_ioms/README.md Execute the falcon_cspm_ioms tool with necessary environment variables and pipe the output to jq for structured parsing. This example shows how to list detected CSPM IOMs and view their details. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_cspm_ioms | jq '.[]' { "account_id": "0000000000", "account_name": "0000000000", "azure_tenant_id": "N/A", "cid": "00000000000000000000000000000000", "cloud_provider": "GCP", "finding": "Role: iam.serviceAccountUser, iam.serviceAccountAdmin", "policy_id": "463", "policy_statement": "IAM users have overly permissive service account privileges", "region": "global", "report_date_time": "2021-03-02 12:28:13", "resource_attributes": "{\"Project ID\" : \"marketing\", \"Member\" : \"user:username@domain.loc\", \"Role(s)\" : \"owner, iam.serviceAccountUser, iam.serviceAccountAdmin\"}", "resource_create_time": "N/A", "resource_id": "user:username@domain.loc", "resource_id_type": "IAM User Account", "resource_url": "N/A", "service": "IAM", "severity": "High", "status": "Reoccurring", "tags": "N/A" } ``` -------------------------------- ### Example Model Structure in Swagger Spec Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Illustrates the structure of a Go model within the Swagger specification, specifically showing the `definitions` section for `domain.IOACounts`. The model name used in the spec corresponds to the argument for the `generate model` command. ```json { "definitions": { "domain.IOACounts": { "required": ["critical", "high"], "properties": { "critical": { "type": "number", "format": "double" }, "high": { "type": "number", "format": "double" }, "informational": { "type": "number", "format": "double" }, "low": { "type": "number", "format": "double" }, "medium": { "type": "number", "format": "double" } } } } } ``` -------------------------------- ### Get Total Number of Detections Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_detection_details/README.md Pipes the output of the detection details tool to `jq` to count the total number of detections. ```bash falcon_detection_details | jq length ``` -------------------------------- ### Get Customer ID using falcon_get_cid Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_get_cid/README.md Execute the falcon_get_cid tool to retrieve your Customer ID and store it in the FALCON_CID environment variable. ```bash $ FALCON_CID=$(falcon_get_cid) ``` -------------------------------- ### Get Total Number of Hosts Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_discover_host_details/README.md Calculates the total number of hosts by piping the output of the falcon_discover_host_details command to the jq tool to count the length of the JSON array. ```bash falcon_discover_host_details | jq length ``` -------------------------------- ### Setup Environment Variables for Falcon RTR Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_batch_read_only_command/README.md Configure essential environment variables for authentication, cloud region, agent IDs, and the RTR command. It is highly recommended to set sensitive credentials as environment variables. ```bash # Highly recommended to set at least the client ID and secret # as environment variables. Credentials should not be entered # on the command line, so as not to pollute the command history. export FALCON_CLIENT_ID="your_falcon_id" export FALCON_CLIENT_SECRET="your_falcon_secret" export FALCON_CLOUD="us-1, us-2, eu-1, us-gov-1, etc" # Agent IDs and command are more likely to vary and are not sensitive, # so are a more natural fit for command line arguments. export FALCON_AGENT_IDS="def,xyz" export FALCON_RTR_COMMAND="users" # Further, while the values for timeout and host timeout are not sensitive, # they are unlikely to change across requests, so setting them is likely helpful. export FALCON_RTR_BATCH_TIMEOUT="5m" export FALCON_RTR_BATCH_HOST_TIMEOUT="3m" ``` -------------------------------- ### Get ZTA Details for All Hosts Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_zta/README.md Retrieves detailed Zero Trust Assessment information for each managed host. Requires setting Falcon API credentials and cloud region as environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_zta ``` -------------------------------- ### Get Environment-Wide ZTA Statistics Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_zta/README.md Fetches overall Zero Trust Assessment statistics for the entire environment. Requires setting Falcon API credentials and cloud region as environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_zta --statistics ``` -------------------------------- ### Generate Go Client Code for Endpoint Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Generates Go client code for all operations associated with a specific endpoint path. This includes client code for all HTTP methods (GET, POST, PUT, DELETE, PATCH) on that path and any models they reference. ```bash # Generate all operations for an endpoint generate endpoint /alerts/entities/alerts/v2 ``` -------------------------------- ### Build the falcon_ioc program Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_iocs/README.md Compile the Go source file into an executable binary. ```bash go build falcon_ioc.go ``` -------------------------------- ### Drop-in Replacement for Falcon Client Initialization Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Shows how to replace the standard Falcon client initialization with the fake client for testing purposes. This allows for easy switching between real and fake clients during development and testing. ```go // Instead of: // client, err := falcon.NewClient(&falcon.ApiConfig{...}) // Use: fakeClient := faketest.NewFakeClientFromConfig() fakeClient.AddMockHandler("QueryDevicesByFilter", myHandler) client := fakeClient.GetClient() ``` -------------------------------- ### Constructors Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Provides methods to create a new fake client instance for testing purposes. ```APIDOC ## Constructors ### `NewFakeClient()` #### Description Create a new fake client. ### `NewFakeClientFromConfig()` #### Description Convenience constructor (same as `NewFakeClient`). ``` -------------------------------- ### Injecting Mock Service into Full Client Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Use `faketest.NewMockClient()` to create a fully-wired mock client and then replace specific services with your own mocks. This allows testing interactions with multiple services. ```go import ( faketest "github.com/crowdstrike/gofalcon/falcon/testing" ) func TestWithFullClient(t *testing.T) { mock := &mockHosts{ QueryDevicesByFilterFunc: func(_ *hosts.QueryDevicesByFilterParams, _ ...hosts.ClientOption) (*hosts.QueryDevicesByFilterOK, error) { return &hosts.QueryDevicesByFilterOK{ Payload: &models.MsaQueryResponse{Resources: []string{"dev-1"}}, }, nil }, } // All services wired — unconfigured ones panic with a helpful message apiClient := faketest.NewMockClient() apiClient.Hosts = mock result, err := apiClient.Hosts.QueryDevicesByFilter(&hosts.QueryDevicesByFilterParams{}) // ... ``` -------------------------------- ### List Hosts and Agent Versions as Key-Value Dictionary Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Creates a JSON object where hostnames are keys and their corresponding agent versions are values. This is useful for mapping agents to specific hosts. ```bash falcon_host_details | jq -r ' map( { (.hostname) : .agent_version } ) | add' ``` -------------------------------- ### Run falcon_supported_kernels interactively Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_supported_kernels/README.md Run the tool interactively to discover available distributions and architectures. The tool will prompt for missing options. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" \ falcon_supported_kernels Missing --distro command-line option. Available distributions are: [amzn1, amzn2, debian10, debian9, elrepo7, oracle6, oracle7, oracle8, rhel6, rhel7, rhel8, suse11, suse12, suse15, ubuntu16, ubuntu18, ubuntu20] Selected distro: amzn2 Missing --arch command-line option. Available architectures are: [aarch64, x86_64] Selected architecture: aarch64 [ "4.14.173-137.228.amzn2.aarch64", ...... ] ``` -------------------------------- ### List Hostnames and Command Lines Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_detection_details/README.md Creates a key-value dictionary mapping hostnames to their latest associated detection command lines. Note: This shows only the most recent detection per hostname. ```bash falcon_detection_details | jq -r ' map( { (.device.hostname) : .behaviors[].cmdline } ) | add' ``` -------------------------------- ### Get ZTA Details for Linux Hosts Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_zta/README.md Fetches Zero Trust Assessment details specifically for hosts running the Linux operating system, using FQL for filtering. ```bash falcon_zta --filter="platform_name:'Linux'" ``` -------------------------------- ### Handler Precedence with Mock Handlers Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Demonstrates how to manage handler precedence using `AddMockHandler` and `PrependMockHandler`. Handlers are tried in chain order, with `PrependMockHandler` adding to the front for higher priority. Returning `(false, nil, nil)` allows fall-through to the next handler. ```go // General handler returns all devices fakeClient.AddMockHandler("QueryDevicesByFilter", func(request faketest.Request) (bool, interface{}, error) { return true, allDevicesResponse, nil }) ``` ```go // Override: when called with a Windows filter, return filtered results fakeClient.PrependMockHandler("QueryDevicesByFilter", func(request faketest.Request) (bool, interface{}, error) { params, ok := faketest.GetParamsAs[hosts.QueryDevicesByFilterParams](request) if ok && params.Filter != nil && strings.Contains(*params.Filter, "platform_name:'Windows'") { return true, windowsOnlyResponse, nil } return false, nil, nil // not handled, fall through to next handler }) ``` -------------------------------- ### Download All Sensor Packages Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_sensor_download/README.md Download the latest build of the sensor for all available OS versions. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" falcon_sensor_download --all ``` -------------------------------- ### Swagger Spec Example: Collection Tag Structure Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Illustrates how operations are grouped into collections using the 'tags' field within a Swagger specification. The tag name is used with the 'generate collection' command. ```json { "paths": { "/alerts/entities/alerts/v1": { "post": { "operationId": "PostEntitiesAlertsV1", "tags": ["Alerts"], "summary": "Retrieves all Alerts given their ids." } }, "/alerts/entities/alerts/v2": { "post": { "operationId": "GetV2", "tags": ["Alerts"], "summary": "Retrieves all Alerts given their composite ids." }, "patch": { "operationId": "PatchEntitiesAlertsV2", "tags": ["Alerts"], "summary": "Perform actions on Alerts identified by composite ids." } } } } ``` -------------------------------- ### Get Hosts Without Agent ID Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_discover_host_details/README.md Filters the host details to find assets that do not have an Agent ID assigned. This uses jq to select elements from the JSON output where the 'aid' key is not present. ```bash falcon_discover_host_details | jq -r 'map(select(has("aid") | not))' ``` -------------------------------- ### Create and Use Fake Falcon Client Source: https://github.com/crowdstrike/gofalcon/blob/main/README.md Instantiate a fake client for testing GoFalcon applications without API calls. Mock specific API handlers to control responses. ```go import ( faketest "github.com/crowdstrike/gofalcon/falcon/testing" ) fakeClient := faketest.NewFakeClient() fakeClient.AddMockHandler("QueryDevicesByFilter", func(request faketest.Request) (bool, interface{}, error) { return true, myResponse, nil }) client := fakeClient.GetClient() ``` -------------------------------- ### Create Mock Falcon Client for Unit Tests Source: https://github.com/crowdstrike/gofalcon/blob/main/README.md Use NewMockClient for focused unit tests by providing interface mocks for individual services. This allows mocking only the components under test. ```go mc := faketest.NewMockClient() mc.Hosts = &myMockHosts{} // only mock what you test ``` -------------------------------- ### Set Up Environment Variables for Falcon API Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_get_cid/README.md Export your CrowdStrike Falcon API credentials and cloud environment as environment variables. Replace placeholders with your actual credentials. ```bash export FALCON_CLIENT_ID="your_falcon_id" export FALCON_CLIENT_SECRET="your_falcon_secret" export FALCON_CLOUD="us-1, us-2, eu-1, us-gov-1, etc" ``` -------------------------------- ### Selective SDK Generation - Models Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Generates specific models for the SDK. Replace 'domain.IOACounts,domain.FileV2' with the desired model names. ```bash generate model domain.IOACounts,domain.FileV2 ``` -------------------------------- ### Example Endpoint Structure in Swagger Spec Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Demonstrates how an endpoint path is represented in the Swagger specification, including the different HTTP methods (e.g., `post`, `patch`) available for that path. The endpoint path is used as an argument for the `generate endpoint` command. ```json { "paths": { "/alerts/entities/alerts/v2": { "post": { "operationId": "GetV2", "tags": ["Alerts"], "summary": "Retrieves all Alerts given their composite ids." }, "patch": { "operationId": "PatchEntitiesAlertsV2", "tags": ["Alerts"], "summary": "Perform actions on Alerts identified by composite ids." } } } } ``` -------------------------------- ### List Kubernetes Pod Details Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Retrieves details for Kubernetes pods running within the last 7 days, including pod names, agent versions, and cloud information. It uses FQL for filtering and `jq` for structured output. ```bash week_ago=$(date -d "7 days ago" '+%Y-%m-%d' 2>/dev/null || date -v-1w +%F) falcon_host_details --filter="product_type_desc:'Pod'+last_seen:>='${week_ago}'" \ | jq -r 'map({(.device_id): {"agent_version": .agent_version, "cloud": .service_provider, "pod_name": .pod_name}}) | add' ``` -------------------------------- ### Full SDK Regeneration Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Command to clean and regenerate the entire gofalcon SDK. Ensure you have the latest swagger.json file in the specs directory. ```bash make clean-generate ``` -------------------------------- ### Download Specified Falcon Sensor Version (Ubuntu) Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_sensor_download/README.md Download a specific version of the Falcon Sensor for Ubuntu, specifying OS name, versions, and sensor version. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" falcon_sensor_download --os-name Ubuntu --os-version '14/16/18/20' --sensor-version=5.43.10807 Downloaded Falcon Kernel Sensor for Ubuntu 14.04LTS, 16.04LTS, 18.04LTS, and 20.04LTS to falcon-sensor_5.43.0-10807_amd64.deb ``` -------------------------------- ### Download Falcon Sensor Interactively (SLES) Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_sensor_download/README.md Download a single sensor package interactively by providing OS name and version when prompted. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" falcon_sensor_download Missing --os-name command-line option. Available OS names are: [Amazon Linux, Container, Debian, RHEL/CentOS/Oracle, SLES, Windows, macOS] Selected OS Name: SLES Missing --os-version command-line option. Available version are: [11, 12, 15] Selected OS Version: 15 Downloaded Falcon Kernel Sensor for SLES 15 to falcon-sensor-6.14.0-11110.suse15.x86_64.rpm $ ls falcon-sensor-6.14.0-11110.suse15.x86_64.rpm falcon-sensor-6.14.0-11110.suse15.x86_64.rpm ``` -------------------------------- ### Default Catch-All Mock Handlers Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Illustrates two strategies for default handlers: fail-fast for unexpected calls and permissive for exploratory testing. The fail-fast handler surfaces unexpected API calls as test failures, while the permissive handler returns nil for unhandled operations. ```go // Fail-fast: surface unexpected API calls as test failures fakeClient.SetDefaultHandler(func(request faketest.Request) (bool, interface{}, error) { return true, nil, fmt.Errorf("unexpected operation: %s", request.GetOperationID()) }) ``` ```go // Permissive: return nil for any unhandled operation (useful during exploratory testing) fakeClient.SetDefaultHandler(func(request faketest.Request) (bool, interface{}, error) { return true, nil, nil }) ``` -------------------------------- ### Filter Hosts by Platform Name Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_discover_host_details/README.md Fetches a subset of assets by applying a server-side filter for a specific platform name, in this case, 'Windows'. The result is then piped to jq to count the number of hosts returned. ```bash falcon_discover_host_details --filter='platform_name:"Windows"' | jq length ``` -------------------------------- ### List Detection Command Lines Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_detection_details/README.md Extracts and lists the command lines of processes that triggered detections using `jq`. ```bash falcon_detection_details | jq 'map(.behaviors[].cmdline)' ``` -------------------------------- ### List Critical Vulnerabilities with Hostname using jq Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_vulnerabilities/README.md Retrieves critical vulnerabilities and formats the output to show CVE ID and hostname using `jq`. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_vulnerabilities --filter="cve.severity:'CRITICAL'" \ | jq -r 'map( {"cve":.cve.id, "hostname": .host_info.hostname})' ``` -------------------------------- ### Generate Multiple Go Models Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Generates multiple Go model structs from the Swagger specification. Model names are provided as a comma-separated list to the `generate model` command. ```bash # Generate multiple models generate model domain.IOACounts,domain.FileV2,policymanager.ExternalPolicyPatch ``` -------------------------------- ### Run falcon_intel_indicators Without Filter Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_intel_indicators/README.md Executes the tool without a specific filter, prompting the user for FQL input. Requires Falcon API credentials and cloud environment to be set as environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_intel_indicators Missing --filter attribute. Please provide FQL (Falcon Query Language) expression for Intelligence Indicators search. filter: ``` -------------------------------- ### Filter Hosts by Operating System Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Retrieves details for hosts matching a specific operating system using the `--filter` parameter with FQL. This allows for targeted host information retrieval. ```bash falcon_host_details --filter="platform_name:'Windows'" ``` -------------------------------- ### Download Falcon Container Sensor Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_sensor_download/README.md Download the Falcon Container Sensor. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" falcon_sensor_download --os-name=Container Downloaded Falcon Usermode Container Sensor to falcon-sensor-6.18.0-106.container.x86_64.tar.bz2 ``` -------------------------------- ### List Hostnames of All Hosts Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Extracts and lists the hostnames of all hosts from the `falcon_host_details` output using `jq`. This helps in quickly identifying individual machines. ```bash falcon_host_details | jq 'map(.hostname)' ``` -------------------------------- ### Index Critical Vulnerabilities by Hostname using jq Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_vulnerabilities/README.md Indexes critical vulnerabilities by hostname, grouping CVE IDs under each affected system using `jq`. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_vulnerabilities --filter="cve.severity:'CRITICAL'" \ | jq -r 'map( {"cve":.cve.id, "hostname": .host_info.hostname} ) | group_by(.hostname)[] | {(.[0].hostname): [.[] | .cve]}' ``` -------------------------------- ### Run falcon_supported_kernels non-interactively Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_supported_kernels/README.md Run the tool non-interactively by specifying the distribution and architecture as command-line arguments. This is useful for scripting. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" \ falcon_supported_kernels --distro=ubuntu20 [ "5.4.0-1049-aws", "5.4.0-1016-azure", "5.4.0-1068-gcp", .... ] ``` -------------------------------- ### Mocking Individual Services with Interface Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Implement a mock struct that embeds the ClientService interface to mock individual Falcon API services. This is ideal for focused unit tests. ```go package myapp_test import ( "testing" "github.com/crowdstrike/gofalcon/falcon/client/hosts" "github.com/crowdstrike/gofalcon/falcon/models" ) // mockHosts implements hosts.ClientService — only override what you need. type mockHosts struct { hosts.ClientService // embedded interface covers methods you don't call QueryDevicesByFilterFunc func(params *hosts.QueryDevicesByFilterParams, opts ...hosts.ClientOption) (*hosts.QueryDevicesByFilterOK, error) } func (m *mockHosts) QueryDevicesByFilter(params *hosts.QueryDevicesByFilterParams, opts ...hosts.ClientOption) (*hosts.QueryDevicesByFilterOK, error) { return m.QueryDevicesByFilterFunc(params, opts...) } func TestListDevices(t *testing.T) { mock := &mockHosts{ QueryDevicesByFilterFunc: func(_ *hosts.QueryDevicesByFilterParams, _ ...hosts.ClientOption) (*hosts.QueryDevicesByFilterOK, error) { return &hosts.QueryDevicesByFilterOK{ Payload: &models.MsaQueryResponse{ Resources: []string{"device-1", "device-2"}, }, }, nil }, } // Pass mock to your application code that accepts hosts.ClientService devices, err := listDevices(mock) if err != nil { t.Fatalf("unexpected error: %v", err) } if len(devices) != 2 { t.Fatalf("expected 2 devices, got %d", len(devices)) } } // Your application code accepts the interface, not the concrete client func listDevices(client hosts.ClientService) ([]string, error) { resp, err := client.QueryDevicesByFilter(&hosts.QueryDevicesByFilterParams{}) if err != nil { return nil, err } return resp.Payload.Resources, nil } ``` -------------------------------- ### Count Indicators by FQL Filter Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_intel_indicators/README.md Runs the tool with a specific FQL filter to search for URLs with 'Medium' malicious confidence and pipes the JSON output to `jq` to count the results. Requires Falcon API credentials and cloud environment to be set as environment variables. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_intel_indicators \ --filter="type:'url'+malicious_confidence:'Medium'" | jq length ``` -------------------------------- ### Handler Configuration Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Methods for configuring mock handlers to simulate API responses and errors during testing. ```APIDOC ## Handler Configuration ### `AddMockHandler(operationID, handler)` #### Description Append handler to chain. ### `PrependMockHandler(operationID, handler)` #### Description Prepend handler (higher priority). ### `AddStaticMockHandler(operationID, response)` #### Description Always return the same response. ### `AddErrorMockHandler(operationID, err)` #### Description Always return an error. ### `SetDefaultHandler(handler)` #### Description Catch-all for unmatched operations (uses `*` wildcard). ``` -------------------------------- ### Inspect Model Dependencies Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Analyze the dependencies of a specific model to understand its impact and usage within the API. This command shows which other models and operations reference the specified model. ```bash # Inspect what depends on a model generate inspect domain.IOACounts # Verbose output generate inspect domain.IOACounts --verbose ``` -------------------------------- ### Set Environment Variables for Falcon API Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_rtr_read_only_command/README.md Configure necessary environment variables for Falcon API authentication and cloud region. Client ID and secret are sensitive and should be set securely. ```bash # Highly recommended to set at least the client ID and secret # as environment variables. Credentials should not be entered # on the command line, so as not to pollute the command history. export FALCON_CLIENT_ID="your_falcon_id" export FALCON_CLIENT_SECRET="your_falcon_secret" export FALCON_CLOUD="us-1, us-2, eu-1, us-gov-1, etc" # AID and command are more likely to vary and are not sensitive, # so are a more natural fit for command line arguments. export FALCON_AGENT_ID="def" export FALCON_RTR_COMMAND="users" ``` -------------------------------- ### Selective SDK Generation - Collection Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Generates an entire collection of models and operations for the SDK. Replace 'Alerts' with the desired collection name. ```bash generate collection Alerts ``` -------------------------------- ### Use Falcon Registry Token with Docker Login Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_registry_token/README.md Pipes the output of the falcon_registry_token program to Docker's login command, authenticating with the CrowdStrike Container Registry. The CID is parsed to format the username correctly. ```bash falcon_registry_token | docker login --username $(echo $CID | awk -F- '{print("fc-" tolower($1))}') --password-stdin registry.crowdstrike.com ``` -------------------------------- ### Generate Go Client for a Collection Source: https://github.com/crowdstrike/gofalcon/blob/main/CONTRIBUTING.md Generate Go client code for all operations associated with a specific tag in the Swagger specification. This is useful for creating clients for logically grouped API endpoints. ```bash # Generate all operations in a collection generate collection Alerts ``` -------------------------------- ### Utility Functions Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Helper functions for generating deterministic IDs and processing requests within the testing framework. ```APIDOC ## Utility Functions ### `GenerateDeviceIDs(count)` #### Description Generate a specified number of deterministic 32-character hex IDs with a `d` prefix. ### `GenerateDetectionIDs(count)` #### Description Generate a specified number of deterministic 32-character hex IDs with an `a` prefix. ### `GetParamsAs[T](request)` #### Description Extract parameters from a request in a type-safe manner. ### `MatchesOperation(request, operationID)` #### Description Check if a given request matches the specified operation ID. ### `NewRequest(operationID, params)` #### Description Create a new `Request` object for testing purposes. ``` -------------------------------- ### Count Total Number of Hosts Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_host_details/README.md Counts the total number of hosts by piping the output of `falcon_host_details` to `jq length`. This is useful for quick host inventory. ```bash falcon_host_details | jq length ``` -------------------------------- ### List Critical Severity Vulnerabilities Source: https://github.com/crowdstrike/gofalcon/blob/main/examples/falcon_vulnerabilities/README.md Queries and lists all vulnerabilities with a 'CRITICAL' severity using the Falcon Spotlight API. ```bash $ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \ falcon_vulnerabilities --filter="cve.severity:'CRITICAL'" .... ``` -------------------------------- ### Verify Request Calls with FakeClient Source: https://github.com/crowdstrike/gofalcon/blob/main/falcon/testing/README.md Use FakeClient to verify the number and order of API calls made by your application. This is useful for integration tests. ```go client.Hosts.QueryDevicesByFilter(params) client.Hosts.GetDeviceDetailsV2(params) // Verify call count if fakeClient.CountRequests("QueryDevicesByFilter") != 1 { t.Fatal("expected exactly 1 query call") } // Verify call order requests := fakeClient.Requests() if requests[0].GetOperationID() != "QueryDevicesByFilter" { t.Fatal("expected query first") } ```