CrowdStrike + Steampipe
Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.
CrowdStrike provides cloud workload and endpoint security, threat intelligence, and cyberattack response services.
For example:
select created_timestamp, host_info -> 'hostname' AS hostname, statusfrom crowdstrike_spotlight_vulnerabilitywhere created_timestamp > now() - interval '15 days';Documentation
Get started
Install
Download and install the latest CrowdStrike plugin:
steampipe plugin install crowdstrikeConfiguration
Installing the latest crowdstrike plugin will create a config file (~/.steampipe/config/crowdstrike.spc) with a single connection named crowdstrike:
connection "crowdstrike" { plugin = "crowdstrike"
# CrowdStrike client ID # Can also be set with the FALCON_CLIENT_ID environment variable # client_id = "4fe29d3fakeclientid"
# CrowdStrike client secret # Can also be set with the FALCON_CLIENT_SECRET environment variable # client_secret = "Z0F3MTfakesecret"
# Falcon cloud (us-1, us-2, eu-1, us-gov-1) # Can also be set with the FALCON_CLOUD environment variable # client_cloud = "us-2"}client_cloud- (Required) The Falcon cloud abbreviation (us-1, us-2, eu-1, us-gov-1). Can also be set with theFALCON_CLOUDenvironment variable.client_id- (Required) The client ID. Can also be set with theFALCON_CLIENT_IDenvironment variable.client_secret- (Required) The client secret. Can also be set with theFALCON_CLIENT_SECRETenvironment variable.
Postgres FDW
This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_postgres_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- crowdstrikeThe installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.
To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.
CREATE EXTENSION IF NOT EXISTS steampipe_postgres_crowdstrike;CREATE SERVER steampipe_crowdstrike FOREIGN DATA WRAPPER steampipe_postgres_crowdstrike OPTIONS (config '<your_config>');CREATE SCHEMA crowdstrike;IMPORT FOREIGN SCHEMA crowdstrike FROM SERVER steampipe_crowdstrike INTO crowdstrike;SQLite Extension
This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_sqlite_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- crowdstrikeThe installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.
To configure the SQLite extension, load the extension module and then run the steampipe_configure_crowdstrike function to configure it with plugin-specific options.
$ sqlite3sqlite> .load ./steampipe_sqlite_extension_crowdstrike.sosqlite> select steampipe_configure_crowdstrike('<your_config>');Export
This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrikeYou can pass the configuration to the command with the --config argument:
steampipe_export_crowdstrike --config '<your_config>' <table_name>