
adjust some code
RonaldEAM committed Sep 12, 2023
1 parent 48d96d7 commit 7d1cda8
Showing 11 changed files with 1,231 additions and 5,755 deletions.
22 changes: 11 additions & 11 deletions docs/jupiterone.md
Expand Up @@ -101,8 +101,8 @@ The following entities are created:
| --------------------- | ----------------------------------- | --------------- |
| Account | `crowdstrike_account` | `Account` |
| Application | `crowdstrike_detected_application` | `Application` |
| Application | `crowdstrike_application` | `Application` |
| Device Sensor Agent | `crowdstrike_sensor` | `HostAgent` |
| Discover Application | `crowdstrike_discover_application` | `Application` |
| Prevention Policy | `crowdstrike_prevention_policy` | `ControlPolicy` |
| Service | `crowdstrike_endpoint_protection` | `Service` |
| Vulnerability | `crowdstrike_vulnerability` | `Finding` |
Expand All @@ -112,16 +112,16 @@ The following entities are created:

The following relationships are created:

| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
| ------------------------------- | --------------------- | ----------------------------------- |
| `crowdstrike_account` | **HAS** | `crowdstrike_endpoint_protection` |
| `crowdstrike_account` | **HAS** | `crowdstrike_sensor` |
| `crowdstrike_application` | **HAS** | `crowdstrike_vulnerability` |
| `crowdstrike_prevention_policy` | **ENFORCES** | `crowdstrike_endpoint_protection` |
| `crowdstrike_sensor` | **ASSIGNED** | `crowdstrike_prevention_policy` |
| `crowdstrike_sensor` | **HAS** | `crowdstrike_application` |
| `crowdstrike_sensor` | **HAS** | `crowdstrike_zero_trust_assessment` |
| `crowdstrike_vulnerability` | **EXPLOITS** | `crowdstrike_sensor` |
| Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
| ---------------------------------- | --------------------- | ----------------------------------- |
| `crowdstrike_account` | **HAS** | `crowdstrike_endpoint_protection` |
| `crowdstrike_account` | **HAS** | `crowdstrike_sensor` |
| `crowdstrike_discover_application` | **HAS** | `crowdstrike_vulnerability` |
| `crowdstrike_prevention_policy` | **ENFORCES** | `crowdstrike_endpoint_protection` |
| `crowdstrike_sensor` | **ASSIGNED** | `crowdstrike_prevention_policy` |
| `crowdstrike_sensor` | **HAS** | `crowdstrike_discover_application` |
| `crowdstrike_sensor` | **HAS** | `crowdstrike_zero_trust_assessment` |
| `crowdstrike_vulnerability` | **EXPLOITS** | `crowdstrike_sensor` |

<!--
********************************************************************************
13 changes: 8 additions & 5 deletions src/crowdstrike/CrowdStrikeApiGateway.ts
Expand Up @@ -14,7 +14,7 @@ import {
RateLimitState,
ResourcesResponse,
} from './types';
import { RequestInit } from 'node-fetch';
import fetch, { RequestInit } from 'node-fetch';
import { FalconAPIResourceIterationCallback } from './FalconAPIClient';
import { ICrowdStrikeApiClientQueryBuilder } from './CrowdStrikeApiClientQueryBuilder';
import { Total } from './Total';
Expand All @@ -24,7 +24,7 @@ function getUnixTimeNow() {
return Date.now() / 1000;
}

async function sleep(ms) {
async function sleep(ms: number) {
return new Promise((resolve) => setTimeout(resolve, ms));
}

Expand Down Expand Up @@ -56,13 +56,13 @@ export class CrowdStrikeApiGateway {
private readonly rateLimitConfig: RateLimitConfig = DEFAULT_RATE_LIMIT_CONFIG;
private total: Total;
private queryBuilder: ICrowdStrikeApiClientQueryBuilder;
private fetcher;
private fetcher: typeof fetch;

constructor(
credentials: OAuth2ClientCredentials,
logger: IntegrationLogger,
queryBuilder: ICrowdStrikeApiClientQueryBuilder,
fetcher,
fetcher: typeof fetch,
attemptOptions?: AttemptOptions,
) {
this.queryBuilder = queryBuilder;
Expand Down Expand Up @@ -361,8 +361,11 @@ export class CrowdStrikeApiGateway {
'pagination response details',
);

paginationParams = response.meta.pagination as PaginationMeta;
seen += response.resources.length;
paginationParams = {
...response.meta.pagination,
offset: seen,
} as PaginationMeta;

const baseUrl = this.queryBuilder.buildResourcePathUrl(
availabilityZone,
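Review bot: The `as PaginationMeta` assertion on the rebuilt pagination object (the `paginationParams = { ...response.meta.pagination, offset: seen } as PaginationMeta;` statement) silences any mismatch between what `response.meta.pagination` actually carries and the local type; a declaration keeps the check: `const next: PaginationMeta = { ...response.meta.pagination, offset: seen }; paginationParams = next;`. The new code also replaces the offset echoed by the API with the client-side `seen` count, and nothing in the hunk says why; if some endpoint reports offsets that are not a plain element count, the loop could repeat or skip a page, so a comment such as `// offset is derived from the number of resources consumed so far rather than the value echoed by the API` would record the intent. The enclosing method starts and ends outside this hunk.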
35 changes: 19 additions & 16 deletions src/crowdstrike/FalconAPIClient.ts
@@ -1,8 +1,8 @@
import { URLSearchParams } from 'url';

import {
Application,
ApplicationIdentifier,
DiscoverApplication,
DiscoverApplicationIdentifier,
Device,
DeviceIdentifier,
OAuth2Token,
Expand Down Expand Up @@ -150,18 +150,20 @@ export class FalconAPIClient {
* @returns Promise
*/
public async iterateApplications(input: {
callback: FalconAPIResourceIterationCallback<Application>;
callback: FalconAPIResourceIterationCallback<DiscoverApplication>;
query?: QueryParams;
}): Promise<void> {
return this.crowdStrikeApiGateway.paginateResources<ApplicationIdentifier>({
callback: async (appsIds) => {
if (appsIds.length) {
return input.callback(await this.fetchApplications(appsIds));
}
return this.crowdStrikeApiGateway.paginateResources<DiscoverApplicationIdentifier>(
{
callback: async (appsIds) => {
if (appsIds.length) {
return input.callback(await this.fetchApplications(appsIds));
}
},
query: input.query,
resourcePath: '/discover/queries/applications/v1',
},
query: input.query,
resourcePath: '/discover/queries/applications/v1',
});
);
}

/**
Expand Down Expand Up @@ -253,15 +255,16 @@ export class FalconAPIClient {
* Discover Service - applications.
* Swagger: https://assets.falcon.us-2.crowdstrike.com/support/api/swagger-us2.html#/discover/get-applications
*/
private async fetchApplications(ids: string[]): Promise<Application[]> {
private async fetchApplications(
ids: string[],
): Promise<DiscoverApplication[]> {
const availabilityZone = this.crowdStrikeApiGateway.getAvailabilityZone();
const queryParams = ids.map((id) => `ids=${id}`).join('&');
const response =
await this.crowdStrikeApiGateway.executeAPIRequestWithRetries<
ResourcesResponse<Application>
ResourcesResponse<DiscoverApplication>
>(
`https://api.${availabilityZone}crowdstrike.com/discover/entities/applications/v1?ids=${ids.join(
'&ids=',
)}`,
`https://api.${availabilityZone}crowdstrike.com/discover/entities/applications/v1?${queryParams}`,
{
method: 'GET',
headers: {
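Review bot: The new `queryParams` line interpolates each id into the URL verbatim (`ids.map((id) => \`ids=${id}\`).join('&')`), so an id containing `&`, `=`, `#` or whitespace would corrupt the query string; the ids come back from the Discover query endpoint rather than from local constants, and the file already imports `URLSearchParams` at the top, so `const queryParams = new URLSearchParams(ids.map((id) => ['ids', id])).toString();` encodes them for free. The remainder of `fetchApplications` (headers, response handling) lies outside the hunk; if the caller can hand over a large id batch, it is worth confirming elsewhere that the resulting URL stays within the API's length limit.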
51 changes: 30 additions & 21 deletions src/crowdstrike/types.ts
Expand Up @@ -136,7 +136,7 @@ export type ResourcesResponse<T> = {
* The identifier of a discovered device within the CrowdStrike Falcon platform.
*/
export type DeviceIdentifier = string;
export type ApplicationIdentifier = string;
export type DiscoverApplicationIdentifier = string;

export type Device = {
device_id: DeviceIdentifier;
Expand Down Expand Up @@ -202,39 +202,48 @@ export type DetectedApplication = {
};
};

export type Application = {
id: string;
export interface DiscoverApplication {
id: DiscoverApplicationIdentifier;
category?: string;
cid: string;
name?: string;
vendor?: string;
version?: string;
name_vendor: string;
name_vendor?: string;
name_vendor_version?: string;
versioning_scheme?: string;
architectures?: string[];
groups?: string[];
installation_paths?: string[];
installation_timestamp?: string;
first_seen_timestamp?: string;
last_updated_timestamp?: string;
last_used_timestamp?: string;
is_suspicious?: boolean;
is_normalized?: boolean;
host?: {
id?: string;
aid?: string;
country?: string;
platform_name?: string;
os_version?: string;
kernel_version?: string;
product_type_desc?: string;
system_manufacturer?: string;
agent_version?: string;
external_ip?: string;
hostname?: string;
current_mac_address?: string;
current_network_prefix?: string;
internet_exposure?: string;
};
};
host?: Host;
last_used_file_hash?: string;
last_used_file_name?: string;
last_used_user_name?: string;
last_used_user_sid?: string;
}

export interface Host {
id: string;
aid?: string;
country?: string;
platform_name?: string;
os_version?: string;
kernel_version?: string;
product_type_desc?: string;
system_manufacturer?: string;
agent_version?: string;
external_ip?: string;
hostname?: string;
current_mac_address?: string;
current_network_prefix?: string;
internet_exposure?: string;
}

export type ZTA_Score = {
aid: string;
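Review bot: `Host.id` is declared required in the new `Host` interface, whereas the inline shape it replaces had `id?: string`; since `host` itself is optional on `DiscoverApplication`, nothing here shows the Discover API guarantees the field, and a consumer that trusts the stricter type could dereference an undefined value at runtime where the erased type cannot help. Unless the API contract confirms it, `id?: string;` is the safer declaration. As a matter of style, the surrounding shapes (`DetectedApplication`, `Device`, `ResourcesResponse`) are `type` aliases while the two new declarations are `interface`s; picking one form for the file keeps it consistent, and a short doc comment on `DiscoverApplication` naming the Discover endpoint it models, in the style of the existing `DeviceIdentifier` comment, would help readers.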
47 changes: 15 additions & 32 deletions src/jupiterone/converters.ts
Expand Up @@ -6,7 +6,7 @@ import {
import { Entities } from '../steps/constants';

import {
Application,
DiscoverApplication,
DetectedApplication,
Device,
PreventionPolicy,
Expand Down Expand Up @@ -94,6 +94,10 @@ export function buildEc2InstanceArn(source: Device): string | undefined {
return `arn:aws:ec2:${region}:${serviceProviderAccountId}:instance/${instanceId}`;
}

export function createSensorAgentKey(deviceId: string): string {
return deviceId;
}

export function createSensorAgentEntity(source: Device) {
return createIntegrationEntity({
entityData: {
Expand All @@ -107,7 +111,7 @@ export function createSensorAgentEntity(source: Device) {
// version is upgraded. This is listed in their API documentation
// and it notes that this means that it's a valid case for a Host to
// potentially have multiple sensors protecting it.
_key: source.device_id,
_key: createSensorAgentKey(source.device_id),
name: source.hostname,
function: ['anti-malware', 'activity-monitor'],
firstSeenOn: parseTimePropertyValue(source.first_seen),
Expand Down Expand Up @@ -234,48 +238,27 @@ export function createDetectedApplicationEntity(source: DetectedApplication) {
});
}

export function createApplicationEntity(source: Application) {
export function createDiscoverApplicationEntity(source: DiscoverApplication) {
return createIntegrationEntity({
entityData: {
source,
assign: {
_class: Entities.APPLICATION._class,
_type: Entities.APPLICATION._type,
_class: Entities.DISCOVER_APPLICATION._class,
_type: Entities.DISCOVER_APPLICATION._type,
_key: source.id,
name: source.name || source.name_vendor,
name: source.name || source.id,
id: source.id,
vendor: source.vendor,
version: source.version,
nameVendor: source.name_vendor,
nameVendorVersion: source.name_vendor,
versioningScheme: source.versioning_scheme,
architectures: source.architectures,
isSuspicious: source.is_suspicious,
isNormalized: source.is_normalized,
installationPaths: source.installation_paths?.map(
(installationPath) => installationPath,
),
installationTimestamp: parseTimePropertyValue(
source.installation_timestamp,
),
firstSeenTimestamp: parseTimePropertyValue(source.first_seen_timestamp),
lastUpdatedTimestamp: parseTimePropertyValue(
source.last_updated_timestamp,
),
'host.id': source?.host?.id,
'host.aid': source?.host?.aid,
'host.country': source?.host?.country,
'host.platformName': source?.host?.platform_name,
'host.osVersion': source?.host?.os_version,
'host.kernelVersion': source?.host?.kernel_version,
'host.productTypeDesc': source?.host?.product_type_desc,
'host.systemManufacturer': source?.host?.system_manufacturer,
'host.agentVersion': source?.host?.agent_version,
'host.externalIp': source?.host?.external_ip,
'host.hostname': source?.host?.hostname,
'host.currentMacAddress': source?.host?.current_mac_address,
'host.currentNetworkPrefix': source?.host?.current_network_prefix,
'host.internetExposure': source?.host?.internet_exposure,
installationPaths: source.installation_paths,
installedOn: parseTimePropertyValue(source.installation_timestamp),
firstSeenOn: parseTimePropertyValue(source.first_seen_timestamp),
lastUpdatedOn: parseTimePropertyValue(source.last_updated_timestamp),
lastUsedOn: parseTimePropertyValue(source.last_used_timestamp),
},
},
});
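Review bot: `createDiscoverApplicationEntity` still assigns `_key: source.id` directly, while the same commit introduces `createSensorAgentKey` so the sensor key has a single definition used by the entity and, presumably, by the relationship builders; a parallel `export function createDiscoverApplicationKey(id: string): string { return id; }` used here and by whatever builds the `crowdstrike_sensor` HAS `crowdstrike_discover_application` relationship would keep the two from drifting. `createSensorAgentKey` itself has no doc comment; something like `/** Builds the _key of a crowdstrike_sensor entity; keep relationship builders on this helper so the key format changes in one place. */` states the reason it exists. Note that `name: source.name || source.id` deliberately treats an empty name as missing, which may be intended but differs from `??`.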
