Files
simstudioai--sim/apps/sim/blocks/blocks/crowdstrike.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

302 lines
12 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import { CrowdStrikeIcon } from '@/components/icons'
import type { BlockConfig, BlockMeta } from '@/blocks/types'
import { AuthMode, IntegrationType } from '@/blocks/types'
import { parseOptionalJsonInput, parseOptionalNumberInput } from '@/blocks/utils'
import type { CrowdStrikeResponse } from '@/tools/crowdstrike/types'
export const CrowdStrikeBlock: BlockConfig<CrowdStrikeResponse> = {
type: 'crowdstrike',
name: 'CrowdStrike',
description: 'Query CrowdStrike Identity Protection sensors and documented aggregates',
longDescription:
'Integrate CrowdStrike Identity Protection into workflows to search sensors, fetch documented sensor details by device ID, and run documented sensor aggregate queries.',
docsLink: 'https://docs.sim.ai/integrations/crowdstrike',
category: 'tools',
integrationType: IntegrationType.Security,
bgColor: '#E01F3D',
iconColor: '#E01F3D',
icon: CrowdStrikeIcon,
authMode: AuthMode.ApiKey,
subBlocks: [
{
id: 'operation',
title: 'Operation',
type: 'dropdown',
options: [
{ label: 'Query Sensors', id: 'crowdstrike_query_sensors' },
{ label: 'Get Sensor Details', id: 'crowdstrike_get_sensor_details' },
{ label: 'Get Sensor Aggregates', id: 'crowdstrike_get_sensor_aggregates' },
],
value: () => 'crowdstrike_query_sensors',
required: true,
},
{
id: 'clientId',
title: 'Client ID',
type: 'short-input',
placeholder: 'CrowdStrike Falcon API client ID',
required: true,
},
{
id: 'clientSecret',
title: 'Client Secret',
type: 'short-input',
password: true,
placeholder: 'CrowdStrike Falcon API client secret',
required: true,
},
{
id: 'cloud',
title: 'Cloud Region',
type: 'dropdown',
options: [
{ label: 'US-1', id: 'us-1' },
{ label: 'US-2', id: 'us-2' },
{ label: 'EU-1', id: 'eu-1' },
{ label: 'US-GOV-1', id: 'us-gov-1' },
{ label: 'US-GOV-2', id: 'us-gov-2' },
],
value: () => 'us-1',
required: true,
},
{
id: 'filter',
title: 'Filter',
type: 'short-input',
placeholder: 'hostname:"server-01" or status:"protected"',
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
wandConfig: {
enabled: true,
prompt:
'Generate a CrowdStrike Identity Protection Falcon Query Language filter string for sensor search. Use exact field names, operators, and values only. Return ONLY the filter string - no explanations, no extra text.',
placeholder:
'Describe the sensors you want to search, for example "sensors with hostnames starting with web" or "sensors with protected status"...',
},
},
{
id: 'limit',
title: 'Limit',
type: 'short-input',
placeholder: '100',
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
mode: 'advanced',
},
{
id: 'offset',
title: 'Offset',
type: 'short-input',
placeholder: '0',
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
mode: 'advanced',
},
{
id: 'sort',
title: 'Sort',
type: 'short-input',
placeholder: 'status.asc',
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
mode: 'advanced',
},
{
id: 'ids',
title: 'Sensor IDs',
type: 'code',
language: 'json',
placeholder: '["device-id-1", "device-id-2"]',
condition: { field: 'operation', value: 'crowdstrike_get_sensor_details' },
required: { field: 'operation', value: 'crowdstrike_get_sensor_details' },
},
{
id: 'aggregateQuery',
title: 'Aggregate Query',
type: 'code',
language: 'json',
placeholder:
'{\n "field": "field_name",\n "name": "aggregate_name",\n "size": 10,\n "type": "aggregate_type"\n}',
condition: { field: 'operation', value: 'crowdstrike_get_sensor_aggregates' },
required: { field: 'operation', value: 'crowdstrike_get_sensor_aggregates' },
wandConfig: {
enabled: true,
prompt:
'Generate a CrowdStrike Identity Protection sensor aggregate query JSON object using documented aggregate body fields such as field, filter, size, sort, type, date_ranges, ranges, extended_bounds, and sub_aggregates. Return ONLY valid JSON.',
placeholder:
'Describe the aggregation you want to run, for example "count sensors by status"...',
generationType: 'json-object',
},
},
],
tools: {
access: [
'crowdstrike_get_sensor_aggregates',
'crowdstrike_get_sensor_details',
'crowdstrike_query_sensors',
],
config: {
tool: (params) =>
typeof params.operation === 'string' ? params.operation : 'crowdstrike_query_sensors',
params: (params) => {
const mapped: Record<string, unknown> = {
clientId: params.clientId,
clientSecret: params.clientSecret,
cloud: params.cloud,
}
if (params.operation === 'crowdstrike_query_sensors') {
if (params.filter) mapped.filter = params.filter
const limit = parseOptionalNumberInput(params.limit, 'limit', {
integer: true,
max: 200,
min: 1,
})
const offset = parseOptionalNumberInput(params.offset, 'offset', {
integer: true,
min: 0,
})
if (limit != null) mapped.limit = limit
if (offset != null) mapped.offset = offset
if (params.sort) mapped.sort = params.sort
}
if (params.operation === 'crowdstrike_get_sensor_details') {
const ids = parseOptionalJsonInput(params.ids, 'sensor IDs')
if (ids !== undefined) mapped.ids = ids
}
if (params.operation === 'crowdstrike_get_sensor_aggregates') {
const aggregateQuery = parseOptionalJsonInput(params.aggregateQuery, 'aggregate query')
if (aggregateQuery !== undefined) mapped.aggregateQuery = aggregateQuery
}
return mapped
},
},
},
inputs: {
operation: { type: 'string', description: 'Selected CrowdStrike operation' },
clientId: { type: 'string', description: 'CrowdStrike Falcon API client ID' },
clientSecret: { type: 'string', description: 'CrowdStrike Falcon API client secret' },
cloud: { type: 'string', description: 'CrowdStrike Falcon cloud region' },
filter: { type: 'string', description: 'Falcon Query Language filter' },
ids: { type: 'json', description: 'JSON array of CrowdStrike sensor device IDs' },
aggregateQuery: {
type: 'json',
description: 'CrowdStrike sensor aggregate query body as JSON',
},
limit: { type: 'number', description: 'Maximum number of records to return' },
offset: { type: 'number', description: 'Pagination offset' },
sort: { type: 'string', description: 'Sort expression' },
},
outputs: {
sensors: {
type: 'json',
description:
'CrowdStrike identity sensor records (agentVersion, cid, deviceId, heartbeatTime, hostname, idpPolicyId, idpPolicyName, ipAddress, kerberosConfig, ldapConfig, ldapsConfig, machineDomain, ntlmConfig, osVersion, rdpToDcConfig, smbToDcConfig, status, statusCauses, tiEnabled)',
},
aggregates: {
type: 'json',
description:
'CrowdStrike aggregate result groups (name, buckets, docCountErrorUpperBound, sumOtherDocCount)',
},
pagination: {
type: 'json',
description: 'Pagination metadata (limit, offset, total) for query responses',
},
count: { type: 'number', description: 'Number of records returned by the selected operation' },
},
}
export const CrowdStrikeBlockMeta = {
tags: ['identity', 'monitoring'],
url: 'https://www.crowdstrike.com',
templates: [
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike sensor coverage gaps',
prompt:
'Create a scheduled workflow that queries CrowdStrike Identity Protection sensors, identifies devices reporting an unprotected or degraded status, opens a PagerDuty incident for critical gaps, and posts the list to Slack.',
modules: ['scheduled', 'agent', 'workflows'],
category: 'operations',
tags: ['devops', 'monitoring'],
alsoIntegrations: ['pagerduty', 'slack'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike weekly sensor digest',
prompt:
'Create a scheduled weekly workflow that runs CrowdStrike sensor aggregate queries by status and OS version, summarizes coverage and unprotected counts, and writes a digest file for security leadership.',
modules: ['scheduled', 'agent', 'files', 'workflows'],
category: 'operations',
tags: ['enterprise', 'reporting'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike + Okta coverage check',
prompt:
'Build a workflow that lists CrowdStrike Identity Protection sensors and cross-references them with Okta users and devices to find accounts active on endpoints that have no protected sensor, then writes the findings to a security table.',
modules: ['tables', 'agent', 'workflows'],
category: 'operations',
tags: ['enterprise', 'analysis'],
alsoIntegrations: ['okta'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike asset inventory',
prompt:
'Create a scheduled workflow that queries CrowdStrike Identity Protection sensors per device, identifies endpoints reporting an unprotected status, and writes the gap list to a compliance table.',
modules: ['scheduled', 'tables', 'agent', 'workflows'],
category: 'operations',
tags: ['enterprise', 'monitoring'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike stale sensor finder',
prompt:
'Build a scheduled workflow that queries CrowdStrike sensors, flags devices whose last heartbeat is older than a threshold, and writes the stale-sensor list to a SOC investigation table for follow-up.',
modules: ['scheduled', 'tables', 'agent', 'workflows'],
category: 'operations',
tags: ['enterprise', 'analysis'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike coverage report doc',
prompt:
'Create a scheduled workflow that aggregates CrowdStrike sensor status, OS version, and policy assignment, and generates a coverage report doc in Google Docs for the security team.',
modules: ['scheduled', 'agent', 'workflows'],
category: 'operations',
tags: ['enterprise', 'reporting'],
alsoIntegrations: ['google_docs'],
},
{
icon: CrowdStrikeIcon,
title: 'CrowdStrike policy drift watcher',
prompt:
'Build a scheduled workflow that queries CrowdStrike Identity Protection sensors, compares each devices assigned IdP policy against the expected baseline, and writes mismatches to a SOC review queue.',
modules: ['scheduled', 'tables', 'agent', 'workflows'],
category: 'operations',
tags: ['enterprise', 'analysis'],
},
],
skills: [
{
name: 'audit-identity-sensors',
description:
'Query CrowdStrike Identity Protection sensors and report on coverage, status, and devices missing protection.',
content:
'# Audit CrowdStrike Identity Sensors\n\nReview Identity Protection sensor coverage across the fleet.\n\n## Steps\n1. Query sensors, optionally filtered by status or hostname.\n2. For sensors of interest, pull detailed attributes (version, last seen, assigned policy).\n3. Flag sensors that are offline, stale, or out of policy.\n\n## Output\nA coverage report listing healthy sensors, plus any that are offline, stale, or misconfigured for SOC review.',
},
{
name: 'summarize-sensor-aggregates',
description:
'Pull documented CrowdStrike sensor aggregates and summarize the fleet distribution by version, status, or platform.',
content:
'# Summarize CrowdStrike Sensor Aggregates\n\nBuild a high-level picture of the sensor fleet.\n\n## Steps\n1. Request the documented sensor aggregates (e.g. counts by version, status, or platform).\n2. Compute the distribution and identify outliers, such as a large share of outdated versions.\n3. Compare against the expected baseline.\n\n## Output\nA fleet summary with key counts and any segments that need attention (outdated, offline).',
},
],
} as const satisfies BlockMeta