d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
302 lines
12 KiB
TypeScript
302 lines
12 KiB
TypeScript
import { CrowdStrikeIcon } from '@/components/icons'
|
||
import type { BlockConfig, BlockMeta } from '@/blocks/types'
|
||
import { AuthMode, IntegrationType } from '@/blocks/types'
|
||
import { parseOptionalJsonInput, parseOptionalNumberInput } from '@/blocks/utils'
|
||
import type { CrowdStrikeResponse } from '@/tools/crowdstrike/types'
|
||
|
||
export const CrowdStrikeBlock: BlockConfig<CrowdStrikeResponse> = {
|
||
type: 'crowdstrike',
|
||
name: 'CrowdStrike',
|
||
description: 'Query CrowdStrike Identity Protection sensors and documented aggregates',
|
||
longDescription:
|
||
'Integrate CrowdStrike Identity Protection into workflows to search sensors, fetch documented sensor details by device ID, and run documented sensor aggregate queries.',
|
||
docsLink: 'https://docs.sim.ai/integrations/crowdstrike',
|
||
category: 'tools',
|
||
integrationType: IntegrationType.Security,
|
||
bgColor: '#E01F3D',
|
||
iconColor: '#E01F3D',
|
||
icon: CrowdStrikeIcon,
|
||
authMode: AuthMode.ApiKey,
|
||
|
||
subBlocks: [
|
||
{
|
||
id: 'operation',
|
||
title: 'Operation',
|
||
type: 'dropdown',
|
||
options: [
|
||
{ label: 'Query Sensors', id: 'crowdstrike_query_sensors' },
|
||
{ label: 'Get Sensor Details', id: 'crowdstrike_get_sensor_details' },
|
||
{ label: 'Get Sensor Aggregates', id: 'crowdstrike_get_sensor_aggregates' },
|
||
],
|
||
value: () => 'crowdstrike_query_sensors',
|
||
required: true,
|
||
},
|
||
{
|
||
id: 'clientId',
|
||
title: 'Client ID',
|
||
type: 'short-input',
|
||
placeholder: 'CrowdStrike Falcon API client ID',
|
||
required: true,
|
||
},
|
||
{
|
||
id: 'clientSecret',
|
||
title: 'Client Secret',
|
||
type: 'short-input',
|
||
password: true,
|
||
placeholder: 'CrowdStrike Falcon API client secret',
|
||
required: true,
|
||
},
|
||
{
|
||
id: 'cloud',
|
||
title: 'Cloud Region',
|
||
type: 'dropdown',
|
||
options: [
|
||
{ label: 'US-1', id: 'us-1' },
|
||
{ label: 'US-2', id: 'us-2' },
|
||
{ label: 'EU-1', id: 'eu-1' },
|
||
{ label: 'US-GOV-1', id: 'us-gov-1' },
|
||
{ label: 'US-GOV-2', id: 'us-gov-2' },
|
||
],
|
||
value: () => 'us-1',
|
||
required: true,
|
||
},
|
||
{
|
||
id: 'filter',
|
||
title: 'Filter',
|
||
type: 'short-input',
|
||
placeholder: 'hostname:"server-01" or status:"protected"',
|
||
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
|
||
wandConfig: {
|
||
enabled: true,
|
||
prompt:
|
||
'Generate a CrowdStrike Identity Protection Falcon Query Language filter string for sensor search. Use exact field names, operators, and values only. Return ONLY the filter string - no explanations, no extra text.',
|
||
placeholder:
|
||
'Describe the sensors you want to search, for example "sensors with hostnames starting with web" or "sensors with protected status"...',
|
||
},
|
||
},
|
||
{
|
||
id: 'limit',
|
||
title: 'Limit',
|
||
type: 'short-input',
|
||
placeholder: '100',
|
||
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
|
||
mode: 'advanced',
|
||
},
|
||
{
|
||
id: 'offset',
|
||
title: 'Offset',
|
||
type: 'short-input',
|
||
placeholder: '0',
|
||
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
|
||
mode: 'advanced',
|
||
},
|
||
{
|
||
id: 'sort',
|
||
title: 'Sort',
|
||
type: 'short-input',
|
||
placeholder: 'status.asc',
|
||
condition: { field: 'operation', value: 'crowdstrike_query_sensors' },
|
||
mode: 'advanced',
|
||
},
|
||
{
|
||
id: 'ids',
|
||
title: 'Sensor IDs',
|
||
type: 'code',
|
||
language: 'json',
|
||
placeholder: '["device-id-1", "device-id-2"]',
|
||
condition: { field: 'operation', value: 'crowdstrike_get_sensor_details' },
|
||
required: { field: 'operation', value: 'crowdstrike_get_sensor_details' },
|
||
},
|
||
{
|
||
id: 'aggregateQuery',
|
||
title: 'Aggregate Query',
|
||
type: 'code',
|
||
language: 'json',
|
||
placeholder:
|
||
'{\n "field": "field_name",\n "name": "aggregate_name",\n "size": 10,\n "type": "aggregate_type"\n}',
|
||
condition: { field: 'operation', value: 'crowdstrike_get_sensor_aggregates' },
|
||
required: { field: 'operation', value: 'crowdstrike_get_sensor_aggregates' },
|
||
wandConfig: {
|
||
enabled: true,
|
||
prompt:
|
||
'Generate a CrowdStrike Identity Protection sensor aggregate query JSON object using documented aggregate body fields such as field, filter, size, sort, type, date_ranges, ranges, extended_bounds, and sub_aggregates. Return ONLY valid JSON.',
|
||
placeholder:
|
||
'Describe the aggregation you want to run, for example "count sensors by status"...',
|
||
generationType: 'json-object',
|
||
},
|
||
},
|
||
],
|
||
|
||
tools: {
|
||
access: [
|
||
'crowdstrike_get_sensor_aggregates',
|
||
'crowdstrike_get_sensor_details',
|
||
'crowdstrike_query_sensors',
|
||
],
|
||
config: {
|
||
tool: (params) =>
|
||
typeof params.operation === 'string' ? params.operation : 'crowdstrike_query_sensors',
|
||
params: (params) => {
|
||
const mapped: Record<string, unknown> = {
|
||
clientId: params.clientId,
|
||
clientSecret: params.clientSecret,
|
||
cloud: params.cloud,
|
||
}
|
||
|
||
if (params.operation === 'crowdstrike_query_sensors') {
|
||
if (params.filter) mapped.filter = params.filter
|
||
|
||
const limit = parseOptionalNumberInput(params.limit, 'limit', {
|
||
integer: true,
|
||
max: 200,
|
||
min: 1,
|
||
})
|
||
const offset = parseOptionalNumberInput(params.offset, 'offset', {
|
||
integer: true,
|
||
min: 0,
|
||
})
|
||
|
||
if (limit != null) mapped.limit = limit
|
||
if (offset != null) mapped.offset = offset
|
||
if (params.sort) mapped.sort = params.sort
|
||
}
|
||
|
||
if (params.operation === 'crowdstrike_get_sensor_details') {
|
||
const ids = parseOptionalJsonInput(params.ids, 'sensor IDs')
|
||
if (ids !== undefined) mapped.ids = ids
|
||
}
|
||
|
||
if (params.operation === 'crowdstrike_get_sensor_aggregates') {
|
||
const aggregateQuery = parseOptionalJsonInput(params.aggregateQuery, 'aggregate query')
|
||
if (aggregateQuery !== undefined) mapped.aggregateQuery = aggregateQuery
|
||
}
|
||
|
||
return mapped
|
||
},
|
||
},
|
||
},
|
||
|
||
inputs: {
|
||
operation: { type: 'string', description: 'Selected CrowdStrike operation' },
|
||
clientId: { type: 'string', description: 'CrowdStrike Falcon API client ID' },
|
||
clientSecret: { type: 'string', description: 'CrowdStrike Falcon API client secret' },
|
||
cloud: { type: 'string', description: 'CrowdStrike Falcon cloud region' },
|
||
filter: { type: 'string', description: 'Falcon Query Language filter' },
|
||
ids: { type: 'json', description: 'JSON array of CrowdStrike sensor device IDs' },
|
||
aggregateQuery: {
|
||
type: 'json',
|
||
description: 'CrowdStrike sensor aggregate query body as JSON',
|
||
},
|
||
limit: { type: 'number', description: 'Maximum number of records to return' },
|
||
offset: { type: 'number', description: 'Pagination offset' },
|
||
sort: { type: 'string', description: 'Sort expression' },
|
||
},
|
||
|
||
outputs: {
|
||
sensors: {
|
||
type: 'json',
|
||
description:
|
||
'CrowdStrike identity sensor records (agentVersion, cid, deviceId, heartbeatTime, hostname, idpPolicyId, idpPolicyName, ipAddress, kerberosConfig, ldapConfig, ldapsConfig, machineDomain, ntlmConfig, osVersion, rdpToDcConfig, smbToDcConfig, status, statusCauses, tiEnabled)',
|
||
},
|
||
aggregates: {
|
||
type: 'json',
|
||
description:
|
||
'CrowdStrike aggregate result groups (name, buckets, docCountErrorUpperBound, sumOtherDocCount)',
|
||
},
|
||
pagination: {
|
||
type: 'json',
|
||
description: 'Pagination metadata (limit, offset, total) for query responses',
|
||
},
|
||
count: { type: 'number', description: 'Number of records returned by the selected operation' },
|
||
},
|
||
}
|
||
|
||
export const CrowdStrikeBlockMeta = {
|
||
tags: ['identity', 'monitoring'],
|
||
url: 'https://www.crowdstrike.com',
|
||
templates: [
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike sensor coverage gaps',
|
||
prompt:
|
||
'Create a scheduled workflow that queries CrowdStrike Identity Protection sensors, identifies devices reporting an unprotected or degraded status, opens a PagerDuty incident for critical gaps, and posts the list to Slack.',
|
||
modules: ['scheduled', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['devops', 'monitoring'],
|
||
alsoIntegrations: ['pagerduty', 'slack'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike weekly sensor digest',
|
||
prompt:
|
||
'Create a scheduled weekly workflow that runs CrowdStrike sensor aggregate queries by status and OS version, summarizes coverage and unprotected counts, and writes a digest file for security leadership.',
|
||
modules: ['scheduled', 'agent', 'files', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'reporting'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike + Okta coverage check',
|
||
prompt:
|
||
'Build a workflow that lists CrowdStrike Identity Protection sensors and cross-references them with Okta users and devices to find accounts active on endpoints that have no protected sensor, then writes the findings to a security table.',
|
||
modules: ['tables', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'analysis'],
|
||
alsoIntegrations: ['okta'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike asset inventory',
|
||
prompt:
|
||
'Create a scheduled workflow that queries CrowdStrike Identity Protection sensors per device, identifies endpoints reporting an unprotected status, and writes the gap list to a compliance table.',
|
||
modules: ['scheduled', 'tables', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'monitoring'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike stale sensor finder',
|
||
prompt:
|
||
'Build a scheduled workflow that queries CrowdStrike sensors, flags devices whose last heartbeat is older than a threshold, and writes the stale-sensor list to a SOC investigation table for follow-up.',
|
||
modules: ['scheduled', 'tables', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'analysis'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike coverage report doc',
|
||
prompt:
|
||
'Create a scheduled workflow that aggregates CrowdStrike sensor status, OS version, and policy assignment, and generates a coverage report doc in Google Docs for the security team.',
|
||
modules: ['scheduled', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'reporting'],
|
||
alsoIntegrations: ['google_docs'],
|
||
},
|
||
{
|
||
icon: CrowdStrikeIcon,
|
||
title: 'CrowdStrike policy drift watcher',
|
||
prompt:
|
||
'Build a scheduled workflow that queries CrowdStrike Identity Protection sensors, compares each device’s assigned IdP policy against the expected baseline, and writes mismatches to a SOC review queue.',
|
||
modules: ['scheduled', 'tables', 'agent', 'workflows'],
|
||
category: 'operations',
|
||
tags: ['enterprise', 'analysis'],
|
||
},
|
||
],
|
||
skills: [
|
||
{
|
||
name: 'audit-identity-sensors',
|
||
description:
|
||
'Query CrowdStrike Identity Protection sensors and report on coverage, status, and devices missing protection.',
|
||
content:
|
||
'# Audit CrowdStrike Identity Sensors\n\nReview Identity Protection sensor coverage across the fleet.\n\n## Steps\n1. Query sensors, optionally filtered by status or hostname.\n2. For sensors of interest, pull detailed attributes (version, last seen, assigned policy).\n3. Flag sensors that are offline, stale, or out of policy.\n\n## Output\nA coverage report listing healthy sensors, plus any that are offline, stale, or misconfigured for SOC review.',
|
||
},
|
||
{
|
||
name: 'summarize-sensor-aggregates',
|
||
description:
|
||
'Pull documented CrowdStrike sensor aggregates and summarize the fleet distribution by version, status, or platform.',
|
||
content:
|
||
'# Summarize CrowdStrike Sensor Aggregates\n\nBuild a high-level picture of the sensor fleet.\n\n## Steps\n1. Request the documented sensor aggregates (e.g. counts by version, status, or platform).\n2. Compute the distribution and identify outliers, such as a large share of outdated versions.\n3. Compare against the expected baseline.\n\n## Output\nA fleet summary with key counts and any segments that need attention (outdated, offline).',
|
||
},
|
||
],
|
||
} as const satisfies BlockMeta
|