feat: add falcon_intel_indicators datasource (#254)

.mockery.yaml

@@ -59,6 +59,7 @@ packages:
       CspmRegistrationClient:
       DetectsClient:
       SpotVulnerabilitiesClient:
+      IntelClient:
   github.com/blackstork-io/fabric/plugin/resolver:
     config:
       inpackage: true

docs/plugins/crowdstrike/data-sources/falcon_intel_indicators.md

@@ -0,0 +1,99 @@
+---
+title: "`falcon_intel_indicators` data source"
+plugin:
+  name: blackstork/crowdstrike
+  description: "The `falcon_intel_indicators` data source fetches intel indicators from Falcon API"
+  tags: []
+  version: "v0.4.2"
+  source_github: "https://github.com/blackstork-io/fabric/tree/main/internal/crowdstrike/"
+resource:
+  type: data-source
+type: docs
+---
+
+{{< breadcrumbs 2 >}}
+
+{{< plugin-resource-header "blackstork/crowdstrike" "crowdstrike" "v0.4.2" "falcon_intel_indicators" "data source" >}}
+
+## Description
+The `falcon_intel_indicators` data source fetches intel indicators from Falcon API.
+
+## Installation
+
+To use `falcon_intel_indicators` data source, you must install the plugin `blackstork/crowdstrike`.
+
+To install the plugin, add the full plugin name to the `plugin_versions` map in the Fabric global configuration block (see [Global configuration]({{< ref "configs.md#global-configuration" >}}) for more details), as shown below:
+
+```hcl
+fabric {
+  plugin_versions = {
+    "blackstork/crowdstrike" = ">= v0.4.2"
+  }
+}
+```
+
+Note the version constraint set for the plugin.
+
+## Configuration
+
+The data source supports the following configuration arguments:
+
+```hcl
+config data falcon_intel_indicators {
+  # Client ID for accessing CrowdStrike Falcon Platform
+  #
+  # Required string.
+  # Must be non-empty
+  # For example:
+  client_id = "some string"
+
+  # Client Secret for accessing CrowdStrike Falcon Platform
+  #
+  # Required string.
+  # Must be non-empty
+  # For example:
+  client_secret = "some string"
+
+  # Member CID for MSSP
+  #
+  # Optional string.
+  # Default value:
+  member_cid = null
+
+  # Falcon cloud abbreviation
+  #
+  # Optional string.
+  # Must be one of: "autodiscover", "us-1", "us-2", "eu-1", "us-gov-1", "gov1"
+  # For example:
+  # client_cloud = "us-1"
+  # 
+  # Default value:
+  client_cloud = null
+}
+```
+
+## Usage
+
+The data source supports the following execution arguments:
+
+```hcl
+data falcon_intel_indicators {
+  # limit the number of queried items
+  #
+  # Optional integer.
+  # Default value:
+  limit = 10
+
+  # Indicators filter expression using Falcon Query Language (FQL)
+  #
+  # Optional string.
+  # Default value:
+  filter = null
+
+  # Indicators sort expression using Falcon Query Language (FQL)
+  #
+  # Optional string.
+  # Default value:
+  sort = null
+}
+```

docs/plugins/plugins.json

@@ -165,6 +165,21 @@
           "limit"
         ]
       },
+      {
+        "name": "falcon_intel_indicators",
+        "type": "data-source",
+        "config_params": [
+          "client_cloud",
+          "client_id",
+          "client_secret",
+          "member_cid"
+        ],
+        "arguments": [
+          "filter",
+          "limit",
+          "sort"
+        ]
+      },
       {
         "name": "falcon_vulnerabilities",
         "type": "data-source",

examples/templates/crowdstrike/data_falcon_cspm_ioms.fabric

@@ -15,7 +15,7 @@ document "cspm_ioms" {
         client_secret = ""
         client_cloud = "eu-1"
     }
-    size = 100
+    limit = 100
   }
 
   title = "List of CSPM IOMS"

examples/templates/crowdstrike/data_falcon_detection_details.fabric

@@ -9,7 +9,7 @@ document "detection_details" {
         client_secret = "7X1M6lI4PtU9v5ObmJ8HCSB2jnLqzfacpGx30NWD"
         client_cloud = "eu-1"
     }
-    size = 100
+    limit = 100
   }
 
   title = "List of Detections"

examples/templates/crowdstrike/data_falcon_intel_indicators.fabric

@@ -0,0 +1,38 @@
+fabric {
+    plugin_versions = {
+        "blackstork/crowdstrike" = ">= 0.4 < 1.0 || 0.4.0-rev0"
+    }
+}
+
+document "intel_indicators" {
+  meta {
+    name = "example_document"
+  }
+
+  data falcon_intel_indicators "indicators" {
+    config {
+        client_id = ""
+        client_secret = ""
+        client_cloud = "eu-1"
+    }
+    limit = 100
+  }
+
+  title = "List of Intel Indicators"
+
+  content table {
+        rows = query_jq(".data.falcon_intel_indicators.indicators")
+        columns = [
+            {
+                "header" = "Id"
+                "value"  = "{{.row.value.id}}"
+            },
+            {
+                "header" = "Indicator"
+                "value"  = "{{.row.value.indicator}}"
+            }
+        ]
+  }
+
+}
+

internal/crowdstrike/data_falcon_intel_indicators.go

@@ -0,0 +1,95 @@
+package crowdstrike
+
+import (
+	"context"
+
+	"github.com/crowdstrike/gofalcon/falcon"
+	"github.com/crowdstrike/gofalcon/falcon/client/intel"
+	"github.com/hashicorp/hcl/v2"
+	"github.com/zclconf/go-cty/cty"
+
+	"github.com/blackstork-io/fabric/pkg/diagnostics"
+	"github.com/blackstork-io/fabric/plugin"
+	"github.com/blackstork-io/fabric/plugin/dataspec"
+	"github.com/blackstork-io/fabric/plugin/dataspec/constraint"
+	"github.com/blackstork-io/fabric/plugin/plugindata"
+)
+
+func makeFalconIntelIndicatorsDataSource(loader ClientLoaderFn) *plugin.DataSource {
+	return &plugin.DataSource{
+		Doc:      "The `falcon_intel_indicators` data source fetches intel indicators from Falcon API.",
+		DataFunc: fetchFalconIntelIndicatorsData(loader),
+		Config:   makeDataSourceConfig(),
+		Args: &dataspec.RootSpec{
+			Attrs: []*dataspec.AttrSpec{
+				{
+					Name:        "limit",
+					Type:        cty.Number,
+					Constraints: constraint.Integer,
+					DefaultVal:  cty.NumberIntVal(10),
+					Doc:         "limit the number of queried items",
+				},
+				{
+					Name: "filter",
+					Type: cty.String,
+					Doc:  " Indicators filter expression using Falcon Query Language (FQL)",
+				},
+				{
+					Name: "sort",
+					Type: cty.String,
+					Doc:  " Indicators sort expression using Falcon Query Language (FQL)",
+				},
+			},
+		},
+	}
+}
+
+func fetchFalconIntelIndicatorsData(loader ClientLoaderFn) plugin.RetrieveDataFunc {
+	return func(ctx context.Context, params *plugin.RetrieveDataParams) (plugindata.Data, diagnostics.Diag) {
+		cli, err := loader(makeApiConfig(ctx, params.Config))
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Unable to create falcon client",
+				Detail:   err.Error(),
+			}}
+		}
+		limit, _ := params.Args.GetAttrVal("limit").AsBigFloat().Int64()
+		apiParams := intel.NewQueryIntelIndicatorEntitiesParams().WithDefaults()
+		apiParams.SetLimit(&limit)
+		apiParams.SetContext(ctx)
+		if filter := params.Args.GetAttrVal("filter"); !filter.IsNull() {
+			filterStr := filter.AsString()
+			apiParams.SetFilter(&filterStr)
+		}
+		if sort := params.Args.GetAttrVal("sort"); !sort.IsNull() {
+			sortStr := sort.AsString()
+			apiParams.SetSort(&sortStr)
+		}
+		response, err := cli.Intel().QueryIntelIndicatorEntities(apiParams)
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to fetch Falcon Intel Indicators",
+				Detail:   err.Error(),
+			}}
+		}
+		if err = falcon.AssertNoError(response.GetPayload().Errors); err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to fetch Falcon Intel Indicators",
+				Detail:   err.Error(),
+			}}
+		}
+		events := response.GetPayload().Resources
+		data, err := encodeResponse(events)
+		if err != nil {
+			return nil, diagnostics.Diag{{
+				Severity: hcl.DiagError,
+				Summary:  "Failed to parse response",
+				Detail:   err.Error(),
+			}}
+		}
+		return data, nil
+	}
+}