Caracara

A friendly wrapper to help you interact with the CrowdStrike Falcon API. Less code, less fuss, better performance, and full interoperability with FalconPy.

• Features
• Installation
• Basic Usage
• Examples
• Documentation
• Contributing

Features

A few of the developer experience enhancements provided by the Caracara toolkit include: | Feature | Details | | :--- | :--- | | Automatic pagination with concurrency | Caracara will handle all request pagination for you, so you do not have to think about things like batch sizes, batch tokens or parallelisation. Caracara will also multithread batch data retrieval requests where possible, dramatically reducing data retrieval times for large datasets such as host lists. | | Friendly to your IDE (and you!) | Caracara is written with full support for IDE autocomplete in mind. We have tested autocomplete in Visual Studio Code and PyCharm, and will accept issues and patches for more IDE support where needed. Furthermore, all code, where possible, is written with type hints so you can be confident in parameters and return values. | | Logging | Caracara is built with the in-box logging library provided with Python 3. Simply set up your logging handlers in your main code file, and Caracara will forward over debug, info and error logs as they are produced. Note that the debug logs are very verbose, and we recommend writing these outputs to a file as opposed to the console when retrieving large amounts of lightly filtered data. | | Real Time Response (RTR) batch session abstraction | Caracara provides a rich interface to RTR session batching, allowing you to connect to as many hosts as possible. Want to download a specific file from every system in your Falcon tenant? Caracara will even extract it from the .7z container for you. | | Rich and detailed sample code | Every module of Caracara comes bundled with executable, fully configurable code samples that address frequent use cases. All samples are built around a common structure allowing for code reuse and easy reading. Just add your API credentials to config.yml, and all samples will be ready to go. | | Simple filter syntax | Caracara provides an object-orientated Falcon Query Language (FQL) generator. The FalconFilter object lets you specify filters such as Hostname, OS and Role, automatically converting them to valid FQL. Never write a FQL filter yourself again! | | Single authentication point of entry | Authenticate once and have access to every module. | | 100% FalconPy compatibility | Caracara is built on FalconPy, and can even be configured with a FalconPy OAuth2 object via the auth_object constructor parameter, allowing you to reuse FalconPy authentication objects across Caracara and FalconPy. Authenticate once with FalconPy, and access every feature of FalconPy and Caracara. |

Installation Instructions

Caracara supports all major Python packaging solutions. Instructions for Poetry and Pip are provided below.

Caracara supports Python versions that are still supported by the Python Software Foundation, i.e., Python 3.8 and up.

Basic Usage Examples

```python """List Windows devices.

This example will use the API credentials provided as keywords to list the IDs and hostnames of all systems within your Falcon tenant that run Windows. """

from caracara import Client

client = Client( clientid="12345abcde", clientsecret="67890fghij", )

filters = client.FalconFilter() filters.createnewfilter("OS", "Windows")

responsedata = client.hosts.describedevices(filters) print(f"Found {len(response_data)} devices running Windows")

for deviceid, devicedata in responsedata.items(): hostname = devicedata.get("hostname", "Unknown Hostname") print(f"{device_id} - {hostname}") ```

You can also leverage the built in context manager and environment variables.

```python """List stale sensors.

This example will use the API credentials set in the environment to list the hostnames and IDs of all systems within your Falcon tenant that have not checked into your CrowdStrike tenant within the past 7 days.

This is determined based on the filter LastSeen less than or equal (LTE) to 7 days ago (-7d). """

from caracara import Client

with Client(clientid="${CLIENTIDENVVARIABLE}", clientsecret="${CLIENTSECRETENVVARIABLE}") as client: filters = client.FalconFilter() filters.createnewfilter("LastSeen", "-7d", "LTE") responsedata = client.hosts.describedevices(filters)

print(f"Found {len(response_data)} stale devices")

for deviceid, devicedata in responsedata.items(): hostname = devicedata.get("hostname", "Unknown Hostname") print(f"{device_id} - {hostname}") ```

Examples Collection

Each API wrapper is provided alongside example code. Cloning or downloading/extracting this repository allows you to execute examples directly.

Using the examples collection requires that you install our Python packaging tool of choice, Poetry. Please refer to the Poetry project's installation guide if you do not yet have Poetry installed.

Once Poetry is installed, make sure you run poetry install within the root repository folder to set up the Python virtual environment.

To configure the examples, first copy examples/config.example.yml to examples/config.yml. Then, add your API credentials and example-specific settings to examples/config.yml. Once you have set up profiles for each Falcon tenant you want to test with, execute examples using one of the two options below.

Executing the Examples

There are two ways to use Poetry to execute the examples.

Documentation

Coming soon!

Contributing

Interested in taking part in the development of the Caracara project? Start here.

Why Caracara?

Simple! We like birds at CrowdStrike, so what better bird to name a Python project after one that eats just about anything, including snakes :)