https://github.com/crowdstrike/caracara-filters

A new filter backend for Caracara

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (13.0%) to scientific vocabulary

Keywords

api caracara crowdstrike-apis crowdstrike-falcon crowdstrike-falconpy falconpy falconpy-tools python python3 sdk

Keywords from Contributors

archival projection profiles interactive sequences generic observability autograding hacking shellcodes
Last synced: 5 months ago

Repository

A new filter backend for Caracara

Basic Info
  • Host: GitHub
  • Owner: CrowdStrike
  • License: mit
  • Language: Python
  • Default Branch: main
  • Homepage:
  • Size: 197 KB
Statistics
  • Stars: 2
  • Watchers: 6
  • Forks: 2
  • Open Issues: 1
  • Releases: 8
Topics
api caracara crowdstrike-apis crowdstrike-falcon crowdstrike-falconpy falconpy falconpy-tools python python3 sdk
Created over 2 years ago · Last pushed 10 months ago
Metadata Files
Readme License

README.md

Caracara Filters

A new filter system for Caracara.

Caracara's previous filter system was inflexible, and tailored too heavily toward the Hosts API module. This project aims to provide an FQL generator that is dialect-aware (i.e., contextual, based on the API module that the request will be sent to).

Basic Concepts

Instead of declaring each filter as a class, we now define them in a dictionary, which is significantly easier to work with. Dynamic functionality is provided by storing (partial) functions in each filter's dictionary entry.

Each filter derives from the 'default' / base filter, which expects a string input and is configured with an identity transform (returns the input value unchanged) and an identity validator (always returns True). These settings can be overridden per filter, and are enforced when a filter is added to the FQLGenerator object. We call this process rebasing: each filter's smaller dictionary is rebased over the top of the default filter, so every expected key is guaranteed to be present.

When a filter is created, the input goes through these processing stages:

  • Validation: the filter's input is passed into a validation function that always returns a bool. True means that the input is valid, and False will raise a ValueError exception. At this stage, we also validate the input type; incorrect input types will result in a TypeError.
  • Transformation: each filter value can be transformed from a human-defined input into something machine-readable, expected by the API. For example, relative timestamps (such as -30m) are transformed to a UTC ISO8601 timestamp ready for the Falcon API, and Containment Pending is rewritten to containment_pending as expected by the Hosts API.
  • Storage: the validated, transformed input is stored alongside the FQL property name and the operator (e.g., equality, >=, etc.), ready for FQL generation.

When FQL is generated, each filter is iterated over and converted to FQL individually, and the results are then chained together with + to form an AND condition.

Limitations

We currently only support a limited subset of FQL. For example:

  • We can generate a condition like "all systems that run Windows or Linux, AND have an IP address in the range 192.168.0.0/16 OR 10.0.0.0/8".
  • We cannot generate a condition like "all systems that run Windows AND have an IP address in the 192.168.0.0/16 range, as well as all Linux systems in the 10.0.0.0/8 range".

The latter is out of scope as it requires chaining together multiple filters. You can effectively create this functionality for yourself by creating two FQL generators, wrapping their outputs in parentheses, and chaining them together with a '+'.join().
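As an added illustration (not the project's own code), here is the pipeline above (rebasing, validation, transformation, storage, FQL generation) together with the two-generator workaround, reduced to a small Python model. The Hosts dialect, the filter names, the relative-offset grammar and the fixed clock FIXED_NOW are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from functools import partial
from typing import Any, Dict, List, Tuple

# Constructed fixed clock so the relative-timestamp transform is deterministic.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# The 'default' / base filter: string input, identity validator and transform, equality.
DEFAULT_FILTER: Dict[str, Any] = {
    "fql": None, "type": str, "operator": "",
    "validator": lambda v: True,
    "transform": lambda v: v,
}

def relative_to_iso8601(value: str, now: datetime) -> str:
    """Transform a relative offset such as -30m into a UTC ISO 8601 timestamp."""
    unit = {"m": "minutes", "h": "hours", "d": "days"}[value[-1]]
    return (now + timedelta(**{unit: int(value[:-1])})).strftime("%Y-%m-%dT%H:%M:%SZ")

def is_relative_offset(value: str) -> bool:
    return value.startswith("-") and value[-1] in "mhd" and value[1:-1].isdigit()

# Hypothetical Hosts dialect: small dicts rebased over DEFAULT_FILTER; only differing keys are listed.
HOSTS_DIALECT: Dict[str, Dict[str, Any]] = {
    "OS": {"fql": "platform_name", "validator": lambda v: v in ("Windows", "Linux", "Mac")},
    "Status": {"fql": "status", "transform": lambda v: v.lower().replace(" ", "_")},
    "LastSeen": {"fql": "last_seen", "operator": ">=", "validator": is_relative_offset,
                 "transform": partial(relative_to_iso8601, now=FIXED_NOW)},
}

class FQLGenerator:
    def __init__(self, dialect: Dict[str, Dict[str, Any]]):
        self.dialect = dialect
        self.filters: List[Tuple[str, str, str]] = []  # (property, operator, value)

    def create_new_filter(self, name: str, value: Any) -> None:
        spec = {**DEFAULT_FILTER, **self.dialect[name]}  # rebasing
        if not isinstance(value, spec["type"]):  # type check -> TypeError
            raise TypeError(f"{name}: expected {spec['type'].__name__}, got {type(value).__name__}")
        if not spec["validator"](value):  # validation -> ValueError
            raise ValueError(f"{name}: {value!r} failed validation")
        self.filters.append((spec["fql"], spec["operator"], spec["transform"](value)))  # storage

    def get_fql(self) -> str:
        # Each stored filter becomes property:operator'value'; '+' chains them as an AND.
        return "+".join(f"{prop}:{op}'{val}'" for prop, op, val in self.filters)

def chain_generators(generators: List[FQLGenerator], connective: str = "+") -> str:
    """README workaround: wrap each generator's FQL in parentheses and join the pieces."""
    return connective.join(f"({g.get_fql()})" for g in generators)
```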

Owner

  • Name: CrowdStrike
  • Login: CrowdStrike
  • Kind: organization
  • Email: github@crowdstrike.com
  • Location: United States of America

GitHub Events

Total
  • Create event: 12
  • Release event: 1
  • Issues event: 6
  • Delete event: 12
  • Member event: 1
  • Issue comment event: 12
  • Push event: 12
  • Pull request review comment event: 9
  • Pull request review event: 8
  • Pull request event: 25
  • Fork event: 1
Last Year
  • Create event: 12
  • Release event: 1
  • Issues event: 6
  • Delete event: 12
  • Member event: 1
  • Issue comment event: 12
  • Push event: 12
  • Pull request review comment event: 9
  • Pull request review event: 8
  • Pull request event: 25
  • Fork event: 1

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 65
  • Total Committers: 4
  • Avg Commits per committer: 16.25
  • Development Distribution Score (DDS): 0.231
Past Year
  • Commits: 37
  • Committers: 4
  • Avg Commits per committer: 9.25
  • Development Distribution Score (DDS): 0.405
Top Committers
Name Email Commits
Chris Hammond c****d@c****m 50
Atte Niemi a****i@c****m 10
dependabot[bot] 4****] 4
Elias Griffith 1****0 1
Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 8
  • Total pull requests: 33
  • Average time to close issues: 25 days
  • Average time to close pull requests: 14 days
  • Total issue authors: 2
  • Total pull request authors: 4
  • Average comments per issue: 0.0
  • Average comments per pull request: 0.61
  • Merged pull requests: 18
  • Bot issues: 0
  • Bot pull requests: 16
Past Year
  • Issues: 5
  • Pull requests: 27
  • Average time to close issues: about 1 month
  • Average time to close pull requests: 18 days
  • Issue authors: 2
  • Pull request authors: 4
  • Average comments per issue: 0.0
  • Average comments per pull request: 0.74
  • Merged pull requests: 12
  • Bot issues: 0
  • Bot pull requests: 16
Top Authors
Issue Authors
  • ChristopherHammond13 (6)
  • hur (1)
  • dependabot[bot] (1)
Pull Request Authors
  • dependabot[bot] (21)
  • ChristopherHammond13 (14)
  • bb00 (2)
  • hur (2)
Top Labels
Issue Labels
enhancement (4) bug (1) dependencies (1) github_actions (1)
Pull Request Labels
dependencies (21) python (18) enhancement (6) github_actions (3)

Packages

  • Total packages: 1
  • Total downloads:
    • pypi 371 last-month
  • Total dependent packages: 1
  • Total dependent repositories: 0
  • Total versions: 8
  • Total maintainers: 1
pypi.org: caracara-filters

FQL generation engine for Caracara

  • Versions: 8
  • Dependent Packages: 1
  • Dependent Repositories: 0
  • Downloads: 371 Last month
Rankings
Dependent packages count: 7.5%
Downloads: 10.4%
Average: 30.0%
Forks count: 30.2%
Stargazers count: 32.2%
Dependent repos count: 69.8%
Maintainers (1)
Last synced: 6 months ago

Dependencies

.github/workflows/code-quality.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
.github/workflows/release-deploy.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
poetry.lock pypi
  • astroid 2.15.6
  • colorama 0.4.6
  • coverage 7.2.7
  • dill 0.3.7
  • exceptiongroup 1.1.3
  • flake8 5.0.4
  • freezegun 1.2.2
  • importlib-metadata 4.2.0
  • iniconfig 2.0.0
  • isort 5.11.5
  • lazy-object-proxy 1.9.0
  • mccabe 0.7.0
  • packaging 23.1
  • platformdirs 3.10.0
  • pluggy 1.2.0
  • pycodestyle 2.9.1
  • pydocstyle 6.3.0
  • pyflakes 2.5.0
  • pylint 2.17.5
  • pytest 7.4.0
  • python-dateutil 2.8.2
  • six 1.16.0
  • snowballstemmer 2.2.0
  • tomli 2.0.1
  • tomlkit 0.12.1
  • typed-ast 1.5.5
  • typing-extensions 4.7.1
  • wrapt 1.15.0
  • zipp 3.15.0
pyproject.toml pypi
  • python ^3.7.2