
FQL generation engine for Caracara

Project description


Caracara Filters


A new filter system for Caracara.

Caracara's previous filter system was inflexible and tailored too heavily toward the Hosts API module. This project provides an FQL generator that is dialect-aware: the set of available filters, and how each one is validated and transformed, depends on the API module the request will be sent to.

Basic Concepts

Instead of declaring each filter as a class, filters are now defined as dictionaries, which are significantly easier to work with. Dynamic behaviour is provided by storing (partial) functions in each filter dictionary, for example a validator or a transform bound to filter-specific arguments.

Each filter derives from the 'default' / base filter, which is configured with an identity transform and a validator that return the input value and True, respectively, and expects a string input. These settings can be overridden per filter and are applied when a filter is added to the FQLGenerator object. We call this process rebasing: each filter's smaller dictionary is laid over the top of the default filter, ensuring that every expected key is present even when the filter only specifies the keys that differ.

When a filter is created, the input goes through these processing stages:

  • Validation: the filter's input is passed to a validation function that always returns a bool. True means the input is valid; False raises a ValueError. The input type is also checked at this stage, and an incorrect input type raises a TypeError.
  • Transformation: each filter value can be transformed from a human-defined input into something machine-readable, expected by the API. For example, relative timestamps (such as -30m) are transformed to a UTC ISO8601 timestamp ready for the Falcon API, and Containment Pending is rewritten to containment_pending as expected by the Hosts API.
  • Storage: the validated, transformed input is stored alongside the FQL property name and the operator (e.g., equality, >=, etc.), ready for FQL generation.

When FQL is generated, each filter is converted to FQL individually, and the resulting terms are chained together with + (FQL's AND operator) to form a single AND condition.

Limitations

We currently only support a limited subset of FQL. For example:

  • We can generate a condition like "all systems that run Windows or Linux, AND have an IP address in the range 192.168.0.0/16 OR 10.0.0.0/8".
  • We cannot generate a condition like "all systems that run Windows AND have an IP address in the 192.168.0.0/16 range, as well as all Linux systems in the 10.0.0.0/8 range".

The latter is out of scope, as it requires grouping filters into nested sub-expressions rather than a flat AND. You can get the same effect yourself by creating two FQL generators, wrapping each generator's output in parentheses, and joining the two groups with ','.join(), since ',' is FQL's OR operator; joining them with '+' would instead AND the two groups together, which is not what that query asks for.
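The following is an added example, not caracara-filters' own code, that implements the design described in the Basic Concepts section (dictionary filters rebased over a default filter, then validation, transformation and storage before FQL is emitted) and the parenthesised-union workaround from the Limitations section. The dialect table, the FQL property names (platform_name, status, last_seen), the '-30m' relative-timestamp shape and the method names are assumptions made for illustration; Status stands in for the IP-range filter of the limitation example because CIDR handling is not described on this page.

```python
"""Toy FQL generator built around the design described above (dictionary
filters rebased over a default, then validate -> transform -> store -> emit).
Added example, not caracara-filters' own code: the dialect table, the FQL
property names and the '-30m' relative-timestamp shape are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from functools import partial
from typing import Any, Dict, List, Optional, Tuple

# The 'default' / base filter: identity transform, always-true validator,
# string input. Concrete filters are rebased over it so every key exists.
DEFAULT_FILTER: Dict[str, Any] = {
    "fql": None,                     # FQL property name; must be overridden
    "input_type": str,
    "validator": lambda value: True,
    "transform": lambda value: value,
    "operator": "",                  # "" is FQL equality; e.g. ">=" otherwise
}

_RELATIVE = re.compile(r"^-(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for tests


def relative_to_iso8601(value: str, now: Optional[datetime] = None) -> str:
    """Transform a relative offset such as '-30m' into a UTC ISO8601 timestamp."""
    match = _RELATIVE.match(value)
    if match is None:
        raise ValueError(f"not a relative timestamp: {value!r}")
    offset = timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])
    return ((now or datetime.now(timezone.utc)) - offset).strftime("%Y-%m-%dT%H:%M:%SZ")


def member_of(allowed: set, value: str) -> bool:
    """Generic validator; bound to a concrete set with functools.partial below."""
    return value in allowed


# Dialect table: human filter name -> *partial* filter dictionary. Only keys
# that differ from DEFAULT_FILTER are spelled out; rebase() fills in the rest.
DIALECTS: Dict[str, Dict[str, Dict[str, Any]]] = {
    "hosts": {
        "OS": {"fql": "platform_name",
               "validator": partial(member_of, {"Windows", "Linux", "Mac"})},
        "Status": {"fql": "status",  # "Containment Pending" -> containment_pending
                   "transform": lambda v: v.strip().lower().replace(" ", "_")},
        "LastSeen": {"fql": "last_seen", "operator": ">=",
                     "validator": lambda v: _RELATIVE.match(v) is not None,
                     "transform": relative_to_iso8601},
    },
}


def rebase(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Lay a partial filter over DEFAULT_FILTER so every expected key is present."""
    return {**DEFAULT_FILTER, **spec}


class FQLGenerator:
    def __init__(self, dialect: str) -> None:
        if dialect not in DIALECTS:
            raise ValueError(f"unknown dialect: {dialect}")
        self.filters = {name: rebase(spec) for name, spec in DIALECTS[dialect].items()}
        self._stored: List[Tuple[str, str, List[str]]] = []  # (property, operator, values)

    def create_new_filter(self, name: str, value: Any) -> None:
        spec = self.filters[name]
        values = value if isinstance(value, list) else [value]
        transformed: List[str] = []
        for item in values:
            # Validation: wrong type -> TypeError, validator returning False -> ValueError.
            if not isinstance(item, spec["input_type"]):
                raise TypeError(f"{name}: expected {spec['input_type'].__name__}")
            if not spec["validator"](item):
                raise ValueError(f"{name}: invalid value {item!r}")
            # Transformation: human-friendly input -> what the API expects.
            transformed.append(spec["transform"](item))
        # Storage: keep the property name and operator next to the values.
        self._stored.append((spec["fql"], spec["operator"], transformed))

    def get_fql(self) -> str:
        """One term per filter, ANDed with '+'. A filter holding several values
        becomes a parenthesised ','-separated list, which is FQL's OR."""
        terms = []
        for prop, op, values in self._stored:
            alts = [f"{prop}:{op}'{v}'" for v in values]
            terms.append(alts[0] if len(alts) == 1 else "(" + ",".join(alts) + ")")
        return "+".join(terms)


def union(*generators: FQLGenerator) -> str:
    """Workaround for the limitation above: parenthesise each generator's FQL
    and join the groups with ',' (OR). Joining with '+' would AND them instead."""
    return ",".join(f"({g.get_fql()})" for g in generators)


def rejection(name: str, value: Any) -> Optional[type]:
    """Return the exception class a bad input raises, or None if it is accepted."""
    try:
        FQLGenerator("hosts").create_new_filter(name, value)
    except (TypeError, ValueError) as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    gen = FQLGenerator("hosts")
    gen.create_new_filter("OS", ["Windows", "Linux"])
    gen.create_new_filter("Status", "Containment Pending")
    gen.create_new_filter("LastSeen", "-30m")
    print(gen.get_fql())
```

Note that validation runs before transformation, so a transform never sees input it was not written for; the LastSeen validator rejects anything that is not a relative offset before relative_to_iso8601 is called. The `rejection` helper exists only to make the TypeError/ValueError behaviour observable without a test framework.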

Download files


Source Distribution

caracara_filters-0.1.4.tar.gz (13.0 kB, Source)

Built Distribution

caracara_filters-0.1.4-py3-none-any.whl (18.2 kB, Python 3)

File details

Details for the file caracara_filters-0.1.4.tar.gz.

File metadata

  • Download URL: caracara_filters-0.1.4.tar.gz
  • Size: 13.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: poetry/1.6.1 CPython/3.9.17 Linux/5.15.0-1041-azure

File hashes

Hashes for caracara_filters-0.1.4.tar.gz
Algorithm Hash digest
SHA256 5d28a3be0c8d88f6b03555f2aff7530b6dd55f9fa43ae570a3c5fea5123651af
MD5 1e6da4eaac7107890ebdb7d72bdaec74
BLAKE2b-256 54fc78b3bf99cd8b9488f65c2512f87532d211f8cf2290422dfd8ee6dd7aa5c3


File details

Details for the file caracara_filters-0.1.4-py3-none-any.whl.

File metadata

  • Download URL: caracara_filters-0.1.4-py3-none-any.whl
  • Size: 18.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: poetry/1.6.1 CPython/3.9.17 Linux/5.15.0-1041-azure

File hashes

Hashes for caracara_filters-0.1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 d9a39510cc40cfc2cf9f6115314bb65acd71af96eb662e6b93a3c1262ca97ef8
MD5 d894c19feb2d57a838d977c2b7fdffa8
BLAKE2b-256 115d1b342b03831411c6626ffff00775ad23f93a84c6881ffd1a9c0f0b49b27d

