ZentrixLabs.FalconSdk
1.1.5
dotnet add package ZentrixLabs.FalconSdk --version 1.1.5
ZentrixLabs.FalconSdk
A lightweight, MIT-licensed .NET 9 SDK for querying CrowdStrike Falcon data using their OAuth2 API.
This SDK is designed to simplify local telemetry analysis, patch readiness, and device visibility by abstracting Falcon's token and device API interactions.
Features
Supports:
- OAuth2 token generation from API keys
Supported API Endpoints
Purpose | Falcon API Endpoint |
---|---|
Device search | /devices/queries/devices/v1 |
Device details | /devices/entities/devices/v2 |
Host groups | /devices/entities/host-groups/v1 |
Vulnerabilities by filter | /spotlight/queries/vulnerabilities/v1 |
Vulnerabilities by ID | /spotlight/entities/vulnerabilities/v1 |
Vulnerability hosts | /spotlight/combined/hosts/v1 |
Vulnerability remediations | /spotlight/combined/remediations/v1 |
Vulnerability counts | /spotlight/queries/vulnerabilities/v1 |
Vulnerability host counts | /spotlight/queries/hosts/v1 |
Vulnerability remediation counts | /spotlight/queries/remediations/v1 |
Vulnerability evaluation logic | /spotlight/entities/evaluation-logic/v1 |
Alerts search (IDs) | /alerts/queries/alerts/v1 |
Alert details | /alerts/entities/alerts/v2 |
Not yet implemented:
- Streaming detections or real-time event subscriptions
- Threat Graph, incidents, or host group mutations
- Retry logic or circuit breaker support
- Built-in structured logging or telemetry
Requirements
You need:
- A CrowdStrike Falcon API key with the following permissions:
  - Hosts: Read
  - Host Groups: Read
  - Assets: Read
  - Vulnerabilities: Read
  - Alerts: Read
You can create an API key with these permissions in the Falcon console.
Notes
- Pagination: Some endpoints (e.g., devices/queries, spotlight, alerts) require handling of scroll tokens or next tokens for pagination.
- The user creating the key must have the necessary permissions to grant these scopes (Vulnerability Manager, Device Control, etc.).
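The pagination note above, as an added example that is not part of the SDK: a loop that follows offset-based pages until the reported total is reached, so a truncated first page is not mistaken for the full device inventory. `Pager`, `CollectIdsAsync` and `fetchPage` are hypothetical names, the `meta.pagination` offset/total envelope is assumed for `/devices/queries/devices/v1`, and the sample pages are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;

// Constructed sample pages in the offset/total envelope assumed for
// /devices/queries/devices/v1; the IDs are made up.
var pages = new Dictionary<int, string>
{
    [0] = """{"meta":{"pagination":{"offset":0,"limit":2,"total":3}},"resources":["aid-1","aid-2"],"errors":[]}""",
    [2] = """{"meta":{"pagination":{"offset":2,"limit":2,"total":3}},"resources":["aid-3"],"errors":[]}""",
};
var ids = await Pager.CollectIdsAsync(offset => Task.FromResult(pages[offset]));
Console.WriteLine(string.Join(", ", ids));

static class Pager
{
    // fetchPage is a hypothetical callback: given an offset, it returns the raw
    // JSON body of one query call (in real use, an authenticated HTTP GET).
    public static async Task<List<string>> CollectIdsAsync(
        Func<int, Task<string>> fetchPage, int maxPages = 1000)
    {
        var ids = new List<string>();
        int offset = 0;
        for (int page = 0; page < maxPages; page++)
        {
            using var doc = JsonDocument.Parse(await fetchPage(offset));
            var root = doc.RootElement;
            // Fail closed on API errors instead of returning a partial inventory.
            if (root.TryGetProperty("errors", out var errs) &&
                errs.ValueKind == JsonValueKind.Array && errs.GetArrayLength() > 0)
                throw new InvalidOperationException($"Falcon API error: {errs}");

            var resources = root.GetProperty("resources");
            foreach (var r in resources.EnumerateArray())
                if (r.GetString() is string id) ids.Add(id);

            int total = root.GetProperty("meta").GetProperty("pagination")
                            .GetProperty("total").GetInt32();
            offset += resources.GetArrayLength();
            // Stop when everything is read, or on an empty page (avoids looping forever).
            if (offset >= total || resources.GetArrayLength() == 0)
                return ids;
        }
        throw new InvalidOperationException("Page limit reached; result set incomplete.");
    }
}
```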
Setting Up Your API Key
From the Falcon console:
- Go to Support > API Clients and Keys
- Create a new key and grant the above permissions
Example: Basic Usage
```csharp
// Placeholder credentials: load real values from a secret store or
// environment variables rather than committing them to source.
var options = new CrowdStrikeOptions
{
    ClientId = "your-client-id",
    ClientSecret = "your-client-secret"
};

// Exchange the API key for an OAuth2 token.
var auth = new CrowdStrikeAuthService(options);
var token = await auth.GetTokenAsync();

// Device example: query device IDs, then fetch details for them.
var deviceService = new CrowdStrikeDeviceService(auth);
var deviceIds = await deviceService.GetDeviceIdsAsync();
var devices = await deviceService.GetDeviceDetailsAsync(deviceIds);

// Spotlight example.
// httpClient and logger are not defined in this snippet; the caller must supply them.
var spotlightService = new CrowdStrikeSpotlightService(httpClient, auth, options, logger);
var vulnIds = await spotlightService.GetVulnerabilityIdsForHostAsync("host-aid");
var vulnDetails = await spotlightService.GetVulnerabilityDetailsAsync("host-aid", vulnIds.Data);

// Alerts example: query alert IDs, then fetch details for them.
var alertService = new AlertService(httpClient, auth, options, logger);
var alertIds = await alertService.GetAlertIdsAsync();
var alertDetails = await alertService.GetAlertDetailsAsync(alertIds.Data);
```
Install from NuGet
dotnet add package ZentrixLabs.FalconSdk
Test Coverage
This SDK is currently distributed without bundled unit tests.
Community contributions are encouraged; feel free to fork and add coverage using xUnit.
License
This project is licensed under the MIT License.
You are free to use, modify, and distribute it, including in commercial products, with attribution.
More from ZentrixLabs
Explore our tools, apps, and developer blog at zentrixlabs.net
Licensed under the MIT License by ZentrixLabs.
Acknowledgments
- This SDK would not have been possible without the work already done by the team behind the PSFalcon module and the Falcon SDK.
We extend our thanks to the CrowdStrike API community for their support and documentation.
Contributing
Pull requests are welcome!
Please fork the repository, make your changes, and submit a pull request.
Ensure changes are well-tested and match the project's security-first standards.
This SDK will continue to evolve to encompass more features and services from the CrowdStrike Falcon API.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net9.0
  - Microsoft.Extensions.DependencyInjection (>= 9.0.5)
  - Microsoft.Extensions.Http (>= 9.0.5)
  - Microsoft.Extensions.Options (>= 9.0.5)
  - System.Text.Json (>= 9.0.5)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.