Merge pull request #115 from makr11st/feature/add_custom_ioas_example

Add example to fetch custom IOAs with filters.

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Example: Falcon Custom IOAs
 - Change log using Keep a Changelog format
 
 ## [<= 0.3.x] - Historical

examples/README.md

@@ -12,6 +12,7 @@ Some examples available here are rather similar to the [gofalcon (Golang-based S
 4. [Spotlight Vulnerabilities](#falcon_spotlight_vulnerabilities)
 5. [Intel Indicators](#intel_indicators)
 6. [Supported Kernels](#falcon_supported_kernels)
+7. [Falcon Custom IOAs](#falcon_custom_ioas)
 
 ### simple
 
@@ -111,3 +112,38 @@ Supported kernels example:
 FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD="us-2" \
      cargo run --example falcon_supported_kernels -- --distro=rhel9 --arch=aarch64
 ```
+
+### falcon_custom_ioas
+
+[falcon_custom_ioas.rs](falcon_custom_ioas.rs)
+
+This example shows listing of the custom IOAs.
+The cli allows to provide parameters to the call to sort or filter the results, more details can be found in the API documentation.
+
+```bash
+Options:
+  -f, --filter <FILTER>
+  -s, --sort <SORT>
+  -q, --query <QUERY>
+  -l, --limit <LIMIT>    [default: 100]
+```
+
+To run the example:
+
+```bash
+FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD="us-2" \
+     cargo run --example falcon_custom_ioas
+```
+
+Sorted by `created_on`:
+
+```bash
+FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD="us-2" \
+cargo run --example falcon_custom_ioas -- --sort created_on
+```
+
+Filtered by `enabled`:
+
+```bash
+cargo run --example falcon_custom_ioas -- --filter enabled:true
+```

examples/falcon_custom_ioas.rs

@@ -0,0 +1,71 @@
+use clap::Parser;
+
+use rusty_falcon::{
+    apis::custom_ioa_api::{get_rule_groups_mixin0, query_rule_groups_mixin0},
+    easy::client::FalconHandle,
+};
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+    #[arg(short, long)]
+    filter: Option<String>,
+
+    #[arg(short, long)]
+    sort: Option<String>,
+
+    #[arg(short, long)]
+    query: Option<String>,
+
+    #[arg(short, long, default_value_t = 100, value_parser = clap::value_parser!(u16).range(1..=500))]
+    limit: u16,
+}
+
+#[tokio::main]
+async fn main() {
+    let args = Args::parse();
+
+    let falcon = FalconHandle::from_env()
+        .await
+        .expect("Could not authenticate with CrowdStrike API");
+
+    let mut details = vec![];
+    let mut offset = 0;
+    loop {
+        let response = query_rule_groups_mixin0(
+            &falcon.cfg,
+            args.sort.as_deref(),
+            args.filter.as_deref(),
+            args.query.as_deref(),
+            Some(offset.to_string().as_str()),
+            Some(args.limit.into()),
+        )
+        .await
+        .expect("Could not fetch CCID");
+
+        if !response.errors.is_empty() {
+            eprintln!(
+                "Errors occurred while getting Falcon CCID: {:?}",
+                response.errors
+            );
+            std::process::exit(1);
+        }
+
+        if response.resources.is_empty() {
+            eprintln!("No CCID returned");
+            break;
+        }
+
+        let details_response = get_rule_groups_mixin0(&falcon.cfg, response.resources)
+            .await
+            .map(|detail| detail.resources.into_iter().collect::<Vec<_>>());
+        details.extend(details_response);
+
+        offset = match response.meta.pagination {
+            Some(pagination) if pagination.offset < pagination.total as i32 => pagination.offset,
+            _ => break,
+        };
+    }
+
+    println!("{}", serde_json::to_string_pretty(&details).unwrap());
+}