Add Falcon ZTA example

CHANGELOG.md

@@ -11,8 +11,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Falcon ZTA example
 - Change log using Keep a Changelog format
 
+### Fixed
+
+- Use `MsaspecPeriodMetaInfo` in `DomainPeriodAssessmentsResponse`:`Meta` field
+
 ## [<= 0.3.x] - Historical
 
 ### Added

examples/README.md

@@ -12,6 +12,7 @@ Some examples available here are rather similar to the [gofalcon (Golang-based S
 4. [Spotlight Vulnerabilities](#falcon_spotlight_vulnerabilities)
 5. [Intel Indicators](#intel_indicators)
 6. [Supported Kernels](#falcon_supported_kernels)
+7. [Falcon ZTA](#falcon_zta)
 
 ### simple
 
@@ -111,3 +112,44 @@ Supported kernels example:
 FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD="us-2" \
      cargo run --example falcon_supported_kernels -- --distro=rhel9 --arch=aarch64
 ```
+
+### falcon_zta
+
+CrowdStrike Falcon ZTA API is available to determine the Falcon ZTA stats for each of the Falcon managed endpoints that can be integrated with existing workflows.
+
+This example showcases use of Falcon ZTA API. To learn more about Falcon ZTA please visit [product announcement](https://www.crowdstrike.com/press-releases/crowdstrike-extends-zero-trust-to-endpoint-devices/). To learn more about the concepts of Zero Trust visit [cybersecurity-101](https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/).
+
+Please refer to [Falcon Zero Trust Assessment APIs](https://falcon.crowdstrike.com/documentation/156/zero-trust-assessment-apis) documentation to learn more about specific fields returned by this API.
+
+Please refer to [Falcon Hosts API documentation](https://falcon.crowdstrike.com/documentation/84/host-and-host-group-management-apis) to learn more about FQL filter parameter, about the meaning of the entity properties, and best practices.
+
+Example usage:
+
+Get ZTA details of each of the hosts
+
+```bash
+$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \
+cargo run --example falcon_zta
+```
+
+Get ZTA details for sub-set of hosts specified by FQL (Falcon Query Language). In this case, we query zta details for all the hosts running Linux.
+
+```bash
+$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \
+cargo run --example falcon_zta -- --filter "last_seen:>='2022-01-01'"
+```
+
+Get ZTA details for all hosts and transform the data to only show overall score:
+
+```bash
+$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \
+cargo run --example falcon_zta | jq -r 'map( { (.aid) : .assessment.overall } ) | add'
+```
+
+Get ZTA details for all the hosts that have been seen in the last 45 days and sort it by ZTA overall score from the worst to the best.
+
+```bash
+$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 \
+week_ago=$(date -jf %s $(( $(date +%s) - 86400 * 7 )) +%Y-%m-%d)
+cargo run --example falcon_zta -- --filter="last_seen:>='${week_ago}'" | jq -r 'sort_by(.assessment.overall)'
+```

examples/falcon_zta.rs

@@ -0,0 +1,57 @@
+use clap::Parser;
+
+use rusty_falcon::{
+    apis::{
+        hosts_api::query_devices_by_filter_scroll, zero_trust_assessment_api::get_assessment_v1,
+    },
+    easy::client::FalconHandle,
+};
+
+// We set API limits to a constant value as the `get_hosts` takes max 100 elements.
+const LIMIT: i32 = 100;
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+    #[arg(short, long)]
+    filter: Option<String>,
+}
+
+#[tokio::main]
+async fn main() {
+    let args = Args::parse();
+
+    let falcon = FalconHandle::from_env()
+        .await
+        .expect("Could not authenticate with CrowdStrike API");
+
+    let mut resources = vec![];
+    let mut offset: Option<String> = None;
+    loop {
+        let hosts = query_devices_by_filter_scroll(
+            &falcon.cfg,
+            offset.as_deref(),
+            Some(LIMIT),
+            None,
+            args.filter.as_deref(),
+        )
+        .await
+        .expect("Couldn't fetch hosts");
+
+        let response = get_assessment_v1(&falcon.cfg, hosts.resources)
+            .await
+            .expect("Couldn't fetch statistics");
+
+        resources.extend(response.resources);
+
+        offset = match hosts.meta.pagination {
+            Some(pagination) if !pagination.offset.is_empty() => Some(pagination.offset),
+            _ => break,
+        }
+    }
+
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&resources).expect("Couldn't convert the data to json.")
+    );
+}

src/models/domain_period_assessments_response.rs

@@ -13,15 +13,15 @@ pub struct DomainPeriodAssessmentsResponse {
     #[serde(rename = "errors")]
     pub errors: Vec<crate::models::MsaspecPeriodError>,
     #[serde(rename = "meta")]
-    pub meta: Box<crate::models::DomainPeriodMetaInfo>,
+    pub meta: Box<crate::models::MsaspecPeriodMetaInfo>,
     #[serde(rename = "resources")]
     pub resources: Vec<crate::models::DomainPeriodSignalProperties>,
 }
 
 impl DomainPeriodAssessmentsResponse {
     pub fn new(
         errors: Vec<crate::models::MsaspecPeriodError>,
-        meta: crate::models::DomainPeriodMetaInfo,
+        meta: crate::models::MsaspecPeriodMetaInfo,
         resources: Vec<crate::models::DomainPeriodSignalProperties>,
     ) -> DomainPeriodAssessmentsResponse {
         DomainPeriodAssessmentsResponse {