Skip to content

add crowdstrike falcon connector example #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add crowdstrike falcon connector example #439

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions connectors/CrowdStrike_Falcon/connector.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
"""
CrowdStrike Falcon connector for Fivetran Connector SDK.
Pulls endpoint detection and response data.
"""

import requests
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing inline comment explaining the purpose of this import. Add a comment like # For making HTTP API requests (NOTE: provided by SDK runtime) to follow SDK conventions.

Copilot generated this review using guidance from repository custom instructions.
from fivetran_connector_sdk import connector, config, state, records, log, schema
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: Wrong import statements for Fivetran Connector SDK. The SDK does not support connector, config, state, records, or schema imports. Use the correct imports: from fivetran_connector_sdk import Connector, from fivetran_connector_sdk import Logging as log, and from fivetran_connector_sdk import Operations as op.

Copilot generated this review using guidance from repository custom instructions.
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Import of 'log' is not used.

Suggested change
from fivetran_connector_sdk import connector, config, state, records, log, schema
from fivetran_connector_sdk import connector, config, state, records, schema

Copilot uses AI. Check for mistakes.

CONFIG = config.Config(
base_url=config.StringField(default="https://api.crowdstrike.com"),
client_id=config.SecretField(),
client_secret=config.SecretField()
)
Comment on lines +9 to +13
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: The Fivetran Connector SDK does not use config.Config objects. Configuration is provided via a configuration.json file and accessed as a dictionary parameter in the update() and schema() functions. Remove this configuration object and create a proper configuration.json file instead.

Copilot generated this review using guidance from repository custom instructions.

SCHEMA = schema.Schema(
name="falcon_detections",
columns={
"id": schema.StringColumn(),
"created_timestamp": schema.StringColumn(),
"status": schema.StringColumn(),
"severity": schema.StringColumn(),
"behavior": schema.JSONColumn(),
}
)
Comment on lines +15 to +24
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: The Fivetran Connector SDK does not use schema.Schema objects. Define a schema(configuration: dict) function that returns a list of table schema dictionaries. See the template for the correct format.

Copilot generated this review using guidance from repository custom instructions.

@connector(
name="CrowdStrikeFalconConnector",
version="0.1.0",
config=CONFIG,
schema=SCHEMA,
)
def run_connector(ctx: state.Context):
Comment on lines +26 to +32
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: The Fivetran Connector SDK does not use decorator-based patterns. Replace this with a standard update(configuration: dict, state: dict) function. The connector is initialized using connector = Connector(update=update, schema=schema) at the module level.

Copilot generated this review using guidance from repository custom instructions.
# Normally you'd authenticate via OAuth2 first
headers = {"Authorization": f"Bearer {ctx.config.client_secret}"}
Comment on lines +33 to +34
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment states 'Normally you'd authenticate via OAuth2 first' but the code directly uses client_secret as a bearer token. This is incorrect for OAuth2 authentication. Proper OAuth2 requires exchanging client credentials for an access token first. Implement proper token acquisition using the OAuth2 token endpoint before making API calls.

Suggested change
# Normally you'd authenticate via OAuth2 first
headers = {"Authorization": f"Bearer {ctx.config.client_secret}"}
# Authenticate via OAuth2 client credentials flow to obtain an access token
token_url = f"{ctx.config.base_url}/oauth2/token"
token_data = {
"client_id": ctx.config.client_id,
"client_secret": ctx.config.client_secret
}
token_headers = {"Content-Type": "application/x-www-form-urlencoded"}
token_response = requests.post(token_url, data=token_data, headers=token_headers)
token_response.raise_for_status()
access_token = token_response.json().get("access_token")
if not access_token:
raise Exception("Failed to obtain access token from CrowdStrike Falcon API.")
headers = {"Authorization": f"Bearer {access_token}"}

Copilot uses AI. Check for mistakes.
url = f"{ctx.config.base_url}/detects/queries/detects/v1"

response = requests.get(url, headers=headers)
response.raise_for_status()
Comment on lines +37 to +38
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: No error handling or retry logic for network requests. Wrap this in a try-except block catching specific exceptions like (requests.HTTPError, requests.Timeout, requests.ConnectionError). Implement retry logic with exponential backoff for transient failures.

Copilot generated this review using guidance from repository custom instructions.

for item in response.json().get("resources", []):
records.write("falcon_detections", {"id": item})
Comment on lines +40 to +41
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: The SDK does not have a records.write() function. Use op.upsert(table='falcon_detections', data=record) instead. Additionally, this line should be preceded by the required upsert comment explaining the operation.

Copilot generated this review using guidance from repository custom instructions.

return ctx.update_state({"last_sync": "now"})
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: The SDK does not use ctx.update_state(). State management is done via op.checkpoint(state). The update() function should not return anything (returns None). Add the required checkpoint comment before calling op.checkpoint(state).

Copilot generated this review using guidance from repository custom instructions.
Comment on lines +1 to +43
Copy link

Copilot AI Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BLOCKER: Missing required structure elements. The connector must include: (1) A schema(configuration: dict) function with the exact docstring from the template, (2) An update(configuration: dict, state: dict) function with the exact docstring from the template, (3) Connector initialization: connector = Connector(update=update, schema=schema), (4) Main block for debugging with if __name__ == '__main__': section. Refer to the template at template_example_connector/connector.py for the complete required structure.

Copilot generated this review using guidance from repository custom instructions.
Loading