{"id":50126803,"url":"https://github.com/l-teles/tailpipe-plugin-crowdstrike","last_synced_at":"2026-05-23T20:04:59.669Z","repository":{"id":359506466,"uuid":"1235984036","full_name":"l-teles/tailpipe-plugin-crowdstrike","owner":"l-teles","description":"Tailpipe plugin that ingests CrowdStrike Falcon Data Replicator (FDR) data from S3 and exposes it as SQL.","archived":false,"fork":false,"pushed_at":"2026-05-22T06:31:46.000Z","size":149,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-22T14:55:23.440Z","etag":null,"topics":["crowdstrike","duckdb","falcon","fdr","go","siem","sql","tailpipe","tailpipe-plugin"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/l-teles.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/security-tools/go.mod","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"docs/MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-11T20:58:06.000Z","updated_at":"2026-05-22T06:31:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/l-teles/tailpipe-plugin-crowdstrike","commit_stats":null,"previous_names":["l-teles/tailpipe-plugin-crowdstrike"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/l-teles/tailpipe-plugin-crowdstrike","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-teles%2Ftailpipe-plugin-crowdstrike","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-teles%2Ftailpipe-plugin-crowdstrike/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-teles%2Ftailpipe-plugin-crowdstrike/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-teles%2Ftailpipe-plugin-crowdstrike/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/l-teles","download_url":"https://codeload.github.com/l-teles/tailpipe-plugin-crowdstrike/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-teles%2Ftailpipe-plugin-crowdstrike/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33410386,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T18:09:33.147Z","status":"ssl_error","status_checked_at":"2026-05-23T18:09:31.380Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crowdstrike","duckdb","falcon","fdr","go","siem","sql","tailpipe","tailpipe-plugin"],"created_at":"2026-05-23T20:04:44.550Z","updated_at":"2026-05-23T20:04:59.639Z","avatar_url":"https://github.com/l-teles.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CrowdStrike Plugin for Tailpipe\n\n[![tests](https://github.com/l-teles/tailpipe-plugin-crowdstrike/actions/workflows/test.yml/badge.svg)](https://github.com/l-teles/tailpipe-plugin-crowdstrike/actions/workflows/test.yml)\n[![security](https://github.com/l-teles/tailpipe-plugin-crowdstrike/actions/workflows/security.yml/badge.svg)](https://github.com/l-teles/tailpipe-plugin-crowdstrike/actions/workflows/security.yml)\n[![release](https://img.shields.io/github/v/release/l-teles/tailpipe-plugin-crowdstrike?include_prereleases\u0026sort=semver)](https://github.com/l-teles/tailpipe-plugin-crowdstrike/releases)\n[![license](https://img.shields.io/github/license/l-teles/tailpipe-plugin-crowdstrike)](LICENSE)\n[![Go Report Card](https://goreportcard.com/badge/github.com/l-teles/tailpipe-plugin-crowdstrike)](https://goreportcard.com/report/github.com/l-teles/tailpipe-plugin-crowdstrike)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/l-teles/tailpipe-plugin-crowdstrike/badge)](https://scorecard.dev/viewer/?uri=github.com/l-teles/tailpipe-plugin-crowdstrike)\n\n[Tailpipe](https://tailpipe.io) is an open-source CLI that collects logs and exposes them as SQL. This plugin reads [CrowdStrike Falcon Data Replicator](https://www.crowdstrike.com/) (FDR) data from an S3 bucket — primary sensor / external-API events plus the periodic secondary lookup snapshots — and surfaces them as five SQL tables.\n\n## Tables\n\n| Table | What it holds |\n|---|---|\n| `crowdstrike_fdr_event` | Primary FDR events. Sensor telemetry (`ProcessRollup2`, `EndOfProcess`, `DnsRequest`, …) and external-API events (`Event_ModuleSummaryInfoEvent`, `Event_AuthActivityAuditEvent`, …) share this table. Hot identifiers are typed columns; the full event JSON is preserved in a `payload` column. |\n| `crowdstrike_aid_master` | AIDMaster — one row per agent (host) with sensor / OS / hardware metadata. |\n| `crowdstrike_app_info` | AppInfo — installed-application inventory. |\n| `crowdstrike_managed_assets` | ManagedAssets — network interface / gateway info per managed agent. |\n| `crowdstrike_user_info` | UserInfo — local-account inventory per host. |\n\n`NotManaged` is intentionally absent in v1 (no reference data to validate the schema against).\n\n## Sources\n\n| Source | Description |\n|---|---|\n| `crowdstrike_s3_bucket` | Reads `.txt.gz` / `.gz` files from the FDR bucket (or its `*-s3alias` access-point alias). Authenticates via the standard AWS credential chain. Default grok layout matches both the classic Hive-style (`batch=\u003cuuid\u003e/year=…/platform=…/`) and the newer flat (`\u003cuuid\u003e/`) FDR layouts. |\n| `file` | SDK-provided local-file source. Use it to replay FDR files downloaded out-of-band, for testing or air-gapped review. |\n\n## Requirements\n\n- [Tailpipe](https://tailpipe.io/downloads) v0.7+\n- Go 1.25+ (only if building from source; `toolchain` directive in `go.mod` auto-fetches a patched version)\n- Read access to a CrowdStrike FDR S3 bucket — recommended: an IAM principal scoped to `s3:GetObject` + `s3:ListBucket` on the tenant prefix only\n\n## Quick start\n\n```bash\ngit clone https://github.com/l-teles/tailpipe-plugin-crowdstrike\ncd tailpipe-plugin-crowdstrike\nmake install      # drops the plugin under ~/.tailpipe/plugins/hub.tailpipe.io/plugins/l-teles/crowdstrike@latest\n```\n\nConfigure credentials any way the AWS SDK can find them — named profile, `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, SSO, IRSA, instance role. Then drop a `crowdstrike.tpc` into `~/.tailpipe/config/`:\n\n```hcl\nconnection \"crowdstrike\" \"default\" {\n  profile = \"crowdstrike-fdr\"\n  region  = \"eu-central-1\"  # required for *-s3alias buckets — the bucket-region probe doesn't work for access-point aliases\n}\n\npartition \"crowdstrike_fdr_event\" \"prod\" {\n  source \"crowdstrike_s3_bucket\" {\n    connection = connection.crowdstrike.default\n    bucket     = \"cs-lion-cannon-XXXXXX-s3alias\"\n    prefix     = \"\u003ctenant-id\u003e/data/\"\n  }\n}\n\npartition \"crowdstrike_aid_master\"     \"prod\" { source \"crowdstrike_s3_bucket\" { connection = connection.crowdstrike.default  bucket = \"cs-lion-cannon-XXXXXX-s3alias\"  prefix = \"\u003ctenant-id\u003e/fdrv2/aidmaster/\" } }\npartition \"crowdstrike_app_info\"       \"prod\" { source \"crowdstrike_s3_bucket\" { connection = connection.crowdstrike.default  bucket = \"cs-lion-cannon-XXXXXX-s3alias\"  prefix = \"\u003ctenant-id\u003e/fdrv2/appinfo/\" } }\npartition \"crowdstrike_managed_assets\" \"prod\" { source \"crowdstrike_s3_bucket\" { connection = connection.crowdstrike.default  bucket = \"cs-lion-cannon-XXXXXX-s3alias\"  prefix = \"\u003ctenant-id\u003e/fdrv2/managedassets/\" } }\npartition \"crowdstrike_user_info\"      \"prod\" { source \"crowdstrike_s3_bucket\" { connection = connection.crowdstrike.default  bucket = \"cs-lion-cannon-XXXXXX-s3alias\"  prefix = \"\u003ctenant-id\u003e/fdrv2/userinfo/\" } }\n```\n\nReplay a local dump instead:\n\n```hcl\npartition \"crowdstrike_fdr_event\" \"local\" {\n  source \"file\" {\n    paths       = [\"/path/to/fdr-samples\"]\n    file_layout = \"%{DATA}.gz\"\n  }\n}\n```\n\nThen collect and query:\n\n```bash\ntailpipe collect crowdstrike_fdr_event.prod --from T-1d\ntailpipe query \"select event_simple_name, count(*) from crowdstrike_fdr_event group by 1 order by 2 desc limit 20\"\n```\n\nPer-table docs and example queries live under [`docs/tables/`](docs/tables/).\n\n## Notes\n\n- **Wire format** — every value in FDR JSON is delivered as a string (timestamps, integers, floats included). All row columns are `*string`; cast at query time, e.g. `cast(payload-\u003e\u003e'$.RawProcessId' as bigint)` or `to_timestamp(cast(time as bigint))`.\n- **Timestamps** — sensor `ContextTimeStamp` is epoch-seconds with optional fractional ms (`\"1778159119.283\"`); sensor `timestamp` and external-API `UTCTimestamp` are epoch-milliseconds; external-API `timestamp` is RFC3339. `tp_timestamp` resolves the best available.\n- **`payload` JSON column** — every table carries one. Anything not promoted to a typed column stays queryable via `payload-\u003e\u003e'$.Field'`.\n- **PII** — `aip`, `LocalAddressIP4`, `UserName`, `User`, `MAC`, `ExternalIP`, `UserSid_readable`, and others are personally identifying. They are ingested as-is. Restrict access to the local DuckLake store and downstream queries; see [SECURITY.md](SECURITY.md).\n- **Operator hardening** — use an IAM principal scoped to the tenant prefix only, not the whole bucket. Prefer profile / SSO / IRSA over static keys in HCL.\n\n## Contributing \u0026 security\n\n- Bugs and features → [GitHub Issues](https://github.com/l-teles/tailpipe-plugin-crowdstrike/issues).\n- Code contributions → [CONTRIBUTING.md](CONTRIBUTING.md).\n- Vulnerabilities → [SECURITY.md](SECURITY.md) (private vuln reporting, please).\n\n## License\n\nApache-2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl-teles%2Ftailpipe-plugin-crowdstrike","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fl-teles%2Ftailpipe-plugin-crowdstrike","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl-teles%2Ftailpipe-plugin-crowdstrike/lists"}