Crowdstrike module

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Falcon APIs

Variable	Description	Status
FALCON_CLIENT_ID	Required for authentication.	required
FALCON_CLIENT_SECRET	Required for authentication.	required
FALCON_CLOUD	Required for authentication.	required
FALCON_BASE_URL	API base override (default derived from FALCON_CLOUD region).	optional
FALCON_MEMBER_CID	Parent CID when operating in a Falcon multi-tenant / MSSP context.	optional

Sanity-check the wiring:

weave secrets check
weave crowdstrike --help
weave doctor   # reports FALCON_CLIENT_ID status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

Entity	find	list	show	do	snapshot	diff	apply
detection	✓	✓	·	·	·	·	·
host	✓	✓	·	✓	·	·	·
incident	✓	✓	·	·	·	·	·
policies	·	✓	·	·	·	·	·
prevention-policies	·	·	·	·	✓	✓	✓

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (3)

find detection

read

Find a detection by ID.

weave crowdstrike find detection <detection-id>

find host

read

Find a host by hostname or AID (agent ID).

weave crowdstrike find host <identifier>

find incident

read

Find a Falcon incident by ID.

weave crowdstrike find incident <incident-id>

list (4)

list detections

read

List recent detections.

weave crowdstrike list detections <arg>

list hosts

read

List hosts in the Falcon tenant.

weave crowdstrike list hosts <arg>

list incidents

read

List Falcon incidents.

weave crowdstrike list incidents <arg>

list policies

read

List prevention policies (AV/EDR).

weave crowdstrike list policies <arg>

do (2)

do contain

write

Network-contain a host (isolate from network, EDR keeps comms).

weave crowdstrike do contain <aid>

do lift-containment

write

Lift network containment on a host.

weave crowdstrike do lift-containment <aid>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/crowdstrike/.

prevention-policies

snapshot diff apply

All prevention (AV/EDR) policies in the Falcon tenant.

Scope: —
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: crowdstrike
kind: prevention-policies
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Network-contain a compromised host

Isolate at the network layer while keeping the Falcon agent talking.

weave crowdstrike find host <hostname>
weave crowdstrike do contain <aid> --yes
# after remediation:
weave crowdstrike do lift-containment <aid> --yes

Triage a detection

weave crowdstrike list detections
weave crowdstrike find detection <detection-id>
weave crowdstrike find host <hostname>

Version-control prevention policies

weave crowdstrike snapshot prevention-policies
$EDITOR .weave-state/crowdstrike/prevention-policies.yaml
weave crowdstrike diff prevention-policies
weave crowdstrike apply prevention-policies --yes

Incident response handoff

weave crowdstrike list incidents
weave crowdstrike find incident <incident-id>
weave crowdstrike list policies

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource	weave equivalent
crowdstrike_prevention_policy	weave crowdstrike snapshot/diff/apply prevention-policies + list policies
crowdstrike_host	weave crowdstrike find/list host + do contain / lift-containment Containment is a live Falcon action — not modeled as Terraform drift.
crowdstrike_detection	weave crowdstrike find/list detection Read-only — detections are events, not desired state.
crowdstrike_incident	weave crowdstrike find/list incident
(Terraform provider — sensor policies)	Not exposed — prevention-policies only today IOA / sensor-update policies planned for a later weave release.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including FALCON_CLIENT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave crowdstrike diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/crowdstrike. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.