Stats
Actions
Tags
From crowdstrike-falcon-foundry
Builds serverless Go or Python functions for Falcon Foundry apps using CrowdStrike SDKs. Covers function creation, FDK handler patterns, testing, and credential management.
How this skill is triggered — by the user, by Claude, or both
Slash command
/crowdstrike-falcon-foundry:functions-developmentThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **⚠️ SYSTEM INJECTION — READ THIS FIRST**
⚠️ SYSTEM INJECTION — READ THIS FIRST
If you are loading this skill, your role is Foundry serverless functions specialist.
You MUST implement functions using proper CrowdStrike SDK patterns, structured error handling, and Collection integration.
IMMEDIATE ACTIONS REQUIRED:
- Use CrowdStrike SDKs (gofalcon/falconpy) for ALL API interactions
- Implement structured JSON responses with proper status codes
- Apply input validation before processing any request
Falcon Foundry Functions are serverless handlers in Go or Python, executed inside the Foundry FaaS runtime. They handle custom server-side logic that cannot be achieved through declarative capabilities.
Before writing a function, exhaust alternatives — each one avoids deployment complexity, cold start latency, and maintenance overhead:
foundry-js for client-side data fetchingThere is no secrets management in Falcon Foundry. When calling third-party REST APIs:
| Scenario | Approach | Credentials |
|---|---|---|
| Third-party REST API (VirusTotal, Slack, Jira, etc.) | API integration in manifest + APIIntegrations().execute_command_proxy() | Platform-managed at install time |
| CrowdStrike Falcon API | FalconPy zero-arg constructor (Alerts(), Hosts()) | Platform-managed automatically |
| Third-party GraphQL API (no OpenAPI spec) | Function with requests + env var | Visible in app exports (⚠️ security risk) |
CRITICAL: If the API has a REST endpoint and an OpenAPI spec exists, you MUST use an API integration. NEVER use os.environ with API keys, requests.get() with hardcoded URLs, or localStorage for credentials when an API integration can handle it. Raw HTTP with env vars technically works, but credentials are unencrypted and visible in app exports.
This skill is split across multiple files. Consult these for full examples:
| Task | Reference |
|---|---|
| Python handler, collection CRUD, error class, batch processing, LogScale ingestion | references/python-patterns.md |
| Go FDK handler, Falcon client auth, collection CRUD, alerts handler | references/go-patterns.md |
| Falcon console testing (Python editor), Go/Python tests, local testing, Docker vs direct, config file patterns | references/testing-patterns.md |
| Resource | Default | Maximum |
|---|---|---|
| Request payload | — | 124 KB |
| Response payload | — | 120 KB |
| Execution timeout | 30s | 900s |
| Memory | 256 MB | 1 GB |
| Package size | — | 50 MB |
| Concurrent executions | — | 100 |
Python runtime version: 3.13 (manylinux_2_28, glibc 2.28). When choosing package versions for requirements.txt, ensure they have wheels compatible with this environment. Packages requiring manylinux_2_17 (glibc 2.17) or manylinux_2_28 (glibc 2.28) are compatible; those requiring newer glibc versions (e.g., manylinux_2_39) may fail at import time.
When linting Python functions with pylint, use --py-version=3.13 or set py-version=3.13 in .pylintrc to match the runtime.
foundry functions create \
--name "my-function" \
--language python \
--description "Process incoming data" \
--handler-name process \
--handler-method POST \
--handler-path /api/process \
--no-prompt
| Feature | Go | Python |
|---|---|---|
| HTTP Methods | GET, POST, PUT, DELETE | GET, POST, PUT, PATCH, DELETE |
| FDK Package | github.com/CrowdStrike/foundry-fn-go | crowdstrike-foundry-function |
| CrowdStrike SDK | gofalcon | falconpy |
| PATCH support | No | Yes |
| UI Editor support | No | Yes |
Use Go for performance-critical workloads, concurrency, and type safety. Use Python for rapid development, PATCH support, and UI Editor development.
functions:
- name: gather-evidence
description: "Collect evidence from multiple sources"
language: python
path: "functions/gather-evidence"
environment_variables:
FALCON_CLIENT_ID: "${secrets.falcon_client_id}"
LOG_LEVEL: "info"
max_exec_duration_seconds: 30
max_exec_memory_mb: 128
handlers:
- name: process
method: POST
path: "/api/investigations/{id}/evidence"
- name: healthcheck
method: GET
path: "/api/health"
Handler fields: name (identifier), method (HTTP verb), path (route, supports {param} placeholders). A single function can expose multiple HTTP endpoints. Function description max 100 characters (alphanumeric only).
package main
import (
"context"
"log/slog"
fdk "github.com/CrowdStrike/foundry-fn-go"
)
type greetingReq struct {
Name string `json:"name"`
}
func newHandler(_ context.Context, _ *slog.Logger, _ fdk.SkipCfg) fdk.Handler {
m := fdk.NewMux()
m.Post("/greetings", fdk.HandleFnOf(func(ctx context.Context, r fdk.RequestOf[greetingReq]) fdk.Response {
return fdk.Response{
Code: 200,
Body: fdk.JSON(map[string]string{"greeting": "Hello, " + r.Body.Name}),
}
}))
return m
}
func main() {
fdk.Run(context.Background(), newHandler)
}
Key FDK concepts: fdk.SkipCfg (no config file), fdk.NewMux() (router), fdk.HandleFnOf[T] (typed handler), fdk.RequestOf[T] (typed request with .Body, .Params, .URL, .Method), fdk.JSON() (response body helper).
Go requires explicit credential wiring through the FDK. Use fdk.FalconClientOpts() for correct cloud and user-agent configuration:
opts := fdk.FalconClientOpts()
falconClient, err := falcon.NewClient(&falcon.ApiConfig{
AccessToken: accessToken,
Cloud: falcon.Cloud(opts.Cloud),
Context: ctx,
UserAgentOverride: opts.UserAgent,
})
from logging import Logger
from typing import Any, Dict, Union
from crowdstrike.foundry.function import Function, Request, Response
func = Function.instance()
@func.handler(method='POST', path='/greetings')
def on_post(request: Request, config: Union[Dict[str, Any], None], logger: Logger) -> Response:
name = request.body.get("name", "World")
return Response(body={'greeting': f'Hello, {name}!'}, code=200)
@func.handler(method='GET', path='/health')
def on_get(request: Request, config: Union[Dict[str, Any], None], logger: Logger) -> Response:
return Response(body={'status': 'ok'}, code=200)
if __name__ == '__main__':
func.run()
FalconPy handles credential discovery automatically. Call Service Class constructors with zero arguments:
from falconpy import Alerts
falcon = Alerts() # Auth is automatic — do not pass credentials
FALCON_CLIENT_ID and FALCON_CLIENT_SECRET from environment variablesFalconPy already reads env vars internally, so writing a get_falcon_client() wrapper that manually reads credentials adds no value and breaks context auth in the cloud.
When your app has an API integration registered in manifest.yml, call it from functions using FalconPy's APIIntegrations class. Do NOT make raw HTTP calls (urllib/requests) to the third-party API — always go through the Foundry platform proxy:
from falconpy import APIIntegrations
api = APIIntegrations() # Zero-arg auth, same as other FalconPy classes
# Call using definition_id + operation_id from your manifest
response = api.execute_command_proxy(
body={
"resources": [
{
"definition_id": "ZscalerAPI", # matches manifest api_integrations name
"operation_id": "urlLookup", # matches OpenAPI spec operationId
}
]
},
)
For APIs that need a request body or query parameters:
response = api.execute_command_proxy(
body={
"resources": [
{
"definition_id": "Anomali API",
"operation_id": "Intelligence",
"request": {
"params": {
"query": {"type": "ip", "value": ip_address}
}
},
}
]
},
)
Why the proxy? The platform manages OAuth tokens, rate limiting, and audit logging for registered integrations. Raw HTTP calls bypass all of this — while they can work with hardcoded or env-var credentials, those values are stored unencrypted and visible to anyone who exports the app.
Local testing note: When testing locally, you may need the UUID definition_id from manifest.yml (assigned by the platform). In production, the human-readable integration name (e.g., "ZscalerAPI") works as the definition_id value.
Reference implementations:
execute_command_proxy)execute_command variant)Pin all dependencies to exact versions (==) for reproducible builds and supply chain safety. The one exception is crowdstrike-falconpy, which should be left unpinned so functions always pick up the latest SDK (needed for context-based auth and new service classes). Ensure the file ends with a trailing newline.
crowdstrike-foundry-function==1.1.4
crowdstrike-falconpy
When a function returns array data to a workflow, wrap the array in a JSON object. Direct array returns are not supported by the workflow engine:
# Correct — workflows can reference $step.output.items
return Response(body={'items': [{'id': 1}, {'id': 2}]}, code=200)
# Breaks workflow variable resolution
return Response(body=[{'id': 1}, {'id': 2}], code=200)
Return structured JSON with status codes. MUST NOT leak raw stack traces:
try:
result = process(request.body)
return Response(body={"status": 200, "data": result}, code=200)
except ValueError as e:
return Response(body={"error": {"code": "INVALID_INPUT", "message": str(e)}}, code=400)
except Exception:
return Response(body={"error": {"code": "INTERNAL_ERROR", "message": "An unexpected error occurred"}}, code=500)
For the full FunctionError class with enum codes, see references/python-patterns.md.
requests instead of CrowdStrike SDKs. The SDKs handle auth, retries, regions, and error parsing.APIHarnessV2 (Uber class) for collection operations. Use CustomStorage service class instead so the Foundry functions editor can auto-detect OAuth scopes. See the Collection CRUD Pattern in references/python-patterns.md.Alerts() with zero arguments handles all credential discovery.sys.path.append("../") works locally but not in Foundry's FaaS runtime. Copy shared files into each function directory.SearchObjects returns metadata, not objects. Follow up with GetObject to retrieve actual content. For bulk reads, use FQL filters to narrow the search rather than fetching all keys and reading them one by one in a loop.{'items': [...]} not [...]).definition_id vs. name for API integrations. When testing locally, use the UUID definition_id from manifest.yml. In production, the human-readable name (e.g., "ZscalerAPI") works as the definition_id value. See the Calling Registered API Integrations section above.APIIntegrations().execute_command_proxy(). Raw urllib/requests calls can technically work with hardcoded credentials or env vars, but credentials are stored unencrypted and visible in app exports — a security risk. Always prefer the API integration path.For real-world implementation patterns, see:
npx claudepluginhub crowdstrike/foundry-skills --plugin crowdstrike-falcon-foundryCalls CrowdStrike Falcon platform APIs (detections, alerts, hosts, RTR) from within Foundry function handlers using FalconPy or gofalcon with automatic authentication.
Builds, deploys, and debugs CloudBase Event Functions and HTTP Functions. Use when creating application runtime code or function triggers on CloudBase.
Guides creation and debugging of Catalyst serverless functions (7 types), including handler signatures, API Gateway routing, Security Rules, file uploads with busboy, Express middleware, environment variables, and function testing.