talonctl 0.1.0__tar.gz

talonctl-0.1.0/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

talonctl-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,56 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Check linting
+        run: ruff check src/ tests/ --exclude src/talonctl/_version.py
+      - name: Check formatting
+        run: ruff format --check src/ tests/ --exclude src/talonctl/_version.py
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install package
+        run: pip install -e .
+      - name: Smoke test — CLI help
+        run: talonctl --help
+      - name: Smoke test — version
+        run: talonctl --version
+      - name: Smoke test — init and validate
+        run: |
+          talonctl init /tmp/smoke-test
+          cd /tmp/smoke-test
+          talonctl validate

talonctl-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,94 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Check linting
+        run: ruff check src/ tests/ --exclude src/talonctl/_version.py
+      - name: Check formatting
+        run: ruff format --check src/ tests/ --exclude src/talonctl/_version.py
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  build:
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install build tools
+        run: pip install build
+      - name: Build sdist and wheel
+        run: python -m build
+      - name: Verify package version matches tag
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(python -c "
+          import pathlib
+          whl = next(pathlib.Path('dist').glob('*.whl'))
+          print(whl.name.split('-')[1])
+          ")
+          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+            echo "::error::Version mismatch: built package is '$PKG_VERSION' but tag is 'v$TAG_VERSION'"
+            exit 1
+          fi
+          echo "Version verified: $TAG_VERSION"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish-pypi:
+    needs: [build]
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  release:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create GitHub Release
+        run: gh release create "$GITHUB_REF_NAME" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

talonctl-0.1.0/.gitignore

@@ -0,0 +1,45 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.eggs/
+*.egg
+venv/
+.venv/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# WSL artifacts
+*:Zone.Identifier
+
+# Project state (user-specific, created by setup/import)
+.crowdstrike/deployed_state.json
+.crowdstrike/backups/
+data/
+discovery_results.json
+
+# Credentials (NEVER commit)
+credentials.json
+
+# Superpowers plans and specs (local working docs)
+docs/superpowers/plans/
+docs/superpowers/specs/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# docs/superpowers (specs, plans — working documents, not committed)
+docs/superpowers/
+# Handoff docs (ephemeral working artifacts between skills)
+docs/handoffs/
+!docs/handoffs/.gitkeep
+
+# hatch-vcs generated version file
+src/talonctl/_version.py

talonctl-0.1.0/CLAUDE.md

@@ -0,0 +1,139 @@
+# talonctl -- Project Instructions
+
+Pip-installable CLI tool for CrowdStrike NGSIEM infrastructure as code. Terraform-like plan/apply for detection rules, saved searches, dashboards, workflows, lookup files, and RTR resources.
+
+## Project Overview
+
+This repo is the **tool** -- a pip-installable Python package. It does not contain detection templates, knowledge bases, or project-specific content. Those live in user projects (e.g., [talonctl-demo](https://github.com/willwebster5/talonctl-demo)).
+
+- **Seven resource types** -- detections, saved searches, dashboards, workflows, lookup files, RTR scripts, RTR put files
+- **Terraform-like lifecycle** -- validate, plan, apply, import, sync, drift
+- **State management** -- tracks deployed resources and their CrowdStrike API IDs
+- **Scaffolding** -- `talonctl init` creates new projects with the correct directory structure
+
+## Package Structure
+
+```
+talonctl/
+├── pyproject.toml              # Package configuration (pip install -e .[dev])
+├── src/talonctl/               # Package source
+│   ├── __init__.py             # Version
+│   ├── cli.py                  # Click CLI entry point
+│   ├── project.py              # Project root finder
+│   ├── commands/               # CLI command modules
+│   │   ├── auth.py             # talonctl auth (setup + check)
+│   │   ├── health.py           # talonctl health (detection health check)
+│   │   ├── metrics.py          # talonctl metrics (update-detections + update-kpis)
+│   │   ├── backup.py           # talonctl backup (create, list, restore)
+│   │   ├── validate.py         # talonctl validate
+│   │   ├── plan.py             # talonctl plan
+│   │   ├── apply.py            # talonctl apply
+│   │   ├── show.py             # talonctl show
+│   │   ├── sync.py             # talonctl sync
+│   │   ├── drift.py            # talonctl drift
+│   │   ├── destroy.py          # talonctl destroy
+│   │   ├── import_cmd.py       # talonctl import
+│   │   ├── publish.py          # talonctl publish
+│   │   ├── validate_query.py   # talonctl validate-query
+│   │   ├── init.py             # talonctl init
+│   │   ├── discover.py         # talonctl discover
+│   │   └── _common.py          # Shared CLI helpers
+│   ├── core/                   # Orchestrator, state, plan, drift, template discovery
+│   ├── providers/              # Per-resource-type API adapters
+│   ├── utils/                  # Auth, NGSIEM client, MITRE processor
+│   └── templates/              # Scaffolding templates for `talonctl init`
+├── .crowdstrike/               # Empty state placeholder (for development)
+├── examples/resources/         # Format reference templates (7 YAML + README)
+└── tests/                      # Unit tests (pytest)
+```
+
+## CLI Command Reference
+
+```bash
+# IaC lifecycle
+talonctl validate                    # Validate all templates (no API calls)
+talonctl plan                        # Preview what would change
+talonctl apply                       # Deploy changes
+talonctl import --plan               # Preview importing existing resources
+talonctl sync                        # Reconcile state with live tenant
+talonctl drift                       # Detect manual console changes
+talonctl show                        # Show current state
+talonctl destroy                     # Destroy managed resources
+
+# Credential management
+talonctl auth setup                  # Interactive credential setup wizard
+talonctl auth check                  # Verify stored credentials
+
+# Operational
+talonctl health                      # Detection health check
+talonctl health --format json -o r.json  # Export health report
+talonctl metrics update-detections --report r.json  # Update detection metrics CSV
+talonctl metrics update-kpis --report r.json        # Update KPI CSV
+talonctl backup create               # Create state backup (GitHub Release)
+talonctl backup list                 # List available backups
+talonctl backup restore <tag>        # Restore from backup
+
+# Scaffolding
+talonctl init myproject              # Create a new project
+talonctl discover                    # Find new detection templates
+```
+
+## Development
+
+### Running Tests
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -e .[dev]
+pytest tests/ -v
+```
+
+### Adding a New CLI Command
+
+1. Create `src/talonctl/commands/mycommand.py` with a Click command or group
+2. Import the shared `console` from `talonctl.commands._common`
+3. Register in `src/talonctl/cli.py`: import and `cli.add_command()`
+4. Add tests in `tests/unit/test_mycommand.py` using `click.testing.CliRunner`
+5. Run `pytest tests/unit/test_mycommand.py -v`
+
+### Adding a New Resource Type
+
+1. Create a provider in `src/talonctl/providers/` implementing the `ProviderAdapter` interface
+2. Register the provider in `src/talonctl/core/__init__.py`
+3. Add a format reference template in `examples/resources/`
+4. Add the resource type to `talonctl init` scaffolding templates
+
+### Format Reference Templates
+
+`examples/resources/` contains annotated YAML examples for every resource type. These serve as documentation for template authors -- they are NOT deployed. Each example shows all supported fields with comments.
+
+### Init Template Scaffolding
+
+`src/talonctl/templates/init/` contains the directory structure and files created by `talonctl init`. Changes here affect all new projects.
+
+## Critical Concepts
+
+### resource_id vs name
+
+- **`resource_id`** -- stable key in the state file. Once deployed, **never change this**. Changing it = destroy + recreate.
+- **`name`** -- display name in the Falcon console. Can be updated freely.
+
+### State File
+
+- Location: `.crowdstrike/deployed_state.json` (in user projects)
+- Format version: v3.0
+- Do not edit manually -- use `sync` to reconcile
+
+## Credentials
+
+- **Location:** `~/.config/falcon/credentials.json`
+- **Setup:** `talonctl auth setup`
+- **Never commit credentials.**
+
+## Production Rules
+
+1. **Always plan before apply.** Never blind-deploy.
+2. **Never change `resource_id` after deploy.**
+3. **Saved search description limit: 2000 characters.** The API silently truncates.
+4. **Validate CQL syntax** before committing: `talonctl validate-query --template <path>`

talonctl-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Will Webster
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

talonctl-0.1.0/PKG-INFO

@@ -0,0 +1,170 @@
+Metadata-Version: 2.4
+Name: talonctl
+Version: 0.1.0
+Summary: Infrastructure as code for CrowdStrike NGSIEM
+Author: Will Webster
+License-Expression: MIT
+License-File: LICENSE
+Keywords: crowdstrike,detection-as-code,ngsiem,security
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Requires-Python: >=3.11
+Requires-Dist: click>=8.0.0
+Requires-Dist: crowdstrike-falconpy>=1.6.1
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: requests>=2.28.0
+Requires-Dist: rich>=13.0.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == 'dev'
+Requires-Dist: ruff>=0.8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# talonctl
+
+Infrastructure as code for CrowdStrike. Manage detections, workflows, saved searches, and more with a Terraform-like lifecycle.
+
+## What This Is
+
+A pip-installable CLI tool for managing CrowdStrike NGSIEM resources as code. It started as the deployment engine behind an AI-assisted SOC project and works just as well standalone. If you use CrowdStrike NG-SIEM and want version-controlled, CI/CD-deployed resources -- this is it.
+
+What you get:
+- **Terraform-like deployment** -- plan/apply/import/drift/sync for CrowdStrike NGSIEM resources
+- **Seven resource types** -- detections, saved searches, dashboards, workflows, lookup files, RTR scripts, RTR put files
+- **State management** -- tracks deployed resources, content hashes, and CrowdStrike API IDs
+- **Dependency resolution** -- DAG-based ordering so resources deploy in the right sequence
+- **Drift detection** -- catch manual console changes that diverge from your templates
+- **Project scaffolding** -- `talonctl init` creates new projects with the correct directory structure
+
+## Getting Started
+
+```bash
+# Install
+python3 -m venv .venv
+source .venv/bin/activate
+pip install talonctl
+
+# Scaffold a new project
+talonctl init myproject
+cd myproject
+
+# Configure credentials
+talonctl auth setup
+
+# Import your existing detections
+talonctl import --plan              # preview what would be imported
+talonctl import --resources=detection  # import detection rules
+
+# Plan and deploy
+talonctl plan    # preview changes
+talonctl apply   # deploy
+```
+
+For a working example project, see [talonctl-demo](https://github.com/willwebster5/talonctl-demo).
+
+## Commands
+
+### IaC Lifecycle
+
+```bash
+talonctl validate                    # Check templates (no API calls)
+talonctl plan                        # Preview changes
+talonctl apply                       # Deploy changes
+talonctl import                      # Onboard existing resources
+talonctl import --plan               # Preview import
+talonctl sync                        # Reconcile state with tenant
+talonctl drift                       # Detect manual console changes
+talonctl show                        # Display current state
+talonctl init                        # Scaffold a new project
+talonctl validate-query              # Validate CQL syntax
+talonctl publish                     # Activate inactive detection rules
+talonctl discover                    # Find new detection templates
+```
+
+### Credential Management
+
+```bash
+talonctl auth setup                  # Interactive credential setup wizard
+talonctl auth check                  # Verify stored credentials
+```
+
+### Operational
+
+```bash
+talonctl health                      # Detection health check
+talonctl health --format json -o r.json  # Export health report
+talonctl metrics update-detections --report r.json  # Update detection metrics CSV
+talonctl metrics update-kpis --report r.json        # Update KPI CSV
+talonctl backup create               # Create state backup (GitHub Release)
+talonctl backup list                 # List available backups
+talonctl backup restore <tag>        # Restore from backup
+```
+
+## What It Manages
+
+| Resource Type | Template Dir | Description |
+|--------------|-------------|-------------|
+| Detection | `resources/detections/` | Correlation rules (CQL queries with severity, MITRE mapping) |
+| Saved Search | `resources/saved_searches/` | Reusable CQL functions called with `$function_name()` |
+| Dashboard | `resources/dashboards/` | LogScale dashboards with sections and widgets |
+| Workflow | `resources/workflows/` | Falcon Fusion automation workflows |
+| Lookup File | `resources/lookup_files/` | CSV lookup tables for enrichment |
+| RTR Script | `resources/rtr_scripts/` | Real Time Response scripts |
+| RTR Put File | `resources/rtr_put_files/` | Files pushed to endpoints via RTR |
+
+## Prerequisites
+
+- CrowdStrike Falcon tenant with NG-SIEM (LogScale)
+- Python 3.11+
+- CrowdStrike API credentials (Falcon Console > Support & Resources > API Clients and Keys)
+
+## Required API Scopes
+
+### By Resource Type
+
+| Resource Type | Read (plan/sync/drift/import) | Write (apply) |
+|--------------|-------------------------------|---------------|
+| Detection | `correlation-rules:read` | `correlation-rules:write` |
+| Saved Search | `ngsiem:read` | `ngsiem:write` |
+| Dashboard | `ngsiem:read` | `ngsiem:write` |
+| Lookup File | `ngsiem:read` | `ngsiem:write` |
+| Workflow | `workflow:read` | `workflow:write` |
+| RTR Script | `real-time-response-admin:write` | `real-time-response-admin:write` |
+| RTR Put File | `real-time-response-admin:write` | `real-time-response-admin:write` |
+
+### Minimum Scopes by Workflow
+
+| Workflow | Scopes |
+|----------|--------|
+| **Just detections** (plan/apply) | `correlation-rules:read`, `correlation-rules:write` |
+| **Detections + saved searches** | Above + `ngsiem:read`, `ngsiem:write` |
+| **Full IaC** (all resource types) | All read + write scopes above |
+| **Import only** (onboarding) | Read scopes for target resource types |
+
+## Ecosystem
+
+talonctl was built alongside a set of AI-assisted security skills and a CrowdStrike MCP server. Together they form a detection engineering and SOC operations toolkit:
+
+- **[talonctl-demo](https://github.com/willwebster5/talonctl-demo)** -- Working example project with saved searches, lookup files, knowledge base, and CI/CD workflows
+- **[agent-skills](https://github.com/willwebster5/agent-skills)** -- Claude Code plugins for SOC triage, detection engineering, threat hunting, and more
+- **[crowdstrike-mcp](https://github.com/willwebster5/crowdstrike-mcp)** -- MCP server for querying alerts, running CQL, host lookup, and case management
+
+## Development
+
+```bash
+git clone https://github.com/willwebster5/talonctl.git
+cd talonctl
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -e .[dev]
+pytest tests/ -v
+```
+
+Format reference templates are in `examples/resources/` -- annotated YAML examples for every resource type.
+
+## License
+
+MIT -- do whatever you want, no warranty, no liability. See [LICENSE](LICENSE).

talonctl-0.1.0/README.md

@@ -0,0 +1,145 @@
+# talonctl
+
+Infrastructure as code for CrowdStrike. Manage detections, workflows, saved searches, and more with a Terraform-like lifecycle.
+
+## What This Is
+
+A pip-installable CLI tool for managing CrowdStrike NGSIEM resources as code. It started as the deployment engine behind an AI-assisted SOC project and works just as well standalone. If you use CrowdStrike NG-SIEM and want version-controlled, CI/CD-deployed resources -- this is it.
+
+What you get:
+- **Terraform-like deployment** -- plan/apply/import/drift/sync for CrowdStrike NGSIEM resources
+- **Seven resource types** -- detections, saved searches, dashboards, workflows, lookup files, RTR scripts, RTR put files
+- **State management** -- tracks deployed resources, content hashes, and CrowdStrike API IDs
+- **Dependency resolution** -- DAG-based ordering so resources deploy in the right sequence
+- **Drift detection** -- catch manual console changes that diverge from your templates
+- **Project scaffolding** -- `talonctl init` creates new projects with the correct directory structure
+
+## Getting Started
+
+```bash
+# Install
+python3 -m venv .venv
+source .venv/bin/activate
+pip install talonctl
+
+# Scaffold a new project
+talonctl init myproject
+cd myproject
+
+# Configure credentials
+talonctl auth setup
+
+# Import your existing detections
+talonctl import --plan              # preview what would be imported
+talonctl import --resources=detection  # import detection rules
+
+# Plan and deploy
+talonctl plan    # preview changes
+talonctl apply   # deploy
+```
+
+For a working example project, see [talonctl-demo](https://github.com/willwebster5/talonctl-demo).
+
+## Commands
+
+### IaC Lifecycle
+
+```bash
+talonctl validate                    # Check templates (no API calls)
+talonctl plan                        # Preview changes
+talonctl apply                       # Deploy changes
+talonctl import                      # Onboard existing resources
+talonctl import --plan               # Preview import
+talonctl sync                        # Reconcile state with tenant
+talonctl drift                       # Detect manual console changes
+talonctl show                        # Display current state
+talonctl init                        # Scaffold a new project
+talonctl validate-query              # Validate CQL syntax
+talonctl publish                     # Activate inactive detection rules
+talonctl discover                    # Find new detection templates
+```
+
+### Credential Management
+
+```bash
+talonctl auth setup                  # Interactive credential setup wizard
+talonctl auth check                  # Verify stored credentials
+```
+
+### Operational
+
+```bash
+talonctl health                      # Detection health check
+talonctl health --format json -o r.json  # Export health report
+talonctl metrics update-detections --report r.json  # Update detection metrics CSV
+talonctl metrics update-kpis --report r.json        # Update KPI CSV
+talonctl backup create               # Create state backup (GitHub Release)
+talonctl backup list                 # List available backups
+talonctl backup restore <tag>        # Restore from backup
+```
+
+## What It Manages
+
+| Resource Type | Template Dir | Description |
+|--------------|-------------|-------------|
+| Detection | `resources/detections/` | Correlation rules (CQL queries with severity, MITRE mapping) |
+| Saved Search | `resources/saved_searches/` | Reusable CQL functions called with `$function_name()` |
+| Dashboard | `resources/dashboards/` | LogScale dashboards with sections and widgets |
+| Workflow | `resources/workflows/` | Falcon Fusion automation workflows |
+| Lookup File | `resources/lookup_files/` | CSV lookup tables for enrichment |
+| RTR Script | `resources/rtr_scripts/` | Real Time Response scripts |
+| RTR Put File | `resources/rtr_put_files/` | Files pushed to endpoints via RTR |
+
+## Prerequisites
+
+- CrowdStrike Falcon tenant with NG-SIEM (LogScale)
+- Python 3.11+
+- CrowdStrike API credentials (Falcon Console > Support & Resources > API Clients and Keys)
+
+## Required API Scopes
+
+### By Resource Type
+
+| Resource Type | Read (plan/sync/drift/import) | Write (apply) |
+|--------------|-------------------------------|---------------|
+| Detection | `correlation-rules:read` | `correlation-rules:write` |
+| Saved Search | `ngsiem:read` | `ngsiem:write` |
+| Dashboard | `ngsiem:read` | `ngsiem:write` |
+| Lookup File | `ngsiem:read` | `ngsiem:write` |
+| Workflow | `workflow:read` | `workflow:write` |
+| RTR Script | `real-time-response-admin:write` | `real-time-response-admin:write` |
+| RTR Put File | `real-time-response-admin:write` | `real-time-response-admin:write` |
+
+### Minimum Scopes by Workflow
+
+| Workflow | Scopes |
+|----------|--------|
+| **Just detections** (plan/apply) | `correlation-rules:read`, `correlation-rules:write` |
+| **Detections + saved searches** | Above + `ngsiem:read`, `ngsiem:write` |
+| **Full IaC** (all resource types) | All read + write scopes above |
+| **Import only** (onboarding) | Read scopes for target resource types |
+
+## Ecosystem
+
+talonctl was built alongside a set of AI-assisted security skills and a CrowdStrike MCP server. Together they form a detection engineering and SOC operations toolkit:
+
+- **[talonctl-demo](https://github.com/willwebster5/talonctl-demo)** -- Working example project with saved searches, lookup files, knowledge base, and CI/CD workflows
+- **[agent-skills](https://github.com/willwebster5/agent-skills)** -- Claude Code plugins for SOC triage, detection engineering, threat hunting, and more
+- **[crowdstrike-mcp](https://github.com/willwebster5/crowdstrike-mcp)** -- MCP server for querying alerts, running CQL, host lookup, and case management
+
+## Development
+
+```bash
+git clone https://github.com/willwebster5/talonctl.git
+cd talonctl
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -e .[dev]
+pytest tests/ -v
+```
+
+Format reference templates are in `examples/resources/` -- annotated YAML examples for every resource type.
+
+## License
+
+MIT -- do whatever you want, no warranty, no liability. See [LICENSE](LICENSE).