Falcon Integration Gateway (FIG) forwards threat detection findings from the CrowdStrike Falcon platform to the backend of your choice. Consult the project page to learn more about its capabilities. This document describes a Helm chart that can be used to deploy FIG in various configurations.
- Requires a Kubernetes cluster
- Helm 3.x is installed and supported by the Kubernetes vendor.
- Must be a CrowdStrike customer
- At least one backend prepared to ingest events
The following table lists the configurable parameters of the chart and their default values.
Parameter | Description | Default |
---|---|---|
falcon.client_id | CrowdStrike API Client ID | None |
falcon.client_secret | CrowdStrike API Client Secret | None |
falcon.cloud_region | CrowdStrike Cloud Region (us-1, us-2, eu-1, us-gov-1) | None (Required) |
falcon.existingSecret | Existing k8s secret name containing the above values | None |
credentials_store.store | Use valid credentials store (ssm, secrets_manager) | None |
credentials_store.ssm.region | AWS region for SSM | None |
credentials_store.ssm.client_id | SSM parameter name for client_id | None |
credentials_store.ssm.client_secret | SSM parameter name for client_secret | None |
credentials_store.secrets_manager.region | AWS region for Secrets Manager | None |
credentials_store.secrets_manager.secret_name | Secrets Manager secret name | None |
credentials_store.secrets_manager.client_id_key | Secrets Manager key for client_id | None |
credentials_store.secrets_manager.client_secret_key | Secrets Manager key for client_secret | None |
falcon.integration_gateway.application_id | Unique string for each FIG instance within your CID | helm-chart-default |
falcon.integration_gateway.level | Logging level (ERROR, WARN, INFO, DEBUG) | INFO |
falcon.integration_gateway.severity_threshold | Filter events based on severity (1-5) | 2 |
falcon.integration_gateway.older_than_days_threshold | Filter events based on age in days | 21 |
falcon.integration_gateway.detections_exclude_clouds | Exclude events based on cloud origination | None |
falcon.integration_gateway.worker_threads | Number of FIG application threads to process events | 4 |
falcon.integration_gateway.offset | Offset number to start the stream from | 0 |
push.aws_security_hub.enabled | Enable event forwarding to AWS Security Hub | false |
push.aws_security_hub.region | AWS Region | None |
push.aws_security_hub.confirm_instance | Confirm instance in AWS account supported region | true |
push.aws_sqs.enabled | Enable event forwarding to AWS SQS | false |
push.aws_sqs.region | AWS Region | None |
push.aws_sqs.sqs_queue_name | AWS SQS Queue Name | None |
push.azure_log_analytics.enabled | Enable event forwarding to Azure Log Analytics | false |
push.azure_log_analytics.workspace_id | Azure Log Analytics Workspace ID | None |
push.azure_log_analytics.primary_key | Azure Log Analytics Primary Key | None |
push.azure_log_analytics.arc_autodiscovery | Enable Azure Arc auto-discovery | false |
push.chronicle.enabled | Enable event forwarding to Google Chronicle | false |
push.chronicle.region | Google Cloud Chronicle Region | None |
push.chronicle.service_account | Google Cloud Service Account | None |
push.chronicle.customer_id | Google Chronicle Customer ID | None |
push.cloudtrail_lake.enabled | Enable event forwarding to AWS CloudTrail Lake | false |
push.cloudtrail_lake.channel_arn | CloudTrail Lake Channel for sending events | None |
push.cloudtrail_lake.region | AWS Region | None |
push.gcp_security_command_center.enabled | Enable event forwarding to GCP Security Command Center | false |
push.vmware_workspace_one.enabled | Enable event forwarding to VMware Workspace ONE | false |
push.vmware_workspace_one.syslog_host | Workspace ONE syslog host | None |
push.vmware_workspace_one.syslog_port | Workspace ONE syslog port | None |
push.vmware_workspace_one.token | Workspace ONE token | None |
push.generic.enabled | Enable event forwarding to stdout (debugging) | false |
serviceAccount.annotations | Annotations for serviceAccount | {} |
- Obtain OAuth2 API credentials for CrowdStrike Falcon:
  - Navigate to API Clients and Keys within the CrowdStrike Falcon platform.
  - Use the Add new API client button in the top right corner to create a new key pair.
  - Make sure only the following permissions are assigned to the key pair:
    - Event streams: [Read]
    - Hosts: [Read]
Consult the backend guides for additional API scopes that may be required.
FIG authenticates to the CrowdStrike API with an API client ID and client secret, together with the cloud region those credentials belong to.
FIG supports auto-discovery of the Falcon cloud region. If you do not specify a cloud region, FIG will attempt to auto-discover it from the API client ID and client secret provided.
Important: auto-discovery is only available for the [us-1, us-2, eu-1] regions.
Below are a few examples of how to provide the Falcon API credentials to the FIG helm chart.

Inline in the chart values:

```yaml
falcon:
  client_id: "YOUR_FALCON_CLIENT_ID"
  client_secret: "YOUR_FALCON_CLIENT_SECRET"
  cloud_region: "us-1"
```

From an AWS Secrets Manager credentials store:

```yaml
falcon:
  cloud_region: "us-1"
credentials_store:
  store: "secrets_manager"
  secrets_manager:
    region: "us-west-2"
    secret_name: "falcon-k8s-secret"
    client_id_key: "client_id"
    client_secret_key: "client_secret"
```

From an existing Kubernetes secret:

```yaml
falcon:
  existingSecret: "falcon-k8s-secret"
```
You can also use the helm CLI to provide the Falcon API credentials.

```bash
# Inline credentials passed as --set values
helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
  --set falcon.client_id=$FALCON_CLIENT_ID \
  --set falcon.client_secret=$FALCON_CLIENT_SECRET \
  --set falcon.cloud_region=$FALCON_CLOUD
```
...

```bash
# Credentials read at runtime from AWS SSM Parameter Store
helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
  --set falcon.cloud_region=$FALCON_CLOUD \
  --set credentials_store.store="ssm" \
  --set credentials_store.ssm.region="us-east-2" \
  --set credentials_store.ssm.client_id="/falcon/fig/client_id" \
  --set credentials_store.ssm.client_secret="/falcon/fig/client_secret"
```
...
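As an added example (not part of the chart or the FIG project), the following lint checks a set of chart values before `helm install`, using the constraints stated on this page: exactly one credential source, a valid or auto-discoverable cloud region, a complete credentials store, a severity threshold of 1-5, and at least one fully configured push backend. It assumes that a parameter listed with a "None" default is required once its backend or credentials store is selected; the `SAMPLE` dict is constructed from the examples above.

```python
# Added example, not part of the chart: a pre-deploy lint of the values handed to
# the FIG chart (the values.yaml loaded as a dict). Assumption: a parameter whose
# default is "None" is required once its backend or credentials store is selected.
REGIONS, AUTODISCOVER = {"us-1", "us-2", "eu-1", "us-gov-1"}, {"us-1", "us-2", "eu-1"}
STORE_KEYS = {"ssm": ("region", "client_id", "client_secret"),
              "secrets_manager": ("region", "secret_name", "client_id_key", "client_secret_key")}
BACKEND_KEYS = {"aws_security_hub": ("region",), "aws_sqs": ("region", "sqs_queue_name"),
                "azure_log_analytics": ("workspace_id", "primary_key"),
                "chronicle": ("region", "service_account", "customer_id"),
                "cloudtrail_lake": ("channel_arn", "region"), "gcp_security_command_center": (),
                "vmware_workspace_one": ("syslog_host", "syslog_port", "token"), "generic": ()}
# Constructed sample: the Secrets Manager credentials example from this page plus Security Hub.
SAMPLE = {"falcon": {"cloud_region": "us-1"},
          "credentials_store": {"store": "secrets_manager", "secrets_manager": {
              "region": "us-west-2", "secret_name": "falcon-k8s-secret",
              "client_id_key": "client_id", "client_secret_key": "client_secret"}},
          "push": {"aws_security_hub": {"enabled": True, "region": "eu-west-2"}}}

def check_values(values: dict) -> list:
    # Returns the problems found; an empty list means the values look deployable.
    problems = []
    falcon = values.get("falcon") or {}
    cs = values.get("credentials_store") or {}
    store = cs.get("store")
    # Exactly one credential source: inline values, existingSecret, or a credentials store.
    inline = bool(falcon.get("client_id") or falcon.get("client_secret"))
    if inline + bool(falcon.get("existingSecret")) + bool(store) != 1:
        problems.append("use exactly one of inline client_id/secret, existingSecret, credentials_store")
    if inline:
        problems.append("client secret in plaintext values; prefer existingSecret or a credentials store")
    region = falcon.get("cloud_region")
    if region is None:  # us-gov-1 is never auto-discovered, so it must be set explicitly
        problems.append("cloud_region unset; auto-discovery covers only " + ", ".join(sorted(AUTODISCOVER)))
    elif region not in REGIONS:
        problems.append("unknown cloud_region %r" % region)
    if store is not None and store not in STORE_KEYS:
        problems.append("unknown credentials_store.store %r" % store)
    elif store is not None:
        problems += ["credentials_store.%s.%s missing" % (store, k)
                     for k in STORE_KEYS[store] if not (cs.get(store) or {}).get(k)]
    sev = (falcon.get("integration_gateway") or {}).get("severity_threshold", 2)
    if not (isinstance(sev, int) and 1 <= sev <= 5):
        problems.append("integration_gateway.severity_threshold must be an integer from 1 to 5")
    push = values.get("push") or {}
    enabled = [b for b in BACKEND_KEYS if (push.get(b) or {}).get("enabled")]
    if not enabled:
        problems.append("no push backend enabled; nothing will be forwarded")
    for b in enabled:
        problems += ["push.%s.%s missing" % (b, k) for k in BACKEND_KEYS[b] if not push[b].get(k)]
    return problems
```

In practice the dict comes from loading your values file (for example with PyYAML) and a non-empty result should block the install.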
The helm chart is under active development. Contributors are welcome to install either directly from the git repository or from the helm repository.

- Add the CrowdStrike Falcon Helm repository:

  ```bash
  helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
  ```

- Update the local Helm repository cache:

  ```bash
  helm repo update
  ```

- Example install with Azure Log Analytics enabled:

  ```bash
  helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
    --set falcon.client_id=$FALCON_CLIENT_ID \
    --set falcon.client_secret=$FALCON_CLIENT_SECRET \
    --set falcon.cloud_region=$FALCON_CLOUD \
    --set push.azure_log_analytics.enabled=true \
    --set push.azure_log_analytics.workspace_id=1234ab-cdef-abc7d-acdb-82321223 \
    --set push.azure_log_analytics.primary_key=ASDFzxy/vgC/m6HKOY6bqi5g==
  ```

- Alternative example install with AWS Security Hub enabled:

  ```bash
  # The dots inside the annotation key are escaped so helm keeps
  # "eks.amazonaws.com/role-arn" as a single key instead of splitting it.
  helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
    --set falcon.client_id=$FALCON_CLIENT_ID \
    --set falcon.client_secret=$FALCON_CLIENT_SECRET \
    --set falcon.cloud_region=$FALCON_CLOUD \
    --set push.aws_security_hub.enabled=true \
    --set push.aws_security_hub.region="eu-west-2" \
    --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::12345678910:role/fig-demo-J78KUNY32R1"
  ```
Example run from a local clone of the git repository with Azure Log Analytics enabled:

```bash
helm install -n test --create-namespace --generate-name ./falcon-integration-gateway \
  --set falcon.client_id=$FALCON_CLIENT_ID \
  --set falcon.client_secret=$FALCON_CLIENT_SECRET \
  --set falcon.cloud_region=$FALCON_CLOUD \
  --set push.azure_log_analytics.enabled=true \
  --set push.azure_log_analytics.workspace_id=1234ab-cdef-abc7d-acdb-82321223 \
  --set push.azure_log_analytics.primary_key=ASDFzxy/vgC/m6HKOY6bqi5g==
```