This repository has been archived by the owner on Jan 17, 2024. It is now read-only.

Installation & Deployment

Evan Burns edited this page May 24, 2016 · 24 revisions

System Dependencies

Falcon Orchestrator has only been tested on Windows Server 2012 R2; however, it should also be functional on older versions of Windows Server as long as the .NET Framework 4.5 is installed. It can be deployed on a single host or across multiple servers.

Database Server – Ensure that a MS SQL Server database engine is installed on the server. It is suggested, although not required, to utilize an enterprise version as future updates will take advantage of SQL Server CDC functionality which is not available with the SQL Server Express editions. The software has only been tested with SQL Server 2014.

Web Server - The following Windows server roles must be installed:

  • Web Server (IIS) > Web Server > Security > Windows Authentication
  • Web Server (IIS) > Web Server > Application Development > ASP.NET 4.5
  • Application Server > .NET Framework 4.5

Deployment

The project contains an MSI installer which is designed to handle all deployment related tasks. As new bug fixes, major features and changes are released an updated installer package version will be provided. Before beginning the installation, ensure you have all the aforementioned dependencies in place otherwise the setup will fail. Download the most current version of the installer here.

Installer

  1. Execute the MSI installer on the host that will be running the full application or, if using a distributed deployment, on the web server host.

  2. Select the path to install Falcon Orchestrator's web application. By default the web app is installed to C:\Inetpub\Falcon Orchestrator and the client service to C:\Program Files (x86)\Falcon Orchestrator.

  3. Next you will be prompted to supply the initialization configuration settings. These settings are used to populate the web and service configuration text files with initial values. If you wish to change them in the future, you can simply modify the configuration files as needed.

Installer

Database Server Name Or IP - If the database server resides on the same host as the installer, you can supply localhost or the hostname of the server. When using localhost, you must first enable TCP/IP within SQL Server Configuration Manager. If the database will reside on a separate server, supply its IP address or hostname accordingly.
Database Name - Name of the database to be created. Defaults to FalconOrchestrator.
Database Login Username - The username of an account which has sufficient permissions to create and alter a database on the database server.
Database Login Password - The password of an account which has sufficient permissions to create and alter a database on the database server.
Encryption Key - Key used to encrypt/decrypt sensitive data stored in the SQL database.
Allowed Users - Falcon Orchestrator leverages integrated Windows Authentication to control access to the web application. By default, all users are denied access to the system. Supply a comma-delimited list (for multiple users) in the format domain\username to allow access to these accounts. To add additional accounts in the future, modify the web.config file in the web application directory.
  4. Click Next followed by Install to begin the install process. You will be prompted for UAC validation. If successful, the process will take a couple of seconds and provide a confirmation message that the application has been successfully installed.

Web Application

Upon successful installation, navigate to IIS Manager to ensure that the new site FalconOrchestrator has been deployed. This is where port binding and SSL based configuration changes can be made.

NOTE: By default the web application is installed on port 80 with plain HTTP. It is highly recommended that you configure the application to require SSL and import a certificate for it to use. There are various resources on the internet to guide you through this process.

IIS

Database

To verify that the database and associated tables were created, open SQL Server Management Studio and connect to the SQL database engine being used. A database with the name supplied during installation has now been created, as seen below. For more information regarding the database structure, refer to the database schema wiki page.

SQL

Windows Service

The Falcon Orchestrator client executable and dependent libraries are by default set up in the directory C:\Program Files (x86)\Falcon Orchestrator. The Windows service is also configured by the installer. To confirm this, open Windows Services and you should see a service with the name Falcon Orchestrator Client. The service is installed with a manual start type. We will first need to configure some settings within the web application prior to starting the service.
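The following is an added example, not code from the Falcon Orchestrator project: a scripted version of the post-install checks this page walks through by hand (server roles, the IIS site and its bindings, the client service). It assumes Windows Server 2012 R2 feature names, an elevated PowerShell prompt, and the site and service names the installer uses according to this page.

```powershell
# Added example, not part of the Falcon Orchestrator project: post-install checks.
# Assumes Windows Server 2012 R2 feature names, an elevated prompt, and the
# site/service names this page says the installer creates.
Import-Module ServerManager
Import-Module WebAdministration

$siteName    = 'FalconOrchestrator'          # IIS site created by the installer
$serviceName = 'Falcon Orchestrator Client'  # display name of the client service

# 1. Roles from "System Dependencies" (feature names assumed from Get-WindowsFeature)
$required = 'Web-Windows-Auth', 'Web-Asp-Net45', 'AS-NET-Framework'
foreach ($name in $required) {
    if (-not (Get-WindowsFeature -Name $name).Installed) {
        Write-Warning "Required role/feature not installed: $name"
    }
}

# 2. IIS site present, and flag the default plain-HTTP binding the page warns about
if (-not (Get-Website -Name $siteName)) {
    Write-Warning "IIS site '$siteName' not found; the installer did not complete"
} else {
    $bindings = Get-WebBinding -Name $siteName
    $https = @($bindings | Where-Object { $_.protocol -eq 'https' })
    $http  = @($bindings | Where-Object { $_.protocol -eq 'http' })
    if ($https.Count -eq 0) { Write-Warning "'$siteName' has no HTTPS binding; logons and detection data cross the network in clear text" }
    if ($http.Count -gt 0)  { Write-Warning "'$siteName' still answers plain HTTP on: $($http.bindingInformation -join ', ')" }

    # Windows Authentication is what gates access (see Allowed Users above)
    $winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
    if (-not $winAuth.Value) { Write-Warning "Windows Authentication is disabled on '$siteName'" }
}

# 3. Client service registered (installer leaves it at Manual start; start it only
#    after the Admin > Configuration settings below are filled in)
$svc = Get-Service -DisplayName $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found"
} else {
    $mode = (Get-WmiObject Win32_Service -Filter "DisplayName='$serviceName'").StartMode
    "Service '$serviceName': status $($svc.Status), start type $mode"
}
```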

Service

Initial configuration

Now that the MSI installer has successfully completed we will need to configure some items through the Falcon Orchestrator web application prior to starting the client service. As we’ve seen, the installer took care of deploying the IIS web application. As such we can now navigate to the web app by browsing to http://localhost from the local server or to the server IP/hostname from a remote system. If you have modified the web app to use a different port and/or SSL browse to that URL.

Through the navigation bar on the top browse to Admin > Configuration. This view displays the various configuration settings that we need to supply in order to get full functionality out of the system.

Email

Integration into your email environment allows Falcon Orchestrator to send email notifications for new detection alerts or when tickets are generated and dispatched to a recipient. You will need to supply the hostname or IP address and port of your email server. Most email servers will also require you to authenticate prior to sending email messages; provide those credentials in this section as well. These settings only need to be configured if you intend to use the notification capabilities outlined below.

Alerts

An alert notification is issued whenever a new detection event is generated by the Falcon Host platform and consumed by the Falcon Orchestrator client service. The email notification is the last processing rule to execute. As such, any event matching a whitelisting rule will not result in an email notification. Also, taxonomy rules are applied first and can therefore upgrade a detection's severity if the matched rule is defined as critical.

Ticketing

The ticketing module allows you to generate tickets for actions such as re-imaging/remediation, further investigation or any other purpose you see fit. More details on this are covered in the Ticketing section. Each type of notification has its own template associated with it. This is formatted in HTML and will be used as the body of the email message. You need to supply the full path to the template files located on the Falcon Orchestrator server.

Templates

When you provide one of the following values in an email HTML template or the subject field, the result is resolved dynamically from the corresponding detection or ticket. For example, supplying a subject of A {{Severity}} Severity Detection on {{Username}}\ {{Hostname}} would resolve to A High Severity Detection on jdoe\home-pc. Any values highlighted in blue are only resolved if the Active Directory Lookup rule is enabled and successfully resolves metadata for the associated user account.

{{Severity}} - The custom severity rating of the detection; defaults to the rating provided by CrowdStrike.
{{DetectionDescription}} - The description of the detection, providing details of the activity that is being alerted on.
{{Hostname}} - The hostname of the computer the detection was seen on.
{{IPAddress}} - The IP address of the computer the detection was seen on. This is only provided if the DNS lookup processing rule is enabled and is able to resolve the hostname to an IP.
{{ProcessStartTime}} - The start time of the process identified in the detection event.
{{ProcessEndTime}} - The end time of the process identified in the detection event.
{{FileName}} - The file name of the process identified in the detection event.
{{FilePath}} - The file path of the process identified in the detection event.
{{FalconOrchestratorLink}} - The URL to the detection edit view within the Falcon Orchestrator web application.
{{FalconHostLink}} - The URL to the detection event in the Falcon Host UI.
{{Username}} - The user account name identified in the detection event.
{{FirstName}} - The first name of the user associated with the account.
{{LastName}} - The last name of the user associated with the account.
{{Department}} - The department of the user associated with the account.
{{JobTitle}} - The job title of the user associated with the account.
{{EmailAddress}} - The email address of the user associated with the account.
{{Manager}} - The email address of the manager of the user associated with the account.
{{Country}} - The country of the user associated with the account.
{{StateProvince}} - The state or province of the user associated with the account.
{{City}} - The city of the user associated with the account.
{{StreetAddress}} - The street address of the user associated with the account.
{{PhoneNumber}} - The phone number of the user associated with the account.
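As an added example (not code from the Falcon Orchestrator project), the resolver below shows how the {{Placeholder}} tokens from the table above behave, including the rule that user metadata only resolves when the Active Directory Lookup rule is enabled. It assumes the "highlighted in blue" fields are the user attribute fields from {{FirstName}} onward, that an unresolved AD field becomes an empty string, and that unknown tokens are left in place; the sample detection values are constructed.

```powershell
# Added example, not project code. Assumptions: the AD-only fields are those from
# {{FirstName}} onward, unresolved AD fields become '', unknown tokens stay as-is.
function Resolve-FoTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Fields,   # placeholder name -> value
        [switch]$AdLookupEnabled                    # Active Directory Lookup rule on?
    )
    $adOnly = 'FirstName','LastName','Department','JobTitle','EmailAddress','Manager',
              'Country','StateProvince','City','StreetAddress','PhoneNumber'
    $sb  = New-Object System.Text.StringBuilder
    $pos = 0
    foreach ($m in [regex]::Matches($Template, '\{\{(\w+)\}\}')) {
        [void]$sb.Append($Template.Substring($pos, $m.Index - $pos))   # literal text
        $name = $m.Groups[1].Value
        if (-not $Fields.ContainsKey($name)) {
            $value = $m.Value          # unknown token: keep it so a typo is visible
        } elseif ($adOnly -contains $name -and -not $AdLookupEnabled) {
            $value = ''                # AD metadata not resolved without the rule
        } else {
            $value = [string]$Fields[$name]
        }
        [void]$sb.Append($value)
        $pos = $m.Index + $m.Length
    }
    [void]$sb.Append($Template.Substring($pos))
    $sb.ToString()
}

# Constructed sample detection; the subject line is the page's own example
$sample  = @{ Severity = 'High'; Username = 'jdoe'; Hostname = 'home-pc'
              FirstName = 'Jane'; Department = 'Finance' }
$subject = 'A {{Severity}} Severity Detection on {{Username}}\{{Hostname}}'
Resolve-FoTemplate -Template $subject -Fields $sample
Resolve-FoTemplate -Template 'Owner: {{FirstName}} ({{Department}})' -Fields $sample
Resolve-FoTemplate -Template 'Owner: {{FirstName}} ({{Department}})' -Fields $sample -AdLookupEnabled
```

Run against a real template file with Get-Content -Raw to see which tokens would stay unresolved before wiring the mail settings up.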

Active Directory

Integration to active directory enables a number of workflow & management capabilities within Falcon Orchestrator. In order to enable this functionality, you will need to supply the required information by navigating to Admin > Configuration > Active Directory. Currently AD integration only supports one domain/LDAP server. Future updates will provide support for multi-domain/forest based environments. Configuring these settings is only required if you intend to leverage the AD based features. More details, regarding how AD is used, can be found under the Active Directory wiki page.

Server - Hostname or IP address of the LDAP server.
Username - Username for the credentials used to integrate with AD.
Password - Password for the credentials used to integrate with AD.
Description - The text used to update the Description attribute of the account in Active Directory when a containment action is taken. This should be standard messaging that provides a rationale for why the account was disabled, etc.
Days Valid - Number of days locally stored account information is considered valid. Defaults to 30 days. If a detection occurs for an account which has not been updated in the database in that number of days, a new call to Active Directory is made for updated metadata.