
The CrowdStrike Demo Falcon Integration Gateway for GCP

Project description

falcon-integration-gateway

Falcon Integration Gateway (FIG) forwards threat detection findings and audit events from the CrowdStrike Falcon platform to the backend of your choice.

Detection findings and audit events generated by the CrowdStrike Falcon platform inform you about suspicious files and behaviors in your environment. You will see detections on a range of activities, from the presence of a bad file (indicator of compromise (IOC)) to a nuanced collection of suspicious behaviors (indicator of attack (IOA)) occurring on one of your hosts or containers. You can learn more about the individual detections in the Falcon documentation.

This project facilitates the export of individual detections and audit events from CrowdStrike Falcon to third-party security dashboards (so-called backends). The export is useful where a security operations team's workflows are tied to a given third-party solution and the team wants an early, real-time heads-up about malicious activities or unusual user activities detected by the CrowdStrike Falcon platform.

Backends w/ Available Deployment Guide(s)

| Backend | Description | Deployment Guide(s) | Developer Guide(s) |
|---|---|---|---|
| AWS | Pushes events to AWS Security Hub | Coming Soon | AWS backend |
| AWS_SQS | Pushes events to AWS SQS | Coming Soon | AWS SQS backend |
| Azure | Pushes events to Azure Log Analytics | | Azure backend |
| Chronicle | Pushes events to Google Chronicle | | Chronicle backend |
| CloudTrail Lake | Pushes events to AWS CloudTrail Lake | | CloudTrail Lake backend |
| GCP | Pushes events to GCP Security Command Center | | GCP backend |
| Workspace ONE | Pushes events to VMware Workspace ONE Intelligence | Coming Soon | Workspace ONE backend |

Alternative Deployment Options

Prior to any deployment, ensure you refer to the configuration options available to the application.

Installation to Kubernetes using the helm chart

Please refer to the FIG helm chart documentation for detailed instructions on deploying the FIG via helm chart for your respective backend(s).

Manual Installation and Removal

With Docker/Podman

To install as a container:

  1. Pull the image
    docker pull quay.io/crowdstrike/falcon-integration-gateway:latest
    
  2. Run the application in the background passing in your backend CONFIG options
    docker run -d --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
      -e FALCON_CLOUD_REGION="us-1" \
      -e FIG_BACKENDS=<BACKEND> \
      -e CONFIG_OPTION=CONFIG_OPTION_VALUE \
      quay.io/crowdstrike/falcon-integration-gateway:latest
    
  3. Confirm deployment
    docker logs <container>
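
A preflight wrapper for the `docker run` step above, added here as an example and not part of the FIG project: it refuses to start when a required variable is empty and passes variables by name (`-e NAME`), so the client secret's value does not appear on the docker command line. `FIG_IMAGE` and the `fig_*` function names are assumptions of this example; the variable names are the ones shown in step 2.

```shell
#!/bin/sh
# Added example (not project code). FIG_IMAGE and the fig_* helpers are hypothetical names.
FIG_IMAGE="${FIG_IMAGE:-quay.io/crowdstrike/falcon-integration-gateway:latest}"
REQUIRED_VARS="FALCON_CLIENT_ID FALCON_CLIENT_SECRET FALCON_CLOUD_REGION FIG_BACKENDS"

# Print the names of required variables that are unset or empty.
# Returns 0 when nothing is missing, 1 otherwise.
fig_missing_vars() {
    missing=""
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# Build the docker command line. `-e NAME` with no `=value` makes docker copy
# the variable from the caller's environment, so the expanded secret is not
# part of the argument list that `ps` and /proc/<pid>/cmdline expose.
fig_docker_cmd() {
    cmd="docker run -d --rm"
    for name in $REQUIRED_VARS; do
        cmd="$cmd -e $name"
    done
    printf '%s %s' "$cmd" "$FIG_IMAGE"
}

# Validate, export the variables so docker can inherit them, then start FIG.
fig_run() {
    if ! missing=$(fig_missing_vars); then
        echo "refusing to start FIG, unset or empty: $missing" >&2
        return 1
    fi
    # shellcheck disable=SC2086,SC2163  # intentional split into variable names
    export $REQUIRED_VARS
    # Word splitting is intended: variable names and image contain no spaces.
    # shellcheck disable=SC2046
    $(fig_docker_cmd)
}
```

Backend-specific options (the `CONFIG_OPTION` placeholder in step 2) can be appended to `REQUIRED_VARS` and are then checked and passed the same way.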
    

From Git Repository

  1. Clone the repository

    git clone https://github.com/CrowdStrike/falcon-integration-gateway.git
    
  2. Modify the ./config/config.ini file with your backend options

  3. Run the application

    python3 -m fig
    

Developers Guide

Statement of Support

Falcon Integration Gateway (FIG) is an open source project, not a CrowdStrike product. As such it carries no formal support, expressed or implied.

Download files


Source Distribution

falcon-integration-gateway-3.1.10.tar.gz (27.5 kB)


Built Distribution


falcon_integration_gateway-3.1.10-py3-none-any.whl (33.4 kB)


Hashes for falcon-integration-gateway-3.1.10.tar.gz
Algorithm Hash digest
SHA256 8566084340d1a08bbe4032a4ff862dbc4ac0333517034b608fd5e1a04cb92056
MD5 0573a93ffb0f3ab6cac04e7742b4cf43
BLAKE2b-256 d7ccfea166e951d2d73ede3b63756b61cce97fa0bdf03436f7a5733e83845239


Hashes for falcon_integration_gateway-3.1.10-py3-none-any.whl
Algorithm Hash digest
SHA256 d47cf0aea1c7b238dc0627ad585439e1039f523e4c844f53e87015916c011af7
MD5 277a3f9eaf7bf21f348974e547afbf55
BLAKE2b-256 361a1acb54b794ee2010e39bf2b97ed7f60f228d020113a0464f35dd383b0362
