Falcon Integration Gateway (FIG) forwards threat detection findings and audit events from the CrowdStrike Falcon platform to the backend of your choice.
Detection findings and audit events generated by CrowdStrike Falcon platform inform you about suspicious files and behaviors in your environment. You will see detections on a range of activities from the presence of a bad file (indicator of compromise (IOC)) to a nuanced collection of suspicious behaviors (indicator of attack (IOA)) occurring on one of your hosts or containers. You can learn more about the individual detections in Falcon documentation.
This project facilitates the export of the individual detections and audit events from CrowdStrike Falcon to third-party security dashboards (so called backends). The export is useful in cases where security operation team workflows are tied to given third-party solution to get early real-time heads-up about malicious activities or unusual user activities detected by CrowdStrike Falcon platform.
API clients are granted one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform.
FIG requires the following API scopes at a minimum:
- Event streams: [Read]
- Hosts: [Read]
Consult the backend guides for additional API scopes that may be required.
Backend | Description | Deployment Guide(s) | General Guide(s) |
---|---|---|---|
AWS | Pushes events to AWS Security Hub | AWS backend | |
AWS_SQS | Pushes events to AWS SQS | Coming Soon | AWS SQS backend |
Azure | Pushes events to Azure Log Analytics | Azure backend | |
Chronicle | Pushes events to Google Chronicle |
|
Chronicle backend |
CloudTrail Lake | Pushes events to AWS CloudTrail Lake | CloudTrail Lake backend | |
GCP | Pushes events to GCP Security Command Center |
|
GCP backend |
Workspace ONE | Pushes events to VMware Workspace ONE Intelligence | Coming Soon | Workspace ONE backend |
Generic | Displays events to STDOUT (useful for dev/debugging) | N/A | Generic Backend |
❗ Prior to any deployment, ensure you refer to the configuration options available to the application ❗
Please refer to the FIG helm chart documentation for detailed instructions on deploying the FIG via helm chart for your respective backend(s).
To install as a container:
-
Pull the image
docker pull quay.io/crowdstrike/falcon-integration-gateway:latest
-
Run the application in the background passing in your backend CONFIG options as environment variables
docker run -d --rm \ -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \ -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \ -e FALCON_CLOUD_REGION="us-1" \ -e FIG_BACKENDS=<BACKEND> \ -e CONFIG_OPTION=CONFIG_OPTION_VALUE \ quay.io/crowdstrike/falcon-integration-gateway:latest
-
Confirm deployment
docker logs <container>
-
Clone the repository
git clone https://github.com/CrowdStrike/falcon-integration-gateway.git
-
Install the python dependencies.
pip install -r requirements.txt
-
Modify the
./config/config.ini
file with your backend options -
Run the application
python3 -m fig
Falcon Integration Gateway (FIG) is a community-driven, open source project designed to forward threat detection findings and audit events from the CrowdStrike Falcon platform to the backend of your choice. While not a formal CrowdStrike product, FIG is maintained by CrowdStrike and supported in partnership with the open source community.