{"id":19561378,"url":"https://github.com/m-mizutani/falconstream","last_synced_at":"2025-04-27T00:31:11.942Z","repository":{"id":54227465,"uuid":"212052751","full_name":"m-mizutani/falconstream","owner":"m-mizutani","description":"Event forwarder for CrowdStrike Falcon","archived":false,"fork":false,"pushed_at":"2024-01-16T13:56:37.000Z","size":30,"stargazers_count":11,"open_issues_count":3,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-26T07:08:35.312Z","etag":null,"topics":["aws-s3","crowdstrike","falcon","golang"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m-mizutani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-01T08:59:27.000Z","updated_at":"2024-11-06T21:41:43.000Z","dependencies_parsed_at":"2024-01-02T01:55:37.278Z","dependency_job_id":"da0f79a6-6b6e-4c74-ab21-58a8cb030886","html_url":"https://github.com/m-mizutani/falconstream","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Ffalconstream","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Ffalconstream/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Ffalconstream/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Ffalconstream/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m-miz
utani","download_url":"https://codeload.github.com/m-mizutani/falconstream/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251072279,"owners_count":21532004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-s3","crowdstrike","falcon","golang"],"created_at":"2024-11-11T05:11:15.576Z","updated_at":"2025-04-27T00:31:11.686Z","avatar_url":"https://github.com/m-mizutani.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FalconStream\n\n`falconstream` is an event forwarder for CrowdStrike Falcon. CrowdStrike Falcon provides an Event Stream API that delivers events such as audit records and malware detections. `falconstream` receives these events continuously and can store them in the local file system or in Amazon S3. 
(Support for Amazon Kinesis Data Firehose is planned.)\n\n## Architecture\n\n![architecture](https://user-images.githubusercontent.com/605953/66090764-b635bc80-e5bf-11e9-9d2c-c7d35c247b59.png)\n\n`falconstream` simply receives events from the CrowdStrike Falcon Event Stream API over a long-lived HTTPS connection.\n\n## Getting Started\n\n### Prerequisites\n\n- Go \u003e= 1.13\n- CrowdStrike Falcon API credentials (client_id + secret)\n\n### Setup\n\n```bash\ngo get github.com/m-mizutani/falconstream\n```\n\nOn Go 1.18 or later, `go get` no longer builds and installs binaries; use `go install github.com/m-mizutani/falconstream@latest` instead.\n\n### Run and output to console\n\n```bash\n$ export FALCON_CLIENT_ID=xxxxxxxxxxxxx\n$ export FALCON_SECRET=xxxxxxxxxxxxxxxxxxx\n$ falconstream\nfalconstream.falconEvent{\n  MetaData: \u0026gofalcon.StreamEventMetaData{\n    CustomerIDString:  \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\n    EventType:         \"UserActivityAuditEvent\",\n    Offset:            12345,\n    EventCreationTime: 1568947873000,\n  },\n  Event: map[string]interface {}{\n    \"AuditKeyValues\": []interface {}{\n      map[string]interface {}{\n        \"ValueString\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\n        \"Key\":         \"quarantined_file_id\",\n      },\n      map[string]interface {}{\n        \"Key\":         \"action_taken\",\n        \"ValueString\": \"quarantined\",\n      },\n    },\n    \"UTCTimestamp\":  1568947873.000000,\n    \"UserId\":        \"Crowdstrike\",\n    \"UserIp\":        \"\",\n    \"OperationName\": \"quarantined_file_update\",\n    \"ServiceName\":   \"quarantined_files\",\n  },\n}\n```\n\n## Basic usage\n\n### Output to local file system\n\nEach event is written to `falcon.log` as one JSON object per line, with the stream metadata (including the stream `offset`) under `metadata` and the raw event body under `event`.\n\n```bash\n$ falconstream -e fs \u0026\n$ tail -f falcon.log\n{\"metadata\":{\"customerIDString\":\"xxxxxxxxxxx\",\"eventType\":\"AuthActivityAuditEvent\",\"offset\":1100,\"eventCreationTime\":1567079329516},\"event\":{\"OperationName\":\"twoFactorAuthenticate\",\"ServiceName\":\"CrowdStrike Authentication\",\"Success\":true,\"UTCTimestamp\":1567079329516,\"UserId\":\"xxxxxxxxx\",\"UserIp\":\"10.0.0.1\"}}\n...(snip)...\n```\n\n### 
Output to Amazon S3\n\nNOTE: You need to prepare AWS credentials. See the [AWS CLI configuration guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) for details.\n\n```bash\n$ falconstream -e s3 --aws-region ap-northeast-1 --aws-s3-bucket YOUR-BUCKET-NAME\n```\n\n### Use AWS Secrets Manager to save Falcon credentials\n\nNOTE: First create a secret in Secrets Manager that contains the keys `falcon_client_id` and `falcon_secret`, then note the ARN of that secret. The AWS credentials `falconstream` runs with must be allowed to call `secretsmanager:GetSecretValue` on that ARN.\n\n```bash\n$ falconstream --aws-secret-arn arn:aws:secretsmanager:ap-northeast-1:1234567890:secret:my-secret\n```\n\n## License\n\n- MIT License\n- Author: Masayoshi Mizutani \u003c mizutani@sfc.wide.ad.jp \u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Ffalconstream","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm-mizutani%2Ffalconstream","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Ffalconstream/lists"}
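The README above shows the line format `falconstream -e fs` writes to `falcon.log`: one JSON object per line with the stream `metadata` (including the `offset`) and the raw `event` body. The following Go program is an added example, not code from the falconstream project: it parses that format, records the highest offset seen (the natural resume point for a consumer of the stream) and flags `AuthActivityAuditEvent` records whose `Success` field is `false`. The type and function names (`Record`, `Summary`, `ScanLog`, `SampleLog`) are this example's own; the sample log is constructed from the README's line plus hypothetical lines in the same shape.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Metadata mirrors the "metadata" object in each falcon.log line
// (field names taken from the README's sample line).
type Metadata struct {
	CustomerIDString  string `json:"customerIDString"`
	EventType         string `json:"eventType"`
	Offset            int64  `json:"offset"`
	EventCreationTime int64  `json:"eventCreationTime"`
}

// Record is one JSON line. The event body is kept as a generic map
// because its keys differ per event type (auth audit, user audit, ...).
type Record struct {
	Metadata Metadata               `json:"metadata"`
	Event    map[string]interface{} `json:"event"`
}

// Summary is the result of one pass over a log.
type Summary struct {
	LastOffset  int64    // highest offset seen; use it to resume the stream
	FailedAuths []string // "userId@userIp" for AuthActivityAuditEvent with Success=false
	Malformed   int      // lines that were not valid records
}

// SampleLog is constructed test data: the README's own sample line, then
// hypothetical lines in the same shape (a failed 2FA attempt, a quarantine
// audit event) and a truncated line to exercise the malformed-line path.
const SampleLog = `{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"AuthActivityAuditEvent","offset":1100,"eventCreationTime":1567079329516},"event":{"OperationName":"twoFactorAuthenticate","ServiceName":"CrowdStrike Authentication","Success":true,"UTCTimestamp":1567079329516,"UserId":"xxxxxxxxx","UserIp":"10.0.0.1"}}
{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"AuthActivityAuditEvent","offset":1101,"eventCreationTime":1567079400000},"event":{"OperationName":"twoFactorAuthenticate","ServiceName":"CrowdStrike Authentication","Success":false,"UTCTimestamp":1567079400000,"UserId":"bob","UserIp":"203.0.113.9"}}
{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"UserActivityAuditEvent","offset":1102,"eventCreationTime":1567079500000},"event":{"OperationName":"quarantined_file_update","ServiceName":"quarantined_files","UserId":"Crowdstrike","UserIp":""}}
{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"AuthActivityAuditEvent","offset":1103
`

// ScanLog reads newline-delimited records, tracks the highest offset and
// collects explicit authentication failures. Lines that do not parse are
// counted rather than aborting the scan, so a torn last line does not
// hide the events before it.
func ScanLog(r io.Reader) Summary {
	var s Summary
	sc := bufio.NewScanner(r)
	// Falcon events can exceed bufio.Scanner's 64 KiB default token size.
	sc.Buffer(make([]byte, 0, 1024*1024), 4*1024*1024)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec Record
		if err := json.Unmarshal([]byte(line), &rec); err != nil || rec.Metadata.EventType == "" {
			s.Malformed++
			continue
		}
		if rec.Metadata.Offset > s.LastOffset {
			s.LastOffset = rec.Metadata.Offset
		}
		if rec.Metadata.EventType == "AuthActivityAuditEvent" {
			// Only an explicit Success=false is a failure; a missing or
			// non-boolean field is left alone rather than guessed at.
			if success, present := rec.Event["Success"].(bool); present && !success {
				user, _ := rec.Event["UserId"].(string)
				ip, _ := rec.Event["UserIp"].(string)
				s.FailedAuths = append(s.FailedAuths, user+"@"+ip)
			}
		}
	}
	return s
}

func main() {
	var in io.Reader = strings.NewReader(SampleLog)
	if len(os.Args) > 1 { // optionally scan a real falcon.log given as argument
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		in = f
	}
	s := ScanLog(in)
	fmt.Printf("resume offset: %d\n", s.LastOffset)
	fmt.Printf("failed auths:  %v\n", s.FailedAuths)
	fmt.Printf("malformed:     %d\n", s.Malformed)
}
```

Run it with no arguments to scan the embedded sample, or pass the path to a `falcon.log` produced by `falconstream -e fs`. Keeping `event` as a map is deliberate: the Event Stream API carries many event types with different bodies, and a strict struct for all of them would silently drop fields you have not modelled yet.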