https://github.com/m-mizutani/falconstream

Event forwarder for CrowdStrike Falcon
https://github.com/m-mizutani/falconstream

aws-s3 crowdstrike falcon golang

Last synced: 6 months ago
JSON representation

Event forwarder for CrowdStrike Falcon

• Host: GitHub
• URL: https://github.com/m-mizutani/falconstream
• Owner: m-mizutani
• Created: 2019-10-01T08:59:27.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2024-01-16T13:56:37.000Z (almost 2 years ago)
• Last Synced: 2025-04-26T07:08:35.312Z (6 months ago)
• Topics: aws-s3, crowdstrike, falcon, golang
• Language: Go
• Size: 29.3 KB
• Stars: 11
• Watchers: 3
• Forks: 3
• Open Issues: 3
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# FalconStream

`falconstream` is event forwarder of CrowdStrike Falcon. CrowdStrike Falcon has Event Stream API and the API provides events regarding audit, malware detection and so on. `falconstream` receives the events continuously and can store them to local file system or Amazon S3. (Also Amazon Kinesis Data Firehose is planned to implement)

## Architecture

![architecture](https://user-images.githubusercontent.com/605953/66090764-b635bc80-e5bf-11e9-9d2c-c7d35c247b59.png)

`falconstream` simply receives events from CrowdStrike Falcon Event Stream API by long time HTTPS connection.

## Getting Started

### Prerequisite

- Go >= 1.13

- API key (client_id + secret) of CrowdStrike Falcon

### Setup

```bsash

go get github.com/m-mizutani/falconstream

```

### Run and output to console

```bash

$ export FALCON_CLIENT_ID=xxxxxxxxxxxxx

$ export FALCON_SECRET=xxxxxxxxxxxxxxxxxxx

$ falconstream

falconstream.falconEvent{

  MetaData: &gofalcon.StreamEventMetaData{

    CustomerIDString:  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

    EventType:         "UserActivityAuditEvent",

    Offset:            12345,

    EventCreationTime: 1568947873000,

  },

  Event: map[string]interface {}{

    "AuditKeyValues": []interface {}{

      map[string]interface {}{

        "ValueString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

        "Key":         "quarantined_file_id",

      },

      map[string]interface {}{

        "Key":         "action_taken",

        "ValueString": "quarantined",

      },

    },

    "UTCTimestamp":  1568947873.000000,

    "UserId":        "Crowdstrike",

    "UserIp":        "",

    "OperationName": "quarantined_file_update",

    "ServiceName":   "quarantined_files",

  },

}

```

## Basic usage

### Output to local file system

```

$ falconstream -e fs &

$ tail -f falcon.log

{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"AuthActivityAuditEvent","offset":1100,"eventCreationTime":1567079329516},"event":{"OperationName":"twoFactorAuthenticate","ServiceName":"CrowdStrike Authentication","Success":true,"UTCTimestamp":1567079329516,"UserId":"xxxxxxxxx","UserIp":"10.0.0.1"}}

...(snip)...

```

### Output to Amazon S3

NOTE: You need to prepare AWS credential. See [following document](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) for more detail.

```bash

$ falconstream -e s3 --aws-region ap-northeast-1 --aws-s3-bucket YOUR-BUCKET-NAME

```

### Use AWS Secrets Manager to save Falcon credentials

NOTE: You need to setup a `secret` including `falcon_client_id` and `falcon_secret` in Secrets Manager at first. Then see ARN of the `secret`.

```bash

$ falconstream --aws-secret-arn arn:aws:secretsmanager:ap-northeast-1:1234567890:secret:my-secret

```

## License

- MIT License

- Author: Masayoshi Mizutani < mizutani@sfc.wide.ad.jp >