Skip to content

m-mizutani/falconstream

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
pkg/falconstream
pkg/falconstream
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

FalconStream

falconstream is event forwarder of CrowdStrike Falcon. CrowdStrike Falcon has Event Stream API and the API provides events regarding audit, malware detection and so on. falconstream receives the events continuously and can store them to local file system or Amazon S3. (Also Amazon Kinesis Data Firehose is planned to implement)

Architecture

architecture

falconstream simply receives events from CrowdStrike Falcon Event Stream API by long time HTTPS connection.

Getting Started

Prerequisite

  • Go >= 1.13
  • API key (client_id + secret) of CrowdStrike Falcon

Setup

go get github.com/m-mizutani/falconstream

Run and output to console

$ export FALCON_CLIENT_ID=xxxxxxxxxxxxx
$ export FALCON_SECRET=xxxxxxxxxxxxxxxxxxx
$ falconstream
falconstream.falconEvent{
  MetaData: &gofalcon.StreamEventMetaData{
    CustomerIDString:  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    EventType:         "UserActivityAuditEvent",
    Offset:            12345,
    EventCreationTime: 1568947873000,
  },
  Event: map[string]interface {}{
    "AuditKeyValues": []interface {}{
      map[string]interface {}{
        "ValueString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Key":         "quarantined_file_id",
      },
      map[string]interface {}{
        "Key":         "action_taken",
        "ValueString": "quarantined",
      },
    },
    "UTCTimestamp":  1568947873.000000,
    "UserId":        "Crowdstrike",
    "UserIp":        "",
    "OperationName": "quarantined_file_update",
    "ServiceName":   "quarantined_files",
  },
}

Basic usage

Output to local file system

$ falconstream -e fs &
$ tail -f falcon.log
{"metadata":{"customerIDString":"xxxxxxxxxxx","eventType":"AuthActivityAuditEvent","offset":1100,"eventCreationTime":1567079329516},"event":{"OperationName":"twoFactorAuthenticate","ServiceName":"CrowdStrike Authentication","Success":true,"UTCTimestamp":1567079329516,"UserId":"xxxxxxxxx","UserIp":"10.0.0.1"}}
...(snip)...

Output to Amazon S3

NOTE: You need to prepare AWS credential. See following document for more detail.

$ falconstream -e s3 --aws-region ap-northeast-1 --aws-s3-bucket YOUR-BUCKET-NAME

Use AWS Secrets Manager to save Falcon credentials

NOTE: You need to setup a secret including falcon_client_id and falcon_secret in Secrets Manager at first. Then see ARN of the secret.

$ falconstream --aws-secret-arn arn:aws:secretsmanager:ap-northeast-1:1234567890:secret:my-secret

License

About

Event forwarder for CrowdStrike Falcon

Topics

golang aws-s3 falcon crowdstrike

Resources

Readme
Activity

Stars

11 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases 1

v0.2.0 Latest
Mar 2, 2021

Packages

No packages published

Languages