Integration with Microsoft Azure Log Analytics.
config/config.ini configures Falcon Integration Gateway. Below is a minimal configuration example for Azure:
```ini
[main]
# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
backends=AZURE

[azure]
# Azure section is applicable only when AZURE backend is enabled in the [main] section.
# Uncomment to provide Azure Workspace ID. Alternatively, use WORKSPACE_ID env variable.
#workspace_id =
# Uncomment to provide Azure Primary Key. Alternatively, use PRIMARY_KEY env variable.
#primary_key =
# Uncomment to enable RTR based auto discovery of Azure Arc Systems. Alternatively,
# use ARC_AUTODISCOVERY env variable.
#arc_autodiscovery = true
```
Configure the following additional API scope for the API client in your CrowdStrike Falcon console:
- Real Time Response: [Read, Write] (required only if you use the Azure Arc autodiscovery feature; not needed otherwise)
Azure Arc is a service within Microsoft Azure that lets users connect and manage systems outside Azure from a single pane of glass (the Azure user interface).
Falcon Integration Gateway can identify the Azure Arc properties of a system (resourceName, resourceGroup, subscriptionId, tenantId, and vmId) using RTR and send these details along with the event to Azure Log Analytics.
To enable this feature:
- set `arc_autodiscovery=true` inside the `[azure]` section in your config.ini
- Build the image
  ```shell
  docker build . -t falcon-integration-gateway
  ```
- Run the application
  ```shell
  docker run -it --rm \
    -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
    -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
    -e WORKSPACE_ID="$WORKSPACE_ID" \
    -e PRIMARY_KEY="$PRIMARY_KEY" \
    -e FALCON_CLOUD_REGION="us-1" \
    falcon-integration-gateway:latest
  ```
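The config comments above encode several rules that are easy to get wrong before the first `docker run`: the `[azure]` section is ignored unless `AZURE` is listed in `[main] backends`, each `[azure]` option can instead be supplied through its named environment variable, and turning on `arc_autodiscovery` means the Falcon API client also needs the Real Time Response scope. The preflight script below is an added example (not part of the gateway's own code) that applies those rules to a config.ini and the environment and reports what is missing. It assumes that a set environment variable takes precedence over the file value (the page only calls the env var an alternative and does not state precedence), and the `preflight`, `parse_config` and `SAMPLE_CONFIG` names are its own.

```python
"""Preflight check for a Falcon Integration Gateway config.ini using the AZURE backend.

Added example, not part of the gateway's own code. It applies the rules the
config comments state: [azure] only matters when AZURE is in [main] backends,
each [azure] option may instead come from its documented environment variable,
and arc_autodiscovery additionally needs the Real Time Response [Read, Write]
API scope. ASSUMPTION: a set environment variable overrides the file value.
"""
import configparser
import os
import sys
from typing import Dict, List, Mapping, Optional

# Each [azure] option and the environment variable the config comments name as its alternative.
AZURE_ENV_VARS = {
    "workspace_id": "WORKSPACE_ID",
    "primary_key": "PRIMARY_KEY",
    "arc_autodiscovery": "ARC_AUTODISCOVERY",
}
REQUIRED_AZURE_SETTINGS = ("workspace_id", "primary_key")
RTR_SCOPE = "Real Time Response: [Read, Write]"

# Constructed sample input: the page's minimal Azure configuration, every option still commented out.
SAMPLE_CONFIG = """\
[main]
backends=AZURE
[azure]
#workspace_id =
#primary_key =
#arc_autodiscovery = true
"""


def parse_config(text: str) -> configparser.ConfigParser:
    """Parse config.ini text. '#' lines are comments, so commented-out options stay unset.
    Interpolation is off so a '%' inside a key value is not treated as a reference."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def enabled_backends(parser: configparser.ConfigParser) -> List[str]:
    """[main] backends is a comma-separated list; normalise case and whitespace."""
    raw = parser.get("main", "backends", fallback="")
    return [b.strip().upper() for b in raw.split(",") if b.strip()]


def resolve_azure_setting(parser: configparser.ConfigParser, key: str,
                          env: Mapping[str, str]) -> Optional[str]:
    """Effective value of an [azure] option: env var if set (ASSUMED precedence), else file, else None."""
    env_value = env.get(AZURE_ENV_VARS[key], "").strip()
    if env_value:
        return env_value
    file_value = parser.get("azure", key, fallback="").strip()
    return file_value or None


def is_truthy(value: Optional[str]) -> bool:
    """The sample config writes the boolean as 'true'; accept the usual spellings."""
    return (value or "").strip().lower() in ("1", "true", "yes", "on")


def preflight(parser: configparser.ConfigParser, env: Mapping[str, str]) -> Dict[str, object]:
    """Report missing required settings, extra API scopes, and secret-handling warnings."""
    report: Dict[str, object] = {"azure_enabled": False, "missing": [], "extra_scopes": [], "warnings": []}
    if "AZURE" not in enabled_backends(parser):
        return report  # [azure] is ignored unless the backend is enabled in [main]
    report["azure_enabled"] = True
    settings = {key: resolve_azure_setting(parser, key, env) for key in AZURE_ENV_VARS}
    report["missing"] = [key for key in REQUIRED_AZURE_SETTINGS if not settings[key]]
    if is_truthy(settings["arc_autodiscovery"]):
        report["extra_scopes"] = [RTR_SCOPE]  # RTR is what the gateway uses to read Arc properties
    if parser.get("azure", "primary_key", fallback="").strip():
        # The documented procedure edits config.ini and then builds the image from the same
        # directory, so a key written here lands in an image layer. PRIMARY_KEY at `docker run` does not.
        report["warnings"].append("primary_key is stored in config.ini; prefer the PRIMARY_KEY env var")
    return report


def main(path: str = "config/config.ini") -> int:
    text = open(path, encoding="utf-8").read() if os.path.exists(path) else SAMPLE_CONFIG
    report = preflight(parse_config(text), os.environ)
    for warning in report["warnings"]:
        print("WARNING:", warning)
    for scope in report["extra_scopes"]:
        print("Grant this API scope to the Falcon API client:", scope)
    if report["missing"]:
        print("Missing required Azure settings:", ", ".join(report["missing"]))
        return 1
    print("Azure backend", "enabled" if report["azure_enabled"] else "not enabled")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it from the repository root before `docker build` (optionally with a path to another ini file); a non-zero exit means the gateway would start without a workspace ID or primary key. The warning about `primary_key` in the file is the practical reason the page's `docker run` passes `PRIMARY_KEY` as an environment variable rather than committing it to config.ini.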