Azure Backend

Integration with Microsoft Azure Log Analytics.

Example Configuration file

config/config.ini configures Falcon Integration Gateway. Below is a minimal configuration example for Azure:

[main]
# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
backends=AZURE

[azure]
# Azure section is applicable only when AZURE backend is enabled in the [main] section.

# Uncomment to provide Azure Workspace ID. Alternatively, use WORKSPACE_ID env variable.
#workspace_id =
# Uncomment to provide Azure Primary Key. Alternatively, use PRIMARY_KEY env variable.
#primary_key =

# Uncomment to enable RTR based auto discovery of Azure Arc Systems. Alternatively,
# use ARC_AUTODISCOVERY env variable.
#arc_autodiscovery = true

API Scopes

Configure the following additional API scopes in your CrowdStrike Falcon console:

  • Real Time Response: [Read, Write]

    Required if using Azure Arc Autodiscovery feature.

Azure Arc Autodiscovery

Azure Arc is a service within Microsoft Azure that allows users to connect and manage systems outside Azure using a single pane of glass (the Azure user interface).

Falcon Integration Gateway is able to identify Azure Arc system properties (resourceName, resourceGroup, subscriptionId, tenantId, and vmId) using RTR and send these details over to Azure Log Analytics.

To enable this feature:

  • Set arc_autodiscovery=true inside the [azure] section of your config.ini
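
A pre-flight check for the settings described above, as an added example that is not part of the Falcon Integration Gateway code base. The function name check_azure_config, the sample values, and the rule that an environment variable overrides config.ini are assumptions of this example.

```python
import base64
import configparser
import uuid

# Env-var names are from the page; letting them override config.ini is an
# assumption of this example, not documented behaviour.
ENV_NAMES = {"workspace_id": "WORKSPACE_ID", "primary_key": "PRIMARY_KEY",
             "arc_autodiscovery": "ARC_AUTODISCOVERY"}

# Constructed sample: the page's minimal config with a key left in the file.
SAMPLE_INI = """
[main]
backends=AZURE
[azure]
primary_key = QUJDRA==
arc_autodiscovery = true
"""


def check_azure_config(ini_text, env):
    """Return (errors, warnings) for the [main] and [azure] settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    errors, warnings = [], []

    def resolve(key):
        return (env.get(ENV_NAMES[key]) or cp.get("azure", key, fallback="")).strip()

    backends = cp.get("main", "backends", fallback="").upper().split(",")
    if "AZURE" not in [b.strip() for b in backends]:
        errors.append("AZURE is not listed in [main] backends")
    try:  # Log Analytics workspace IDs are GUIDs
        uuid.UUID(resolve("workspace_id"))
    except ValueError:
        errors.append("workspace_id is missing or not a GUID")
    try:  # the workspace primary key is a base64 string
        if not base64.b64decode(resolve("primary_key"), validate=True):
            raise ValueError("empty key")
    except ValueError:
        errors.append("primary_key is missing or not valid base64")
    if cp.get("azure", "primary_key", fallback="").strip():
        warnings.append("primary_key is stored in config.ini; prefer the "
                        "PRIMARY_KEY env variable or restrict file permissions")
    if resolve("arc_autodiscovery").lower() == "true":
        warnings.append("arc_autodiscovery is on: API client needs "
                        "Real Time Response [Read, Write]")
    return errors, warnings


if __name__ == "__main__":
    print(check_azure_config(SAMPLE_INI, {}))
```

Pass os.environ as the second argument to check the environment the gateway container will actually receive.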

Developer Guide

  • Build the image

    docker build . -t falcon-integration-gateway
  • Run the application

    docker run -it --rm \
        -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
        -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
        -e WORKSPACE_ID="$WORKSPACE_ID" \
        -e PRIMARY_KEY="$PRIMARY_KEY" \
        -e FALCON_CLOUD_REGION="us-1" \
        falcon-integration-gateway:latest

Developer Resources