feat(generic): add new generic backend

carlosmmatos · Aug 3, 2023 · 094be08 · 094be08
1 parent fb55d71
commit 094be08
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -30,6 +30,7 @@ FIG requires the following API scopes at a minimum:
 | CloudTrail Lake | Pushes events to AWS CloudTrail Lake | <ul><li>[Deployment to EKS](docs/cloudtrail-lake/eks)</li><li>[Manual Deployment](docs/cloudtrail-lake/manual)</li></ul> | [CloudTrail Lake backend](fig/backends/cloudtrail_lake) |
 | GCP | Pushes events to GCP Security Command Center | <ul><li>[Deployment to GKE](docs/listings/gke/UserGuide.md) (using [marketplace](https://console.cloud.google.com/marketplace/product/crowdstrike-saas/falcon-integration-gateway-scc))</li><li>[Deployment to GKE](docs/gke) (manual)</li></ul> | [GCP backend](fig/backends/gcp) |
 | Workspace ONE | Pushes events to VMware Workspace ONE Intelligence | *Coming Soon* | [Workspace ONE backend](fig/backends/workspaceone) |
+| Generic | Displays events to STDOUT (useful for dev/debugging) | N/A | [Generic Backend](fig/backends/generic) |
 
 ## Alternative Deployment Options
 

diff --git a/config/config.ini b/config/config.ini
@@ -3,7 +3,7 @@
 [main]
 # Uncomment to enable backends. Alternatively, use FIG_BACKENDS env variable.
 # The gateway will push events to the cloud providers specified below
-#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE
+#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC
 
 # Uncomment to configure number of threads that process Falcon Events. Alternatively,
 # use FIG_WORKER_THREADS env variable.
@@ -40,6 +40,10 @@
 # Alternatively, use FALCON_APPLICATION_ID env variable.
 #application_id = my-acme-gcp-1
 
+[generic]
+# Generic section is applicable only when GENERIC backend is enabled in the [main] section.
+# Generic backend can be used for outputting events to STDOUT
+
 [gcp]
 # GCP section is applicable only when GCP backend is enabled in the [main] section.
 

diff --git a/config/defaults.ini b/config/defaults.ini
@@ -20,6 +20,9 @@ application_id = fig-default-app-id
 reconnect_retry_count = 36
 rtr_quarantine_keyword = infected
 
+[generic]
+# Uses client_id and client_secret from [falcon] section
+
 [gcp]
 # Use GOOGLE_APPLICATION_CREDENTIALS env variable
 

diff --git a/fig/backends/__init__.py b/fig/backends/__init__.py
@@ -5,6 +5,7 @@
 from . import gcp
 from . import workspaceone
 from . import cloudtrail_lake
+from . import generic
 from ..config import config
 from ..log import log
 
@@ -16,7 +17,8 @@
     'GCP': gcp,
     'WORKSPACEONE': workspaceone,
     'CHRONICLE': chronicle,
-    'CLOUDTRAIL_LAKE': cloudtrail_lake
+    'CLOUDTRAIL_LAKE': cloudtrail_lake,
+    'GENERIC': generic
 }
 
 

diff --git a/fig/backends/generic/README.md b/fig/backends/generic/README.md
@@ -0,0 +1,31 @@
+# Generic Backend
+
+Generic backend is useful for testing and development purposes. It is not recommended for production use.
+
+## Example Configuration file
+
+[config/config.ini](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/config/config.ini) configures Falcon Integration Gateway. Below is a minimal configuration example for GENERIC backend:
+
+```terminal
+[main]
+# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
+backends=GENERIC
+```
+
+## Developer Guide
+
+1. Build the image
+
+    ```shell
+    docker build . -t falcon-integration-gateway
+    ```
+
+1. Run the application
+
+    ```shell
+    docker run -it --rm \
+        -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
+        -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
+        -e FALCON_CLOUD_REGION="us-1" \
+        falcon-integration-gateway:latest
+    ```
diff --git a/fig/backends/generic/__init__.py b/fig/backends/generic/__init__.py
@@ -0,0 +1,17 @@
+from ...log import log
+
+class Runtime():
+    RELEVANT_EVENT_TYPES = "ALL"
+
+    def __init__(self):
+        log.info("GENERIC Backend is enabled.")
+
+    def is_relevant(self, falcon_event):
+        return True
+
+    def process(self, falcon_event):
+        # Used to display falcon_evnts in the console
+        log.info(falcon_event.original_event)
+
+
+__all__ = ['Runtime']
diff --git a/fig/config/__init__.py b/fig/config/__init__.py
@@ -4,7 +4,7 @@
 
 
 class FigConfig(configparser.SafeConfigParser):
-    ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE'}
+    ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE', 'GENERIC'}
     FALCON_CLOUD_REGIONS = {'us-1', 'us-2', 'eu-1', 'us-gov-1'}
     SENSOR_RECOGNIZED_CLOUDS = {'AWS', 'Azure', 'GCP', 'unrecognized'}
     ENV_DEFAULTS = [