diff --git a/README.md b/README.md
index f076e13..4b852c0 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ FIG requires the following API scopes at a minimum:
| CloudTrail Lake | Pushes events to AWS CloudTrail Lake |
- [Deployment to EKS](docs/cloudtrail-lake/eks)
- [Manual Deployment](docs/cloudtrail-lake/manual)
| [CloudTrail Lake backend](fig/backends/cloudtrail_lake) |
| GCP | Pushes events to GCP Security Command Center | - [Deployment to GKE](docs/listings/gke/UserGuide.md) (using [marketplace](https://console.cloud.google.com/marketplace/product/crowdstrike-saas/falcon-integration-gateway-scc))
- [Deployment to GKE](docs/gke) (manual)
| [GCP backend](fig/backends/gcp) |
| Workspace ONE | Pushes events to VMware Workspace ONE Intelligence | *Coming Soon* | [Workspace ONE backend](fig/backends/workspaceone) |
+| Generic | Displays events to STDOUT (useful for dev/debugging) | N/A | [Generic Backend](fig/backends/generic) |
## Alternative Deployment Options
diff --git a/config/config.ini b/config/config.ini
index f1b9bea..a12011f 100644
--- a/config/config.ini
+++ b/config/config.ini
@@ -3,7 +3,7 @@
[main]
# Uncomment to enable backends. Alternatively, use FIG_BACKENDS env variable.
# The gateway will push events to the cloud providers specified below
-#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE
+#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC
# Uncomment to configure number of threads that process Falcon Events. Alternatively,
# use FIG_WORKER_THREADS env variable.
@@ -40,6 +40,10 @@
# Alternatively, use FALCON_APPLICATION_ID env variable.
#application_id = my-acme-gcp-1
+[generic]
+# Generic section is applicable only when GENERIC backend is enabled in the [main] section.
+# Generic backend can be used for outputting events to STDOUT
+
[gcp]
# GCP section is applicable only when GCP backend is enabled in the [main] section.
diff --git a/config/defaults.ini b/config/defaults.ini
index f073736..890f20c 100644
--- a/config/defaults.ini
+++ b/config/defaults.ini
@@ -20,6 +20,9 @@ application_id = fig-default-app-id
reconnect_retry_count = 36
rtr_quarantine_keyword = infected
+[generic]
+# Uses client_id and client_secret from [falcon] section
+
[gcp]
# Use GOOGLE_APPLICATION_CREDENTIALS env variable
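Review bot: The comment under the new `[generic]` section says the backend uses `client_id` and `client_secret` from `[falcon]`, but the `Runtime` added in `fig/backends/generic/__init__.py` reads no configuration and holds no credentials of its own. Those values appear to be consumed by the gateway's Falcon connection, not by this backend. A wording such as `# No backend-specific settings; events are written to the application log` would avoid implying that the debug backend handles API secrets.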
diff --git a/fig/backends/__init__.py b/fig/backends/__init__.py
index 2a81d93..c1ffad3 100644
--- a/fig/backends/__init__.py
+++ b/fig/backends/__init__.py
@@ -5,6 +5,7 @@
from . import gcp
from . import workspaceone
from . import cloudtrail_lake
+from . import generic
from ..config import config
from ..log import log
@@ -16,7 +17,8 @@
'GCP': gcp,
'WORKSPACEONE': workspaceone,
'CHRONICLE': chronicle,
- 'CLOUDTRAIL_LAKE': cloudtrail_lake
+ 'CLOUDTRAIL_LAKE': cloudtrail_lake,
+ 'GENERIC': generic
}
diff --git a/fig/backends/generic/README.md b/fig/backends/generic/README.md
new file mode 100644
index 0000000..5a1d025
--- /dev/null
+++ b/fig/backends/generic/README.md
@@ -0,0 +1,31 @@
+# Generic Backend
+
+Generic backend is useful for testing and development purposes. It is not recommended for production use.
+
+## Example Configuration file
+
+[config/config.ini](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/config/config.ini) configures Falcon Integration Gateway. Below is a minimal configuration example for GENERIC backend:
+
+```terminal
+[main]
+# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
+backends=GENERIC
+```
+
+## Developer Guide
+
+1. Build the image
+
+ ```shell
+ docker build . -t falcon-integration-gateway
+ ```
+
+1. Run the application
+
+ ```shell
+ docker run -it --rm \
+ -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
+ -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
+ -e FALCON_CLOUD_REGION="us-1" \
+ falcon-integration-gateway:latest
+ ```
diff --git a/fig/backends/generic/__init__.py b/fig/backends/generic/__init__.py
new file mode 100644
index 0000000..2a3ef64
--- /dev/null
+++ b/fig/backends/generic/__init__.py
@@ -0,0 +1,17 @@
+from ...log import log
+
+class Runtime():
+ RELEVANT_EVENT_TYPES = "ALL"
+
+ def __init__(self):
+ log.info("GENERIC Backend is enabled.")
+
+ def is_relevant(self, falcon_event):
+ return True
+
+ def process(self, falcon_event):
+ # Used to display falcon_evnts in the console
+ log.info(falcon_event.original_event)
+
+
+__all__ = ['Runtime']
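Review bot: `process` writes the whole `falcon_event.original_event` at INFO level and `is_relevant` returns True for every event, so enabling GENERIC sends every unfiltered payload to stdout and to whatever log collection sits behind the container. Those payloads presumably carry host names, user names and command lines, and the backend README's "not recommended for production" caveat is not reflected anywhere at runtime. Consider making the startup message a warning, e.g. `log.warning("GENERIC backend is enabled: full event payloads are written to the log; do not use in production.")`. The comment in `process` has a typo (`falcon_evnts`), and the class would benefit from a one-line docstring such as `"""Debug backend that logs every Falcon event verbatim."""`.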
diff --git a/fig/config/__init__.py b/fig/config/__init__.py
index 46f9100..578da88 100644
--- a/fig/config/__init__.py
+++ b/fig/config/__init__.py
@@ -4,7 +4,7 @@
class FigConfig(configparser.SafeConfigParser):
- ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE'}
+ ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE', 'GENERIC'}
FALCON_CLOUD_REGIONS = {'us-1', 'us-2', 'eu-1', 'us-gov-1'}
SENSOR_RECOGNIZED_CLOUDS = {'AWS', 'Azure', 'GCP', 'unrecognized'}
ENV_DEFAULTS = [