From 094be08b8c49edd9a81d7fc27dd37664702af6a4 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 2 Aug 2023 21:16:58 -0400 Subject: [PATCH] feat(generic): add new generic backend --- README.md | 1 + config/config.ini | 6 +++++- config/defaults.ini | 3 +++ fig/backends/__init__.py | 4 +++- fig/backends/generic/README.md | 31 +++++++++++++++++++++++++++++++ fig/backends/generic/__init__.py | 17 +++++++++++++++++ fig/config/__init__.py | 2 +- 7 files changed, 61 insertions(+), 3 deletions(-) create mode 100644 fig/backends/generic/README.md create mode 100644 fig/backends/generic/__init__.py diff --git a/README.md b/README.md index f076e13..4b852c0 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ FIG requires the following API scopes at a minimum: | CloudTrail Lake | Pushes events to AWS CloudTrail Lake | | [CloudTrail Lake backend](fig/backends/cloudtrail_lake) | | GCP | Pushes events to GCP Security Command Center | | [GCP backend](fig/backends/gcp) | | Workspace ONE | Pushes events to VMware Workspace ONE Intelligence | *Coming Soon* | [Workspace ONE backend](fig/backends/workspaceone) | +| Generic | Displays events to STDOUT (useful for dev/debugging) | N/A | [Generic Backend](fig/backends/generic) | ## Alternative Deployment Options diff --git a/config/config.ini b/config/config.ini index f1b9bea..a12011f 100644 --- a/config/config.ini +++ b/config/config.ini @@ -3,7 +3,7 @@ [main] # Uncomment to enable backends. Alternatively, use FIG_BACKENDS env variable. # The gateway will push events to the cloud providers specified below -#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE +#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC # Uncomment to configure number of threads that process Falcon Events. Alternatively, # use FIG_WORKER_THREADS env variable. 
@@ -40,6 +40,10 @@ # Alternatively, use FALCON_APPLICATION_ID env variable. #application_id = my-acme-gcp-1 +[generic] +# Generic section is applicable only when GENERIC backend is enabled in the [main] section. +# Generic backend can be used for outputting events to STDOUT + [gcp] # GCP section is applicable only when GCP backend is enabled in the [main] section. diff --git a/config/defaults.ini b/config/defaults.ini index f073736..890f20c 100644 --- a/config/defaults.ini +++ b/config/defaults.ini @@ -20,6 +20,9 @@ application_id = fig-default-app-id reconnect_retry_count = 36 rtr_quarantine_keyword = infected +[generic] +# Uses client_id and client_secret from [falcon] section + [gcp] # Use GOOGLE_APPLICATION_CREDENTIALS env variable diff --git a/fig/backends/__init__.py b/fig/backends/__init__.py index 2a81d93..c1ffad3 100644 --- a/fig/backends/__init__.py +++ b/fig/backends/__init__.py @@ -5,6 +5,7 @@ from . import gcp from . import workspaceone from . import cloudtrail_lake +from . import generic from ..config import config from ..log import log @@ -16,7 +17,8 @@ 'GCP': gcp, 'WORKSPACEONE': workspaceone, 'CHRONICLE': chronicle, - 'CLOUDTRAIL_LAKE': cloudtrail_lake + 'CLOUDTRAIL_LAKE': cloudtrail_lake, + 'GENERIC': generic } diff --git a/fig/backends/generic/README.md b/fig/backends/generic/README.md new file mode 100644 index 0000000..5a1d025 --- /dev/null +++ b/fig/backends/generic/README.md 
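Review bot: The comment added under `[generic]` in config/defaults.ini, `# Uses client_id and client_secret from [falcon] section`, reads as if this backend consumes the Falcon API credentials, but the backend's `Runtime` in this patch never reads any configuration — it only logs events. The `[falcon]` credentials are presumably consumed by the gateway core regardless of which backend is enabled, so the comment is misleading about where the secrets are used. I'd replace it with `# No backend-specific settings; the generic backend only writes received events to the log`. The same wording should be mirrored in the `[generic]` comment block of config/config.ini in this patch so the two files agree.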
@@ -0,0 +1,31 @@ +# Generic Backend + +Generic backend is useful for testing and development purposes. It is not recommended for production use. + +## Example Configuration file + +[config/config.ini](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/config/config.ini) configures Falcon Integration Gateway. Below is a minimal configuration example for GENERIC backend: + +```terminal +[main] +# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below +backends=GENERIC +``` + +## Developer Guide + +1. Build the image + + ```shell + docker build . -t falcon-integration-gateway + ``` + +1. Run the application + + ```shell + docker run -it --rm \ + -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \ + -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \ + -e FALCON_CLOUD_REGION="us-1" \ + falcon-integration-gateway:latest + ``` diff --git a/fig/backends/generic/__init__.py b/fig/backends/generic/__init__.py new file mode 100644 index 0000000..2a3ef64 --- /dev/null +++ b/fig/backends/generic/__init__.py @@ -0,0 +1,17 @@ +from ...log import log + +class Runtime(): + RELEVANT_EVENT_TYPES = "ALL" + + def __init__(self): + log.info("GENERIC Backend is enabled.") + + def is_relevant(self, falcon_event): + return True + + def process(self, falcon_event): + # Used to display falcon_evnts in the console + log.info(falcon_event.original_event) + + +__all__ = ['Runtime'] diff --git a/fig/config/__init__.py b/fig/config/__init__.py index 46f9100..578da88 100644 --- a/fig/config/__init__.py +++ b/fig/config/__init__.py @@ -4,7 +4,7 @@ class FigConfig(configparser.SafeConfigParser): - ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE'} + ALL_BACKENDS = {'AWS', 'AWS_SQS', 'AZURE', 'GCP', 'WORKSPACEONE', 'CHRONICLE', 'CLOUDTRAIL_LAKE', 'GENERIC'} FALCON_CLOUD_REGIONS = {'us-1', 'us-2', 'eu-1', 'us-gov-1'} SENSOR_RECOGNIZED_CLOUDS = {'AWS', 'Azure', 'GCP', 'unrecognized'} ENV_DEFAULTS = [
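Review bot: `Runtime.process` writes the entire raw Falcon event (`falcon_event.original_event`) at INFO level, so every field of the event — which can include hostnames, user names and other host telemetry — ends up in whatever sink the shared `log` handler feeds; the new README labels the backend non-production, but the code carries no such warning. I'd add `# Emits the full raw event; it may carry sensitive host/user data, so dev/debug use only` above the call, and pass the event as a lazy argument, `log.info("%s", falcon_event.original_event)`, rather than handing a non-string object as the message. The existing comment also has a typo, `falcon_evnts` for `falcon_events`. Whether `RELEVANT_EVENT_TYPES = "ALL"` is the sentinel the dispatcher expects is not visible in this hunk; worth confirming against how the other backends declare it.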