AWS and CrowdStrike teamed to deliver this integration for AWS CloudTrail Lake that allows you to simplify and streamline the process of consolidating user activity data from CrowdStrike Falcon. With this integration, you gain unparalleled visibility into all user-relevant security activity within the Falcon console, including user creation, deletion, or modification, role changes, and authentication failures.
This integration provides CrowdStrike Falcon and AWS CloudTrail Lake consumers the ability to log and store user activity data from CrowdStrike Falcon using AWS CloudTrail Open Audit Events. This is accomplished by tapping into the CrowdStrike Falcon event-stream API, watching for relevant user activity events, and then publishing these events to AWS CloudTrail Lake.
The AWS CloudTrail Lake integration consists of the following components:
- The Falcon Integration Gateway Python application, used for ingesting events from the CrowdStrike API. This application is commonly referred to as the FIG.
- AWS SSM Parameter Store. This is used to keep track of event offsets with the `last_seen_offsets` parameter. This parameter will be created for you and is used to prevent sending duplicate events.
- AWS CloudTrail Lake Event Data Store(s). The FIG requires a Channel ARN in order to route the events to the correct EDS.
- The FIG application fetches the `last_seen_offsets` SSM parameter to ensure duplicate events aren't sent. The FIG then contacts the CrowdStrike Falcon API to request a list of available event streams. If the `last_seen_offsets` SSM parameter does not exist, it will be created the first time the FIG is run.
- A connection is opened to each available event stream. As new events are received within CrowdStrike, they are published to the event stream and then consumed by the FIG application.
- The FIG application:
  - Filters events as they are received. Only events designated as user activity data are passed through.
  - Transforms events into the AWS CloudTrail Open Audit Events schema.
  - Publishes transformed events into AWS CloudTrail Lake. The destination is determined by the Channel resource created together with an Event Data Store in AWS CloudTrail Lake.
- As events are successfully published to CloudTrail Lake, the FIG updates the `last_seen_offsets` SSM parameter.
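The pipeline described above (fetch offsets, filter, transform, publish, advance offsets) can be modelled end to end in a few functions. The block below is an added example and not code from the FIG project: in-memory dicts stand in for the `last_seen_offsets` SSM parameter and for the CloudTrail Lake channel, the sample events are constructed with a shape modelled on Falcon event-stream JSON (`metadata.offset`, `metadata.eventType`, `event.OperationName`), and the Open Audit Event fields emitted are the schema's core fields (`version`, `userIdentity`, `eventSource`, `eventName`, `eventTime`, `UID`); the exact mapping the FIG uses is not shown on this page and is assumed here. Nothing in the block calls AWS or CrowdStrike.

```python
import hashlib
import json
from datetime import datetime, timezone

# Event types the user-activity filter lets through (the type named in the FIG log output).
USER_ACTIVITY_TYPES = {"AuthActivityAuditEvent"}

# Constructed sample events from one stream feed (feed 0), in offset order.
# The shape is modelled on Falcon event-stream JSON and is an assumption of this example.
SAMPLE_EVENTS = [
    {"metadata": {"offset": 42593, "eventType": "AuthActivityAuditEvent",
                  "eventCreationTime": 1674782683000},
     "event": {"UserId": "analyst@example.com", "UserIp": "198.51.100.7",
               "OperationName": "userAuthenticate", "Success": True}},
    {"metadata": {"offset": 42594, "eventType": "DetectionSummaryEvent",
                  "eventCreationTime": 1674782683100},
     "event": {"DetectName": "not user activity, filtered out"}},
    {"metadata": {"offset": 42596, "eventType": "AuthActivityAuditEvent",
                  "eventCreationTime": 1674782683200},
     "event": {"UserId": "analyst@example.com", "UserIp": "198.51.100.7",
               "OperationName": "twoFactorAuthenticate", "Success": False}},
]


def is_user_activity(event):
    """Filter step: only user-activity event types pass through."""
    return event["metadata"].get("eventType") in USER_ACTIVITY_TYPES


def to_audit_event(feed_id, event):
    """Transform step: shape a Falcon event into a PutAuditEvents entry.

    The field set is modelled on the Open Audit Events schema's core fields;
    the mapping is this example's assumption, not the FIG's own.
    """
    meta, body = event["metadata"], event["event"]
    event_id = f"{feed_id}_{meta['offset']}"  # same <feed>_<offset> ID form the FIG logs
    when = datetime.fromtimestamp(meta["eventCreationTime"] / 1000, tz=timezone.utc)
    event_data = {
        "version": "1.0",
        "userIdentity": {"type": "CrowdStrikeUser",
                         "principalId": body.get("UserId", "unknown")},
        "eventSource": "CrowdStrike Falcon",
        "eventName": body.get("OperationName", meta["eventType"]),
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "UID": event_id,
        "sourceIPAddress": body.get("UserIp"),
        "additionalEventData": {"success": body.get("Success")},
    }
    payload = json.dumps(event_data, separators=(",", ":"), sort_keys=True)
    # PutAuditEvents expects a SHA-256 hex digest of the eventData string.
    return {"id": event_id, "eventData": payload,
            "eventDataChecksum": hashlib.sha256(payload.encode()).hexdigest()}


def process_stream(feed_id, events, last_seen_offsets, channel):
    """Run filter -> transform -> publish for one feed; returns the published IDs.

    `last_seen_offsets` stands in for the SSM parameter and `channel` for the
    CloudTrail Lake channel (a list that the 'publish' step appends to).
    """
    published = []
    last = last_seen_offsets.get(str(feed_id), -1)
    for ev in events:
        offset = ev["metadata"]["offset"]
        if offset <= last:            # already published before a restart: skip it
            continue
        if not is_user_activity(ev):  # filter step
            continue
        channel.append(to_audit_event(feed_id, ev))  # stand-in for cloudtrail-data:PutAuditEvents
        published.append(f"{feed_id}_{offset}")
        last_seen_offsets[str(feed_id)] = offset     # stand-in for ssm:PutParameter
        last = offset
    return published


def published_event_names(channel):
    """Decode the eventData of what was 'published', for verification."""
    return [json.loads(entry["eventData"])["eventName"] for entry in channel]


if __name__ == "__main__":
    offsets, channel = {}, []
    print(process_stream(0, SAMPLE_EVENTS, offsets, channel), offsets)
    print(process_stream(0, SAMPLE_EVENTS, offsets, channel))  # a second pass re-sends nothing
```

The second call to `process_stream` models a FIG restart: because the offset was persisted after each successful publish, every event at or below it is skipped and no duplicate reaches the channel.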
- Have a current CrowdStrike subscription
- Have appropriate AWS permissions to run CloudFormation and create resources
- Have the Channel ARN from the CrowdStrike Partner Integration in AWS CloudTrail Lake. This sets up the Channel used to ingest events.
- Have a CrowdStrike API key pair. This key pair will be used to read Falcon events and supplementary information from CrowdStrike Falcon. If you need to create a new API key pair, review our docs: CrowdStrike Falcon. Make sure to assign only the following permissions to the key pair:
  - Event streams: READ
The quickest deployment option is to deploy the Falcon Integration Gateway application via AWS ECS. With one CloudFormation template, we can take advantage of the serverless architecture via ECS Fargate to run our containerized application.
For more ways to deploy the FIG, see Other Deployment Options below.
⚠️ Skip this step if you already have your API credentials stored in AWS Secrets Manager. Retrieve and save the Secret ARN for later use.
It's important to safeguard the API credentials used to authenticate to the Falcon platform. By leveraging AWS Secrets Manager, we can ensure our credentials are safely stored.
For more information on AWS Secrets Manager, see AWS Secrets Manager.
The example workflow below uses the following values, but you can use your own:
- Secret Name: `falcon-fig-api`
- Key Name for Client ID: `client_id`
- Key Name for Client Secret: `client_secret`

- Navigate to the AWS Secrets Manager console.
- Select Store a new secret
- Select Other type of secrets
- Under Key/Value, enter the following:
  - Key: `client_id`, Value: `<Falcon Client ID>`
  - Key: `client_secret`, Value: `<Falcon Client Secret>`
- Select Next
- Under Configure secret, enter the following:
  - Secret name: `falcon-fig-api`
  - Description: `Falcon API Credentials`
- Select Next
- Select Next
- Select Store
- Select the recently created secret
- Copy and save the Secret ARN for later use
Download the CloudFormation template: right click the template link and choose Save Link As...
❗ Ensure you save the file with .yaml or .yml extension
The template takes the following parameters:
- VPC ID: VPC where to run the FIG container
- Subnet ID: The Subnet ID where the FIG will be deployed
- Falcon API Secrets Manager secrets ARN: The ARN of the AWS Secrets Manager secret containing the Falcon API credentials created in Step 1.2
- Falcon API Client ID Key: The key name for the Falcon API Client ID
- Falcon API Client Secret Key: The key name for the Falcon API Client Secret
- CloudTrail Lake Channel ARN: The ARN of the CloudTrail Lake Channel created in the CrowdStrike Partner Integration
- CloudTrail Lake Region: The region where the CloudTrail Lake Channel was created
- Navigate to the AWS CloudFormation console.
- Ensure you are in the correct region
❗ CloudFormation is a regional service. This should be the region where your VPC/Subnet and Secrets Manager secret are located.
- Select Create stack
- Select With new resources (standard)
- Select Upload a template file
- Select Choose file and select the CloudFormation template you downloaded in Step 2
- Select Next
- Give the stack a name and fill out the parameters with your appropriate values
- Select Next
- Select Next
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Select Submit
This will take a few minutes to deploy. You can monitor the progress in the CloudFormation console.
From the CloudFormation console, you can view the status of the stack deployment. Once the stack is in a CREATE_COMPLETE state, we can take advantage of the CloudWatch logs set by ECS to verify the FIG is running successfully.
- In the AWS CloudFormation console, select the stack you just created.
- Select the Outputs tab
- Copy and save the `FIGLakeLogGroup` value
- Navigate to the AWS CloudWatch console.
- Select Logs -> Log groups
- Paste the `FIGLakeLogGroup` value from the CloudFormation Outputs into the search bar and select the log group
- Under Log streams, select the most recent log stream
A successful deployment will have a similar log output:
| timestamp | message |
|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1674782681224 | 2023-01-27 01:24:41 fig MainThread INFO AWS CloudTrail Lake Backend is enabled. |
| 1674782681809 | 2023-01-27 01:24:41 fig MainThread INFO SSM parameter last_seen_offsets does not exist. Creating... |
| 1674782681907 | 2023-01-27 01:24:41 fig MainThread INFO Enabled backends will only process events with types: {'AuthActivityAuditEvent'} |
| 1674782682522 | 2023-01-27 01:24:42 fig cs_stream INFO Opening Streaming Connection |
| 1674782682882 | 2023-01-27 01:24:42 fig cs_stream INFO Established Streaming Connection: 200 OK |
| 1674782683429 | 2023-01-27 01:24:43 fig worker-2 INFO Processing user activity event: userAuthenticate ID: 0_42593 |
| 1674782683430 | 2023-01-27 01:24:43 fig worker-3 INFO Processing user activity event: userAuthenticate ID: 0_42594 |
| 1674782683431 | 2023-01-27 01:24:43 fig worker-0 INFO Processing user activity event: userAuthenticate ID: 0_42595 |
| 1674782683432 | 2023-01-27 01:24:43 fig worker-1 INFO Processing user activity event: twoFactorAuthenticate ID: 0_42596 |
| 1674782684119 | 2023-01-27 01:24:44 fig worker-1 INFO Successfully sent event ID: 0_42596 to CloudTrail Lake. (Request ID: 7e576b02-df2b-46c7-9a33-b288c93813a3) |
| 1674782684212 | 2023-01-27 01:24:44 fig worker-0 INFO Successfully sent event ID: 0_42595 to CloudTrail Lake. (Request ID: a3909162-f47e-4d4d-8e23-eca930a931f3) |
| 1674782684214 | 2023-01-27 01:24:44 fig worker-3 INFO Successfully sent event ID: 0_42594 to CloudTrail Lake. (Request ID: 95f12445-3518-4c1d-9b5c-d5f3350dd5dd) |
| 1674782684216 | 2023-01-27 01:24:44 fig worker-2 INFO Successfully sent event ID: 0_42593 to CloudTrail Lake. (Request ID: 12a1175f-9f44-4d34-9a16-ccf4d959d011) |
| 1674782684217 | 2023-01-27 01:24:44 fig worker-1 INFO Updated last seen offset for stream feed: 0 to: 42596 |
| 1674782684217 | 2023-01-27 01:24:44 fig worker-1 INFO Processing user activity event: twoFactorAuthenticate ID: 0_42599 |
| 1674782684315 | 2023-01-27 01:24:44 fig worker-3 INFO Processing user activity event: userAuthenticate ID: 0_48643 |
| 1674782684499 | 2023-01-27 01:24:44 fig worker-1 INFO Successfully sent event ID: 0_42599 to CloudTrail Lake. (Request ID: 38b97996-de9f-4c8b-aec8-18b9328dd2c3) |
| 1674782684545 | 2023-01-27 01:24:44 fig worker-1 INFO Updated last seen offset for stream feed: 0 to: 42599 |
| 1674782684668 | 2023-01-27 01:24:44 fig worker-3 INFO Successfully sent event ID: 0_48643 to CloudTrail Lake. (Request ID: de4e7646-1897-4995-90fe-9fa3a59e72da) |
| 1674782684726 | 2023-01-27 01:24:44 fig worker-3 INFO Updated last seen offset for stream feed: 0 to: 48643 |
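The sample output above lends itself to an automated health check rather than eyeballing. The block below is an added example and not part of the FIG project: it parses the message column of that log output (copied inline as the sample input), confirms the streaming connection was established, that every event a worker reported processing was also reported as sent, and that the stored offsets only move forward. The health rules are this example's own assumptions about what a successful run looks like, based only on the messages shown on this page.

```python
import re

# The message column of the sample CloudWatch output above, copied verbatim.
SAMPLE_LOG = """\
2023-01-27 01:24:41 fig MainThread INFO AWS CloudTrail Lake Backend is enabled.
2023-01-27 01:24:41 fig MainThread INFO SSM parameter last_seen_offsets does not exist. Creating...
2023-01-27 01:24:41 fig MainThread INFO Enabled backends will only process events with types: {'AuthActivityAuditEvent'}
2023-01-27 01:24:42 fig cs_stream INFO Opening Streaming Connection
2023-01-27 01:24:42 fig cs_stream INFO Established Streaming Connection: 200 OK
2023-01-27 01:24:43 fig worker-2 INFO Processing user activity event: userAuthenticate ID: 0_42593
2023-01-27 01:24:43 fig worker-3 INFO Processing user activity event: userAuthenticate ID: 0_42594
2023-01-27 01:24:43 fig worker-0 INFO Processing user activity event: userAuthenticate ID: 0_42595
2023-01-27 01:24:43 fig worker-1 INFO Processing user activity event: twoFactorAuthenticate ID: 0_42596
2023-01-27 01:24:44 fig worker-1 INFO Successfully sent event ID: 0_42596 to CloudTrail Lake. (Request ID: 7e576b02-df2b-46c7-9a33-b288c93813a3)
2023-01-27 01:24:44 fig worker-0 INFO Successfully sent event ID: 0_42595 to CloudTrail Lake. (Request ID: a3909162-f47e-4d4d-8e23-eca930a931f3)
2023-01-27 01:24:44 fig worker-3 INFO Successfully sent event ID: 0_42594 to CloudTrail Lake. (Request ID: 95f12445-3518-4c1d-9b5c-d5f3350dd5dd)
2023-01-27 01:24:44 fig worker-2 INFO Successfully sent event ID: 0_42593 to CloudTrail Lake. (Request ID: 12a1175f-9f44-4d34-9a16-ccf4d959d011)
2023-01-27 01:24:44 fig worker-1 INFO Updated last seen offset for stream feed: 0 to: 42596
2023-01-27 01:24:44 fig worker-1 INFO Processing user activity event: twoFactorAuthenticate ID: 0_42599
2023-01-27 01:24:44 fig worker-3 INFO Processing user activity event: userAuthenticate ID: 0_48643
2023-01-27 01:24:44 fig worker-1 INFO Successfully sent event ID: 0_42599 to CloudTrail Lake. (Request ID: 38b97996-de9f-4c8b-aec8-18b9328dd2c3)
2023-01-27 01:24:44 fig worker-1 INFO Updated last seen offset for stream feed: 0 to: 42599
2023-01-27 01:24:44 fig worker-3 INFO Successfully sent event ID: 0_48643 to CloudTrail Lake. (Request ID: de4e7646-1897-4995-90fe-9fa3a59e72da)
2023-01-27 01:24:44 fig worker-3 INFO Updated last seen offset for stream feed: 0 to: 48643
"""

# Patterns for the three message kinds that matter for the check.
PROCESSING = re.compile(r"Processing user activity event: (\S+) ID: (\d+_\d+)")
SENT = re.compile(r"Successfully sent event ID: (\d+_\d+) to CloudTrail Lake")
OFFSET = re.compile(r"Updated last seen offset for stream feed: (\d+) to: (\d+)")
CONNECTED = "Established Streaming Connection: 200"


def audit_fig_log(text):
    """Summarise a FIG log: connection state, processed vs sent IDs, offsets, problems."""
    processed, sent, offsets, problems = {}, set(), {}, []
    connected = False
    for line in text.splitlines():
        if CONNECTED in line:
            connected = True
        elif m := PROCESSING.search(line):
            processed[m[2]] = m[1]                      # event ID -> operation name
        elif m := SENT.search(line):
            sent.add(m[1])
        elif m := OFFSET.search(line):
            feed, off = m[1], int(m[2])
            if off < offsets.get(feed, -1):             # offsets must only advance
                problems.append(f"offset for feed {feed} went backwards: {offsets[feed]} -> {off}")
            offsets[feed] = off
        elif " ERROR " in line or " WARNING " in line:   # surface anything non-INFO
            problems.append(line.strip())
    unsent = sorted(set(processed) - sent)
    if not connected:
        problems.append("no streaming connection established")
    return {
        "connected": connected,
        "processed": len(processed),
        "sent": len(sent),
        "unsent": unsent,                               # processed but never confirmed sent
        "final_offsets": offsets,
        "problems": problems,
        "healthy": connected and not unsent and not problems,
    }


if __name__ == "__main__":
    for key, value in audit_fig_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a live log stream the most recent "Processing" lines may not yet have a matching "Successfully sent" line, so treat a short `unsent` list at the very end of a window as in-flight rather than failed; a growing list, or a stalled `final_offsets`, is the signal worth paging on.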
In order to use this integration with other deployment options, create an IAM Managed Policy that grants the FIG application access to the SSM Parameter Store and the ability to send events to the CloudTrail Lake Channel ARN.
Below are 2 ways to accomplish this:
- Launch a CloudFormation stack using the CloudFormation template. The Policy ARN is an output.
- Or, manually create a Managed Policy with the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "cloudtrail-data:PutAuditEvents",
      "Resource": "<Channel ARN>",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:PutParameter",
        "ssm:GetParameter"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Make note of the Policy ARN after the policy is created.
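Before attaching a hand-written policy it is worth checking it grants exactly the three actions above and nothing broader. The block below is an added example, not from the FIG project: it reviews a policy document against that required set, flags a `PutAuditEvents` grant that is not scoped to the Channel ARN, and flags the SSM statement when its `Resource` is `*` (the document's policy leaves it that way; the FIG only needs the `last_seen_offsets` parameter). The channel ARN, account ID and parameter ARN are constructed placeholders, and the required-action set is taken from the policy on this page rather than from an official list.

```python
import json

# The three actions the FIG needs, taken from the managed policy in the document.
REQUIRED_ACTIONS = {"cloudtrail-data:PutAuditEvents", "ssm:GetParameter", "ssm:PutParameter"}

# Constructed placeholders: not real resources.
CHANNEL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:channel/EXAMPLE-CHANNEL-ID"
PARAMETER_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/last_seen_offsets"

# The managed policy as written in the document, with the placeholder channel ARN filled in.
POLICY_FROM_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "cloudtrail-data:PutAuditEvents", "Resource": CHANNEL_ARN, "Effect": "Allow"},
        {"Action": ["ssm:PutParameter", "ssm:GetParameter"], "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy_json, channel_arn):
    """Return (missing, extra, findings).

    missing:  required actions the policy does not grant
    extra:    granted actions outside the required set
    findings: over-broad statements worth tightening
    """
    doc = json.loads(policy_json)
    granted, findings = set(), []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        granted.update(actions)
        if any(a.endswith("*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if "cloudtrail-data:PutAuditEvents" in actions and channel_arn not in resources:
            findings.append(f"statement {i}: PutAuditEvents is not scoped to the channel ARN")
        if any(a.startswith("ssm:") for a in actions) and "*" in resources:
            findings.append(f"statement {i}: SSM actions on Resource '*'; scope to the parameter ARN")
    return sorted(REQUIRED_ACTIONS - granted), sorted(granted - REQUIRED_ACTIONS), findings


def tightened_policy(channel_arn, parameter_arn):
    """Same grants as the document's policy, with SSM scoped to the offsets parameter."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "cloudtrail-data:PutAuditEvents",
             "Resource": channel_arn},
            {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:PutParameter"],
             "Resource": parameter_arn},
        ],
    }, indent=2)


if __name__ == "__main__":
    print("document policy:", review_policy(POLICY_FROM_DOC, CHANNEL_ARN))
    print("tightened policy:", review_policy(tightened_policy(CHANNEL_ARN, PARAMETER_ARN), CHANNEL_ARN))
```

The parameter ARN form `arn:aws:ssm:<region>:<account>:parameter/<name>` is the standard SSM resource ARN; substitute the region and account where the FIG runs.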
Regardless of which deployment method you choose, the following values should be known ahead of time:
- Falcon API Credentials:
  - Falcon Client ID
  - Falcon Client Secret
  - Falcon Client Region
- CloudTrail Lake:
  - Channel ARN
  - AWS Region associated with the Channel
  - Policy ARN
Prior to Deployment, please familiarize yourself with the available FIG Configuration options.
Deploy FIG on EKS with Helm chart or Kube spec
Deploy FIG via Docker