CrowdStrike to Chronicle Intel Bridge forwards CrowdStrike Falcon Intelligence Indicators to Chronicle.
- Create a new API key pair at CrowdStrike Falcon. This key pair will be used to read Falcon Intelligence indicators and supplementary information from CrowdStrike Falcon.
  Make sure only the following permissions are assigned to the key pair:
  - Indicators (Falcon Intelligence): READ
- Obtain the Chronicle Service Account file. Your Chronicle Support representative will provide you with the Chronicle Customer ID and the Service Account JSON file.
- Run the bridge application (the service account file is mounted at the same path that `GOOGLE_APPLICATION_CREDENTIALS` points to inside the container):

  ```
  docker run -it --rm \
    -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
    -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
    -e FALCON_CLOUD="$FALCON_CLOUD" \
    -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID" \
    -e GOOGLE_APPLICATION_CREDENTIALS=/gcloud/sa.json \
    -v ~/my/path/to/service/account/file/sa.json:/gcloud/sa.json \
    quay.io/crowdstrike/chronicle-intel-bridge:latest
  ```
To run the bridge from a local build with a custom configuration file:

- Consult the configuration file template for the available configuration options
- Modify the template to suit your needs
- Mount the configuration file into the container (use an absolute host path; a bare relative name such as `config.ini` is interpreted by Docker as a named volume rather than a bind mount):

  ```
  -v "$(pwd)/config.ini:/ccib/config.ini"
  ```
- Build the container

  ```
  docker build . -t ccib:latest
  ```
- Run the Bridge

  ```
  docker run -it --rm \
    -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
    -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
    -e FALCON_CLOUD="$FALCON_CLOUD" \
    -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID" \
    -e GOOGLE_APPLICATION_CREDENTIALS=/gcloud/sa.json \
    -v ~/my/path/to/service/account/file/sa.json:/gcloud/sa.json \
    -v "$(pwd)/config.ini:/ccib/config.ini" \
    ccib:latest
  ```
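Both launch procedures above depend on the same four environment variables and on the service account file being mounted exactly where `GOOGLE_APPLICATION_CREDENTIALS` points. The following preflight script is an added example, not part of the project: it checks that every credential is present and that the JSON file really is a service account key before anything is started, and it assembles the `docker run` line with the secrets passed by reference (`-e NAME` without a value, which Docker fills from the calling environment) so they do not appear in shell history or `ps` output. The image tag and the container paths `/gcloud/sa.json` and `/ccib/config.ini` are taken from the README; the function names and the sample values in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example (not project code): preflight check and command builder for
# the CrowdStrike to Chronicle Intel Bridge container.

# Verify that everything the container needs is present. Arguments:
#   $1  host path to the Chronicle service account JSON file
#   $2  optional host path to config.ini ("" to run with defaults)
# Returns 0 when all checks pass, 1 otherwise (every problem is reported).
ccib_preflight() {
    sa_file="$1"
    config_file="$2"
    rc=0
    # The bridge reads these four variables; an empty one fails fast here
    # instead of as an authentication error inside the container.
    for var in FALCON_CLIENT_ID FALCON_CLIENT_SECRET FALCON_CLOUD CHRONICLE_CUSTOMER_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "preflight: $var is not set" >&2
            rc=1
        fi
    done
    if [ ! -f "$sa_file" ]; then
        echo "preflight: service account file not found: $sa_file" >&2
        rc=1
    elif ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$sa_file"; then
        # A user credential or an unrelated JSON file would be rejected by the
        # Google client library much later; catch it now.
        echo "preflight: $sa_file is not a service account key" >&2
        rc=1
    fi
    if [ -n "$config_file" ] && [ ! -f "$config_file" ]; then
        echo "preflight: config file not found: $config_file" >&2
        rc=1
    fi
    return $rc
}

# Print the docker run command line. Arguments: $1 and $2 as above,
# $3 optional image (defaults to the published image from the README).
# The service account file is mounted read-only at the path named in
# GOOGLE_APPLICATION_CREDENTIALS, and the secrets are passed with "-e NAME"
# so their values are not part of the command line.
ccib_docker_cmd() {
    sa_file="$1"
    config_file="$2"
    image="${3:-quay.io/crowdstrike/chronicle-intel-bridge:latest}"
    cmd="docker run -it --rm"
    cmd="$cmd -e FALCON_CLIENT_ID -e FALCON_CLIENT_SECRET -e FALCON_CLOUD -e CHRONICLE_CUSTOMER_ID"
    cmd="$cmd -e GOOGLE_APPLICATION_CREDENTIALS=/gcloud/sa.json"
    cmd="$cmd -v $sa_file:/gcloud/sa.json:ro"
    if [ -n "$config_file" ]; then
        cmd="$cmd -v $config_file:/ccib/config.ini:ro"
    fi
    echo "$cmd $image"
}

# Usage (constructed sample; uncomment to launch):
#   export FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... FALCON_CLOUD=us-1 CHRONICLE_CUSTOMER_ID=...
#   ccib_preflight "$HOME/sa.json" "$PWD/config.ini" \
#     && eval "$(ccib_docker_cmd "$HOME/sa.json" "$PWD/config.ini")"
```

Source the file and run the two functions together as in the usage comment; pass a third argument such as `ccib:latest` to `ccib_docker_cmd` to launch a locally built image instead of the published one.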
This project is a community-driven, open source project designed to forward CrowdStrike Falcon Intelligence Indicators to Chronicle.
While not a formal CrowdStrike product, this project is maintained by CrowdStrike and supported in partnership with the open source developer community.
For additional support, please see the SUPPORT file.