CrowdStrike · redhatrises · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024
diff --git a/helm-charts/falcon-integration-gateway/Chart.yaml b/helm-charts/falcon-integration-gateway/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm-charts/falcon-integration-gateway/README.md b/helm-charts/falcon-integration-gateway/README.md
@@ -15,24 +15,39 @@ The following tables lists the Falcon Sensor configurable parameters and their d
 
 | Parameter                                              | Description                                            | Default                    |
 | :----------------------------------------------------- | :----------------------------------------------------- | :------------------------- |
-| `falcon.client_id`                                     | CrowdStrike API Client ID                              | None       (Required)      |
-| `falcon.client_secret`                                 | CrowdStrike API Client Secret                          | None       (Required)      |
+| `falcon.client_id`                                     | CrowdStrike API Client ID                              | None                       |
+| `falcon.client_secret`                                 | CrowdStrike API Client Secret                          | None                       |
 | `falcon.cloud_region`                                  | CrowdStrike Cloud Region (us-1, us-2, eu-1, us-gov-1)  | None       (Required)      |
+| `falcon.existingSecret`                                | Existing k8s secret name containing the above values   | None                       |
+| `credentials_store.store`                              | Use valid credentials store (ssm, secrets_manager)     | None                       |
+| `credentials_store.ssm.region`                         | AWS region for SSM                                     | None                       |
+| `credentials_store.ssm.client_id`                      | SSM parameter name for client_id                       | None                       |
+| `credentials_store.ssm.client_secret`                  | SSM parameter name for client_secret                   | None                       |
+| `credentials_store.secrets_manager.region`             | AWS region for Secrets Manager                         | None                       |
+| `credentials_store.secrets_manager.secret_name`        | Secrets Manager secret name                            | None                       |
+| `credentials_store.secrets_manager.client_id_key`      | Secrets Manager key for client_id                      | None                       |
+| `credentials_store.secrets_manager.client_secret_key`  | Secrets Manager key for client_secret                  | None                       |
 | `falcon.integration_gateway.application_id`            | Unique string for each FIG instance within your CID    | helm-chart-default         |
 | `falcon.integration_gateway.level`                     | Logging level (ERROR, WARN, INFO, DEBUG)               | INFO                       |
 | `falcon.integration_gateway.severity_threshold`        | Filter events based on severity (1-5)                  | 2                          |
-| `falcon.integration_gateway.older_than_days_threshold` | Filter events based on age in days                     | 14                         |
+| `falcon.integration_gateway.older_than_days_threshold` | Filter events based on age in days                     | 21                         |
 | `falcon.integration_gateway.detections_exclude_clouds` | Exclude events based on cloud origination              | None                       |
 | `falcon.integration_gateway.worker_threads`            | Number of FIG application threads to process events    | 4                          |
+| `falcon.integration_gateway.offset`                    | Offset number to start the stream from                 | 0                          |
 | `push.aws_security_hub.enabled`                        | Enable event forwarding to AWS Security Hub            | `false`                    |
 | `push.aws_security_hub.region`                         | AWS Region                                             | None                       |
+| `push.aws_security_hub.confirm_instance`               | Confirm instance in AWS account supported region       | `true`                     |
+| `push.aws_sqs.enabled`                                 | Enable event forwarding to AWS SQS                     | `false`                    |
+| `push.aws_sqs.region`                                  | AWS Region                                             | None                       |
+| `push.aws_sqs.sqs_queue_name`                          | AWS SQS Queue Name                                     | None                       |
 | `push.azure_log_analytics.enabled`                     | Enable event forwarding to Azure Log Analytics         | `false`                    |
 | `push.azure_log_analytics.workspace_id`                |                                                        | None                       |
 | `push.azure_log_analytics.primary_key`                 |                                                        | None                       |
 | `push.azure_log_analytics.arc_autodiscovery`           |                                                        | `false`                    |
 | `push.chronicle.enabled`                               | Enable event forwarding to Google Chronicle            | `false`                    |
-| `push.chronicle.region`                                |                                                        | None                       |
-| `push.chronicle.security_key`                          |                                                        | None                       |
+| `push.chronicle.region`                                | Google Cloud Chronicle Region                          | None                       |
+| `push.chronicle.service_account`                       | Google Cloud Service Account                           | None                       |
+| `push.chronicle.customer_id`                           | Google Chronicle Customer ID                           | None                       |
 | `push.cloudtrail_lake.enabled`                         | Enable event forwarding to AWS CloudTrail Lake         | `false`                    |
 | `push.cloudtrail_lake.channel_arn`                     | CloudTrail Lake Channel for sending events             | None                       |
 | `push.cloudtrail_lake.region`                          | AWS Region                                             | None                       |
@@ -41,11 +56,10 @@ The following tables lists the Falcon Sensor configurable parameters and their d
 | `push.vmware_workspace_one.syslog_host`                |                                                        | None                       |
 | `push.vmware_workspace_one.syslog_port`                |                                                        | None                       |
 | `push.vmware_workspace_one.token`                      |                                                        | None                       |
+| `push.generic.enabled`                                 | Enable event forwarding to stdout (debugging)          | `false`                    |
 | `serviceAccount.annotations`                           | Annotations for serviceAccount                         | `{}`                       |
 
-## Installation
-
-### API Scopes
+## API Scopes
 
 - Obtain OAuth2 API credentials for CrowdStrike Falcon
   - Navigate to [API Clients and Keys](https://falcon.crowdstrike.com/support/api-clients-and-keys) within CrowdStrike Falcon platform.
@@ -56,6 +70,77 @@ The following tables lists the Falcon Sensor configurable parameters and their d
 
 > ***Consult the [backend](https://github.com/CrowdStrike/falcon-integration-gateway/tree/main#backends-w-available-deployment-guides) guides for additional API scopes that may be required.***
 
+## Authentication
+
+FIG requires the authentication of an API client ID and client secret, along with its associated cloud region, to establish a connection with the CrowdStrike API.
+
+FIG supports auto-discovery of the Falcon cloud region. If you do not specify a cloud region, FIG will attempt to auto-discover the cloud region based on the API client ID and client secret provided.
+
+> [!IMPORTANT]
+> Auto-discovery is only available for [us-1, us-2, eu-1] regions.
+
+Below are a few examples of how to provide the Falcon API credentials to the FIG helm chart.
+
+### Via values.yaml
+
+#### Example declaring the Falcon API credentials directly
+
+```yaml
+falcon:
+   client_id: "YOUR_FALCON_CLIENT_ID"
+   client_secret: "YOUR FALCON_CLIENT_SECRET"
+   cloud_region: "us-1"
+```
+
+#### Example using AWS Secrets Manager
+
+```yaml
+falcon:
+   cloud_region: "us-1"
+   credentials_store:
+      store: "secrets_manager"
+      secrets_manager:
+         region: "us-west-2"
+         secret_name: "falcon-k8s-secret"
+         client_id_key: "client_id"
+         client_secret_key: "client_secret"
+```
+
+#### Example using an existing k8s secret
+
+```yaml
+falcon:
+   existingSecret: "falcon-k8s-secret"
+```
+
+### Via Helm CLI
+
+You can also use the helm CLI to provide the Falcon API credentials.
+
+#### Example specifying the Falcon API credentials directly
+
+```bash
+helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
+     --set falcon.client_id=$FALCON_CLIENT_ID \
+     --set falcon.client_secret=$FALCON_CLIENT_SECRET \
+     --set falcon.cloud_region=$FALCON_CLOUD
+     ...
+```
+
+#### Example using AWS SSM parameter store as the credentials store
+
+```bash
+helm upgrade --install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
+     --set falcon.cloud_region=$FALCON_CLOUD \
+     --set credentials_store.store="ssm" \
+     --set credentials_store.ssm.region="us-east-2" \
+     --set credentials_store.ssm.client_id="/falcon/fig/client_id" \
+     --set credentials_store.ssm.client_secret="/falcon/fig/client_secret"
+     ...
+```
+
+## Installation
+
 ### Helm Chart
 
 The helm chart is under active development. Contributors are welcomed to install either directly from the git repository or from the helm repository.