-
Notifications
You must be signed in to change notification settings - Fork 17
/
config.ini
122 lines (88 loc) · 4.62 KB
/
config.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# Falcon Integration Gateway
[main]
# Uncomment to enable backends. Alternatively, use FIG_BACKENDS env variable.
# The gateway will push events to the cloud providers specified below
#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC
# Uncomment to configure number of threads that process Falcon Events. Alternatively,
# use FIG_WORKER_THREADS env variable.
#worker_threads = 4
[events]
# Uncomment to filter out events based on severity (allowed values 1-5, default 2).
# Alternatively, use EVENTS_SEVERITY_THRESHOLD env variable.
#severity_threshold = 3
# Uncomment to filter out events based on number of days past the event (default 21).
# Alternatively, use EVENTS_OLDER_THAN_DAYS_THRESHOLD env variable.
#older_than_days_threshold = 14
# Exclude events originating from certain cloud environments (AWS, Azure, GCP, or unrecognized)
# detections_exclude_clouds =
# Pass in the offset to start the stream from. This is useful to prevent duplicate events.
# Alternatively, use EVENTS_OFFSET env variable. (default: 0)
#offset = 0
[logging]
# Uncomment to request logging level (ERROR, WARN, INFO, DEBUG). Alternatively, use
# LOG_LEVEL env variable.
#level = DEBUG
[falcon]
# Uncomment to provide Falcon Cloud. Alternatively, use FALCON_CLOUD_REGION env variable.
#cloud_region = us-1
# Uncomment to provide OAuth Secret. Alternatively, use FALCON_CLIENT_ID env variable.
#client_id = ABCD
# Uncomment to provide OAuth Secret. Alternatively, use FALCON_CLIENT_SECRET env variable.
#client_secret = ABCD
# Uncomment to provide application id. Needs to be different per each fig instance.
# Alternatively, use FALCON_APPLICATION_ID env variable.
#application_id = my-acme-gcp-1
[generic]
# Generic section is applicable only when GENERIC backend is enabled in the [main] section.
# Generic backend can be used for outputting events to STDOUT
[gcp]
# GCP section is applicable only when GCP backend is enabled in the [main] section.
# Use GOOGLE_APPLICATION_CREDENTIALS env variable to configure GCP Backend. GOOGLE_APPLICATION_CREDENTIALS
# is an environment variable used to configure GCP Service accounts, it should point out to the credentials
# file for given service account.
[azure]
# Azure section is applicable only when AZURE backend is enabled in the [main] section.
# Uncomment to provide Azure Workspace ID. Alternatively, use WORKSPACE_ID env variable.
#workspace_id =
# Uncomment to provide Azure Primary Key. Alternatively, use PRIMARY_KEY env variable.
#primary_key =
# Uncomment to enable RTR based auto discovery of Azure Arc Systems. Alternatively,
# use ARC_AUTODISCOVERY env variable.
#arc_autodiscovery = true
[aws]
# AWS section is applicable only when AWS backend is enabled in the [main] section.
# Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
#region = eu-west-1
# Uncomment to manage whether or not to confirm instance in AWS account supported region.
# Alternatively, use AWS_CONFIRM_INSTANCE env variable.
#confirm_instance = true
[cloudtrail_lake]
# AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
# Uncomment to provide the Channel ARN. Alternatively, use CLOUDTRAIL_LAKE_CHANNEL_ARN env variable.
#channel_arn =
# Uncomment to provide the AWS region. Should match the same region as the Channel.
# Alternatively, use CLOUDTRAIL_LAKE_REGION env variable.
#region =
[aws_sqs]
# AWS SQS section is applicable only when AWS backend is enabled in the [main] section.
# AWS SQS Backend publishes raw events to SQS queue
# Uncomment to provide AWS region. Alternatively, use AWS_REGION env variable
#region = eu-west-1
# Uncomment to provide name of AWS SQS. Alternatively, use AWS_SQS env variable
#sqs_queue_name = my-sqs-queue-for-falcon
[workspaceone]
# Workspace One section is applicable only when Workspace One backend is enabled in the [main] section.
# Uncomment to provide Workspace One token. Alternatively, use WORKSPACEONE_TOKEN env variable
#token =
# Uncomment to provide syslog host. Alternatively, use SYSLOG_HOST env variable
#syslog_host =
# Uncomment to provide syslog port. Alternatively, use SYSLOG_PORT env variable
#syslog_port =
[chronicle]
# Chronicle section is applicable only when Chronicle backend is enabled in the [main] section
# Uncomment to provide Google Service Account filepath. Alternatively, use GOOGLE_SERVICE_ACCOUNT_FILE variable
#service_account = apikeys-demo.json
# Uncomment to provide Chronicle Customer ID. Alternatively, use GOOGLE_CUSTOMER_ID variable
#customer_id = XXX
# Uncomment to provide Chronicle region (us, europe, asia-southeast1). Alternatively, use CHRONICLE_REGION variable
#region =