-
Notifications
You must be signed in to change notification settings - Fork 19
/
falcon_data_replicator.ini
88 lines (87 loc) · 4.06 KB
/
falcon_data_replicator.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# ____ __ ___ __ ___ ___ __
# / __/__ _/ /______ ___ / _ \___ _/ /____ _ / _ \___ ___ / (_)______ _/ /____ ____
# / _// _ `/ / __/ _ \/ _ \ / // / _ `/ __/ _ `/ / , _/ -_) _ \/ / / __/ _ `/ __/ _ \/ __/
# /_/ \_,_/_/\__/\___/_//_/ /____/\_,_/\__/\_,_/ /_/|_|\__/ .__/_/_/\__/\_,_/\__/\___/_/
# /_/
# falcon_data_replicator.ini
# Creation date: 04.03.21, jshcodes@CrowdStrike
#
# Local configuration file for Falcon Data Replicator integration
#
# =========================================================================================================
# ____ ____ _
# / ___| ___ _ _ _ __ ___ ___ | _ \ __ _| |_ __ _
# \___ \ / _ \| | | | '__/ __/ _ \ | | | |/ _` | __/ _` |
# ___) | (_) | |_| | | | (_| __/ | |_| | (_| | || (_| |
# |____/ \___/ \__,_|_| \___\___| |____/ \__,_|\__\__,_|
#
# These values must be populated in order for this solution to operate
#
[Source Data]
# AWS security credentials, provided to you by the CrowdStrike console (String)
AWS_KEY = AWS_KEY_GOES_HERE
# (String)
AWS_SECRET = AWS_SECRET_GOES_HERE
# URL of the SQS queue provided to you by CrowdStrike (String)
# Should be a SQS URL
QUEUE_URL = https://AWS_QUEUE_URL_GOES_HERE
# This is the folder where downloads are stored. If you are immediately uploading these files to another
# s3 bucket, then you can name this folder anything. If you plan on storing this data on the file system
# then this would represent that location. (String)
OUTPUT_PATH = downloaded
# Time in seconds before a message is added back to the SQS queue if not deleted.
# Ensure this is large enough for you to safely finish processing any downloaded files. (Integer)
# Example: 300
VISIBILITY_TIMEOUT = 300
# Name of the AWS region for our source bucket (String)
# This should match the region of your CrowdStrike FDR source bucket
REGION_NAME = us-west-1
# Delay (in seconds) to wait in between messages
MESSAGE_DELAY = 1
# Delay (in seconds) to wait in between message runs
QUEUE_DELAY = 5
# Log file
LOG_FILE = falcon_data_replicator.log
# Maximum number of processor threads to use for processing
# Leaving this value blank will tell the application to make
# it's best guess. The maximum number of threads that will
# be generated at one time should not exceed 10.
# (Max number of SQS received per iteration.)
MAX_THREADS = 5
# Logging level, INFO or DEBUG
LOG_LEVEL = INFO
# ____ _ _ _ _ ____ _
# | _ \ ___ ___| |_(_)_ __ __ _| |_(_) ___ _ __ | _ \ __ _| |_ __ _
# | | | |/ _ \/ __| __| | '_ \ / _` | __| |/ _ \| '_ \ | | | |/ _` | __/ _` |
# | |_| | __/\__ \ |_| | | | | (_| | |_| | (_) | | | | | |_| | (_| | || (_| |
# |____/ \___||___/\__|_|_| |_|\__,_|\__|_|\___/|_| |_| |____/ \__,_|\__\__,_|
#
# If these values are not defined, this solution will save downloaded files to the OUTPUT_PATH location only.
#
[Destination Data]
# Target bucket (String)
# The name of your bucket. This bucket must exist.
TARGET_BUCKET = TARGET_BUCKET_NAME_GOES_HERE
# Name of our target AWS region (String)
# Example: us-east-1
TARGET_REGION = TARGET_REGION_NAME_GOES_HERE
# Remove local files after upload (Boolean)
# Allowed values: True, False, Yes, No
REMOVE_LOCAL_FILE = yes
# No local file system usage
# Allowed values: True, False, Yes, No
IN_MEMORY_TRANSFER_ONLY = yes
# Convert inbound data into OCSF format before
# publishing it to the target bucket or folder
DO_OCSF_CONVERSION = No
# OCSF Target AWS Account Id
TARGET_ACCOUNT_ID= TARGET_ACCOUNT_ID
# The role name to assume to write to Security Lake bucket
OCSF_ROLE_NAME =
# The external ID used to assume the role in the target account
OCSF_ROLE_EXTERNAL_ID = CrowdStrikeCustomSource
# Security Lake performance is sensitive to the number of files that must be read for a query.
# The max amount of time (in minutes) to buffer records before publishing. Min: 5 Max: 60 Default: 5
OCSF_INGEST_LATENCY = 5
# Maximum size of a file in MB before it is uploaded. Min: 200 Max: 256 Default: 256
OCSF_MAX_FILE_SIZE = 256