Skip to content

CrowdStrike/cs-azure-integration-bicep

BranchesTags

Repository files navigation

CrowdStrike Falcon

Falcon Cloud Security Registration with Azure Bicep

The Azure Bicep templates in this repository allow for an easy and seamless integration of Azure environments into CrowdStrike Falcon Cloud Security.

Table of Contents

  1. Overview
  2. Prerequisites
  3. Required permissions
  4. Template Parameters
  5. Resource Names
  6. Deployment
  7. Troubleshooting
  8. Contributing
  9. Support
  10. License Information

Overview

The Bicep files in this repo register an Azure management group (and all Subscriptions in the management group) or an individual Azure Subscription, to CrowdStrike Falcon Cloud Security by performing the following actions:

  • Creates an app registration in Microsoft Entra ID, including Microsoft Graph API permissions and administrative consent
  • Makes the API calls necessary to register the management group/subscription with Falcon Cloud Security
  • Assigns the following Azure RBAC permissions to the created app registration with a scope of either the management group or individual Subscription, depending on which bicep file is being used:
    • Reader
    • Security Reader
    • Key Vault Reader
    • Azure Kubernetes Service RBAC Reader
  • Assigns the cs-website-reader custom role on the management group/subscription with the following actions:
    • Microsoft.Web/sites/Read
    • Microsoft.Web/sites/config/Read
    • Microsoft.Web/sites/config/list/Action
  • If the deployIOA parameter is set to true, the file also:
    • Deploys an Event Hub Namespace, two Event Hubs, two App Service Plans, and additional infrastructure to the subscription that has been designated as the default subscription (which is done via the defaultSubscriptionId parameter). This infrastructure is used to stream Entra ID Sign In and Audit Logs, as well as Azure Activity logs, to Falcon Cloud Security.
    • Creates a Microsoft Entra ID diagnostic setting that forwards Sign In and Audit Logs to the newly-created Event Hub
    • (Individual subscription deployments only) Creates an Azure Activity Log diagnostic setting in the subscription being registered with Falcon Cloud Security that forwards Activity Logs to the newly-created Event Hub
    • (Management group deployments only) Creates an Azure policy definition and management group assignment that will create an Azure Activity Log diagnostic settings that forwards Activity Logs to the newly-created Event Hub

Important

Management Group Deployments only support registration at the Azure root management group (Tenant root group).

Prerequisites

  1. Ensure you have a CrowdStrike API client ID and client secret for Falcon Cloud Security with the CSPM Registration Read and Write scopes. If you don't already have API credentials, you can set them up in the Falcon console (you must be a Falcon Admin to access the API clients page):

  2. Azure CLI must be installed on your local machine

Important

This Bicep template can only be deployed via Azure CLI running on a local machine. You cannot deploy using Azure CLI in Azure Cloud Shell.

Required permissions

  • Application Developer, Cloud Application Administrator, or Application Administrator role in Microsoft Entra ID to create the app registration in Microsoft Entra ID

  • Privileged Role Administrator or Global Administrator role in Microsoft Entra ID to provide administrative consent to the requested Microsoft Graph API permissions.

    [!NOTE] Use the optional grantAdminConsent parameter to disable granting administrative consent to the requested Microsoft Graph API permissions automatically.

  • Owner role for the Azure management group to be integrated into Falcon Cloud Security

  • Owner role for the Azure subscription to be used for deployment of the infrastructure for Indicator of Attack (IOA) assessment

Template Parameters

You can use any of these methods to pass parameters:

Parameter name Required Description
defaultSubscriptionId yes Subscription Id of the default Azure Subscription.
falconCID yes CID for the Falcon API.
falconClientId yes Client ID for the Falcon API.
falconClientSecret yes Client secret for the Falcon API.
falconCloudRegion yes Falcon cloud region. Allowed values are US-1, US-2, or EU-1.
useExistingAppRegistration no Use an existing Application Registration. Defaults to false.
grantAppRegistrationAdminConsent no Grant admin consent for Application Registration. Defaults to true.
azureClientId no Application Id of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureClientSecret no Application Secret of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azurePrincipalId no Principal Id of the Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureAccountType no Type of the Azure account to integrate.
location no Location for the resources deployed in this solution.
tags no Tags to be applied to all resources.
deployIOM no Deploy Indicator of Misconfiguration (IOM) integration. Defaults to true.
assignAzureSubscriptionPermissions no Assign required permissions on Azure Default Subscription automatically. Defaults to false when deploying to Management Group, defaults to true when deploying to indidvidual Subscription.
assignAzureManagementGroupPermissions no Assign required permissions Azure Management Group automatically. Defaults to true when deploying to Management Group, defaults to false when deploying to indidvidual Subscription.
deployIOA no Deploy Indicator of Attack (IOA) integration. Defaults to true.
enableAppInsights no Enable Application Insights for additional logging of Function Apps. Defaults to false.
deployActivityLogDiagnosticSettings no Deploy Activity Log Diagnostic Settings. Defaults to true.
deployEntraLogDiagnosticSettings no Deploy Entra Log Diagnostic Settings. Defaults to true.

Resource Names

Do not change the names of the following Azure resources as they are used for registration validation and must remain unchanged. Other resource names in the files can be changed according to your internal naming convention.

  • Diagnostic Setting in subscription:
    • Default name: cs-monitor-activity-to-eventhub
  • IOA Resource Group:
    • Default name: cs-ioa-group
  • Event Hub Namespace:
    • Default name: cs-horizon-ns-<sub_id>
  • Event Hubs:
    • Default name: cs-eventhub-monitor-activity-logs
    • Default name: cs-eventhub-monitor-aad-logs
  • Function apps:
    • Default name: cs-activity-func-<> (has to include activity-func)
    • Default name: cs-aad-func-<> (has to include aad-func)

Deployment

Preparation

  1. Download this repo to your local machine
  2. Open a new Terminal window and change directory to point at the downloaded repo
  3. Run az login to log into Azure via the Azure CLI.
    • If registering a management group: Be sure to log into a subscription that is in the tenant whose root Management Group you want to register with Falcon Cloud Security.
    • If registering an individual subscription: Be sure to log into the subscription you want to register with Falcon Cloud SEcurity
  4. Run the appropriate deployment command provided below.

Deployment Command for Registering a Management Group

az deployment mg create --name 'cs-managementgroup-deployment' --location westus \
  --management-group-id $(az account show --query tenantId -o tsv) \
  --template-file cs-deployment-managementGroup.bicep \
  --only-show-errors

To track progress of the deployment or if you encounter issues and want to see detailed error messages:

  • Open the Azure Portal
  • Go to Management Groups > Tenant Root Groups
  • Select Deployments from the left menu.
  • You will see the deployment in progress, whose default name is cs-managementgroup-deployment

Remediate Azure Policy Assignment

Once deployment has completed, in order to enable indicators of attack (IOAs) for all the existing subscriptions on Azure, you must remediate the CrowdStrike IOA Azure policy assignment manually.

  1. In the Azure portal, navigate to Management Groups and select the tenant root group.
  2. Go to Governance > Policy and select Authoring > Assignments.
  3. Click the CrowdStrike IOA assignment and then remediate the assignment by creating a remediation task from a non-compliant policy assignment.

Deployment Command for Registering an Individual Subscription

az deployment sub create --name 'cs-subscription-deployment' --location westus \
  --template-file cs-deployment-subscription.bicep \
  --only-show-errors

To track progress of the deployment or if you encounter issues and want to see detailed error messages:

  • Open the Azure Portal
  • Go to Subscriptions and select the Subscription you are registering
  • Select Deployments from the left menu.
  • You will see the deployment in progress, whose default name is cs-subscription-deployment

Note

The deployment command can be executed multiple times to register additional Azure subscriptions into CrowdStrike Falcon Cloud Security.

Troubleshooting

Existing Key Vault

When using our Bicep files to set up Indicator Of Attack, a Key Vault is created to store sensitive information. As per Microsoft's recommendation, the Key Vault is created with purge protection enabled.

When deleting the resource group cs-ioa-group, the Key Vault gets soft-deleted.

If you encounter any issues while trying to create the Key Vault, please follow Microsoft's instructions on how to recover a soft-deleted Key Vault.

IOAs appear inactive for discovered subscriptions after registering an Azure management group

After registering a management group and manually remediating the CrowdStrike IOA Azure policy assignment, IOAs can remain inactive for some discovered subscriptions. This can happen when the diagnostic settings are not configured in the registered subscriptions.

The evaluation of the assigned Azure policy responsible for the diagnostic settings creation can take some time to properly evaluate which resources need to be remediated (See Evaluation Triggers).

Make sure that all the existing subscriptions are properly listed under resources to remediate when creating the remediation tasks.

Tenant ID, application ID, principal ID, and scope are not allowed to be updated

You might encounter this error when registering a management group using Bicep.

This happens when you have pre-existing role assignments for the Monitoring Contributor, Lab Services Reader, and Azure Event Hubs Data Owner roles to a deleted management identity created by the CrowdStrike IOA policy assignment.

In the Azure portal, navigate to Management Groups and select the tenant root group. Then go to Access Control (IAM) and delete all role assignments of the Monitoring Contributor, Lab Services Reader, and Azure Event Hubs Data Owner roles assigned to Identity not found.

Contributing

If you want to develop new content or improve on this collection, please open an issue or create a pull request. All contributions are welcome!

Support

This is a community-driven, open source project aimed to register Falcon Cloud Security with Azure using Bicep. While not an official CrowdStrike product, this repository is maintained by CrowdStrike and supported in collaboration with the open source developer community.

For additional information, please refer to the SUPPORT.md file.

License Information

See the LICENSE for more information.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

6 watching

Forks

3 forks
Report repository

Releases 11

v0.0.11 Latest
Jan 24, 2025
+ 10 releases

Packages

No packages published

Contributors 6

Languages