From b0e152b52eec309bba03e25c0ebc5b39c2afc399 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Wed, 31 May 2023 13:05:57 -0500 Subject: [PATCH] initial documentation --- guide/content/_index.md | 8 ++++---- guide/content/additional-resources.md | 10 ++++++---- guide/content/architecture.md | 25 +++++++++++++++++++------ guide/content/costandlicenses.md | 4 ++-- guide/content/deployment-steps.md | 4 ++-- guide/content/faqs.md | 12 ++++++++++++ guide/content/overview.md | 7 ++++--- guide/content/post-deployment-steps.md | 9 +++++---- guide/content/pre-deployment-steps.md | 3 +-- guide/content/terminologies.md | 11 ++++++++++- guide/content/test-deployment.md | 16 ++++++++++++++-- guide/content/troubleshooting.md | 2 ++ 12 files changed, 81 insertions(+), 30 deletions(-) diff --git a/guide/content/_index.md b/guide/content/_index.md index 8fe9435..fa6640c 100644 --- a/guide/content/_index.md +++ b/guide/content/_index.md 
@@ -1,12 +1,12 @@ --- weight: 1 -title: -description: +title: CrowdStrike Falcon Horizon +description: CrowdStrike Falcon Horizon monitors your AWS cloud services to detect critical security issues, common configuration errors, and patterns of suspicious behavior. --- -# Project Title +# CrowdStrike Falcon Horizon -The purpose of this document is to walk you through the process of . This document is intended for Customers who are using the AWS Built In program(ABI) and in process of building an ABI project. +The purpose of this document is to walk you through the process of onboarding your AWS Organization with CrowdStrike Falcon Horizon. This document is intended for Customers who are using the CrowdStrike Falcon Horizon AWS Built In program(ABI) and in process of building an ABI project. The AWS Built-in program is a differentiation program that validates Partner solutions which have automated their solution integrations with relevant AWS foundational services like identity, management, security and operations. This program helps customers find and deploy a validated Partner solution that addresses specific customer use cases while providing deep visibility and control of AWS native service integration. diff --git a/guide/content/additional-resources.md b/guide/content/additional-resources.md index 7a70162..932e51e 100644 --- a/guide/content/additional-resources.md +++ b/guide/content/additional-resources.md 
@@ -6,13 +6,15 @@ description: Additional Resources ## Partner documentation -* Reference-1 -* Reference-2 +* In CrowdStrike Falcon Console, navigate to Documentation/Falcon Horizon Overview ## AWS Services -* Reference-1 -* Reference-2 +* [CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) +* [Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) +* [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) +* [EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) +* [Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) ## Frequently asked questions (FAQs) diff --git a/guide/content/architecture.md b/guide/content/architecture.md index 7c15752..4e39bd6 100644 --- a/guide/content/architecture.md +++ b/guide/content/architecture.md 
@@ -10,17 +10,30 @@ Deploying this ABI package with default parameters builds the following architec As shown in the diagram, the Quick Start sets up the following: -* In all current and AWS accounts in your AWS organization: - * to and . - * to perform and . +* In all current and AWS accounts in your AWS organization: + * IAM Role for Horizon to perform Read-Only activities. + * IAM Role too allow EventBridge to PutEvents against CrowdStrike's EventBus. + * EventBridge Rules in each region with CrowdStrike EventBus as target. * In the management account: - * to perform and . + * Secrets Manager Secret to store CrowdStrike API Keys. + * IAM Role for Horizon to perform Read-Only activities. + * IAM Role for EventBridge to PutEvents against CrowdStrike's EventBus. + * IAM Role for Lambda Execution. + * Lambda function to perform account registration with CrowdStrike. + * Custom CloudFormation Resource to trigger Lambda Function. + * CloudFormation StackSet to create EventBridge Rules in each region. + * CloudFormation StackSet to create IAM Roles in member accounts. + * CloudFormation StackSet to create EventBridge Rules in member accounts. * In the log archive account: - * to perform and . + * IAM Role for Horizon to perform Read-Only activities. + * IAM Role to allow EventBridge to PutEvents against CrowdStrike's EventBus. + * EventBridge Rules in each region with CrowdStrike EventBus as target. * In the security tooling account: - * to perform and . + * IAM Role for Horizon to perform Read-Only activities. + * IAM Role to allow EventBridge to PutEvents against CrowdStrike's EventBus. + * EventBridge Rules in each region with CrowdStrike EventBus as target. **Next:** Choose [Deployment Options](/deployment-options/index.html) to get started. \ No newline at end of file diff --git a/guide/content/costandlicenses.md b/guide/content/costandlicenses.md index e06f49a..ce0cc3f 100644 --- a/guide/content/costandlicenses.md +++ b/guide/content/costandlicenses.md 
@@ -4,13 +4,13 @@ title: Cost and licenses description: Cost of the solution and licenses required. --- - +[CrowdStrike Bundles and Pricing](https://www.crowdstrike.com/products/?ct-q2-2023-bn-products-nav) - +[CrowdStrike End User License Agreement](https://s3.amazonaws.com/EULA/314ae52f-b319-4413-9052-fe03bfbd6b21-Crowdstrike-EULA.pdf) diff --git a/guide/content/deployment-steps.md b/guide/content/deployment-steps.md index 7ccc3fc..b5418ed 100644 --- a/guide/content/deployment-steps.md +++ b/guide/content/deployment-steps.md @@ -10,9 +10,9 @@ description: Deployment steps 1. Download the cloudformation template from source: https:// 2. Launch CloudFormation template in your AWS Control Tower home region. - * Stack name: `template--enable-integrations` + * Stack name: `template-crowdstrike-enable-integrations` * List Parameters with [call out default values and update below example as needed] - * **EnableIntegrationsStackName**: `template--enable-integrations` + * **EnableIntegrationsStackName**: `template-crowdstrike-enable-integrations` * **EnableIntegrationsStackRegion**: `us-east-1` * **EnableIntegrationsStackSetAdminRoleName**: `AWSCloudFormationStackSetAdministrationRole` * **EnableIntegrationsStackSetExecutionRoleName**: `AWSCloudFormationStackSetExecutionRole` diff --git a/guide/content/faqs.md b/guide/content/faqs.md index 0e7df70..6b5e3c2 100644 --- a/guide/content/faqs.md +++ b/guide/content/faqs.md 
@@ -4,6 +4,18 @@ title: FAQs description: Frequently asked questions --- +## How frequently will CrowdStrike Horizon scan my environment for Configuration (IOM) assessment? + +You may configure your settings to determine how often the assessments will occur. The default rate is 2 hours after the last successfull assessment. Optional intervals: 6 hours, 12 hours and 24 hours + +## How frequently will CrowdStrike Horizon scan my environment for Behavioral (IOA) assessment? + +IOA findings are not generated by scheduled scans, but instead are forwarded to CrowdStrike at the time of the event via EventBridge. This means IOA findings will appear in your Falcon Horizon console in near-real time. + +## Can I create custom policies with CrowdStrike Falcon Horizon? + +You can create custom policies for misconfiguration detections in your cloud accounts in Horizon. By defining your own rules, you get more coverage with fine-tuned policies that meet your own security and compliance requirements. + ## Can I contribute to this repository? Yes, this shared under Apache License, version 2.0 (the "License"). Please submit a GitHub issue if you see an issues or improvements. If you like to build and contribute a fix or enhancement, please submit a GitHub pull request with your changes. diff --git a/guide/content/overview.md b/guide/content/overview.md index fa8f28a..9454f82 100644 --- a/guide/content/overview.md +++ b/guide/content/overview.md 
@@ -5,15 +5,16 @@ description: --- -This ABI deploys Integrations for AWS Organizations on the AWS Cloud. It’s for and that want to provide across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin). +This ABI deploys CrowdStrike Falcon Horizon Integrations for AWS Organizations on the AWS Cloud. It’s for and that want to provide Cloud Security Posture Management across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin). Deploying this ABI package does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations. +Avoid breaches and make sure your cloud security configuration meets industry security recommendations with the CrowdStrike Cloud Security Posture Management platform, Falcon Horizon. Falcon Horizon monitors your AWS, Azure, and GCP cloud services to detect critical security issues, common configuration errors, and patterns of suspicious behavior. Use Horizon to triage findings and find recommended remediations to close the gaps and keep your cloud data secure. -[Expand solution overview here] +The first step in getting started using Falcon Horizon, is to register your cloud accounts with Falcon Horizon. When registering, Falcon Horizon is granted limited read-only access to your cloud account. When you register using this solution, all accounts in that organization are registered automatically for Falcon Horizon. ### AWS Marketplace listing -[Partner-product-name-in-aws-marketplace](https://aws.amazon.com/marketplace/pp/prodview-) +[PCrowdStrike Falcon Cloud Security](https://aws.amazon.com/marketplace/pp/prodview-l6ti2ml2i2g6y?ref_=esp&feature_=FeaturedProducts) **Next:** Choose [Terminologies](/terminologies/index.html) to get started. diff --git a/guide/content/post-deployment-steps.md b/guide/content/post-deployment-steps.md index 476b671..8ede053 100644 
--- a/guide/content/post-deployment-steps.md +++ b/guide/content/post-deployment-steps.md @@ -6,9 +6,10 @@ description: Post deployment options ## Verifying the solution functionality -## Parnter capability 1 - -## Parnter capability 2 - +## Verify Account Activation in CrowdStrike Falcon Console +* Sign in to your CrowdStrike Falcon Console +* Navigate to Cloud-Security/Registration https://falcon.crowdstrike.com/cloud-security/registration +* Verify each AWS Account ID shows "Active" in the Configuration (IOM) and Behavior (IOA) columns. +* This step may take several minutes, click refresh to retireve the latest account status. **Next:** Choose [Test the Deployment](/test-deployment/index.html) to get started. \ No newline at end of file diff --git a/guide/content/pre-deployment-steps.md b/guide/content/pre-deployment-steps.md index 87d0345..cb04b43 100644 --- a/guide/content/pre-deployment-steps.md +++ b/guide/content/pre-deployment-steps.md @@ -7,8 +7,7 @@ description: Pre Deployment Options Before deploying this ABI package, complete the following steps: * Subscribe to partner product from AWS Marketplace using -* Any things to be done before deployment -* Any other pre-deployment steps +* Create Crowdstrike API Client in Falcon UI with CSPM registration API scope. * Become familiar with the [additional resources](https://link), later in this guide. **Next:** Choose **[Deployment Steps](/deployment-steps/index.html)** to get started. \ No newline at end of file diff --git a/guide/content/terminologies.md b/guide/content/terminologies.md index 2bcc22f..e9e8275 100644 --- a/guide/content/terminologies.md +++ b/guide/content/terminologies.md 
@@ -7,6 +7,15 @@ description: Terminolgies used in this guide. * **ABI :** AWS Built In (ABI) as explained above. * **ABI Modules :** The GitHub repositories based of AWS SRA, which provide templates for enabling AWS foundational services like CloudTrail, GuardDuty, SecurityHub and more security services. * **ABI Projects :** The GitHub repositories built by Partners in partnership with AWS. While building these projects, partners leverage ABI Modules provided to enable AWS services as needed before creating partner specific assets. The project contains 1\ IaC templates to automate enablement of both AWS and Partner services, 2\ Wrappers for most common formats like CfCT manifest, SC Baselines and more to allow customers to easily pick and choose from the services available. For Pilot, we will focus only on including CfCT manifest file in the package. -* [[Add more terminologies here]] +* **Assessment:** An individual instance when Horizon compares your cloud settings to the Horizon policies. +* **Assessment Schedules:** You can select how frequently your cloud environment is assessed for misconfigurations. You can also exclude AWS services and regions from assessment. +* **Behavioral:** Patterns of suspicious behavior in your cloud environment. +* **Configuration:** Findings based on policies and benchmarks compared to your cloud configuration. +* **CrowdStrike API Client:** CrowdStrike Falcon API Client authentication credentials for interaction with CrowdStike APIs via OAuth 2.0 token. Includes an API Client ID and API Client Secret. +* **CrowdStrike EventBus:** The AWS EventBus in CrowdStrike's environment to receive events and provide the data to CrowdStrike Falcon Horizon service. +* **Horizon Policies:** Horizon policies are a set of rules defined to detect misconfigurations of the cloud resources (IOMs) or to detect suspicious behavior patterns (IOAs). 
+* **Indicator of attack (IOA):** A pattern of suspicious behavior that suggests an attack might be underway. In Horizon, IOAs are labeled as findings. +* **Indicator of misconfiguration (IOM):** A configuration setting that doesn’t follow recommended security guidelines and might become a security vulnerability in a cloud environment. In Horizon, IOMs are labeled as findings. +* **Registration:** Enroll your AWS Account ID with CrowdStrike Falcon Horizon service. **Next:** Choose [Cost and licenses](/costandlicenses/index.html) to get started. diff --git a/guide/content/test-deployment.md b/guide/content/test-deployment.md index 052c10e..8ae1298 100644 --- a/guide/content/test-deployment.md +++ b/guide/content/test-deployment.md 
@@ -4,11 +4,23 @@ title: Test the deployment description: Test the deployment --- -## Step-1 +To test the functionality of CrowdStrike Falcon Horizon, you may generate findings by intentionally violating a policy of your choice. +**Note:** CrowdStrike does not recommend executing these steps against any accounts and/or workloads with sensitive data. -## Step-2 +## Step-1: Review Policies +* Log in to the CrowdStrike Falcon console +* Navigate to Cloud Security/Cloud Security Posture/Policies +* Filter by AWS and choose a service +* Review Configuration and Behavioral policies. + +## Step-2: Execute Policy Violation +* Choose a policy to test, for example "VPC Flow Logs Disabled" +* Make the relevant change in your AWS account ## Step-3 +* Review your Horizon Assessment findings in Cloud Security/Cloud Security Posture/Assessment +* If the policy you chose is Behavioral, please wait a few minutes for the finding to appear. +* If the policy you chose is Configuration, please wait for the next assessment scan for the finding to appear. 2 hours is the default interval, but this may be changed in Cloud Security/Cloud Security Posture/Settings **Next:** Choose [Additonal Resources](/additional-resources/index.html) to get started. \ No newline at end of file diff --git a/guide/content/troubleshooting.md b/guide/content/troubleshooting.md index d6813b1..f6c8788 100644 --- a/guide/content/troubleshooting.md +++ b/guide/content/troubleshooting.md @@ -4,6 +4,8 @@ title: Troubleshooting description: Troubleshooting --- +For troubleshooting issues with CrowdStrike Falcon Horizon please [submit a support ticket here.](https://supportportal.crowdstrike.com/) + For troubleshooting common ABI issues, refer to the [AWS Built In General Information Guide](http://link-to-reference-architecture) and [Troubleshooting CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html).
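Review bot: Typos in the new description paragraph of guide/content/_index.md: "program(ABI)" needs a space before the parenthesis, and "in process of building an ABI project" should read "in the process of building an ABI project".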
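Review bot: The Partner documentation entry in guide/content/additional-resources.md is a navigation instruction ("navigate to Documentation/Falcon Horizon Overview") while every AWS Services entry is a markdown link; if the Falcon Horizon documentation has a stable URL, link it the same way so the two lists are consistent.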
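Review bot: In guide/content/architecture.md the first bullet "In all current and AWS accounts" is still missing a word between "current and" and "AWS accounts" (inherited from the template), and "IAM Role too allow EventBridge to PutEvents" should be "to allow". The management-account list has two StackSet bullets that both create EventBridge Rules ("in each region" and "in member accounts"); state whether these are separate StackSets or drop the duplicate. Because the read-only role and the PutEvents role are assumed from CrowdStrike's side, this page should also say what each role's trust policy grants (which external principal, and whether an external ID or similar condition is required), so readers can review the cross-account access before deploying.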
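Review bot: The pricing link in guide/content/costandlicenses.md carries a campaign tracking query string (?ct-q2-2023-bn-products-nav); drop it so the link keeps working after the campaign ends, i.e. https://www.crowdstrike.com/products/.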
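Review bot: The guide/content/deployment-steps.md hunk only fills in the stack name; the template placeholders in the surrounding context are still unresolved: step 1 reads "Download the cloudformation template from source: https://" with no URL, and the parameter list is introduced by the bracketed author note "[call out default values and update below example as needed]". Add the template location and remove the bracketed note, otherwise readers cannot complete step 1.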
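Review bot: In guide/content/faqs.md, "successfull" should be "successful" and "Optional intervals: 6 hours, 12 hours and 24 hours" is missing its terminating period. The pre-existing contribution answer in the context lines also reads "this shared under" and "if you see an issues"; worth fixing to "this is shared under" and "if you see any issues" while touching this file.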
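Review bot: In guide/content/overview.md the first sentence still contains the template gap "It’s for and that want to provide" (the audience placeholders were never filled in), and the front-matter "description:" in context is empty. The marketplace link text "PCrowdStrike Falcon Cloud Security" has a stray leading "P", and its URL carries tracking parameters (?ref_=esp&feature_=FeaturedProducts) that can be dropped. Also remove the comma in "getting started using Falcon Horizon, is to register".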
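Review bot: In guide/content/post-deployment-steps.md, "retireve" should be "retrieve", and "This step may take several minutes, click refresh" is a comma splice (split it into two sentences). The Registration bullet pastes a bare URL after the console path; render it as a markdown link as the other pages do.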
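Review bot: The new bullet in guide/content/pre-deployment-steps.md spells the vendor "Crowdstrike" while the rest of the guide uses "CrowdStrike". It should also make clear that the API client is to be granted only the CSPM registration scope it needs, and say how the resulting Client ID and Secret are used during deployment (the architecture page states they are stored in a Secrets Manager secret in the management account). The context lines still carry two template leftovers: "Subscribe to partner product from AWS Marketplace using" is an unfinished sentence, and "[additional resources](https://link)" is a placeholder link.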
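Review bot: In guide/content/terminologies.md, "CrowdStike APIs" should be "CrowdStrike APIs". Two typos in the context lines are worth fixing in the same change: the front-matter description "Terminolgies used in this guide." ("Terminologies") and "based of AWS SRA" ("based on") in the ABI Modules entry.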
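Review bot: In guide/content/test-deployment.md, Step-2 tells the reader to intentionally violate a policy such as "VPC Flow Logs Disabled" but never tells them to undo it; add a closing step that restores the original setting after the finding appears and confirms the finding is resolved, so a test account is not left in a weakened state. Step-3 also has no title while Step-1 and Step-2 do (for example "## Step-3: Review Findings"), and the context link text "Additonal Resources" should be "Additional Resources".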
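Review bot: In guide/content/troubleshooting.md the sentence's period is inside the link text ("submit a support ticket here."); move it outside the closing bracket. The following context line still points at the placeholder http://link-to-reference-architecture.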