feat: add crowdstrike connector

Signed-off-by: Szilard Parrag <szilard.parrag@axoflow.com>

Author: OverOrion

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/axoflow/axoflow-otel-collector/axoflow-otel-collector:0.129.0-axoflow.kafkareceiver AS axo-otelcol
+FROM ghcr.io/axoflow/axoflow-otel-collector/axoflow-otel-collector:0.129.0-axoflow.4 AS axo-otelcol
 
 FROM alpine:3.21 AS base
 

connectors/crowdstrike/README.md

@@ -0,0 +1,112 @@
+
+# CrowdStrike Falcon Receiver
+
+This directory contains the Axoflow CrowdStrike Falcon receiver which helps collecting alerts from the CrowdStrike Falcon platform.
+
+## Quickstart
+
+### Authentication with ClientID / ClientSecret
+
+Make sure the required environment variables are set before running the receiver.
+
+```bash
+UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
+AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
+
+```bash
+docker run \
+        --rm \
+        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
+        -e CROWDSTRIKE_CLIENT_ID="${CROWDSTRIKE_CLIENT_ID}" \
+        -e CROWDSTRIKE_CLIENT_SECRET="${CROWDSTRIKE_CLIENT_SECRET}" \
+        -e CROWDSTRIKE_CLOUD="${CROWDSTRIKE_CLOUD}" \
+        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
+        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
+        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
+        ghcr.io/axoflow/axocloudconnectors:latest
+```
+
+### Authentication with Access Token
+
+Make sure the required environment variables are set before running the receiver.
+
+```bash
+UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
+AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
+
+```bash
+docker run \
+        --rm \
+        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
+        -e CROWDSTRIKE_ACCESS_TOKEN="${CROWDSTRIKE_ACCESS_TOKEN}" \
+        -e CROWDSTRIKE_CLOUD="${CROWDSTRIKE_CLOUD}" \
+        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
+        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
+        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
+        ghcr.io/axoflow/axocloudconnectors:latest
+```
+
+
+## Deploy with Helm-chart (ClientID / ClientSecret)
+
+```bash
+make minikube-cluster
+make docker-build
+make minikube-load-image
+
+kubectl create namespace cloudconnectors
+kubectl create secret generic crowdstrike-falcon \
+  --from-literal=client-id="<YOUR-CROWDSTRIKE-CLIENT-ID>" \
+  --from-literal=client-secret="<YOUR-CROWDSTRIKE-CLIENT-SECRET>" \
+  --from-literal=cloud="<YOUR-CROWDSTRIKE-CLOUD>" \
+  --namespace cloudconnectors \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
+AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
+
+helm upgrade --install --wait --namespace cloudconnectors cloudconnectors ./charts/cloudconnectors \
+  --set image.repository="axocloudconnectors" \
+  --set image.tag="dev" \
+  --set 'env[0].name=AXOROUTER_ENDPOINT' \
+  --set 'env[0].value=axorouter.axoflow-local.svc.cluster.local:4317' \
+  --set 'env[1].name=AXOCLOUDCONNECTOR_DEVICE_ID' \
+  --set "env[1].value=${AXOCLOUDCONNECTOR_DEVICE_ID}" \
+  --set 'env[2].name=CROWDSTRIKE_CLIENT_ID' \
+  --set 'env[2].valueFrom.secretKeyRef.name=crowdstrike-falcon' \
+  --set 'env[2].valueFrom.secretKeyRef.key=client-id' \
+  --set 'env[3].name=CROWDSTRIKE_CLIENT_SECRET' \
+  --set 'env[3].valueFrom.secretKeyRef.name=crowdstrike-falcon' \
+  --set 'env[3].valueFrom.secretKeyRef.key=client-secret' \
+  --set 'env[4].name=CROWDSTRIKE_CLOUD' \
+  --set 'env[4].valueFrom.secretKeyRef.name=crowdstrike-falcon' \
+  --set 'env[4].valueFrom.secretKeyRef.key=cloud'
+```
+
+## Deploy with Helm-chart (Access Token)
+
+```bash
+kubectl create secret generic crowdstrike-falcon \
+  --from-literal=access-token="<YOUR-CROWDSTRIKE-ACCESS-TOKEN>" \
+  --from-literal=cloud="<YOUR-CROWDSTRIKE-CLOUD>" \
+  --namespace cloudconnectors \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
+AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
+
+helm upgrade --install --wait --namespace cloudconnectors cloudconnectors ./charts/cloudconnectors \
+  --set image.repository="axocloudconnectors" \
+  --set image.tag="dev" \
+  --set 'env[0].name=AXOROUTER_ENDPOINT' \
+  --set 'env[0].value=axorouter.axoflow-local.svc.cluster.local:4317' \
+  --set 'env[1].name=AXOCLOUDCONNECTOR_DEVICE_ID' \
+  --set "env[1].value=${AXOCLOUDCONNECTOR_DEVICE_ID}" \
+  --set 'env[2].name=CROWDSTRIKE_ACCESS_TOKEN' \
+  --set 'env[2].valueFrom.secretKeyRef.name=crowdstrike-falcon' \
+  --set 'env[2].valueFrom.secretKeyRef.key=access-token' \
+  --set 'env[3].name=CROWDSTRIKE_CLOUD' \
+  --set 'env[3].valueFrom.secretKeyRef.name=crowdstrike-falcon' \
+  --set 'env[3].valueFrom.secretKeyRef.key=cloud'
+```
+

connectors/crowdstrike/config.yaml

@@ -0,0 +1,89 @@
+exporters:
+  otlp/axorouter:
+    endpoint: ${env:AXOROUTER_ENDPOINT}
+    retry_on_failure:
+      enabled: true
+      max_elapsed_time: 0
+    sending_queue:
+      enabled: true
+      storage: file_storage
+    tls:
+      insecure: ${env:AXOROUTER_TLS_INSECURE:-false}
+      ca_file: ${env:AXOROUTER_TLS_CA_FILE}
+      ca_pem: ${env:AXOROUTER_TLS_CA_PEM}
+      cert_file: ${env:AXOROUTER_TLS_CERT_FILE}
+      cert_pem: ${env:AXOROUTER_TLS_CERT_PEM}
+      key_file: ${env:AXOROUTER_TLS_KEY_FILE}
+      key_pem: ${env:AXOROUTER_TLS_KEY_PEM}
+      min_version: ${env:AXOROUTER_TLS_MIN_VERSION:-1.2}
+      max_version: ${env:AXOROUTER_TLS_MAX_VERSION}
+      include_system_ca_certs_pool: ${env:AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL:-false}
+      insecure_skip_verify: ${env:AXOROUTER_TLS_INSECURE_SKIP_VERIFY:-false}
+
+processors:
+  resource/axoflow_device_id:
+    attributes:
+      - key: "com.axoflow.device_id"
+        action: insert
+        value: "${env:AXOCLOUDCONNECTOR_DEVICE_ID}"
+
+  resourcedetection/system:
+    detectors: ["system", "env"]
+    system:
+      hostname_sources: ["dns", "os", "cname", "lookup"]
+      resource_attributes:
+        host.name:
+          enabled: true
+        host.ip:
+          enabled: true
+        host.id:
+          enabled: true
+
+  resource/axoflow: # Provider specific!
+    attributes:
+      - key: "com.axoflow.vendor"
+        action: insert
+        value: "crowdstrike"
+      - key: "com.axoflow.product"
+        action: insert
+        value: "falcon"
+
+receivers: # Provider specific!
+  crowdstrike:
+    access_token: ${env:CROWDSTRIKE_ACCESS_TOKEN}
+    client_id: ${env:CROWDSTRIKE_CLIENT_ID}
+    client_secret: ${env:CROWDSTRIKE_CLIENT_SECRET}
+    member_cid: ${env:CROWDSTRIKE_MEMBER_CID}
+    cloud: ${env:CROWDSTRIKE_CLOUD}
+    host_override: ${env:CROWDSTRIKE_HOST_OVERRIDE}
+    poll_interval: ${env:CROWDSTRIKE_POLL_INTERVAL}
+    debug: ${CROWDSTRIKE_DEBUG}
+    tls:
+      insecure: ${env:CROWDSTRIKE_TLS_INSECURE:-false}
+      insecure_skip_verify: ${env:CROWDSTRIKE_TLS_INSECURE_SKIP_VERIY:-false}
+      server_name_override: ${env:CROWDSTRIKE_TLS_SERVER_NAME_OVERRIDE}
+      ca_file: ${env:CROWDSTRIKE_TLS_CA_FILE}
+      ca_pem: ${env:CROWDSTRIKE_TLS_CA_PEM}
+      cert_file: ${env:CROWDSTRIKE_TLS_CERT_FILE}
+      cert_pem: ${env:CROWDSTRIKE_TLS_CERT_PEM}
+      key_file: ${env:CROWDSTRIKE_TLS_KEY_FILE}
+      key_pem: ${env:CROWDSTRIKE_TLS_KEY_PEM}
+      min_version: ${env:CROWDSTRIKE_TLS_MIN_VERSION:-1.2}
+      max_version: ${env:CROWDSTRIKE_TLS_MAX_VERSION}
+      include_system_ca_certs_pool: ${env:CROWDSTRIKE_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL:-false}
+
+extensions:
+  health_check:
+    endpoint: ${env:POD_IP}:13133
+  file_storage:
+    directory: ${env:STORAGE_DIRECTORY}
+    create_directory: true
+
+service:
+  extensions: [health_check, file_storage]
+  pipelines:
+    logs:
+      receivers: [crowdstrike]
+      processors:
+        [resource/axoflow_device_id, resourcedetection/system, resource/axoflow]
+      exporters: [otlp/axorouter]