Skip to content

CrowdStrike/cs-azure-integration-bicep

BranchesTags

Repository files navigation

CrowdStrike Falcon

Falcon Cloud Security Registration with Azure Bicep

The Azure Bicep templates in this repository allow for an easy and seamless integration of Azure environments into CrowdStrike Falcon Cloud Security.

Table of Contents

  1. Register an Azure management group
  2. Register a single Azure Subscription
  3. Troubleshooting
  4. Contributing
  5. Support
  6. License Information

Deployment using Azure CLI

Register an Azure management group

The command below registers an Azure management group, including all Azure subscriptions, into Falcon Cloud Security by performing the following actions:

  • Creates an app registration in Microsoft Entra ID, including Microsoft Graph API permissions and administrative consent
  • Assigns the following Azure RBAC permissions to the created app registration on the Azure management group:
    • Reader
    • Security Reader
    • Key Vault Reader
    • Azure Kubernetes Service RBAC Reader
  • Assigns the cs-website-reader custom role on the subscription with the following actions:
    • Microsoft.Web/sites/Read
    • Microsoft.Web/sites/config/Read
    • Microsoft.Web/sites/config/list/Action
  • Creates an Azure policy definition and management group assignment to create Azure subscription diagnostic settings
  • Creates Microsoft Entra ID diagnostic setting
  • Deploys infrastructure for Indicator of Attack (IOA) assessment
  • Integrates the subscription into Falcon Cloud Security for Indicator of Misconfiguration (IOM) and Indicator of Attack (IOA) assessment

Important

Registration only supports the Azure root management group (Tenant root group).

Prerequisite

Ensure you have a CrowdStrike API client ID and client secret for Falcon Cloud Security. If you don't, you can set them up in the Falcon console:

Required permissions

  • Application Developer, Cloud Application Administrator, or Application Administrator role in Microsoft Entra ID to create the app registration in Microsoft Entra ID

  • Privileged Role Administrator or Global Administrator role in Microsoft Entra ID to provide administrative consent to the requested Microsoft Graph API permissions.

    [!NOTE] Use the optional grantAdminConsent parameter to disable granting administrative consent to the requested Microsoft Graph API permissions automatically.

  • Owner role for the Azure management group to be integrated into Falcon Cloud Security

  • Owner role for the Azure subscription to be used for deployment of the infrastructure for Indicator of Attack (IOA) assessment

Deployment command

az deployment mg create --name 'cs-managementgroup-deployment' --location westus \
  --management-group-id $(az account show --query tenantId -o tsv) \
  --template-file cs-deployment-managementGroup.bicep \
  --only-show-errors

Remediate Azure Policy Assignment

To enable indicators of attack (IOAs) for all the already existing subscriptions on Azure, you must remediate the CrowdStrike IOA Azure policy assignment manually.

  1. In the Azure portal, navigate to Management Groups and select the tenant root group.
  2. Go to Governance > Policy and select Authoring > Assignments.
  3. Click the CrowdStrike IOA assignment and then remediate the assignment by creating a remediation task from a non-compliant policy assignment.
  4. Click Validate to return to the cloud accounts page. Allow about two hours for the data to be available.

Parameters

You can use any of these methods to pass parameters:

Parameter name Required Description
defaultSubscriptionId yes Subscription Id of the default Azure Subscription.
falconCID yes CID for the Falcon API.
falconClientId yes Client ID for the Falcon API.
falconClientSecret yes Client secret for the Falcon API.
falconCloudRegion no Falcon cloud region. Defaults to US-1. Allowed values are US-1, US-2, or EU-1.
useExistingAppRegistration no Use an existing Application Registration. Defaults to false.
grantAppRegistrationAdminConsent no Grant admin consent for Application Registration. Defaults to true.
azureClientId no Application Id of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureClientSecret no Application Secret of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azurePrincipalId no Principal Id of the Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureAccountType no Type of the Azure account to integrate.
location no Location for the resources deployed in this solution.
tags no Tags to be applied to all resources.
deployIOM no Deploy Indicator of Misconfiguration (IOM) integration. Defaults to true.
assignAzureSubscriptionPermissions no Assign required permissions on Azure Default Subscription automatically. Defaults to false.
assignAzureManagementGroupPermissions no Assign required permissions Azure Management Group automatically. Defaults to true.
deployIOA no Deploy Indicator of Attack (IOA) integration. Defaults to true.
enableAppInsights no Enable Application Insights for additional logging of Function Apps. Defaults to false.
deployActivityLogDiagnosticSettings no Deploy Activity Log Diagnostic Settings. Defaults to true.
deployEntraLogDiagnosticSettings no Deploy Entra Log Diagnostic Settings. Defaults to true.

Register a single Azure Subscription

The command below registers a single Azure Subscription into Falcon Cloud Security by performing the following actions:

  • Creates an app registration in Microsoft Entra ID, including Microsoft Graph API permissions and administrative consent
  • Creates Microsoft Azure activity log diagnostic setting
  • Creates Microsoft Entra ID diagnostic setting
  • Assigns the following Azure RBAC permissions on the Azure Subscription
    • Reader
    • Security Reader
    • Key Vault Reader
    • Azure Kubernetes Service RBAC Reader
  • Assigns the cs-website-reader custom role on the Subscription with the following actions
    • Microsoft.Web/sites/Read
    • Microsoft.Web/sites/config/Read
    • Microsoft.Web/sites/config/list/Action
  • Deploys infrastructure for Indicator of Attack (IOA) assessment
  • Integrates the Subscription into the CrowdStrike Falcon Cloud Security for Indicator of Misconfiguration (IOM) and Indicator of Attack (IOA) assessment

Prerequisite

Ensure you have a CrowdStrike API client ID and client secret for Falcon Cloud Security. If you don't, you can set them up in the Falcon console:

Required permissions

  • Application Developer, Cloud Application Administrator, or Application Administrator role in Microsoft Entra ID to create the app registration in Microsoft Entra ID

  • Privileged Role Administrator or Global Administrator role in Microsoft Entra ID to provide administrative consent to the requested Microsoft Graph API permissions.

    [!NOTE] Use the optional grantAdminConsent parameter to disable granting administrative consent to the requested Microsoft Graph API permissions automatically.

  • Owner role of the Azure subscription to be integrated into CrowdStrike Falcon Cloud Security

Deployment command

az deployment sub create --name 'cs-subscription-deployment' --location westus \
  --template-file cs-deployment-subscription.bicep \
  --only-show-errors

Note

The deployment command can be executed multiple times to register additional Azure subscriptions into CrowdStrike Falcon Cloud Security.

Parameters

You can use any of these methods to pass parameters:

Parameter name Required Description
defaultSubscriptionId yes Subscription Id of the default Azure Subscription.
falconCID yes CID for the Falcon API.
falconClientId yes Client ID for the Falcon API.
falconClientSecret yes Client secret for the Falcon API.
falconCloudRegion no Falcon cloud region. Defaults to US-1. Allowed values are US-1, US-2, or EU-1.
useExistingAppRegistration no Use an existing Application Registration. Defaults to false.
grantAppRegistrationAdminConsent no Grant admin consent for Application Registration. Defaults to true.
azureClientId no Application Id of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureClientSecret no Application Secret of an existing Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azurePrincipalId no Principal Id of the Application Registration in Entra ID. Only used with parameter useExistingAppRegistration.
azureAccountType no Type of the Azure account to integrate.
location no Location for the resources deployed in this solution.
tags no Tags to be applied to all resources.
deployIOM no Deploy Indicator of Misconfiguration (IOM) integration. Defaults to true.
assignAzureSubscriptionPermissions no Assign required permissions on Azure Default Subscription automatically. Defaults to true.
deployIOA no Deploy Indicator of Attack (IOA) integration. Defaults to true.
enableAppInsights no Enable Application Insights for additional logging of Function Apps. Defaults to false.
deployActivityLogDiagnosticSettings no Deploy Activity Log Diagnostic Settings. Defaults to true.
deployEntraLogDiagnosticSettings no Deploy Entra Log Diagnostic Settings. Defaults to true.

Troubleshooting

Key Vault already existing

When using our bicep files to set up Indicator Of Attack, a Key Vault is created to store sensible information. As per Microsoft's recommendation, the Key Vault is created with purge protection enabled.

When deleting the resource group cs-ioa-group, the Key Vault gets soft-deleted.

If you encounter any issues while trying to create the Key Vault, please follow Microsoft's instruction on how to recover a soft-deleted Key Vault.

IOAs still shown as inactive for discovered subscriptions after registering an Azure management group

After registering a management group and manually remediating the CrowdStrike IOA Azure policy assignment, IOAs can remain inactive for some discovered subscriptions. This can happen when the diagnostic settings are not configured in the registered subscriptions.

The evaluation of the assigned Azure policy responsible for the diagnostic settings creation can take some time to properly evaluate which resources need to be remediated (See Evaluation Triggers).

Make sure that all the existing subscriptions are properly listed under resources to remediate when creating the remediation tasks.

Contributing

If you want to develop new content or improve on this collection, please open an issue or create a pull request. All contributions are welcome!

Support

This is a community-driven, open source project aimed to register Falcon Cloud Security with Azure using Bicep. While not an official CrowdStrike product, this repository is maintained by CrowdStrike and supported in collaboration with the open source developer community.

For additional information, please refer to the SUPPORT.md file.

License Information

See the LICENSE for more information.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

6 watching

Forks

2 forks
Report repository

Releases 7

v0.0.7 Latest
Jan 16, 2025
+ 6 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages