# Falcon Integration Gateway
[main]
# Uncomment to enable backends as a comma-separated list. Alternatively, use the FIG_BACKENDS env variable.
# The gateway pushes events to every backend listed here; each enabled backend also needs its own
# section below configured.
#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC
# Uncomment to configure number of threads that process Falcon Events. Alternatively,
# use FIG_WORKER_THREADS env variable.
#worker_threads = 4
[events]
# Uncomment to filter out events based on severity (allowed values 1-5, default 2).
# Alternatively, use EVENTS_SEVERITY_THRESHOLD env variable.
#severity_threshold = 3
# Uncomment to filter out events based on number of days past the event (default 21).
# Alternatively, use EVENTS_OLDER_THAN_DAYS_THRESHOLD env variable.
#older_than_days_threshold = 14
# Uncomment to exclude events originating from certain cloud environments
# (allowed values: AWS, Azure, GCP, or unrecognized).
#detections_exclude_clouds =
# Pass in the offset to start the stream from. This is useful to prevent duplicate events.
# Alternatively, use EVENTS_OFFSET env variable. (default: 0)
#offset = 0
[logging]
# Uncomment to request logging level (ERROR, WARN, INFO, DEBUG). Alternatively, use
# LOG_LEVEL env variable.
#level = DEBUG
[falcon]
# Uncomment to provide Falcon Cloud. Alternatively, use FALCON_CLOUD_REGION env variable.
#cloud_region = us-1
# Uncomment to provide OAuth Client ID.
# Alternatively, use FALCON_CLIENT_ID env variable or a credentials store (see [credentials_store] section).
#client_id = ABCD
# Uncomment to provide OAuth Client Secret. This value is a credential: prefer the FALCON_CLIENT_SECRET
# env variable or a credentials store (see [credentials_store] section) over a plaintext value here.
# If you do set it here, restrict read access to this file and keep it out of version control.
#client_secret = ABCD
# Uncomment to provide the application id. It must be unique per FIG instance.
# Alternatively, use FALCON_APPLICATION_ID env variable.
#application_id = my-acme-gcp-1
[credentials_store]
# Uncomment to provide credentials store. Alternatively, use CREDENTIALS_STORE env variable.
# Supported values: ssm, secrets_manager
#store = ssm
[ssm]
# Uncomment to provide aws region for SSM. Alternatively, use SSM_REGION env variable.
#region = us-west-2
# Uncomment to provide SSM parameter name or path for client id. Alternatively, use SSM_CLIENT_ID env variable.
#ssm_client_id = /falcon/fig/client_id
# Uncomment to provide SSM parameter name or path for client secret. Alternatively, use SSM_CLIENT_SECRET env variable.
#ssm_client_secret = /falcon/fig/client_secret
[secrets_manager]
# Uncomment to provide aws region for Secrets Manager. Alternatively, use SECRETS_MANAGER_REGION env variable.
#region = us-west-2
# Uncomment to provide Secrets Manager secret name. Alternatively, use SECRETS_MANAGER_SECRET_NAME env variable.
#secrets_manager_secret_name = falcon/fig/credentials
# Uncomment to provide Secrets Manager client id key. Alternatively, use SECRETS_MANAGER_CLIENT_ID_KEY env variable.
#secrets_manager_client_id_key = client_id
# Uncomment to provide Secrets Manager client secret key. Alternatively, use SECRETS_MANAGER_CLIENT_SECRET_KEY env variable.
#secrets_manager_client_secret_key = client_secret
[generic]
# Generic section is applicable only when GENERIC backend is enabled in the [main] section.
# Generic backend can be used for outputting events to STDOUT
[gcp]
# GCP section is applicable only when GCP backend is enabled in the [main] section.
# Use the GOOGLE_APPLICATION_CREDENTIALS env variable to configure the GCP backend. It must point to the
# credentials file of the service account the gateway should run as. That file is a credential:
# restrict read access to it and keep it out of version control.
[azure]
# Azure section is applicable only when AZURE backend is enabled in the [main] section.
# Uncomment to provide Azure Workspace ID. Alternatively, use WORKSPACE_ID env variable.
#workspace_id =
# Uncomment to provide Azure Primary Key. Alternatively, use PRIMARY_KEY env variable.
# The primary key is a credential: prefer the env variable over a plaintext value here, and if it is
# set here, restrict read access to this file and keep it out of version control.
#primary_key =
# Uncomment to enable RTR based auto discovery of Azure Arc Systems. Alternatively,
# use ARC_AUTODISCOVERY env variable.
#arc_autodiscovery = true
[aws]
# AWS section is applicable only when AWS backend is enabled in the [main] section.
# Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
#region = eu-west-1
# Uncomment to manage whether or not to confirm instance in AWS account supported region.
# Alternatively, use AWS_CONFIRM_INSTANCE env variable.
#confirm_instance = true
[cloudtrail_lake]
# AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
# Uncomment to provide the Channel ARN. Alternatively, use CLOUDTRAIL_LAKE_CHANNEL_ARN env variable.
#channel_arn =
# Uncomment to provide the AWS region. Should match the same region as the Channel.
# Alternatively, use CLOUDTRAIL_LAKE_REGION env variable.
#region =
[aws_sqs]
# AWS SQS section is applicable only when AWS_SQS backend is enabled in the [main] section.
# AWS SQS Backend publishes raw events to SQS queue
# Uncomment to provide AWS region. Alternatively, use AWS_REGION env variable (the [aws] section
# documents the same AWS_REGION env variable, so a value set that way applies to both).
#region = eu-west-1
# Uncomment to provide name of AWS SQS. Alternatively, use AWS_SQS env variable
#sqs_queue_name = my-sqs-queue-for-falcon
[workspaceone]
# Workspace One section is applicable only when Workspace One backend is enabled in the [main] section.
# Uncomment to provide Workspace One token. Alternatively, use WORKSPACEONE_TOKEN env variable.
# The token is a credential: prefer the env variable over a plaintext value here, and if it is
# set here, restrict read access to this file and keep it out of version control.
#token =
# Uncomment to provide syslog host. Alternatively, use SYSLOG_HOST env variable
#syslog_host =
# Uncomment to provide syslog port. Alternatively, use SYSLOG_PORT env variable
#syslog_port =
[chronicle]
# Chronicle section is applicable only when Chronicle backend is enabled in the [main] section
# Uncomment to provide Google Service Account file path. Alternatively, use GOOGLE_SERVICE_ACCOUNT_FILE env variable.
# The referenced file is a credential: restrict read access to it and keep it out of version control.
#service_account = apikeys-demo.json
# Uncomment to provide Chronicle Customer ID. Alternatively, use GOOGLE_CUSTOMER_ID variable
#customer_id = XXX
# Uncomment to provide Chronicle region (us, europe, asia-southeast1). Alternatively, use CHRONICLE_REGION variable
#region =