We recently setup monitoring via CrowdStrike, but unfortunately they did not have any capability to send notifications directly to OpsGenie (although they support PagerDuty). Since both companies have an API ability, I was able to write this AWS Lambda code to fix the CrowdStrike deficiency. This code can be used as a relay to reformat the CrowdStrike WebHook API to fit the OpsGenie API and create an alert.
Lambda is a feature of AWS that allows you to run code on AWS without requiring a server. You are charged per execution, which is great for systems (like this one), where it may be a long period between alerts from CrowdStrike. Once configured, you'll see nicely formatted CrowdStrike alerts in OpsGenie like this:
Please note that although I'm happy to post this code and these directions, I don't generally have time to debug your personal configuration or otherwise assist you. This setup works for me and hopefully gives you a head start on your own configuration. There's an AWS Guide here: AWS API Gateway Getting Started Guide https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
The first step here is to go into the OpsGenie settings and add an API integration. Go to Settings, then click on "Integrations List" and click to add an "API integration." Once configured, you'll see something similar to the below image. The API key will be listed there, so make a copy of it to use later.
You may wish to check the box called "Suppress Notifications" while you work on this configuration to avoid actually paging anyone. The alerts will still appear in the OpsGenie console.
This assumes you already have an account in AWS. Note that I'm not responsible for your AWS charges, so be sure that you understand how Lambda functions will be charged to your AWS account.
Inside AWS, click on "Services" and select "Lambda." Click on the "Create Function" button. Supply a function name and select the runtime as Python 3.x.
There are some other pages here that I didn't screenshot, but I just accepted the defaults. Don't worry about adding the code yet, we'll get to that.
Now that we have the Lambda function configured, we need to setup an API Gateway. This will configure a URL on AWS that when called, will execute your Lambda function. We'll give this URL to CrowdStrike and they'll do a POST action to this URL and pass through the JSON data for the alert.
Inside AWS, click on "Services" and select "API Gateway." On the main page, click on the "Build" button to build an HTTP API. Proceed through the "Create an API" wizard. On the first step, select Lambda as the Integration type and select the name of your Lambda function as shown below.
Finally click "Create."
If you navigate back to the Lambda page, you'll now see your API gateway shown as a trigger for your Lambda function. If you click on "Configuration...Triggers", you see the API endpoint listed. This is the URL that we'll put inside CrowdStrike later.
To be secure, we want to encrypt our OpsGenie API key. This way it won't be visible in our code on AWS.
In AWS, click on Services and select Key Management Service. Click on "Customer managed keys" and click "Create Key." Here are some screenshots of the wizard.
Add yourself as a key administrator (not shown, but check the box next to your name)
Be sure to give the role that was created when you created the Lambda function access to this key.
Navigate back to your Lambda function. Click on "Configuration...Environment Variables." Create a new Environment Variable called "apiKey." The name has to match exactly, as it is referenced in our code.
Click on the "Encryption in Transit" button and select the key that you created in Step 4 above. You'll notice the sample code that we placed into our Lambda function, which allows us to decrypt the apiKey at runtime.
Copy the text of the code from this GitHub repository and paste it over the lambda_function. Anytime you update the code, you'll need to click "Deploy."
Click on "Test" and add paste in the JSON from test.json in this GitHub. We can use this "Test Event" to pretend to be CrowdStrike sending an alert.
At this point, you should be able to perform a test that will create an alert in OpsGenie. Note that the API url for OpsGenie is in the lambda_function, in the "create_opsgenie_alert" function. If you are in the EU, you may have a different API endpoint.
Click on the Test button and review the Execution results. If the results show a statusCode of 202, you should see a new alert appear in your OpsGenie queue.
Note that there is a Workflow code in the sample data that matches the "workflows" in the main function. We use this as an easy verification that the data is actually from the CrowdStrike Notification workflow. Since you haven't created it yet, the workflow_id in the sample event matches the code. You'll need to update this below before we go live.
Once you've verified that that the OpsGenie side is working, you can configure the webhook on CrowdStrike.
Navigate to the CrowdStrike store and find the "Webhook" item. Click Configure. Give the Webhook a name and paste in the API Gateway URL from Step 3. (Again, you can find it in AWS Lambda, in the Configuration...Triggers section.
In CrowdStrike, navigate to Configuration...Notification Workflows and create a new Workflow (if you don't already have one). In the Edit Actions section, select "Call webhook" as the action and select the Webhook that you created in step 8. In the Data to include section, specify the fields that you want to include in the alert.
While on the Edit Notifications Workflow page in CrowdStrike, copy the Workflow ID from the URL bar. This Workflow ID is passed along with each Webhook request to our Lambda function. We use it as a simple verification method.
Flip back to your AWS Lambda code and paste the Workflow ID into the code (I have 2 pretend codes listed there). If you remove the existing codes, be sure to update your Test Event a Workflow ID that matches what is in the code.
Once everything is set, you can create a simple CrowdStrike test using this command (on a Windows computer that is running the CrowdStrike agent).
choice /m crowdstrike_sample_detection
It usually takes a few minutes for the alert to be processed by CrowdStrike. On the Notifications Workflow page, you can click on the 3-dots and select "See Activity". This will show you the alert from the CrowdStrike point of view. If there is an error, you'll see something like this:
Once everything is working, be sure to remember to turn off "Suppress Notifications" for the configured API integration inside the OpsGenie settings. Otherwise it won't ever actually do notifications, it will just appear in the Dashboard.
On the Lambda page, you can click on the "Monitor" tab to review the logs for the lambda execution. Click on the link in the LogStream to see the details. Note that it can take several minutes for the logs to appear here. Any output from the script (a print() function for example), will show here.
A good way to test is to include a print(event) in the main function so you can see what data came in from the API (i.e. what CrowdStrike is sending you.)
I'm not an expert on anything, so you shouldn't trust any of this. Your use of my code and/or these directions is at your own risk. You are responsible for reviewing the code and these directions before you do anything on your systems (AWS, OpsGenie, CrowdStrike or others). You are also responsible for any charges that AWS may make against you for your use of their features and services.