Deploy a Foundry App Template in 5 Easy Steps
CrowdStrike Falcon Foundry is a low-code application platform. It enables security teams to create custom applications within the Falcon ecosystem. With Falcon Foundry, you can automate workflows, integrate external data sources, and extend Falcon platform’s capabilities.
Falcon Foundry offers pre-built app templates to help you get started quickly. These templates simplify the app creation process and can also be used to create third-party integrations for Falcon Fusion SOAR. You can build apps to address specific security needs without extensive coding knowledge. Falcon Foundry apps integrate seamlessly with other Falcon modules, enhancing your overall security operations.
There are many app templates available out-of-the-box. Each template offers a unique solution for specific security needs. You can deploy a template to create a custom Falcon Foundry app in five simple steps.
Deploy a Custom App in Five Steps
- Access app templates in the Falcon console under Fusion SOAR > Content library
- Choose your template from our library of security solutions
- Configure settings by naming your app and adjusting parameters
- Review permissions required for app operation
- Deploy your custom Falcon Foundry app and access it through the Falcon console
These steps make it look pretty easy. A practical example might make the process sink in a bit more. Let’s put these steps into practice by deploying the Google Chat app template.
Prerequisites:
- Falcon Insight XDR or Falcon Prevent (one app)
- Falcon Next-Gen SIEM or Falcon Foundry (1+ apps depending on entitlement)
- Falcon Administrator and App Developer roles
- A Google Cloud account with Workspace Admin permissions
About Google Chat for Falcon
Google Chat for Falcon is unique because it’s available as an app template as well as a CrowdStrike Store app. To be listed in the CrowdStrike Store requires you to document how to configure the app. Let’s walk through the process or you can find detailed instructions here.
Configure Google Chat APIs on Google Cloud
Start by going to https://console.cloud.google.com. Select a project or create a new one. If you create a new one, name it Google Chat and select an existing organization and location. Click Create.
Once it’s created, select it from the Notifications menu. Search for “google chat api” in the search bar and select Google Chat API. Enable it, wait for a few seconds, then select the Configuration tab on its landing page. You can use the values below, but you’ll likely want to customize them for your needs.
- Name:
My Chat App - Avatar:
https://avatars.githubusercontent.com/u/2446477?s=256&v=4 - Description:
Foundry + Google Chat integration
Next, disable Interactive features. You can choose what you want with regards to Logs. That setting does not affect this tutorial. Click Save.
Go to Credentials > Create credentials > Service account. Enter the values below, or use your own.
- Name:
Google Chat - ID:
google-chat - Description:
Service account for Google Chat + Foundry
Click Create and Continue followed by Done.
Click on the service account’s email address, then select the Keys tab. Click Add key > Create new key and choose JSON. Click Create and save the file to your hard drive.
Go back to the Details tab and expand Advanced settings. Copy the Client ID for later and click View Google Workspace Admin Console. Go to Security > Access and data control > API Controls > Manage domain-wide delegation. Click Add New.
Enter the client ID you copied earlier and add the following 19 OAuth scopes.
https://www.googleapis.com/auth/chat.admin.memberships,https://www.googleapis.com/auth/chat.admin.memberships.readonly,https://www.googleapis.com/auth/chat.admin.spaces,https://www.googleapis.com/auth/chat.admin.spaces.readonly,https://www.googleapis.com/auth/chat.app.spaces,https://www.googleapis.com/auth/chat.delete,https://www.googleapis.com/auth/chat.memberships,https://www.googleapis.com/auth/chat.memberships.readonly,https://www.googleapis.com/auth/chat.messages,https://www.googleapis.com/auth/chat.messages.create,https://www.googleapis.com/auth/chat.messages.readonly,https://www.googleapis.com/auth/chat.messages.reactions.create,https://www.googleapis.com/auth/chat.messages.reactions.readonly,https://www.googleapis.com/auth/chat.messages.reactions,https://www.googleapis.com/auth/chat.spaces,https://www.googleapis.com/auth/chat.spaces.create,https://www.googleapis.com/auth/chat.spaces.readonly,https://www.googleapis.com/auth/chat.users.readstate,https://www.googleapis.com/auth/chat.users.readstate.readonly
Click Authorize.
NOTE: Each operation in Google Chat requires different permissions (a.k.a., scopes). If you only plan to use a few operations, I recommend narrowing the scopes to only have the ones you need.
At this point, Google Cloud is configured and you can proceed with installing the Google Chat app template. For more information on configuring the Google Chat API, including authentication and security practices, refer to the Google Chat API Documentation.
Deploy the Google Chat App Template
Log in to Falcon and go to Fusion SOAR > Content library. Search for “google chat”. You should see results like the following:
Click the Google Chat tile under App Templates. Then, click the Deploy in Foundry button. This will take you to Foundry > Templates.
Click the Deploy button to install the template. You should see a dialog like the one below.
Click Deploy again.
NOTE: If you get an error message about the app already existing, it means that someone has already deployed this template (or its app equivalent) to your CID. You should be able to continue by changing the name.
When the app is deployed, you’ll see an App overview screen that shows the integrations and authorization information. Click the Release button at the top to publish the app to your CID.
You’ll be prompted for release information. Use the following values, or change them as you see fit.
- Change type:
Major - Release notes:
First release of Google Chat
Once your deployment is released, click the View in App catalog button. Then, click Install now. You will be shown the permissions you’re granting to the app, Api-Integrations: read, write in this case. Select Accept and continue.
Next, you’ll be prompted for the JSON key you created in Google Cloud, as well as the subject email and permissions.
The name can be whatever you like. My recommendation is to name it Google Service Account since that’s what you’re specifying. You can look in the JSON key file you downloaded earlier for the email address. Upload the JSON key file, then click on the Permissions input and add all the available options. When you’re finished, your configuration should resemble the following.
Click Install app.
Test Google Chat Operations in Falcon Foundry
Now that your app is installed, you can use its actions in Falcon Fusion SOAR. It’s a good idea to make sure you’ve configured things correctly before trying it in a workflow. Go to Foundry > App manager and select Edit app from the three-dot actions menu. Next, click on the arrow for Integrations and click Chat APP. Search for “space list” to narrow the options, then choose Test from the actions menu. Select the Google Service Account configuration and click Test operation.
If you don’t have things configured correctly in Google Cloud, you’ll get a 404 from the Google Chat API.
When I experienced this error, it was because I forgot to configure Google Chat API’s details and disable its interactive features. Once I fixed that, everything worked for this request. No results were returned because I have no spaces set up currently.
Use Google Chat Actions in Falcon Fusion SOAR
You can now use the Google Chat API in your workflows. Go to Fusion SOAR > Workflows and create a new workflow. Select Create workflow from scratch and Next. Choose On demand for the trigger and Next to skip the schema builder. Click the green flag to add an action and search for “google”. You should see the list of actions available for use.
If you made it this far, congrats! You’ve successfully installed a Falcon Foundry App template and configured it to work with Falcon Fusion SOAR.
What’s the difference between a Store app and a Falcon Foundry App template?
If you’re a long time user of the Falcon platform, you might be familiar with the CrowdStrike Store and the apps available in it. But are you familiar with Falcon Foundry app templates? Falcon Foundry is CrowdStrike’s low-code application platform, which allows you to leverage app templates to create and deploy SOAR integrations with third-party tools. A Falcon Foundry template allows you to connect via API to import actions that you can use to build workflows that orchestrate between the Falcon platform and third-party tools.
A Falcon Foundry App template is “source available” in the sense that you can edit the app in Foundry after deploying it. You can change or add to its API integrations, add dashboards, integrate cloud functions, or use many other options. You can also sync the code to your local system using the Foundry CLI and its foundry apps sync command. The open source Foundry samples are available as App templates too, in addition to being on GitHub.
A Store app is closed source in that you can’t see or modify its code. It’s not available in Falcon Foundry, but its actions can be shared with Falcon Fusion SOAR.
Another reason an app might be in the Store (vs available as a template) is if the API requires a custom authentication mechanism. For example, Zoom’s Server-to-Server OAuth requires you to use a custom grant type and pass in an Account ID when requesting an access token. Since this is not a standard OAuth client credentials flow, we had to leverage our internal plugins architecture to make it work.
You can see both App templates and Store apps by visiting our content library at Fusion SOAR > Content library. You can search, filter, choose a vendor, or select your use-case to narrow your results.
Why is there a Store app and an app template for Google Chat? That’s an excellent question. The reason is so users have a choice. If users want to modify the response actions from Google Chat and only share a subset with Falcon Fusion SOAR, they can install the app template, then modify what’s shared with Falcon Fusion SOAR. If they want the default set of response actions and don’t want to manage the app in Falcon Foundry, the Store app will suffice.
Learn More About Falcon Foundry
I hope you’ve enjoyed learning about how to deploy an app template in Falcon Foundry. If you’d like to develop your own template, or perhaps a Store app, please contact us. In the meantime, check out Foundry > Learn for tutorials, getting started guides, and application capabilities documentation.
You might also like the other Foundry posts we’ve published:
