Rivian Falcon LogScale
Security Information and Event Management
Last updated
Adding a SIEM solution to the Rivian Data Stack for "logging" was dead simple with the Community Edition of CrowdStrike's Falcon LogScale, and here's how we got it done.
Getting started was ridiculously straightforward; the account was approved in a couple of days, with the following disclaimer:
Falcon LogScale Community is a free service providing you with up to 16 GB/day of data ingest, up to 5 users, and 7 day data retention, if you exceed the limitations, you’ll be asked to upgrade to a paid offering. You can use Falcon LogScale under the limitations as long as you want, provided, that we can modify or terminate the Community program at any time without notice or liability of any kind.
Pretty generous and a good fit for this implementation, with the caveat that all good things can come to an end...
After clicking things to death in the foundational concepts section, I created a Repository, which spit out an ingest URL and an ingest token. The token is what authorizes writes into that repository, so it is a credential: it belongs in a secret, not in the push script or the repo.
Now, data sources in our stack are a repeatable implementation, but here is a look at using the library to push a JSON object to the platform on an interval.
The script is in the repo in its entirety and is a carbon copy of the supplied documentation.
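As an added illustration (not the script from the repo, and not the library the post uses), here is the same push done against LogScale's structured ingest endpoint with nothing but the standard library. The endpoint path and the `[{"tags": ..., "events": [{"timestamp": ..., "attributes": ...}]}]` envelope are LogScale's documented structured-ingest API; the vehicle-state fields, the `LOGSCALE_URL` / `LOGSCALE_INGEST_TOKEN` environment variable names and the `rivian-cron` tag are assumptions made for the example.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Constructed sample of one vehicle-state object as a push job might pull it from
# the data stack. Field names are assumptions for illustration, not the real schema.
SAMPLE_STATE = {
    "vehicle_id": "demo-vin-000",
    "gear_guard": {"enabled": True, "engaged": 3},
    "doors": {"fl": "locked", "fr": "locked", "rl": "locked", "rr": "locked"},
}

# LogScale's structured ingest endpoint, relative to the cluster's base URL.
INGEST_PATH = "/api/v1/ingest/humio-structured"


def build_structured_payload(state, tags, ts=None):
    """Wrap one JSON object in the LogScale structured-ingest envelope.

    The API takes a list of {tags, events}; each event carries a timestamp and
    an 'attributes' object whose keys become the searchable fields in LogScale.
    """
    ts = ts or datetime.now(timezone.utc)
    return [
        {
            "tags": dict(tags),
            "events": [{"timestamp": ts.isoformat(), "attributes": state}],
        }
    ]


def ingest(base_url, token, payload, opener=urllib.request.urlopen):
    """POST the payload, presenting the repository's ingest token as a Bearer credential.

    `opener` is injectable so the function can be exercised without network access.
    Returns the HTTP status code; a 2xx response means LogScale accepted the batch.
    """
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        base_url.rstrip("/") + INGEST_PATH, data=body, method="POST"
    )
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with opener(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # URL and token come from the environment (in a cluster, from a Secret mounted
    # into the CronJob's pod), so the credential never lands in the repository.
    url = os.environ["LOGSCALE_URL"]
    token = os.environ["LOGSCALE_INGEST_TOKEN"]
    status = ingest(url, token, build_structured_payload(SAMPLE_STATE, {"host": "rivian-cron"}))
    print("ingest status:", status)
```

Run it once by hand with the two variables exported before wiring it into the CronJob; if the token is wrong or the repository name in the URL does not match, LogScale rejects the request at the ingest step, which is much easier to spot here than as a silently empty repository.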
Let's check the cluster and see if the CronJob for the log push is running... the job history shows three runs, and the last three were successful.
Once the logs were being pushed, it didn't take long to get used to querying the data with the LogScale Query Language (LQL),
which eventually led to creating a parser to eliminate some of the complexity around the nested objects, and ultimately a sexy dashboard.
The point of this was to implement a "logging" infrastructure that could provide some observability as events occur and turn them into some sort of security event. For this, we're going to take a look at how "Security State" and "Egress" were surfaced as
Entering edit mode, you can see the LQL behind the magical tile.
Four Locked Doors = Secured 🔓
It's pretty much the same flow as creating a dashboard widget for visualization: you can create an alert in real time as the logs roll in, based on a simple or nested query. There are two SIEM(-ish) events of particular interest to get some alerting on...
Gear Guard is Rivian's security system that connects Rivian hardware (interior screen, braided steel cable, cameras) and software to keep a watchful eye on your vehicle and gear while you're away. After inspecting the API and profiling the data in LogScale, there was a metric, "engaged", that is a running count of the "events" the camera recorded while the feature was enabled.
Then, when the condition was met, the alert fired an action; for a simple demonstration this one sent the email below, firing whenever a new camera event takes place.
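Because "engaged" is a running count, "a new camera event" really means "the counter went up since the last sample", and the detection has to cope with the counter resetting (re-arming the feature, a restart) without treating the drop as an event. The following is an added example of that logic run offline over constructed JSON log lines, not the LQL alert the post describes; the line format and field names (`ts`, `vehicle_id`, `gear_guard.engaged`) are assumptions that mirror what the push job would have sent.

```python
import json
from datetime import datetime

# Constructed sample log lines (not real telemetry), one JSON object per line.
# Deliberately includes: a line out of time order, a malformed line with no
# 'engaged' field, a second vehicle, and a counter reset (6 -> 1).
SAMPLE_LOG_LINES = """
{"ts": "2023-06-01T08:00:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 3}}
{"ts": "2023-06-01T08:10:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 4}}
{"ts": "2023-06-01T08:05:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 3}}
{"ts": "2023-06-01T08:12:00Z", "vehicle_id": "demo-vin-001", "gear_guard": {"enabled": true, "engaged": 0}}
{"ts": "2023-06-01T08:15:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true}}
{"ts": "2023-06-01T08:20:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 6}}
{"ts": "2023-06-01T08:22:00Z", "vehicle_id": "demo-vin-001", "gear_guard": {"enabled": true, "engaged": 1}}
{"ts": "2023-06-01T08:25:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 1}}
{"ts": "2023-06-01T08:30:00Z", "vehicle_id": "demo-vin-000", "gear_guard": {"enabled": true, "engaged": 2}}
""".strip().splitlines()


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp; the 'Z' suffix is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_lines(lines):
    """Turn raw JSON lines into flat records, skipping anything unparseable.

    A malformed line must not crash the detector: it is dropped, and the next
    good sample for that vehicle is compared against the last good one.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
            records.append(
                {
                    "ts": parse_timestamp(obj["ts"]),
                    "vehicle_id": obj["vehicle_id"],
                    "engaged": int(obj["gear_guard"]["engaged"]),
                }
            )
        except (ValueError, KeyError, TypeError):
            continue
    return records


def detect_new_camera_events(records):
    """Emit one alert per sample in which a vehicle's 'engaged' counter grew.

    State is kept per vehicle and samples are processed in timestamp order, so
    out-of-order delivery does not produce phantom increases. A decrease is a
    counter reset: it becomes the new baseline and is not alerted on.
    """
    last_seen = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        vid = rec["vehicle_id"]
        prev = last_seen.get(vid)
        if prev is not None and rec["engaged"] > prev:
            alerts.append(
                {
                    "vehicle_id": vid,
                    "ts": rec["ts"].isoformat(),
                    "new_events": rec["engaged"] - prev,
                    "engaged": rec["engaged"],
                }
            )
        last_seen[vid] = rec["engaged"]
    return alerts


if __name__ == "__main__":
    for alert in detect_new_camera_events(parse_lines(SAMPLE_LOG_LINES)):
        # In the real pipeline this is where the email/webhook action would fire.
        print("camera event:", alert)
```

Run against the sample, the detector raises four alerts (three for demo-vin-000, one for demo-vin-001); the reset from 6 to 1 and the malformed 08:15 line produce none. Whatever the alert query looks like in LogScale, it is worth checking that it behaves the same way on those two cases, since a naive "engaged changed" condition would page on every reset.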