Comments (6)
@AditModi - sorry, misread the initial message. SSM params are being loaded.
So, generally if there are no streams available, the issue is in here: https://github.com/CrowdStrike/Cloud-AWS/blob/main/Security-Hub/main.py#L184
Basically we make the API call to Falcon to list the available streams for the given app_id.
One thing to ensure is that you are using a unique app_id (or FIG_APP_ID from SSM) in the event that there is another instance of the FIG running that may be using the same ID.
If you are sure you have a unique ID or that no other fig instance is running, you probably want to go to the EC2 instance and modify the main.py file in the /usr/share/fig directory.
I would add something like this for debugging:
new_streams = falcon.command(action="listAvailableStreamsOAuth2", appId=config["app_id"])
print(json.dumps(new_streams, indent=4))
Follow the steps here to manually run it:
sudo systemctl stop fig # this will stop the current fig from interfering
sudo -u fig python3 main.py
Then report back with that.
from cloud-aws.
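A small diagnostic helper that interprets the stream-listing response the debugging line above prints. This is an added example, not code from the Cloud-AWS repo; it assumes FalconPy's {"status_code", "body"} response shape and the dataFeedURL/sessionToken field names inside a stream resource. It also redacts session tokens before dumping, since the raw json.dumps output from the thread would otherwise include them.

```python
import json

# Assumed response shape of FalconPy's Uber-class falcon.command(...) call:
# {"status_code": int, "body": {"resources": [...], "errors": [...]}}.
# Field names inside a stream resource (dataFeedURL, sessionToken) are assumptions.
SENSITIVE_KEYS = {"sessionToken", "token"}

def redact(obj):
    """Recursively blank secret-bearing fields so the dump can be pasted into an issue."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def debug_dump(resp):
    """Same as the json.dumps(..., indent=4) line from the thread, minus session tokens."""
    return json.dumps(redact(resp), indent=4)

def diagnose_streams(resp, app_id):
    """Map the listAvailableStreamsOAuth2 result onto the FIG symptoms seen in this thread."""
    status = resp.get("status_code")
    body = resp.get("body") or {}
    errors = body.get("errors") or []
    resources = body.get("resources") or []
    if status == 400:
        msgs = "; ".join(e.get("message", "") for e in errors) or "no error message"
        return f"400 Bad Request for app_id={app_id!r}: {msgs}. Check the app_id value first."
    if status in (401, 403):
        return f"{status}: API client rejected; check the client ID/secret and its assigned scopes."
    if status != 200:
        return f"unexpected HTTP {status}: {debug_dump(body)}"
    if not resources:
        return (f"200 but zero streams for app_id={app_id!r}: FIG logs 'No Streams available'. "
                "Another FIG instance may hold this app_id; use a unique one.")
    return f"{len(resources)} stream(s): " + ", ".join(r.get("dataFeedURL", "?") for r in resources)

# Constructed sample responses (not captured from a real tenant).
SAMPLE_BAD_APP_ID = {"status_code": 400,
                     "body": {"errors": [{"code": 400, "message": "invalid appId"}], "resources": []}}
SAMPLE_OK = {"status_code": 200,
             "body": {"errors": [], "resources": [{"dataFeedURL": "https://example.invalid/sensors/entities/datafeed/v2/0?appId=fig",
                                                   "sessionToken": {"token": "secret", "expiration": "2024-01-01T00:00:00Z"}}]}}

if __name__ == "__main__":
    # In /usr/share/fig/main.py the real call is: falcon.command(action="listAvailableStreamsOAuth2", appId=config["app_id"])
    for resp in (SAMPLE_BAD_APP_ID, SAMPLE_OK):
        print(diagnose_streams(resp, "fig"))
        print(debug_dump(resp))
```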
At this point you need to review/test detections. Per the docs:
{app_id}_{partition_number}.log
- Each stream opened by the application has its own rotating log that contains details regarding the detections discovered. Review this log to confirm detections are being discovered within the event stream and are properly formatted / meeting severity threshold requirements. This file is named after the value used for the app_id parameter and the partition number.
This log file will tell you if anything has been processed.
Are there any detections at all in your CID? You can check on the console. Outside of that, it sounds like you have configured everything you need on your end.
My suggestions:
- Get with somebody who can run a test detection on a system that has the falcon-sensor installed.
- Make sure this detection meets your defined severity threshold (severity_threshold or FIG_SEVERITY_THRESHOLD), otherwise you won't see it processed by the FIG.
- Verify the detection shows on the console
- Check the logs again
I did a little bit of debugging in my EC2 and found that I get the following error messages from fig_service.log:
Configuration parameters loaded from SSM Parameter Store
No Streams available
Process terminated
Specified configuration file not found
Hi @carlosmmatos,
thanks for the help. I added the debugging step and checked again.
I found that the appID was the issue; it was giving the 400 error. I made changes to it and now I have it working as expected. It is giving me a 200 response.
I get the following messages from fig_service.log:
Configuration parameters loaded from SSM Parameter Store.
Starting listener on partition number 0...
All threads started, main process sleeping.
Process terminated
I am still not able to view the crowdstrike related information in security hub. I am assuming it takes time for data to load, let me know if there is anything else to be updated.
Update: Security hub still doesn't include crowdstrike information, please let me know what else needs to be added.
Thanks for the explanation on reviewing the CrowdStrike logs. I've checked the {app_id}_{partition_number}.log files, and there are no detections found.
Based on this, it seems the issue likely lies with CrowdStrike sensor configuration. On the AWS side, I've created and added the client ID and secret for the CrowdStrike Falcon Integration Gateway (FIG).
Could you please clarify if there are any other configuration steps required on the CrowdStrike side beyond the client credentials?