
Comments (6)

carlosmmatos commented on June 30, 2024

@AditModi - sorry, misread the initial message. SSM params are being loaded.

So, generally if there are no streams available, the issue is in here: https://github.com/CrowdStrike/Cloud-AWS/blob/main/Security-Hub/main.py#L184

Basically we make the API call to Falcon to list the available streams for the given app_id.

One thing to ensure is that you are using a unique app_id or from SSM FIG_APP_ID in the event that there is another instance of the FIG running that may be using the same ID.

If you are sure you have a unique ID or that no other FIG instance is running, you probably want to go to the EC2 instance and modify the main.py file in the /usr/share/fig directory.

I would add something like this for debugging:

import json  # needed for json.dumps below

# Ask Falcon for the streams available to this app_id and dump the raw
# response (status code, body, any errors) so the failure is visible.
new_streams = falcon.command(action="listAvailableStreamsOAuth2", appId=config["app_id"])
print(json.dumps(new_streams, indent=4))

Follow the steps here to manually run it:

sudo systemctl stop fig  # this will stop the current fig from interfering
sudo -u fig python3 main.py

Then report back with that.

from cloud-aws.

carlosmmatos commented on June 30, 2024

At this point you need to review/test detections. Per the docs:

{app_id}_{partition_number}.log - Each stream opened by the application has its own rotating log that contains details regarding the detections discovered. Review this log to confirm detections are being discovered within the event stream and are properly formatted / meeting severity threshold requirements. This file is named after the value used for the app_id parameter and the partition number.

This log file will tell you if anything has been processed.


carlosmmatos commented on June 30, 2024

Are there any detections at all in your CID? You can check on the console. Outside of that, it sounds like you have configured everything you need on your end.

My suggestions:

  • Get with somebody who can run a test detection on a system that has the falcon-sensor installed.
    • Make sure this detection meets your defined severity threshold (severity_threshold or FIG_SEVERITY_THRESHOLD) otherwise you won't see it processed by the FIG.
  • Verify the detection shows on the console
  • Check the logs again

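A small diagnostic for the two checks described in the comments above (the stream listing and the severity threshold gate), added here as an example and not code from the Cloud-AWS project. The response layout follows the status_code/body dict that FalconPy's Uber class returns; the sample responses, the resource field names and the event's "Severity" key are assumptions.

```python
import json

# Constructed sample responses (not captured from a real tenant).
RESPONSE_OK = {
    "status_code": 200,
    "body": {"resources": [{"dataFeedURL": "https://example.invalid/sensors/entities/datafeed/v2/0",
                            "sessionToken": {"token": "REDACTED"}}]},
}
RESPONSE_EMPTY = {"status_code": 200, "body": {"resources": []}}
RESPONSE_BAD_APP_ID = {
    "status_code": 400,
    "body": {"errors": [{"code": 400, "message": "invalid app id"}]},
}


def diagnose_streams(response):
    """Explain why the FIG would log 'No Streams available' for a given API response.

    Returns (ok, message). A non-200 status points at app_id / credentials;
    a 200 with zero resources usually means the app_id is already in use
    by another FIG instance, as the thread describes.
    """
    status = response.get("status_code")
    body = response.get("body") or {}
    if status != 200:
        errs = "; ".join(e.get("message", "") for e in body.get("errors", [])) or "no error detail"
        return False, f"API returned {status}: {errs} (check app_id / FIG_APP_ID and client credentials)"
    streams = body.get("resources") or []
    if not streams:
        return False, "HTTP 200 but zero streams: app_id may already be held by another FIG instance"
    return True, f"{len(streams)} stream(s) available"


def meets_threshold(event, severity_threshold):
    """Mirror the severity gate: only detections at or above the threshold are processed.

    Assumes the stream event carries an integer 'Severity' under 'event'.
    """
    severity = (event.get("event") or {}).get("Severity")
    return isinstance(severity, int) and severity >= severity_threshold


if __name__ == "__main__":
    for name, resp in (("ok", RESPONSE_OK), ("empty", RESPONSE_EMPTY), ("bad_app_id", RESPONSE_BAD_APP_ID)):
        print(name, diagnose_streams(resp))
        print(json.dumps(resp, indent=4))  # same dump carlosmmatos suggests, for comparison
```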

AditModi commented on June 30, 2024

I did a little bit of debugging in my EC2 instance and found that I get the following error messages from fig_service.log:

Configuration parameters loaded from SSM Parameter Store 
No Streams available
Process terminated
Specified configuration file not found


AditModi commented on June 30, 2024

Hi @carlosmmatos,
thanks for the help. I added the debugging step and checked again.
I found that the appID was the issue; it was giving the 400 error. I made changes to it and now I have it working as expected. It is giving me a 200 response.

I get the following messages from fig_service.log:

Configuration parameters loaded from SSM Parameter Store.
Starting listener on partition number 0...
All threads started, main process sleeping.
Process terminated

I am still not able to view the CrowdStrike-related information in Security Hub. I am assuming it takes time for data to load; let me know if there is anything else to be updated.

Update: Security Hub still doesn't include CrowdStrike information; please let me know what else needs to be added.


AditModi commented on June 30, 2024

Thanks for the explanation on reviewing the CrowdStrike logs. I've checked the {app_id}_{partition_number}.log files, and there are no detections found.

Based on this, it seems the issue likely lies with CrowdStrike sensor configuration. On the AWS side, I've created and added the client ID and secret for the CrowdStrike Falcon Integration Gateway (FIG).

Could you please clarify if there are any other configuration steps required on the CrowdStrike side beyond the client credentials?
