
crowdstrike-spotlight-humio-package-integration's Introduction

CrowdStrike Spotlight Package Integration

This repository contains the consumer and shipper code that drives Spotlight vulnerability data into the CrowdStrike Spotlight Humio Package.

Configuration File Example

This client is powered by CrowdStrike's FalconPy SDK. For more information visit: https://github.com/CrowdStrike/falconpy.

For information about the Spotlight API visit: https://falcon.crowdstrike.com/documentation/98/spotlight-apis.

[Logging]
log_level = INFO                                                #set to DEBUG for troubleshooting
log_file = LogFiles/CrowdStrikeSpotlight2Humio

[CrowdStrike]
client_version = 2.0                                            #do not alter
proxy_used = False                                              #set to True for proxy usage
proxies = {}                                                    #configure with proper python proxy syntax (a dict literal)
limit = 490
filter = updated_timestamp:>                                    #at least 1 filter must be set, updated_timestamp is the best timestamp to use
time_filter = '2021-10-11T00:00:12Z'                            #timestamp to start from, must be enclosed in single quotes
                                                                #keep in mind the retention policy for Humio when setting this as older data will not be retained
updated_timestamp = '2022-06-16T21:33:56Z'                      #timestamp populated by client for follow-on queries, do not populate/modify
sort = updated_timestamp|asc                                    #sorting logic, recommended this not be modified
client_id =                                                     #CrowdStrike ClientID for API access
client_secret =                                                 #CrowdStrike Secret for API access; restrict read access to this file
base_url = https://api.crowdstrike.com                          #Base URL for CrowdStrike Falcon Instance, adjust for proper cloud
facets = cve, remediation, host_info, evaluation_logic          #additional data collection with optional facets
timeout_conn = 30                                               #connection timeout in seconds
timeout_read = 300                                              #read timeout in seconds

[Humio]
hecurl = https://cloud.us.humio.com/api/v1/ingest/hec/raw       #standard Humio Cloud HEC URL, adjust as needed
humiohectoken =                                                 #Humio HEC token
content-type = application/json                                 #HEC post header setting, do not modify
accept = application/json                                       #HEC post header setting, do not modify
humiohecverify = True                                           #HEC TLS certificate verification; leave True, disabling it exposes the HEC token to interception
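The config above is consumed by the client, but the README does not show how the values turn into a query or how the checkpoint moves. The following is an added example, written for this page and not taken from the project's own code, of loading an INI in exactly this shape, stripping the inline "#" comments, parsing the proxy dict without eval(), validating the quoted timestamp so a tampered config cannot append extra FQL terms to the filter, and advancing the checkpoint after a batch. The config text, the proxy URL, the placeholder credentials and the batch records are all constructed; the keys of the dict returned by build_query (filter, sort, limit, facet) are assumed to mirror the combined-vulnerabilities query parameters and should be checked against the FalconPy SpotlightVulnerabilities documentation before being wired in.

```python
"""Added example (not the project's own code): load an INI in the README's
shape, derive the Spotlight query inputs, and advance the checkpoint after a
batch. Config text, credentials, proxy URL and batch records are constructed."""
import ast
import configparser
from datetime import datetime

# Constructed config mirroring the README's example. Inline "# ..." comments
# are kept on purpose: the parser below must strip them or "490  #..." would
# fail to parse as an integer.
CONFIG_TEXT = """
[CrowdStrike]
client_version = 2.0
proxy_used = True
proxies = {'https': 'http://proxy.example.internal:3128'}
limit = 490                             #do not exceed what the API allows
filter = updated_timestamp:>            #at least 1 filter must be set
time_filter = '2021-10-11T00:00:12Z'    #start time, single quotes required
updated_timestamp =                     #populated by the client
sort = updated_timestamp|asc
client_id = 0123456789abcdef0123456789abcdef
client_secret = placeholder-not-a-real-secret
base_url = https://api.crowdstrike.com
facets = cve, remediation, host_info, evaluation_logic

[Humio]
hecurl = https://cloud.us.humio.com/api/v1/ingest/hec/raw
humiohectoken = placeholder-not-a-real-token
humiohecverify = True
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def load_config(text):
    """Parse the INI and validate the security-relevant settings."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",),
                                   interpolation=None)
    cp.read_string(text)
    cs, humio = cp["CrowdStrike"], cp["Humio"]
    for section, key in ((cs, "client_id"), (cs, "client_secret"),
                         (humio, "humiohectoken")):
        if not section.get(key, "").strip():
            raise ValueError(f"{key} must be set")
    # The README asks for "python proxy syntax"; literal_eval accepts a dict
    # literal without executing arbitrary code the way eval() would.
    proxies = {}
    if cs.getboolean("proxy_used", fallback=False):
        proxies = ast.literal_eval(cs.get("proxies", "{}"))
        if not isinstance(proxies, dict):
            raise ValueError("proxies must be a dict literal")
    limit = cs.getint("limit")
    if limit <= 0:
        raise ValueError("limit must be positive")
    return {
        "limit": limit,
        "filter": cs["filter"].strip(),
        "time_filter": cs["time_filter"].strip(),
        "updated_timestamp": cs.get("updated_timestamp", "").strip(),
        "sort": cs["sort"].strip(),
        "facets": [f.strip() for f in cs["facets"].split(",") if f.strip()],
        "proxies": proxies,
        "base_url": cs["base_url"].strip(),
        "hec_url": humio["hecurl"].strip(),
        "hec_verify": humio.getboolean("humiohecverify", fallback=True),
    }


def quoted_timestamp(value):
    """Accept only a single-quoted RFC 3339 UTC timestamp, so a tampered
    config cannot smuggle extra FQL terms into the query string."""
    if len(value) < 2 or value[0] != "'" or value[-1] != "'":
        raise ValueError("timestamp must be enclosed in single quotes")
    inner = value[1:-1]
    datetime.strptime(inner, TS_FORMAT)  # raises ValueError on anything else
    return inner


def build_query(cfg):
    """Query inputs: the client checkpoint wins over the initial time_filter."""
    start = cfg["updated_timestamp"] or cfg["time_filter"]
    return {
        "filter": f"{cfg['filter']}'{quoted_timestamp(start)}'",
        "sort": cfg["sort"],
        "limit": cfg["limit"],
        "facet": cfg["facets"],  # assumed parameter name, see lead-in
    }


def next_checkpoint(batch, current):
    """Newest updated_timestamp seen in the batch, never moving backwards.
    Fixed-width Zulu timestamps compare correctly as plain strings."""
    newest = quoted_timestamp(current)
    for record in batch:
        ts = record.get("updated_timestamp", "")
        try:
            datetime.strptime(ts, TS_FORMAT)
        except ValueError:
            continue  # missing or malformed: must not move the cursor
        if ts > newest:
            newest = ts
    return f"'{newest}'"


# Constructed batch: one newer record, one older, one with no timestamp.
SAMPLE_BATCH = [
    {"id": "vuln-a", "updated_timestamp": "2022-06-16T21:33:56Z"},
    {"id": "vuln-b", "updated_timestamp": "2022-06-16T21:30:00Z"},
    {"id": "vuln-c"},
]
```

Two caveats follow from the config semantics rather than from this code. Because the filter uses a strict "updated_timestamp:>", a page boundary that falls between two records sharing the same second can drop the second record on the next poll; if that matters, query with ">=" and deduplicate by id. And with sort set to updated_timestamp|asc the checkpoint is effectively the last record of the batch, which is why the example still takes the maximum rather than trusting ordering.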

crowdstrike-spotlight-humio-package-integration's People

Contributors: ckachigian, czielin80, jshcodes, nkhetia31

crowdstrike-spotlight-humio-package-integration's Issues

Running the package with a few configuration changes leads to errors

CS team has made some changes to configurations.
Details :

  1. This was a fresh/clean deployment of the integration scripts tested on both Windows and Linux platforms with Python3. The scripts were obtained from the GitHub library.
  2. The only change or modification was to the Configuration file where tokens and URLs and other relevant content was provided. This was in accordance with the directions for deployment.
  3. The Vulnerability ID and Remediation scripts which are returning the errors were not modified in any way.

When running, errors are returned from other scripts as per the attached screenshot.

https://crowdstrike.lightning.force.com/lightning/r/Case/5006T00002077vsQAA/view
(attached screenshot not reproduced)

CrowdStrike/Spotlight package integration issue

Steps followed with the scripts downloaded from this repo.
Edited the config file and entered all the required credentials. Ran the CrowdStrikeSpotlight2HumioMain.py.

Get the following error. Looks like the 'ids' key is not found in that map.

Exception in thread Thread-4 (get_vul_details):
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "/tmp/CrowdStrike-Spotlight-Humio-Package-Integration-main/Get_Spotlight_Details.py", line 94, in get_vul_details
    remed_id = i['remediation']['ids']
KeyError: 'ids'
Exception in thread Thread-3 (get_vul_details):
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "/tmp/CrowdStrike-Spotlight-Humio-Package-Integration-main/Get_Spotlight_Details.py", line 94, in get_vul_details
    remed_id = i['remediation']['ids']
KeyError: 'ids'
Exception in thread Thread-5 (get_vul_details):
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "/tmp/CrowdStrike-Spotlight-Humio-Package-Integration-main/Get_Spotlight_Details.py", line 94, in get_vul_details
    remed_id = i['remediation']['ids']
KeyError: 'ids'
Exception in thread Thread-6 (get_vul_details):
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "/tmp/CrowdStrike-Spotlight-Humio-Package-Integration-main/Get_Spotlight_Details.py", line 94, in get_vul_details
    remed_id = i['remediation']['ids']

Debug logs indicate that the spotlight data has been sent successfully to Humio. However Humio has parsing errors.
"Could not parse json for field=@rawstring msg=Could not handle input | No field named updated_timestamp to use when parsing timestamp"
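The two failures reported in the issue above are the same class of problem: the consumer indexes record['remediation']['ids'] and dies when the remediation facet is absent, and the shipper sends events to Humio that the package's parser cannot timestamp because updated_timestamp is not where it looks. The following is an added example, written for this page and not taken from the project's code, of shaping Spotlight vulnerability records into Humio HEC raw events defensively: remediation IDs default to an empty list, every event carries a top-level updated_timestamp (falling back to the collection time and saying so), and the TLS verify flag from the config is passed through with a warning if it has been turned off. The records are constructed in the shape of a combined vulnerabilities response; the example assumes the HEC raw endpoint treats each line of the body as one event and authenticates with a Bearer token.

```python
"""Added example (not the project's code): shape Spotlight vulnerability
records into Humio HEC raw events that survive an absent remediation facet
and always carry updated_timestamp. Records below are constructed."""
import json
import logging

# Constructed records: one with the remediation facet, one without it, and
# one with no updated_timestamp at all.
SAMPLE_RECORDS = [
    {"id": "vuln-1", "aid": "host-1", "status": "open",
     "updated_timestamp": "2022-06-16T21:33:56Z",
     "cve": {"id": "CVE-2021-44228", "severity": "CRITICAL"},
     "remediation": {"ids": ["rem-1"]}},
    {"id": "vuln-2", "aid": "host-2", "status": "open",
     "updated_timestamp": "2022-06-16T21:34:10Z",
     "cve": {"id": "CVE-2014-0160", "severity": "HIGH"}},
    {"id": "vuln-3", "aid": "host-3", "status": "closed"},
]


def remediation_ids(record):
    """Remediation IDs for a record, or [] when the facet is absent or
    malformed. Indexing record['remediation']['ids'] directly is what
    raised KeyError in the issue."""
    rem = record.get("remediation")
    if not isinstance(rem, dict):
        return []
    ids = rem.get("ids")
    return [str(i) for i in ids] if isinstance(ids, list) else []


def to_hec_event(record, collected_at):
    """One Humio event per record. Nested facets are kept as-is; the event
    always has a top-level updated_timestamp for the parser to key on."""
    event = dict(record)
    event["remediation_ids"] = remediation_ids(record)
    if event.get("updated_timestamp"):
        event["timestamp_source"] = "spotlight"
    else:
        event["updated_timestamp"] = collected_at
        event["timestamp_source"] = "collector"
    return event


def build_hec_request(hec_url, token, records, collected_at, verify=True):
    """Pieces of the POST to the HEC raw endpoint: newline-delimited JSON
    body, Bearer auth, and the TLS verify flag passed through unchanged."""
    if not verify:
        logging.warning("TLS verification disabled for %s; the HEC token "
                        "travels in a header and can be intercepted", hec_url)
    lines = [json.dumps(to_hec_event(r, collected_at), separators=(",", ":"))
             for r in records]
    return {
        "url": hec_url,
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json",
                    "Accept": "application/json"},
        "data": "\n".join(lines),
        "verify": verify,
    }


def events_in_body(body):
    """Decode the NDJSON body back into events (for tests and debugging)."""
    return [json.loads(line) for line in body.splitlines() if line]
```

The returned dict is shaped so that requests.post(**build_hec_request(...)) sends it as-is. Keeping the nested cve, host_info and other facets untouched matters because the package's Humio parser expects the Spotlight field names; the only additions are remediation_ids and, when Spotlight gave no timestamp, the collector's own time clearly marked as such so a search can tell the two apart.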
