Problem with Crowdstrike& AWS Securityhub integration #130
Comments
|
Hi @EasonJYC - I'm trying to recreate this now and will let you know the result here shortly. |
|
Hi @EasonJYC - I can recreate this and am classifying this as a bug. I will be submit a PR to resolve this issue shortly. Stay tuned. |
|
Quick follow-up question: If you set the default value for ssl_verify to False ( |
|
I think we tried that before and still cannot connect. Do you want me to try that again? |
|
Yes please. I think this might be related to the ca-certificate changes AWS implemented in September. Either way, I'll be updating the code to reflect new functionality in the FalconPy library, but may have to add something to our terraform to handle the "yum update ca-certificates" step. |
|
Hi I just tried with "ssl_verify = false" and I still fail to connect to the API. |
|
Copy that. That lines up with my testing over here as well, so it appears there are a couple of issues I'll need to address. I'm working on these changes now. 👨💻 |
|
Hi @EasonJYC - The PR to resolve this issue has been submitted. If you need to test this before it merges to main, update line 80 of wget -O sechub-2.0.latest-install.run https://github.com/CrowdStrike/Cloud-AWS/blob/jshcodes-sechub-1221/Security-Hub/install/sechub-2.0.latest-install.run?raw=trueLet us know if you have any problems. |
|
Hi @jshcodes , Thanks for your update! I tried the new code and the fig works fine. I generated a sample detection(critical severity) on Crowdstrike but Securityhub didn't receive the detection. I checked the fig, SQS and Lambda and I could see the activity of all of them. So I guess the connection between Lambda and Securityhub might not work. Can you reproduce it on your side? Thanks! |
|
Hi @EasonJYC ! Have you navigated to Security Hub / Integrations and started accepting CrowdStrike findings for the region you've deployed to?
|
|
Yes! I have already done that. |
|
Is it because we deploy the CS&Securityhub integration in Account A Region A but the detections are in Account B Region B? Because our idea is to receive all detections on our hosts(located in Account B, C, D etc) in a single Securityhub dashboard(which is located in Account A Region A). |
|
It might be. We have a way to address that as well. Let's turn debugging on in the Lambda. And turn off Instance confirmation.
Add the following environment variables, and run a test or two. Then check the CloudWatch log for the Lambda and let us know any errors that you get back? (Don't forget to sanitize any internal information like CID, AIDs, API credentials, IP addresses, etc.) I usually get there using this button from the Lambda page. And then I click Search All (and drop the range down). |
|
Hi, |
|
Delete your offset file ( |
|
Followup: It can take a few minutes for detections to come across. You can also tail the log file with |
|
Now Securityhub is able to receive alerts! Thanks for your help @jshcodes ! |
|
Excellent! Couple of notes:
Let us know if you have any more problems. 😄 |
|
Thanks for your notes! I just want to remind that Debugging mode is on by default if we deploy it through Terraform. Thanks again! |
Doh! I'll get this updated as well. 😄 |
I deployed the integration through terraform and followed the guide here:
https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub/terraform
But AWS securityhub cannot receive events from Crowdstrike. I checked the fig service on fig instance and found that it failed to connect to CS API:
I double checked the API we used and I'm sure that we provided the required access:
Event Streams API - READ
Hosts API - READ
Sensor Download API - READ
Any help would be appreciated!
The text was updated successfully, but these errors were encountered: