CrowdStrike / Cloud-AWS

A collection of projects supporting AWS Integration
MIT License

Findings Not Populating in Security Hub After CrowdStrike Subscription ([security-hub-integration.yaml]) #280

Open AditModi opened 3 weeks ago

AditModi commented 3 weeks ago

I successfully deployed the CloudFormation template for the CrowdStrike integration with Security Hub link. However, even after subscribing to CrowdStrike findings in the deployed region, I am not seeing any findings populate within Security Hub.

Steps to Reproduce:

Expected Behavior:

Actual Behavior:

Possible Causes:

AditModi commented 3 weeks ago

I did a little bit of debugging in my EC2 and found that I get the following error messages from fig_service.log:

Configuration parameters loaded from SSM Parameter Store 
No Streams available
Process terminated
Specified configuration file not found
carlosmmatos commented 3 weeks ago

@AditModi - sorry, I misread the initial message. SSM params are being loaded.

So, generally if there are no streams available, the issue is in here: https://github.com/CrowdStrike/Cloud-AWS/blob/main/Security-Hub/main.py#L184

Basically we make the API call to Falcon to list the available streams for the given app_id.

One thing to ensure is that you are using a unique app_id or from SSM FIG_APP_ID in the event that there is another instance of the FIG running that may be using the same ID.

If you are sure you have a unique ID or that no other fig instance is running, you probably want to go to the ec2 instance and modify the main.py file in /usr/share/fig directory.

I would add something like this for debugging:

import json  # needed for the debug dump below

# Ask Falcon which event streams exist for this app_id; falcon.command() returns a
# dict with status_code, headers and body, so dumping it shows the HTTP status and
# any error messages as well as the stream list.
new_streams = falcon.command(action="listAvailableStreamsOAuth2", appId=config["app_id"])
print(json.dumps(new_streams, indent=4))

Follow the steps here to manually run it:

sudo systemctl stop fig  # this will stop the current fig from interfering
sudo -u fig python3 main.py

Then report back with that.
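Added example, not code from the Cloud-AWS project or from the comment above: a small classifier for the response of the listAvailableStreamsOAuth2 call, using constructed sample responses in the status_code/headers/body shape that falconpy's Uber class returns. The body layouts, the error message text and the dataFeedURL/sessionToken field names are assumptions made for this example. It also masks the session token before the response is printed or pasted into an issue, since the raw dump includes a live stream credential.

```python
import copy

# Constructed sample responses (assumed layout, not captured from a live Falcon tenant).
SAMPLE_OK = {
    "status_code": 200,
    "headers": {},
    "body": {
        "resources": [
            {
                "dataFeedURL": "https://firehose.example.invalid/sensors/entities/datafeed/v2/0?appId=fig-demo",
                "sessionToken": {"token": "REDACT-ME", "expiration": "2030-01-01T00:00:00Z"},
                "refreshActiveSessionInterval": 1800,
            }
        ],
        "errors": [],
    },
}
SAMPLE_EMPTY = {"status_code": 200, "headers": {}, "body": {"resources": [], "errors": []}}
SAMPLE_BAD_APP_ID = {
    "status_code": 400,
    "headers": {},
    "body": {"resources": [], "errors": [{"code": 400, "message": "constructed: invalid appId"}]},
}


def diagnose_streams(response: dict, app_id: str) -> dict:
    """Classify a listAvailableStreamsOAuth2 response into a next debugging step.

    Mirrors the branches discussed in the thread: 200 with resources is healthy,
    200 with no resources is the FIG's "No Streams available" case, and 400 is
    the app_id problem the reporter hit.
    """
    status = response.get("status_code")
    body = response.get("body") or {}
    resources = body.get("resources") or []
    errors = [e.get("message", "") for e in body.get("errors") or []]
    result = {"status": status, "streams": len(resources), "errors": errors, "app_id": app_id}

    if status == 200 and resources:
        result["verdict"] = "ok"
        result["feeds"] = [r.get("dataFeedURL", "") for r in resources]
        result["hint"] = "streams exist; if nothing reaches Security Hub, check the per-partition log next"
    elif status == 200:
        result["verdict"] = "no_streams"
        result["hint"] = "API accepted app_id but returned no streams; confirm Event Streams is enabled for the CID"
    elif status == 400:
        result["verdict"] = "bad_request"
        result["hint"] = f"check app_id {app_id!r}: it must be unique across running FIG instances"
    elif status in (401, 403):
        result["verdict"] = "auth_error"
        result["hint"] = "check the client ID/secret and that the API client has the Event Streams scope"
    else:
        result["verdict"] = "unexpected"
        result["hint"] = "unhandled status; inspect the errors list"
    return result


def redact(response: dict) -> dict:
    """Return a deep copy with every sessionToken.token masked, safe to paste into a ticket."""
    safe = copy.deepcopy(response)
    for res in (safe.get("body") or {}).get("resources") or []:
        token = res.get("sessionToken")
        if isinstance(token, dict) and "token" in token:
            token["token"] = "***"
    return safe


if __name__ == "__main__":
    import json
    for sample in (SAMPLE_OK, SAMPLE_EMPTY, SAMPLE_BAD_APP_ID):
        print(json.dumps(diagnose_streams(sample, "fig-demo"), indent=2))
    print(json.dumps(redact(SAMPLE_OK), indent=2))
```

In the real debugging session the input is the dict returned by falcon.command(...); pass it through redact() before printing so the stream session token never lands in a log or a GitHub comment.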

AditModi commented 3 weeks ago

Hi @carlosmmatos, thanks for the help. I added the debugging step and checked again. I found that the appID was the issue; it was giving the 400 error. I made changes to it and now I have it working as expected. It is giving me a 200 response.

I get the following messages from fig_service.log:

Configuration parameters loaded from SSM Parameter Store.
Starting listener on partition number 0...
All threads started, main process sleeping.
Process terminated

I am still not able to view the crowdstrike related information in security hub. I am assuming it takes time for data to load, let me know if there is anything else to be updated.

Update: Security hub still doesn't include crowdstrike information, please let me know what else needs to be added.

carlosmmatos commented 3 weeks ago

At this point you need to review/test detections. Per the docs:

{app_id}_{partition_number}.log - Each stream opened by the application has its own rotating log that contains details regarding the detections discovered. Review this log to confirm detections are being discovered within the event stream and are properly formatted / meeting severity threshold requirements. This file is named after the value used for the app_id parameter and the partition number.

This log file will tell you if anything has been processed.
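Added example, not part of the thread or the project's code: the per-partition log stays empty whenever the events arriving on the stream are not detections, or are detections below the configured severity threshold, so it helps to see that selection step in isolation. The records below are constructed; the field names (metadata.eventType, event.Severity, event.SeverityName) and the rule "forward when Severity >= threshold" are assumptions made for this example, as is the partition_log_name helper that reproduces the documented {app_id}_{partition_number}.log naming.

```python
# Constructed event-stream records (assumed DetectionSummaryEvent layout).
SAMPLE_EVENTS = [
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 1},
     "event": {"DetectId": "ldt:1", "Severity": 2, "SeverityName": "Low", "ComputerName": "ip-10-0-0-5"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 2},
     "event": {"DetectId": "ldt:2", "Severity": 4, "SeverityName": "High", "ComputerName": "ip-10-0-0-7"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 3},
     "event": {"UserId": "analyst@example.invalid", "OperationName": "detection_update"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "offset": 4},
     "event": {"DetectId": "ldt:3", "Severity": 5, "SeverityName": "Critical", "ComputerName": "ip-10-0-0-9"}},
]


def partition_log_name(app_id: str, partition: int) -> str:
    """Name of the per-stream log described in the docs: {app_id}_{partition_number}.log."""
    return f"{app_id}_{partition}.log"


def select_detections(events: list, severity_threshold: int) -> tuple:
    """Split stream records into those a forwarder would act on and counts of why the rest were dropped.

    Assumed rule: only DetectionSummaryEvent records with Severity >= threshold are kept.
    A non-integer or missing Severity is treated as not meeting the threshold.
    """
    kept = []
    dropped = {"not_detection": 0, "below_threshold": 0}
    for record in events:
        if (record.get("metadata") or {}).get("eventType") != "DetectionSummaryEvent":
            dropped["not_detection"] += 1
            continue
        severity = (record.get("event") or {}).get("Severity")
        if not isinstance(severity, int) or severity < severity_threshold:
            dropped["below_threshold"] += 1
            continue
        kept.append(record)
    return kept, dropped


def summarize(events: list, severity_threshold: int) -> dict:
    """One-line diagnosis of why a partition log might be empty at a given threshold."""
    kept, dropped = select_detections(events, severity_threshold)
    return {
        "threshold": severity_threshold,
        "forwarded": [r["event"]["DetectId"] for r in kept],
        "dropped": dropped,
        "reason_if_empty": (
            None if kept else
            "no detections on this stream" if dropped["below_threshold"] == 0 else
            "detections present but all below the severity threshold"
        ),
    }


if __name__ == "__main__":
    print(partition_log_name("fig-demo", 0))
    for threshold in (1, 3, 5):
        print(summarize(SAMPLE_EVENTS, threshold))
```

Reading the real {app_id}_{partition_number}.log alongside this: if the console shows detections but the log is empty, compare their severities against the threshold the FIG was deployed with before suspecting the sensor side.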

AditModi commented 3 weeks ago

Thanks for the explanation on reviewing the CrowdStrike logs. I've checked the {app_id}_{partition_number}.log files, and there are no detections found.

Based on this, it seems the issue likely lies with CrowdStrike sensor configuration. On the AWS side, I've created and added the client ID and secret for the CrowdStrike Falcon Integration Gateway (FIG).

Could you please clarify if there are any other configuration steps required on the CrowdStrike side beyond the client credentials?

carlosmmatos commented 3 weeks ago

Are there any detections at all in your CID? You can check on the console. Outside of that, it sounds like you have configured everything you need on your end.

My suggestions: