CrowdStrike / falcon-integration-gateway

Falcon Integration Gateway (FIG)
The Unlicense

question - no propagated events from crowdstrike to security hub #184

Open neo-eddie-nazarov opened 1 month ago

neo-eddie-nazarov commented 1 month ago

Hi,

I've been testing this for our active subscription in CrowdStrike in order to propagate events back to Security Hub (FIG v3.1.13).

Have this running as an ECS Fargate task in our AWS account.

From the logs I see that the streaming connection was established (200) for the following streaming URL: https://firehose.us-2.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=<app_id>&offset=0&eventType=DetectionSummaryEvent

I was simulating events in CrowdStrike using the following cmd: bash crowdstrike_test_<_severity_>

The event appears in CrowdStrike, but the stream does not seem to pick up the event (I don't see anything in the logs or in Security Hub).

Would like to know if there was something missing on my end for the configuration.

Wanted to note that I ran a test with v3.1.11 and started seeing the events, just with processing errors, so I guess this change is related.

My goal with this is to emit all events from CrowdStrike to Security Hub and not only AWS-related ones. Is this something that is currently supported?

Update: confirmed now that this worked for a test event which originated from AWS.

So I'm back to the question whether it can support all events regardless of their origin, and if there is a specific configuration for it, like the "confirm_provider": true in here.

carlosmmatos commented 1 month ago

@neo-eddie-nazarov thanks for your questions and for opening an issue. Yes, we have made some changes to the AWS Security Hub backend to fix some bugs, so it sounds like you are good from that perspective.

I'll bring it up with the team to see how to proceed with your latter question. Will keep you posted, and in the meantime, if you have any other questions or ideas for enhancements, please feel free to post them here or in a new issue 👊🏼

neo-eddie-nazarov commented 1 month ago

@carlosmmatos thank you for your reply!

The first issue was resolved once I ran the test from an EC2 instance in AWS.

Would be happy to get your input regarding all events support, thanks!

neo-eddie-nazarov commented 1 month ago
> The question wrt whether we can support all events is something I have to get back to you on. The quick answer is yes, of course we can support sending all the data (not just AWS detections), as we do this with other backends. The longer version is making sure we can support both without introducing any bugs to existing (AWS-only) users.

@carlosmmatos regarding the bugs, this could be enabled via a flag/env variable that can be passed in and is set to disabled by default. This will preserve the current configuration for existing users and allow those who'd like to try this feature to enable it, as is done for other backends 🤔
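As an added illustration of the opt-in gating proposed above (example code written for this thread, not FIG's own backend code): the environment variable name, the simplified event shape and the `cloud_provider` field are all assumptions, and the sample detections are constructed. The default path forwards only AWS-origin detections, matching the current behaviour, and every skipped event is logged with a reason so operators can see why a detection never reached Security Hub.

```python
import os
from typing import Iterable, List, Optional, Tuple

# Hypothetical environment variable (not a FIG setting): when "true", every
# detection is forwarded to Security Hub; when unset, the existing AWS-only
# behaviour is preserved so current users see no change.
FORWARD_ALL_ENV = "FIG_SECHUB_FORWARD_ALL_EVENTS"

# Constructed sample of detections in a simplified shape; "cloud_provider"
# is an assumed normalised field, not FIG's actual event schema.
SAMPLE_EVENTS = [
    {"detection_id": "det-aws-1", "hostname": "ip-10-0-1-5", "cloud_provider": "aws", "severity": 4},
    {"detection_id": "det-azure-1", "hostname": "vm-prod-02", "cloud_provider": "azure", "severity": 3},
    {"detection_id": "det-onprem-1", "hostname": "LAPTOP-7", "cloud_provider": None, "severity": 5},
]


def forward_all_enabled(env: Optional[dict] = None) -> bool:
    """Read the opt-in flag; anything but an explicit true-ish value keeps the AWS-only default."""
    env = os.environ if env is None else env
    return env.get(FORWARD_ALL_ENV, "false").strip().lower() in ("1", "true", "yes")


def should_forward(event: dict, forward_all: bool) -> Tuple[bool, str]:
    """Decide whether one detection goes to Security Hub; return (decision, reason) so skips are loggable."""
    provider = (event.get("cloud_provider") or "").lower()
    if provider == "aws":
        return True, "aws-origin"
    if forward_all:
        return True, "forward-all enabled"
    return False, f"non-aws origin ({provider or 'unknown'}) and forward-all disabled"


def select_for_security_hub(events: Iterable[dict], env: Optional[dict] = None) -> List[str]:
    """Return the detection ids that would be submitted, logging each skip for operator visibility."""
    forward_all = forward_all_enabled(env)
    selected = []
    for event in events:
        ok, reason = should_forward(event, forward_all)
        if ok:
            selected.append(event["detection_id"])
        else:
            print(f"skipping {event['detection_id']}: {reason}")
    return selected


if __name__ == "__main__":
    # Default run: only the AWS detection is selected, the other two are logged as skipped.
    print("default:", select_for_security_hub(SAMPLE_EVENTS, {}))
    # Opt-in run: all three detections are selected.
    print("opt-in: ", select_for_security_hub(SAMPLE_EVENTS, {FORWARD_ALL_ENV: "true"}))
```

The `env` parameter exists so the decision logic can be unit-tested without touching the real process environment; in a deployment the flag would simply be set on the ECS task definition alongside the existing FIG variables.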

carlosmmatos commented 1 month ago

@neo-eddie-nazarov I think the bigger question we are trying to get answered is whether AWS supports this from partners. Just want to make sure we are allowed to send non-AWS data into SecHub. Once we get an answer back I'll update this thread.

neo-eddie-nazarov commented 3 weeks ago

> @neo-eddie-nazarov I think the bigger question we are trying to get answered is whether AWS supports this from partners. Just want to make sure we are allowed to send non-AWS data into SecHub. Once we get an answer back I'll update this thread.

It seems like this is the way it was done previously, until that PR limited it and before the integration gateway was introduced (referring to https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub, which has no restrictions)? Not sure if there are any restrictions on whether I, as an AWS customer, can send them whatever I want 🤔

carlosmmatos commented 3 weeks ago

@neo-eddie-nazarov - can you do us a favor? Would you be willing to open a support case with us to further discuss this use case along with our AWS partner? As it stands, AWS does not currently support non-AWS events, but they are open to hearing customer use cases to change this.

If you would like to discuss this with us, when you create the support case, feel free to drop my name (Carlos Matos) so they can quickly route it to me and I can pass it on to the team.

neo-eddie-nazarov commented 5 days ago

Hey @carlosmmatos,

I had the chance to discuss this with the AWS Security Hub team and the AWS partner team for CrowdStrike (they also have this discussion as a reference), so right now I need to provide them with some samples.