CrowdStrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
GNU Affero General Public License v3.0
186 stars 54 forks source link

Error while authenticating to API #38

Closed xalapa5000 closed 7 years ago

xalapa5000 commented 7 years ago

I am getting the following errors: 2017-06-09 11:43:11,683 FATAL FalconOrchestrator.Client.Authentication - Error while authenticating to API System.Net.WebException: The remote server returned an error: (500) Internal Server Error. at System.Net.HttpWebRequest.GetResponse() at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse() 2017-06-09 11:43:11,714 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured System.Net.WebException: The remote server returned an error: (500) Internal Server Error. at System.Net.HttpWebRequest.GetResponse() at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse() at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

What can be done to resolve?

xalapa5000 commented 7 years ago

I have verified that the URL to the API is correct.

xalapa5000 commented 7 years ago

I think I found the issue. I was using normal crowdstrike creds and not API Query creds.

mr-burnse commented 7 years ago

That would do it! You'll need streaming API credentials for this. Also please make sure you contact our support team to ensure the API is enabled first,

xalapa5000 commented 7 years ago

I have now set it up with API query credentials and reset the API Key. After restarting the service the dashboard does not populate. Here are the last lines from the run log: 2017-06-12 08:50:26,203 FATAL FalconOrchestrator.Client.FalconOrchestratorService - Client service has been stopped 2017-06-12 08:50:28,453 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service 2017-06-12 08:50:31,719 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - [138] Event already stored in database 2017-06-12 08:50:31,719 WARN FalconOrchestrator.Client.AuditEvent - Malformed audit event timestamp, failing over to current time 2017-06-12 08:50:32,109 DEBUG FalconOrchestrator.Client.EventModel - [139] Authentication audit event saved to database

What can be done to start getting data?

mr-burnse commented 7 years ago

You should be using streaming API keys not Query...however since you're getting even it seems that's not the issue. These logs imply the service is working as expected, you should leave it running to collect more events. Also make sure on the top right of the navigation bar, you click on the refresh button to get new detections populated into the UI.

xalapa5000 commented 7 years ago

I setup both the Streaming API and Query API tabs. Should it be one or the other? Currently all we are interested in using is the Whitelist functionality.

Does it require the Email, Active Directory, and Forensics tabs be configured in order to work? I didn't set them up for now as they seemed to not be necessary for Whitelisting.

I have tried clicking the refresh button to the right of the welcome/username section. The service has been running for about an hour with no new logs.

mr-burnse commented 7 years ago

For this, you just need Streaming API but there's problem with inputting Query API as well (they just won't be used). For whitelisting, no you don't require Email/AD/Forensics to be configured. Keep in mind this whitelisting is only done locally within Orchestrator (i.e. it does not currently modify the status of the detection in the main Falcon UI).

Try setting the offset (in the streaming API configuration UI) back to 0 and re-starting the service. Also are there no entries in the client log stating "detection event saved to database"?

xalapa5000 commented 7 years ago

I changed the offset to 0 saved. No change. When I went back to look at that setting it show it is 140 for some reason.

No, there are no "detection event saved to database" logs.

So setting up whitelisting in Orchestrator won't actually whitelist any of the computers in my environment?

mr-burnse commented 7 years ago

So it would seem that there are no detections in the stream for Orchestrator to process. I'm assuming there have been detections/alerts in your environment within the past 30 days? Whitelisting is intended to whitelist certain events, by marking them with the state of "whitelisted" in the local Orchestrator database. Have you checked out the video demonstration? Link is on the main project page.

xalapa5000 commented 7 years ago

Yes, there have been events in the last 30 days.

I have seen the video. Here is the use case:
We have in-house devs that are working to create applications. Every time they make a change to the .exe it generates a new hash that is then blocked by falcon. We then have to add the new hash individually in the falcon portal every time. It is getting tiresome to have to maintain this. We would like to either Whitelist their working directory or the filename of the application so that it isn't blocked with every change. Can setting up Whitelisting with orchestrator accomplish this?

mr-burnse commented 7 years ago

No that's not something you would do with Orchestrator. For that level of whitelisting you should work through our support team.

xalapa5000 commented 7 years ago

OK. Thank you.

Guru668 commented 4 years ago

We are getting below error while we configuring Falcon SIEM connector .

RACE: Retrying work for partition=-1 due to error='falconhose[oauth2]: call to get access token returned empty token without an error'

Please check and update me if you encounter the same error.

Thanks in advance