ZachChristensen28 / TA-crowdstrike-identities

The CrowdStrike Falcon Identity Protection Add-on for Splunk allows ingestion of CrowdStrike identity data into Splunk, enabling the data to be used with other Splunk apps, such as Enterprise Security.
https://splunk-ta-crowdstrike.ztsplunker.com/

Not all identities being pulled #32

Closed kbostater3 closed 4 months ago

kbostater3 commented 4 months ago

Bug description

Only about 9000 of our 13000 identities are being pulled in. It's not a dedup error, because some of our samAccountNames that exist in multiple domains are showing up more than once. The most complete domain "CACHEMAIL.EXT" is also the most useless. Blacklisting that domain does not lead to more entries from other domains being ingested.

Related links

TA-crowdstrike-identities Version

1.0.2

Splunk Version

9.0.2303.201

ZachChristensen28 commented 4 months ago

This may be related to issue #29. The default behavior is to only pull in devices that are not learned by CrowdStrike. This setting will be removed in the next version. Remove "learned: false" from the GraphQL call in the Python script and see if that makes a difference. https://github.com/ZachChristensen28/TA-crowdstrike-identities/blob/3d7812af8a653b89c97ccd96b58bc4f34c0fca01/src/TA-crowdstrike-identities/bin/input_module_crowdstrike_identities.py#L72
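To illustrate the effect of that filter, here is an added Python example (not the add-on's own code and not the script linked above): it builds a Falcon Identity Protection GraphQL `entities` query with or without `learned: false`, pages through results with a cursor, and counts what comes back per domain. The query shape (`first`, `after`, `archived`, `learned`, `pageInfo`, `nodes` and the entity field names), the stand-in `fake_graphql_execute` transport and the sample identities are all assumptions constructed for the demonstration; a real input module would send the query to the Falcon GraphQL endpoint over HTTPS instead.

```python
"""Added example: how a `learned: false` filter in the GraphQL entities query
limits which identities are ingested, and what changes when it is dropped.
Query shape, field names and sample data are assumptions, not the add-on's code."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample directory (not real data). `secondaryDisplayName` is used
# here as the domain, and `learned` is the attribute the old default filtered on.
SAMPLE_IDENTITIES = [
    {"entityId": "e1", "primaryDisplayName": "alice", "secondaryDisplayName": "CACHEMAIL.EXT", "learned": False},
    {"entityId": "e2", "primaryDisplayName": "alice", "secondaryDisplayName": "CORP.LOCAL", "learned": True},
    {"entityId": "e3", "primaryDisplayName": "bob", "secondaryDisplayName": "CORP.LOCAL", "learned": True},
    {"entityId": "e4", "primaryDisplayName": "carol", "secondaryDisplayName": "CACHEMAIL.EXT", "learned": False},
    {"entityId": "e5", "primaryDisplayName": "dave", "secondaryDisplayName": "LAB.LOCAL", "learned": True},
]


def build_entities_query(learned: Optional[bool], page_size: int = 2) -> str:
    """Build the GraphQL query text.

    learned=None omits the filter entirely (the change suggested in the thread);
    True/False adds `learned: true` / `learned: false` to the entities arguments.
    """
    args = [f"first: {page_size}", "after: $cursor", "archived: false"]
    if learned is not None:
        args.append(f"learned: {'true' if learned else 'false'}")
    return (
        "query ($cursor: Cursor) {\n"
        f"  entities({', '.join(args)}) {{\n"
        "    pageInfo { hasNextPage endCursor }\n"
        "    nodes { entityId primaryDisplayName secondaryDisplayName }\n"
        "  }\n"
        "}"
    )


def fake_graphql_execute(query: str, variables: Dict) -> Dict:
    """Stand-in for the HTTPS call to the Falcon GraphQL endpoint (constructed).

    It honours the `learned:` and `first:` arguments found in the query text and
    pages through SAMPLE_IDENTITIES. The cursor is simulated as a stringified
    offset; the real API returns an opaque cursor.
    """
    rows = SAMPLE_IDENTITIES
    match = re.search(r"learned:\s*(true|false)", query)
    if match:
        want = match.group(1) == "true"
        rows = [r for r in rows if r["learned"] is want]
    page_size = int(re.search(r"first:\s*(\d+)", query).group(1))
    start = int(variables.get("cursor") or 0)
    page = rows[start:start + page_size]
    end = start + len(page)
    return {"data": {"entities": {
        "pageInfo": {"hasNextPage": end < len(rows), "endCursor": str(end)},
        "nodes": [{k: r[k] for k in ("entityId", "primaryDisplayName", "secondaryDisplayName")} for r in page],
    }}}


def fetch_all_identities(execute: Callable[[str, Dict], Dict],
                         learned: Optional[bool], page_size: int = 2) -> List[Dict]:
    """Walk every page of the entities connection until hasNextPage is False."""
    query = build_entities_query(learned, page_size)
    cursor = None
    collected: List[Dict] = []
    while True:
        block = execute(query, {"cursor": cursor})["data"]["entities"]
        collected.extend(block["nodes"])
        if not block["pageInfo"]["hasNextPage"]:
            return collected
        cursor = block["pageInfo"]["endCursor"]


def count_by_domain(identities: List[Dict]) -> Dict[str, int]:
    """Per-domain totals, the quickest way to see which domains are missing."""
    counts: Dict[str, int] = {}
    for identity in identities:
        domain = identity["secondaryDisplayName"]
        counts[domain] = counts.get(domain, 0) + 1
    return counts


if __name__ == "__main__":
    filtered = fetch_all_identities(fake_graphql_execute, learned=False)
    everything = fetch_all_identities(fake_graphql_execute, learned=None)
    print("with learned: false ->", count_by_domain(filtered))
    print("filter removed      ->", count_by_domain(everything))
```

Comparing the two per-domain counts against what the Falcon console reports is a quick way to confirm whether a missing domain is a filter issue or a dedup issue: a filter drops whole categories of identities, while dedup on `samAccountName` would collapse the duplicates across domains that the reporter still sees.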

kbostater3 commented 4 months ago

We're using Splunk GovCloud. I asked Splunk Support to make that change, but they refused because it's a developer supported app.

ZachTheSplunker commented 4 months ago

The new version was just released with the fix. It should be available in Splunk Gov Cloud after the appinspect runs. Could take 2 - 5 days. https://splunkbase.splunk.com/app/6893