ZachChristensen28 / TA-crowdstrike-identities

The CrowdStrike Falcon Identity Protection Add-on for Splunk ingests CrowdStrike identity data into Splunk, so that the data can be used with other Splunk apps such as Enterprise Security.
https://splunk-ta-crowdstrike.ztsplunker.com/

Risk score in CrowdStrike and in Splunk are not the same #35

Open sharadap05 opened 3 weeks ago

sharadap05 commented 3 weeks ago

Description

Hi Team,

We configured the add-on "CrowdStrike Falcon Identity Protection add-on for Splunk" in Splunk to get CrowdStrike identity risk score details. But we see that the scores in Splunk are not the same as in CrowdStrike. For instance, for a user we see a risk score of 2.9 in CrowdStrike, but in the Splunk logs we see 0.29 for the same user. Can you please let us know if this is expected behavior of the add-on or a bug?

Related links

The documentation does not mention that the scores might be in a different format in Splunk.

Proposed change (optional)

No response

ZachChristensen28 commented 3 weeks ago

Hello, thank you for reaching out.

The risk score comes directly from their API using the CrowdStrike Falcon API Software Development Kit, falconpy. I can investigate whether this is expected behavior. In the meantime, you can verify using the API docs CrowdStrike provides in their Developer portal.
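One way to do the verification suggested above is to pull the raw `riskScore` values from the Identity Protection GraphQL API and check whether they differ from what Splunk indexed by a constant factor (a display convention, such as a 0 to 1 score shown as 0 to 10 in the console) or by genuine per-user mismatches. This is an added example, not code from the add-on or from the thread. It assumes the GraphQL `entities` query exposes `primaryDisplayName` and `riskScore`, and that falconpy's `IdentityProtection.graphql(query=...)` returns a dict with `status_code` and `body`; the sample scores are constructed to match the numbers in the report (0.29 in the raw data, 2.9 in the console).

```python
"""Compare Identity Protection risk scores from the Falcon API with the values
seen in Splunk, and tell a uniform scale difference apart from real mismatches.

Added example; not part of TA-crowdstrike-identities. Assumptions (not confirmed
by the issue thread): the GraphQL `entities` query returns `primaryDisplayName`
and `riskScore`, and falconpy's IdentityProtection.graphql(query=...) returns
{"status_code": int, "body": {...}}.
"""
import os
from collections import Counter

# Constructed sample of a GraphQL response body (not real tenant data).
SAMPLE_API_BODY = {
    "data": {"entities": {"nodes": [
        {"primaryDisplayName": "alice", "riskScore": 0.29},
        {"primaryDisplayName": "bob", "riskScore": 0.71},
        {"primaryDisplayName": "carol", "riskScore": 0.05},
    ]}}
}
# Constructed samples of what Splunk indexed and what the console shows.
SAMPLE_SPLUNK = {"alice": 0.29, "bob": 0.71, "carol": 0.05}
SAMPLE_CONSOLE = {"alice": 2.9, "bob": 7.1, "carol": 0.5}


def api_scores(body):
    """Flatten a GraphQL response body into {display_name: riskScore}."""
    nodes = body.get("data", {}).get("entities", {}).get("nodes", [])
    return {n["primaryDisplayName"]: float(n["riskScore"])
            for n in nodes if n.get("riskScore") is not None}


def compare(reference, observed, places=6):
    """Return (scale, mismatches, missing).

    scale: the constant factor observed/reference shared by every user
           (1.0 means identical, 10.0 means a 0-1 vs 0-10 convention),
           or None if the ratios are not uniform.
    mismatches: users whose ratio deviates from the dominant factor.
    missing: users present in the API data but absent from the observed set.
    """
    missing = sorted(u for u in reference if u not in observed)
    ratios = {}
    for user, ref in reference.items():
        if user in observed and ref != 0:
            ratios[user] = round(observed[user] / ref, places)
    if not ratios:
        return None, [], missing
    dominant = Counter(ratios.values()).most_common(1)[0][0]
    mismatches = sorted(u for u, r in ratios.items() if r != dominant)
    return (dominant if not mismatches else None), mismatches, missing


def fetch_live(first=50):
    """Optional live query (assumed falconpy API); needs FALCON_CLIENT_ID and
    FALCON_CLIENT_SECRET in the environment. Not used by the offline samples."""
    from falconpy import IdentityProtection
    falcon = IdentityProtection(client_id=os.environ["FALCON_CLIENT_ID"],
                                client_secret=os.environ["FALCON_CLIENT_SECRET"])
    query = ("{ entities(types: [USER], first: %d) "
             "{ nodes { primaryDisplayName riskScore } } }" % first)
    resp = falcon.graphql(query=query)
    if resp["status_code"] != 200:
        raise RuntimeError("GraphQL call failed: %r" % resp)
    return api_scores(resp["body"])


if __name__ == "__main__":
    api = api_scores(SAMPLE_API_BODY)
    for label, observed in (("splunk", SAMPLE_SPLUNK), ("console", SAMPLE_CONSOLE)):
        scale, bad, gone = compare(api, observed)
        print(label, "scale:", scale, "mismatches:", bad, "missing:", gone)
```

A result of `scale 1.0` against the Splunk values and `scale 10.0` against the console values means the add-on is passing the API value through unchanged and only the console's presentation differs; a `None` scale with named users points at a real data problem worth raising on the issue.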

sharadap05 commented 2 weeks ago

Hi Zach,

Do you have any further update on this?

Regards, Sharada Pandilla | Information Security Operations – L2 | Zoetis | Indianapolis
