Adds a new script and utility to run a standalone HTTP web server for emulating external API calls (e.g. the APIs called by Connectors in support of bi-directional response actions).
Includes two plugins: SentinelOne and Crowdstrike. Only the SentinelOne plugin currently has working APIs (routes that respond with payloads); the Crowdstrike plugin only exposes a placeholder root route.
Has not been tested with Kibana yet, but it should be possible to start it and then use the URL for the desired plugin (SentinelOne or Crowdstrike) as the base URL when setting up a Connector in Kibana.
See the README file for more on this utility and its associated plugin framework.
To run it, execute:
node x-pack/plugins/security_solution/scripts/endpoint/start_external_edr_server_emulator.js
info [EmulatorServer] added route: [CORE] GET /_status
info [EmulatorServer] added route: [sentinelone] GET /sentinelone/web/api/v2.1/agents
info [EmulatorServer] added route: [sentinelone] GET /sentinelone/web/api/v2.1/activities
info [EmulatorServer] added route: [sentinelone] POST /sentinelone/web/api/v2.1/agents/actions/connect
info [EmulatorServer] added route: [sentinelone] POST /sentinelone/web/api/v2.1/agents/actions/disconnect
info [EmulatorServer] added route: [crowdstrike] GET /crowdstrike
info [EmulatorServer] Server started and available at: http://your-computer-dns-address:54498
All arguments are optional, and the defaults assume a developer stack running locally on port 5601 (Kibana) and 9200 (Elasticsearch). These can be overridden; see the utility's --help output:
node x-pack/plugins/security_solution/scripts/endpoint/start_external_edr_server_emulator.js --help
node x-pack/plugins/security_solution/scripts/endpoint/start_external_edr_server_emulator.js
Start external API emulator
Options:
--port The port number where the server should listen on
(Default is 0 - which means an available port is assigned randomly)
--username User name to be used for auth against elasticsearch and
kibana (Default: elastic).
**IMPORTANT:** if 'asSuperuser' option is not used, then the
user defined here MUST have 'superuser' AND 'kibana_system' roles
--password User name Password (Default: changeme)
--apiKey An API key to use for communication with Kibana/Elastisearch. Would be
used instead of username/password
--asSuperuser If defined, then a Security super user will be created using the
the credentials defined via 'username' and 'password' options. This
new user will then be used to run this utility.
--kibana The url to Kibana (Default: http://127.0.0.1:5601)
--elasticsearch The url to Elasticsearch (Default: http://127.0.0.1:9200)
--verbose, -v Log verbosely
--debug Log debug messages (less than verbose)
--quiet Only log errors
--silent Don't log anything
--help Show this message