Problem with CrowdStrike

Hello everyone,

I want to integrate CrowdStrike into my SIEM, the Kibana interface.
I have already preconfigured the following:

  • Generation of an ID and secret for https://api.eu-1.crowdstrike.com.

  • Integration and preconfiguration of the CrowdStrike and CrowdStrike Falcon Intelligence modules with the CrowdStrike ID and secret generated before.

  • On CrowdStrike: Alerts: Yes (read only) and Hosts: Yes (also read), as requested in the documentation.

  • API testing in PowerShell:
    $uri = "https://api.eu-1.crowdstrike.com/oauth2/token"
    $headers = @{
        "accept"       = "application/json"
        "Content-Type" = "application/x-www-form-urlencoded"
    }
    $body = @{
        "client_id"     = "…"
        "client_secret" = "…"
    }
    $response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
    # $response -> OK (a token is returned)

No dashboard works and everything remains empty.

Thanks for your help :slight_smile:

Clarification: my Elastic instance is local on a Linux server, not in the cloud.

Hi,

I had a similar issue. I'm on ELK stack 18.14.2, CrowdStrike integration version 1.39.0, and CrowdStrike Falcon Intelligence 1.1.3.

I use the Falcon SIEM connector, see logs in /var/log/crowdstrike/falconhoseclient/output and alerts coming in, and also collect CrowdStrike logs via the API.
For the API collector, I have the "Alerts" and "Hosts" scopes enabled. For the SIEM connector, I have an API client with "Alerts", "Hosts", "Detections", "Falcon Data Replicator" and "Event Streams" enabled. I think "Event Streams" alone should be enough for that.

I went to the host running elastic-agent where the integration is installed, and did a "systemctl restart elastic-agent". That seems to have fixed the issue.

However, the Falcon Intelligence part seems "more" broken to me.
ti_crowdstrike.ioc seems to have this issue: "[ti_crowdstrike.ioc]: field [original] not present as part of path [event.original]" (Issue #10575, elastic/integrations on GitHub), and ti_crowdstrike.intel kind of stopped ingesting for me a couple of weeks ago. Still investigating.

Sebastian
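The token test in the first post and the scope list in the reply above are two halves of one check: a token can be issued for a client that still lacks the scopes the integration needs, which shows up as "OK" in PowerShell and empty dashboards in Kibana. The following is an added example, not code from the thread or from Elastic or CrowdStrike, that repeats the token request in Python and then probes one read-only endpoint per scope (the endpoint paths and the 201/403 status handling are assumptions to verify against the CrowdStrike API documentation); the transport is injectable so the included constructed fake response lets it run offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.eu-1.crowdstrike.com"  # EU-1 cloud, as in the post
# Assumed read endpoints, one per scope named in the thread (verify against CS docs).
SCOPE_PROBES = {
    "Hosts": "/devices/queries/devices/v1?limit=1",
    "Alerts": "/alerts/queries/alerts/v1?limit=1",
    "Event Streams": "/sensors/entities/datafeed/v2?appId=scopecheck",
}


def http(method, url, headers, body=None):
    """Real transport: returns (HTTP status, parsed JSON body), including on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_token(client_id, client_secret, transport=http):
    """Same request as the PowerShell test; assumes 201 + access_token on success."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, data = transport("POST", BASE_URL + "/oauth2/token", headers, body)
    if status != 201 or "access_token" not in data:
        raise RuntimeError(f"token request failed: HTTP {status} {data}")
    return data["access_token"]


def check_scopes(token, transport=http):
    """Probe each scope; 403 is read as 'scope not granted to this API client'."""
    headers = {"accept": "application/json", "Authorization": f"Bearer {token}"}
    result = {}
    for scope, path in SCOPE_PROBES.items():
        status, _ = transport("GET", BASE_URL + path, headers)
        result[scope] = ("ok" if status == 200 else
                         "missing" if status == 403 else f"http {status}")
    return result


def fake_transport(method, url, headers, body=None):
    """Constructed offline stand-in: token OK, Hosts/Alerts granted, Event Streams not."""
    if url.endswith("/oauth2/token"):
        return 201, {"access_token": "T", "expires_in": 1799, "token_type": "bearer"}
    if "/devices/" in url or "/alerts/" in url:
        return 200, {"resources": []}
    return 403, {"errors": [{"code": 403, "message": "access denied"}]}
```

Run `check_scopes(get_token("…", "…"))` with real credentials to see which scope the integration is actually missing; with `transport=fake_transport` it reports Event Streams as missing.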

Hi, Thanks for your response, Sebastian :slight_smile:

'I went to the host running the elastic-agent where the integration is installed and did a "systemctl restart elastic-agent". That seems to have fixed the issue.'

I can’t do that on CrowdStrike, can I? I don't have an elastic-agent on CrowdStrike since it's a web-based service. Or do I need to install the agent on the Elastic server itself?

'/var/log/crowdstrike/falconhoseclient/output'
Is it normal that I don’t have this log file at all on my Linux server where Elastic is running?

Also, I found a file on the Linux server that was disabled: /etc/filebeat/modules.d/crowdstrike.yml.disabled.
I activated it and modified it like this:

cat /etc/filebeat/modules.d/crowdstrike.yml

    - module: crowdstrike
      falcon:
        enabled: true

        # Set custom paths for the log files. If left empty,
        # Filebeat will choose the paths depending on your OS.
        #var.paths:

Thank you

Oh, you're with Filebeat, then YMMV :wink:

I assume Filebeat supports the same functionality as the Agent integration.
With that, you have 3 options:

  • get info about events/alerts/hosts from the Falcon SIEM connector;

  • use the FDR and fetch logs from i.e. S3;

  • or query the CS REST API.

I have the first installed on a VM where Agent is running, and it parses the previously mentioned log file, which is created and filled by the Falcon SIEM Connector.
Additionally, I have it querying the REST API.

Sebastian

I downloaded the SIEM connector: crowdstrike-cs-falconhoseclient_2.26.0_amd64.deb from CrowdStrike.

I configured it as follows:

No other logs.

Where can I find the information? No dashboard contains any information.

Thanks again for your help.

So the SIEM connector's log file is filling up, fetching events and pushing them here: /var/log/crowdstrike/falconhoseclient/output ?

When you search in Discover for log.file.path: /var/log/crowdstrike/falconhoseclient/output

do you see anything?

The filebeat module docs don't mention these dashboards: CrowdStrike module | Filebeat Reference [8.15] | Elastic

So they might only be visible in the SIEM, as shown there.

Sebastian

empty :frowning: