
3 issues with TA_crowdstrike app: URL constants valid only for commercial and not for EU cloud, authentication header issue in validate of credentials and uncomment execution of Query API imports

croncari
New Member

Hi,

I'm trying to use your Add-On for the EU Cloud API and I've encountered the following issues and found a solution I would like to share with you, in order to ask you to check and eventually fix them in an "official" Add-on released by you.

EU Cloud version
The current Add-on contains a series of consts for the URL that are pointing to the Commercial APIs. However, we don't have access to them, but only to the EU Cloud ones.
Is it possible for you to create a version of the Add-on that accepts the URLs for the Query and the Streaming API valid for the EU Cloud, either as an input or at least configurable in some way?

Authentication header issue for validation of credentials
In the file "ta_crowdstrike_rh_falcon_host_accounts.py", in the "validate" method of the "CheckValidation" class, the "Authorization" header set by your code in the following way:

headers = {"Authorization": "Basic " + base64string, "Content-Type": "application/json", "Accept": "application/json"}

didn't work. The API returned an "Authentication" error.
I had to make the following changes to let it work:

import requests
from requests.auth import HTTPBasicAuth

# Let requests build the Basic Authorization header from the credentials
# instead of assembling it by hand
auth = HTTPBasicAuth(data["api_uuid"], data["api_key"])

headers = {"Content-Type": "application/json", "Accept": "application/json"}

# EU Cloud host instead of the Commercial one
rest_resp = requests.get("https://falconapi.eu-1.crowdstrike.com/detects/queries/detects/v1",
                         headers=headers, proxies=proxies, auth=auth)

I don't know if this fix is valid also for you, but, can you check it and eventually fix it in your official code, please?
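As an added example (not the poster's code and not the add-on's), the two points above combined: the base URL is keyed by cloud so the EU-1 host from this post is not hard-coded, and the Basic header is built the way HTTPBasicAuth builds it, using only the standard library. The Commercial host is a placeholder, and the endpoint path is the one used in the post.

```python
import base64
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Base URL per Falcon cloud. Only the EU-1 host comes from the post above;
# the Commercial entry is a placeholder to be replaced with the real host.
FALCON_BASE_URLS = {
    "commercial": "https://commercial-api-host.example.invalid",  # placeholder
    "eu-1": "https://falconapi.eu-1.crowdstrike.com",
}
VALIDATION_PATH = "/detects/queries/detects/v1"


def basic_auth_header(api_uuid, api_key):
    """Return what HTTPBasicAuth would send: 'Basic ' + base64('uuid:key').

    base64.b64encode() returns bytes on Python 3, so concatenating
    'Basic ' with its raw result raises TypeError there; decoding keeps
    the header value a str.
    """
    raw = "{0}:{1}".format(api_uuid, api_key).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_validation_request(cloud, api_uuid, api_key):
    """Assemble URL and headers for the credential check against one cloud."""
    if cloud not in FALCON_BASE_URLS:
        raise ValueError("unknown Falcon cloud: {0}".format(cloud))
    headers = {
        "Authorization": basic_auth_header(api_uuid, api_key),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return FALCON_BASE_URLS[cloud] + VALIDATION_PATH, headers


def validate_credentials(cloud, api_uuid, api_key, proxies=None):
    """Send the check; True if the API accepts the credentials, False on 401/403.

    Any other HTTP error (wrong host, outage) is re-raised so that a
    misconfigured URL is not reported as bad credentials.
    """
    url, headers = build_validation_request(cloud, api_uuid, api_key)
    opener = build_opener(ProxyHandler(proxies or {}))
    try:
        with opener.open(Request(url, headers=headers), timeout=30) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise
```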

Execution of the Query API imports commented
After having applied the changes above and once configured, the modular input didn't import any data. Investigating the code, I've found the following comment and commented code in the file "falcon_host_data_client.py":

# We are restricting device endpoint due to issue at product side. We will revoke below condition
# once get resolved at product side.
if self._endpoint.find(consts.DEVICE_QUERY_ENDPOINT) != -1 or self._endpoint.find(consts.DETECT_QUERY_ENDPOINT) != -1:
    return False

After commenting out the two code lines, the import of data works.
Can you enable back the import of data in your official version, please?

Our purpose is not to have a customized add-on, so please let us know if it is in your objectives to keep this app up to date.

Thank you for your support
