All Apps and Add-ons

Future update of this TA to work with OAuth2-based

FloSwiip
Path Finder

Hello,

This TA is using only the deprecated legacy key-based APIs access
Based on your last CS communication, the end date for this kind of access is the October 29th, 2020
Are you planning to update this TA accordingly or it is going to be abandoned and removed from splunkbase ?

Thank you for your support

Labels (1)

yeahnah
Motivator

A see a CrowdStrike Falcon Event Streams Technical Add-On has just been released with oAuth support and is the replacement for CrowdStrike Falcon Endpoint Add-on.  

https://splunkbase.splunk.com/app/5082/#/overview

However, it states only version 8 compatibility at the moment, which I hope is just due to the fact they have not tested against older versions yet.

 

0 Karma

FloSwiip
Path Finder

Hello,

Yes same remark about the splunk 8+ only

I just tried it on a splunk heavy forwarder running version 7.3.6 and I am getting the following error

 

 

 

2020-07-14 16:17:48,687 ERROR pid=22745 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/ta_crowdstrike_falcon_event_streams/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/crowdstrike_event_streams.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 321, in collect_events
    crowdstrike_client()
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 189, in crowdstrike_client
    token_result, token_message, token_url= Stream().get_token(clientid, secret, api_endpoint, proxy)
TypeError: 'NoneType' object is not iterable

 

 

 

Edit: I have the same failure with splunk 8.0.4.1and the default setting of python in the server.conf
python.version = python2 🤔

Edit2: Still the same error with
python.version = python3 😓

Edit3: Ok I have regenerated my api credential and it was the reason of the error ( really bad catch )
Now it is spamming an offset errors but maybe it is normal

 

 

2020-07-15 07:46:14,342 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Event Written
2020-07-15 07:46:14,342 ERROR pid=15876 tid=Thread-1 file=Stream_Attributes.py:record_offsets:116 | Failed to record offsets to offsets file.
2020-07-15 07:46:14,376 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Offset recording to KV store: XXXX_Detections_feed_num_0 {u'https://firehose.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=splunk_qualif': XXXXX}

 

Edit4:
For the error in edit3, it is the creation of an empty dir in TA-crowdstrike-falcon-event-streams/bin/offsets that is missing, so python is failing to manage files here.
Note that is app is deployed, it is important to add it to the exclusion to not loose its contain

 

0 Karma

knobster
New Member

There will be a OAuth2 version very soon. It's currently being tested.

0 Karma

knobster
New Member

Nothing yet. The team is testing it currently but should be released in late July.

0 Karma

javanzato
New Member

Will the new version support Splunk 7.2/7.3?

0 Karma

dileep_ey
Engager

Any update on new CrowdStrike Supports OAuth2 based authentications.?

0 Karma

javanzato
New Member

Any update on this?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...