question - no propagated events from crowdstrike to security hub #184
Comments
|
@neo-eddie-nazarov thanks for your questions and opening up an issue. Yes we have made some changes to the AWS security hub backend to fix some bugs so it sounds like you are good from that perspective.
I'll bring it up with the team to see how to proceed with your latter question. Will keep you posted, and in the meantime, if you have any other questions or ideas for enhancements, please feel free to post them here or in a new issue 👊🏼 |
|
@carlosmmatos thank you for your reply! The first issue was resolved once I run the test from an ec2 in AWS. Would be happy to get your input regarding all events support, thanks! |
@carlosmmatos |
|
@neo-eddie-nazarov I think the bigger question we are trying to get answered is if AWS supports this from partners. Just want to make sure we are allowed to send non-aws data into sechub. Once we get an answer back I'll update this thread. |
it seems like this is the way it was done previously until that PR limited it and before the integration gateway was introduced( referring to the https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub which has no restrictions)? |
|
@neo-eddie-nazarov - can you do us a favor, would you be willing to open a support case with us to further discuss this use-case with us along with our AWS partner. As it stands, AWS does not currently support non-AWS events but they are open to hearing customer use-cases to change this. If you would like to discuss this with us, when you create the support case, feel free to drop my name (Carlos Matos) so they can quickly route it to me and I can pass it on to the team. |
|
hey @carlosmmatos, I had the chance to discuss this with the AWS Security Hub team and the AWS partner team for Crowdstrike. ( they also have this discussion as ref ) so right now I need to provide them with some samples. |
Hi,
I've been testing this for our active subscription in crowdstrike in order to propagate events back to security hub. ( fig v3.1.13)
Have this running as in ECS fargate task in our AWS account.
From the logs I see that the streaming connection was established ( 200 ) for the following streaming url -
https://firehose.us-2.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=<app_id>&offset=0&eventType=DetectionSummaryEventI was simulating events in crowdstrike using the following cmd:
bash crowdstrike_test_<_severity_>The event appears in crowdstrike but the stream seem not to pick the event ( don't see anything in logs nor security hub )
Would like to know if there was something missing on my end for the configuration.
Wanted to note that I run a test with v3.1.11 and started seeing the events just with processing errors so I guess this change is related
My goal with this is to emit all events from crowdstrike to securityhub and not only AWS related, is this something that is currently supported?
Update: confirmed now that this worked for a test event which originated from AWS.
So i'm back to the question whether it can support all events regardless of its origin and if there is a specific configuration for it? like the
"confirm_provider": truein hereThe text was updated successfully, but these errors were encountered: