Non Cloud VM detection doesn't get processed (But does by SIEM) #130
Comments
After digging.
Final comment/improvement request. Another option is "how does the metadata get populated in the hosts api?"
Sometimes users need to fine tune the detections that will be forwarded by the fig. This change allows users to configure detection event filtering based on the cloud from which the detection comes. The following example will exclude detections coming from GCP cloud.

[events]
detections_exclude_clouds = GCP

Relates to CrowdStrike#130.
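As an added illustration of how an exclusion filter keyed on the cloud of origin can behave, including the case at the centre of this issue (a detection raised on a host that sits outside any cloud). This is not code from the issue thread and not falcon-integration-gateway's own implementation. The INI key name is taken from the commit message above; the `cloud_provider` field on each detection, the comma-separated multi-value form of the setting, the sample detections and the function names are all assumptions made for the example.

```python
"""Cloud-of-origin exclusion filter for detections.

Added illustration, not falcon-integration-gateway's own code. Assumed:
an [events] section carrying `detections_exclude_clouds`, and that each
detection dict has a `cloud_provider` value that is None for hosts that are
not in any cloud (for example an Azure Arc enabled on-prem VM).
"""
import configparser
from typing import Iterable, List, Optional, Set

# Constructed sample config. The key name comes from the commit message;
# accepting a comma-separated list of clouds is an assumption.
SAMPLE_CONFIG = """
[events]
detections_exclude_clouds = GCP, aws
"""

# Constructed sample detections, not real Falcon API output.
SAMPLE_DETECTIONS = [
    {"detect_id": "d1", "cloud_provider": "AZURE"},
    {"detect_id": "d2", "cloud_provider": "GCP"},
    {"detect_id": "d3", "cloud_provider": "AWS"},
    {"detect_id": "d4", "cloud_provider": None},  # Arc-managed, non-cloud host
]


def load_excluded_clouds(ini_text: str) -> Set[str]:
    """Parse the exclusion list from INI text.

    Names are normalised to upper case so 'gcp' and 'GCP' mean the same
    thing. A missing section or key excludes nothing.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("events", "detections_exclude_clouds", fallback="")
    return {c.strip().upper() for c in raw.split(",") if c.strip()}


def filter_detections(detections: Iterable[dict], excluded: Set[str]) -> List[dict]:
    """Keep every detection whose cloud is not on the exclusion list.

    A detection with no cloud provider at all is kept: an *exclude* list
    must never silently drop non-cloud hosts, which is the symptom this
    issue reports (Arc VM detections vanishing without a logged failure).
    """
    kept = []
    for det in detections:
        cloud: Optional[str] = det.get("cloud_provider")
        if cloud is not None and cloud.upper() in excluded:
            continue
        kept.append(det)
    return kept


def kept_ids(ini_text: str = SAMPLE_CONFIG, detections=SAMPLE_DETECTIONS) -> List[str]:
    """Convenience wrapper: detection ids that survive the configured filter."""
    excluded = load_excluded_clouds(ini_text)
    return [d["detect_id"] for d in filter_detections(detections, excluded)]


if __name__ == "__main__":
    print(kept_ids())  # ['d1', 'd4']
```

The design point worth noting is the explicit `cloud is not None` check: if the filter compared an empty or missing provider against the exclusion list with string operations, a host outside any cloud could be dropped or raise, and nothing would surface in a debug log beyond the streaming-session refresh messages the reporter saw.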
Hello Chris, I am closing this issue as falcon-integration-gateway 3.1.5 has been released with Azure Arc support. FIG with Azure Arc support will perform RTR-based autodiscovery of Azure Arc settings on systems outside Azure. To enable this functionality please:
Please let me know if anything else can be done on this front.
Background
Installed CS agent on an ARC-based remote VM, non-cloud hosted.
Triggered detection
Expected result
FIG would read detection and write to Log Analytics in Azure
Observed Result
No entry written to falconintegration log in LogAnalytics
Nothing in Debug Log apart from "fig cs_refresh DEBUG Refresh of streaming session succeeded"
Additional tests/debug/info
Expected result occurs for same detection type on a Cloud (Azure) hosted VM.
Debug Log shows detection for Cloud(Azure) hosted VM.
FIG Version 3.0.6*
*(I think...not sure how to query the running container to get version. We deploy it from a private repo, not latest quay.io image)
ARC (non-cloud) VM detection shows in Falcon Portal
ARC VM detection shows in SIEM server logs and in Log Analytics (scraped by OMS Agent custom log).
Despite debug mode, we don't see any failure based on the flow diagram in
https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/docs/developer_guide.md