Non Cloud VM detection doesn't get processed (But does by SIEM) #130

Closed
MrCNeale opened this issue Sep 21, 2022 · 3 comments
@MrCNeale
Contributor

Background
Installed the CS agent on an ARC-based remote VM, non-cloud hosted.
Triggered detection

Expected result
FIG would read detection and write to Log Analytics in Azure

Observed Result
No entry written to falconintegration log in LogAnalytics
Nothing in Debug Log apart from "fig cs_refresh DEBUG Refresh of streaming session succeeded"

Additional tests/debug/info
Expected result occurs for same detection type on a Cloud (Azure) hosted VM.
Debug Log shows detection for Cloud(Azure) hosted VM.
FIG Version 3.0.6*
*(I think...not sure how to query the running container to get version. We deploy it from a private repo, not latest quay.io image)
ARC (non-cloud) VM detection shows in Falcon Portal
ARC VM detection shows in SIEM server logs and in Log Analytics (scraped by OMS Agent custom log).

Despite debug mode, we don't see any failure based on the flow diagram in
https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/docs/developer_guide.md

@MrCNeale
Contributor Author

After digging, I believe it's due to:

    import logging

    log = logging.getLogger(__name__)


    class Runtime():
        RELEVANT_EVENT_TYPES = ['DetectionSummaryEvent']

        def __init__(self):
            log.info("Azure Backend is enabled.")

        def is_relevant(self, falcon_event):
            # Only events whose host reports cloud_provider == 'AZURE' are forwarded
            return falcon_event.cloud_provider == 'AZURE'

Can a way be added to override the filter, e.g. "ALL" or ""?
Not sure what, if anything is returned in your second query to find the cloud provider for an ARC vm.

@MrCNeale
Contributor Author

Final comment/improvement request.
Ability to specify allowed types, AWS/GCP/AZURE/None
And a preferred output, e.g. output to Log Analytics.

Another option is "how does the metadata get populated in the Hosts API?",
as from an AWS/VMware VM that is running the ARC agent, you can query another agent (like the Azure metadata service) to find out what cloud it's in.

@isimluk isimluk self-assigned this Oct 20, 2022
isimluk added a commit to isimluk/falcon-integration-gateway that referenced this issue Nov 2, 2022
Sometimes users need to fine-tune the detections that will be forwarded by the
fig. This change allows users to configure detection event filtering based on the
cloud the detection comes from:

The following example will exclude detections coming from GCP cloud.

    [events]
    detections_exclude_clouds = GCP

Relates to CrowdStrike#130.
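The two filtering behaviours discussed in this issue, as an added example that is not code from the falcon-integration-gateway project: the original Azure-only `is_relevant()` check quoted above, which drops detections from hosts that report no cloud provider (the Arc-managed on-premises VM in the report), next to an exclude-list filter driven by the `[events] detections_exclude_clouds` setting named in the commit message. `FalconEvent`, `EventFilter`, `azure_only_is_relevant`, `forwarded_ids` and the sample events are assumptions constructed for this example, not the project's API.

```python
# Added example, not code from the falcon-integration-gateway project.
# FalconEvent, EventFilter, azure_only_is_relevant, forwarded_ids and the
# sample events below are assumptions constructed for this illustration.
import configparser
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

RELEVANT_EVENT_TYPES = {"DetectionSummaryEvent"}


@dataclass(frozen=True)
class FalconEvent:
    event_type: str
    detect_id: str
    cloud_provider: Optional[str]  # None when the host reports no cloud metadata


def azure_only_is_relevant(event: FalconEvent) -> bool:
    """Original behaviour quoted in the issue: only Azure-hosted detections pass,
    so a host with cloud_provider None (Arc-managed on-prem VM) is silently dropped."""
    return event.event_type in RELEVANT_EVENT_TYPES and event.cloud_provider == "AZURE"


class EventFilter:
    """Exclude-list filter: forward every relevant detection unless its cloud is
    listed in detections_exclude_clouds. Hosts with no cloud provider are mapped
    to the pseudo-cloud NONE so they are forwarded by default and can still be
    excluded explicitly (detections_exclude_clouds = NONE)."""

    def __init__(self, exclude_clouds: Iterable[str]):
        self.exclude_clouds = {c.strip().upper() for c in exclude_clouds if c.strip()}

    @classmethod
    def from_config(cls, ini_text: str) -> "EventFilter":
        # Parses the [events] section; a missing key means "exclude nothing".
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        raw = cfg.get("events", "detections_exclude_clouds", fallback="")
        return cls(raw.split(","))

    def is_relevant(self, event: FalconEvent) -> bool:
        if event.event_type not in RELEVANT_EVENT_TYPES:
            return False
        cloud = (event.cloud_provider or "NONE").upper()
        return cloud not in self.exclude_clouds


def forwarded_ids(events: Iterable[FalconEvent],
                  predicate: Callable[[FalconEvent], bool]) -> List[str]:
    """Return the detect_ids that a given relevance predicate would forward."""
    return [e.detect_id for e in events if predicate(e)]


# Constructed sample stream: one detection each from Azure, GCP and an
# on-premises Arc host with no cloud metadata, plus a non-detection event.
SAMPLE_EVENTS = [
    FalconEvent("DetectionSummaryEvent", "det-azure", "AZURE"),
    FalconEvent("DetectionSummaryEvent", "det-gcp", "GCP"),
    FalconEvent("DetectionSummaryEvent", "det-arc", None),
    FalconEvent("UserActivityAuditEvent", "audit-azure", "AZURE"),
]

# Constructed config fragment matching the setting in the commit message.
CONFIG_EXCLUDE_GCP = """
[events]
detections_exclude_clouds = GCP
"""

if __name__ == "__main__":
    print("azure-only :", forwarded_ids(SAMPLE_EVENTS, azure_only_is_relevant))
    exclude_gcp = EventFilter.from_config(CONFIG_EXCLUDE_GCP)
    print("exclude GCP:", forwarded_ids(SAMPLE_EVENTS, exclude_gcp.is_relevant))
```

With the exclude-list approach the Arc host's detection is forwarded unless the operator opts out of `NONE`, which is the override the first follow-up comment asked for; the non-detection event is still dropped by the event-type check in both variants.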
@isimluk
Contributor

isimluk commented Dec 6, 2022

Hello Chris,

I am closing this issue as falcon-integration-gateway 3.1.5 has been released with Azure Arc support.

FIG with Azure Arc support will perform RTR-based autodiscovery of Azure Arc settings on systems outside Azure.

To enable this functionality please:

  • set arc_autodiscovery=true inside [azure] section in your config.ini
  • grant the extra Falcon permission to the API keys:
    Real Time Response: [Read, Write]
    

Please let me know if anything else can be done on this front.

@isimluk isimluk closed this as completed Dec 6, 2022