UPDATE: I resolved the issue. After noticing that there were no customizations for Falcon Sandbox (i.e. Destinations, Workflows and Functions), I removed and reinstalled on our Integration Server again. This time, I used resilient-circuits customize -l fn-crowdstrike-falcon-sandbox vs importing the .res file. Note: The documentation for the app states to import via .res file.
The other important thing to check is to ensure the Falcon Sandbox Destination has the correct Username/API key assignment.
Once all customizations were validated, the selftest was successful.
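The fix above amounts to confirming that the app's customizations actually landed in the SOAR org (the 404 "Unable to find Function with ID falcon_sandbox_submit_file" is SOAR saying the function object does not exist) and that the message destination has a user or API key assigned. The following is an added example, not code from the fn-crowdstrike-falcon-sandbox app or from anyone in this thread: it takes the JSON that SOAR returns for `/rest/orgs/<ID>/functions?handle_format=names` and `/rest/orgs/<ID>/message_destinations` and reports what is missing before you bother with selftest. The response shapes (`entities`, `name`, `programmatic_name`, `users`, `api_keys`) and the destination's programmatic name are assumptions.

```python
# Added example, not the app's own code. Checks that the Falcon Sandbox customizations
# exist in the SOAR org and that the destination is assigned to a user or API key.
FUNCTION_NAME = "falcon_sandbox_submit_file"        # the function the 404 in the thread names
DESTINATION_NAME = "fn_crowdstrike_falcon_sandbox"   # assumed programmatic name of the destination


def check_customizations(functions_json, destinations_json,
                         function_name=FUNCTION_NAME, destination_name=DESTINATION_NAME):
    """Return a list of problems; an empty list means selftest should get past the 404."""
    problems = []

    # Functions: assumed to be listed under "entities", each with a programmatic "name".
    names = {f.get("name") for f in functions_json.get("entities", [])}
    if function_name not in names:
        problems.append("function %r not found in org; re-run "
                        "'resilient-circuits customize -l fn-crowdstrike-falcon-sandbox'" % function_name)

    # Destinations: assumed "programmatic_name" plus "users"/"api_keys" allowed to consume it.
    dests = {d.get("programmatic_name"): d for d in destinations_json.get("entities", [])}
    dest = dests.get(destination_name)
    if dest is None:
        problems.append("message destination %r not found" % destination_name)
    elif not (dest.get("users") or dest.get("api_keys")):
        problems.append("destination %r has no user or API key assigned; "
                        "the integration server cannot read from it" % destination_name)
    return problems


# Constructed sample responses: function present, destination present but unassigned.
SAMPLE_FUNCTIONS = {"entities": [{"name": "falcon_sandbox_submit_file",
                                  "display_name": "Falcon Sandbox: Submit File"}]}
SAMPLE_DESTINATIONS = {"entities": [{"programmatic_name": "fn_crowdstrike_falcon_sandbox",
                                     "users": [], "api_keys": []}]}

if __name__ == "__main__":
    for line in check_customizations(SAMPLE_FUNCTIONS, SAMPLE_DESTINATIONS) or ["all customizations present"]:
        print(line)
```

With the `resilient` Python package already configured for the integration server, the two inputs would come from the client's `get("/functions?handle_format=names")` and `get("/message_destinations")` calls (assumed endpoints); the check itself runs offline on the constructed samples.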
Original Message:
Sent: Wed April 26, 2023 12:44 PM
From: Damian Scott
Subject: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work
Hi Deon,
All other applications and required connections via "GET /rest/orgs/<ID>/functions..." work just fine. It's not a connection issue between the Integration Server and SOAR, but could possibly be either antiquated code within this Community app or the selftest isn't working correctly. I am going to test with the UI in SOAR next.
I would be interested if anyone else is using this app and their experience.
------------------------------
Damian Scott
Original Message:
Sent: Wed April 26, 2023 02:54 AM
From: Deon Joubert
Subject: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work
Hi Damian,
From your error message here:
2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None
It seems that the problem is that your connection to your QRadar SOAR is not working. I'd suggest checking your settings in your app.config, under the [resilient] section. Also, make sure which app.config file you are loading; check your environment variables.
Hope that helps.
------------------------------
Deon Joubert
Original Message:
Sent: Tue April 25, 2023 12:45 PM
From: Damian Scott
Subject: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work
I've confirmed via packet analysis there are no connection attempts being made to hybrid-analysis.
Results from resilient-circuits selftest -l fn-crowdstrike-falcon-sandbox:
2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None
Reason: Unknown Reason. {"success":false,"title":null,"message":"Unable to find Function with ID falcon_sandbox_submit_file","hints":[],"error_code":"generic"} in resilient.co3base.BaseClient.get.<locals>.__get, retrying in 8 seconds...
------------------------------
Damian Scott
Original Message:
Sent: Wed April 19, 2023 05:11 PM
From: Damian Scott
Subject: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work
We recently installed it and upgraded the API key from restricted to standard, but the self-test still fails with error code 404 - bad api (or endpoint).
Here's our app.config: it was pretty straightforward.
falcon_sandbox_api_key=xxxxxx
falcon_sandbox_api_host=https://www.hybrid-analysis.com/api/v2
fetch_report_status_interval=60
fetch_report_timeout=600
app.config only asks for api key and not secret. Is that the problem?
------------------------------
Damian Scott
Original Message:
Sent: Mon March 13, 2023 08:27 AM
From: Deon Joubert
Subject: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work
Hi All,
Has anyone else successfully made use of the fn_crowdstrike_falcon_sandbox integration? We had to edit the code so that the submit_name is not sent as part of the submission request, otherwise we got a validation error. We had to remove the falcon_sandbox_submit_name from the HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL constant.
Otherwise, are people happy with the integration? I see it was last updated in 2019.
Regards
-D
------------------------------
Deon Joubert
------------------------------