IBM Security QRadar SOAR

  • 1.  fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Mon March 13, 2023 08:28 AM

    Hi All, 

    Has anyone else successfully made use of the fn_crowdstrike_falcon_sandbox integration? We had to edit the code so that the submit_name is not sent as part of the submission request, otherwise we got a validation error. We had to remove the falcon_sandbox_submit_name from the HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL constant. 

    Otherwise, are people happy with the integration? I see it was last updated in 2019.

    Regards

    -D



    ------------------------------
    Deon Joubert
    ------------------------------
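    The mechanism behind the edit described above, as an added illustration and not code from the fn_crowdstrike_falcon_sandbox app: an allow-list constant decides which function inputs are forwarded to the Hybrid Analysis submit-URL endpoint, so dropping `falcon_sandbox_submit_name` from it is what keeps `submit_name` out of the request. The input name `falcon_sandbox_url`, the other allow-list entries and the set of fields the API accepts are assumptions for the example.

```python
"""Build a Hybrid Analysis /submit/url form payload from SOAR function inputs.

Illustrative reconstruction of the allow-list pattern; entries other than
falcon_sandbox_submit_name, and the accepted-field set, are assumptions.
"""
FN_PREFIX = "falcon_sandbox_"

# Assumed shape of the constant before the edit (still lists submit_name).
HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL_ORIGINAL = [
    "falcon_sandbox_environment_id",
    "falcon_sandbox_no_share_third_party",
    "falcon_sandbox_allow_community_access",
    "falcon_sandbox_comment",
    "falcon_sandbox_submit_name",
]

# The edit from the thread: submit_name removed, so it is never forwarded.
HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL = [
    p for p in HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL_ORIGINAL
    if p != "falcon_sandbox_submit_name"
]

# Assumed fields the URL endpoint accepts (submit_name deliberately absent,
# matching the validation error the thread reports).
ACCEPTED_SUBMIT_URL_FIELDS = {
    "url", "environment_id", "no_share_third_party",
    "allow_community_access", "comment",
}


def build_submit_url_params(fn_inputs, allowed=HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL):
    """Return the form fields for POST /submit/url.

    Only inputs named in ``allowed`` are forwarded; the ``falcon_sandbox_``
    prefix is stripped to form the API field name, and unset (None) inputs
    are omitted so the API never receives an empty field.
    """
    params = {"url": fn_inputs["falcon_sandbox_url"]}  # hypothetical input name
    for name in allowed:
        value = fn_inputs.get(name)
        if value is None:
            continue
        params[name[len(FN_PREFIX):]] = value
    return params


def unexpected_fields(params, accepted=ACCEPTED_SUBMIT_URL_FIELDS):
    """Fields the endpoint would reject; non-empty means a validation error."""
    return sorted(set(params) - accepted)
```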


  • 2.  RE: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Wed April 19, 2023 05:12 PM

    We recently installed it and upgraded the API key from restricted to standard, but the self-test still fails with error code 404 - bad api (or endpoint).

    Here's our app.config:  it was pretty straight-forward.

    falcon_sandbox_api_key=xxxxxx
    falcon_sandbox_api_host=https://www.hybrid-analysis.com/api/v2
    fetch_report_status_interval=60
    fetch_report_timeout=600

    app.config only asks for api key and not secret.  Is that the problem?



    ------------------------------
    Damian Scott
    ------------------------------



  • 3.  RE: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Tue April 25, 2023 12:46 PM

    I've confirmed via packet analysis there are no connections attempts being made to hybrid-analysis.

    Results from resilient-circuits selftest -l fn-crowdstrike-falcon-sandbox:

    2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None

    Reason: Unknown Reason. {"success":false,"title":null,"message":"Unable to find Function with ID falcon_sandbox_submit_file","hints":[],"error_code":"generic"} in resilient.co3base.BaseClient.get.<locals>.__get, retrying in 8 seconds...


    ------------------------------
    Damian Scott
    ------------------------------



  • 4.  RE: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Wed April 26, 2023 02:55 AM

    Hi Damian,

    From your error message here:

    2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] 
    https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None

    It seems that the problem is that your connection to your QRadar SOAR is not working. I'd suggest checking your settings in your app.config, under the [resilient] section. Also, make sure which app.config file you are loading; check your environment variables.

    Hope that helps.



    ------------------------------
    Deon Joubert
    ------------------------------



  • 5.  RE: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Wed April 26, 2023 12:45 PM

    Hi Deon,

    All other applications and required connections via "GET /rest/orgs/<ID>/functions..." work just fine.  It's not a connection issue between the Integration Server and SOAR, but could possibly be either antiquated code within this Community app or the selftest isn't working correctly.  I am going to test with the UI in SOAR next.

    I would be interested if anyone else is using this app and their experience.



    ------------------------------
    Damian Scott
    ------------------------------



  • 6.  RE: fn_crowdstrike_falcon_sandbox - Had to remove falcon_sandbox_submit_name to get it to work

    Posted Mon May 01, 2023 02:26 PM

    UPDATE:  I resolved the issue.  After noticing that there were no customizations for Falcon Sandbox (i.e. Destinations, Workflows and Functions), I removed and reinstalled on our Integration Server again.  This time, I used resilient-circuits customize -l fn-crowdstrike-falcon-sandbox vs importing the .res file. Note:  The documentation for the app states to import via .res file.

    The other important thing to check is to ensure the Falcon Sandbox Destination has the correct Username/API key assignment.

    Once all customizations were validated, the selftest was successful.



    ------------------------------
    Damian Scott
    ------------------------------