IBM Security
Has anyone else successfully made use of the fn_crowdstrike_falcon_sandbox integration? We had to edit the code so that the submit_name is not sent as part of the submission request, otherwise we got a validation error. We had to remove the falcon_sandbox_submit_name from the HA_LIST_OF_RUNTIME_PARAMS_SUBMIT_URL constant.
Otherwise, are people happy with the integration? I see it was last updated in 2019.
We recently installed it and upgraded the API key from restricted to standard, but the self-test still fails with error code 404 - bad api (or endpoint).

Here's our app.config; it was pretty straight-forward:

falcon_sandbox_api_key=xxxxxx
falcon_sandbox_api_host=https://www.hybrid-analysis.com/api/v2
fetch_report_status_interval=60
fetch_report_timeout=600

app.config only asks for api key and not secret. Is that the problem?
I've confirmed via packet analysis there are no connection attempts being made to hybrid-analysis.

Results from resilient-circuits selftest -l fn-crowdstrike-falcon-sandbox:

2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None
Hi Damian,

From your error message here:

2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None

It seems that the problem is that your connection to your QRadar SOAR is not working. I'd suggest checking your settings in your app.config, under the [resilient] section. Also, make sure which app.config file you are loading; check your environment variables.

Hope that helps.
Hi Deon,

All other applications and required connections via "GET /rest/orgs/<ID>/functions..." work just fine. It's not a connection issue between the Integration Server and SOAR, but it could possibly be either antiquated code within this Community app or the selftest not working correctly. I am going to test with the UI in SOAR next.

I would be interested if anyone else is using this app and their experience.
UPDATE: I resolved the issue. After noticing that there were no customizations for Falcon Sandbox (i.e. Destinations, Workflows and Functions), I removed and reinstalled on our Integration Server again. This time, I used resilient-circuits customize -l fn-crowdstrike-falcon-sandbox vs importing the .res file. Note: the documentation for the app states to import via .res file.

The other important thing to check is to ensure the Falcon Sandbox Destination has the correct Username/API key assignment.

Once all customizations were validated, the selftest was successful.
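The diagnosis reached in this thread (a 404 on GET /rest/orgs/<ID>/functions/<name> means SOAR answered, so connectivity and credentials are fine, but the function customization is not installed in that org) can be turned into a small triage script for selftest output. The following is an added example written for this page; it is not part of the fn-crowdstrike-falcon-sandbox app or of resilient-circuits. It parses the urllib3 connectionpool DEBUG lines that resilient-circuits emits, and the log sample embedded in it is constructed (the 404 line is the one quoted above; the others are invented for illustration). The verdict strings and the Finding class are this script's own, not anything the tooling prints.

```python
"""Triage urllib3 'connectionpool' DEBUG lines from a resilient-circuits selftest run.

Added example for this thread; not part of resilient-circuits or the
fn-crowdstrike-falcon-sandbox app. The SAMPLE_LOG below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the lines urllib3 logs at DEBUG level, e.g.
#   2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 \
#   "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) DEBUG \[connectionpool\] \[\w+\] '
    r'(?P<base>https?://[^ ]+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<length>\S+)$'
)
# The SOAR REST path a function lookup hits; org id and function name are captured.
FUNC_RE = re.compile(r'^/rest/orgs/(?P<org>\d+)/functions/(?P<name>[^/?]+)')


@dataclass
class Finding:
    host: str
    method: str
    path: str
    status: int
    verdict: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for lines that are not connectionpool requests.

    A line with an HTTP status at all proves the TCP/TLS connection to SOAR succeeded;
    a genuine connection failure surfaces as an exception, not as one of these lines.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    status = int(m.group('status'))
    path = m.group('path')
    f = FUNC_RE.match(path)
    if f is not None and status == 404:
        # SOAR responded but has no such function object: the app's customizations
        # (functions, workflows, message destinations) are missing from this org.
        verdict = (f"function '{f.group('name')}' is not defined in org {f.group('org')}: "
                   "customizations not installed; SOAR connection itself is working")
    elif status in (401, 403):
        verdict = "SOAR rejected the credentials configured in the [resilient] section"
    elif 200 <= status < 300:
        verdict = "ok"
    else:
        verdict = f"unexpected HTTP {status} from SOAR"
    return Finding(m.group('base'), m.group('method'), path, status, verdict)


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole selftest log, skipping non-matching lines."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: a successful session call, the 404 quoted in the thread,
# an unrelated INFO line, and an invented 401 for contrast.
SAMPLE_LOG = """\
2023-04-21 13:09:58,101 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "POST /rest/session HTTP/1.1" 200 None
2023-04-21 13:10:03,752 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/functions/falcon_sandbox_submit_file?handle_format=names HTTP/1.1" 404 None
2023-04-21 13:10:03,760 INFO [resilient_circuits] [MainThread] selftest output line (not a request)
2023-04-21 13:12:40,003 DEBUG [connectionpool] [MainThread] https://soar.domain.com:443 "GET /rest/orgs/201/message_destinations HTTP/1.1" 401 None
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.status} {finding.method} {finding.path}\n    -> {finding.verdict}")
```

Run it against the real selftest output piped to a file and the function-lookup 404 is reported as a missing customization rather than a connectivity problem, which is what the thread eventually found; it also explains why no traffic to hybrid-analysis was ever seen, since the selftest stops at the SOAR lookup before the sandbox API is contacted.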