IBM QRadar SOAR

  • 1.  integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Mon January 29, 2024 11:33 AM

    I have an integration issue between IBM Soar (v49) and CrowdStrike Falcon:

    The location: /var/crowdstrike is not writable for the current user. Please change dynamic_data_store in app.config to a writable directory 

    even though this file is writable by all,

    and in their documentation they put:

    # Location to save the status of polling (Detection offset).
    # The location should exist and should be writable for the current user,
    # otherwise the extension will use the default_detection_offset and show a
    # warning.
    # User can change the location to the directory where the current user has
    # writable access. Note that this is not supported with an App Host.
    dynamic_data_store=/var/rescircuits

    Any support?



    ------------------------------
    Hazzaa Alotaibi
    ------------------------------


  • 2.  RE: integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Tue January 30, 2024 10:24 AM

    Hi Hazzaa

    Will reach out to the developer, but am somewhat unclear on your question.

    Could you elaborate, please?

    Thanks, John



    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Thu February 01, 2024 12:38 PM

    After configuring the CrowdStrike app in the app.conf file, it does not pull detections or upload IOCs. I enabled DEBUG logging, and in the logs I get this error:

    2024-01-10 23:38:24,289 INFO [cs_detection_poll] [MainThread] Component initiated.!
    2024-01-10 23:38:24,290 INFO [cs_detection_process] [MainThread] Save dynamic data at: /var/rescircuits
    2024-01-10 23:38:24,291 WARNING [cs_detection_process] [MainThread] The location: /var/rescircuits is not writable for the current user.Please change dynamic_data_store in app.config to a writable directory

    Thanks for your support.



    ------------------------------
    Hazzaa Alotaibi
    ------------------------------



  • 4.  RE: integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Tue February 13, 2024 03:37 AM

    Hi John,

    I used this command to get shell access, but I cannot:

    #sudo kubectl exec -it 17453da7-072b-4703-8e47-0c0213b51bc8-cbc6c7856-tv52n -- bash


    Error from server (NotFound): pods "17453da7-072b-4703-8e47-0c0213b51bc8-cbc6c7856-tv52n" not found

    How do I get shell access to the CrowdStrike app container?



    ------------------------------
    Hazzaa Alotaibi
    ------------------------------



  • 5.  RE: integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Wed February 14, 2024 06:07 AM
    Hi Hazzaa

    Apologies for not getting back yesterday.

    This is the command I use to attach to a running container; you need both the namespace and deployment name

    (from 'sudo kubectl get --all-namespaces po -L App-name | grep <name of app>')

    sudo kubectl exec -it --namespace <namespace> deployments/<deployment_name> -- /bin/bash

    Regards

    John
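As an added example (not part of this thread, and not IBM's or CrowdStrike's tooling), the script below takes a copy of the `sudo kubectl get --all-namespaces po -L App-name` listing John describes, derives the namespace and deployment name for a given App-name label, and prints the matching `kubectl exec` command. It also includes a small probe to run once inside the container to confirm that the configured `dynamic_data_store` directory is really writable for the container's effective user, which is the condition behind the WARNING in post 3. The namespace `apps`, the second pod, the coredns line and the App-name values are constructed sample data; the CrowdStrike pod name is the one from post 4. `kubectl` itself is never invoked here.

```shell
#!/bin/sh
# Added example: derive <namespace> and <deployment_name> from a pod listing,
# then build the exec command from the thread. Sample listing is constructed
# (the namespace "apps" and the App-name values are assumptions); the pod name
# follows the usual <deployment>-<replicaset-hash>-<pod-hash> pattern.
SAMPLE_PODS='NAMESPACE     NAME                                                     READY   STATUS    RESTARTS   AGE   APP-NAME
apps          17453da7-072b-4703-8e47-0c0213b51bc8-cbc6c7856-tv52n     1/1     Running   0          3d    fn_crowdstrike_falcon
apps          8e1c0a42-5d2a-4e9b-9d8a-0fa4c7b1e2f3-7d9f6b8c4-x9k2q     1/1     Running   0          3d    fn_other_app
kube-system   coredns-5dd5756b68-abcde                                 1/1     Running   0          9d'

# Print "<namespace> <deployment>" for the pod whose App-name column matches $2.
# The deployment name is the pod name with its last two dash-separated
# segments (replicaset hash, pod hash) removed.
find_app_deployment() {
    printf '%s\n' "$1" | awk -v app="$2" '
        NR > 1 && $NF == app {
            ns = $1; pod = $2
            n = split(pod, parts, "-")
            dep = parts[1]
            for (i = 2; i <= n - 2; i++) dep = dep "-" parts[i]
            print ns, dep
            exit
        }'
}

# Build the exec command from the thread for the app labelled $2.
# Post 4 failed with NotFound because the namespace was missing; this always
# supplies it. Returns 1 (and prints nothing) when no pod carries the label.
build_exec_cmd() {
    listing=$1; app=$2
    set -- $(find_app_deployment "$listing" "$app")
    [ $# -eq 2 ] || { echo "no pod carries App-name=$app" >&2; return 1; }
    printf 'sudo kubectl exec -it --namespace %s deployments/%s -- /bin/bash\n' "$1" "$2"
}

# Run inside the container after exec: check that dynamic_data_store ($1) is a
# directory the effective user can actually write to. A real write probe is
# used rather than "test -w" so read-only mounts are caught as well.
check_data_store() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist" >&2
        return 1
    fi
    probe="$dir/.write-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "$dir is writable by uid $(id -u)"
        return 0
    fi
    echo "$dir is NOT writable by uid $(id -u)" >&2
    return 1
}

# Stand-alone usage: build the command from the constructed listing.
build_exec_cmd "$SAMPLE_PODS" fn_crowdstrike_falcon
```

With a real cluster, feed the live listing in instead of the sample: `build_exec_cmd "$(sudo kubectl get --all-namespaces po -L App-name)" <app-name>`, then run `check_data_store /var/rescircuits` from the shell you get inside the container; if it reports the directory is not writable for that uid, the app.config path (not host-side permissions) is what has to change, as the quoted documentation says.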







  • 6.  RE: integration between IBM Soar (v49) and CrowdStrike Falcon

    Posted Tue February 20, 2024 05:05 AM

    @John

    Thanks a lot, you are very helpful.



    ------------------------------
    Hazzaa Alotaibi
    ------------------------------