Adding scanned data from CrowdStrike to BMC Helix Automation Console via Jitterbit Harmony
BMC Helix iPaaS, powered by Jitterbit provides a prebuilt integration template to add scanned data from CrowdStrike Falcon to BMC Helix Automation Console (previously BMC Helix Vulnerability Management). To use the integration template with the values defined out of the box, update the project variables with details of your systems and deploy the integration template. The integration template uses the BMC Helix iPaaS HTTP connector for API operations for BMC Helix Automation Console (import scan report operation) and Vulnerability Management System vendors (export scan report operation).
The template provides the following capabilities:
CrowdStrike Falcon to BMC Helix Automation Console
Add CrowdStrike Falcon scan data
Imports scanned data into BMC Helix Automation Console
Creates a policy in BMC Helix Automation Console corresponding to a CrowdStrike Falcon policy. BMC Helix Automation Console returns the policy ID and imports scanned data from CrowdStrike Falcon based on the policy ID that is generated.
Displays the assets and vulnerabilities on the BMC Helix Automation Console dashboard
Runs the import on demand based on the specified filter condition or automatically by using a scheduler
To learn more about CrowdStrike Falcon, see the .
CrowdStrike Falcon to BMC Helix Automation Console data flow
The following image gives an overview of the data flow for adding scanned data to BMC Helix Automation Console:
Before you begin
Make sure you have the following items to successfully set up and use this integration:
Make sure you have access to the following applications:
|Authentication and permissions
A BMC Helix Automation Console user must have the following permissions:
A CrowdStrike Falcon user must have the following items:
|Scan file requirements
The scan data exported from CrowdStrike Falcon can be based on different filter conditions
|Jitterbit Harmony subscription
A valid subscription
Task 1: To download and import the integration template project file
Download the file to your system.
This file contains the BMC Helix iPaaS Cloud Studio project Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.
Your access to product pages on the EPD website is determined by the license your company purchased.
As a developer, log in to BMC Helix iPaaS and navigate to the Cloud Studio.
- On the projects page, click Import.
- Click Browse, and then select the Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.json file you downloaded.
The Project Name and Organization fields are automatically populated depending on the values defined.
- From the Environment list, select the environment to which you want to import this integration template, and then click Import.
The project opens after the integration template is imported.
- To open the project file later, select the environment where the integration templates are available, and then select Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management, and click View/Edit.
Task 2: To update the project variables for the integration template
- Click ... next to the Environment name and select Project Variables.
To access CrowdStrike Falcon and BMC Helix Automation Console, update the following project variables:
Project variables Action CrowdStrike Falcon
Enter the URL of the CrowdStrike Falcon instance you are using.
Enter the client ID for your CrowdStrike Falcon instance that you generated earlier.
Enter the secret ID for your CrowdStrike Falcon instance that you generated earlier.
Enter a value between 1-5000 to limit the items to be returned.
By default, CrowdStrike Falcon sends 100 scanned data at a time.
Enter a filter condition in the following format to import scanned data from a CrowdStrike Falcon policy:
For example, enter filter=[severity]:['low'].
You can also enter multiple filter conditions in the following format:
For example, enter
To know more about the filters, see .
Important: Regardless of the severity value you specify in the filter, CrowdStrike Falcon sends data associated with all the severity values.
Enter a name for the scanned file that you want to import from CrowdStrike Falcon.
The scanned file in BMC Helix Automation Console is generated with the name that you specify.
BMC Helix Automation Console HVM_URL Enter the URL of the BMC Helix Automation Console instance. HVM_User Enter the username to access the BMC Helix Automation Console instance. HVM_Password Enter the password for the username to access the BMC Helix Automation Console instance. HVM_Login_Role Enter the role of the BMC Helix Automation Console Instance user. HVM_TenantID
Enter the tenant ID of the BMC Helix Automation Console Instance.
This value is mandatory if the user belongs to multiple tenants.
HVM_Vendor Enter CrowdStrike. HVM_Cloud_User
Enter one of the following values to define the type of user for the BMC Helix Automation Console instance:
- True: For a cloud user
- False: For a Server Automation user
Task 3: To configure the Jitterbit private agent
Perform the following steps only if you are using an on-premises version of BMC Helix iPaaS, powered by Jitterbit:
Make sure you have administrator access to perform these configurations.
- In BMC Helix iPaaS, powered by Jitterbit, click and select Management Console > Agents > Agent Groups.
- Select the private agent you are using, click the Action list, and select Jitterbit Conf.
The Jitterbit Conf dialog box is displayed.
On the Config tab, click Edit, and perform the following actions:
Section Field Description Action OperationEngine MaxAsyncOperationChainLength The number of asynchronous operations needed to import scanned vulnerability data from CrowdStrike Falcon.
Specify the number of operations you want to run based on the amount of vulnerability data you want to import.
For example, if you want to import 2000000 vulnerabilities, enter 2000 in this field.
If you want to import unlimited data, enter 0 or a negative number.
By default, the value of this field is set to 50.
- Click Submit.
The following image illustrates how the integration template imports vulnerability data after it failed during the first import process:
If the import process fails due to certain reasons; for example, the agent machine is shut down, the cache functionality stores the point of failure for 24 hours. When you run the template again after the failure, the template starts importing the vulnerability data from the point where the import failed.
Task 4: To deploy and enable the project
- To deploy the project, click the ellipsis ... next to the project name and then click Deploy Project.
- To enable the project, select 4.0 HVM Create Policy > 4.1 HVM Create Policies, click the ellipsis, and then click Run.
(Optional) Task 5: To fetch the policy ID by using a scheduler
This integration template provides the HVM GET Policy operation that you can run automatically by using a scheduler. To do this, you can either use an existing schedule or create a new schedule and assign to a workflow.
To create a new schedule and assign it to a workflow, perform the following steps:
- In the template, on the WORKFLOWS tab, select 5.0 HVM GET Policy > 5.0 HVM GET WRAPPER.
- Click the ellipsis ..., and then click Settings, as shown in the following image:
- On the Schedules tab, click Create New Schedule.
On the New Schedule page, complete the following fields:
Field name Action SCHEDULE NAME Enter a meaningful name for the schedule. OCCURENCE Specify when you want the schedule to be run. FREQUENCY Specify how many times you want the schedule to be run. DURATION Specify the start and end dates for the schedule.
- Click Save.
- On the Schedules tab, from the CONDITION list, select On Schedule.
- From the SCHEDULE list, select the schedule you created.
- Click Assign.
For more information about schedules, see .
Workflows included in the integration template
The integration template includes workflows for the basic configuration and each integration use case. The following tables describe the operations defined in each workflow:
This workflow contains the following operations:
Validate HTTP status code
|Validates the webhook operations
This workflow imports the defined scans into BMC Helix Automation Console.
Integrates all the operations in this flow into a single logical flow
Logs in to the BMC Helix Automation Console instance by using the credentials provided in the project variables and retrieves the authorization token
|HVM Generate JWT
|Generates JWT from authorization token
|HVM Import Scans
Imports scan report for the IDs defined the project variables from the BMC Helix iPaaS temporary storage into BMC Helix Automation Console
|Successful Scan details
Shows details of the scanned data
This workflow retrieves the scan data and verifies it for export. The following operations are included in this workflow:
Integrates all the CrowdStrike Falcon operations into one logical flow
Logs in to a CrowdStrike Falcon instance and extracts the authorization token
Gets the data from CrowdStrike Falcon according to the filter criteria specified in the project variables
Create Json for HVM
Parses the response from the CrowdStrike Falcon message to the JSON format according to the BMC Helix Automation Console requirements
HVM Create Policy
This workflow imports the defined scans into BMC Helix Automation Console.
HVM Create policy wrapper
Integrates BMC Helix Automation Console and CrowdStrike Falcon as per the defined logic
HVM Create Policies
Creates a policy in BMC Helix Automation Console and returns the policy ID
Run the HVM Create Policy workflow only once to generate a single scanned file with data for all the filter conditions that you have specified. If you want to generate a separate scanned file, specify the file name in the CROWDSTRIKE_SCAN_NAME variable, and then run the HVM Create Policy workflow.
HVM GET Policy
This workflow gets the policy ID from BMC Helix Automation Console and fetches data from the corresponding policy in CrowdStrike Falcon.
HVM GET WRAPPER
Integrates BMC Helix Automation Console and CrowdStrike Falcon according to the defined logic
Get Policy Id
Gets the policy ID from BMC Helix Automation Console
You can either run this workflow manually or by using a scheduler. For steps to run this workflow by using a scheduler, see To fetch the policy ID by using a scheduler.