Adding scanned data from CrowdStrike to BMC Helix Automation Console via Jitterbit Harmony
BMC Helix iPaaS, powered by Jitterbit provides a prebuilt integration template to add scanned data from CrowdStrike Falcon to BMC Helix Automation Console (previously BMC Helix Vulnerability Management). To use the integration template with the values defined out of the box, update the project variables with details of your systems and deploy the integration template. The integration template uses the BMC Helix iPaaS HTTP connector for API operations for BMC Helix Automation Console (import scan report operation) and Vulnerability Management System vendors (export scan report operation).
The template provides the following capabilities:
Use case | CrowdStrike Falcon to BMC Helix Automation Console |
|---|---|
Add CrowdStrike Falcon scan data | Imports scanned data into BMC Helix Automation Console |
Creates a policy in BMC Helix Automation Console corresponding to a CrowdStrike Falcon policy. BMC Helix Automation Console returns the policy ID and imports scanned data from CrowdStrike Falcon based on the policy ID that is generated. | |
Displays the assets and vulnerabilities on the BMC Helix Automation Console dashboard | |
Runs the import on demand based on the specified filter condition or automatically by using a scheduler |
To learn more about CrowdStrike Falcon, see the
CrowdStrike documentation
.
CrowdStrike Falcon to BMC Helix Automation Console data flow
The following image gives an overview of the data flow for adding scanned data to BMC Helix Automation Console:
Before you begin
Make sure you have the following items to successfully set up and use this integration:
| Required versions | Make sure you have access to the following applications:
|
|---|---|
| Authentication and permissions | A BMC Helix Automation Console user must have the following permissions:
|
A CrowdStrike Falcon user must have the following items:
| |
| Scan file requirements | The scan data exported from CrowdStrike Falcon can be based on different filter conditions |
| Jitterbit Harmony subscription | A valid
BMC Helix iPaaS
|
Task 1: To download and import the integration template project file
Download the Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management 2023-01-01
file to your system.
This file contains the BMC Helix iPaaS Cloud Studio project Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.Important
Your access to product pages on the EPD website is determined by the license your company purchased.
As a developer, log in to BMC Helix iPaaS and navigate to the Cloud Studio.
- On the projects page, click Import.
- Click Browse, and then select the Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.json file you downloaded.
The Project Name and Organization fields are automatically populated depending on the values defined. - From the Environment list, select the environment to which you want to import this integration template, and then click Import.
The project opens after the integration template is imported. - To open the project file later, select the environment where the integration templates are available, and then select Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management, and click View/Edit.
Task 2: To update the project variables for the integration template
- Click ... next to the Environment name and select Project Variables.
To access CrowdStrike Falcon and BMC Helix Automation Console, update the following project variables:
Project variables Action CrowdStrike Falcon CROWDSTRIKE_URL
Enter the URL of the CrowdStrike Falcon instance you are using.
CROWDSTRIKE_CLIENT_ID
Enter the client ID for your CrowdStrike Falcon instance that you generated earlier.
CROWDSTRIKE_SECRET_ID
Enter the secret ID for your CrowdStrike Falcon instance that you generated earlier.
CROWDSTRIKEAPI_LIMIT
Enter a value between 1-5000 to limit the items to be returned.
By default, CrowdStrike Falcon sends 100 scanned data at a time.
CROWDSTRIKE_FILTER
Enter a filter condition in the following format to import scanned data from a CrowdStrike Falcon policy:
filter=[filter_name]:['value']For example, enter filter=[severity]:['low'].
You can also enter multiple filter conditions in the following format:
filter=[filter_name]:['value']%2bfilter_name2:['value2']
For example, enterfilter=[severity]:['High','Critical']%2bstatus:['Open','Closed']
To know more about the filters, see Filter Spotlight APIs
.
Important: Regardless of the severity value you specify in the filter, CrowdStrike Falcon sends data associated with all the severity values.CROWDSTRIKE_SCAN_NAME
Enter a name for the scanned file that you want to import from CrowdStrike Falcon.
The scanned file in BMC Helix Automation Console is generated with the name that you specify.
BMC Helix Automation Console HVM_URL Enter the URL of the BMC Helix Automation Console instance. HVM_User Enter the username to access the BMC Helix Automation Console instance. HVM_Password Enter the password for the username to access the BMC Helix Automation Console instance. HVM_Login_Role Enter the role of the BMC Helix Automation Console Instance user. HVM_TenantID Enter the tenant ID of the BMC Helix Automation Console Instance.
This value is mandatory if the user belongs to multiple tenants.
HVM_Vendor Enter CrowdStrike. HVM_Cloud_User Enter one of the following values to define the type of user for the BMC Helix Automation Console instance:
- True: For a cloud user
- False: For a Server Automation user
Task 3: To configure the Jitterbit private agent
Perform the following steps only if you are using an on-premises version of BMC Helix iPaaS, powered by Jitterbit:
Important
Make sure you have administrator access to perform these configurations.
- In BMC Helix iPaaS, powered by Jitterbit, click
and select Management Console > Agents > Agent Groups. - Select the private agent you are using, click the Action list, and select Jitterbit Conf.
The Jitterbit Conf dialog box is displayed. On the Config tab, click Edit, and perform the following actions:
Section Field Description Action OperationEngine MaxAsyncOperationChainLength The number of asynchronous operations needed to import scanned vulnerability data from CrowdStrike Falcon. Specify the number of operations you want to run based on the amount of vulnerability data you want to import.
For example, if you want to import 2000000 vulnerabilities, enter 2000 in this field.
If you want to import unlimited data, enter 0 or a negative number.
By default, the value of this field is set to 50.
- Click Submit.
Cache functionality
The following image illustrates how the integration template imports vulnerability data after it failed during the first import process:
If the import process fails due to certain reasons; for example, the agent machine is shut down, the cache functionality stores the point of failure for 24 hours. When you run the template again after the failure, the template starts importing the vulnerability data from the point where the import failed.
Task 4: To deploy and enable the project
- To deploy the project, click the ellipsis ... next to the project name and then click Deploy Project.
- To enable the project, select 4.0 HVM Create Policy > 4.1 HVM Create Policies, click the ellipsis, and then click Run.
(Optional) Task 5: To fetch the policy ID by using a scheduler
This integration template provides the HVM GET Policy operation that you can run automatically by using a scheduler. To do this, you can either use an existing schedule or create a new schedule and assign to a workflow.
To create a new schedule and assign it to a workflow, perform the following steps:
- In the template, on the WORKFLOWS tab, select 5.0 HVM GET Policy > 5.0 HVM GET WRAPPER.
- Click the ellipsis ..., and then click Settings, as shown in the following image:
- On the Schedules tab, click Create New Schedule.
On the New Schedule page, complete the following fields:
Field name Action SCHEDULE NAME Enter a meaningful name for the schedule. OCCURENCE Specify when you want the schedule to be run. FREQUENCY Specify how many times you want the schedule to be run. DURATION Specify the start and end dates for the schedule. 
- Click Save.
- On the Schedules tab, from the CONDITION list, select On Schedule.
- From the SCHEDULE list, select the schedule you created.
- Click Assign.
For more information about schedules, see
Schedules
.
Workflows included in the integration template
The integration template includes workflows for the basic configuration and each integration use case. The following tables describe the operations defined in each workflow:
Common
This workflow contains the following operations:
| Operation name | Actions performed |
|---|---|
Validate HTTP status code | Validates the webhook operations |
| Parse JSON | Converts a JSON object in text format to a Javascript object |
HVM Workflow
This workflow imports the defined scans into BMC Helix Automation Console.
| Operation name | Actions performed |
|---|---|
| HVM Wrapper | Integrates all the operations in this flow into a single logical flow |
| HVM Login | Logs in to the BMC Helix Automation Console instance by using the credentials provided in the project variables and retrieves the authorization token |
| HVM Generate JWT | Generates JWT from authorization token |
| HVM Import Scans | Imports scan report for the IDs defined the project variables from the BMC Helix iPaaS temporary storage into BMC Helix Automation Console |
| Successful Scan details | Shows details of the scanned data |
Crowdstrike
This workflow retrieves the scan data and verifies it for export. The following operations are included in this workflow:
Operation name | Actions performed |
|---|---|
CrowdStrike Wrapper | Integrates all the CrowdStrike Falcon operations into one logical flow |
Login | Logs in to a CrowdStrike Falcon instance and extracts the authorization token |
GetVulnerabilities | Gets the data from CrowdStrike Falcon according to the filter criteria specified in the project variables |
Create Json for HVM | Parses the response from the CrowdStrike Falcon message to the JSON format according to the BMC Helix Automation Console requirements |
HVM Create Policy
This workflow imports the defined scans into BMC Helix Automation Console.
| Operation name | Actions performed |
|---|---|
HVM Create policy wrapper | Integrates BMC Helix Automation Console and CrowdStrike Falcon as per the defined logic |
HVM Create Policies | Creates a policy in BMC Helix Automation Console and returns the policy ID |
Important
Run the HVM Create Policy workflow only once to generate a single scanned file with data for all the filter conditions that you have specified. If you want to generate a separate scanned file, specify the file name in the CROWDSTRIKE_SCAN_NAME variable, and then run the HVM Create Policy workflow.
HVM GET Policy
This workflow gets the policy ID from BMC Helix Automation Console and fetches data from the corresponding policy in CrowdStrike Falcon.
Operation name | Actions performed |
|---|---|
HVM GET WRAPPER | Integrates BMC Helix Automation Console and CrowdStrike Falcon according to the defined logic |
Get Policy Id | Gets the policy ID from BMC Helix Automation Console |
Important
You can either run this workflow manually or by using a scheduler. For steps to run this workflow by using a scheduler, see To fetch the policy ID by using a scheduler.
Comments
Log in or register to comment.