Adding scanned data from CrowdStrike to BMC Helix Automation Console via Jitterbit Harmony


BMC Helix iPaaS, powered by Jitterbit, provides a prebuilt integration template to add scanned data from CrowdStrike Falcon to BMC Helix Automation Console (previously BMC Helix Vulnerability Management). To use the integration template with the values defined out of the box, update the project variables with details of your systems and deploy the integration template. The integration template uses the BMC Helix iPaaS HTTP connector for API operations for BMC Helix Automation Console (import scan report operation) and Vulnerability Management System vendors (export scan report operation).

The template provides the following capabilities:

Use case: Add CrowdStrike Falcon scan data

CrowdStrike Falcon to BMC Helix Automation Console:

  • Imports scanned data into BMC Helix Automation Console
  • Creates a policy in BMC Helix Automation Console corresponding to a CrowdStrike Falcon policy. BMC Helix Automation Console returns the policy ID and imports scanned data from CrowdStrike Falcon based on the policy ID that is generated.
  • Displays the assets and vulnerabilities on the BMC Helix Automation Console dashboard
  • Runs the import on demand based on the specified filter condition or automatically by using a scheduler

To learn more about CrowdStrike Falcon, see the CrowdStrike documentation.

CrowdStrike Falcon to BMC Helix Automation Console data flow

The following image gives an overview of the data flow for adding scanned data to BMC Helix Automation Console:

[Image: CrowdStrike Falcon to BMC Helix Automation Console data flow]

Before you begin

Make sure you have the following items to successfully set up and use this integration:

Required versions

Make sure you have access to the following applications:

  • CrowdStrike Falcon latest version
  • BMC Helix Automation Console version 20.08 or later

Authentication and permissions

A BMC Helix Automation Console user must have the following permissions:

  • Administrator access to BMC Helix Automation Console; for example, the Administrator security group
  • Read permission
  • Access to a valid security group set to import scan reports

A CrowdStrike Falcon user must have the following items:

  • Valid login credentials and access to APIs
  • Required assets added to CrowdStrike Falcon
  • Required data is available
  • Client ID and secret ID
    For steps to generate client and secret IDs, see Defining your first API client.

Scan file requirements

The scan data exported from CrowdStrike Falcon can be based on different filter conditions.

Jitterbit Harmony subscription

A valid BMC Helix iPaaS subscription

Task 1: To download and import the integration template project file

  1. Download the Import CrowdStrike Vulnerability data in BMC Helix Automation Console 2024-05-01 file to your system.
    This file contains the BMC Helix iPaaS Integration Studio project Import CrowdStrike Vulnerability data in BMC Helix Automation Console 2024-05-01.

    Important

    Your access to product pages on the EPD website is determined by the license your company purchased.

  2. As a developer, log in to BMC Helix iPaaS and navigate to the Integration Studio.
  3. On the projects page, click Import.
  4. Click Browse, and then select the Import CrowdStrike Vulnerability data in BMC Helix Automation Console 2024-05-01.json file you downloaded.
    The Project Name and Organization fields are automatically populated depending on the values defined. 
  5. From the Environment list, select the environment to which you want to import this integration template, and then click Import.
    The project opens after the integration template is imported. 
  6. To open the project file later, select the environment where the integration templates are available, and then select Import CrowdStrike Vulnerability data in BMC Helix Automation Console, and click View/Edit.

Task 2: To update the project variables for the integration template

  1. Click ... next to the Environment name and select Project Variables.
  2. To access CrowdStrike Falcon and BMC Helix Automation Console, update the following project variables:

    Project variables

    Action

    CrowdStrike Falcon

    CROWDSTRIKE_URL

    Enter the URL of the CrowdStrike Falcon instance you are using.

    CROWDSTRIKE_CLIENT_ID

    Enter the client ID for your CrowdStrike Falcon instance that you generated earlier.

    CROWDSTRIKE_SECRET_ID

    Enter the secret ID for your CrowdStrike Falcon instance that you generated earlier.

    CROWDSTRIKEAPI_LIMIT

    Enter a value from 1 to 5000 to limit the number of items returned.

    By default, CrowdStrike Falcon sends 100 scanned data items at a time.

    CROWDSTRIKE_FILTER

    Enter a filter condition in the following format to import scanned data from a CrowdStrike Falcon policy:

    filter=[filter_name]:['value']

    For example, enter filter=[severity]:['low'].

    You can also enter multiple filter conditions in the following format:

    filter=[filter_name]:['value']%2bfilter_name2:['value2']

    For example, enter filter=[severity]:['High','Critical']%2bstatus:['Open','Closed']

    To learn more about the filters, see Filter Spotlight APIs.

    Important: Regardless of the severity value you specify in the filter, CrowdStrike Falcon sends data associated with all the severity values.

    CROWDSTRIKE_SCAN_NAME

    Enter a name for the scanned file that you want to import from CrowdStrike Falcon.

    The scanned file in BMC Helix Automation Console is generated with the name that you specify.

    BMC Helix Automation Console variables

    HAC_URL

    Enter the BMC Helix Portal URL to access BMC Helix Automation Console.

    HAC_Access_Key

    Enter the access key for your BMC Helix Automation Console instance that you generated from BMC Helix Portal.

    HAC_Secret_Key

    Enter the secret key for your BMC Helix Automation Console instance that you generated from BMC Helix Portal.

    HAC_Context

    Enter one of the following values:

    • ADE
    • TSSA

    This variable determines the user interface that you view after logging in to BMC Helix Automation Console. It also determines the pages you can view in the user interface and the operations that you can perform.

    Important: If you leave this variable blank, the template uses ADE as the default value.

    HVM_Vendor

    Enter CrowdStrike.

    TrueSight Server Automation project variables

    TSSA_User_Name

    Enter the user name to access BMC Helix Automation Console.

    TSSA_Password

    Enter the password for the user name that you provided.

    TSSA_Role_Name

    Enter the role of the user who can access BMC Helix Automation Console.

    TSSA_Server_URL

    Enter the URL of your BMC Helix Automation Console instance in the following format: [http/https]://[host name and port]

    TSSA_Authentication_Type

    Enter SRP. This variable enables a user to log in to BMC Helix Automation Console by using the SRP (Secure Remote Password) authentication method.
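
As a pre-deployment check for the values entered in Task 2, the following Python code (an added example, not part of the BMC integration template) validates CROWDSTRIKE_FILTER against the format documented above, together with CROWDSTRIKEAPI_LIMIT, HAC_Context, and HVM_Vendor. The function names and the sample values are assumptions made for illustration, and any filter outside the documented name:['value'] shape is reported as malformed.

```python
import re

# One condition in the documented format: name:['v1','v2']. The page's examples
# write the first name as [name] and later names bare, so both are accepted.
CLAUSE = re.compile(r"(?:\[([\w.]+)\]|([\w.]+)):\[('[^']*'(?:,'[^']*')*)\]")

def parse_filter(value):
    """Return ({name: [values]}, problems) for a CROWDSTRIKE_FILTER string."""
    if not value.startswith("filter="):
        return {}, ["must start with 'filter='"]
    body, clauses, problems = value[len("filter="):], {}, []
    if "+" in body:  # a bare '+' in a URL query string decodes to a space
        problems.append("literal '+' found; join conditions with %2b")
    for part in re.split("%2b", body, flags=re.IGNORECASE):
        m = CLAUSE.fullmatch(part)
        if not m:
            problems.append(f"malformed condition: {part!r}")
            continue
        clauses[m.group(1) or m.group(2)] = re.findall(r"'([^']*)'", m.group(3))
    return clauses, problems

def check_variables(v):
    """Return (errors, warnings) for a dict of project variable values."""
    clauses, problems = parse_filter(v.get("CROWDSTRIKE_FILTER", ""))
    errors = [f"CROWDSTRIKE_FILTER: {p}" for p in problems]
    warnings = []
    if "severity" in clauses:
        # Per the Important note above: Falcon sends all severity values anyway.
        warnings.append("CROWDSTRIKE_FILTER: severity value does not narrow the import")
    limit = str(v.get("CROWDSTRIKEAPI_LIMIT", ""))
    if not (re.fullmatch(r"[0-9]{1,4}", limit) and 1 <= int(limit) <= 5000):
        errors.append("CROWDSTRIKEAPI_LIMIT: enter a whole number from 1 to 5000")
    if (v.get("HAC_Context") or "ADE") not in ("ADE", "TSSA"):  # blank means ADE
        errors.append("HAC_Context: must be ADE, TSSA, or blank")
    if v.get("HVM_Vendor") != "CrowdStrike":
        errors.append("HVM_Vendor: must be CrowdStrike")
    return errors, warnings

# Constructed sample values for illustration (no credentials included).
SAMPLE = {
    "CROWDSTRIKE_FILTER": "filter=[severity]:['High','Critical']%2bstatus:['Open','Closed']",
    "CROWDSTRIKEAPI_LIMIT": "5000",
    "HAC_Context": "",
    "HVM_Vendor": "CrowdStrike",
}

if __name__ == "__main__":
    print(check_variables(SAMPLE))
```
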

Task 3: To configure the Jitterbit private agent

Perform the following steps only if you are using an on-premises version of BMC Helix iPaaS, powered by Jitterbit:

Important

Make sure you have administrator access to perform these configurations.

  1. In BMC Helix iPaaS, powered by Jitterbit, click the hamburger icon and select Management Console > Agents > Agent Groups.
  2. Select the private agent you are using, click the Action list, and select Jitterbit Conf.
    The Jitterbit Conf dialog box is displayed.
  3. On the Config tab, click Edit, and perform the following actions:

    Section: OperationEngine

    Field: MaxAsyncOperationChainLength

    Description: The number of asynchronous operations needed to import scanned vulnerability data from CrowdStrike Falcon.

    Action: Specify the number of operations you want to run based on the amount of vulnerability data you want to import.

    For example, if you want to import 2000000 vulnerabilities, enter 2000 in this field.

    If you want to import unlimited data, enter 0 or a negative number.

    By default, the value of this field is set to 50.

  4. Click Submit.

Cache functionality

The following image illustrates how the integration template imports vulnerability data after it failed during the first import process:

[Image: Cache functionality of the CrowdStrike integration template]

If the import process fails, for example because the agent machine is shut down, the cache functionality stores the point of failure for 24 hours. When you run the template again after the failure, the template resumes importing the vulnerability data from the point where the import failed.

Task 4: To deploy and enable the project

  1. To deploy the project, click the ellipsis ... next to the project name and then click Deploy Project.
  2. To enable the project, select 4.0 HVM Create Policy > 4.1 HVM Create Policies, click the ellipsis, and then click Run.


(Optional) Task 5: To fetch the policy ID by using a scheduler

This integration template provides the HVM GET Policy operation that you can run automatically by using a scheduler. To do this, you can either use an existing schedule or create a new schedule and assign it to a workflow.

To create a new schedule and assign it to a workflow, perform the following steps:

  1. In the template, on the WORKFLOWS tab, select 5.0 HVM GET Policy > 5.0 HVM GET WRAPPER.
  2. Click the ellipsis ..., and then click Settings, as shown in the following image:
    [Image: HVM GET Policy scheduler settings]
  3. On the Schedules tab, click Create New Schedule.
  4. On the New Schedule page, complete the following fields:

    | Field name | Action |
    | --- | --- |
    | SCHEDULE NAME | Enter a meaningful name for the schedule. |
    | OCCURRENCE | Specify when you want the schedule to be run. |
    | FREQUENCY | Specify how many times you want the schedule to be run. |
    | DURATION | Specify the start and end dates for the schedule. |

  5. Click Save.
  6. On the Schedules tab, from the CONDITION list, select On Schedule.
  7. From the SCHEDULE list, select the schedule you created.
  8. Click Assign.

For more information about schedules, see Schedules.

Workflows included in the integration template

The integration template includes workflows for the basic configuration and each integration use case. The following tables describe the operations defined in each workflow:

Common

This workflow contains the following operations:

| Operation name | Actions performed |
| --- | --- |
| Validate HTTP status code | Validates the webhook operations |
| Parse JSON | Converts a JSON object in text format to a JavaScript object |


HAC Workflow

This workflow imports the defined scans into BMC Helix Automation Console. 

| Operation name | Actions performed |
| --- | --- |
| HAC Wrapper | Integrates all the operations in this flow into a single logical flow |
| HAC IMS Login | Generates the IMS authorization token |
| HAC Session payload | Generates a session ID. This workflow is applicable only when the TSSA context is selected. |
| HVM Import Scans | Imports scan report for the IDs defined in the project variables from the BMC Helix iPaaS temporary storage into BMC Helix Automation Console |

CrowdStrike Workflow

This workflow retrieves the scan data and verifies it for export. The following operations are included in this workflow:

| Operation name | Actions performed |
| --- | --- |
| CrowdStrike Wrapper | Integrates all the CrowdStrike Falcon operations into one logical flow |
| CrowdStrike Login | Logs in to a CrowdStrike Falcon instance and extracts the authorization token |
| GetVulnerabilities | Gets the data from CrowdStrike Falcon according to the filter criteria specified in the project variables |
| Create Json for HAC | Parses the response from the CrowdStrike Falcon message to the JSON format according to the BMC Helix Automation Console requirements |

HAC Create Policy

This workflow imports the defined scans into BMC Helix Automation Console. 

| Operation name | Actions performed |
| --- | --- |
| HAC Create policy wrapper | Integrates BMC Helix Automation Console and CrowdStrike Falcon as per the defined logic |
| HAC Create Policies | Creates a policy in BMC Helix Automation Console and returns the policy ID |

Important

Run the HVM Create Policy workflow only once to generate a single scanned file with data for all the filter conditions that you have specified. If you want to generate a separate scanned file, specify the file name in the CROWDSTRIKE_SCAN_NAME variable, and then run the HVM Create Policy workflow.


HAC GET Policy

This workflow gets the policy ID from BMC Helix Automation Console and fetches data from the corresponding policy in CrowdStrike Falcon.

| Operation name | Actions performed |
| --- | --- |
| HAC GET WRAPPER | Integrates BMC Helix Automation Console and CrowdStrike Falcon according to the defined logic |
| Get Policy Id | Gets the policy ID from BMC Helix Automation Console |

Important

You can run this workflow either manually or by using a scheduler. For steps to run this workflow by using a scheduler, see To fetch the policy ID by using a scheduler.

 
