Adding scanned data from CrowdStrike to TrueSight Automation Console via BMC Helix iPaaS, powered by Jitterbit
BMC Helix iPaaS, powered by Jitterbit, provides a prebuilt integration template that adds scanned data from CrowdStrike Falcon to TrueSight Automation Console (previously BMC Helix Vulnerability Management). To use the integration template with the values defined out of the box, update the project variables with the details of your systems and deploy the integration template. The integration template uses the BMC Helix iPaaS HTTP connector for the API operations of TrueSight Automation Console (import scan report operation) and of the Vulnerability Management System vendor (export scan report operation).
The template provides the following capabilities:
Use case | CrowdStrike Falcon to TrueSight Automation Console |
---|---|
Add CrowdStrike Falcon scan data | Imports scanned data into TrueSight Automation Console |
| Creates a policy in TrueSight Automation Console corresponding to a CrowdStrike Falcon policy. TrueSight Automation Console returns the policy ID and imports scanned data from CrowdStrike Falcon based on the policy ID that is generated. |
| Displays the assets and vulnerabilities on the TrueSight Automation Console dashboard |
| Runs the import on demand based on the specified filter condition or automatically by using a scheduler |
To learn more about CrowdStrike Falcon, see the CrowdStrike documentation.
CrowdStrike Falcon to TrueSight Automation Console data flow
The following image gives an overview of the data flow for adding scanned data to TrueSight Automation Console:
Before you begin
Make sure you have the following items to successfully set up and use this integration:
Required versions | Make sure you have access to the following applications: |
---|---|
Authentication and permissions | A TrueSight Automation Console user must have the following permissions: A CrowdStrike Falcon user must have the following items: |
Scan file requirements | The scan data exported from CrowdStrike Falcon can be based on different filter conditions |
Jitterbit Harmony subscription | A valid BMC Helix iPaaS subscription |
Task 1: To download and import the integration template project file
- Download the Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management 2023-01-01 file to your system.
This file contains the BMC Helix iPaaS Integration Studio project Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.
- As a developer, log in to BMC Helix iPaaS and navigate to the Integration Studio.
- On the projects page, click Import.
- Click Browse, and then select the Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management.json file you downloaded.
The Project Name and Organization fields are automatically populated depending on the values defined.
- From the Environment list, select the environment to which you want to import this integration template, and then click Import.
The project opens after the integration template is imported.
- To open the project file later, select the environment where the integration templates are available, select Import CrowdStrike Vulnerability data in BMC Helix Vulnerability Management, and then click View/Edit.
Task 2: To update the project variables for the integration template
- Click ... next to the Environment name and select Project Variables.
To access CrowdStrike Falcon and TrueSight Automation Console, update the following project variables:
Project variables | Action |
---|---|
CrowdStrike Falcon | |
CROWDSTRIKE_URL | Enter the URL of the CrowdStrike Falcon instance you are using. |
CROWDSTRIKE_CLIENT_ID | Enter the client ID for your CrowdStrike Falcon instance that you generated earlier. |
CROWDSTRIKE_SECRET_ID | Enter the secret ID for your CrowdStrike Falcon instance that you generated earlier. |
CROWDSTRIKEAPI_LIMIT | Enter a value between 1 and 5000 to limit the number of items returned per request. By default, CrowdStrike Falcon sends 100 records at a time. |
CROWDSTRIKE_FILTER | Enter a filter condition in the following format to import scanned data from a CrowdStrike Falcon policy: filter=[filter_name]:['value']. For example, enter filter=[severity]:['low']. You can also enter multiple filter conditions in the following format: filter=[filter_name]:['value']%2bfilter_name2:['value2'] (%2b is the URL-encoded + sign). For example, enter filter=[severity]:['High','Critical']%2bstatus:['Open','Closed']. To know more about the filters, see Filter Spotlight APIs. Important: Regardless of the severity value you specify in the filter, CrowdStrike Falcon sends data associated with all the severity values. |
CROWDSTRIKE_SCAN_NAME | Enter a name for the scanned file that you want to import from CrowdStrike Falcon. The scanned file in TrueSight Automation Console is generated with the name that you specify. |
TrueSight Automation Console | |
HVM_URL | Enter the URL of the TrueSight Automation Console instance. |
HVM_User | Enter the username to access the TrueSight Automation Console instance. |
HVM_Password | Enter the password for the username to access the TrueSight Automation Console instance. |
HVM_Login_Role | Enter the role of the TrueSight Automation Console instance user. |
HVM_TenantID | Enter the tenant ID of the TrueSight Automation Console instance. This value is mandatory if the user belongs to multiple tenants. |
HVM_Vendor | Enter CrowdStrike. |
HVM_Cloud_User | Enter one of the following values to define the type of user for the TrueSight Automation Console instance: True for a cloud user; False for a Server Automation user. |
Task 3: To configure the Jitterbit private agent
Perform the following steps only if you are using an on-premises version of BMC Helix iPaaS, powered by Jitterbit:
- In BMC Helix iPaaS, powered by Jitterbit, click and select Management Console > Agents > Agent Groups.
- Select the private agent you are using, click the Action list, and select Jitterbit Conf.
The Jitterbit Conf dialog box is displayed. On the Config tab, click Edit, and perform the following actions:
Section | Field | Description | Action |
---|---|---|---|
OperationEngine | MaxAsyncOperationChainLength | The number of asynchronous operations needed to import scanned vulnerability data from CrowdStrike Falcon. | Specify the number of operations you want to run based on the amount of vulnerability data you want to import. For example, if you want to import 2000000 vulnerabilities, enter 2000 in this field. If you want to import unlimited data, enter 0 or a negative number. By default, the value of this field is set to 50. |
- Click Submit.
Task 4: To deploy and enable the project
- To deploy the project, click the ellipsis ... next to the project name and then click Deploy Project.
- To enable the project, select 4.0 TSAC Create Policy > 4.1 TSAC Create Policies, click the ellipsis, and then click Run.
(Optional) Task 5: To fetch the policy ID by using a scheduler
This integration template provides the TSAC GET Policy operation, which you can run automatically by using a scheduler. To do this, either use an existing schedule or create a new schedule and assign it to a workflow.
To create a new schedule and assign it to a workflow, perform the following steps:
- In the template, on the WORKFLOWS tab, select 5.0 TSAC GET Policy > 5.0 TSAC GET WRAPPER.
- Click the ellipsis ..., and then click Settings, as shown in the following image:
- On the Schedules tab, click Create New Schedule.
On the New Schedule page, complete the following fields:
Field name | Action |
---|---|
SCHEDULE NAME | Enter a meaningful name for the schedule. |
OCCURRENCE | Specify when you want the schedule to be run. |
FREQUENCY | Specify how many times you want the schedule to be run. |
DURATION | Specify the start and end dates for the schedule. |
- Click Save.
- On the Schedules tab, from the CONDITION list, select On Schedule.
- From the SCHEDULE list, select the schedule you created.
- Click Assign.
For more information about schedules, see Schedules.
How does the template resume a failed import?
The following image illustrates how the integration template imports vulnerability data after the first import attempt failed:
If the import process fails for some reason (for example, the agent machine is shut down), the cache stores the point of failure for 24 hours. When you run the template again within that time, the import resumes from the point where it failed instead of starting over.
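The resume behaviour described above, as an added illustration in Python (not the template's own code): a page-by-page import that records a checkpoint after every successfully imported record and, on a rerun within 24 hours, continues from the record that failed. `fetch_page`, `import_record` and the checkpoint dict are assumed stand-ins for the CrowdStrike export, the TrueSight Automation Console import and the iPaaS cache.

```python
import time

CACHE_TTL_SECONDS = 24 * 60 * 60  # the template keeps the failure point for 24 hours


def resume_offset(checkpoint, now=time.time):
    """Return the record offset to start from: the cached failure point if it
    is less than 24 hours old, otherwise 0 (a fresh import)."""
    if checkpoint and now() - checkpoint["saved_at"] < CACHE_TTL_SECONDS:
        return checkpoint["offset"]
    return 0


def run_import(fetch_page, import_record, limit, checkpoint, now=time.time):
    """Page through the export `limit` records at a time (the CROWDSTRIKEAPI_LIMIT
    role) and import each record. `checkpoint` is updated in place after every
    successful record, so a failure leaves it pointing at the record that did
    not go through. Returns the number of records imported in this run."""
    offset = resume_offset(checkpoint, now)
    imported = 0
    while True:
        page = fetch_page(offset, limit)          # export side (hypothetical stand-in)
        if not page:
            checkpoint.clear()                    # finished: nothing left to resume
            return imported
        for record in page:
            import_record(record)                 # import side; may raise mid-page
            imported += 1
            offset += 1
            checkpoint.update(offset=offset, saved_at=now())


if __name__ == "__main__":
    # Constructed sample export of 7 vulnerability records, paged 3 at a time.
    data = [{"id": i, "severity": "HIGH"} for i in range(7)]
    fetch = lambda offset, limit: data[offset:offset + limit]
    cache = {}
    received = []

    def flaky_import(record):
        if record["id"] == 4:
            raise RuntimeError("agent machine shut down")   # simulated failure
        received.append(record["id"])

    try:
        run_import(fetch, flaky_import, 3, cache, now=lambda: 1000.0)
    except RuntimeError:
        pass
    print("cached failure point:", cache)                  # offset 4
    n = run_import(fetch, lambda r: received.append(r["id"]), 3, cache, now=lambda: 2000.0)
    print("resumed and imported", n, "records:", received)
```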
Workflows included in the integration template
The integration template includes workflows for the basic configuration and each integration use case. The following tables describe the operations defined in each workflow:
Common
This workflow contains the following operations:
Operation name | Actions performed |
---|---|
Validate HTTP status code | Validates the webhook operations |
Parse JSON | Converts a JSON object in text format to a JavaScript object |
TSAC Workflow
This workflow imports the defined scans into TrueSight Automation Console.
Operation name | Actions performed |
---|---|
TSAC Wrapper | Integrates all the operations in this flow into a single logical flow |
TSAC Login | Logs in to the TrueSight Automation Console instance by using the credentials provided in the project variables and retrieves the authorization token |
TSAC Generate JWT | Generates JWT from authorization token |
TSAC Import Scans | Imports the scan report for the IDs defined in the project variables from the BMC Helix iPaaS temporary storage into TrueSight Automation Console |
Successful Scan details | Shows details of the scanned data |
CrowdStrike
This workflow retrieves the scan data and verifies it for export. The following operations are included in this workflow:
Operation name | Actions performed |
---|---|
CrowdStrike Wrapper | Integrates all the CrowdStrike Falcon operations into one logical flow |
Login | Logs in to a CrowdStrike Falcon instance and extracts the authorization token |
GetVulnerabilities | Gets the data from CrowdStrike Falcon according to the filter criteria specified in the project variables |
Create Json for TSAC | Parses the response from the CrowdStrike Falcon message to the JSON format according to the TrueSight Automation Console requirements |
TSAC Create Policy
This workflow imports the defined scans into TrueSight Automation Console.
Operation name | Actions performed |
---|---|
TSAC Create policy wrapper | Integrates TrueSight Automation Console and CrowdStrike Falcon as per the defined logic |
TSAC Create Policies | Creates a policy in TrueSight Automation Console and returns the policy ID |
TSAC GET Policy
This workflow gets the policy ID from TrueSight Automation Console and fetches data from the corresponding policy in CrowdStrike Falcon.
Operation name | Actions performed |
---|---|
TSAC GET WRAPPER | Integrates TrueSight Automation Console and CrowdStrike Falcon according to the defined logic |
Get Policy Id | Gets the policy ID from TrueSight Automation Console |