
Crowdstrike Reports not being pulled in

Open cvdsouza opened this issue 10 months ago • 2 comments

Description

The Crowdstrike Connector v6.0.10 doesn't seem to be pulling any reports.

Environment

  1. OS (where OpenCTI server runs): Ubuntu (using Docker)
  2. OpenCTI version: 6.0.10
  3. OpenCTI client: python (connector)
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Connect the Crowdstrike connector with credentials from CS (all Threat Intel scopes are selected, including Reports).
  2. Run the connector.
  3. Set the connector to Debug mode.
  4. Ensure CROWDSTRIKE_SCOPES=report in docker-compose.yml.
  5. Run the connector and observe debug logs

Expected Output

Expect Reports to be created in OpenCTI.

Actual Output

No reports created. The following was observed in the debug logs.

DEBUG _request method: POST, path: /oauth2/token, kwargs: {'data': {'client_id': 'XXXXX', 'client_secret': 'XXXXXXX'}, 'json': None, 'headers': {'Accept': 'application/json', 'Content-Type': 'application/x-www-form-urlencoded'}} | timestamp=2024-04-24T02:30:17.489586Z name=crowdstrike_client.http.client 

DEBUG _request url: https://api.us-2.crowdstrike.com/oauth2/token, request_headers: {'Accept': 'application/json', 'Content-Type': 'application/x-www-form-urlencoded'}, timeout: (15, 120), kwargs: {'data': {'client_id': 'XXXXXX', 'client_secret': 'XXXXXXX'}, 'json': None} | timestamp=2024-04-24T02:30:17.489686Z name=crowdstrike_client.http.client 

DEBUG _request response status code: 201, response_headers: {'Server': 'nginx', 'Date': 'Wed, 24 Apr 2024 02:30:17 GMT', 'Content-Type': 'application/json', 'Content-Length': '1251', 'Connection': 'keep-alive', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': '1ff485c8-04bb-4f2f-9830-bf39f0105126', 'X-Ratelimit-Limit': '300', 'X-Ratelimit-Remaining': '299', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'} | timestamp=2024-04-24T02:30:18.006772Z name=crowdstrike_client.http.client 

INFO Generated access token (type 'bearer') expires in 1799 seconds | timestamp=2024-04-24T02:30:18.006928Z name=crowdstrike_client.api.authenticator 

DEBUG _request method: GET, path: /intel/combined/reports/v1, kwargs: {'headers': {'Authorization': 'bearer XXXXXXXXX'}, 'params': {'offset': 0, 'limit': 30, 'sort': 'created_date|asc', 'filter': "created_date:>1713218148+type:['notice', 'tipper', 'intelligence report', 'periodic report']", 'fields': ['__full__']}} | timestamp=2024-04-24T02:30:18.008399Z name=crowdstrike_client.http.client 

DEBUG _request url: https://api.us-2.crowdstrike.com/intel/combined/reports/v1, request_headers: {'Authorization': 'bearer XXXXX'}, timeout: (15, 120), kwargs: {'params': {'offset': 0, 'limit': 30, 'sort': 'created_date|asc', 'filter': "created_date:>1713218148+type:['notice', 'tipper', 'intelligence report', 'periodic report']", 'fields': ['__full__']}} | timestamp=2024-04-24T02:30:18.008563Z name=crowdstrike_client.http.client 

DEBUG _request response status code: 200, response_headers: {'Server': 'nginx', 'Date': 'Wed, 24 Apr 2024 02:30:18 GMT', 'Content-Type': 'application/json', 'Content-Length': '194', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': 'e6a0c0c4-b835-41d3-9604-489a55c5ac16', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'} | timestamp=2024-04-24T02:30:18.483129Z name=crowdstrike_client.http.client 

INFO Query pagination info limit: 30, offset: 0, total: 0 | timestamp=2024-04-24T02:30:18.486235Z name=crowdstrike.utils 

INFO Query fetched 0 resources | timestamp=2024-04-24T02:30:18.486359Z name=crowdstrike.utils 

INFO Report importer completed, latest fetch 2024-04-15 21:55:48+00:00. | timestamp=2024-04-24T02:30:18.486502Z name=CrowdStrike 

INFO Storing updated new state: {'latest_report_timestamp': 1713218148, 'last_run': 1713924016} | timestamp=2024-04-24T02:30:18.486610Z name=CrowdStrike 

INFO Storing new state: {'latest_report_timestamp': 1713218148, 'last_run': 1713925818} | timestamp=2024-04-24T02:30:18.486722Z name=CrowdStrike 

INFO State stored, next run in: 1800 seconds | timestamp=2024-04-24T02:30:18.486814Z name=CrowdStrike 

Additional information

I'm observing successful calls to the CS API; however, I'm not seeing the Report object being returned. 0 resources are being returned, which is very unlikely for the CS connector, especially since I'm pulling 1 month of data. All other data points such as Indicators, Actors, Malware etc. are being pulled.

cvdsouza, Apr 24 '24 02:04
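As an added triage helper (not part of the connector or of this issue), the script below parses debug lines of the shape quoted above and reports the window the report query actually covered relative to the persisted state, so the requested range can be compared with what was expected. The sample log lines are constructed from the output above, and the regexes assume that log format.

```python
import ast
import re
from datetime import datetime, timezone

# Constructed sample: log lines in the shape of the connector debug output quoted in this issue.
SAMPLE_LOG = """\
INFO Generated access token (type 'bearer') expires in 1799 seconds | timestamp=2024-04-24T02:30:18.006928Z name=crowdstrike_client.api.authenticator
DEBUG _request method: GET, path: /intel/combined/reports/v1, kwargs: {'headers': {'Authorization': 'bearer XXXXXXXXX'}, 'params': {'offset': 0, 'limit': 30, 'sort': 'created_date|asc', 'filter': "created_date:>1713218148+type:['notice', 'tipper', 'intelligence report', 'periodic report']", 'fields': ['__full__']}} | timestamp=2024-04-24T02:30:18.008399Z name=crowdstrike_client.http.client
INFO Query pagination info limit: 30, offset: 0, total: 0 | timestamp=2024-04-24T02:30:18.486235Z name=crowdstrike.utils
INFO Storing updated new state: {'latest_report_timestamp': 1713218148, 'last_run': 1713924016} | timestamp=2024-04-24T02:30:18.486610Z name=CrowdStrike
INFO Storing new state: {'latest_report_timestamp': 1713218148, 'last_run': 1713925818} | timestamp=2024-04-24T02:30:18.486722Z name=CrowdStrike
"""

FILTER_RE = re.compile(r"created_date:>(\d+)\+type:\[([^\]]*)\]")
TOTAL_RE = re.compile(r"Query pagination info limit: (\d+), offset: (\d+), total: (\d+)")
STATE_RE = re.compile(r"Storing (?:updated )?new state: (\{.*?\})")


def _utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def summarize_report_fetch(log_text):
    """Pull the report query window, result count and stored state out of the debug log."""
    s = {"authenticated": False}
    for line in log_text.splitlines():
        if "Generated access token" in line:
            s["authenticated"] = True
        if m := FILTER_RE.search(line):
            s["since_epoch"] = int(m.group(1))
            s["types"] = [t.strip().strip("'") for t in m.group(2).split(",")]
        if m := TOTAL_RE.search(line):
            s["total"] = int(m.group(3))
        if m := STATE_RE.search(line):
            s["state"] = ast.literal_eval(m.group(1))  # last "Storing ... state" line wins
    if "since_epoch" in s and "state" in s:
        s["since_utc"] = _utc(s["since_epoch"])
        s["last_run_utc"] = _utc(s["state"]["last_run"])
        # Width of the window the API was actually asked for, in days.
        s["window_days"] = (s["state"]["last_run"] - s["since_epoch"]) / 86400
        # The filter's lower bound should equal the persisted latest_report_timestamp.
        s["state_matches_filter"] = s["state"]["latest_report_timestamp"] == s["since_epoch"]
    return s


if __name__ == "__main__":
    for k, v in summarize_report_fetch(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the sample the query lower bound is the stored latest_report_timestamp (2024-04-15 21:55:48 UTC), so the run asked the API for roughly 8 days of reports, which is the figure to compare against the range you expect the connector to cover.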