
Using Attack Detective with On-Prem Falcon LogScale

Written by Sergey Bayrachny

To run investigations in your on-prem Falcon LogScale instance, you need to do the following:

  • Configure a Data Plane integration with your Falcon LogScale instance on the SOC Prime Platform

  • Set up a repository token in Falcon LogScale

  • Install the SOC Prime Attack Detective App for Falcon LogScale that connects your on-prem Falcon LogScale instance to Attack Detective

Configure a Data Plane on the SOC Prime Platform

To use Attack Detective with Falcon LogScale, first set up an integration profile (Data Plane) on the SOC Prime Platform.

  1. Log in to your SOC Prime Platform account and go to Account icon > Platform Settings > Data Planes.

  2. Click the Add Data Plane button.

  3. Give your Data Plane profile a meaningful name.

  4. Select Falcon LogScale as your platform and turn on the On Prem switch.

  5. Select if you want to share the profile across your team.

  6. Set the URL of your Falcon LogScale web console.

  7. Generate an Attack Detective API key by clicking the icon with arrows. You'll need to specify it in the .env file when installing the connector app. Please save the API key in a safe and accessible place. For security reasons, you won't be able to view it again. If you lose this secret key, you'll need to generate a new one.

  8. Click Save Changes.

Set up a Repository Token in Falcon LogScale

To allow the Attack Detective connector app to access your Falcon LogScale, set up a repository token in Falcon LogScale.

  1. Go to your repository with data and click Settings.

  2. Click Tokens under Access control.

  3. On the Repository tokens screen, click Add new.

  4. In the New API token window:

    1. Give the token a meaningful name.

    2. Under Permissions, set the Data read access checkbox.

    3. Do not provide any other permissions (keep all the other settings as is).

  5. Click the Create token button.

  6. Save the token in a safe place. Note that you won't be able to view it later.

  7. Use the generated token in the logscale_token field of the .env file of SOC Prime Attack Detective App for Falcon LogScale.

Install the SOC Prime Attack Detective App for Falcon LogScale

Requirements

  • A host running Windows, Linux, or another operating system supported by Docker

  • Network access to the Falcon LogScale instance (default port 443). The app supports Falcon LogScale v1.118.0 or higher.

  • These packages should be installed on the host:

    • Docker v23.0.1 or higher

    • Docker Compose v2.21.0 or newer

  1. Download the Content Pack with the app from Threat Detection Marketplace.

  2. Unpack the downloaded archive.

  3. In the folder where the archive has been unpacked, create a .env file.

  4. In the .env file, specify the values for the following variables:

    ATTACK_DETECTIVE_URL (Required)
      The Attack Detective API address. Use the following value: https://attacko.socprime.com/

    ATTACK_DETECTIVE_API_KEY (Required)
      The Attack Detective API key generated when configuring a Falcon LogScale Data Plane on the SOC Prime Platform. See the Configure a Data Plane on the SOC Prime Platform section of this guide.

    logscale_url (Required)
      The URL of your Falcon LogScale web console, as copied from your browser. The link must not contain a repository or view name.

    logscale_token (Required)
      The repository token generated in Falcon LogScale that grants the required read access to your repository. See the Set up a Repository Token in Falcon LogScale section of this guide.

    max_concurrent_requests_to_logscale (Optional)
      Maximum number of concurrent requests to Falcon LogScale. The default and recommended value is 1. Set this value according to the performance of the app server and the Falcon LogScale server.

      If the value is 1, requests are sent sequentially. If the value is higher than 1, requests are sent in parallel, with the number of parallel requests limited by this value. To let Attack Detective send parallel requests, select the Parallel type in Scan Settings before running the scan.

    PROXY_FOR_ATTACK_DETECTIVE (Optional)
      Add this variable only if you're using a proxy. Format: http://user:pass@host:port

The resulting .env file will look like this:

ATTACK_DETECTIVE_URL=https://attacko.socprime.com/
ATTACK_DETECTIVE_API_KEY=a1aa1a1aa1a1aa1a1aaa1a1aa1a1AA1aaaaa1a1aaaaaaa1aa1A1aa
logscale_url=https://cloud.humio.com
logscale_token=b2bb2BbBB2bbb2bbb2bbbbbb22bbb22bb2bbbb2bbb2BB22BB2bbb2bb2bbb2

  5. In the same folder, run the following command:

docker-compose up --build -d

This command launches a Docker container in the background that keeps running until it is stopped manually.

All dependencies are installed from the requirements.txt file.

On success, the output contains a line like this:

Container logscaleonprem-attack_detective_logscale_client-1  Started

  6. To confirm that the installation succeeded, check the Docker container logs by running the following command:

docker logs logscaleonprem-attack_detective_logscale_client-1

If both connections work, the logs contain lines like these:

LogScale connection is OK
Attack Detective API connection is OK
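As an added pre-flight check (example code, not part of the SOC Prime app or this guide): the Python below parses the .env file from step 4 and flags settings the variable table rules out (missing required variables, a logscale_url that carries a repository or view name, a non-integer concurrency value, a malformed proxy string); on POSIX hosts it also warns when the file holding the two secrets is readable by other users. Assumptions: logscale_url is expected to be an https URL, and the chmod 600 advice is the example's, not the guide's.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Constructed from the variable table in this guide; the app's own validation is not shown here.
REQUIRED = ("ATTACK_DETECTIVE_URL", "ATTACK_DETECTIVE_API_KEY",
            "logscale_url", "logscale_token")
EXPECTED_AD_URL = "https://attacko.socprime.com/"
PROXY_RE = re.compile(r"https?://[^:@/\s]+:[^@/\s]+@[^:/\s]+:\d+")  # http://user:pass@host:port


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    pairs = (ln.partition("=") for ln in map(str.strip, text.splitlines())
             if ln and not ln.startswith("#") and "=" in ln)
    return {k.strip(): v.strip().strip("'\"") for k, _, v in pairs}


def check_env(env):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = [f"missing required variable {k}" for k in REQUIRED if not env.get(k)]
    if env.get("ATTACK_DETECTIVE_URL") not in (None, "", EXPECTED_AD_URL):
        problems.append(f"ATTACK_DETECTIVE_URL should be {EXPECTED_AD_URL}")
    url = env.get("logscale_url")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:  # assumption: https console URL
            problems.append("logscale_url should be the https URL of the web console")
        elif parsed.path.strip("/"):
            # the guide says the link must not contain a repository or view name
            problems.append("logscale_url must not include a repository or view path")
    conc = env.get("max_concurrent_requests_to_logscale")
    if conc is not None and not (conc.isdigit() and int(conc) >= 1):
        problems.append("max_concurrent_requests_to_logscale must be an integer >= 1")
    proxy = env.get("PROXY_FOR_ATTACK_DETECTIVE")
    if proxy is not None and not PROXY_RE.fullmatch(proxy):
        problems.append("PROXY_FOR_ATTACK_DETECTIVE must look like http://user:pass@host:port")
    return problems


def check_permissions(path):
    """POSIX hosts: return a problem if group/others can read the secrets, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} is readable by group/others (mode {oct(mode)}); chmod 600 it"
    return None
```

Run check_env(parse_env(open(".env").read())) and check_permissions(".env") before docker-compose up; an empty list and None mean the file matches the table above.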
