Crowdstrike Integrations
Introduction
This integration is for CrowdStrike products. It includes the following datasets for receiving logs:
falcon dataset consists of endpoint data and Falcon platform audit data forwarded from Falcon SIEM Connector.
fdr dataset consists of logs forwarded using the Falcon Data Replicator.
Assumptions
The procedures described in Section 3 assume that a Log Collector has already been setup.
Compatibility
This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.
Requirements
Logs
Falcon
Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector.
FDR
The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is available in S3.
This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket and the integration can read from there.
In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time.
CrowdStrike Integration Procedures
Please provide the following information to CyTech:
Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3) Option 1
-
AWS: Access Key ID
-
AWS: Secret Access Key
-
AWS: Queue URL - URL of the AWS SQS queue that messages will be received from.
Collect CrowdStrike logs via API. Option 2 (Recommended)
-
Client ID: Client ID for the CrowdStrike.
-
Client Secret: Client Secret for the CrowdStrike.
-
URL: Token URL of CrowdStrike.
No Comments