Collect CrowdStrike Falcon logs

This document provides guidance about how to ingest CrowdStrike Falcon logs into Google Security Operations as follows:

  • Collect CrowdStrike Falcon logs by setting up a Google Security Operations feed.
  • Map CrowdStrike Falcon log fields to Google SecOps Unified Data Model (UDM) fields.
  • Understand supported CrowdStrike Falcon log types and event types.

For more information, see the Data ingestion to Google SecOps overview.

Before you begin

Ensure that you have the following prerequisites:

  • Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
  • All systems in the deployment architecture are configured in the UTC time zone.
  • Target device runs on a supported operating system
    • Must be a 64-bit server
    • Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
    • Legacy OS versions must support SHA-2 code signing.
  • Google SecOps service account file and your customer ID from the Google SecOps support team

Deploy CrowdStrike Falcon with Google SecOps feed integration

A typical deployment consists of CrowdStrike Falcon, which sends the logs, and the Google SecOps feed, which fetches them. Your deployment might differ slightly based on your setup.

The deployment typically includes the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product you collect logs from.
  • CrowdStrike feed: The Google SecOps feed that fetches logs from CrowdStrike and writes them to Google SecOps.
  • CrowdStrike Intel Bridge: The CrowdStrike product that collects threat indicators from the data source and forwards them to Google SecOps.
  • Google SecOps: The platform that retains, normalizes, and analyzes the CrowdStrike detection logs.
  • An ingestion label parser that normalizes raw log data into the UDM format. The information in this document applies to CrowdStrike Falcon parsers with the following ingestion labels:
    • CS_EDR
    • CS_DETECTS
    • CS_IOC
    The CrowdStrike Indicator of Compromise (IoC) parser (CS_IOC) supports the following indicator types:
      • domain
      • email_address
      • file_name
      • file_path
      • hash_md5
      • hash_sha1
      • hash_sha256
      • ip_address
      • mutex_name
      • url

Configure a Google SecOps feed for CrowdStrike EDR logs

The following procedures are needed to configure the feed.

How to configure CrowdStrike

To set up a Falcon Data Replicator (FDR) feed, follow these steps:

  1. Sign in to the CrowdStrike Falcon Console.
  2. Go to Support Apps > Falcon Data Replicator.
  3. Click Add to create a new Falcon Data Replicator feed. CrowdStrike generates the following values:
    • Feed
    • S3 identifier
    • SQS URL
    • Client secret
  4. Keep these values to set up a feed in Google SecOps. The SQS URL has the form https://sqs.REGION.amazonaws.com/ACCOUNT_NUMBER/QUEUE_NAME, which supplies the region, account number, and queue name that the Google SecOps feed asks for. The client secret grants read access to your replicated endpoint telemetry; store it in a secrets manager, not in a ticket or chat message.

For more information, see How to set up a Falcon Data Replicator feed.
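Before handing the queue to Google SecOps, it is worth confirming from a workstation that the FDR feed is actually publishing notifications and that each one only points at objects under its own prefix. The following Python is an added example and is not Google's or CrowdStrike's code: it parses the notification bodies that FDR places on the SQS queue and cross-checks them. The message layout it expects (cid, timestamp, fileCount, totalSize, bucket, pathPrefix, and a files array of path/size/checksum entries) is the one read by CrowdStrike's published sample FDR consumer and is an assumption here; the sample message, bucket name, prefix, and checksums are constructed placeholders.

```python
"""Sanity-check Falcon Data Replicator (FDR) SQS notifications before pointing a
Google SecOps feed at the queue.

Added example; not Google's or CrowdStrike's code. The notification layout
(cid, timestamp, fileCount, totalSize, bucket, pathPrefix, files[] with
path/size/checksum) is the one consumed by CrowdStrike's published sample FDR
consumer and is an ASSUMPTION here; verify it against a real message from your
queue before relying on it.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class FdrObject:
    """One S3 object announced by an FDR notification."""
    bucket: str
    key: str
    size: int
    checksum: str

    @property
    def s3_uri(self) -> str:
        return f"s3://{self.bucket}/{self.key}"


def parse_fdr_notification(body: str) -> list[FdrObject]:
    """Parse one SQS message body and return the objects it announces.

    Raises ValueError on a malformed or internally inconsistent message so a
    truncated or tampered notification is rejected whole rather than partly
    ingested.
    """
    msg = json.loads(body)
    for field in ("cid", "bucket", "pathPrefix", "files"):
        if field not in msg:
            raise ValueError(f"FDR notification is missing {field!r}")

    prefix = msg["pathPrefix"].rstrip("/") + "/"
    objects: list[FdrObject] = []
    for entry in msg["files"]:
        key = entry["path"]
        # Every object must sit under the advertised prefix: a key that escapes
        # it (or contains '..') would make a consumer read arbitrary bucket paths.
        if not key.startswith(prefix) or ".." in key.split("/"):
            raise ValueError(f"file path {key!r} is outside pathPrefix {prefix!r}")
        objects.append(FdrObject(msg["bucket"], key, int(entry["size"]), str(entry["checksum"])))

    # Cross-check the counts FDR includes; a mismatch means a truncated message.
    if "fileCount" in msg and int(msg["fileCount"]) != len(objects):
        raise ValueError(f"fileCount {msg['fileCount']} != {len(objects)} files listed")
    if "totalSize" in msg and int(msg["totalSize"]) != sum(o.size for o in objects):
        raise ValueError("totalSize does not match the listed file sizes")
    return objects


def summarize(bodies: list[str]) -> dict:
    """Aggregate several notifications into the figures worth checking before
    enabling the feed: object count, total bytes, buckets seen, and the keys."""
    objects = [o for body in bodies for o in parse_fdr_notification(body)]
    return {
        "objects": len(objects),
        "bytes": sum(o.size for o in objects),
        "buckets": sorted({o.bucket for o in objects}),
        "keys": [o.key for o in objects],
    }


# Constructed sample notification (not a real FDR message); the cid, bucket
# name, prefix and checksums are placeholders.
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "0123456789abcdef0123456789abcdef",
    "timestamp": 1700000000000,
    "fileCount": 2,
    "totalSize": 3072,
    "bucket": "example-fdr-bucket",
    "pathPrefix": "data/0000-example",
    "files": [
        {"path": "data/0000-example/part-00000.gz", "size": 1024, "checksum": "d41d8cd98f00b204e9800998ecf8427e"},
        {"path": "data/0000-example/part-00001.gz", "size": 2048, "checksum": "d41d8cd98f00b204e9800998ecf8427e"},
    ],
})


if __name__ == "__main__":
    for obj in parse_fdr_notification(SAMPLE_NOTIFICATION):
        print(obj.s3_uri, obj.size)
    print(summarize([SAMPLE_NOTIFICATION]))
```

To run this against the real queue, fetch messages with boto3's sqs.receive_message using the SQS URL from the FDR feed and the FDR client ID and client secret as the AWS access key ID and secret access key, then pass each message's Body to summarize. Do not delete the messages during this check: a message you receive but do not delete reappears after the queue's visibility timeout, whereas a deleted message is never delivered to the Google SecOps feed.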

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure multiple feeds for different log types within this product family, see Configure feeds by product.

To configure a single feed, use one of the following procedures:

Set up an ingestion feed with Amazon SQS

You can use either Amazon SQS (preferred) or Amazon S3 to set up the ingestion feed in Google SecOps.

To set up an ingestion feed with Amazon SQS, complete the following:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
  5. In Source type, select Amazon SQS.
  6. In Log type, select CrowdStrike Falcon.
  7. Based on the service account and the Amazon SQS configuration that you created, specify values for the following fields:

     Field                     Description
     Region                    Region associated with the SQS queue.
     Queue name                Name of the SQS queue to read from.
     Account number            Account number that owns the SQS queue.
     Source deletion option    Whether to delete files and directories after transferring the data.
     Queue access key ID       20-character access key ID. For example, AKIAOSFOODNN7EXAMPLE.
     Queue secret access key   40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
     Asset namespace           Namespace associated with the feed.

  8. Click Submit to save the feed configuration to Google SecOps.

If you encounter issues, contact the Google SecOps support team.

Set up an ingestion feed with Amazon S3 bucket

To set up an ingestion feed using an S3 bucket, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
  5. In Source type, select Amazon S3.
  6. In Log type, select CrowdStrike Falcon.
  7. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:

     Field                     Description
     Region                    Region in which the S3 bucket is hosted.
     S3 URI                    S3 bucket source URI.
     URI is a                  Type of object that the URI points to (for example, file or folder).
     Source deletion option    Whether to delete files and directories after transferring the data.
     Access key ID             20-character access key ID. For example, AKIAOSFOODNN7EXAMPLE.
     Secret access key         40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
     OAuth client ID           Public OAuth client ID.
     OAuth client secret       OAuth 2.0 client secret.
     OAuth secret refresh URI  OAuth 2.0 client secret refresh URI.
     Asset namespace           Namespace associated with the feed.

Set up feeds from the Content Hub

You can configure the ingestion feed in Google SecOps using either Amazon SQS (preferred) or Amazon S3.

Specify values for the following fields:

  • Region: Region where the S3 bucket or SQS queue is hosted.
  • Queue Name: Name of the SQS queue from which to read log data.
  • Account Number: Account number that owns the SQS queue.
  • Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE.
  • Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
  • Source deletion option: Option to delete files and directories after transferring the data.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

Configure a Google SecOps feed for CrowdStrike detection monitoring logs

To forward CrowdStrike detection monitoring logs, follow these steps:

  1. Sign in to CrowdStrike Falcon Console.
  2. Go to Support Apps > API Clients and Keys.
  3. Create a new API client key pair in CrowdStrike Falcon. Grant the key pair READ permission on both Detections and Alerts, and no other scopes; the feed only reads. Keep the client ID and client secret for the Google SecOps feed configuration.

To receive CrowdStrike detection monitoring logs, follow these steps:

  1. Sign in to your Google SecOps instance.
  2. Go to SIEM Settings > Feeds.
  3. Click Add New Feed.
  4. On the next page, click Configure a single feed.
  5. In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
  6. In Source type, select Third Party API.
  7. In Log type, select CrowdStrike Detection Monitoring.
  8. Provide the client ID and client secret of the API key pair that you created, then submit the feed.

If you encounter issues, contact the Google SecOps support team.

Ingest CrowdStrike IoC logs into Google SecOps

To configure log ingestion from CrowdStrike into Google SecOps for IoC logs, complete the following steps:

  1. Create a new API client key pair at CrowdStrike Falcon Console. This key pair allows Google SecOps Intel Bridge to access and read events and supplementary information from CrowdStrike Falcon. For setup instructions, see CrowdStrike to Google SecOps Intel Bridge.
  2. Provide READ permission to Indicators (Falcon Intelligence) when you create the key pair.
  3. Set up the Google SecOps Intel Bridge by following the steps in CrowdStrike to Google SecOps Intel Bridge.
  4. Run the following Docker commands to send the logs from CrowdStrike to Google SecOps. sa.json is the Google SecOps service account file, and the FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_CLOUD, and CHRONICLE_CUSTOMER_ID environment variables must already hold your API client ID, client secret, Falcon cloud region, and Google SecOps customer ID:

    # Build the Intel Bridge image from the checked-out repository.
    docker build . -t ccib:latest

    # Run the bridge. The Falcon API credentials and cloud region come from the
    # shell environment; the service account file is mounted into the container
    # and located through GOOGLE_APPLICATION_CREDENTIALS.
    docker run -it --rm \
        -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
        -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
        -e FALCON_CLOUD_REGION="$FALCON_CLOUD" \
        -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID" \
        -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json \
        -v ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json \
        ccib:latest
    
  5. After the container runs successfully, IoC logs will begin streaming into Google SecOps.

Supported CrowdStrike log formats

The CrowdStrike parser supports logs in JSON format.
