Collect CrowdStrike Falcon Stream logs

This document explains how to collect CrowdStrike Falcon Stream logs using Bindplane. The parser extracts key-value pairs and maps them to the Unified Data Model (UDM), handling different delimiters and enriching the data with additional context like severity and event types. It also performs specific transformations for certain event types and fields, such as user logins and security results.

Before You Begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the CrowdStrike Falcon console.
  • Obtain API credentials for Falcon Stream (Client ID and Client Secret).

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install Bindplane agent

Windows Installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/Bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux Installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/Bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Configure Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    • Locate the config.yaml file. Typically, it's in the /etc/Bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:54525"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SYSLOG
                namespace: cs_stream
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
    
  • Replace the port and IP address as required in your infrastructure.
  • Replace <customer_id> with the actual customer ID.
  • Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart Bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindplaneAgent && net start BindplaneAgent
    

Configure and get a CrowdStrike API Key

  1. Sign in to CrowdStrike Falcon with a privileged account.
  2. Go to Menu > Support.
  3. Click API Clients and Keys.
  4. Click Add new API client.
  5. In the API Scopes section, select Event streams and then enable the Read option.
  6. Click Add.
  7. Copy and save the Client ID, Client Secret, and Base URL.

Install the Falcon SIEM Connector

  1. Download the installer package for your operating system (RPM for CentOS, DEB for Ubuntu).
  2. Package installation:

    • CentOS operating system:

      sudo rpm -Uvh <installer package>
      
    • Ubuntu operating system:

      sudo dpkg -i <installer package>
      
  3. Default installation directories:

    • Falcon SIEM Connector - /opt/crowdstrike/.
    • Service - /etc/init.d/cs.falconhoseclientd/.

Configure the SIEM Connector to forward events to Bindplane

  1. Sign in to the machine where the SIEM Connector is installed as a sudo user.
  2. Go to the /opt/crowdstrike/etc/ directory.
  3. Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg.
    • The SIEM Connector reads the cs.falconhoseclient.cfg configuration by default.
  4. Edit the cs.falconhoseclient.cfg file and modify or set the following parameters:
    • api_url: your CrowdStrike Falcon Base URL, copied in the previous step.
    • app_id: any string used as an identifier when connecting to the Falcon Streaming API; for example, app_id: SECOPS-LEEF.
    • client_id: the Client ID copied in the previous step.
    • client_secret: the Client Secret copied in the previous step.
    • send_to_syslog_server: true - enables pushing events to the syslog server.
    • host: the IP address or hostname of the Bindplane agent.
    • port: the port the Bindplane agent listens on (54525 in the example configuration above).
  5. Save the cs.falconhoseclient.cfg file.
  6. Start the SIEM Connector service:

    • CentOS operating system:

      sudo service cs.falconhoseclientd start
      
    • Ubuntu 16.04 or later operating system:

      sudo systemctl start cs.falconhoseclientd.service
      
  7. Optional: stop the SIEM Connector service:

    • CentOS operating system:

      sudo service cs.falconhoseclientd stop
      
    • Ubuntu 16.04 or later operating system:

      sudo systemctl stop cs.falconhoseclientd.service
      
  8. Optional: restart the SIEM Connector service:

    • CentOS operating system:

      sudo service cs.falconhoseclientd restart
      
    • Ubuntu 16.04 or later operating system:

      sudo systemctl restart cs.falconhoseclientd.service
      

UDM Mapping Table

Log Field | UDM Mapping | Logic
cat | security_result.category_details | The value of the cat field is directly mapped to the security_result.category_details field.
commandLine | target.process.command_line | The value of the commandLine field is directly mapped to the target.process.command_line field.
cs1 | security_result.summary | If cs1Label is "incidentType", the value of cs1 is mapped to security_result.summary. Otherwise, it is mapped as a key-value pair in security_result.detection_fields with the key from cs1Label and the value from cs1.
cs1Label | security_result.detection_fields.key | Used as the key in security_result.detection_fields when cs1 is not an incident type.
cs2 | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key from cs2Label and the value from cs2.
cs2Label | security_result.detection_fields.key | Used as the key in security_result.detection_fields along with cs2.
cs3 | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key from cs3Label and the value from cs3.
cs3Label | security_result.detection_fields.key | Used as the key in security_result.detection_fields along with cs3.
cs4 | security_result.about.url | If cs4Label is "falconHostLink", the value of cs4 is mapped to security_result.about.url. Otherwise, it is mapped as a key-value pair in security_result.detection_fields with the key from cs4Label and the value from cs4.
cs4Label | security_result.detection_fields.key | Used as the key in security_result.detection_fields when cs4 is not a falconHostLink.
description | metadata.description | The value of the description field is directly mapped to the metadata.description field. If it is empty, incidentDescription, msg, or serviceName is used instead.
devTime | metadata.event_timestamp | The value of the devTime field is parsed and mapped to the metadata.event_timestamp field.
deviceCustomDate1 | metadata.event_timestamp | If devTime is not present, the value of the deviceCustomDate1 field is parsed and mapped to the metadata.event_timestamp field.
domain | principal.administrative_domain | Extracted from the userName field using a regular expression and mapped to principal.administrative_domain.
duser | principal.user.userid | If present, the value of duser overwrites the usrName field and is then used to populate the user fields.
endpointName | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key "endpointName".
eventType | metadata.product_event_type | The value of the eventType field is directly mapped to the metadata.product_event_type field.
falconHostLink | security_result.about.url | The value of the falconHostLink field is directly mapped to the security_result.about.url field.
filePath | target.process.file.full_path | The value of the filePath field is directly mapped to the target.process.file.full_path field.
identityProtectionIncidentId | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key "identityProtectionIncidentId".
incidentDescription | metadata.description | If description is empty, the value of the incidentDescription field is mapped to the metadata.description field.
incidentType | security_result.summary | The value of the incidentType field is directly mapped to the security_result.summary field.
log_type | metadata.log_type | The value of the log_type field is directly mapped to the metadata.log_type field.
msg | metadata.description | If description and incidentDescription are empty, the value of the msg field is mapped to the metadata.description field.
numbersOfAlerts | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key "numbersOfAlerts".
numberOfCompromisedEntities | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key "numberOfCompromisedEntities".
product | metadata.product_name | The value of the product field is directly mapped to the metadata.product_name field.
resource | target.resource.name | The value of the resource field is directly mapped to the target.resource.name field.
serviceName | target.application | The value of the serviceName field is directly mapped to the target.application field. Also used as a fallback for metadata.description.
severityName | security_result.severity | The value of the severityName field is uppercased and mapped to the security_result.severity field. The mapping logic includes specific conversions for different severity names.
sha256 | target.file.sha256 | The value of the sha256 field is directly mapped to the target.file.sha256 field.
src | principal.ip | The value of the src field is directly mapped to the principal.ip field.
srcMAC | principal.mac | The value of the srcMAC field is mapped to the principal.mac field after hyphens are replaced with colons.
state | security_result.detection_fields.value | Mapped as a key-value pair in security_result.detection_fields with the key "state".
success | security_result.action | If success is "true", security_result.action is set to "ALLOW". If success is "false", security_result.action is set to "BLOCK".
userName | principal.user.userid | If usrName is not present, the value of the userName field is used to populate the user fields. The domain is extracted if present.
usrName | principal.user.userid / target.user.userid | If present, the value of the usrName field is mapped to either principal.user.userid or target.user.userid depending on the eventType. If it is an email address, it is also added to the respective email_addresses field.
vendor | metadata.vendor_name | The value of the vendor field is directly mapped to the metadata.vendor_name field.
version | metadata.product_version | The value of the version field is directly mapped to the metadata.product_version field.
(Parser Logic) | extensions.auth.mechanism | Set to "USERNAME_PASSWORD" if eventType is "saml2Assert" or "twoFactorAuthenticate".
(Parser Logic) | extensions.auth.type | Set to "AUTHTYPE_UNSPECIFIED" if eventType is "assert" or "userAuthenticate".
(Parser Logic) | metadata.event_timestamp | The timestamp from the raw log's collection_time or timestamp field is used as the event timestamp.
(Parser Logic) | metadata.event_type | Determined from the eventType and other fields. Defaults to "GENERIC_EVENT" and can be changed to "USER_LOGIN", "GROUP_MODIFICATION", "GROUP_DELETION", "SERVICE_STOP", "SERVICE_START", or "USER_UNCATEGORIZED".
(Parser Logic) | target.resource.type | Set to "GROUP" if eventType is "remove_group", "update_group", or "delete_group".
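As an added example (not code from this page, Google SecOps, or CrowdStrike), the following Python applies the custom-string, severity, action, MAC and user rules from the table above to a constructed LEEF 2.0 record of the kind the SIEM Connector forwards over syslog. Field names are the table's; the sample values are invented, and the severity conversion is reduced to uppercasing because the page does not list the specific conversions.

```python
import re

# Constructed LEEF 2.0 sample in the shape the Falcon SIEM Connector emits with the LEEF config.
SAMPLE = ("LEEF:2.0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|^|"
          "severityName=high^src=10.0.0.5^srcMAC=00-11-22-33-44-55^userName=CORP\\alice^"
          "cs1Label=incidentType^cs1=Credential Theft^cs2Label=tactic^cs2=Credential Access^"
          "cs4Label=falconHostLink^cs4=https://falcon.example/detections/1^success=false")

def parse_leef(line):  # LEEF 2.0: header fields, a delimiter spec, then delimited key=value attributes
    parts = line.split("|", 6)
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 record")
    vendor, product, version, event_type, delim, attrs = parts[1:]
    if len(delim) > 1 and delim.lower().startswith("x"):  # hex form, e.g. x09 for a tab
        delim = chr(int(delim[1:], 16))
    kv = dict(p.split("=", 1) for p in attrs.split(delim) if "=" in p)
    kv.update(vendor=vendor, product=product, version=version, eventType=event_type)
    return kv

def to_udm(kv):  # apply the table's rules for cs1..cs4, severityName, success, srcMAC and the user fields
    sr = {"detection_fields": []}
    udm = {"metadata": {"vendor_name": kv.get("vendor"), "product_event_type": kv.get("eventType")},
           "principal": {}, "security_result": sr}
    for n in "1234":  # csN is interpreted through its csNLabel
        val, label = kv.get("cs" + n), kv.get("cs%sLabel" % n)
        if val is None:
            continue
        if n == "1" and label == "incidentType":
            sr["summary"] = val
        elif n == "4" and label == "falconHostLink":
            sr["about"] = {"url": val}
        else:
            sr["detection_fields"].append({"key": label, "value": val})
    if "severityName" in kv:
        sr["severity"] = kv["severityName"].upper()
    if kv.get("success") in ("true", "false"):
        sr["action"] = "ALLOW" if kv["success"] == "true" else "BLOCK"
    if "srcMAC" in kv:
        udm["principal"]["mac"] = kv["srcMAC"].replace("-", ":")
    # duser overrides usrName; userName is the fallback and may carry a DOMAIN\user prefix
    user = kv.get("duser") or kv.get("usrName")
    if user is None and "userName" in kv:
        m = re.match(r"^(?:(?P<dom>[^\\]+)\\)?(?P<usr>.*)$", kv["userName"])
        user = m.group("usr")
        if m.group("dom"):
            udm["principal"]["administrative_domain"] = m.group("dom")
    if user:
        udm["principal"]["user"] = {"userid": user}
        if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user):
            udm["principal"]["user"]["email_addresses"] = [user]
    return udm
```

The page routes usrName to principal or target depending on eventType; this example keeps everything under principal for brevity.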

Changes

2025-01-10

Enhancement:

  • When "OperationBlocked" is "true", mapped "security_result.action" to "BLOCK".
  • When "OperationBlocked" is "false", mapped "security_result.action" to "ALLOW".
  • When "event_type" is "IdentityProtectionEvent", then mapped "event_data.IncidentDescription" to "security_result.summary".
  • When "event_type" is "IdentityProtectionEvent", then mapped "event_data.SeverityName" to "security_result.severity".

2025-01-09

Enhancement:

  • Mapped "event_data.Technique" to "security_result.rule_name".
  • Mapped "event_data.CommandLine" to "target.process.command_line".
  • If "event_data.IOCType" is "ipv4", then mapped "event_data.IOCValue" to "target.ip" and "target.asset.ip".
  • If "event_data.IOCType" is "hash_sha256", then mapped "event_data.IOCValue" to "target.file.sha256".

2024-12-12

Enhancement:

  • Mapped "event.SeverityName" to "security_result.severity".
  • Mapped "event.Description" to "security_result.summary".
  • Mapped "security_result.action" based on "event.PatternDispositionFlags.OperationBlocked".

2024-10-29

Enhancement:

  • Added support for JSON format of logs.
  • Mapped "request" to "network.http.referral_url".
  • Mapped "networkDetectionType" to "security_result.detection_fields".

2022-07-18

Enhancement:

  • Added the following mappings for LEEF format logs:
    • The field "version" mapped to "metadata.product_version".
    • The fields "usrName" and "userName" mapped to "principal.user.email_addresses" if the value is an email address, else mapped to "principal.user.userid".
    • The field "severityName" mapped to "security_result.severity".
    • The field "cat" mapped to "security_result.category_details".
    • The field "incidentType" mapped to "security_result.summary".
    • The field "falconHostLink" mapped to "security_result.about.url".
    • The field "numberOfCompromisedEntities" mapped to "security_result.detection_fields[n]".
    • The field "identityProtectionIncidentId" mapped to "security_result.detection_fields[n]".
    • The field "numbersOfAlerts" mapped to "security_result.detection_fields[n]".
    • The field "state" mapped to "security_result.detection_fields[n]".
  • Added the following mappings for CEF format logs:
    • The field "version" mapped to "metadata.product_version".
    • The field "deviceCustomDate1" mapped to "metadata.event_type".
    • The field "msg" mapped to "metadata.description".
    • The field "cs1" mapped to "security_result.summary" if the value of "cs1Label" is "incidentType", else mapped to "security_result.detection_fields[n]".
    • The field "cs2" mapped to "security_result.detection_fields[n]".
    • The field "cs3" mapped to "security_result.detection_fields[n]".
    • The field "cs4" mapped to "security_result.about.url" if the value of "cs4Label" is "falconHostLink", else mapped to "security_result.detection_fields[n]".
    • The field "cn1" mapped to "security_result.detection_fields[n]".
    • The field "cn2" mapped to "security_result.detection_fields[n]".
    • The field "cn3" mapped to "security_result.detection_fields[n]".
    • The field "duser" mapped to "principal.user.email_addresses" if the value is an email address, else mapped to "principal.user.userid".
