Collect CrowdStrike Detection logs
This document describes how you can export CrowdStrike Detection logs to Google Security Operations through Google Security Operations feed, and how CrowdStrike Detection fields map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations overview.
A typical deployment consists of CrowdStrike and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
CrowdStrike Falcon Intelligence: The CrowdStrike product from which you collect logs.
CrowdStrike feed: The Google Security Operations feed that fetches logs from CrowdStrike and writes them to Google Security Operations.
Google Security Operations: Retains and analyzes the CrowdStrike Detection logs.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CS_DETECTS ingestion label.
Before you begin
Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Ensure that the device is running on a supported operating system.
- The OS must be running on a 64-bit server. Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor versions 6.51 or later.
- Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support installed on their devices.
Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.
Configure CrowdStrike to ingest logs
To set up an ingestion feed, follow these steps:
- Create a new API client key pair at CrowdStrike Falcon. This key pair reads events and supplementary information from CrowdStrike Falcon.
- Provide READ permission to Detections while creating the key pair.
Configure a feed in Google Security Operations to ingest CrowdStrike Detection logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- Enter a unique name for the Feed Name.
- Select Third party API as the Source Type.
- Select CrowdStrike Detection Monitoring as the Log Type.
- Click Next.
- Configure the following mandatory input parameters:
- OAuth Token Endpoint: specify the CrowdStrike OAuth token endpoint.
- OAuth Client ID: specify the client ID that you obtained previously.
- OAuth Client Secret: specify the client secret that you obtained previously.
- Base URL: specify the CrowdStrike API Base URL.
- Click Next and then click Submit.
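The four mandatory parameters above are easy to get subtly wrong (a token endpoint on one Falcon cloud with a Base URL on another, an http scheme, a path appended to the Base URL), and the feed only reports the failure after it is saved. The following script is an added example, not Google Security Operations or CrowdStrike code: it checks the parameters the way the feed will use them, describes the OAuth2 client-credentials token request and the Detections query the key pair must be scoped for, and shows how to log the parameters without the client secret. It assumes the public Falcon OAuth2 flow (POST `{base_url}/oauth2/token` with a form-encoded `client_id`/`client_secret` body) and the Detects query endpoint `GET {base_url}/detects/queries/detects/v1` with an FQL `filter`; the list of cloud base URLs and all sample values are constructed for the example. Confirm the endpoints against the CrowdStrike API reference for your cloud before relying on them.

```python
"""Sanity-check CrowdStrike feed parameters before saving the feed.

Added example; not Google Security Operations or CrowdStrike code. Assumes the
public Falcon OAuth2 client-credentials flow (POST {base_url}/oauth2/token with
a form-encoded client_id/client_secret body) and the Detects query endpoint
GET {base_url}/detects/queries/detects/v1 with an FQL filter. Verify both
against the CrowdStrike API reference for your cloud.
"""
from urllib.parse import urlencode, urlparse

# Falcon API base URLs per cloud (constructed list; use the cloud your tenant is assigned to).
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com",             # US-1
    "https://api.us-2.crowdstrike.com",        # US-2
    "https://api.eu-1.crowdstrike.com",        # EU-1
    "https://api.laggar.gcw.crowdstrike.com",  # US-GOV-1
}

# The mandatory feed inputs, keyed the way this example names them (assumed names).
REQUIRED = ("oauth_token_endpoint", "oauth_client_id", "oauth_client_secret", "base_url")


def validate_feed_params(params: dict) -> list:
    """Return a list of problems with the mandatory parameters (empty list means OK)."""
    problems = [f"missing or empty parameter: {key}" for key in REQUIRED if not params.get(key)]
    if problems:
        return problems

    base = params["base_url"].rstrip("/")
    parsed = urlparse(base)
    if parsed.scheme != "https":
        problems.append("base_url must use https; the client credentials travel in the request body")
    if parsed.path not in ("", "/"):
        problems.append("base_url must be the bare API host without a path")
    if base not in KNOWN_BASE_URLS:
        problems.append(f"base_url {base} is not a known Falcon cloud; confirm your tenant's cloud")

    # The token endpoint must be on the same cloud as the Base URL; otherwise the feed
    # authenticates against one cloud and queries another, and every poll fails.
    if params["oauth_token_endpoint"].rstrip("/") != base + "/oauth2/token":
        problems.append("oauth_token_endpoint should be <base_url>/oauth2/token")
    return problems


def build_token_request(params: dict) -> dict:
    """Describe the OAuth2 client-credentials request used to obtain a bearer token."""
    return {
        "method": "POST",
        "url": params["oauth_token_endpoint"],
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "client_id": params["oauth_client_id"],
            "client_secret": params["oauth_client_secret"],
        }),
    }


def build_detects_query(base_url: str, token: str, since_iso: str, limit: int = 500) -> dict:
    """Describe the Detects query; it needs only the Detections READ scope granted above."""
    return {
        "method": "GET",
        "url": base_url.rstrip("/") + "/detects/queries/detects/v1",
        "headers": {"Authorization": f"Bearer {token}"},
        # FQL filter on last_behavior (assumed field name; check the API reference).
        "query": {"filter": f"last_behavior:>'{since_iso}'", "limit": limit},
    }


def redact(params: dict) -> dict:
    """Copy of the parameters that is safe to log: the client secret is never emitted."""
    return {k: ("<redacted>" if k == "oauth_client_secret" else v) for k, v in params.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {
        "oauth_token_endpoint": "https://api.crowdstrike.com/oauth2/token",
        "oauth_client_id": "example-client-id",
        "oauth_client_secret": "example-client-secret",
        "base_url": "https://api.crowdstrike.com",
    }
    print("problems:", validate_feed_params(sample) or "none")
    print("parameters (redacted):", redact(sample))
    print("token request:", build_token_request(sample)["url"])
    print("detects query:", build_detects_query(sample["base_url"], "<token>", "2024-01-01T00:00:00Z")["url"])
```

Run the script with your own values substituted into `sample` before saving the feed; an empty problem list means the endpoint, scheme and cloud are consistent. Log only what `redact` returns, and keep the key pair scoped to Detections READ as the procedure instructs, since a broader scope on a feed credential is pure exposure with no benefit.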