Collect CrowdStrike Falcon EDR logs

This document describes how you can export CrowdStrike Falcon EDR logs to Google Security Operations through a Google Security Operations feed, and how CrowdStrike Falcon EDR fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of CrowdStrike enabled for ingestion to Google Security Operations. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product from which you collect logs.

  • Google Security Operations: Retains and analyzes the CrowdStrike EDR logs.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CS_EDR ingestion label.

Before you begin

  • Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.

  • Ensure that the device is running on a supported operating system.

    • The OS must be running on a 64-bit server. Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor versions 6.51 or later.
    • Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support to be installed on the device.
  • Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

Configure a Falcon Data Replicator Feed

To set up a Falcon Data Replicator feed, follow these steps:

  1. Click the ADD button to create a new Falcon Data Replicator feed. This generates an S3 identifier, an SQS URL, and a client secret.
  2. Use the generated feed, S3 identifier, SQS URL, and client secret values to set up the feed in Google Security Operations.

Configure a feed in Google Security Operations to ingest CrowdStrike EDR logs

You can use an SQS queue or an S3 bucket to set up the ingestion feed in Google Security Operations. SQS is preferred, but S3 is also supported.

To set up an ingestion feed using an S3 bucket, follow these steps:

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. In Source type, select Amazon S3.
  5. In Log type, select CrowdStrike Falcon.
  6. Click Next.
  7. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:

     Field                    Description
     Region                   The S3 region associated with the URI.
     S3 URI                   The S3 bucket source URI.
     URI is a                 The type of object the URI points to.
     Source deletion option   Whether to delete files and/or directories after transferring.
     Access key ID            An account access key that is a 20-character alphanumeric string, for example AKIAOSFOODNN7EXAMPLE.
     Secret access key        An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
     OAuth client ID          A public, client-specific OAuth identifier.
     OAuth client secret      OAuth 2.0 client secret.
     OAuth secret refresh URI OAuth 2.0 client secret refresh URI.
     Asset namespace          The namespace the feed will be associated with.
  8. Click Next and then click Submit.

To set up an ingestion feed using SQS, follow these steps:

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. In Source type, select Amazon SQS.
  5. In Log type, select CrowdStrike Falcon.
  6. Click Next.
  7. Based on the service account and the Amazon SQS configuration that you created, specify values for the following fields:

     Field                    Description
     Region                   The S3 region associated with the URI.
     Queue name               The SQS queue name to read from.
     Account number           The SQS account number.
     Source deletion option   Whether to delete files and/or directories after transferring.
     Queue access key ID      An account access key that is a 20-character alphanumeric string, for example AKIAOSFOODNN7EXAMPLE.
     Queue secret access key  An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
     Asset namespace          The namespace that the feed will be associated with.
  8. Click Next and then click Submit.