Collect CrowdStrike Falcon logs

This document offers guidance for CrowdStrike Falcon logs as follows:

  • Describes how to collect CrowdStrike Falcon logs by setting up a Google Security Operations feed.
  • Explains how CrowdStrike Falcon log fields map to Google SecOps unified data model (UDM) fields.
  • Lists the supported CrowdStrike Falcon log types and event types.

For more information, see the Data ingestion to Google SecOps overview.

Before you begin

  • Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.
  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.
  • Ensure that the device is running on a supported operating system.
    • The OS must be running on a 64-bit server. Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor versions 6.51 or later.
    • Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support installed on their devices.
  • Obtain the Google SecOps service account file and your customer ID from the Google SecOps support team.

Deploy CrowdStrike Falcon with Google SecOps feed integration

A typical deployment consists of CrowdStrike Falcon and the Google SecOps feed configured to send logs to Google SecOps. Your deployment might differ from the typical deployment.

The deployment contains the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product you collect logs from.
  • CrowdStrike feed: The feed that fetches logs from CrowdStrike and writes them to Google SecOps.
  • CrowdStrike Intel Bridge: The CrowdStrike product that collects the information from the data source and forwards it to Google SecOps.
  • Google SecOps: The platform that retains and analyzes the CrowdStrike Detection logs. An ingestion label identifies the parser that normalizes the raw log data to UDM. The information in this document applies to CrowdStrike Falcon parsers with the following ingestion labels:
    • CS_EDR
    • CS_DETECTS
    • CS_IOC: The CrowdStrike IOC parser supports the following indicator types:
      • domain
      • email_address
      • file_name
      • file_path
      • hash_md5
      • hash_sha1
      • hash_sha256
      • ip_address
      • mutex_name
      • url

Configure a Google SecOps feed for CrowdStrike EDR logs

The following procedures are needed to configure the feed.

Configure a Falcon Data Replicator Feed

To set up a Falcon Data Replicator feed, follow these steps:

  1. Sign in to the CrowdStrike Falcon Console.
  2. Go to Support Apps > Falcon Data Replicator.
  3. Click Add to create a new Falcon Data Replicator feed. This generates an S3 identifier, an SQS URL, and a client secret.
  4. Use the generated feed, S3 identifier, SQS URL, and client secret values to set up the feed in Google SecOps.

For more information, see How to set up Falcon Data replicator feed.

Set up ingestion feeds

You can use Amazon SQS or an Amazon S3 bucket to set up the ingestion feed in Google SecOps. Amazon SQS is preferred, but Amazon S3 is also supported.

Set up an ingestion feed with an S3 bucket

To set up an ingestion feed using an S3 bucket, follow these steps:

  1. Sign in to your Google SecOps instance.
  2. From the application menu, select Settings > Feeds.
  3. Click Add new.
  4. In Source type, select Amazon S3.
  5. In Log type, select CrowdStrike Falcon.
  6. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:
    • region: The S3 region associated with the URI.
    • S3 uri: The S3 bucket source URI.
    • uri is a: The type of object the URI points to.
    • source deletion option: Whether to delete files and directories after transferring.
    • access key id: An account access key that is a 20-character alphanumeric string; for example, AKIAOSFOODNN7EXAMPLE.
    • secret access key: An account access key that is a 40-character alphanumeric string; for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    • oauth client id: A public, client-specific OAuth identifier.
    • oauth client secret: The OAuth 2.0 client secret.
    • oauth secret refresh uri: The OAuth 2.0 client secret refresh URI.
    • asset namespace: The namespace that the feed will be associated with.

Set up an ingestion feed with Amazon SQS

To set up an ingestion feed with Amazon SQS, complete the following:

  1. From the application menu, select Settings > Feeds.
  2. Click Add new.
  3. In Source type, select Amazon SQS.
  4. In Log type, select CrowdStrike Falcon.
  5. Based on the service account and the Amazon SQS configuration that you created, specify values for the following fields:
    • region: The S3 region associated with the URI.
    • QUEUE NAME: The SQS queue name to read from.
    • ACCOUNT NUMBER: The SQS account number.
    • source deletion option: Whether to delete files and directories after transferring.
    • QUEUE ACCESS KEY ID: An account access key that is a 20-character alphanumeric string; for example, AKIAOSFOODNN7EXAMPLE.
    • QUEUE SECRET ACCESS KEY: An account access key that is a 40-character alphanumeric string; for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    • asset namespace: The namespace that the feed will be associated with.
    • submit: The command to submit the feed.

If you encounter issues, contact the Google SecOps support team.

Configure a Google SecOps feed for CrowdStrike logs

To set up an ingestion feed in Google SecOps to ingest CrowdStrike detection monitoring logs, follow these steps:

  1. Sign in to CrowdStrike Falcon Console.
  2. Go to Support Apps > API Clients and Keys.
  3. Create a new API client key pair at CrowdStrike Falcon. This key pair reads events and supplementary information from CrowdStrike Falcon.
  4. Provide READ permission to Detections and Alerts while creating the key pair.
  5. Sign in to your Google SecOps instance.
  6. From the application menu, select Settings > Feeds.
  7. Click Add new.
  8. In Source type, select Third Party API.
  9. In Log type, select CrowdStrike Detection Monitoring.

If you encounter issues, contact the Google SecOps support team.

Ingest CrowdStrike IOC logs into Google SecOps

To configure log ingestion to Google SecOps for CrowdStrike IOC logs, complete the following steps:

  1. Create a new API client key pair at CrowdStrike Falcon. Google SecOps Intel Bridge uses this key pair to read events and supplementary information from CrowdStrike Falcon. For more information, see CrowdStrike to Google SecOps Intel Bridge.
  2. Provide READ permission to Indicators (Falcon Intelligence) while creating the key pair.
  3. Set up the Google SecOps Intel Bridge by following the steps in CrowdStrike to Google SecOps Intel Bridge.
  4. Run the following commands to send the logs from CrowdStrike to Google SecOps, where sa.json is the Google SecOps service account file:

    docker build . -t ccib:latest
    docker run -it --rm \
        -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
        -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
        -e FALCON_CLOUD_REGION="$FALCON_CLOUD" \
        -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID" \
        -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json \
        -v ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json \
        ccib:latest
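Before running the commands above, a preflight gate like the following (an added example, not part of this guide or the CCIB project) confirms that the four variables the documented command passes are set and that sa.json is a Google service-account key, then prints the key's client_email so the identity about to write to Google SecOps can be confirmed before any secret reaches the container. The variable names are those of the documented command; the file path and email in the comments are constructed.

```shell
#!/usr/bin/env sh
# Preflight gate for the documented CCIB "docker run" (added example, not part
# of the CCIB project). It fails fast, locally, before secrets reach the container.

# Returns 0 when every variable named in "$@" is set and non-empty, 1 otherwise;
# the names that are missing are listed on stderr (values are never printed).
require_env() {
    missing=0
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# Returns 0 when "$1" is a readable Google service-account key: a JSON file whose
# "type" is "service_account" and that carries a "client_email". This is the file
# the documented command mounts as /ccib/sa.json.
check_service_account() {
    sa_file=$1
    [ -r "$sa_file" ] || { echo "cannot read $sa_file" >&2; return 1; }
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$sa_file" ||
        { echo "$sa_file is not a service_account key" >&2; return 1; }
    grep -q '"client_email"' "$sa_file" ||
        { echo "$sa_file has no client_email" >&2; return 1; }
}

# Prints the client_email from the key so the operator can confirm which identity
# will write to Google SecOps (for example, a constructed
# secops-feed@example-project.iam.gserviceaccount.com).
service_account_email() {
    sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Runs all checks for the documented command; the argument is the path to sa.json.
# The variable names are exactly those the documented docker run reads.
ccib_preflight() {
    require_env FALCON_CLIENT_ID FALCON_CLIENT_SECRET FALCON_CLOUD CHRONICLE_CUSTOMER_ID || return 1
    check_service_account "$1" || return 1
    echo "preflight ok: Google SecOps writes will use $(service_account_email "$1")"
}

# Usage, gating the documented command on the checks (uncomment to use):
# ccib_preflight ~/my/path/to/service/account/filer/sa.json && docker run ... ccib:latest
```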
