Collect CrowdStrike IOC logs

Supported in:

Overview

This parser extracts CrowdStrike Falcon Intelligence data from JSON-formatted messages. It transforms various IOC fields into the UDM format, handling different indicator types (domains, IPs, URLs, hashes, etc.) and their associated metadata, including relations, labels, and threat information. The parser also performs data validation and error handling. It prioritizes JSON parsing, falling back to grok matching if necessary, and drops malformed messages.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have access to the CrowdStrike Falcon Intelligence platform with appropriate permissions.

Configure a feed in Google SecOps to ingest the CrowdStrike IOC logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, CrowdStrike IOC Logs).
  4. Select Webhook as the Source type.
  5. Select Crowdstrike IOC as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

Replace the following:

  • ENDPOINT_URL: the feed endpoint URL.
  • API_KEY: the API key to authenticate to Google SecOps.
  • SECRET: the secret key that you generated to authenticate the feed.

Create a CrowdStrike webhook

  1. Sign in to the CrowdStrike Falcon Intelligence console.
  2. Go to the CrowdStrike Store.
  3. Find Webhook.
  4. Activate the Webhook integration.
  5. Click Configure.
  6. Select Add configuration.
  7. Ensure only IOCs are sent to the webhook.
  8. Paste the endpoint URL into the Webhook URL field in the Configure Webhook screen.
  9. Click Save.
  10. CrowdStrike now sends generated events to the specified Google SecOps feed.