Collect CrowdStrike Falcon logs

This document provides guidance about how to ingest CrowdStrike Falcon logs into Google Security Operations as follows:

Collect CrowdStrike Falcon logs by setting up a Google Security Operations feed.
Map CrowdStrike Falcon log fields to Google SecOps Unified Data Model (UDM) fields.
Understand supported CrowdStrike Falcon log types and event types.

For more information, see the Data ingestion to Google SecOps overview.

Before you begin

Ensure that you have the following prerequisites:

Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
All systems in the deployment architecture are configured in the UTC time zone.
Target device runs on a supported operating system
- Must be a 64-bit server
- Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
- Legacy OS versions must support SHA-2 code signing.
Google SecOps service account file and your customer ID from the Google SecOps support team

Deploy CrowdStrike Falcon with Google SecOps feed integration

A typical deployment consists of CrowdStrike Falcon which sends the logs, and the Google SecOps feed which fetches the logs. Your deployment might differ slightly based on your setup.

The deployment typically includes the following components:

CrowdStrike Falcon Intelligence: The CrowdStrike product you collect logs from.
CrowdStrike feed. The CrowdStrike feed that fetches logs from CrowdStrike and writes them to Google SecOps.
CrowdStrike Intel Bridge: The CrowdStrike product that collects threat indicators from the data source and forwards them to Google SecOps.
Google SecOps: The platform that retains, normalizes and analyzes the CrowdStrike detection logs.
An ingestion label parser that normalizes raw log data into the UDM format. The information in this document applies to CrowdStrike Falcon parsers with the following ingestion labels:
- CS_EDR
- CS_DETECTS
- CS_IOC The CrowdStrike Indicator of Compromise (IoC) parser supports the following indicator types:
  - domain
  - email_address
  - file_name
  - file_path
  - hash_md5
  - hash_sha1
  - hash_sha256
  - ip_address
  - mutex_name
  - url

Configure a Google SecOps feed for CrowdStrike EDR logs

The following procedures are needed to configure the feed.

How to configure CrowdStrike

To set up a Falcon Data Replicator feed, follow these steps:

Sign in to the CrowdStrike Falcon Console.
Go to Support Apps > Falcon Data Replicator.
Click Add to create a new Falcon Data Replicator feed and generate the following values:
- Feed
- S3 identifier,
- SQS URL
Client secret. Keep these values to set up a feed in Google SecOps.

For more information, see How to set up Falcon Data replicator feed.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started

How to set up the CrowdStrike Falcon feed

Click the CrowdStrike pack.
In the CrowdStrike Falcon log type, specify values for the following fields:
- Source: Amazon SQS V2
- Queue Name: Name of the SQS queue from which to read log data.
- S3 URI: The S3 bucket source URI.
- Source deletion option: Option to delete files and directories after transferring the data.
- Maximum File Age: Include files modified within the last number of days. Default is 180 days.
- SQS Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE.
- SQS Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels – Labels applied to all events from this feed.
Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Set up an ingestion feed with Amazon S3 bucket

To set up an ingestion feed using an S3 bucket, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
In Source type, select Amazon S3.
In Log type, select CrowdStrike Falcon.

Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:

Field	Description
`region`	S3 region URI.
`S3 uri`	S3 bucket source URI.
`uri is a`	Type of object that the URI points to (for example, file or folder).
`source deletion option`	Option to delete files and directories after transferring the data.
`access key id`	Access key (20-character alphanumeric string). For example, `AKIAOSFOODNN7EXAMPLE`.
`secret access key`	Secret access key (40-character alphanumeric string). For example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`.
`oauth client id`	Public OAuth client ID.
`oauth client secret`	OAuth 2.0 client secret.
`oauth secret refresh uri`	OAuth 2.0 client secret refresh URI.
`asset namespace`	Namespace associated with the feed.

Configure a Google SecOps feed for CrowdStrike logs

To forward CrowdStrike detection monitoring logs, follow these steps:

Sign in to CrowdStrike Falcon Console.
Go to Support Apps > API Clients and Keys .
Create a new API client key pair at CrowdStrike Falcon. This key pair must have READ permissions for both Detections and Alerts from CrowdStrike Falcon.

Ingest logs using Cloud Storage for CrowdStrike EDR logs

You can configure CrowdStrike to send EDR logs to a Cloud Storage bucket, and then ingest these logs into Google SecOps using a feed. This process requires coordination with CrowdStrike Support.

Before you begin

Ensure you have an active CrowdStrike Falcon instance.
Ensure you have a Google Cloud project where you can create Cloud Storage buckets and manage IAM permissions.
Ensure you have an active Google SecOps instance.
Ensure you have administrator rights in both your Google Cloud environment and your Google SecOps instance.

Steps

Contact CrowdStrike Support: Open a support ticket with CrowdStrike to enable and configure the feature to push EDR logs to your Cloud Storage bucket. CrowdStrike Support will provide guidance on the specific required configurations.
Create and permission the Cloud Storage bucket:
1. In the Google Cloud console, create a new bucket in Cloud Storage. Note the bucket name (for example, gs://my-crowdstrike-edr-logs).
2. Grant write permissions to the service account or entity provided by CrowdStrike. Follow the instructions from CrowdStrike Support to allow log files to be written into this bucket for this permission.
Configure the Google SecOps feed:
1. In your Google SecOps instance, go to SIEM Settings > Feeds.
2. Click Add New.
3. Enter a descriptive Feed name (for example, CS-EDR-GCS).
4. For Source type, select Google Cloud Storage V2.
5. For Log type, select CrowdStrike Falcon.
6. In the service account section, click Get Service Account. Copy the unique service account email address displayed.
7. In the Google Cloud console, navigate to your Cloud Storage bucket. Grant the Storage Object Viewer IAM role to the service account email address copied from the Google SecOps feed settings. This permission allows the feed to read the log files.
8. Return to the Google SecOps Feed configuration page.
9. Enter the Storage Bucket URL using the name of the bucket you created (for example, gs://my-crowdstrike-edr-logs).
10. Select a Source Deletion Option:
  - Never delete files: Recommended.
  - Delete transferred files and empty directories: Use with caution.
11. Optional: Specify an Asset Namespace.
12. Click Next, review the settings, and then click Submit.
Verify log ingestion: After CrowdStrike confirms that logs are being pushed, allow some time for data to be ingested into Google SecOps. Check for incoming logs by searching with the Log Type CROWDSTRIKE_EDR in Google SecOps.

If you encounter issues, review the IAM permissions on the Cloud Storage bucket and the feed configuration in Google SecOps. If issues persist, contact the Google SecOps support team.

To receive CrowdStrike detection monitoring logs, follow these steps

Sign in to your Google SecOps instance.
Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
In Source type, select Third Party API.
In Log type, select CrowdStrike Detection Monitoring.

If you encounter issues, contact the Google SecOps support team.

Ingest CrowdStrike IoC logs into Google SecOps

To configure log ingestion from CrowdStrike into Google SecOps for IoC logs, complete the following steps:

Create a new API client key pair at CrowdStrike Falcon Console. This key pair allows Google SecOps Intel Bridge to access and read events and supplementary information from CrowdStrike Falcon. For setup instructions, see CrowdStrike to Google SecOps Intel Bridge.
Provide READ permission to Indicators (Falcon Intelligence) when you create the key pair.
Set up the Google SecOps Intel Bridge by following the steps in CrowdStrike to Google SecOps Intel Bridge.

Run the following Docker commands to send the logs from CrowdStrike to Google SecOps, where sa.json is the Google SecOps service account file:

docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

After the container runs successfully, IoC logs will begin streaming into Google SecOps.

Supported CrowdStrike log formats

The CrowdStrike parser supports logs in JSON format.

Need more help? Get answers from Community members and Google SecOps professionals.