CrowdStrike Input
The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
This input pulls CrowdStrike data directly from the CrowdStrike API into Graylog, allowing users to perform in-depth analysis of security event data.
Prerequisites
In order for Graylog to pull data from CrowdStrike, an API client must be defined from the CrowdStrike Falcon UI along with its required scope. See the CrowdStrike documentation for more details.
CrowdStrike Setup
To define a CrowdStrike API client:
- Log into the Falcon UI.
- On the left menu pane, navigate to Support and resources > API clients and keys.
- Click Add new API Client.
- On the resulting page, input a client name and description for the new API client.
- Under the API Scopes section, grant read permissions for Alerts and Event streams by selecting the Read check box next to Alerts and Event streams.
- Click Save, and you will be presented with the Client ID and Client Secret.
Graylog Configuration
When launching a new CrowdStrike input from the Graylog Inputs tab, the following parameters will need to be completed:
- Input Name: Provide a unique name for your new CrowdStrike input.
- CrowdStrike Client ID: The Client ID obtained from the CrowdStrike configuration above.
- Client Secret: The Client Secret obtained from the CrowdStrike configuration above.
- User Region: The CrowdStrike User Account Region.
- Store Full Message: Permits Graylog to store the raw log data in the full_message field for each log message. Selecting this option can result in a significant increase in the amount of data stored.
- Checkpoint Interval: How often (in seconds) Graylog will record checkpoints for CrowdStrike data streams. The default is set to 30 seconds.
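The Checkpoint Interval decides how much already-processed stream data is redelivered after an input restart. The following added illustration is not Graylog's or CrowdStrike's code; it assumes an in-memory checkpoint store and a simulated clock (both constructed here) and that consumption resumes from the last recorded checkpoint, to show the trade-off between fewer checkpoint writes and more duplicate events to tolerate after a restart.

```python
"""Illustration of stream checkpointing for a configurable checkpoint interval.

Constructed example: an in-memory checkpoint store and a simulated clock stand in
for real persistence and the CrowdStrike event stream. Not Graylog code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class StreamConsumer:
    interval: float                                    # checkpoint interval, seconds
    checkpoint: Dict[str, int] = field(default_factory=dict)  # persisted offsets
    writes: int = 0                                    # checkpoint writes performed
    _position: Dict[str, int] = field(default_factory=dict)   # in-memory offsets
    _last_written: Optional[float] = None              # simulated time of last write

    def consume(self, stream: str, offset: int, now: float) -> None:
        """Process one event; persist its offset only when the interval has elapsed."""
        self._position[stream] = offset
        if self._last_written is None or now - self._last_written >= self.interval:
            self.checkpoint[stream] = offset
            self._last_written = now
            self.writes += 1

    def resume(self, stream: str) -> int:
        """Offset to continue from after a restart (0 for a stream never checkpointed)."""
        return self.checkpoint.get(stream, 0)


def simulate(interval: float, events_per_second: int, crash_at: float) -> Tuple[int, int]:
    """Feed a uniform stream of events until `crash_at` seconds, then report
    (events redelivered after restart, checkpoint writes performed)."""
    consumer = StreamConsumer(interval=interval)
    total = int(crash_at * events_per_second)
    offset = 0
    for i in range(total):
        offset += 1                                    # offsets are 1-based here
        consumer.consume("stream-0", offset, i / events_per_second)
    redelivered = offset - consumer.resume("stream-0")
    return redelivered, consumer.writes


if __name__ == "__main__":
    for interval in (5, 30):
        dup, writes = simulate(interval, events_per_second=10, crash_at=100)
        print(f"interval={interval}s: {writes} checkpoint writes, {dup} events replayed")
```

At 10 events per second, the default 30-second interval replays up to about 300 events after a restart while writing far fewer checkpoints than a 5-second interval; downstream deduplication should be sized for that window.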