CrowdStrike Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

This input pulls CrowdStrike data directly from the CrowdStrike API into Graylog, allowing you to perform in-depth analysis of security event data.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • In order for Graylog to pull data from CrowdStrike, an API client must be defined. See the CrowdStrike documentation for more details.

Hint: You must be assigned the Falcon Administrator role to view, create, or modify API clients or keys. Secrets are only shown when a new API client is created or when its secret is reset.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  1. Configure a CrowdStrike API client.

  2. Grant read permissions for Alerts and Event streams when configuring the API Client.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Client ID
  • Client Secret

Warning: The secret is shown only once and should be stored in a secure place. If the Client Secret is lost, a reset must be performed, and every application relying on the Client Secret will need to be updated with the new credentials.

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option    Description

Input Name              Provide a unique name for your new CrowdStrike input.
CrowdStrike Client ID   The Client ID obtained from the CrowdStrike configuration above.
Client Secret           The Client Secret obtained from the CrowdStrike configuration above.
User Region             The CrowdStrike User Account Region.
Store Full Message      Permits Graylog to store the raw log data in the full_message field for each log message. Selecting this option can result in a significant increase in the amount of data stored.
Checkpoint Interval     How often (in seconds) Graylog records checkpoints for CrowdStrike data streams. The default is 30 seconds.
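The Checkpoint Interval option decides how much stream data is re-read after an unclean stop. The following added example (not Graylog's or CrowdStrike's code) simulates a pull consumer over a constructed event stream: it commits an offset checkpoint every interval, "crashes" after a fixed number of records, restarts from the checkpoint, and reports which records were replayed. Record offsets, timestamps and the checkpoint file layout are assumptions for illustration only.

```python
import json
import os
import tempfile

# Constructed sample stream standing in for CrowdStrike event-stream records:
# one record every 5 seconds, identified by a monotonically increasing offset.
SAMPLE_EVENTS = [{"offset": i, "ts": 1_700_000_000 + 5 * i, "id": f"evt-{i}"}
                 for i in range(1, 21)]

def load_checkpoint(path):
    # Last committed offset, or 0 when the input has never checkpointed.
    if not os.path.exists(path):
        return 0
    with open(path) as f:
        return json.load(f)["offset"]

def save_checkpoint(path, offset):
    # Temp file + rename, so a crash mid-write cannot leave a torn checkpoint.
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"offset": offset}, f)
    os.replace(tmp, path)

def run(path, interval_s, crash_after=None):
    # Consume from the last checkpoint, committing every interval_s seconds of
    # stream time. crash_after simulates the process dying after N records.
    start, last_commit, processed = load_checkpoint(path), None, []
    for rec in SAMPLE_EVENTS:
        if rec["offset"] <= start:
            continue  # already acknowledged by an earlier run
        processed.append(rec["offset"])  # a real input forwards the message here
        if crash_after is not None and len(processed) >= crash_after:
            return processed  # crash: records after the last checkpoint get replayed
        if last_commit is None:
            last_commit = rec["ts"]
        elif rec["ts"] - last_commit >= interval_s:
            save_checkpoint(path, rec["offset"])
            last_commit = rec["ts"]
    if processed:
        save_checkpoint(path, processed[-1])  # clean shutdown commits everything
    return processed

def simulate_crash_and_restart(interval_s=30, crash_after=10):
    # Run once, crash, restart: report what each run processed and the overlap.
    path = os.path.join(tempfile.mkdtemp(), "checkpoint.json")
    first = run(path, interval_s, crash_after=crash_after)
    second = run(path, interval_s)
    return {"first": first, "second": second,
            "replayed": sorted(set(first) & set(second)),
            "final_checkpoint": load_checkpoint(path)}
```

With the 30-second default, up to one interval of records (here six) can be delivered twice after a crash; a shorter interval reduces replay at the cost of more frequent checkpoint writes, so downstream deduplication on the event id is still worth keeping.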

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: