CrowdStrike Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

This input will pull CrowdStrike data directly from the CrowdStrike API into Graylog allowing users to perform an in-depth analysis of security event data.

Prerequisites

In order for Graylog to pull data from CrowdStrike, an API client must be defined from the CrowdStrike Falcon UI along with its required scope. See the CrowdStrike documentation for more details.

HintYou must be designated a Falcon Administrator role to view, create, or modify API clients or keys. Secrets are only shown when a new API Client is created or when it is reset.

CrowdStrike Setup

To define a CrowdStrike API client:

  1. Log into the Falcon UI.

  2. On the left menu pane, navigate to Support and resources > API clients and keys.

  3. Click Add new API Client.

    1. On the resulting page, input a client name and description for the new API client.

    2. Under the API Scopes section, grant read permissions for Alerts and Event streams by selecting the Read check box next to Alerts and Event streams.

    3. Click save, and you will be presented with the Client ID and Client Secrets.

WarningThe secret will only be shown once and should be stored in a secure place. If the Client Secret is lost, a reset must be performed, and any application relying on the Client Secret will need to be updated with the new credentials.

Graylog Configuration

When launching a new CrowdStrike input from the Graylog Inputs tab, the following parameters will need to be completed:

  • Input Name: Provide a unique name for your new CrowdStrike input.

  • CrowdStrike Client ID: The Client ID obtained from the CrowdStrike configuration above.

  • Client Secret: The Client ID obtained from the CrowdStrike configuration above.

  • User Region: The CrowdStrike User Account Region.

  • Store Full Message:

    • Permits Graylog to store the raw log data in the full_message field for each log message.

    • Selection can result in a significant increase in the amount of data stored.

  • Checkpoint Interval: How often (in seconds) Graylog will record checkpoints for CrowdStrike data streams. The default is set to 30 seconds.