Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security Graylog Security. Contact sales to learn more about obtaining Illuminate.

CrowdStrike Falcon is a cutting-edge endpoint security solution with advanced capabilities. Leveraging artificial intelligence and threat intelligence, Falcon empowers organizations to proactively defend against cyber threats, detect malicious activities in real-time, and respond swiftly to secure their endpoints with unmatched precision and agility.

This technology pack will:

  • Process Crowdstrike Falcon logs, providing normalization and enrichment of those events.

Supported Version(s)

  • Crowdstrike Falcon 6.54.16812.0

Requirements

  • Crowdstrike Falcon version 6.54.16812.0

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Crowdstrike Falcon Messages”

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Crowdstrike Falcon Event Log Messages”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Sending logs via Graylog’s Crowdstrike Input

Log Format Example

- {"timestamp":1693337449.649,"version":"1.1","host":"customer-id","short_message":"{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}","full_message":"{\"metadata\":{\"customerIDString\":\"customer-id\",\"offset\":2802412,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1688847014000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}}","_event_source_product":"crowdstrike_falcon","_vendor_subtype":"UserActivityAuditEvent","_vendor_version":"1.0","_event_created":"2023-07-08T20:10:14.000Z"}

What is Provided

  • We provide parsing rules to normalize and enrich Crowdstrike Falcon log messages .

  • All messages sent via the Crowdstrike API to the Graylog Crowdstrike Input will be parsed, but not all will receive categorization or normalization.

  • We provide Categorization for the following log types:

    • DetectionSummaryEvent

    • UserActivityAuditEvent

Input Configuration

  1. In order to successfully connect your Crowdstrike Falcon device to the Graylog Crowdstrike input, you will need your CrowdStrike client ID and your Client Secret.

  2. Then, once connected, your Crowdstrike logs should successfully be coming into your Graylog instance.

Events Processed by This Technology Pack

The Crowdstrike Falcon content pack supports parsing for all fields and GIM categorization for the CustomerIOCEvent, DetectionSummaryEvent, and UserActivityAuditEvent events.

Crowdstrike Spotlight Content Pack

Crowdstrike Falcon: Overview Tab

Crowdstrike Falcon: Authentication Tab

Crowdstrike Falcon: Alert Tab