Sumo Logic

Collect logs for the CrowdStrike Falcon App

This page shows you how to configure log collection from CrowdStrike Falcon and send the logs to Sumo Logic, as well as providing field extraction rule, log, and query examples.

CrowdStrike Falcon provides endpoint detection and response, next-generation antivirus, and threat intelligence services through the cloud. Multiple security functions are consolidated into a single lightweight agent, and sending its events to Sumo Logic gives you central security analytics and visibility across all of them.

Collection process overview 

SIEMs (Security Information and Event Management systems) gather data from a variety of security products to detect, investigate, correlate, and remediate security threats. The Falcon SIEM Connector provides a fast and efficient way to optimize collection across an extensive number of endpoints.

To set up log collection for CrowdStrike Falcon, you download, install, and configure the CrowdStrike SIEM Connector to send data to Sumo Logic by performing the following tasks:

  • Step 1. Download and install the CrowdStrike SIEM Connector on a host machine.
  • Step 2. Configure the CrowdStrike SIEM Connector to stream CrowdStrike events into a local file.
  • Step 3. Install a Sumo Logic Installed Collector on the same host and set up a local file source.

For more information about the CrowdStrike Falcon SIEM Connector, see the CrowdStrike documentation, or contact CrowdStrike Customer Support at info@crowdstrike.com.

Data collection flow

The following graphic illustrates Sumo Logic collection of CrowdStrike streaming API events using a SIEM Connector.

CSF_Collection_Overview.png

Before you begin

It is important that you complete the following tasks before you start to configure log collection for CrowdStrike Falcon:

  • Download the SIEM Connector guide and familiarize yourself with the SIEM Connector and its configuration settings.
  • Contact CrowdStrike support to enable the streaming APIs in your environment. You must do this before using the SIEM connector.

Step 1. Download and install CrowdStrike SIEM Connector on a host machine

You perform this procedure from the Falcon console. You must have permissions to be able to download and install from Falcon to complete this task.

To install a CrowdStrike SIEM Connector on a host machine, do the following:

  1. Log in to your Falcon console and go to Support > Tool Downloads.

  2. Download the SIEM Connector installer for your operating system.

  3. Open a terminal window.

  4. Run the following installation command appropriate for your OS, replacing the <installer package> variable with the SIEM installer you downloaded:

  • CentOS: sudo rpm -Uvh <installer package>

  • Ubuntu: sudo dpkg -i <installer package>

Step 2. Configure CrowdStrike SIEM Connector

The SIEM Connector streams event data from the CrowdStrike Falcon Cloud in JSON format into a local output file. The default location of the output file is /var/log/crowdstrike/falconhoseclient/output.

To configure the CrowdStrike SIEM Connector, do the following:

  1. In the Falcon console, go to Support > API Clients & Keys.
  2. Create an API client to use with the SIEM connector, and record its API client ID and API client secret. In the Edit API client dialog, select ONLY the Event streams option, and then click Save.

CSF_Edit_API_client_dialog.png

  3. Open the /opt/crowdstrike/etc/cs.falconhoseclient.cfg file in a text editor.
  4. Edit the following lines in the cs.falconhoseclient.cfg file:
  • app_id - Change to SIEM-Connector.
  • client_id - Add your recorded API Client ID.
  • client_secret - Add your recorded API Client Secret.
  • output_format - Make sure this is set to json.
  • EventTypeCollection section - Enable all events:
    • DetectionSummaryEvent = true
    • AuthActivityAuditEvent = true
    • UserActivityAuditEvent = true
    • HashSpreadingEvent = true
    • RemoteResponseSessionStartEvent = true
    • RemoteResponseSessionEndEvent = true
  5. Save your changes.
  6. Restart the SIEM Connector, as appropriate for your OS:
  • CentOS: sudo service cs.falconhoseclientd start
  • Ubuntu 14.x: sudo start cs.falconhoseclientd
  • Ubuntu 16.4: sudo systemctl start cs.falconhoseclientd.service

Step 3. Set up a Sumo Logic installed collector and local file source

Set up a Sumo Logic installed collector on the same host as the SIEM Connector. Then set up a local file source on the installed collector to read the output file from Step 2 and send CrowdStrike Falcon events to Sumo Logic.

To set up an installed collector and local file source, do the following:

  1. Install a Sumo Logic collector on the same host as the SIEM Connector. Follow the instructions for your operating system as described in Installed Collectors.
  2. Add a local file source to the collector for Streaming API Events. Follow the steps on Local File Source, with these additional changes:
  • Set the Filepath to: /var/log/crowdstrike/falconhoseclient/output
  • Set the Source Category to: crowdstrike/falcon
  • Under Enable Multiline Processing, check Boundary Regex and enter the following regex: ^\{.*

CSF_Edit_Source_CS-SUMO_dialog.png

  3. Click Save.
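Why the Boundary Regex in Step 3 is ^\{.* becomes clear when you look at the output file: the SIEM Connector pretty-prints each event over many lines, and only the outer brace of an event sits at column 0. The following Python script is an added example (it is not part of the Sumo Logic page or the CrowdStrike connector) that reproduces the collector's multiline grouping over a constructed, pretty-printed output file, JSON-decodes each message, and also shows what goes wrong with an unanchored pattern such as ^\s*\{.* (inner braces start new messages and the chunks no longer parse). The sample text, BOUNDARY_RE, LOOSE_RE and all function names are this example's own assumptions.

```python
import json
import re

# The Boundary Regex from Step 3. It matches only lines whose first character
# is "{", i.e. the outer brace of each pretty-printed event; indented inner
# braces do not match, so nested objects stay inside their message.
BOUNDARY_RE = re.compile(r"^\{.*")

# A looser pattern that also matches indented "{" lines. Used below only to
# show what goes wrong when the boundary is not anchored at column 0.
LOOSE_RE = re.compile(r"^\s*\{.*")

# Constructed sample of the SIEM Connector output file: two pretty-printed
# events back to back. Field names follow the page's sample logs; the values
# are made up.
SAMPLE_OUTPUT = """\
{
    "metadata": {
        "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
        "offset": 14947764,
        "eventType": "DetectionSummaryEvent",
        "eventCreationTime": 1536846439000
    },
    "event": {
        "ComputerName": "CS-SE-EZ64",
        "DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
        "SeverityName": "High"
    }
}
{
    "metadata": {
        "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
        "offset": 14947765,
        "eventType": "AuthActivityAuditEvent",
        "eventCreationTime": 1480375833
    },
    "event": {
        "AuditKeyValues": [
            {
                "Key": "target_name",
                "ValueString": "user@example.com"
            }
        ],
        "OperationName": "activateUser",
        "Success": true,
        "UserId": "user@example.com"
    }
}
"""


def split_messages(text, boundary=BOUNDARY_RE):
    """Group lines into messages the way the collector's multiline processing
    does: every line matching the boundary opens a new message, every other
    line is appended to the current one. Lines before the first boundary are
    dropped, since they belong to no message."""
    messages = []
    current = None
    for line in text.splitlines():
        if boundary.match(line):
            if current is not None:
                messages.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        messages.append("\n".join(current))
    return messages


def parse_events(text, boundary=BOUNDARY_RE):
    """Split the output file into messages and JSON-decode each one.
    Returns (events, bad): 'bad' holds messages that failed to parse, which is
    what you would see as unparsed logs in Sumo Logic if the boundary is wrong."""
    events, bad = [], []
    for msg in split_messages(text, boundary):
        try:
            events.append(json.loads(msg))
        except json.JSONDecodeError:
            bad.append(msg)
    return events, bad


def event_types(text):
    """Convenience: the metadata.eventType of every well-formed message."""
    events, _ = parse_events(text)
    return [e["metadata"]["eventType"] for e in events]


if __name__ == "__main__":
    ok, bad = parse_events(SAMPLE_OUTPUT)
    print("anchored boundary:", len(ok), "events,", len(bad), "unparseable")
    ok, bad = parse_events(SAMPLE_OUTPUT, LOOSE_RE)
    print("loose boundary:   ", len(ok), "events,", len(bad), "unparseable")
```

Running the script against a copy of the real output file (read the file and pass its contents to parse_events) is a quick way to confirm the boundary is right before pointing a collector at it: with the anchored pattern every message decodes, while the loose pattern turns the AuditKeyValues object of the second event into a message of its own and leaves two chunks that are not valid JSON.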

Sample Logs

This section provides a sample log message for each of the following log types:

  • Detection Event 
  • Authentication Event
  • Detection Status Update Event

For more information on Events, please refer to Streaming API Event Dictionary.

Detection Event

{
    "metadata": {
        "customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "offset": 14947764,
        "eventType": "DetectionSummaryEvent",
        "eventCreationTime": 1536846439000,
        "version": "1.0"
    },
    "event": {
        "ProcessStartTime": 1536846339,
        "ProcessEndTime": 0,
        "ProcessId": 38684386611,
        "ParentProcessId": 38682494050,
        "ComputerName": "CS-SE-EZ64",
        "UserName": "demo",
        "DetectName": "Process Terminated",
        "DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
        "Severity": 4,
        "SeverityName": "High",
        "FileName": "explorer.exe",
        "FilePath": "\\Device\\HarddiskVolume1\\Windows",
        "CommandLine": "C:\\Windows\\Explorer.EXE",
        "SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
        "MD5String": "ac4c51eb24aa95b77f705ab159189e24",
        "MachineDomain": "CS-SE-EZ64",
        "FalconHostLink": "https://falcon.crowdstrike.com/activ...xxxxxxxxxxxxxx",
        "SensorId": "ec86abd353824e96765ecbe18eb4f0b4",
        "DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
        "LocalIP": "xx.xx.xx.xx",
        "MACAddress": "xx-xx-xx-xx-xx",
        "Tactic": "Malware",
        "Technique": "Ransomware",
        "Objective": "Falcon Detection Method",
        "PatternDispositionDescription": "Prevention, process killed.",
        "PatternDispositionValue": 16,
        "PatternDispositionFlags": {
            "Indicator": false,
            "Detect": false,
            "InddetMask": false,
            "SensorOnly": false,
            "Rooting": false,
            "KillProcess": true,
            "KillSubProcess": false,
            "QuarantineMachine": false,
            "QuarantineFile": false,
            "PolicyDisabled": false,
            "KillParent": false,
            "OperationBlocked": false,
            "ProcessBlocked": false
        }
    }
}

Authentication Event

{
  "event": {
    "AuditKeyValues": [
      {
        "Key": "target_name",
        "ValueString": "user@example.com"
      }
    ],
    "OperationName": "activateUser",
    "ServiceName": "CrowdStrike Authentication",
    "Success": true,
    "UserId": "user@example.com",
    "UserIp": "192.0.2.100",
    "UTCTimestamp": 1452711518
  },
  "metadata": {
    "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
    "eventType": "AuthActivityAuditEvent",
    "eventCreationTime": 1480375833,
    "offset": 80960
  }
}

Detection Status Update

{
    "metadata": {
        "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
        "offset": 11049003,
        "eventType": "UserActivityAuditEvent",
        "eventCreationTime": 1479770848
    },
    "event": {
        "UserId": "user@example.com",
        "UserIp": "",
        "OperationName": "detection_update",
        "ServiceName": "detections",
        "AuditKeyValues": [
            {
                "Key": "detection_id",
                "ValueString": "ldt:b60f82cf1aa342f47363bf3b6bfb6b7d:123456356541"
            },
            {
                "Key": "new_state",
                "ValueString": "in_progress"
            },
            {
                "Key": "assigned_to",
                "ValueString": "Knightley"
            },
            {
                "Key": "assigned_to_uid",
                "ValueString": "user@example.com"
            }
        ],
        "UTCTimestamp": 1479770848
    }
}

Query examples

This section provides query examples for each event type.

Detection Event

_sourceCategory=*Crowdstrike* DetectionSummaryEvent
| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
| where event_type="DetectionSummaryEvent"
| json "event.Tactic", "event.Technique", "event.Objective", "event.ComputerName", "event.UserName", "event.DetectId", "event.DetectDescription", "event.Severity", "event.SeverityName", "event.FileName", "event.FilePath", "event.CommandLine", "event.MD5String", "event.SHA1String", "event.MachineDomain", "event.FalconHostLink", "event.IOCType", "event.IOCValue", "event.LocalIP", "event.MACAddress" as tactic, technique, objective, computer_name, user_name, detect_id, detect_desc, severity, severity_name, file_name, file_path, cmd_line, md5_string, sha1_string, machine_domain, falconHost_link, IOC_type, IOC_value, local_ip, mac_address
| timeslice 1d
| count_distinct(detect_id) by _timeslice, severity_name
| fillmissing timeslice(1d)
| transpose row _timeslice column severity_name

Authentication Event

_sourceCategory=*Crowdstrike* AuthActivityAuditEvent (userAuthenticate or twoFactorAuthenticate)
| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_time
| formatDate(fromMillis(operation_time), "MM/dd/yyyy HH:mm:ss:SSS") as operation_time
| where success="true"
| count by operation_time, operation_name, src_user, user_ip

Detection Status Update

_sourceCategory=*Crowdstrike* UserActivityAuditEvent
| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
| where event_type="UserActivityAuditEvent"
| json "event.OperationName", "event.UserId", "event.UserIp", "event.ServiceName", "event.AuditKeyValues" as operation_name, user_id, src_user, service_name, audit_values
| count by operation_name
| sort by _count
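The Sumo Logic queries above are compact, so as an added example (not from the page and not Sumo Logic or CrowdStrike code) here is the same logic in plain Python over constructed single-line events shaped like the sample logs. It lets you check offline what timeslice 1d, count_distinct, fillmissing and transpose produce for the Detection Event query, and what the Success filter keeps for the Authentication Event query. One detail worth checking in your own data: the page's Detection Event sample carries eventCreationTime in milliseconds (1536846439000) while the Authentication Event sample carries it in seconds (1480375833), and fromMillis on a seconds value yields a 1970 date; the to_day and fmt_time helpers below therefore normalise by magnitude, which is this example's own defensive choice. SAMPLE_LINES and every function name here are this example's assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed single-line events in the shape of the page's sample logs
# (values made up). The first detection is reported twice with the same
# DetectId so that count_distinct differs from a plain count, and the second
# authentication event is a failed one that the Success filter must drop.
SAMPLE_LINES = [
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":1536846439000},'
    '"event":{"DetectId":"ldt:aaa:1","SeverityName":"High","ComputerName":"CS-SE-EZ64"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":1536846500000},'
    '"event":{"DetectId":"ldt:aaa:1","SeverityName":"High","ComputerName":"CS-SE-EZ64"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":1536932839000},'
    '"event":{"DetectId":"ldt:aaa:2","SeverityName":"Medium","ComputerName":"HOST2"}}',
    '{"metadata":{"eventType":"AuthActivityAuditEvent","eventCreationTime":1480375833},'
    '"event":{"OperationName":"userAuthenticate","UserId":"user@example.com",'
    '"UserIp":"192.0.2.100","Success":true,"UTCTimestamp":1480375833}}',
    '{"metadata":{"eventType":"AuthActivityAuditEvent","eventCreationTime":1480375900},'
    '"event":{"OperationName":"userAuthenticate","UserId":"user@example.com",'
    '"UserIp":"198.51.100.7","Success":false,"UTCTimestamp":1480375900}}',
]


def _seconds(ts):
    """Accept seconds or milliseconds since the epoch (assumption: anything
    above 1e11 is milliseconds; see the lead-in for why this matters)."""
    return ts // 1000 if ts > 10**11 else ts


def to_day(ts):
    """Key for a 1-day timeslice, in UTC (the query's 'timeslice 1d')."""
    return datetime.fromtimestamp(_seconds(ts), tz=timezone.utc).strftime("%Y-%m-%d")


def fmt_time(ts):
    """Like the query's formatDate(fromMillis(...), "MM/dd/yyyy HH:mm:ss"),
    without the millisecond suffix."""
    return datetime.fromtimestamp(_seconds(ts), tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detection_severity_pivot(lines):
    """Python equivalent of the Detection Event query: per 1-day timeslice,
    count distinct DetectId by SeverityName, fill every missing (day, severity)
    combination with 0, and transpose so each row is a day with one column per
    severity name."""
    distinct = defaultdict(set)  # (day, severity) -> set of DetectId
    for line in lines:
        ev = json.loads(line)
        if ev["metadata"]["eventType"] != "DetectionSummaryEvent":
            continue
        day = to_day(ev["metadata"]["eventCreationTime"])
        distinct[(day, ev["event"]["SeverityName"])].add(ev["event"]["DetectId"])
    days = sorted({d for d, _ in distinct})
    severities = sorted({s for _, s in distinct})
    return {day: {sev: len(distinct.get((day, sev), ())) for sev in severities}
            for day in days}


def successful_auth_ops(lines):
    """Python equivalent of the Authentication Event query: keep
    userAuthenticate / twoFactorAuthenticate events whose Success is true and
    count them by (operation_time, operation_name, src_user, user_ip)."""
    counts = defaultdict(int)
    for line in lines:
        ev = json.loads(line)
        if ev["metadata"]["eventType"] != "AuthActivityAuditEvent":
            continue
        e = ev["event"]
        if e.get("OperationName") not in ("userAuthenticate", "twoFactorAuthenticate"):
            continue
        if e.get("Success") is not True:
            continue
        key = (fmt_time(e["UTCTimestamp"]), e["OperationName"], e["UserId"], e["UserIp"])
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    print(json.dumps(detection_severity_pivot(SAMPLE_LINES), indent=2))
    for key, n in successful_auth_ops(SAMPLE_LINES).items():
        print(n, *key)
```

With the constructed input the pivot reports one High detection on 2018-09-13 and one Medium detection on 2018-09-14, with the two zero cells that fillmissing would add, and the authentication summary keeps only the one successful login; the failed attempt is where you would look separately when tuning an alert on repeated failures.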