Skip to main content
Sumo Logic

Collect logs for the CrowdStrike Falcon Endpoint Protection App

This page shows you how to configure log collection from CrowdStrike Falcon Endpoint Protection and send the logs to Sumo Logic, as well as providing field extraction rule, log, and query examples.

This page shows you how to configure log collection from CrowdStrike Falcon Endpoint Protection and have them sent to Sumo Logic. CrowdStrike Falcon Endpoint Protection provides endpoint detection and response, next-gen antivirus, and threat intelligence services through the cloud. Multiple security functions are consolidated into a single lightweight agent, for visibility across using central security analytics with Sumo Logic.

Collection process overview (DEPRECATED) 

SIEMs (Security Information and Event Management) are used to gather data from a variety of security products to detect, investigate, correlate, and remediate security threats. The Falcon SIEM Connector provides a fast and efficient way to optimize collection across an extensive number of endpoints. 

To set up log collection for CrowdStrike Falcon, you download, install, and configure the CrowdStrike SIEM Connector to send data to Sumo Logic, through performing the following tasks:

  • Step 1. Download and Install CrowdStrike SIEM Connector on a host machine. 
  • Step 2. Configure CrowdStrike SIEM Connector to stream CrowdStrike events into local a file.
  • Step 3 Install Sumo Logic Installed Collector  on the same host and set up local file source

For more information about the CrowdStrike Falcon SIEM Connector, see the CrowdStrike documentation, or contact CrowdStrike Customer Support at

Data collection flow (DEPRECATED)

The following graphic illustrates the Sumo Logic collection of CrowdStrike streaming API events using a SIEM Connector.


Before you begin (DEPRECATED)

It is important that you complete the following tasks before you start to configure log collection for CrowdStrike Falcon:

  • Download the SIEM Connector guide, familiarize yourself with SIEM Connector and its config settings.
  • Contact CrowdStrike support to enable the streaming APIs in your environment. You must do this before using the SIEM connector.

Step 1. Download and install CrowdStrike SIEM Connector on a host machine (DEPRECATED)

You perform this procedure from the Falcon console. You must have permission to be able to download and install from Falcon to complete this task.

To install a CrowdStrike SIEM Connector on a host machine, do the following:

  1. Login to your Falcon console and go to Support > Tool Downloads.

  2. Download the SIEM Connector installer for your operating system.

  3. Open a terminal window.

  4. Run the following installation command appropriate for your OS, replacing the <installer package> variable with the SIEM installer you downloaded:

  • CentOS: sudo rpm -Uvh <installer package>

  • Ubuntu: sudo dpkg -i <installer package>

Step 2. Configure CrowdStrike SIEM Connector (DEPRECATED)

This SIEM connector will stream events data from CrowdStrike Falcon Cloud in JSON format into a local file (output). The default location of the output file is /var/log/crowdstrike/falconhoseclient/output.

 To configure CrowdStrike SIEM Connector, do the following:

  1. In the Falcon console, go to Support > API Clients & Keys.
  2. Create an API client to use with the SIEM connector, and record its API client ID and API client secret. In the the Edit API client dialog, ONLY select the Event streams option, and then click Save.


  1. Open the /opt/crowdstrike/etc/cs.falconhoseclient.cfg file in a text editor.
  2. Edit the following lines in the cs.falconhoseclient.cfg file:
  • Change app_id to SIEM-Connector.
  • client_id - Add your recorded API Client ID
  • client_secret - Add your recorded API Client Secret
  • Make sure output_format is set to json
  • For EventTypeCollection section - Enable all events:
    • DetectionSummaryEvent = true
    • AuthActivityAuditEvent = true
    • UserActivityAuditEvent = true
    • HashSpreadingEvent = true
    • RemoteResponseSessionStartEvent = true
    • RemoteResponseSessionEndEvent = true
  1. Save your changes.
  2. Restart the SIEM Connector, as appropriate for your OS:
  • CentOS: sudo service cs.falconhoseclientd start
  • Ubuntu 14.x: sudo start cs.falconhoseclientd
  • Ubuntu 16.4: sudo systemctl start cs.falconhoseclientd.service

Step 3. Setup a Sumo Logic installed collector and local file source (DEPRECATED)

You setup a Sumo Logic installed collector on the same host as the SIEM Connector. Then, set up a local file source on the installed collector to read the output file from Step 2 and send CrowdStrike Falcon Events to Sumo Logic.

To setup an installed collector and local file source, do the following:

  1. Install a Sumo Logic collector on the same host as the SIEM Connector. Follow the instructions for your operating system as described in Installed Collectors.
  2. Add a local file source to the collector for Streaming API Events. Follow the steps on Local File Source, with these additional changes:
  • Set the Filepath to:  /var/log/crowdstrike/falconhoseclient/output
  • Set the Source Category to: crowdstrike/falcon
  • Under Enable Multiline Processing, check  Boundary Regex  and enter the following regex: ^\{.*


  1. Click Save.

Sample Logs

This section provides a sample log message for each of the following log types:

  • Detection Event 
  • Authentication Event
  • Detection Status Update Event

For more information on Events, please refer to Streaming API Event Dictionary.

Event Type Log Message
Detection Event



    "metadata": {

        "customerIDString": “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

        "offset": 14947764,

        "eventType": "DetectionSummaryEvent",

        "eventCreationTime": 1536846439000,

        "version": "1.0"


    "event": {

        "ProcessStartTime": 1536846339,

        "ProcessEndTime": 0,

        "ProcessId": 38684386611,

        "ParentProcessId": 38682494050,

        "ComputerName": "CS-SE-EZ64",

        "UserName": "demo",

        "DetectName": "Process Terminated",

        "DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",

        "Severity": 4,

        "SeverityName": "High",

        "FileName": "explorer.exe",

        "FilePath": "\\Device\\HarddiskVolume1\\Windows",

        "CommandLine": "C:\\Windows\\Explorer.EXE",

        "SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",

        "MD5String": "ac4c51eb24aa95b77f705ab159189e24",

        "MachineDomain": "CS-SE-EZ64",

        "FalconHostLink": "",

        "SensorId": "ec86abd353824e96765ecbe18eb4f0b4",

        "DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",

        "LocalIP": "xx.xx.xx.xx",

        "MACAddress": "xx-xx-xx-xx-xx",

        "Tactic": "Malware",

        "Technique": "Ransomware",

        "Objective": "Falcon Detection Method",

        "PatternDispositionDescription": "Prevention, process killed.",

        "PatternDispositionValue": 16,

        "PatternDispositionFlags": {

            "Indicator": false,

            "Detect": false,

            "InddetMask": false,

            "SensorOnly": false,

            "Rooting": false,

            "KillProcess": true,

            "KillSubProcess": false,

            "QuarantineMachine": false,

            "QuarantineFile": false,

            "PolicyDisabled": false,

            "KillParent": false,

            "OperationBlocked": false,

            "ProcessBlocked": false




Authentication Event


  "event": {

    "AuditKeyValues": [


        "Key": "target_name",

        "ValueString": ""



    "OperationName": "activateUser",

    "ServiceName": "CrowdStrike Authentication",

    "Success": true,

    "UserId": "",

    "UserIp": "",

    "UTCTimestamp": 1452711518


  "metadata": {

    "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",

    "eventType": "AuthActivityAuditEvent",

    "eventCreationTime": 1480375833,

    "offset": 80960


Detection Status Update


    "metadata": {

        "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",

        "offset": 11049003,

        "eventType": "UserActivityAuditEvent",

        "eventCreationTime": 1479770848


    "event": {

        "UserId": "",

        "UserIp": "",

        "OperationName": "detection_update",

        "ServiceName": "detections",

        "AuditKeyValues": [


                "Key": "detection_id",

                "ValueString": "ldt:b60f82cf1aa342f47363bf3b6bfb6b7d:123456356541"



                "Key": "new_state",

                "ValueString": "in_progress"



                "Key": "assigned_to",

                "ValueString": "Knightley"



                "Key": "assigned_to_uid",

                "ValueString": ""



        "UTCTimestamp": 1479770848



Query examples

This section provides query examples for each event type.

Event Type Query Example
Detection Event

_sourceCategory=*Crowdstrike*  DetectionSummaryEvent

| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time

| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time

| where event_type="DetectionSummaryEvent"

| json  "event.Tactic","event.Technique", "event.Objective", "event.ComputerName", "event.UserName", "event.DetectId", "event.DetectDescription", "event.Severity", "event.SeverityName", "event.FileName", "event.FilePath", "event.CommandLine", "event.MD5String", "event.SHA1String", "event.MachineDomain" , "event.FalconHostLink", "event.IOCType", "event.IOCValue", "event.LocalIP", "event.MACAddress" as tactic, technique, objective, computer_name, user_name, detect_id, detect_desc, severity, severity_name, file_name, file_path, cmd_line, md5_string, sha1_string, machine_domain, falconHost_link, IOC_Ttype, IOC_value, local_ip, mac_adderess

| timeslice 1d

| count_distinct (detect_id) by _timeslice, severity_name

| fillmissing timeslice(1d)

| transpose row _timeslice column severity_name

Authentication Event

_sourceCategory=*Crowdstrike*  AuthActivityAuditEvent (userAuthenticate or twoFactorAuthenticate)

| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time

| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time

| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_time

| formatDate(fromMillis(operation_time), "MM/dd/yyyy HH:mm:ss:SSS") as operation_time

| where success="true"

| count by operation_time, operation_name, src_user, user_ip

Detection Status Update

_sourceCategory=*Crowdstrike*  UserActivityAuditEvent

| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time

| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time

| where event_type="UserActivityAuditEvent"

| json "event.OperationName",  "event.UserId", "event.UserIp", "event.ServiceName", "event.AuditKeyValues" as operation_name, user_id, src_user, service_name, audit_values

| count by operation_name

| sort by _count