Sumo Logic

Collect Logs for CrowdStrike Falcon Platform

This procedure documents how to collect logs from the CrowdStrike Falcon platform into Sumo Logic. The CrowdStrike Falcon platform provides Endpoint Detection and Response (EDR), next-generation antivirus and threat intelligence services from the cloud. It consolidates multiple security functions into a single lightweight agent and provides visibility through integrations with a central security analytics platform such as Sumo Logic.

The Sumo Logic App for CrowdStrike Falcon Host platform allows you to analyze CrowdStrike security events by type, status, and detection method. You can use the App to investigate CrowdStrike-specific events and provide operational visibility to team members from pre-configured searches and Dashboards, without logging into the CrowdStrike console.

Log Types

The Sumo Logic App for CrowdStrike Falcon Host analyzes two log types:

  • Detection Summary Events
  • Authentication Events

For details on the format and field definitions of these events, refer to the CrowdStrike documentation.

Prerequisites/Requirements

To collect logs for the CrowdStrike Falcon Platform, you need to configure a CrowdStrike Falcon SIEM (Security Information and Event Management) Connector. Sumo Logic recommends installing the SIEM Connector and the Sumo Logic Collector on the same machine for best performance.

(Figure: CrowdStrike Falcon Host platform flow)

For more information about the CrowdStrike Falcon SIEM Connector, see the CrowdStrike documentation, or contact CrowdStrike Customer Support at info@crowdstrike.com.

Configure a Collector

Configure an Installed Collector.

Configure a Source

Configure a Syslog Source.

Set the Time Zone to GMT (Etc/UTC).

Note the protocol (TCP or UDP) and port number. You will need this information to configure the CrowdStrike Falcon SIEM Connector.

Configure the CrowdStrike Falcon SIEM Connector

Before you Begin

  1. Review the CrowdStrike Falcon SIEM Connector documentation. If you do not have access to the Falcon UI, contact CrowdStrike customer support at info@crowdstrike.com.
  2. From the conversation icon, select Docs.
     (Screenshot: CrowdStrike Documentation)
  3. Under Feature Guides, select Falcon Host SIEM Connector Feature Guide.
     (Screenshot: CrowdStrike Falcon Host Platform Guide links)

Download the Falcon SIEM Connector

From the Falcon UI, download the Falcon SIEM Connector package for the operating system of the machine that will run it.

Generate the CrowdStrike Falcon API ID and Key

  1. You need your CrowdStrike Falcon Host Streaming API username and password. If you already have them, skip to the next section, Install and Configure the CrowdStrike SIEM Connector. If you do not, continue with step 2.
  2. Log into the CrowdStrike console and go to API Key under the Support App.
  3. The API UUID that is displayed is your API username.
  4. Click Reset API Key to create your API password (the API Key). Resetting replaces the existing key, so any other integration that uses these Streaming API credentials must be updated with the new value.
  5. Make a note of the API UUID and API Key; you will need them to configure the CrowdStrike settings in the next section. Treat the API Key as a secret and store it only where the connector reads it.

Install and Configure the CrowdStrike SIEM Connector

To complete these steps, your machine must meet the minimum requirements in the CrowdStrike SIEM Connector documentation. It can be the same machine where the Sumo Logic Collector is installed if that machine runs CentOS, Red Hat or Ubuntu.

  1. Install the CrowdStrike Falcon SIEM Connector as instructed in the documentation.
  2. After installing the connector, choose the config file you want to use. Use the Syslog output config file at /opt/crowdstrike/etc/cs.falconhoseclient.cf
  3. The file has a number of parameters you can set, but the following are required:
  • output_format = syslog
  • _to_syslog_server = true
  • host = the IP address of the machine where you installed the Sumo Logic Collector
  • port = the port you wrote down when you configured the Syslog Source
  • protocol = the protocol (tcp or udp) you wrote down when you configured the Syslog Source
  If the connector and the Collector are on different machines, make sure that port is reachable from the connector host over the chosen protocol. Because this file also holds your API UUID and key, restrict its permissions to the account that runs the connector.

Start and Verify the CrowdStrike SIEM Connector

  1. Depending on the operating system in use, consult the CrowdStrike SIEM Connector guide for instructions on how to start the SIEM Connector.
  2. Verify that events are arriving in Sumo Logic by searching the Source Category you assigned to the Syslog Source.
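As an added check (example code, not from the Sumo Logic page or from CrowdStrike's connector), the following Python script injects one synthetic CEF event into the Syslog Source so you can confirm the Collector path before the connector has forwarded a real detection. HOST, PORT and PROTOCOL are placeholders for the values you noted when you configured the Syslog Source, and the event body is constructed to look like the page's DetectionSummaryEvent samples.

```python
"""Send one synthetic CrowdStrike-style CEF event to a Sumo Logic Syslog Source.

Added example; not code from the Sumo Logic page or from CrowdStrike's SIEM
Connector. HOST, PORT and PROTOCOL are placeholders for the Syslog Source settings.
"""
import socket
from datetime import datetime, timezone
from typing import Optional

HOST = "127.0.0.1"   # placeholder: the machine running the Sumo Logic Collector
PORT = 1514          # placeholder: the port set on the Syslog Source
PROTOCOL = "tcp"     # placeholder: "tcp" or "udp", whichever the Syslog Source uses

# Constructed CEF body, shaped like the page's DetectionSummaryEvent samples so the
# page's field extraction rule matches it. It is not a real Falcon detection.
TEST_CEF = (
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|"
    "Synthetic Syslog Path Check|1|"
    "shost=SYNTHETIC-HOST suser=synthetic cn3Label=Offset cn3=0 "
    'cs1="syslog-path-check" cs1Label=CommandLine'
)


def frame_syslog(cef_body: str, relay: str = "siemconnector",
                 when: Optional[datetime] = None) -> bytes:
    """Wrap a CEF body in the syslog header the page's samples use:

        <1> 2017-02-02T12:42:27-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|...

    The timestamp must carry its UTC offset, as the samples do, so the Syslog Source
    does not have to guess a zone. The trailing newline terminates the record on TCP;
    over UDP the whole message is one datagram and the newline is harmless.
    """
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must be timezone-aware so the offset is sent")
    ts = when.isoformat(timespec="seconds")
    return f"<1> {ts} {relay} CrowdStrike Falcon[0]: {cef_body}\n".encode("utf-8")


def send_test_event(host: str = HOST, port: int = PORT, protocol: str = PROTOCOL,
                    cef_body: str = TEST_CEF, timeout: float = 5.0) -> int:
    """Send one framed event over the configured protocol; returns bytes sent."""
    payload = frame_syslog(cef_body)
    proto = protocol.lower()
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
    elif proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (host, port))
    else:
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    return len(payload)


if __name__ == "__main__":
    sent = send_test_event()
    print(f"sent {sent} bytes to {HOST}:{PORT}/{PROTOCOL}")
```

Run it from the machine that will host the SIEM Connector so it exercises the same network path (including any firewall between the two hosts), then search the Syslog Source's category for "Synthetic Syslog Path Check". Once that message appears, start the connector and look for real DetectionSummaryEvent messages.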

Field Extraction Rule

This is an example of a CrowdStrike Falcon platform field extraction rule. Note the two value terminators it uses: (?:\s|$) ends a value at the first whitespace, which suits suser, shost and the identifiers but would truncate any value that contains a space, while (?: \w+=|$) ends a value at the next key=, which is why it is used for filePath, cs1 and deviceCustomDate1 (compare the paths and timestamps in the sample messages below).

| parse "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|*|*|" as detect_type,sev 
| extract "suser=(?<user>.*?)(?:\s|$)" nodrop
| extract "shost=(?<host>.*?)(?:\s|$)" nodrop
| extract "fname=(?<file>.*?)(?:\s|$)" nodrop
| extract "filePath=(?<path>.*?)(?: \w+=|$)" nodrop
| extract "cs1=(?<commandline>.*?)(?: \w+=|$)" nodrop
| extract "cs2=(?<doc_filename>.*?)(?: \w+=|$)" nodrop
| extract "cs3=(?<doc_filepath>.*?)(?: \w+=|$)" nodrop
| extract "cs6=(?<FalconHostLink>.*?)(?:\s|$)" nodrop
| extract "cn3=(?<offset>.*?)(?:\s|$)" nodrop
| extract "spid=(?<spid>.*?)(?:\s|$)" nodrop
| extract "sntdom=(?<host_domain>.*?)(?:\s|$)" nodrop
| extract "deviceCustomDate1=(?<doc_written_time>.*?)(?: \w+=|$)" nodrop
| extract "externalID=(?<sensorid>.*?)(?:\s|$)" nodrop

Sample Log Messages

<1> 2017-02-02T12:42:27-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Network Access In A Detection Summary Event|3|cn3Label=Offset suser=sta6ds dst=110.45.195.195 fname=KMPlayer.exe cn3=254180 sntdom=EEINTERhrew spt=61769 cs6=https://falcon.crowdstrike.com/detec...65696612526574 filePath=\Device\HarddiskVolume1\users\zta6ds\Documents\Install\     (--) dpt=80 cs1="C:\users\zta6ds\Documents\Install\     (--)\KMPlayer.exe"  shost=EEUAN40012 cs6Label=FalconHostLink cs1Label=CommandLine spid=910686634860 src=172.17.37.100 externalID=fa04be66bae449e644e0493ed860587c deviceCustomDate1=2016-06-13 12:42:27 deviceCustomDate1Label=AccessTimestamp

<1> 2017-02-02T12:27:37-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|cs3Label=EntitlementGroup deviceCustomDate1Label=Timestamp cs2Label=Entitlement suser=Customer deviceCustomDate1=2017-02-02 12:27:37 cn3=253265 outcome=true cn3Label=Offset cs4Label=TargetName cs1Label=ServiceName cat=validateEntitlementsHmac sourceTranslatedAddress=10.20.8.201 cs1=CrowdStrike Authentication

<1> 2017-02-02T12:42:28-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DNS Request In A Detection Summary Event|3|shost=J7RFZV1D cs6=https://falcon.crowdstrike.com/detec...86113599520768 fname=msiexec.exe cs6Label=FalconHostLink deviceCustomDate1=2017-02-02 12:42:28 spid=1509450465343 dhost=oceania.pool.ntp.org cn3Label=Offset cn3=254181 cs1="C:\Windows\system32\msiexec.exe" suser=c0000601 sntdom=Kodelo cs1Label=CommandLine filePath=\Device\HarddiskVolume2\Windows\System32 externalID=9a31ca7f389f43ce76de8d03a6695c8f deviceCustomDate1Label=DnsRequestTime

Query Sample

DNS Request Severity Over Time

_sourceCategory=CrowdStrike DetectionSummaryEvent DNS Request Detection Summary
| parse "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|*|*|" as detect_type,sev 
| extract "suser=(?<user>.*?)(?:\s|$)" nodrop
| extract "shost=(?<host>.*?)(?:\s|$)" nodrop
| extract "fname=(?<file>.*?)(?:\s|$)" nodrop
| extract "filePath=(?<path>.*?)(?: \w+=|$)" nodrop
| extract "cs1=(?<commandline>.*?)(?: \w+=|$)" nodrop
| extract "cs6=(?<FalconHostLink>.*?)(?:\s|$)" nodrop
| extract "cn3=(?<offset>.*?)(?:\s|$)" nodrop
| extract "spid=(?<spid>.*?)(?:\s|$)" nodrop
| extract "sntdom=(?<host_domain>.*?)(?:\s|$)" nodrop
| extract "externalID=(?<sensorid>.*?)(?:\s|$)" nodrop
| timeslice 5m 
| count _timeslice, sev
| transpose row _timeslice column sev
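To check the field extraction rule and the query above offline before saving them, here is an added Python example (not code from the Sumo Logic page or from CrowdStrike) that parses the page's three sample messages the same way the rule does, resolves the csN/cnN/deviceCustomDateN labels to named fields, and reproduces the per-timeslice severity count. The first three lines in SAMPLES are the page's own samples; the fourth is constructed to give a second timeslice and severity.

```python
"""Parse CrowdStrike CEF syslog samples and reproduce the severity-over-time count.

Added example; not code from the Sumo Logic page or from CrowdStrike. The first
three SAMPLES are the page's sample messages, the fourth is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional

# Syslog header the connector writes: <PRI> ISO-8601 timestamp, relay host, tag, CEF...
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>\s*(?P<ts>\S+)\s+(?P<relay>\S+)\s+(?P<rest>.*)$")
# A CEF extension key is word characters followed by '=' at the start or after
# whitespace; a value runs up to the next key. This is the page's "(?: \w+=|$)"
# terminator applied to every key, so values with spaces (filePath, cs1,
# deviceCustomDate1) survive. A value containing a literal " word=" would be split.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v two k3=v3' into a dict, stripping the quotes around cs1."""
    fields: Dict[str, str] = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[m.group(1)] = value
    return fields


def resolve_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Expose csN/cnN/deviceCustomDateN values under their ...Label names, so
    cs1=... with cs1Label=CommandLine is also available as fields["CommandLine"]."""
    resolved = dict(fields)
    for key, label in fields.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in fields:
            resolved[label] = fields[base]
    return resolved


def parse_event(line: str) -> Optional[dict]:
    """Return syslog header, CEF header and resolved extension fields of one line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("CEF:0|")
    if start < 0:
        return None
    parts = rest[start:].split("|", 7)  # 7 header fields + extension (no escaped '|' here)
    event = {"timestamp": datetime.fromisoformat(m.group("ts")), "relay": m.group("relay"),
             "event_class": None, "detect_type": None, "sev": None}
    if len(parts) == 8:
        event.update(event_class=parts[4], detect_type=parts[5], sev=parts[6])
    # The authentication sample has only four header fields before its extension; the
    # page's parse on "|DetectionSummaryEvent|*|*|" drops it, here it keeps its fields
    # with event_class left as None.
    event["fields"] = resolve_labels(parse_extension(parts[-1]))
    return event


def severity_over_time(lines: Iterable[str], slice_minutes: int = 5,
                       detect_type_contains: Optional[str] = None) -> Dict[str, Dict[str, int]]:
    """Count DetectionSummaryEvents per UTC timeslice and severity, the offline
    equivalent of '| timeslice 5m | count _timeslice, sev'."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_class"] != "DetectionSummaryEvent":
            continue
        if detect_type_contains and detect_type_contains not in ev["detect_type"]:
            continue
        ts = ev["timestamp"].astimezone(timezone.utc)
        slice_start = ts.replace(minute=ts.minute - ts.minute % slice_minutes,
                                 second=0, microsecond=0)
        buckets[slice_start.isoformat()][ev["sev"]] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


SAMPLES = [
    # Page samples (Network Access detection, authentication event, DNS Request detection).
    r'<1> 2017-02-02T12:42:27-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Network Access In A Detection Summary Event|3|cn3Label=Offset suser=sta6ds dst=110.45.195.195 fname=KMPlayer.exe cn3=254180 sntdom=EEINTERhrew spt=61769 cs6=https://falcon.crowdstrike.com/detec...65696612526574 filePath=\Device\HarddiskVolume1\users\zta6ds\Documents\Install\     (--) dpt=80 cs1="C:\users\zta6ds\Documents\Install\     (--)\KMPlayer.exe"  shost=EEUAN40012 cs6Label=FalconHostLink cs1Label=CommandLine spid=910686634860 src=172.17.37.100 externalID=fa04be66bae449e644e0493ed860587c deviceCustomDate1=2016-06-13 12:42:27 deviceCustomDate1Label=AccessTimestamp',
    r'<1> 2017-02-02T12:27:37-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|cs3Label=EntitlementGroup deviceCustomDate1Label=Timestamp cs2Label=Entitlement suser=Customer deviceCustomDate1=2017-02-02 12:27:37 cn3=253265 outcome=true cn3Label=Offset cs4Label=TargetName cs1Label=ServiceName cat=validateEntitlementsHmac sourceTranslatedAddress=10.20.8.201 cs1=CrowdStrike Authentication',
    r'<1> 2017-02-02T12:42:28-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DNS Request In A Detection Summary Event|3|shost=J7RFZV1D cs6=https://falcon.crowdstrike.com/detec...86113599520768 fname=msiexec.exe cs6Label=FalconHostLink deviceCustomDate1=2017-02-02 12:42:28 spid=1509450465343 dhost=oceania.pool.ntp.org cn3Label=Offset cn3=254181 cs1="C:\Windows\system32\msiexec.exe" suser=c0000601 sntdom=Kodelo cs1Label=CommandLine filePath=\Device\HarddiskVolume2\Windows\System32 externalID=9a31ca7f389f43ce76de8d03a6695c8f deviceCustomDate1Label=DnsRequestTime',
    # Constructed line (not from the page): a later DNS Request detection with severity 5.
    r'<1> 2017-02-02T12:51:02-07:00 myhost336 CrowdStrike Falcon[5509]: CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DNS Request In A Detection Summary Event|5|shost=CONSTRUCTED01 fname=powershell.exe deviceCustomDate1=2017-02-02 12:51:02 spid=1509450465999 dhost=example.invalid cn3Label=Offset cn3=254190 cs1="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden" suser=ctest sntdom=EXAMPLE cs1Label=CommandLine filePath=\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0 externalID=cafecafecafecafecafecafecafecafe deviceCustomDate1Label=DnsRequestTime',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ev = parse_event(sample)
        print(ev["sev"], ev["detect_type"], ev["fields"].get("CommandLine"))
    print(severity_over_time(SAMPLES, detect_type_contains="DNS Request"))
```

The timeslice keys are UTC, which is why the 12:42 local-time samples land in the 19:40 slot; the "-07:00" offset in the syslog header is what makes that conversion possible, and the deviceCustomDate1 values inside the CEF body carry no offset at all, so do not use them as the event time.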

Sumo Logic App

Once you have configured collection, you can install the Sumo Logic App for CrowdStrike Falcon Platform. The app allows you to analyze CrowdStrike security events by type, status, and detection method. You can use it to investigate CrowdStrike-specific events and provide operational visibility to team members from pre-configured searches and dashboards, without logging into the CrowdStrike console.