Coralogix allows you to ingest CrowdStrike data and add its security context to your other application and infrastructure logs. Doing so leads to more efficient root-cause and impact analysis, and a faster, better response to security incidents. It makes Coralogix analysis and proactive management capabilities available in a unified way across your infrastructure's different technology domains, as well as across different constituencies (engineering, DevOps, SecOps, etc.). You can see the big picture and dive into the details without missing any aspect of it.
Follow these steps to get Crowdstrike data ingested into Coralogix:
You can use your log shipper of preference, although we strongly suggest using Fluent Bit as a best practice. See our integrations page for other available shippers.
The following is an example configuration.
STEP 1. Install Crowdstrike Falcon SIEM connector.
STEP 2. Configure it to stream CrowdStrike events into a local file. By default, the SIEM connector stores its data in /var/log/crowdstrike/falconhoseclient/. Change the default data storage location if necessary.
STEP 3. Install and configure Filebeat on the SIEM connector host, by following the information in this link.
Use the filter configuration below as a basis for shipping your logs, which follow a multiline pattern (each event spans several lines, opening with a lone "{" and closing with a lone "}").

<filter falcon_log>
  @type concat
  key message
  separator ""
  multiline_start_regexp /^{$/
  multiline_end_regexp /^}$/
</filter>

<filter **>
  @type record_transformer
  @log_level warn
  enable_ruby true
  auto_typecast true
  renew_record true
  <record>
    applicationName ${record['tag']}
    subsystemName ${record['tag']}
    computerName ${hostname}
    text ${record['message']}
  </record>
</filter>
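As an added illustration (not part of the Coralogix page or the connector's own code), the following Python mirrors the two Fluentd filter stages above on a constructed sample of connector output: the concat stage that reassembles each pretty-printed JSON event between a lone "{" and a lone "}", and the record_transformer stage that builds the four-field Coralogix record. The tag falcon_log and the hostname siem-connector-01 are assumed values; the sample also contains a blank line and a truncated final event to show what the concat stage does with them.

```python
import json
import re

# Constructed sample of Falcon SIEM connector output (not real events): each event is
# pretty-printed JSON, so "{" and "}" sit alone on a line, as the concat regexes expect.
SAMPLE_LINES = [
    "{",
    '  "metadata": { "eventType": "DetectionSummaryEvent", "offset": 1 },',
    '  "event": { "Severity": 4, "ComputerName": "host-01" }',
    "}",
    "",
    "{",
    '  "metadata": { "eventType": "AuthActivityAuditEvent", "offset": 2 },',
    '  "event": { "UserId": "analyst@example.com" }',
    "}",
    "{",
    '  "metadata": { "eventType": "DetectionSummaryEvent", "offset": 3 },',
]

START = re.compile(r"^\{$")  # multiline_start_regexp /^{$/
END = re.compile(r"^\}$")    # multiline_end_regexp /^}$/

def concat_multiline(lines):
    """Reassemble events as the concat filter does: start-regex line through end-regex
    line, joined with separator "". Stray lines outside an event are dropped and an
    unterminated event is held back rather than emitted."""
    events, buf = [], None
    for line in lines:
        if buf is None:
            if START.match(line):
                buf = [line]
            continue
        buf.append(line)
        if END.match(line):
            events.append("".join(buf))
            buf = None
    return events

def to_coralogix_record(message, tag, hostname):
    """Mirror record_transformer with renew_record true: only these four keys survive,
    with the whole JSON event carried in "text"."""
    return {"applicationName": tag, "subsystemName": tag,
            "computerName": hostname, "text": message}

def process(lines, tag="falcon_log", hostname="siem-connector-01"):
    """Run both filter stages; json.loads raises if concatenation broke an event."""
    records = [to_coralogix_record(e, tag, hostname) for e in concat_multiline(lines)]
    for record in records:
        json.loads(record["text"])
    return records
```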
Need help?
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].