Versions Compared

Old Version 36

changes.mady.by.user Sarah Bigault

Saved on

compared with

New Version 37

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rw ui tabs macro
Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running this collector:

Code Block
<any_directory>
└── devo-collectors/
    └── devo-collector-crowdstrikeapi/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/ 
            └── config-crowdstrikeapi.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in devo-collectors-crowdstrikeapi/certs/. Learn more about security credentials in Devo here.

Editing the config-crowdstrikeapi.yaml file

Code Block
globals:
  debug: <debug_value>
  id: not_used
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
  multiprocessing: false
  queue_max_size_in_mb: 1024
  queue_max_size_in_messages: 1000
  queue_max_elapsed_time_in_sec: 60
  queue_wrap_max_size_in_messages: 100

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  crowdstrike:
    id: <input_id>
    enabled: true
    requests_per_second: <request_per_seconds>
    override_base_url: <override_base_url_value>
    credentials:
      client_id: <client_id_value>
      secret_key: <secret_key_value>
    services:
      incidents:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      hosts:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      vulnerabilities:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      behaviors:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      estream:
        request_period_in_seconds: <request_period_in_seconds_value>
        reset_persistence_auth: <reset_persistence_auth_value>
        overide_offset_save_batch_size_in_events: <overide_offset_save_batch_size_in_events_value>
        overide_max_seconds_after_last_ingestion: <overide_max_seconds_after_last_ingestion_value>
        initial_partition_offsets:
          <partition_id_value>: <partition_offset_value>
        tagging_version: <tagging_version_value>
        additional_tag_mappings:
          <lowercased_event_type_value>: <fourth_tag_level_value>

Replace the placeholders with the required values:

Parameter

Data Type

Type

Value Range

Details

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

input_status

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

requests_per_second

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info

This parameter should be removed if it is not used.

override_base_url

str

Optional

Valid URL following this regex:
pending

By default, the base url is https://api.crowdstrike.com. This parameter allows you to customize the base url.

Info

This parameter should be removed if it is not used.

creds_client

str

Mandatory

Any

User Client ID to authenticate to the service.

creds_secret

str

Mandatory

Any

User Secret Key to authenticate to the service.

period_in_seconds

int

Optional

Minimum length: 1

By default, this service will run every 600 seconds. This parameter allows you to customize this behavior.

Info

This parameter should be removed if it is not used.

start_timestamp_in_epoch_seconds

int

Mandatory

Format: Unix timestamps
Minimum value: 1609455600
Maximum value: Now()

Initial time period used when fetching data from the endpoint.

Note

Updating this value will produce the lost of all persisted data and current pipelines.

<reset_persistence_auth_value>

str

Optional

Format: YYYY-MM-DDTHH:mm:ss.SSSZ

Maximum value: current date

This parameter allows you to clear the persistence of the collector and restart the download pipeline. Updating this value will produce the loss of all persisted data and current pipelines.

 

Info

This parameter should be removed if it is not used.

<overide_offset_save_batch_size_in_events_value>

int

Optional

Minimum value: 1
Maximum value: 1000

Although the stream services uses a streaming API (events are fetched continuously one by one), we send the collected events in batches for better performance. This parameter controls the amount of items to be sent per batch. The default value is 10.

Info

This parameter should be removed if it is not used.

<overide_max_seconds_after_last_ingestion_value>

int

Optional

Minimum value: 1
Maximum value: 1000

If the collector did not ingest a batch of events in the last n seconds, the connection will be closed and all the streams will be restarted. This parameter configures this time span.

Info

This parameter should be removed if it is not used.

<initial_partition_offsets_value>

object

Optional

It has the following structure:

Code Block
languagenone
initial_partition_offsets:
       <partition_id_value>: <partition_offset_value>

Where:

  • <partition_id_value>: The partition ID (0, 1, 2…) that will use this initial offset.

  • <partition_offset_value>: The initial offset. This offset will not be included in the ingestion (it will start from the next offset).

the CrowdStrike Events Stream has partitions, each one streaming its own events and hence managing its own event offset. When querying for events, you can specify an initial offset to start receiving events from. This parameter allows you to define initial offsets for the initial run of this service or when the state is being reset.

Info

This parameter should be removed if it is not used.

<tagging_version_value>

str

Optional

A version string (like "1.3.0") or "latest".

This parameter configures the tagging mechanism that every release might introduce.

  1. If you want to keep the original tagging mechanism, remove this parameter.

  2. If you want to use a specific mechanism created for a certain release, set your desired version.

  3. If you want to always have the latest tagging mechanism without having backwards compatibility, use latest.

Info

This parameter should be removed if it is not used.

<additional_tag_mappings_value>

object

Optional

It has the following structure:

Code Block
languagenone
additional_tag_mappings:
        <lowercased_event_type_value>: <fourth_tag_level_value>

Where:

  • <lowercased_event_type_value>: Every event’s metadata.eventType (lowercased) JSON property.

  • <fourth_tag_level_value>: The fourth level for the edr.crowdstrike.falconstreaming.{value} tag.

In case you want to have a custom destination tag for certain events that is not covered by default, you can set it up using this parameter.

Info

This parameter should be removed if it is not used.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-crowdstrike_api_resources_if-docker-image-1.4.2

40adcb246ce2dde11db113202a408e36f23996112fff082c2ba219841eb852e4

Use the following command to add the Docker image to the system:

Code Block
gunzip -c collector-crowdstrike-docker-image-<version>.tgz | docker load

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace "<version>" with a proper value.

The Docker image can be deployed on the following services:

  • Docker

  • Docker Compose

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/crowdstrikeapi/

Code Block
docker run \
--name collector-crowdstrikeapi\
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-crowdstrikeapi.yaml \
--rm -it docker.devo.internal/collector/crowdstrikeapi:<version>
Note

Replace <version> with the required value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/crowdstrikeapi/ directory.

Code Block
version: '3'
services:
  collector-crowdstrikeapi
    image: docker.devo.internal/collector/crowdstrikeapi:${IMAGE_VERSION:-latest}
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-crowdstrikeapi.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/crowdstrikeapi/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <version> with the required value.

Copy

...