Page Comparison

...

Crowdstrike is one of the top data sources for Devo customers and prospects alike, so would encourage new customers to use this one, and existing ones to transition to this one soon.

Data source description

Data Source	Subtype	Table	Service

Endpoint

End Point

Description

Available from release

Hosts

-

edr.crowdstrike.falconstreaming.agents

hosts

Listing: {base_url}/devices/queries/devices/v1
Details: {base_url}/devices/entities/devices/v2

Check the {base_url} in the config parameters details for further information.

Hosts are endpoints that run the Falcon sensor. You can get information and details about these agents.

Info

Reference documentation:

v1.0.0

Incidents

-

edr.crowdstrike.falconstreaming.incidents

incidents

Listing: {base_url}/incidents/queries/incidents/v1
Details: {base_url}/incidents/entities/incidents/GET/v1

Check the {base_url} in the config parameters details for further information.

Incidents are events that occur in an organization which can represent a cybersecurity threat or an attack.

Info

Reference documentation:

v1.0.0

Spotlight

Vulnerabilities

-

edr.crowdstrike.falconstreaming.vulnerabilities

alias:

edr.crowdstrike.falcon_spotlight.vulnerabilities

vulnerabilities

Listing: {base_url}/spotlight/queries/vulnerabilities/v1
Details: {base_url}/spotlight/entities/vulnerabilities/v2

Check the {base_url} in the config parameters details for further information.

Vulnerabilities are known security risks in an operating system, application, hardware, firmware, or other part of a computing stack.

Info

Reference documentation:

v1.0.0

Behaviors

-

edr.crowdstrike.falconstreaming.behaviors

behaviors

Listing: {base_url}/incidents/queries/behaviors/v1
Details: {base_url}/incidents/entities/behaviors/GET/v1

Check the {base_url} in the config parameters details for further information.

Behaviors are patterns of data transmissions in a network that are out of the norm, used to detect anomalies before cyber attacks occur.

Info

Reference documentation:

crowdstrike/reference/querybehaviors-1

crowdstrike/reference/getbehaviors-1

v1.0.0

File Vantage

edr.crowdstrike.falcon_filevantage.change

filevantage

Listing: {base_url}/filevantage/queries/changes/v2
Details: {base_url}/filevantage/entities/changes/v21

Check the {base_url} in the config parameters details for further information.

Collect data about changes to files, folders, and registries with Falcon FileVantage APIs. Store this data to help you meet certain compliance recommendations and requirements as listed in the Sarbanes–Oxley Act, National Institute for Standards and Technology (NIST), Health Insurance Portability and Accountability Act (HIPAA), and others.

Info

Reference documentation:

https://

developer

falcon.us-2.crowdstrike.com/

crowdstrike

documentation/

reference

216/

getbehaviors

falcon-

1v1.0.0

filevantage

Event Stream (eStream)

AuthActivity AuditEvent

edr.crowdstrike.falconstreaming.auth_activity

estream

The endpoints are dynamically generated by following this (simplified) approach:

Once an authentication token has been obtained, a request to {base_url}/sensors/entities/datafeed/v2 is performed to obtain the “Data Feeds”.
1. Check the {base_url} in the config parameters details for further information.
Each Data Feed will contain a URL and a session token. A request to each of these URLs (along with their corresponding token) will return a streaming response in which every non-empty line represents a different event.
1. Every Data Feed will also contain a “refresh stream” URL, which is accessed every less than 30 minutes.
2. All the Data Feeds are processed in parallel. The amount of available Data Feeds depend on the CrowdStrike account’s configuration.

The Streaming API provides several types of events.

Info
Some of them are documented in https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events .

v1.3.0

IncidentSummaryEvent

edr.crowdstrike.falconstreaming.incident_summary

v1.3.0

RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent

edr.crowdstrike.falconstreaming.remote_response_session

v1.3.0

CustomerIOCEvent

edr.crowdstrike.falconstreaming.customer_ioc

v1.3.0

Event_ExternalAPIEvent

edr.crowdstrike.falconstreaming.external_api

v1.3.0

DetectionSummaryEvent

edr.crowdstrike.falconstreaming.detection_summary

v1.3.0

UserActivityAuditEvent

Depending on the event’s event.ServiceName property (in lowercase):

groups → edr.crowdstrike.falconstreaming.user_activity_groups
devices → edr.crowdstrike.falconstreaming.user_activity_devices
detections → edr.crowdstrike.falconstreaming.user_activity_detections
quarantined_files → edr.crowdstrike.falconstreaming.user_activity_quarantined_files
ip_whitelist → edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
prevention_policy → edr.crowdstrike.falconstreaming.user_activity_prevention_policy
sensor_update_policy → edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
device_control_policy → edr.crowdstrike.falconstreaming.user_activity_device_control_policy

v1.3.0

Vendor setup

In order to configure the Devo | CrowdStrike API Resources collector, you need to create an API client that will be used to authenticate API requests.

...

Rw ui tabs macro

Rw tab

title	Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running this collector:

Code Block

<any_directory>
└── devo-collectors/
    └── devo-collector-crowdstrikeapi/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/ 
            └── config-crowdstrikeapi.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in devo-collectors-crowdstrikeapi/certs/. Learn more about security credentials in Devo here.

Editing the config-crowdstrikeapi.yaml file

Code Block

globals:
  debug: <debug_value>
  id: not_used
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
  multiprocessing: false
  queue_max_size_in_mb: 1024
  queue_max_size_in_messages: 1000
  queue_max_elapsed_time_in_sec: 60
  queue_wrap_max_size_in_messages: 100

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  crowdstrike:
    id: <input_id>
    enabled: true
    requests_per_second: <request_per_seconds>
    override_base_url: <override_base_url_base_url_value>
    credentials:
      client_id: <client_id_value>
      secret_key: <secret_key_value>
    credentialsservices:
      client_idincidents:
<client_id_value>        secret_key: <secret_key_value>request_period_in_seconds: <request_period_in_seconds_value>
        services:start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      incidentshosts:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      hostsvulnerabilities:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      vulnerabilitiesbehaviors:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      behaviorsfilevantage:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      estream:
        request_period_in_seconds: <request_period_in_seconds_value>
        reset_persistence_auth: <reset_persistence_auth_value>
        overide_offset_save_batch_size_in_events: <overide_offset_save_batch_size_in_events_value>
        overide_max_seconds_after_last_ingestion: <overide_max_seconds_after_last_ingestion_value>
        initial_partition_offsets:
          <partition_id_value>: <partition_offset_value>
        tagging_version: <tagging_version_value>
        additional_tag_mappings:
          <lowercased_event_type_value>: <fourth_tag_level_value>

Replace the placeholders with the required values:

Parameter

Data Type

Type

Value Range

Details

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

input_status

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

requests_per_second

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info
This parameter should be removed if it is not used.

override_base_url

str

Optional

Valid URL following this regex:
pending

By default, the base url is https://api.crowdstrike.com. This parameter allows you to customize the base url.

Info
This parameter should be removed if it is not used.

creds_client

str

Mandatory

Any

User Client ID to authenticate to the service.

creds_secret

str

Mandatory

Any

User Secret Key to authenticate to the service.

period_in_seconds

int

Optional

Minimum length: 1

By default, this service will run every 600 seconds. This parameter allows you to customize this behavior.

Info
This parameter should be removed if it is not used.

start_timestamp_in_epoch_seconds

int

Mandatory

Format: Unix timestamps
Minimum value: 1609455600
Maximum value: Now()

Initial time period used when fetching data from the endpoint.

Note
Updating this value will produce the lost of all persisted data and current pipelines.

<reset_persistence_auth_value>

str

Optional

Format: YYYY-MM-DDTHH:mm:ss.SSSZ

Maximum value: current date

This parameter allows you to clear the persistence of the collector and restart the download pipeline. Updating this value will produce the loss of all persisted data and current pipelines.

Info
This parameter should be removed if it is not used.

<overide_offset_save_batch_size_in_events_value>

int

Optional

Minimum value: 1
Maximum value: 1000

Although the stream services uses use a streaming API (events are fetched continuously one by one), we send the collected events in batches for better performance. This parameter controls the amount of items to be sent per batch. The default value is 10.

Info
This parameter should be removed if it is not used.

<overide_max_seconds_after_last_ingestion_value>

int

Optional

Minimum value: 1
Maximum value: 1000

If the collector did not ingest a batch of events in the last n seconds, the connection will be closed and all the streams will be restarted. This parameter configures this time span.

Info
This parameter should be removed if it is not used.

<initial_partition_offsets_value>

object

Optional

It has the following structure:

Code Block

language	none

initial_partition_offsets:
       <partition_id_value>: <partition_offset_value>

Where:

<partition_id_value>: The partition ID (0, 1, 2…) that will use this initial offset.
<partition_offset_value>: The initial offset. This offset will not be included in the ingestion (it will start from the next offset).

the CrowdStrike Events Stream has partitions, each one streaming its own events and hence managing its own event offset. When querying for events, you can specify an initial offset to start receiving events from. This parameter allows you to define initial offsets for the initial run of this service or when the state is being reset.

Info
This parameter should be removed if it is not used.

<tagging_version_value>

str

Optional

A version string (like "1.3.0") or "latest".

This parameter configures the tagging mechanism that every release might introduce.

If you want to keep the original tagging mechanism, remove this parameter.
If you want to use a specific mechanism created for a certain release, set your desired version.
If you want to always have the latest tagging mechanism without having backwards compatibility, use latest.

Info
This parameter should be removed if it is not used.

<additional_tag_mappings_value>

object

Optional

It has the following structure:

Code Block

language	none

additional_tag_mappings:
        <lowercased_event_type_value>: <fourth_tag_level_value>

Where:

<lowercased_event_type_value>: Every event’s metadata.eventType (lowercased) JSON property.
<fourth_tag_level_value>: The fourth level for the edr.crowdstrike.falconstreaming.{value} tag.

In case you want to have a custom destination tag for certain events that is not covered by default, you can set it up using this parameter.

Info
This parameter should be removed if it is not used.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image	SHA-256 hash
collector-crowdstrike_api_resources_if-docker-image-1.4.23	`40adcb246ce2dde11db113202a408e36f23996112fff082c2ba219841eb852e477d573200116064f04931774b505546f71810b0238e76be4c97d80d35f4d936f`

Use the following command to add the Docker image to the system:

Code Block
gunzip -c collector-crowdstrike-docker-image-<version>.tgz \| docker load

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace "<version>" with a proper value.

The Docker image can be deployed on the following services:

Docker
Docker Compose

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/crowdstrikeapi/

Code Block

docker run \
--name collector-crowdstrikeapi\
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-crowdstrikeapi.yaml \
--rm -it docker.devo.internal/collector/crowdstrikeapi:<version>

Note
Replace `<version>` with the required value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/crowdstrikeapi/ directory.

Code Block

version: '3'
services:
  collector-crowdstrikeapi
    image: docker.devo.internal/collector/crowdstrikeapi:${IMAGE_VERSION:-latest}
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-crowdstrikeapi.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/crowdstrikeapi/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<version>` with the required value.

Copy

...

Versions Compared

Old Version 37

New Version 38

Key

Data source description

Vendor setup

Structure

Devo credentials

Editing the config-crowdstrikeapi.yaml file

Download the Docker image

Docker

Docker Compose