
edr.crowdstrike

Introduction

The tags beginning with edr.crowdstrike identify events generated by CrowdStrike.

Tag structure

The full tag has at least 3 levels. The first two are fixed as edr.crowdstrike. The third level identifies the type of events sent, and the optional fourth level indicates the event subtype.

Technology | Brand       | Type            | Subtype
edr        | crowdstrike | falconstreaming | incidents
           |             | cannon          | asepvalueupdate
           |             |                 | channelversionrequired
           |             |                 | dnsrequest
           |             |                 | endofprocess
           |             |                 | neighborlistip4
           |             |                 | networkconnectip4
           |             |                 | other
           |             |                 | processrollup2
           |             |                 | processrollup2stats
           |             |                 | sensorheartbeat
           |             |                 | syntheticprocessrollup2

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag                                            | Data table
edr.crowdstrike.falconstreaming.incidents      | edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.cannon                         | edr.crowdstrike.cannon
edr.crowdstrike.cannon.asepvalueupdate         | edr.crowdstrike.cannon.asepvalueupdate
edr.crowdstrike.cannon.channelversionrequired  | edr.crowdstrike.cannon.channelversionrequired
edr.crowdstrike.cannon.dnsrequest              | edr.crowdstrike.cannon.dnsrequest
edr.crowdstrike.cannon.endofprocess            | edr.crowdstrike.cannon.endofprocess
edr.crowdstrike.cannon.neighborlistip4         | edr.crowdstrike.cannon.neighborlistip4
edr.crowdstrike.cannon.networkconnectip4       | edr.crowdstrike.cannon.networkconnectip4
edr.crowdstrike.cannon.other                   | edr.crowdstrike.cannon.other
edr.crowdstrike.cannon.processrollup2          | edr.crowdstrike.cannon.processrollup2
edr.crowdstrike.cannon.processrollup2stats     | edr.crowdstrike.cannon.processrollup2stats
edr.crowdstrike.cannon.sensorheartbeat         | edr.crowdstrike.cannon.sensorheartbeat
edr.crowdstrike.cannon.syntheticprocessrollup2 | edr.crowdstrike.cannon.syntheticprocessrollup2

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Get in touch with us to start sending your data to the Devo platform.

For Falcon Streaming, follow these instructions:

Get in touch with us to download the collector. Devo's CrowdStrike Falcon Streaming Collector collects audit and detection data.

This collector does the following:

  • Authenticates with the Falcon Streaming API.

  • Discovers available streams.

  • Creates a long-running stream connection to available streams.

  • As events come in, they are shipped into the Devo domain.

  • After an event is shipped to Devo, the offset id is saved to the state store to resume from the same point if stopped.
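As an added illustration of the offset checkpointing described above (example code written for this page, not Devo's collector), the sketch below replays a constructed newline-delimited feed, ships each event under the edr.crowdstrike.falconstreaming.incidents tag, saves the offset only after delivery, and shows that a restart resumes from the saved point without re-sending what was already delivered. The feed layout (a metadata.offset field per event) and the in-memory state store are assumptions.

```python
import json

TAG = "edr.crowdstrike.falconstreaming.incidents"

# Constructed sample feed (not captured from a real tenant): newline-delimited
# JSON, one event per line, each carrying an increasing metadata.offset (assumed layout).
SAMPLE_FEED = "\n".join(json.dumps(e) for e in [
    {"metadata": {"offset": 101}, "event": {"IncidentId": "inc-1"}},
    {"metadata": {"offset": 102}, "event": {"IncidentId": "inc-2"}},
    {"metadata": {"offset": 103}, "event": {"IncidentId": "inc-3"}},
    {"metadata": {"offset": 104}, "event": {"IncidentId": "inc-4"}},
])

def run_collector(feed: str, state: dict, ship) -> int:
    """Ship every event past the saved offset; return how many were sent.
    `state` stands in for the state store. The offset is written only after
    `ship` returns, so a crash between the two re-sends that one event on
    restart (at-least-once) but never skips one."""
    last = state.get("offset", -1)
    shipped = 0
    for line in feed.splitlines():
        if not line.strip():
            continue                      # ignore keep-alive blank lines
        ev = json.loads(line)
        offset = ev["metadata"]["offset"]
        if offset <= last:
            continue                      # delivered before the restart
        ship(TAG, ev)
        state["offset"] = offset          # checkpoint after delivery only
        last = offset
        shipped += 1
    return shipped

def simulate_restart() -> list:
    """First run dies while shipping inc-3; second run resumes after 102."""
    delivered = []
    state = {}
    fail_once = {"armed": True}
    def flaky_ship(tag: str, ev: dict) -> None:
        if ev["event"]["IncidentId"] == "inc-3" and fail_once["armed"]:
            fail_once["armed"] = False
            raise RuntimeError("transport failure")
        delivered.append(ev["event"]["IncidentId"])
    try:
        run_collector(SAMPLE_FEED, state, flaky_ship)
    except RuntimeError:
        pass                              # stopped with offset 102 saved
    run_collector(SAMPLE_FEED, state, flaky_ship)  # resumes, no duplicates
    return delivered
```

Because the checkpoint is written after delivery, the receiving table must tolerate an occasional duplicate of the last event shipped before a crash.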

Setup

  1. Obtain access to the CrowdStrike API and acquire a client_id and client_secret for use.

    1. The API scope necessary for the client is “Event Streams”.

      1. If you have errors discovering streams, check that this is added to the API role.

  2. Add the CrowdStrike Falcon Streaming Collector to your domain and set your client_id and client_secret in the collector's parameters JSON.

  3. Done! Once the collector is added and running, you will see your falcon data in the edr.crowdstrike.falconstreaming table.

Error/Troubleshooting

  • You get error (401) discovering streams - access denied, invalid bearer token.

    • The URL Endpoint may not be correct. The default api_url setting is api.crowdstrike.com, but your customer may be configured with a different endpoint such as api.us-2.crowdstrike.com.

      • Update the api_url parameter and try again.

  • You get another error (not 401) regarding discovering streams.

    • Check that “Event Streams” is part of the API scope for the credentials provided.