Validate the CrowdStrike Intelligence collector

If the “Event streams” scope in CrowdStrike and the “estream” service in the Devo collector are enabled, log into the CrowdStrike web app: the login generates an event stream entry that should arrive in Devo:


To generate a report on the services running, use this query:

from devo.collectors.out
where toktains(msg, "in period interval [") or toktains(msg, "The current token does not have access rights"),
      toktains(collector_image, "crowdstrike_api_resources_if:")
select ifthenelse(
         isnotnull(int(split(split(msg, "Found [", 1), "]", 0))),
         int(split(split(msg, "Found [", 1), "]", 0)),
         0
       ) as number
where isnotnull(module_name)
group by hostname, collector_name, module_name,
         toktains(msg, "The current token does not have access rights") as scope_disabled
select sum(number) as indicators_found

If the scope_disabled field is true for a module, the token lacks the required scope: enable that scope in CrowdStrike. If indicators_found is greater than zero, the service is working. If indicators_found is zero and scope_disabled is false, that usually means CrowdStrike had no new information to provide for the time range you queried, not that the collector is broken.
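The same check can be reproduced offline against exported rows of devo.collectors.out, for example when triaging a collector without query access. This is an added example, not Devo's or CrowdStrike's code; the sample rows are constructed, the field names are those used in the query above, and a plain substring match stands in for toktains.

```python
import re
from collections import defaultdict

# Constructed rows shaped like devo.collectors.out records (not real collector output).
SAMPLE_ROWS = [
    {"hostname": "col-01", "collector_name": "crowdstrike", "module_name": "indicators",
     "collector_image": "crowdstrike_api_resources_if:1.0.0",
     "msg": "Found [12] indicators in period interval [2025-03-10T16:00, 2025-03-10T17:00]"},
    {"hostname": "col-01", "collector_name": "crowdstrike", "module_name": "indicators",
     "collector_image": "crowdstrike_api_resources_if:1.0.0",
     "msg": "Found [3] indicators in period interval [2025-03-10T17:00, 2025-03-10T18:00]"},
    {"hostname": "col-01", "collector_name": "crowdstrike", "module_name": "actors",
     "collector_image": "crowdstrike_api_resources_if:1.0.0",
     "msg": "The current token does not have access rights for this resource"},
    {"hostname": "col-01", "collector_name": "crowdstrike", "module_name": "reports",
     "collector_image": "crowdstrike_api_resources_if:1.0.0",
     "msg": "Found [0] reports in period interval [2025-03-10T16:00, 2025-03-10T17:00]"},
    # Excluded by the query: wrong image, and a row with no module_name.
    {"hostname": "col-02", "collector_name": "other", "module_name": "x",
     "collector_image": "other_collector_if:2.0.0", "msg": "Found [99] in period interval [a, b]"},
    {"hostname": "col-01", "collector_name": "crowdstrike", "module_name": None,
     "collector_image": "crowdstrike_api_resources_if:1.0.0", "msg": "Found [7] in period interval [a, b]"},
]

# Mirrors int(split(split(msg, "Found [", 1), "]", 0)); a non-numeric value yields 0 as in ifthenelse.
FOUND_RE = re.compile(r"Found \[(\d+)\]")
SCOPE_ERR = "The current token does not have access rights"

def indicators_found(rows):
    """Return {(hostname, collector_name, module_name, scope_disabled): sum of 'Found [N]'}."""
    totals = defaultdict(int)
    for row in rows:
        msg = row.get("msg", "")
        if "crowdstrike_api_resources_if:" not in row.get("collector_image", ""):
            continue                                  # only the CrowdStrike collector image
        scope_disabled = SCOPE_ERR in msg
        if not ("in period interval [" in msg or scope_disabled):
            continue                                  # first where clause of the query
        if row.get("module_name") is None:
            continue                                  # second where clause: isnotnull(module_name)
        match = FOUND_RE.search(msg)
        key = (row["hostname"], row["collector_name"], row["module_name"], scope_disabled)
        totals[key] += int(match.group(1)) if match else 0
    return dict(totals)

def verdict(groups):
    """Apply the page's reading of the result to each (host, collector, module, scope_disabled) group."""
    out = {}
    for key, total in groups.items():
        if key[3]:
            out[key] = "scope disabled: enable it in CrowdStrike"
        else:
            out[key] = "working" if total > 0 else "no indicators in range"
    return out
```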
