The CrowdStrike Falcon platform is a powerful solution that includes EDR (Endpoint Detection and Response), next-generation anti-virus, and device control for endpoints. It also provides a whole host of other operational capabilities across IT operations and security including Threat Intelligence. The CrowdStrike API is managed from the CrowdStrike Falcon UI by the Falcon Administrator. From there, multiple API clients can be defined along with their required scope
Crowdstrike is one of the top data sources for Devo customers and prospects alike, so would encourage new customers to use this one, and existing ones to transition to this one soon.
Data source description
Data Source
Subtype
Table
Service
End Point
Description
Available from release
Hosts
-
edr.crowdstrike.falconstreaming.agents
hosts
Listing: {base_url}/devices/queries/devices/v1
Details: {base_url}/devices/entities/devices/v2
Check the {base_url} in the config parameters details for further information.
Hosts are endpoints that run the Falcon sensor. You can get information and details about these agents.
Check the {base_url} in the config parameters details for further information.
Collect data about changes to files, folders, and registries with Falcon FileVantage APIs. Store this data to help you meet certain compliance recommendations and requirements as listed in the Sarbanes–Oxley Act, National Institute for Standards and Technology (NIST), Health Insurance Portability and Accountability Act (HIPAA), and others.
The endpoints are dynamically generated by following this (simplified) approach:
Once an authentication token has been obtained, a request to {base_url}/sensors/entities/datafeed/v2 is performed to obtain the “Data Feeds”.
Check the {base_url} in the config parameters details for further information.
Each Data Feed will contain a URL and a session token. A request to each of these URLs (along with their corresponding token) will return a streaming response in which every non-empty line represents a different event.
Every Data Feed will also contain a “refresh stream” URL, which is accessed every less than 30 minutes.
All the Data Feeds are processed in parallel. The amount of available Data Feeds depend on the CrowdStrike account’s configuration.
The Streaming API provides several types of events.
In order to configure the Devo | CrowdStrike API Resources collector, you need to create an API client that will be used to authenticate API requests.
After getting your Crowdstrike Falcon Cloud credentials, log into the CrowdStrike Falcon Cloud dashboard.
Click the three dots in the left menu bar.
Click API Clients and Keys. This will open a page to create an API client.
Click Add API Client at the top right corner. Enter a CLIENT NAME and DESCRIPTION.
Then, enable the API scopes for your new API client. Click the required Read permissions for each scope and click ADD to create the client.
Finally, copy the Client ID and Client Secret shown on the next screen. You will need these values to configure the collector.
Devo collector features
Feature
Details
Allow parallel downloading (multipod)
Not allowed
Running environments
Cloud collector, on-premise
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
API limitations
Crowdstrike does not apply limitations as long as its use is reasonable.
Change log
Release
Released on
Release type
Details
Recommendations
v1.0.0
FEATURE
New Features:
Initial release that includes the following data sources from CrowdStrike API:
Hosts
Incidents
Vulnerabilities
Behaviors
Upgrade
v1.1.0
IMPROVEMENTSVULNS
Improvements:
The underlay IFC SDK has been updated from v1.1.2 to v1.1.3.
The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.
Vulnerabilities mitigation:
All critical and high vulnerabilities have been mitigated.
Upgrade
v1.2.0
IMPROVEMENTS VULNS
Improvements:
Upgraded underlay IFC SDK v1.1.3 to v1.3.0.
The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.
When an exception is raised by the Collector Setup, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.
When an exception is raised by the Collector Pull method, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.
When an exception is raised by the Collector pre-pull method, the collector retries after 30 seconds. No maximum retries are applied.
Upgrade
v1.3.0
IMPROVEMENTSFEATURE
Improvements:
Upgraded underlay IFC SDK v1.3.0 to v1.4.0.
Updated the underlying DevoSDK package to v3.6.4 and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.
Support for stopping the collector when a GRACEFULL_SHUTDOWN system signal is received.
Re-enabled the logging to devo.collector.out for Input threads.
Improved self-kill functionality behavior.
Added more details in log traces.
Added log traces for knowing system memory usage.
New Features:
CrowdStrike Event Stream (eStream) data source is now available. This service leverages the CrowdStrike Falcon Event Streams API to obtain the customer’s DataFeed URLs and continuosly fetch events that will be ingested under the edr.crowdstrike.falconstreaming.* family of tables. For more information, check the CrowdStrike’s official documentation.
Upgrade
v1.3.1
IMPROVEMENTS
Improvements:
The RegEx validation has been updated to enforce the HTTP[S] protocol for all services when this parameter is filled in by the user.
The Event Stream (eStream) service has been updated to use the same overriding parameter for the base_url than the other previous services. This allows to the user define this only one time for all available services through override_base_url user config file.
Recommended Version
v1.4.0
IMPROVEMENTS BUG FIXING
Improvements:
Added @devo_pulling_id field.
Update the `details` endpoint to use the v2 API (due to v1 deprecation)
Bug Fixing:
Fixed a bug that prevented overriding the base URL.
Recommended Version
v1.4.2
IMPROVEMENTS
Improvements:
Updated DCSDK from 1.7.2 to 1.8.0:
Ability to validate collector setup and exit without pulling any data.
Ability to store in the persistence the messages that couldn't be sent after the collector stopped.
Ability to send messages from the persistence when the collector starts and before the puller begins working.
Ensure special characters are properly sent to the platform.
Recommended Version
v1.4.3
IMPROVEMENTS
Improvements:
New functionality, access to File Vantage API
Updated DCSDK from 1.8.0 to 1.10.2:
Upgrade internal dependencies
Store lookup instances into DevoSender to avoid creation of new instances for the same lookup
Ensure service_config is a dict into templates
Ensure special characters are properly sent to the platform
Changed log level to some messages from info to debug
Changed some wrong log messages
Upgraded some internal dependencies
Changed queue passed to setup instance constructor
Added input metrics
Modified output metrics
Updated DevoSDK to version 5.1.6
Standardized exception messages for traceability
Added more detail in queue statistics
Updated PythonSDK to version 5.0.7
Introduced pyproject.toml
Added requirements.dev.txt
Fixed error in pyproject.toml related to project scripts endpoint
