CrowdStrike Falcon Data Replicator

The CrowdStrike Falcon Data Replicator (FDR) source is different from other S3 sources. Instead of you configuring a bucket and a role yourself, CrowdStrike provides all of this configuration and information for you.

The information you'll need to provide from CrowdStrike is:

  1. AWS Access Key ID - A standard AWS access key, provided by CrowdStrike, that authenticates you to your CrowdStrike data.
  2. AWS Secret Access Key - The secret key associated with your AWS Access Key ID.
  3. SQS Queue URL - This queue URL provides RunReveal with notifications that new CrowdStrike data is available to be read.
  4. S3 URL - The bucket that RunReveal will read your CrowdStrike data from.
  5. Region - The AWS region in which your S3 bucket is located.

All five values are required for the FDR source to work properly. Once they are provided and the source is created, your CrowdStrike data should begin flowing into RunReveal immediately.
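The five settings above describe one pipeline: an SQS queue announces new objects, and those objects are read from the S3 bucket CrowdStrike assigned to you. The script below is an added example, not RunReveal's or CrowdStrike's code. It checks that the five values are consistent with each other (the region embedded in the queue URL must match the Region setting, and the S3 URL must name a bucket) and shows how a notification is turned into the S3 objects to fetch, refusing objects from any bucket other than the configured one. The notification shape (bucket, pathPrefix, files[].path) is assumed to follow the common FDR layout, and every sample value is constructed.

```python
"""Added example (not RunReveal's or CrowdStrike's code): sanity-check the five FDR
settings and turn one FDR SQS notification into the S3 objects to fetch.

Assumptions, labelled: the notification body shape (bucket / pathPrefix / files[].path)
is the common CrowdStrike FDR layout; every sample value below is constructed.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample configuration; none of these values are real.
SAMPLE_CONFIG = {
    "aws_access_key_id": "AKIAEXAMPLEEXAMPLE12",
    "aws_secret_access_key": "example-secret-key/REPLACE+ME",
    "sqs_queue_url": "https://sqs.us-west-1.amazonaws.com/123456789012/cs-example-fdr-queue",
    "s3_url": "s3://cs-example-fdr-bucket",
    "region": "us-west-1",
}

# Constructed FDR-style notification body as it would arrive from the SQS queue.
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "0123456789abcdef0123456789abcdef",
    "timestamp": 1700000000000,
    "fileCount": 2,
    "totalSize": 2048,
    "bucket": "cs-example-fdr-bucket",
    "pathPrefix": "data/00000000-0000-0000-0000-000000000000",
    "files": [
        {"path": "data/00000000-0000-0000-0000-000000000000/part-00000.gz", "size": 1024, "checksum": "deadbeef"},
        {"path": "data/00000000-0000-0000-0000-000000000000/part-00001.gz", "size": 1024, "checksum": "cafebabe"},
    ],
})

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "sqs_queue_url", "s3_url", "region")


def bucket_from_s3_url(s3_url):
    """Accept 's3://bucket', 's3://bucket/prefix' or a bare bucket name; return the bucket."""
    parsed = urlparse(s3_url)
    if parsed.scheme == "s3":
        return parsed.netloc
    if parsed.scheme == "":
        return s3_url.split("/", 1)[0]
    return ""


def region_from_sqs_url(queue_url):
    """Extract <region> from https://sqs.<region>.amazonaws.com/<account>/<name>, or '' if malformed."""
    parsed = urlparse(queue_url)
    host = parsed.netloc.split(".")
    if parsed.scheme != "https" or len(host) < 4 or host[0] != "sqs":
        return ""
    return host[1]


def validate_fdr_config(cfg):
    """Return a list of problems; an empty list means the five settings are present and consistent."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if not cfg.get(k)]
    if problems:
        return problems
    if not re.fullmatch(r"[A-Z0-9]{16,128}", cfg["aws_access_key_id"]):
        problems.append("access key id does not look like an AWS access key id")
    if not bucket_from_s3_url(cfg["s3_url"]):
        problems.append("s3 url must be s3://bucket or a bare bucket name")
    queue_region = region_from_sqs_url(cfg["sqs_queue_url"])
    if not queue_region:
        problems.append("sqs queue url must be https://sqs.<region>.amazonaws.com/<account>/<name>")
    elif queue_region != cfg["region"]:
        problems.append(f"region {cfg['region']} does not match queue region {queue_region}")
    return problems


def objects_from_notification(body, cfg):
    """Parse one SQS message body into (bucket, key) pairs to fetch.

    Objects are accepted only from the bucket configured for the source and only
    under the notification's own pathPrefix, so a message naming another bucket or
    an odd path is rejected instead of fetched.
    """
    msg = json.loads(body)
    expected = bucket_from_s3_url(cfg["s3_url"])
    if msg.get("bucket") != expected:
        raise ValueError(f"notification bucket {msg.get('bucket')!r} != configured {expected!r}")
    prefix = msg.get("pathPrefix", "")
    keys = []
    for f in msg.get("files", []):
        path = f["path"]
        if not path.startswith(prefix) or ".." in path.split("/"):
            raise ValueError(f"unexpected object path {path!r}")
        keys.append((expected, path))
    return keys


if __name__ == "__main__":
    print("config problems:", validate_fdr_config(SAMPLE_CONFIG))
    for bucket, key in objects_from_notification(SAMPLE_NOTIFICATION, SAMPLE_CONFIG):
        print(f"s3://{bucket}/{key}")
```

Run it as-is to see the constructed notification resolve to two object keys in the configured bucket; swapping the region or bucket in SAMPLE_CONFIG shows the mismatch being caught before any credentials are used.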

Querying your CrowdStrike Data

Your CrowdStrike data will be available in a few different places in RunReveal:

  • crowdstrike_aidmaster_logs -- Basic host data collected from CrowdStrike.
  • crowdstrike_data_logs -- Contains raw data from your CrowdStrike sensors.
  • crowdstrike_managed_logs -- Information collected from managed assets.

Additionally, all CrowdStrike data is available in the logs table with a sourceType of crowdstrike-fdr.