CrowdStrike Falcon Data Replicator
The CrowdStrike Falcon Data Replicator (FDR) source differs from other S3 sources. Instead of you creating a bucket and an IAM role, CrowdStrike provisions the bucket, the notification queue, and the credentials on its side and hands the details to you.
The information you'll need to obtain from CrowdStrike is:
- AWS Access Key ID - A standard AWS access key ID. CrowdStrike issues it, and it is what authenticates RunReveal to the bucket and queue that hold your CrowdStrike data.
- AWS Secret Access Key - The secret half of that key pair. It is a long-lived static credential that grants read access to your endpoint telemetry, so store it in a secrets manager and regenerate it through CrowdStrike if it is ever exposed.
- SQS Queue URL - The queue CrowdStrike publishes a message to each time a new batch of data is written to the bucket. RunReveal polls this queue to learn that new CrowdStrike data is available to be read.
- S3 URL - The CrowdStrike-managed bucket that RunReveal reads your CrowdStrike data from.
- Region - The AWS region the S3 bucket lives in.
All five values are required for the FDR source to work properly. Once you provide them and create the source, your CrowdStrike data should begin flowing into RunReveal immediately.
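The following is an added example, not RunReveal or CrowdStrike code, showing what the five values above are used for: it checks that they are consistent with each other, then walks one SQS notification to the S3 objects it announces and decodes the events in them. The settings are placeholders (AWS's published example key ID and secret, made-up bucket and queue names). The notification field names (`bucket`, `fileCount`, `files[].path`) and the gzip-compressed, one-JSON-event-per-line object format are assumptions about the FDR feed; confirm them against a real message from your own queue. S3 access is abstracted behind a `fetch(bucket, key)` callable so the script runs offline; in production that would be an S3 GetObject call.

```python
"""Sanity-check FDR source settings and consume one FDR notification offline."""
import gzip
import json
import re
from typing import Callable
from urllib.parse import urlparse

# Constructed settings in the shape CrowdStrike hands out. The key ID and secret
# are AWS's documented placeholder values, not real credentials; the bucket and
# queue names are made up for this example.
FDR_SETTINGS = {
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "sqs_queue_url": "https://sqs.us-west-1.amazonaws.com/123456789012/example-fdr-queue",
    "s3_url": "s3://example-fdr-bucket",
    "region": "us-west-1",
}
REQUIRED = ("aws_access_key_id", "aws_secret_access_key", "sqs_queue_url", "s3_url", "region")


def validate_settings(settings: dict) -> list[str]:
    """Return a list of problems; an empty list means the five values look consistent."""
    problems = [f"missing {k}" for k in REQUIRED if not settings.get(k)]
    if problems:
        return problems
    if not re.fullmatch(r"(AKIA|ASIA)[A-Z0-9]{16}", settings["aws_access_key_id"]):
        problems.append("aws_access_key_id is not in AWS access key ID format")
    s3 = urlparse(settings["s3_url"])
    if s3.scheme != "s3" or not s3.netloc:
        problems.append("s3_url must look like s3://bucket-name")
    sqs = urlparse(settings["sqs_queue_url"])
    host = re.fullmatch(r"sqs\.([a-z0-9-]+)\.amazonaws\.com", sqs.netloc)
    if sqs.scheme != "https" or not host or len(sqs.path.strip("/").split("/")) != 2:
        problems.append("sqs_queue_url must look like https://sqs.<region>.amazonaws.com/<account>/<queue>")
    elif host.group(1) != settings["region"]:
        # Assumption: the FDR queue lives in the same region as the bucket, so a
        # mismatch almost always means one of the two fields was pasted wrong.
        problems.append(f"sqs_queue_url region {host.group(1)} != region {settings['region']}")
    return problems


def plan_downloads(message_body: str, settings: dict) -> list[tuple[str, str]]:
    """Turn one FDR SQS notification into the (bucket, key) pairs to read."""
    note = json.loads(message_body)
    expected_bucket = urlparse(settings["s3_url"]).netloc
    if note.get("bucket") != expected_bucket:
        # Never follow a notification into a bucket other than the one CrowdStrike gave you.
        raise ValueError(f"notification points at bucket {note.get('bucket')!r}, expected {expected_bucket!r}")
    files = note.get("files", [])
    if note.get("fileCount") is not None and note["fileCount"] != len(files):
        raise ValueError("fileCount does not match the number of files listed")
    return [(expected_bucket, f["path"]) for f in files]


def parse_events(blob: bytes) -> list[dict]:
    """Decode one FDR object: gzip-compressed, one JSON event per line (assumed format)."""
    return [json.loads(line) for line in gzip.decompress(blob).decode("utf-8").splitlines() if line.strip()]


def process_notification(message_body: str, settings: dict, fetch: Callable[[str, str], bytes]) -> list[dict]:
    """Read every object the notification lists and return all of their events.

    Delete the SQS message only after this returns without raising, so a failed
    download is retried when the message becomes visible again.
    """
    events: list[dict] = []
    for bucket, key in plan_downloads(message_body, settings):
        events.extend(parse_events(fetch(bucket, key)))
    return events


# Constructed sample data: two objects and the notification announcing them.
SAMPLE_OBJECTS = {
    "data/abc123/part-00000.gz": gzip.compress(b"\n".join(json.dumps(e).encode() for e in [
        {"event_simpleName": "ProcessRollup2", "aid": "0123456789abcdef", "timestamp": "1700000000000"},
        {"event_simpleName": "DnsRequest", "aid": "0123456789abcdef", "timestamp": "1700000001000"},
    ])),
    "data/abc123/part-00001.gz": gzip.compress(
        json.dumps({"event_simpleName": "NetworkConnectIP4", "aid": "fedcba9876543210"}).encode()),
}
SAMPLE_NOTIFICATION = json.dumps({
    "bucket": "example-fdr-bucket",
    "pathPrefix": "data/abc123/",
    "fileCount": 2,
    "files": [{"path": k, "size": len(v)} for k, v in SAMPLE_OBJECTS.items()],
})


def fake_fetch(bucket: str, key: str) -> bytes:
    """Offline stand-in for an S3 GetObject call."""
    return SAMPLE_OBJECTS[key]


if __name__ == "__main__":
    print("settings problems:", validate_settings(FDR_SETTINGS))
    for ev in process_notification(SAMPLE_NOTIFICATION, FDR_SETTINGS, fake_fetch):
        print(ev["event_simpleName"], ev["aid"])
```

The bucket check in `plan_downloads` is the one worth keeping in any real consumer: the notification tells you where to read, and a message that names a different bucket should be treated as a fault, not followed.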
Querying your CrowdStrike Data
Your CrowdStrike data is available in a few different places in RunReveal:
- crowdstrike_aidmaster_logs - Basic host data collected from CrowdStrike.
- crowdstrike_data_logs - Raw data from your CrowdStrike sensors.
- crowdstrike_managed_logs - Information collected from managed assets.
Additionally, all CrowdStrike data is available in the logs table with the sourceType of crowdstrike-fdr.