CrowdStrike Falcon Data Replicator
CrowdStrike Falcon Data Replicator is a tool designed to facilitate the integration and export of endpoint telemetry and threat data from the CrowdStrike Falcon platform to external storage solutions or SIEM systems. It captures critical security events, alerts, and activity logs generated by the Falcon agents, allowing organizations to analyze and correlate data for enhanced threat detection, incident response, and compliance reporting.
Setup
The CrowdStrike Falcon Data Replicator source differs from other S3 sources. Instead of configuring your own bucket and IAM role, CrowdStrike provides all of this configuration and information for you.
The information you'll need to provide from CrowdStrike is:
- AWS Access Key ID - This is a normal AWS Access Key, and it's provided by CrowdStrike to authenticate to your CrowdStrike data.
- AWS Secret Access Key - The secret key associated with your AWS Access Key ID.
- SQS Queue URL - This queue URL provides RunReveal with notifications that new CrowdStrike data is available to be read.
- Region - The region your S3 bucket calls home.
All of this information is required for the FDR source to work properly. Once provided and the source is created, your CrowdStrike data should begin flowing to RunReveal immediately.
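To make concrete what the four values above are used for, here is an added example (not RunReveal's or CrowdStrike's code) of the consumer side of Falcon Data Replicator: poll the SQS queue URL, download the S3 objects each notification announces using the CrowdStrike-issued access key, and verify each object's size and checksum before treating it as ingested. The notification layout (bucket, files[].path/size/checksum), the gzip-compressed newline-delimited JSON file contents, the boto3 calls, and every sample value (bucket name, object key, events) are assumptions or constructed data; the page states none of them.

```python
# Added example (not RunReveal's or CrowdStrike's code): what a Falcon Data
# Replicator consumer does with the SQS queue URL, region and key pair.
# ASSUMPTION: the notification body layout (bucket, files[].path/size/checksum)
# and the gzip-compressed newline-delimited JSON object format follow the
# public FDR sample consumer; nothing on this page states them.
import gzip
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

Fetcher = Callable[[str, str], bytes]  # (bucket, key) -> raw object body


@dataclass(frozen=True)
class FdrFile:
    bucket: str
    key: str
    size: int
    checksum: str  # assumed: hex MD5 of the object body


def md5_hex(data: bytes) -> str:
    # MD5 is used here only as an integrity check against the announced value.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def parse_notification(body: str) -> list[FdrFile]:
    """Extract the S3 objects announced by one SQS message body."""
    msg = json.loads(body)
    bucket = msg["bucket"]
    return [FdrFile(bucket, f["path"], int(f["size"]), f["checksum"]) for f in msg["files"]]


def fetch_verified(f: FdrFile, fetch: Fetcher) -> list[dict]:
    """Download one announced object, check size and checksum, return its events.

    A mismatch raises instead of silently ingesting a partial or altered file;
    the caller then leaves the SQS message in place so it is retried later.
    """
    body = fetch(f.bucket, f.key)
    if len(body) != f.size:
        raise ValueError(f"{f.key}: size {len(body)} != announced {f.size}")
    digest = md5_hex(body)
    if digest != f.checksum:
        raise ValueError(f"{f.key}: checksum {digest} != announced {f.checksum}")
    text = gzip.decompress(body).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def drain_queue(sqs, queue_url: str, fetch: Fetcher, max_messages: int = 10) -> int:
    """Process one batch of notifications; delete a message only after its files are ingested."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=max_messages, WaitTimeSeconds=10)
    ingested = 0
    for m in resp.get("Messages", []):
        for f in parse_notification(m["Body"]):
            events = fetch_verified(f, fetch)
            ingested += len(events)  # a real consumer forwards the events onward here
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
    return ingested


def s3_fetcher(region: str, access_key_id: str, secret_access_key: str) -> Fetcher:
    """Build a fetcher from the CrowdStrike-issued key pair (boto3 imported lazily, live runs only)."""
    import boto3
    s3 = boto3.client("s3", region_name=region, aws_access_key_id=access_key_id,
                      aws_secret_access_key=secret_access_key)
    return lambda bucket, key: s3.get_object(Bucket=bucket, Key=key)["Body"].read()


# --- constructed sample data so the example runs offline --------------------
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "0000aaaa", "timestamp": "1700000000000"},
    {"event_simpleName": "DnsRequest", "aid": "0000aaaa", "timestamp": "1700000001000"},
]
SAMPLE_BODY = gzip.compress("\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode())
SAMPLE_BUCKET = "example-fdr-bucket"          # constructed
SAMPLE_KEY = "data/example-cid/part-00000.gz"  # constructed
SAMPLE_NOTIFICATION = json.dumps({
    "bucket": SAMPLE_BUCKET,
    "files": [{"path": SAMPLE_KEY, "size": len(SAMPLE_BODY), "checksum": md5_hex(SAMPLE_BODY)}],
})


class FakeSqs:
    """Stand-in for a boto3 SQS client that holds the constructed notification."""
    def __init__(self, bodies):
        self.pending = [{"Body": b, "ReceiptHandle": f"rh-{i}"} for i, b in enumerate(bodies)]
        self.deleted = []

    def receive_message(self, **_kw):
        return {"Messages": self.pending}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.deleted.append(ReceiptHandle)


def run_sample() -> int:
    """Drain one constructed notification from a fake queue; returns events ingested."""
    store = {(SAMPLE_BUCKET, SAMPLE_KEY): SAMPLE_BODY}
    return drain_queue(FakeSqs([SAMPLE_NOTIFICATION]), "https://sqs.example/queue", lambda b, k: store[(b, k)])


def tampered_is_rejected() -> bool:
    """A body that no longer matches the announced size/checksum must be refused."""
    f = parse_notification(SAMPLE_NOTIFICATION)[0]
    try:
        fetch_verified(f, lambda b, k: SAMPLE_BODY + b"\x00")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("events ingested:", run_sample(), "tampered rejected:", tampered_is_rejected())
```

Two points worth noticing: the message is deleted from the queue only after every announced object has been fetched and verified, so a transient S3 failure is retried rather than lost; and the access key CrowdStrike hands you should only ever be able to read this bucket and this queue, which is why the example never needs any other AWS permission.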
Querying your CrowdStrike Data
Your CrowdStrike data will be available in a few different places in RunReveal:
- crowdstrike_aidmaster_logs - Basic host data collected from CrowdStrike.
- crowdstrike_data_logs - Contains raw data from your CrowdStrike sensors.
- crowdstrike_managed_logs - Information collected from managed assets.
Additionally, all CrowdStrike data is available in the logs table with the sourceType of crowdstrike-fdr.