Crowdstrike
Scanner supports Crowdstrike log events that Falcon Data Replicator exports to S3. These logs contain endpoint, cloud workload, and identity data from the Crowdstrike product ecosystem. For Scanner to see these logs, configure Crowdstrike Falcon Data Replicator to publish them to S3 as described below.
Step 1: Publish to S3
Within Crowdstrike Falcon, navigate to Support and resources and select Falcon Data Replicator. If this option is not available, you may need to talk with your Crowdstrike support team to enable Falcon Data Replicator.
This is a two-part setup. First, configure Falcon Data Replicator to push logs to a new S3 bucket hosted in Crowdstrike's AWS account. Second, configure replication from that Crowdstrike-owned S3 bucket to an S3 bucket in your own account.
You can follow Crowdstrike's documentation about Falcon Data Replicator to accomplish this. You may also want to use Crowdstrike's FDR project on GitHub to replicate the logs to your own S3 bucket.
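The replication half of Step 1, as an added Python sketch that is not Scanner's code and not Crowdstrike's FDR project: it consumes the SQS notifications FDR emits, copies every object a notification lists from Crowdstrike's bucket into yours, and deletes the message only once all of its files have landed. The notification field names (files, fileCount, totalSize, bucket, pathPrefix), the sample bucket and prefix values, and the boto3-style client interfaces are assumptions; check them against what your FDR queue actually delivers.

```python
import json
from typing import Any

# Constructed sample of an FDR SQS notification (assumed shape; bucket and cid are placeholders).
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "EXAMPLE_CID", "timestamp": 1700000000000, "fileCount": 2, "totalSize": 3072,
    "bucket": "crowdstrike-source-bucket-placeholder",
    "pathPrefix": "data/EXAMPLE_CID/1700000000000-abc",
    "files": [
        {"path": "data/EXAMPLE_CID/1700000000000-abc/part-00000.gz", "size": 2048, "checksum": "x"},
        {"path": "data/EXAMPLE_CID/1700000000000-abc/part-00001.gz", "size": 1024, "checksum": "y"},
    ],
})


def plan_copies(notification_json: str, dest_prefix: str = "crowdstrike/fdr") -> list[tuple[str, str, str]]:
    """Turn one FDR notification into (source_bucket, source_key, dest_key) triples.

    Refuses a message whose file list disagrees with its own fileCount/totalSize,
    or that names an object outside pathPrefix, so a malformed notification is
    surfaced rather than partially replicated.
    """
    msg = json.loads(notification_json)
    files = msg["files"]
    if len(files) != msg["fileCount"] or sum(f["size"] for f in files) != msg["totalSize"]:
        raise ValueError("file list does not match fileCount/totalSize")
    plan = []
    for f in files:
        key = f["path"]
        if not key.startswith(msg["pathPrefix"] + "/") or ".." in key.split("/"):
            raise ValueError(f"object key outside pathPrefix: {key}")
        plan.append((msg["bucket"], key, f"{dest_prefix}/{key}"))
    return plan


def replicate_once(sqs: Any, src_s3: Any, dst_s3: Any, queue_url: str, dest_bucket: str) -> int:
    """Process one SQS batch. src_s3 uses the FDR-issued credentials, dst_s3 your own.

    A message is deleted only after every object it lists has been written, so a
    crash mid-batch leaves the message to be redelivered instead of silently lost.
    Returns the number of objects copied.
    """
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=10)
    copied = 0
    for m in resp.get("Messages", []):
        for src_bucket, src_key, dest_key in plan_copies(m["Body"]):
            # Whole-object read keeps the sketch short; stream large .gz parts in production.
            body = src_s3.get_object(Bucket=src_bucket, Key=src_key)["Body"].read()
            dst_s3.put_object(Bucket=dest_bucket, Key=dest_key, Body=body)
            copied += 1
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
    return copied
```

Wire it up with boto3 clients: an SQS client and an S3 client built from the credentials FDR issues for the queue and source bucket, and a second S3 client from your own account for dest_bucket.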
Step 2: Ingest via Scanner Collect
Follow the instructions here to ingest logs from S3 via Scanner Collect.