Crowdstrike

Scanner supports Crowdstrike log events that are exported by Falcon Data Replicator to S3. These logs contain endpoint, cloud workload, and identity data from the Crowdstrike product ecosystem. For Scanner to see these logs, configure Crowdstrike Falcon Data Replicator to publish them to S3.

Step 1: Publish to S3

Within Crowdstrike Falcon, navigate to Support and resources and select Falcon Data Replicator. If this option is not available, you may need to talk with your Crowdstrike support team to enable Falcon Data Replicator.

Replication happens in two stages. First, configure Falcon Data Replicator to push logs to a new S3 bucket hosted in Crowdstrike's AWS account. Second, replicate the data from Crowdstrike's S3 bucket to an S3 bucket in your own account.

You can follow Crowdstrike's documentation about Falcon Data Replicator to accomplish this. You may also want to use Crowdstrike's FDR project on GitHub to replicate the logs to your own S3 bucket.
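The second stage above (copying each batch that Falcon Data Replicator lands in Crowdstrike's bucket into your own) is the part most teams end up scripting. The example below is added here and is not Scanner's code nor the FDR project's; it assumes the FDR notification format as described in its comments (bucket, pathPrefix, fileCount, files[].path and size fields), uses placeholder bucket, customer id and key names, and relies on boto3 only inside the live polling function so the validation and copy logic can run offline against an in-memory stand-in. The point it adds is defensive: the consumer only copies keys that sit in the bucket it was configured for and under the message's own pathPrefix, and it refuses objects whose size does not match the notification, so a malformed message cannot steer it at arbitrary objects.

```python
import io
import json
from dataclasses import dataclass
from typing import Iterable

# Constructed placeholders: not a real Crowdstrike bucket or customer id.
SRC_BUCKET = "cs-example-fdr-bucket"
PATH_PREFIX = "data/cid-placeholder/1700000000000-abc"

# Constructed sample of one FDR SQS notification. The field names (bucket,
# pathPrefix, fileCount, files[].path / size) follow the FDR notification
# format as this example assumes it; confirm them against a real message.
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "cid-placeholder",
    "timestamp": 1700000000000,
    "fileCount": 2,
    "bucket": SRC_BUCKET,
    "pathPrefix": PATH_PREFIX,
    "files": [
        {"path": PATH_PREFIX + "/part-00000.gz", "size": 10},
        {"path": PATH_PREFIX + "/part-00001.gz", "size": 7},
    ],
})


@dataclass(frozen=True)
class FdrFile:
    bucket: str
    key: str
    size: int


class NotificationError(ValueError):
    """Raised for messages that fail validation; they are left on the queue."""


def parse_notification(body: str, expected_bucket: str) -> list[FdrFile]:
    """Validate one FDR message and list the objects it announces.

    Only keys in the bucket this consumer was configured for, under the
    message's own pathPrefix, are accepted, so a malformed or forged message
    cannot steer the replicator at arbitrary objects.
    """
    msg = json.loads(body)
    if msg.get("bucket") != expected_bucket:
        raise NotificationError(f"unexpected source bucket {msg.get('bucket')!r}")
    prefix = msg.get("pathPrefix")
    if not isinstance(prefix, str) or not prefix or ".." in prefix:
        raise NotificationError("missing or suspicious pathPrefix")
    files = []
    for entry in msg.get("files", []):
        key, size = entry.get("path"), entry.get("size")
        if not isinstance(key, str) or not key.startswith(prefix.rstrip("/") + "/"):
            raise NotificationError(f"path {key!r} is outside pathPrefix")
        if not isinstance(size, int) or size < 0:
            raise NotificationError(f"bad size for {key!r}")
        files.append(FdrFile(expected_bucket, key, size))
    if msg.get("fileCount", len(files)) != len(files):
        raise NotificationError("fileCount does not match the files list")
    return files


def replicate(files: Iterable[FdrFile], src, dst, dest_bucket: str,
              dest_prefix: str = "crowdstrike/fdr/") -> list[str]:
    """Copy each announced object into dest_bucket; returns the keys written.

    src and dst only need get_object/put_object with boto3's keyword
    signature, so the in-memory stand-in below works for an offline run.
    """
    written = []
    for f in files:
        data = src.get_object(Bucket=f.bucket, Key=f.key)["Body"].read()
        if len(data) != f.size:  # truncated or substituted object: refuse it
            raise NotificationError(f"size mismatch for {f.key}: {len(data)} != {f.size}")
        dest_key = dest_prefix + f.key
        dst.put_object(Bucket=dest_bucket, Key=dest_key, Body=data)
        written.append(dest_key)
    return written


class MemoryS3:
    """Constructed stand-in for the two S3 calls used above (offline only)."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = bytes(Body)

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}


def demo() -> list[str]:
    """Offline run: seed a fake Crowdstrike bucket, then replicate one batch."""
    src, dst = MemoryS3(), MemoryS3()
    for entry in json.loads(SAMPLE_NOTIFICATION)["files"]:
        src.put_object(Bucket=SRC_BUCKET, Key=entry["path"], Body=b"x" * entry["size"])
    return replicate(parse_notification(SAMPLE_NOTIFICATION, SRC_BUCKET), src, dst, "my-fdr-bucket")


def run_with_aws(queue_url: str, source_bucket: str, dest_bucket: str,
                 fdr_key: str, fdr_secret: str, fdr_region: str) -> None:
    """Live loop: long-poll the FDR queue and replicate each batch.

    Assumes a key/secret scoped to Crowdstrike's queue and bucket (as the FDR
    console hands out); your own bucket is written with the default credential
    chain. boto3 is imported here so the rest of the module runs without it.
    """
    import boto3
    cs = boto3.Session(aws_access_key_id=fdr_key, aws_secret_access_key=fdr_secret,
                       region_name=fdr_region)
    sqs, src, dst = cs.client("sqs"), cs.client("s3"), boto3.client("s3")
    while True:
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=20)
        for m in resp.get("Messages", []):
            try:
                replicate(parse_notification(m["Body"], source_bucket), src, dst, dest_bucket)
            except NotificationError as exc:
                print(f"leaving message {m['MessageId']} on the queue: {exc}")
                continue  # do not delete: let it surface via the queue's dead-letter policy
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
```

Run `demo()` to see the destination keys the sample batch produces. In production, pair the queue with a dead-letter queue so rejected messages are visible rather than silently retried, and point Scanner Collect at the `dest_prefix` in your own bucket; the `crowdstrike/fdr/` prefix is this example's choice, not anything Scanner requires.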

Step 2: Ingest via Scanner Collect

Follow the instructions here to ingest logs from S3 via Scanner Collect.
