CrowdStrike API

Draco3 Posts: 6
edited June 2023 in General Discussions

I was previously using Splunk to get data via a Splunk add-on that used an API query to pull down detections from the CrowdStrike platform. We are moving away from Splunk and trying to use Cribl to get CrowdStrike data. CrowdStrike have a SIEM connector, but this requires additional infrastructure, and I am trying to see if I can use Cribl to query CrowdStrike via the API to pull this information down. Has anyone attempted or tried this? I was stuck with the client ID and key with the REST API, but I think this needs to be done separately and only use an authentication token (bearer) to make the connection.

Best Answer

  • Chris
    Chris Posts: 13 mod
    Answer ✓

    Hey there! Are you trying to get the event stream or pull events like the Data Replicator provides? I know that Cribl has a Source for connecting to the SQS queue that CrowdStrike provides for their Data Replicator feed, but it doesn't look like the Event Stream collection is native. If you are running on-prem, you can likely create a script and use the Script Collector to get this information in (much like running the TA on a heavy forwarder). The other option in my view, aside from using the SIEM connector to collect and sending to Cribl, is to continue using your Heavy Forwarder and then send that data to Cribl.
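
Added example, not part of the original thread and not CrowdStrike or Cribl code: a sketch of the two-step flow raised in the question, where the client ID and secret are exchanged once for a bearer token and only that token accompanies the detection query, written as a script a Script Collector could run. The base URL, endpoint paths, FQL filter and the `FALCON_CLIENT_ID` / `FALCON_CLIENT_SECRET` variable names are assumptions to check against your own tenant.

```python
import json, os, time, urllib.parse, urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud base URL

def http_send(req):
    """Default transport: send the request, return the decoded JSON body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class FalconClient:
    """Client ID and secret go only to the token endpoint; every data
    request carries the short-lived bearer token instead."""

    def __init__(self, client_id, client_secret, send=http_send, now=time.time):
        self._id, self._secret = client_id, client_secret
        self._send, self._now = send, now
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until 60 seconds before it expires.
        if self._token and self._now() < self._expires_at - 60:
            return self._token
        form = urllib.parse.urlencode(
            {"client_id": self._id, "client_secret": self._secret}).encode()
        reply = self._send(urllib.request.Request(
            BASE_URL + "/oauth2/token", data=form, method="POST"))
        self._token = reply["access_token"]
        self._expires_at = self._now() + reply["expires_in"]
        return self._token

    def detection_ids(self, fql_filter, limit=100):
        # Assumed endpoint: detection ID query, filtered with FQL.
        query = urllib.parse.urlencode({"filter": fql_filter, "limit": limit})
        req = urllib.request.Request(
            BASE_URL + "/detects/queries/detects/v1?" + query,
            headers={"Authorization": "Bearer " + self.token()})
        return self._send(req)["resources"]

if __name__ == "__main__":
    # Credentials come from the environment, never from the script body.
    client = FalconClient(os.environ["FALCON_CLIENT_ID"],
                          os.environ["FALCON_CLIENT_SECRET"])
    # Assumed filter; one JSON object per line on stdout for the collector.
    for det_id in client.detection_ids("created_timestamp:>'now-15m'"):
        print(json.dumps({"detection_id": det_id}))
```

Scope the API client to read-only detection access so a leaked token or secret cannot change anything in the tenant.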

Answers

  • Draco3
    Draco3 Posts: 6

    Unfortunately I found that we aren't licensed for the SQS/S3 bucket for CrowdStrike. I moved ahead with deploying the CrowdStrike collector and using this as syslog.