CrowdStrike API

I was previously using SPLUNK to get data via a SPLUNK add-on that used an API query to pull down detections from the CrowdStrike platform. We are moving away from SPLUNK and trying to use CRIBL to get CrowdStrike data. CrowdStrike have a SIEM connector but this requires additional infrastructure and I am trying to see if I can use CRIBL to query CrowdStrike via the API to pull this information down. Has anyone attempted or tried this? I was stuck with the client id and key with the REST API, but I think this needs to be done separately and only use an authentication token (bearer) to make the connection.

Hey there! Are you trying to get the event stream or pull events like the Data Replicator provides? I know that Cribl has a Source for connecting to the SQS queue that CrowdStrike provides for their Data Replicator feed, but it doesn’t look like the Event Stream collection is native. If you are running on-prem, you can likely create a script and use the Script Collector to get this information in (much like running the TA on a heavy forwarder). The other option in my view, aside from using the SIEM connector to collect and sending it to Cribl, is to continue using your Heavy Forwarder and then send that data to Cribl.
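As an added example (not code from this thread, from CrowdStrike or from Cribl), a Python script of the kind the Script Collector could run: it exchanges the API client id/secret for a bearer token the way the question describes, caches it, pages through detection IDs and fetches the detection summaries. The `/oauth2/token` and legacy Detects endpoints are Falcon API paths; the base URL, the FQL filter field and the 1000-ID batch size are assumptions to verify against your tenant's API docs, and the HTTP transport is injectable so the flow can be exercised offline.

```python
"""Constructed example: pull Falcon detections over the REST API for a Cribl Script Collector."""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud; other clouds use another host

def http_json(method, url, headers=None, body=None):
    """Minimal HTTP helper returning parsed JSON; tests swap in a fake transport."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class FalconClient:
    def __init__(self, client_id, client_secret, transport=http_json):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport  # injectable so the whole flow can run offline
        self._token, self._expires_at = None, 0.0

    def bearer(self):
        """OAuth2 client credentials: id/secret go only to /oauth2/token; the bearer is cached."""
        if self._token is None or time.time() >= self._expires_at - 60:  # refresh 60 s early
            form = urllib.parse.urlencode({"client_id": self.client_id, "client_secret": self.client_secret}).encode()
            data = self.transport("POST", BASE_URL + "/oauth2/token",
                                  {"Content-Type": "application/x-www-form-urlencoded"}, form)
            self._token = data["access_token"]
            self._expires_at = time.time() + data.get("expires_in", 1799)
        return self._token

    def _call(self, method, path, params=None, payload=None):
        headers = {"Authorization": "Bearer " + self.bearer(), "Content-Type": "application/json"}
        url = BASE_URL + path + ("?" + urllib.parse.urlencode(params) if params else "")
        return self.transport(method, url, headers, None if payload is None else json.dumps(payload).encode())

    def detections_since(self, since_iso, page=500):
        """Page through detection IDs newer than since_iso, then fetch their full summaries
        (legacy Detects API; the FQL field last_behavior is an assumption to verify)."""
        ids, offset = [], 0
        while True:
            r = self._call("GET", "/detects/queries/detects/v1",
                           {"filter": f"last_behavior:>'{since_iso}'", "limit": page, "offset": offset})
            ids += r["resources"]
            offset += len(r["resources"])
            if not r["resources"] or offset >= r["meta"]["pagination"]["total"]:
                break
        out = []
        for i in range(0, len(ids), 1000):  # summaries endpoint takes ID batches (1000 assumed)
            out += self._call("POST", "/detects/entities/summaries/GET/v1", payload={"ids": ids[i:i + 1000]})["resources"]
        return out
```

Wrap it in a `__main__` that prints `json.dumps(det)` per detection and the Script Collector gets one event per line on stdout; keep the client id and secret in the collector's environment rather than in the script.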

Unfortunately I found that we aren’t licensed for the SQS/S3 bucket for CrowdStrike. I moved ahead with deploying the CrowdStrike collector and using this as SYSLOG.