Configure CrowdStrike Log Collector

The Alert Logic CrowdStrike collector is a log collector built on the AWS-based API Poll (PAWS) collector library. It polls the CrowdStrike platform's APIs on a schedule and forwards the returned logs to Alert Logic.

You can view logs collected by CrowdStrike collectors in the Search page in the Alert Logic console. To learn more about the Search feature, see Get Started with Search. To learn how to create correlations to generate incidents or observations from the collected logs, see Correlations and Notifications.

You must complete the following to successfully configure and verify your CrowdStrike log collector:

  1. Obtain an API client ID and secret key
  2. Configure collection in the Alert Logic console
  3. Verify successful configuration

Obtain an API client ID and secret key

You must have an admin role in the CrowdStrike Falcon platform to generate an API client ID and secret key.

To generate the API client ID and secret key:

  1. On the CrowdStrike Falcon platform, navigate to API Clients and Keys.
  2. In the OAuth2 API Clients table, click Add new API client.
  3. Enter the following details to define your API client:
    1. In the Client Name field, enter the client name.
    2. In the Description field, enter the description for the client.
  4. In the API Scopes field, enable the Read scope for both the Incident API and the Detection API. The collector only reads from these two APIs, so it needs no other scopes.
  5. Click Add to save the API client and generate the Client ID and Secret Key. Copy both values to a safe place now; you need them when you configure the collector in the Alert Logic console.

Configure collection in the Alert Logic console

After you generate the API client ID and the API secret key, you must complete the next steps of the collection configuration process in the Alert Logic console. You can configure more than one instance of the CrowdStrike collector if you need to monitor logs for more than one CrowdStrike account.

To access the Application Registry page, click the menu icon. Click Configure, and then click Application Registry.

To add a new CrowdStrike collector:

  1. In the Application Registry, click the CrowdStrike tile.
  2. In the Application Name field, enter a descriptive name for the collector.
  3. In the Client ID field, enter the client ID you generated in Obtain an API client ID and secret key.
  4. In the Secret Key field, enter the secret key you generated in Obtain an API client ID and secret key.
  5. Under API Names, select the Incident and Detect logs that you want Alert Logic to collect from CrowdStrike.
  6. (Optional) In the Collection Start field, provide a collection start timestamp in ISO 8601 UTC format, for example 2020-01-01T16:00:00Z.
  7. Click ADD. Wait 10 minutes for the application to be successfully created and appear in your application list. Do not click ADD again while the request is processing.
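Before you paste the client ID and secret key into the console, it is worth confirming that the pair authenticates, that both Read scopes from the API client steps are actually granted, and that any Collection Start value is well formed; a collector that is created with a rejected secret or a missing scope only shows up as unhealthy ten minutes later. The following Python script is an added example, not Alert Logic or CrowdStrike code. It assumes the Falcon OAuth2 token endpoint (/oauth2/token) and the Detects and Incidents query endpoints on the US-1 base URL, none of which are named on this page, and it assumes the environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET. The offline stub transport is constructed here so the checks can be exercised without network access.

```python
"""Pre-flight check for a CrowdStrike API client before it is entered into the
Alert Logic console (added example; not Alert Logic or CrowdStrike code)."""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime

# Assumption: US-1 Falcon cloud. Other clouds use a different base URL.
FALCON_BASE_URL = "https://api.crowdstrike.com"
TOKEN_PATH = "/oauth2/token"
# One read-only query per API the collector needs (assumed endpoint paths).
READ_CHECKS = {
    "Detection": "/detects/queries/detects/v1?limit=1",
    "Incident": "/incidents/queries/incidents/v1?limit=1",
}
COLLECTION_START_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def validate_collection_start(value):
    """True if value has the 2020-01-01T16:00:00Z shape the Collection Start
    field expects and is a real calendar date and time."""
    if not COLLECTION_START_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False
    return True


def urllib_http(method, url, headers=None, body=None):
    """Real transport: returns (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def offline_stub_http(method, url, headers=None, body=None):
    """Constructed stand-in for the Falcon API so the check runs offline.
    Simulates a client with the Detection Read scope but no Incident scope."""
    if url.endswith(TOKEN_PATH):
        return 201, {"access_token": "stub-token", "expires_in": 1799}
    if (headers or {}).get("Authorization") != "Bearer stub-token":
        return 401, {"errors": [{"message": "access denied, invalid bearer token"}]}
    if "/detects/" in url:
        return 200, {"resources": []}
    return 403, {"errors": [{"message": "access denied, authorization failed"}]}


def get_token(client_id, client_secret, http=urllib_http, base_url=FALCON_BASE_URL):
    """OAuth2 client-credentials exchange; raises PermissionError if rejected."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, data = http("POST", base_url + TOKEN_PATH, headers=headers, body=body)
    if status not in (200, 201) or "access_token" not in data:
        raise PermissionError(f"token request failed: HTTP {status} {data.get('errors', '')}")
    return data["access_token"]


def check_read_scopes(token, http=urllib_http, base_url=FALCON_BASE_URL):
    """Map each required API to whether a read succeeds (403 means the scope is missing)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return {name: http("GET", base_url + path, headers=headers)[0] == 200
            for name, path in READ_CHECKS.items()}


def preflight(client_id, client_secret, collection_start=None, http=urllib_http):
    """'ok' is True only when the client authenticates, every scope reads, and the
    optional Collection Start value (if given) is well formed."""
    result = {"authenticated": False, "scopes": {}, "collection_start_ok": None}
    if collection_start is not None:
        result["collection_start_ok"] = validate_collection_start(collection_start)
    try:
        token = get_token(client_id, client_secret, http=http)
    except PermissionError:
        result["ok"] = False
        return result
    result["authenticated"] = True
    result["scopes"] = check_read_scopes(token, http=http)
    result["ok"] = all(result["scopes"].values()) and result["collection_start_ok"] is not False
    return result


if __name__ == "__main__":
    # Assumed environment variable names; pass --offline to use the constructed stub.
    http = offline_stub_http if "--offline" in sys.argv else urllib_http
    print(json.dumps(preflight(os.environ.get("FALCON_CLIENT_ID", "stub-id"),
                               os.environ.get("FALCON_CLIENT_SECRET", "stub-secret"),
                               collection_start="2020-01-01T16:00:00Z", http=http), indent=2))
```

Run it with FALCON_CLIENT_ID and FALCON_CLIENT_SECRET exported to test a real client, or with --offline to see the shape of a failing result; a scope that maps to False is the one still missing from the API client, and a PermissionError on the token exchange means the copied secret is wrong.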

Verify successful configuration

You can verify that your CrowdStrike collector is configured correctly in the Configured Applications tab within approximately 10 minutes of adding the integration. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.

To view logs collected by a specific CrowdStrike collector:

  1. In the Application Registry, click the Configured Applications tab.
  2. Click the View dropdown menu for the CrowdStrike collector.
  3. Click VIEW LOGS to open log search results for the collector.

The Health console also indicates whether the application collector is healthy or unhealthy. For more information, see Health.