CrowdStrike Falcon LogScale: ExtraHop Detection & Record Connector
Description
CrowdStrike's Falcon LogScale (formerly Humio) offers fast, scalable, and affordable log management; try the community edition with your ExtraHop for free today.
This integration lets LogScale receive, in real time, the Detections and Records that ExtraHop generates from your wire data.
You may choose to send only Records, only selected Record Types, or only Detections.
Download Bundle:
LogScale_ Detection & Record Connector.json (13.1 KB)
The following figure shows an example of ExtraHop Record data in LogScale, where you can then leverage the data for creating dashboards, or running powerful queries using the LogScale Query Language.
Figure 1. ExtraHop Record data in LogScale
The following figure shows an example of ExtraHop Detection data in LogScale. Notice how you can use #source = extrahop:detection_update to select only Detection data. Try using a specific record type too.
Figure 2. ExtraHop Detection data in LogScale
Bundle Contents
- (1) Trigger
- LogScale: Detection & Record Connector
Requirements
- You must have Reveal(x) Enterprise or 360, running firmware 8.8 or later
- An ExtraHop user account that has Unlimited privileges
- You must have Falcon LogScale
- You must be able to create a Falcon LogScale ingest token
Installation Instructions
Configure LogScale
1. Log in to LogScale.
2. Select the repository to use, or create a new repository.
3. After selecting the new or existing repository, click "Parsers" at the top.
   a. Click "New Parser".
   b. Name: extrahop-json
   c. Select "Duplicate Existing".
   d. Select json-for-action.
   e. Click "Duplicate parser".
4. Click "Settings" at the top, then click "Ingest Tokens" on the left.
   a. Take note of your ingest hostname.
   b. Click "Add token".
   c. Use STRUCTURED and select the parser created in Step 3.
   d. Take note of the ingest token.
Configure ExtraHop Reveal(x)
Install the bundle
When installing the bundle on a Command appliance or Cloud Control Plane, select the option to install the bundle on all of the connected sensors that should participate in this integration.
- Download the bundle on this page.
- Upload and apply the bundle.
Configure ODS targets
When installing this bundle on a Command appliance or 360 console, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.
- Log in to the Admin UI on the Discover appliance.
- Configure an HTTP target for an open data stream with the following parameters:
  - In the Name field, type logscale.
  - In the Host field, type the ingest hostname from step 4a.
  - In the Port field, type 443.
  - From the Type drop-down list, select HTTPS.
  - Check "Multiple connections".
  - Enter an additional HTTP header using the ingest token from step 4d:
    - Authorization: Bearer YOUR_INGEST_TOKEN
The completed ODS target page should look similar to the following figure:
Configure the trigger
- In the Web UI on the Reveal(x) 360 Console or Command appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
- In the list of triggers, click LogScale: Detection & Record Connector.
- In the right pane, click Edit Trigger Script.
- In the left pane, in the Options section, select the Enable trigger checkbox.
- Ensure the LOGSCALE_ODS variable matches your ODS target name.
- (Optional) Set either the SEND_DETECTIONS or the SEND_RECORDS variable to false if you do not wish to send all Detections and all Records.
- (Optional) Toggle the record type boolean variables under falconConnectorConfig to change which Record types are sent to LogScale.
- (Optional) Click Assignments and then pick the specific Devices or Groups whose Records will be sent. Note: Detection updates have no assignments; all Detections are sent if SEND_DETECTIONS = true. By default, all Records from all devices are sent; this option is under "Show Advanced Options" → "Assign to all devices".
- Click Save, then click Done.
- Your configured data is available in LogScale in real time.
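To check what the trigger options above (SEND_DETECTIONS, SEND_RECORDS, the falconConnectorConfig record-type switches) will actually let through before you enable the trigger, here is an added Python model of that send decision and of the request the ODS target emits. It is not the bundle's trigger code; the ingest path, the structured payload shape, the tag value for Records, and the record type names are assumptions, and the hostname and token are placeholders.

```python
"""Added example: model of the connector's send decision and ODS request.
Not the bundle's own trigger script (which runs on the sensor in JavaScript).
Assumptions: LogScale structured ingest path and payload shape; the Record
tag value; the record type names in falconConnectorConfig."""
import json

# Trigger options named on this page; values here are constructed for the demo.
SEND_DETECTIONS = True
SEND_RECORDS = True
falconConnectorConfig = {"HTTP": True, "DNS": True, "SSL": False}  # assumed type names

INGEST_HOST = "YOUR_INGEST_HOSTNAME"            # placeholder: hostname from step 4a
INGEST_TOKEN = "YOUR_INGEST_TOKEN"              # placeholder: token from step 4d
INGEST_PATH = "/api/v1/ingest/humio-structured"  # assumption: structured ingest endpoint


def should_send(kind, record_type=None, cfg=None,
                send_detections=SEND_DETECTIONS, send_records=SEND_RECORDS):
    """Return True if an event of this kind leaves the sensor under the given options."""
    cfg = falconConnectorConfig if cfg is None else cfg
    if kind == "detection_update":
        return send_detections          # Detections ignore assignments and type switches
    if kind == "record":
        return send_records and cfg.get(record_type, False)
    return False


def build_request(kind, attributes, record_type=None, ts="1970-01-01T00:00:00Z"):
    """Return (headers, body) for the HTTPS ODS target, or None if filtered out."""
    if not should_send(kind, record_type):
        return None
    # "#source = extrahop:detection_update" is the tag shown on this page; the
    # Record tag value below is an assumption.
    source = "extrahop:detection_update" if kind == "detection_update" else "extrahop:record"
    if record_type:
        attributes = {**attributes, "record_type": record_type}
    body = [{"tags": {"source": source},
             "events": [{"timestamp": ts, "attributes": attributes}]}]
    headers = {"Host": INGEST_HOST, "Content-Type": "application/json",
               "Authorization": f"Bearer {INGEST_TOKEN}"}  # header from the ODS target
    return headers, body


def redacted(headers):
    """Copy of the headers safe to log: never write the ingest token to logs."""
    return {k: ("Bearer ***" if k == "Authorization" else v) for k, v in headers.items()}


if __name__ == "__main__":
    req = build_request("detection_update", {"title": "constructed detection"})
    print("POST", INGEST_PATH, redacted(req[0]), json.dumps(req[1]))
    print("SSL record sent:", build_request("record", {"host": "x"}, "SSL") is not None)
```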