LogScale App for CrowdStrike

The attached bundle is meant to be used as a companion to your CrowdStrike Falcon deployment. The bundle sends data from your unmanaged systems. These systems are typically new devices just brought up on the network, legacy systems, IoT and ICS/SCADA systems. This will write ExFlow data to your Humio Webhook.

Before you deploy:

  • You will need to create an ODS Target named “Humio” (case sensitive).
    NOTE: If you are using the new free Community Edition (16Gb/Day and 7 Day Retention) that host is currently cloud.community.humio.com.

  • Also, make sure you check the “multiple connections” checkbox.

Bundle Contents:

  • Device Group for Linux systems W/O Falcon Sensor (Will Say Humio Unmanaged)

  • Device Group for Windows Systems W/O Falcon Sensor (Will Say Humio Unmanaged)

  • Triggers for Linux/Windows and New Device (< 24 hours) systems.

Make sure the triggers are assigned to the appropriate device groups.

  • Linux trigger to Linux Unmanaged

  • Windows trigger to Windows Unmanaged

  • New Device Trigger to New Device < 24 Hours

Edit the humioHook variable in each trigger (line 5) with the webhook matching your Humio Instance.

HumioRxUnmangedBundle.json (8.9 KB)

Once you have deployed the bundle, check back at your dashboard and it should look similar to the dashboard below (you will need the trace appliance for the ‘PCAP’ column to work).

Attached is the “Unmanaged Detection to Humio” bundle, which is a trigger that, on DETECTION_UPDATE, checks the offender against the Falcon API; if there is no Asset ID (AID), the device is counted and sent to Humio as an Unmanaged Device with a detection.
Unmanaged Device Detections to Humio.json (5.9 KB)
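The bundle's triggers are not included in the thread, so here is an added example (not the bundle's own code) of the pattern they rely on: an ExtraHop trigger that builds a LogScale structured-ingest batch from a flow record and posts it through the ODS target named “Humio”, as the post requires. Assumptions: the trigger runs on FLOW_CLASSIFY and is assigned to the unmanaged device groups, the ODS target already carries the ingest token, and the endpoint path `/api/v1/ingest/humio-structured`; the `SAMPLE_FLOW` object is constructed here so the file also runs outside the ExtraHop runtime.

```javascript
// Constructed stand-in for the trigger's Flow object, used only when this file
// runs outside the ExtraHop trigger runtime (e.g. under node).
const SAMPLE_FLOW = {
  client: { ipaddr: '10.1.2.3', port: 51234, device: { id: 'dev-0001' } },
  server: { ipaddr: '203.0.113.10', port: 443, device: null },
  l7proto: 'SSL',
  ipproto: 'TCP',
};

// Build one LogScale structured-ingest batch: a tag naming the trigger and a
// single event whose attributes describe the flow (ExFlow-style record).
function buildHumioBatch(flow, nowMs, triggerName) {
  const event = {
    timestamp: new Date(nowMs).toISOString(),
    attributes: {
      event: 'exflow',
      client_ip: String(flow.client.ipaddr),
      client_port: flow.client.port,
      // Device id is null when ExtraHop has not discovered the client device.
      client_device: flow.client.device ? flow.client.device.id : null,
      server_ip: String(flow.server.ipaddr),
      server_port: flow.server.port,
      l7proto: flow.l7proto,
      ipproto: flow.ipproto,
    },
  };
  return [{ tags: { source: triggerName }, events: [event] }];
}

// Post the batch through the ODS target. `remoteHttp` is Remote.HTTP in the
// trigger runtime; the auth header is configured on the target, not in code.
function sendToHumio(remoteHttp, batch, humioPath) {
  return remoteHttp('Humio').post({
    path: humioPath,
    headers: { 'Content-Type': 'application/json' },
    payload: JSON.stringify(batch),
  });
}

// Inside the ExtraHop runtime, forward the current flow; elsewhere this is a no-op.
if (typeof Flow !== 'undefined' && typeof Remote !== 'undefined') {
  sendToHumio(Remote.HTTP, buildHumioBatch(Flow, Date.now(), 'Humio Unmanaged'),
              '/api/v1/ingest/humio-structured');
}
```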

Rx Team, there is a bug in the community edition that does not allow geomaps to render. This is why the first two cells are blank when you set up the Humio bundle on the Community Edition.

We are working on a solution ASAP!!!

Thanks guys!


Rx Team

The bundle has been updated to work with the latest version of LogScale.