CrowdStrike Falcon EDR

Automate the forwarding of CrowdStrike Falcon EDR logs to a Syslog endpoint by utilizing the CrowdStrike API and a custom forwarding script.

Prerequisites

  • CrowdStrike Falcon API credentials with access to event data.
  • Scripting environment (e.g., a server with Python installed) for running the forwarding script.
  • Syslog endpoint details: <SYSLOG_ENDPOINT>, <SYSLOG_PORT>.

Configuration Steps

1. Obtain CrowdStrike API Credentials

  • Generate API credentials within the CrowdStrike console. You'll need the API Client ID and Client Secret with permissions to access event data.

2. Fetch Logs from CrowdStrike API

Create a script to authenticate with the CrowdStrike API, fetch event logs, and format them for Syslog forwarding.

Example Python snippet to fetch logs:

import requests

def fetch_crowdstrike_logs(client_id, client_secret, app_id="syslog-forwarder"):
    # Authenticate with the OAuth2 client-credentials flow.
    # api.crowdstrike.com is the US-1 cloud; other clouds use a different
    # base host (for example api.us-2.crowdstrike.com or api.eu-1.crowdstrike.com).
    auth_url = "https://api.crowdstrike.com/oauth2/token"
    auth_data = {
        'client_id': client_id,
        'client_secret': client_secret
    }
    response = requests.post(auth_url, data=auth_data, timeout=30)
    response.raise_for_status()          # fail loudly on bad credentials or a 4xx/5xx
    access_token = response.json()['access_token']

    # Discover the event stream. The appId query parameter is required and
    # identifies this consumer; the response carries stream descriptors
    # (a dataFeedURL and session token) that the forwarder then reads from.
    logs_url = "https://api.crowdstrike.com/sensors/entities/datafeed/v2"
    headers = {'Authorization': f'Bearer {access_token}'}
    logs_response = requests.get(logs_url, headers=headers,
                                 params={'appId': app_id}, timeout=30)
    logs_response.raise_for_status()
    logs = logs_response.json()

    return logs

3. Forward Logs to Syslog

Extend the script to send the fetched log data to the specified Syslog endpoint.

Example addition for forwarding to Syslog:

import json
import socket

def send_to_syslog(syslog_server, syslog_port, log_message):
    # UDP syslog: one datagram per event. The <14> PRI is facility 1
    # (user-level) * 8 + severity 6 (informational).
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        syslog_message = f"<14>{json.dumps(log_message)}".encode('utf-8')
        sock.sendto(syslog_message, (syslog_server, syslog_port))
    finally:
        sock.close()

4. Schedule and Execute the Script

Use cron jobs (Linux) or Task Scheduler (Windows) to run the script at regular intervals, ensuring new events from CrowdStrike Falcon are continuously forwarded.

5. Verify Log Forwarding

Monitor the script's operation and check the Syslog server to confirm that logs from CrowdStrike Falcon are being received.
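The steps above leave two things to the reader: how to keep a cron-driven run from resending events it already forwarded, and how to confirm the syslog side actually received well-formed messages. The following added example (it is not CrowdStrike's code, and the event records are constructed samples whose field names, including the metadata "offset", are assumptions rather than the real stream schema) renders each event as an RFC 5424 syslog line with a proper PRI, persists the last forwarded offset in a checkpoint file so repeated runs only send new events, and guards against oversized UDP payloads, which a collector would otherwise receive as cut-off, unparseable JSON. The `__main__` block stands up a loopback UDP listener in place of the real syslog server so the forwarded lines can be inspected, which is the check step 5 asks for.

```python
"""Checkpointed syslog forwarder for Falcon-style events (added example, not
CrowdStrike's code). Event shape and field names below are constructed."""
import json
import os
import socket
from datetime import datetime, timezone

FACILITY_USER = 1        # syslog facility "user-level" (RFC 5424, table 1)
SEVERITY_WARNING = 4
SEVERITY_INFO = 6
MAX_UDP_PAYLOAD = 2048   # RFC 5426: receivers SHOULD accept at least 2048 octets

# Constructed sample events. "offset" mimics a monotonic stream position used
# for resuming; the remaining fields are illustrative, not the real schema.
SAMPLE_EVENTS = [
    {"metadata": {"offset": 101, "eventType": "DetectionSummaryEvent",
                  "eventCreationTime": 1700000000000},
     "event": {"ComputerName": "host-a", "Severity": 5, "DetectName": "Sample detection"}},
    {"metadata": {"offset": 102, "eventType": "AuthActivityAuditEvent",
                  "eventCreationTime": 1700000001000},
     "event": {"UserId": "analyst@example.com", "Severity": 2, "OperationName": "userAuthenticate"}},
    {"metadata": {"offset": 103, "eventType": "DetectionSummaryEvent",
                  "eventCreationTime": 1700000002000},
     "event": {"ComputerName": "host-b", "Severity": 3, "CommandLine": "x" * 3000}},
]


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity (RFC 5424, section 6.2.1)."""
    return facility * 8 + severity


def format_syslog(event, hostname="falcon-forwarder", app_name="crowdstrike"):
    """Render one event as an RFC 5424 line; Falcon severity >= 4 maps to WARNING."""
    meta = event["metadata"]
    severity = SEVERITY_WARNING if event["event"].get("Severity", 0) >= 4 else SEVERITY_INFO
    ts = datetime.fromtimestamp(meta["eventCreationTime"] / 1000, tz=timezone.utc)
    header = (f"<{pri(FACILITY_USER, severity)}>1 "
              f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]}Z "
              f"{hostname} {app_name} - {meta['eventType']} - ")
    line = header + json.dumps(event, separators=(",", ":"))
    if len(line.encode("utf-8")) > MAX_UDP_PAYLOAD:
        # A datagram the receiver cannot accept arrives cut off, leaving broken
        # JSON at the collector; send a small marker that still carries metadata.
        line = header + json.dumps({"metadata": meta, "truncated": True},
                                   separators=(",", ":"))
    return line


def load_checkpoint(path):
    """Offset of the last event already forwarded, or -1 if none was recorded."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or -1)
    except FileNotFoundError:
        return -1


def save_checkpoint(path, offset):
    """Write the checkpoint atomically so a crash never leaves a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(offset))
    os.replace(tmp, path)


def udp_sender(server, port):
    """Return a callable that sends one datagram to the syslog endpoint."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (server, port))


def forward_events(events, sender, checkpoint_path):
    """Send every event newer than the checkpoint, in offset order; return the count."""
    last = load_checkpoint(checkpoint_path)
    sent = 0
    for event in sorted(events, key=lambda e: e["metadata"]["offset"]):
        offset = event["metadata"]["offset"]
        if offset <= last:
            continue  # already delivered by an earlier scheduled run
        sender(format_syslog(event).encode("utf-8"))
        save_checkpoint(checkpoint_path, offset)  # advance only after a send
        last = offset
        sent += 1
    return sent


if __name__ == "__main__":
    # Loopback check: a throwaway UDP listener stands in for the syslog server.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    send = udp_sender("127.0.0.1", listener.getsockname()[1])
    ckpt = "falcon.checkpoint"
    save_checkpoint(ckpt, -1)
    print("run 1 forwarded:", forward_events(SAMPLE_EVENTS, send, ckpt))
    print("run 2 forwarded:", forward_events(SAMPLE_EVENTS, send, ckpt))
    for _ in range(3):
        print(listener.recv(65535).decode("utf-8")[:110], "...")
    os.remove(ckpt)
```

In production `sender` would be `udp_sender("<SYSLOG_ENDPOINT>", <SYSLOG_PORT>)` and `events` the records read from the stream; because the checkpoint is advanced only after each successful send, a run that dies mid-batch resends at most the event in flight rather than the whole batch.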