CrowdStrike Falcon EDR
Automate the forwarding of CrowdStrike Falcon EDR logs to a Syslog endpoint by utilizing the CrowdStrike API and a custom forwarding script.
Prerequisites
- CrowdStrike Falcon API credentials (OAuth2 client ID and secret) with the Event Streams read scope, which is the scope the datafeed endpoint requires.
- Scripting environment (e.g., a server with Python 3 and the requests library installed) for running the forwarding script.
- Syslog endpoint details: <SYSLOG_ENDPOINT>, <SYSLOG_PORT>, and the transport the collector accepts (UDP, TCP, or TLS).
Configuration Steps
1. Obtain CrowdStrike API Credentials
- Generate an API client within the CrowdStrike console (Support and resources > API clients and keys). Record the Client ID and Client Secret, and grant the client only the Event Streams read scope; it does not need write access to anything. Note which cloud your tenant lives in: the base URL below (api.crowdstrike.com) is for US-1, and other clouds use a different API hostname.
2. Fetch Logs from CrowdStrike API
Create a script that authenticates with the CrowdStrike API and discovers the available event streams. The datafeed endpoint does not return events directly; it returns one or more stream descriptors, each with a dataFeedURL and a session token, and the script then reads newline-delimited JSON events from that URL using the token. The access token itself is short-lived, so the script must be prepared to re-authenticate when it receives an HTTP 401.
Example Python snippet to fetch logs:
import requests

BASE_URL = "https://api.crowdstrike.com"  # US-1; use your tenant's cloud hostname

def fetch_crowdstrike_streams(client_id, client_secret, app_id="syslogfwd"):
    # Authenticate with the OAuth2 client-credentials grant
    auth_url = f"{BASE_URL}/oauth2/token"
    auth_data = {'client_id': client_id, 'client_secret': client_secret}
    response = requests.post(auth_url, data=auth_data, timeout=30)
    response.raise_for_status()
    access_token = response.json()['access_token']
    # Discover event streams. appId is required and identifies this consumer;
    # the response lists stream descriptors (dataFeedURL plus a session
    # token), which the script then connects to in order to read events.
    streams_url = f"{BASE_URL}/sensors/entities/datafeed/v2"
    headers = {'Authorization': f'Bearer {access_token}'}
    streams_response = requests.get(streams_url, headers=headers,
                                    params={'appId': app_id}, timeout=30)
    streams_response.raise_for_status()
    return streams_response.json().get('resources', [])
3. Forward Logs to Syslog
Extend the script to send each fetched event to the specified Syslog endpoint. The snippet below uses UDP with PRI 14 (facility user, severity informational) and an RFC 5424 header so the collector can parse a timestamp and hostname. UDP syslog is neither acknowledged nor encrypted: datagrams can be silently dropped, and anyone on the path can read the detection data. Where the collector supports it, prefer TCP, or TLS (RFC 5425) for traffic that leaves a trusted network segment.
Example addition for forwarding to Syslog:
import json
import socket
from datetime import datetime, timezone

def send_to_syslog(syslog_server, syslog_port, log_message, hostname="falcon-forwarder"):
    # PRI 14 = facility user (1*8) + severity informational (6)
    timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD
    header = f"<14>1 {timestamp} {hostname} falcon - - -"
    syslog_message = f"{header} {json.dumps(log_message)}".encode('utf-8')
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(syslog_message, (syslog_server, syslog_port))
4. Schedule and Execute the Script
Use cron jobs (Linux) or Task Scheduler (Windows) to run the script at regular intervals, ensuring new events from CrowdStrike Falcon are continuously forwarded. Each event carries a metadata offset; persist the last offset that was forwarded successfully and pass it back on the next run, otherwise a scheduled rerun will resend events the collector already has, or skip events that arrived between runs. Keep the client secret out of the crontab and command line (an environment file or secrets store readable only by the service account), and run the script as an unprivileged user.
5. Verify Log Forwarding
Monitor the script's operation and check the Syslog server to confirm that logs from CrowdStrike Falcon are being received. Trigger a known detection (for example, a test file from a sanctioned detection-test tool) and confirm it appears at the collector with the expected PRI, timestamp, and hostname. Also confirm that the script recovers when the access token expires (an HTTP 401 from the stream) and when the collector is briefly unreachable, since with UDP the send call will not report either condition on its own.
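The five steps above form one pipeline: read newline-delimited events from a stream, drop the ones already forwarded, map them to a syslog severity, build an RFC 5424 line, and send it. The following is an added end-to-end example of that pipeline, not code from the original page or from CrowdStrike. It runs offline against a throwaway UDP listener on localhost in place of <SYSLOG_ENDPOINT>:<SYSLOG_PORT>, and the stream content is constructed sample data whose field names (metadata.offset, metadata.eventType, metadata.eventCreationTime, event.Severity) follow the general shape of Falcon Event Streams output but are assumptions for illustration, not captured production events. The Falcon-to-syslog severity mapping is also a choice made here, not a CrowdStrike specification.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample stream: one JSON object per line, with a blank keep-alive
# line in between. Hypothetical data, shaped like Event Streams output.
SAMPLE_STREAM = "\n".join([
    json.dumps({"metadata": {"offset": 101, "eventType": "DetectionSummaryEvent",
                             "eventCreationTime": 1700000000000},
                "event": {"Severity": 4, "SeverityName": "High",
                          "ComputerName": "WS-0042",
                          "DetectName": "Credential Dumping"}}),
    "",
    json.dumps({"metadata": {"offset": 102, "eventType": "UserActivityAuditEvent",
                             "eventCreationTime": 1700000060000},
                "event": {"UserId": "admin@example.com",
                          "OperationName": "detection_update"}}),
    json.dumps({"metadata": {"offset": 103, "eventType": "DetectionSummaryEvent",
                             "eventCreationTime": 1700000120000},
                "event": {"Severity": 5, "SeverityName": "Critical",
                          "ComputerName": "SRV-DB01",
                          "DetectName": "Ransomware Behavior"}}),
])

FACILITY_USER = 1
# Assumed mapping: Falcon Severity 5..1 -> syslog crit(2), err(3), warning(4), notice(5), info(6)
SEVERITY_MAP = {5: 2, 4: 3, 3: 4, 2: 5, 1: 6}


def parse_stream(text):
    """Parse newline-delimited JSON, skipping keep-alive blank lines and bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one malformed line must not stop the forwarder
    return records


def new_records(records, last_offset):
    """Keep only records past the checkpointed offset so reruns do not resend."""
    return [r for r in records if r["metadata"]["offset"] > last_offset]


def syslog_severity(record):
    """Audit events carry no Severity field and fall back to informational."""
    return SEVERITY_MAP.get(record.get("event", {}).get("Severity"), 6)


def format_syslog(record, hostname="falcon-forwarder", app="falcon"):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = FACILITY_USER * 8 + syslog_severity(record)
    meta = record["metadata"]
    ts = datetime.fromtimestamp(meta["eventCreationTime"] / 1000, tz=timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    msg_id = meta.get("eventType", "-")
    body = json.dumps(record, separators=(",", ":"), sort_keys=True)
    return f"<{pri}>1 {stamp} {hostname} {app} - {msg_id} - {body}".encode("utf-8")


def forward(records, host, port):
    """Send one UDP datagram per record; return the highest offset sent (the checkpoint)."""
    checkpoint = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for rec in records:
            sock.sendto(format_syslog(rec), (host, port))
            checkpoint = rec["metadata"]["offset"]
    return checkpoint


def local_roundtrip(text, last_offset):
    """Run the pipeline against a local UDP listener standing in for the collector."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    port = listener.getsockname()[1]
    records = new_records(parse_stream(text), last_offset)
    checkpoint = forward(records, "127.0.0.1", port)
    received = [listener.recv(65535).decode("utf-8") for _ in records]
    listener.close()
    return checkpoint, received


if __name__ == "__main__":
    ckpt, lines = local_roundtrip(SAMPLE_STREAM, last_offset=101)
    for line in lines:
        print(line[:110])
    print("checkpoint offset:", ckpt)
```

With last_offset=101 the first record is treated as already forwarded, so only offsets 102 and 103 are sent and the new checkpoint is 103; that is the value a cron-driven run would write back to disk. Because UDP has no framing, each event must fit in one datagram; if your events are larger than the collector's accepted datagram size, switch the transport to TCP or TLS rather than truncating JSON.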