CrowdStrike

Overview

You can send logs to LogScale via HTTP using the HEC by performing POST requests using our HTTP Sink.

Data sink configuration

Now you need to specify how and where to send the data, and how to establish a connection with HTTP.

Metadata

Enter the basic information for the new Data sink.​

Metrics display

Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.

Click Finish when complete. Your new Data sink will appear in the Data sinks area list.

Pipeline configuration

When it comes to using this Data sink in a Pipeline, you must configure the following output parameters. To do it, simply click the Data sink on the canvas and select Configuration.

Output configuration

• HTTP method* - POST

• URL* - To push data from CrowdStrike into LogScale via HTTP, you don’t need a CrowdStrike-specific URL , you need to generate a LogScale HTTP Ingest URL that accepts events.

  • Create an Ingest Token

    1. Go to the Settings tab of your repository.

    2. Scroll to Ingest Tokens.

    3. Click Create Token.

       • Give it a name (e.g., crowdstrike-ingest)

       • Choose structured if you’re sending JSON data

    4. Copy the full ingest URL, which will look like this:

    Copy

    https://cloud.us.humio.com/api/v1/ingest/humio-structured/crowdstrike-alerts?token=abcdef1234567890

• Message - enter the JSON messages you would like to send to CrowdStrike.

• content-type - text/plain

Bulk configuration

• Bulk allow* - Set true to set a bulk amount.

• Delimiter* With delimiter (default newline)

• Event amount & event time limit - they would depend on the length of the messages you want to forward.

Authentication configuration

Set the type to Bearer and select the Secret you created for the bearer token you retrieved from Exabeam Webhook (see above for help on finding this).