- CrowdStrike Falcon Data Replicator and Amazon Security Lake Integration Guide
CrowdStrike Falcon Data Replicator (FDR) delivers and enriches endpoint, cloud workload and identity data with the CrowdStrike Security Cloud and world-class artificial intelligence (AI), enabling your team to derive actionable insights to improve security operations center (SOC) performance. FDR contains near real-time data collected by the CrowdStrike Falcon® platform via its single, lightweight Falcon agent across all of your cloud workloads, identities and managed endpoints, including laptops, servers, workstations and mobile devices. The data is ingested, transformed and analyzed to address your organization’s unique needs, using cloud delivery and storage mechanisms such as AWS S3 buckets and Google Cloud buckets.
Amazon Security Lake is a fully-managed security data lake service that allows you to centrally aggregate, manage, and use security-related log and event data at scale. Amazon Security Lake makes it easy and cost-effective for organizations to centrally consolidate their security logs and events from AWS, on-premises, and other cloud providers. Amazon Security Lake automates the collection of security-related log and event data from integrated AWS services and third party sources, manages the lifecycle of that data with customizable retention settings and roll up to preferred AWS Regions, and transforms that data into a standard open-source format called Open Cybersecurity Schema Framework (OCSF). You can use the security data that's stored and accessed in Amazon Security Lake for incident response and security data analytics.
This integration guide provides instructions for transforming and loading data from FDR to Amazon Security Lake. This integration will:
- Pull the customer’s FDR data from CrowdStrike's S3 bucket
- Extract and transform a subset of data into Open Cybersecurity Schema Framework (OCSF)
- Convert it to Parquet files
- Upload it to the customer-owned Amazon S3 bucket for Amazon Security Lake to ingest
While FDR data encompasses a large number of event types, only certain events are applicable to Amazon Security Lake. Only events that map to the following OCSF classes are transformed and loaded into Amazon Security Lake:
- DNS (DNS_ACTIVITY)
- File (FILE_ACTIVITY)
- Kernel Extension (MODULE_ACTIVITY)
- Network Activity (NETWORK_ACTIVITY)
- Process Activity (PROCESS_ACTIVITY)
- AWS CLI version greater than 2.11.24
- You must be a customer of CrowdStrike Falcon Insight XDR and Falcon Data Replicator
- Contact your CrowdStrike account manager to obtain the FDR OCSF mapping files
- Contact your CrowdStrike account manager to start using FDR
- An AWS account with at least one AWS source pre-configured with Amazon Security Lake (e.g. CloudTrail, VPC Flow, Route53)
In this step, you'll set up FDR in your CrowdStrike Customer ID (CID). This will provide you access to the CrowdStrike-owned S3 bucket, SQS queue, and credentials to fetch the FDR files.
- Contact your CrowdStrike account representative to set up your FDR feed
- In the Falcon console, go to Support and resources > Resources and tools > API clients and keys and click Create new credentials under FDR AWS S3 Credentials and SQS Queue
- This process provides you with several items you'll need later when setting up an SQS consumer to check for new data:
  - Client ID, to use later as AWS_KEY
  - Secret, to use later as AWS_SECRET
  - SQS URL, to use later as QUEUE_URL
In this step, you'll set up the required resources for CrowdStrike to be registered as a custom provider in Amazon Security Lake and register the supporting source types.
Execute the instructions below in your master Amazon Security Lake account.
Please follow AWS's guidance on creating an IAM role that allows Security Lake to interact with custom sources: Prerequisite: Create IAM role before adding custom sources. If you've already created the IAM role, record the ARN as you'll need it for the next step.
In this step, you'll run a script that will register CrowdStrike sources for each supported OCSF Event Class with Amazon Security Lake.
This script will also create an IAM role that will be used to write data to your Amazon Security Lake bucket.
- From the root of this project's directory, run the following script: `sh ./infrastructure/create_crowdstrike_sources.sh`
- When prompted for the ARN of IAM Role that has permissions to Invoke Glue, use the ARN from 2.1
- When prompted for the
The Falcon Data Replicator (FDR) application will write data to your Amazon Security Lake bucket. To do this, you'll need to create an IAM role that grants only the permissions the writer needs and that requires the correct ExternalId in its trust policy. This repo contains a CloudFormation template that will create the role for you.
The template is located at ./infrastructure/iam_role.yaml and has the following parameters:
Parameter | Description | Required | Default |
---|---|---|---|
BucketName | The name of the S3 bucket to write data to. Use the bucket in the same region where you created the custom sources. You can find the buckets used by Security Lake by going to Security Lake > Regions | Yes | N/A |
AccountId | The AWS account ID where the FDR GitHub tool will be deployed. | Yes | N/A |
RoleName | The name of the role to create. | No | CrowdStrike-AmazonSecurityLake-CustomSourceRole |
ExternalId | The External ID to use for the role. It is checked in the role's trust policy so that only a caller that presents it can assume the role (a guard against the confused-deputy problem, where a third party that knows only the role ARN gets it assumed on their behalf). Use the same External ID you used in step 2.2 | No | CrowdStrikeCustomSource |
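The role the table above describes, as an added example that is not the repo's ./infrastructure/iam_role.yaml: a Python script that builds an equivalent CloudFormation template (JSON form, which CloudFormation accepts like YAML) from the same four parameters, then audits it for the two properties a reviewer checks, an sts:ExternalId condition on the trust relationship and S3 permissions confined to one bucket and prefix. The `ext/` key prefix, the specific S3 actions and all function names are this example's assumptions about what a Security Lake custom-source writer needs; compare against the repo's template before deploying.

```python
"""Build and audit a least-privilege writer role for FDR -> Amazon Security Lake.

Added example; not the project's ./infrastructure/iam_role.yaml. Emits a
CloudFormation template (JSON form) from the same four parameters as the
parameter table. ASSUMPTIONS: custom-source data lands under the ext/ prefix
of the Security Lake bucket, and the writer needs only s3:PutObject plus a
prefix-scoped s3:ListBucket; check the repo's template for the real grants.
"""
import json

CUSTOM_SOURCE_PREFIX = "ext/"  # assumption: Security Lake keeps custom-source data under ext/<source>/


def build_role_template(bucket_name, account_id,
                        role_name="CrowdStrike-AmazonSecurityLake-CustomSourceRole",
                        external_id="CrowdStrikeCustomSource"):
    """Return a CloudFormation template (dict) for the role described in the parameter table."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AccountId must be a 12-digit AWS account ID")
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    # Trust policy: only principals in AccountId, and only when they present the ExternalId.
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }
    # Permission policy: write objects under the custom-source prefix of one bucket, nothing else.
    permissions = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteCustomSourceObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"{bucket_arn}/{CUSTOM_SOURCE_PREFIX}*",
            },
            {
                "Sid": "ListCustomSourcePrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{CUSTOM_SOURCE_PREFIX}*"]}},
            },
        ],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Writer role for CrowdStrike FDR -> Amazon Security Lake (added example)",
        "Resources": {
            "CustomSourceRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy,
                    "Policies": [{"PolicyName": "SecurityLakeCustomSourceWrite",
                                  "PolicyDocument": permissions}],
                },
            }
        },
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["CustomSourceRole", "Arn"]}}},
    }


def audit_role_template(template):
    """Return review findings for the role; an empty list means it passed every check here."""
    findings = []
    props = template["Resources"]["CustomSourceRole"]["Properties"]
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Principal", {}).get("AWS") == "*":
            findings.append("trust policy allows any AWS principal")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("trust policy has no sts:ExternalId condition")
    for policy in props["Policies"]:
        for stmt in policy["PolicyDocument"]["Statement"]:
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(r in ("*", "arn:aws:s3:::*") for r in resources):
                findings.append(f"statement {stmt.get('Sid')} is not limited to one bucket")
            if any(a in ("*", "s3:*") or a.startswith("s3:Delete") for a in actions):
                findings.append(f"statement {stmt.get('Sid')} grants delete or wildcard S3 actions")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the bucket name and account ID are placeholders, not real resources.
    template = build_role_template("example-security-lake-bucket-us-east-1", "111122223333")
    print(json.dumps(template, indent=2))
    print("audit findings:", audit_role_template(template) or "none")
```

Running the script prints the template and an empty findings list; the printed JSON can be deployed with CloudFormation in place of the YAML file. The ExternalId is not a secret and does not replace the AccountId restriction in the Principal: its job is that the FDR application must present it explicitly, so a party that knows only the role ARN cannot get the role assumed on their behalf.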
In this step, you'll configure and run a script that reads files written to your FDR bucket, transforms them to the OCSF schema, and loads them into Amazon Security Lake.
- Clone the FDR application project from GitHub to your machine
- Place the mapping files you obtained from your account manager into the ./ocsf/mappings directory of your project
- Open falcon_data_replicator.ini in a text editor and provide CrowdStrike FDR and Amazon Security Lake S3 details:
  - Under [Source]:
    - AWS_KEY={{ Replace with value from step 1 }}
    - AWS_SECRET={{ Replace with value from step 1 }}
    - QUEUE_URL={{ Replace with value from step 1 }}
    - REGION_NAME={{ Replace with proper value below }}
      - If your CID is in us-1, then replace with us-west-1
      - If your CID is in us-2, then replace with us-west-2
      - If your CID is in eu-1, then replace with eu-central-1
      - If your CID is in
  - Under [Destination]:
    - TARGET_ACCOUNT_ID={{ Replace with AWS Security Lake account ID }}
    - TARGET_BUCKET={{ Replace with value you received from Amazon Security Lake }}
    - TARGET_REGION={{ Replace with value you received from Amazon Security Lake }}
    - DO_OCSF_CONVERSION=yes
    - OCSF_ROLE_NAME={{ Replace with name of the role created from the CFT in step 2.3. Default is CrowdStrike-AmazonSecurityLake-CustomSourceRole }}
    - OCSF_ROLE_EXTERNAL_ID={{ Replace with value from step 2.3. Default is CrowdStrikeCustomSource }}
  - Under
- Run the application in the same account where your Amazon Security Lake master is configured by issuing the following command: `python falcon_data_replicator.py`
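A pre-flight check for the configuration step above, as an added example that is not part of the FDR application: it parses the [Source] and [Destination] keys listed in the guide with the standard library's configparser, rejects values still carrying a {{ placeholder }}, checks REGION_NAME against the CID region mapping the guide gives, and assembles the sts:AssumeRole parameters the OCSF upload needs, with the role ARN built from TARGET_ACCOUNT_ID and OCSF_ROLE_NAME and the ExternalId from OCSF_ROLE_EXTERNAL_ID. The sample INI is constructed, and the function names, the check list and the role-ARN derivation are this example's assumptions, not the project's code.

```python
"""Validate falcon_data_replicator.ini before the first run.

Added example, not the FDR application's own code. ASSUMPTIONS: the upload
step assumes the role arn:aws:iam::<TARGET_ACCOUNT_ID>:role/<OCSF_ROLE_NAME>
presenting OCSF_ROLE_EXTERNAL_ID, and the only CID regions known here are
the three the guide lists.
"""
import configparser
import re

# CID region label -> AWS region, exactly as the guide maps them (other regions not listed here).
CID_REGION_TO_AWS = {"us-1": "us-west-1", "us-2": "us-west-2", "eu-1": "eu-central-1"}
PLACEHOLDER = re.compile(r"\{\{.*?\}\}")  # matches an unfilled "{{ Replace with ... }}" value

# Constructed sample INI; the key ID, secret and queue URL are placeholders, not real credentials.
SAMPLE_INI = """
[Source]
AWS_KEY = AKIAEXAMPLECLIENTID
AWS_SECRET = example-secret-do-not-commit
QUEUE_URL = https://sqs.us-west-2.amazonaws.com/123456789012/example-fdr-queue
REGION_NAME = us-west-2

[Destination]
TARGET_ACCOUNT_ID = 111122223333
TARGET_BUCKET = example-security-lake-bucket
TARGET_REGION = us-east-1
DO_OCSF_CONVERSION = yes
OCSF_ROLE_NAME = CrowdStrike-AmazonSecurityLake-CustomSourceRole
OCSF_ROLE_EXTERNAL_ID = CrowdStrikeCustomSource
"""


def load_fdr_config(ini_text, cid_region):
    """Parse INI text; raise ValueError listing every problem found, else return a flat dict."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    required = {
        "Source": ["AWS_KEY", "AWS_SECRET", "QUEUE_URL", "REGION_NAME"],
        "Destination": ["TARGET_ACCOUNT_ID", "TARGET_BUCKET", "TARGET_REGION",
                        "DO_OCSF_CONVERSION", "OCSF_ROLE_NAME", "OCSF_ROLE_EXTERNAL_ID"],
    }
    cfg, problems = {}, []
    for section, keys in required.items():
        for key in keys:
            value = parser.get(section, key, fallback="").strip()
            if not value or PLACEHOLDER.search(value):
                problems.append(f"[{section}] {key} is unset or still a template placeholder")
            cfg[key] = value
    expected = CID_REGION_TO_AWS.get(cid_region)
    if expected is None:
        problems.append(f"unknown CID region {cid_region!r}; check the guide's region list")
    elif cfg["REGION_NAME"] != expected:
        problems.append(f"[Source] REGION_NAME should be {expected} for a {cid_region} CID, "
                        f"not {cfg['REGION_NAME']!r}")
    if not re.fullmatch(r"\d{12}", cfg["TARGET_ACCOUNT_ID"]):
        problems.append("[Destination] TARGET_ACCOUNT_ID must be a 12-digit AWS account ID")
    if cfg["DO_OCSF_CONVERSION"].lower() != "yes":
        problems.append("[Destination] DO_OCSF_CONVERSION must be 'yes' to load into Security Lake")
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


def assume_role_params(cfg, session_name="fdr-ocsf-upload"):
    """Keyword arguments for sts.assume_role(): the writer role lives in the Security Lake account."""
    return {
        "RoleArn": f"arn:aws:iam::{cfg['TARGET_ACCOUNT_ID']}:role/{cfg['OCSF_ROLE_NAME']}",
        "RoleSessionName": session_name,
        "ExternalId": cfg["OCSF_ROLE_EXTERNAL_ID"],
    }


if __name__ == "__main__":
    config = load_fdr_config(SAMPLE_INI, cid_region="us-2")
    print("config ok; assume-role call:", assume_role_params(config))
```

The two checks worth keeping even if you drop the rest are the placeholder scan and the ExternalId pairing: a left-over `{{ ... }}` value fails at runtime with an unhelpful credential error, and an OCSF_ROLE_EXTERNAL_ID that differs from the ExternalId given to the template in step 2.3 makes every AssumeRole call fail with AccessDenied.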
To validate that the integration is working, log in to the AWS account where Amazon Security Lake is configured, open the Security Lake console and click Custom sources. You should see several CrowdStrike sources, one for each of the supported OCSF event classes.
The integration guide is an open source project and not a CrowdStrike product. As such, it carries no formal support, express or implied. If you encounter any issues while deploying the integration, you can open an issue on our GitHub repository for bugs, enhancements, or other requests.
Amazon Security Lake is an AWS product. As such, any questions or problems you experience with this service should be handled through a support ticket with AWS Support.