What is Falcon LogScale? #
CrowdStrike Falcon LogScale is a SIEM and log management solution. Falcon LogScale provides an aggregated view of all relevant network security data sources, so you can explore and manage ever-increasing threats and vulnerabilities within one cost-effective platform with an easy and intuitive search language.
Why Should You Use the Falcon LogScale Connector? #
The Falcon LogScale connector provides visibility into the assets managed by Falcon LogScale. You can use this visibility to:
- ensure assets are managed per your security policies
- monitor each endpoint and its status
How Does This Connector Work? #
Lucidum executes read-only requests to the Falcon LogScale API and ingests only metadata about Falcon LogScale devices. Lucidum does not retrieve any data stored on your assets.
Configuring the Connector in Lucidum #
| Field | Description | Example |
|---|---|---|
| URL | URL for the Falcon LogScale API | https://cloud.us.humio.com:443/api/v1/ |
| Repository | Falcon LogScale repository from which to ingest data | lucidum-data |
| API Token | A repository API token. | gAAAAABl1R-MEN70SN79sMZXnfUwz6rg5q8txqkm1fZbgTrCrzIu-vjBVrdOUjg1OJ1iw8lqqK7FZGfUR8M6a0-akluUEbP-Mnp2z-WziCBDdT8bczVQTsw0E8e2qliMMVULXKRdm5bSnxzmEZzIPe_uztAVwrGeFthfAjbk2OE6TQDvQ1PdYFr= |
| Asset Data Query | Query in LQL format that retrieves a list of assets. For details, see: https://library.humio.com/training/queries-tutorial.html | groupBy([ComputerName, FileName], function=collect(DomainName)) |
| Asset Data Mapping | Maps field values from Falcon LogScale to fields in the Lucidum Asset Database. | “Device Name”->Asset_Name |
| User Data Query | Query in LQL format that retrieves a list of users. For details, see: | event_simpleName=UserLogon event_platform=Mac |
| User Data Mapping | Maps field values from Falcon LogScale to fields in the Lucidum User Database. | “user.roles”->Role_Name |
Asset Data Mapping #
Lucidum has populated the Asset Data Mapping field with the most commonly used Lucidum fields. The value on the right side of each mapping is the Lucidum field.
You can map only the Lucidum fields (values to the right of ->) that are already included in the Asset Data Mapping field. Currently, you cannot add new mappings.
To create a mapping:
- Put your cursor in the Asset Data Mapping field.
- Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).
- Enter “Falcon LogScale field name”->Lucidum_Field_Name, where:
  - “Falcon LogScale field name” is a field name used in Falcon LogScale
  - Lucidum_Field_Name is the name of the field in the Lucidum Asset database.
- Press Enter.
- The new mapping appears in the Asset Data Mapping field.
User Data Mapping #
Lucidum has populated the User Data Mapping field with the most commonly used Lucidum fields. The value on the right side of each mapping is the Lucidum field.
You can map only the Lucidum fields (values to the right of ->) that are already included in the User Data Mapping field. Currently, you cannot add new mappings.
To create a mapping:
- Put your cursor in the User Data Mapping field.
- Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).
- Enter “Falcon LogScale field name”->Lucidum_Field_Name, where:
  - “Falcon LogScale field name” is a field name used in Falcon LogScale
  - Lucidum_Field_Name is the name of the field in the Lucidum User database.
- Press Enter.
- The new mapping appears in the User Data Mapping field.
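The configuration table and the two mapping procedures above describe three pieces that a connector like this has to handle: a read-only search request against one repository, an LQL query string, and a list of “source field”->Lucidum_Field lines in which only existing Lucidum targets are allowed. The following Python is an added example, not Lucidum's connector code or CrowdStrike's API client. It assembles the search request without sending it (assuming, because the page does not state it, that LogScale's search endpoint is POST <URL>repositories/<repository>/query with a Bearer token and a JSON body carrying queryString and a relative start time), parses mapping lines with the page's only-existing-targets rule, and applies the parsed mapping to constructed sample rows. The Lucidum field `Domain`, the sample rows and the token placeholder are assumptions made for the example.

```python
import re
from urllib.parse import urljoin

# Values taken from the connector configuration table on this page
BASE_URL = "https://cloud.us.humio.com:443/api/v1/"
REPOSITORY = "lucidum-data"
ASSET_QUERY = "groupBy([ComputerName, FileName], function=collect(DomainName))"
USER_QUERY = "event_simpleName=UserLogon event_platform=Mac"

# One mapping per line: "<LogScale field>"->Lucidum_Field (straight or curly quotes)
MAPPING_RE = re.compile(r'^\s*[“"](?P<src>[^”"]+)[”"]\s*->\s*(?P<dst>[A-Za-z0-9_]+)\s*$')


def build_query_request(base_url, repository, query_string, api_token, start="24h"):
    """Assemble a read-only LogScale search request without sending it.

    Assumption (not stated on the page): the search endpoint is
    POST <URL>repositories/<repository>/query, authenticated with the
    repository API token as a Bearer token, with a JSON body that carries
    queryString and a relative start time such as "24h".
    """
    url = urljoin(base_url, f"repositories/{repository}/query")
    headers = {
        "Authorization": f"Bearer {api_token}",  # token with data read access only
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = {"queryString": query_string, "start": start}
    return url, headers, body


def parse_mapping(text, allowed_targets):
    """Parse the mapping field into {logscale_field: lucidum_field}.

    Enforces the page's rule that only Lucidum fields already present in
    the mapping field (allowed_targets) may appear to the right of ->.
    Malformed lines, unknown targets and duplicate sources are rejected
    rather than silently skipped.
    """
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MAPPING_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected "<source field>"->Target_Field, got {line!r}')
        src, dst = m.group("src"), m.group("dst")
        if dst not in allowed_targets:
            raise ValueError(f"line {lineno}: {dst} is not an existing Lucidum field")
        if src in mapping:
            raise ValueError(f"line {lineno}: {src!r} is mapped twice")
        mapping[src] = dst
    return mapping


def apply_mapping(records, mapping):
    """Translate LogScale result rows into dicts keyed by Lucidum field.

    Unmapped fields in a row are dropped (only metadata the mapping asks
    for is kept); a mapped field missing from a row is left out rather than
    defaulted, so a downstream consumer can tell "absent" from "empty".
    """
    return [{dst: row[src] for src, dst in mapping.items() if src in row} for row in records]


# Constructed sample data, not real output from a LogScale repository.
# "Domain" is a hypothetical Lucidum target used only for this example.
SAMPLE_ASSET_MAPPING = """
“Device Name”->Asset_Name
"DomainName"->Domain
"""
SAMPLE_ASSET_ROWS = [
    {"Device Name": "wks-0042", "DomainName": "corp.example", "FileName": "agent.exe"},
    {"Device Name": "srv-db01", "FileName": "sqlservr.exe"},
]

if __name__ == "__main__":
    url, headers, body = build_query_request(BASE_URL, REPOSITORY, ASSET_QUERY, "<API token placeholder>")
    print(url, body)
    mapping = parse_mapping(SAMPLE_ASSET_MAPPING, allowed_targets={"Asset_Name", "Domain"})
    for asset in apply_mapping(SAMPLE_ASSET_ROWS, mapping):
        print(asset)
```

The functions take the API token as a parameter rather than reading a constant so that it can come from a secret store or environment variable; the token shown in the configuration table is an example value and should be treated like any other repository credential. Keeping the target list explicit in `parse_mapping` is what turns the page's “you cannot add new mappings” rule into a check that fails loudly on a typo in a Lucidum field name instead of producing an asset record with a silently dropped attribute.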
Source Documentation #
Creating a Repository API Token #
https://library.humio.com/falcon-logscale-cloud/security-apitokens-repo-creating.html
Required Permissions #
| Object | Permissions |
|---|---|
| API Token | Data read access |