CrowdStrike Falcon LogScale Actions

Action for CrowdStrike Falcon LogScale

  • Send Data to LogScale. Sends a custom set of Lucidum data to CrowdStrike Falcon LogScale.

Prerequisites

Before you can execute actions on LogScale devices, you must first configure an API connection to LogScale. To do this, see the instructions for creating a LogScale connector in Lucidum: CrowdStrike Falcon LogScale.

Workflows

LogScale Configuration

  • Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

  • URL. The URL of the LogScale console, for example, https://lucidum.ingest.logscale.us-2.crowdstrike.com.

  • API Token. An API token associated with a user account that has read and write access to LogScale. From the LogScale console Settings page, select the API tab to view your API tokens, then generate one and copy it.

  • Max # of Records per Payload. The maximum number of records to send to LogScale in each action. The default value is “100”.

Create or Edit an Action

You can create the following types of Actions for LogScale:

  • Send Data to LogScale. Sends a custom set of Lucidum data to LogScale.

To create an action for LogScale:

  1. In the Create a New Action page, in the General step, enter:

    • Action Type. Select Send Data to LogScale.

    • Configuration Name. Select an action configuration from the pulldown options.

    • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

    • Description. Description of the action.

  2. Click the Next (>) icon.

  3. In the Filters page, click Configure Filters.

  4. The Build a Query page appears.

  5. In the Build a Query page, you define the query for the assets or users that the action will act upon.

  6. Click Next.

  7. In the Build a Current Query page, enter the fields, operators, and values for the query. For existing actions, the query is already loaded in this page.

  8. For details on creating and editing queries in Lucidum, see the section on Building Queries.

    NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Customer Success for help on using historical data without affecting performance.

  9. Click the Apply (page and pencil) icon.

  10. Click the Next (>) icon.

  11. In the Schedule step, enter:

    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

  12. Click the Next (>) icon.

  13. In the Details step, enter the following:

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query in the Filters field, you can select these fields in the Query Results page > Edit Column button.

    • Dedupe Previous Jobs. In this field, you specify whether Lucidum should suppress duplicate asset IDs (if your query is for assets) or user IDs (if your query is for users) that were already sent by previous jobs. You can specify integers between 0 (zero) and the number specified in Settings > Data Settings > Action Result Retention in Days; that setting specifies the number of days that Lucidum stores action results.

      • If you specify “0” (zero), Lucidum includes all the records from the query in each delivery to LogScale.

      • If you specify “1” (one), Lucidum examines the previous payload and excludes records for asset IDs or user IDs that were sent in the delivery to LogScale.

      • If you specify “2” (two), Lucidum examines the last two payloads and excludes records for asset IDs or user IDs that were sent in the previous two deliveries to LogScale.
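The Dedupe Previous Jobs and Max # of Records per Payload settings described above, as an added Python model that is not Lucidum's code: it assumes each previous job's delivery is stored as a list of records keyed by asset_id (or user_id for user queries), and the sample records are constructed.

```python
from typing import Dict, List, Optional

Record = Dict[str, str]
Payload = List[Record]


def plan_delivery(records: List[Record], previous_jobs: List[Payload],
                  dedupe_previous_jobs: int, id_field: str = "asset_id",
                  max_per_payload: int = 100,
                  retention_days: Optional[int] = None) -> List[Payload]:
    """Apply Dedupe Previous Jobs, then split the result into payloads.

    0 -> every record from the query is delivered.
    N -> records whose ID was sent in any of the last N jobs are dropped
         (an N larger than the stored history simply uses all of it).
    max_per_payload mirrors the Max # of Records per Payload setting.
    retention_days, if given, is the Action Result Retention in Days upper bound.
    """
    if dedupe_previous_jobs < 0:
        raise ValueError("Dedupe Previous Jobs must be 0 or a positive integer")
    if retention_days is not None and dedupe_previous_jobs > retention_days:
        raise ValueError("Dedupe Previous Jobs cannot exceed the retention period")
    if dedupe_previous_jobs == 0:
        kept = list(records)  # [-0:] would mean "all history", so 0 is special-cased
    else:
        window = previous_jobs[-dedupe_previous_jobs:]
        already_sent = {rec[id_field] for job in window for rec in job}
        kept = [rec for rec in records if rec[id_field] not in already_sent]
    return [kept[i:i + max_per_payload] for i in range(0, len(kept), max_per_payload)]


# Constructed sample data, not real Lucidum output: the current Filters query results
QUERY_RESULTS: List[Record] = [
    {"asset_id": "srv-01", "hostname": "web-1", "risk": "high"},
    {"asset_id": "srv-02", "hostname": "web-2", "risk": "medium"},
    {"asset_id": "srv-03", "hostname": "db-1", "risk": "high"},
    {"asset_id": "srv-04", "hostname": "vpn-1", "risk": "low"},
]
# Constructed history: what the two most recent jobs delivered, oldest first
PREVIOUS_JOBS: List[Payload] = [
    [{"asset_id": "srv-04", "hostname": "vpn-1", "risk": "low"}],   # two jobs ago
    [{"asset_id": "srv-01", "hostname": "web-1", "risk": "high"}],  # previous job
]

if __name__ == "__main__":
    for setting in (0, 1, 2):
        payloads = plan_delivery(QUERY_RESULTS, PREVIOUS_JOBS, setting, max_per_payload=3)
        ids = [[r["asset_id"] for r in p] for p in payloads]
        print(f"Dedupe Previous Jobs = {setting}: {ids}")
```

With a payload cap of 3, setting 0 yields two payloads (three records plus one), setting 1 drops srv-01, and setting 2 drops both srv-01 and srv-04.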