...

Log Type | Ingestion label | Preferred Logging Protocol - Format | Log Collection Method | Data Source
CrowdStrike Falcon | CS_EDR (Data Replicator) | API Pull Cloud Storage - JSON | C2C - Storage | https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs
CrowdStrike Detection Monitoring | CS_DETECTS (EDR Detections) | API Pull - JSON | C2C | https://cloud.google.com/chronicle/docs/reference/feed-management-api#cs-detects

...

To set up a Data Replicator ingestion feed using Amazon S3, configure the following properties (Property / Default Value / Description):

Region (Default Value: N/A)
  The S3 region associated with the URI. Select the region of your S3 bucket.

S3 URI (Default Value: N/A)
  The S3 bucket source URI to ingest. It is a combination of the S3 bucket name and prefix, for example S3://<S3 bucket name>/<prefix>.

URI is a (Default Value: N/A)
  The type of object indicated by the URI. Valid values are:
  • FILES: The URI points to a single file, which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.

Source deletion option (Default Value: N/A)
  Whether to delete source files and/or directories after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Access key id (Default Value: N/A)
  An account access key that is a 20-character alphanumeric string, for example AKIAOSFOODNN7EXAMPLE.

Secret access key (Default Value: N/A)
  An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

Oauth client ID (Default Value: N/A)
  A public, client-specific OAuth identifier.

Oauth client secret (Default Value: N/A)
  OAuth 2.0 client secret.

Oauth secret refresh URI (Default Value: N/A)
  OAuth 2.0 client secret refresh URI.

Asset namespace (Default Value: N/A)
  The namespace the feed will be associated with.

To set up a Data Replicator ingestion feed using Amazon SQS, configure the following properties (Property / Default Value / Description):

Region (Default Value: N/A)
  The S3 region associated with the URI. Select the region of your S3 bucket.

Queue name (Default Value: N/A)
  The SQS queue name to read from.

Account number (Default Value: N/A)
  The SQS account number for the SQS queue and S3 bucket.

Source deletion option (Default Value: N/A)
  Whether to delete source files and/or directories after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Queue access key ID (Default Value: N/A)
  An account access key that is a 20-character alphanumeric string, for example AKIAOSFOODNN7EXAMPLE. This is the ID associated with your Amazon IAM account.

Queue secret access key (Default Value: N/A)
  An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. This is the access key associated with your Amazon IAM account.

Asset namespace (Default Value: N/A)
  The namespace that the feed will be associated with.

Detections (Property / Default Value / Description):

OAuth token endpoint (Default Value: N/A)
  Authentication URL (Base URL followed by /oauth2/token).

OAuth client ID (Default Value: N/A)
  OAuth client ID.

OAuth client secret (Default Value: N/A)
  OAuth client secret.

Base URL (Default Value: api.crowdstrike.com)
  API endpoint URL, api.crowdstrike.com.

...