IBM Security QRadar

  • 1.  Crowdstrike Falcon Data Replicator via SQS Queue/AWS API

    Posted Sat March 23, 2024 11:51 AM

    Morning all,

    I hope you're doing well!

    We've had some... "fun times", should we say, trying to ingest Crowdstrike FDR into our platform, and unfortunately still are without luck. According to support, the logs are coming in, but QRadar is failing to extract the logs from the txt.gz file that it pulls from the SQS queue (this is recommended by AWS, CS, and IBM at this point). 

    Has anyone else had any issues with Crowdstrike, or for that matter ANY AWS SQS queues not being able to be extracted, parsed, or visible via Log Activity? 

    Kind Regards,

    Charlie



    ------------------------------
    Charlie Kemp
    ------------------------------


  • 2.  RE: Crowdstrike Falcon Data Replicator via SQS Queue/AWS API

    Posted Mon March 25, 2024 08:48 AM

    Hi Charlie,

    About a month ago the CrowdStrike FDR DSM was released for QRadar: https://www.ibm.com/docs/en/dsm?topic=configuration-crowdstrike-falcon-data-replicator

    It works via the AWS S3 REST API. Have you tried it?

    Kind regards,



    ------------------------------
    Maksym Tykhenko
    ------------------------------