There is a way to make a change to the parser to make alerts show up
again as alerts. We turned them off as first-order objects because
people were getting swamped with device alerts plus corresponding rule
alerts. Often you can write rules referenci...
Aigh - yes. I had CS on my mind from a separate post. Minus the S3
bucket (though it's not outlandish to imagine someone having that data
in an S3 bucket), the answers still apply.
If your Crowdstrike package includes AWS S3 storage of the events, you
can establish a cloud-to-cloud transfer between that S3 bucket and
Chronicle, bypassing the need for a GCS bucket. Other options include
using an ingestion key with a log manageme...
CS_EDR is the data coming out of Crowdstrike Falcon Data Replicator;
it's a massive firehose of raw telemetry as well as alerts. CS_DETECTS
is part of the CS managed service where they are monitoring your
endpoints and flagging findings. CS_STREAM is...
Yes, you should be able to do that. There are two ways to get to
Reference Lists in Chronicle following the recent UI switch: in UDM
Search (look for lists) or the Rules Editor (look at the bottom left and
you should see an Open button, which will al...