Hi everyone,

I've been struggling to find a way to collect Crowdstrike Identity Protection logs in Google Chronicle.
Does anyone have any advice for this matter?

Thank you in advance.

There is a CS_IDP log type now, but with no default parser:
https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers#without-default-parser

For collecting the events, they are available via the new Crowdstrike Alerts API but Google SecOps does not have a native integration to that new API yet, which will support regular Falcon alerts plus IDP alerts.


Hello, thanks for your response.
So would that be possible if I create a custom script to ingest these logs?


Hi, just checking if you ever got CrowdStrike's IDP alerts into Chronicle?


Hello Brian,

I still haven't done it, but I found a way to do it (it worked for FileVantage).
So basically I used a Python module called FalconPy to fetch the logs from CrowdStrike's Alerts API. You only need to add the permission to read IDP alerts when you create the API credentials.
So the Python script I wrote uses FalconPy to collect the logs and writes them to a text file that is monitored by the Chronicle Forwarder.
Here is FalconPy's documentation for IDP:

https://docs.falconpy.io/Service-Collections/Identity-Protection.html
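
The collector described above (FalconPy pulls alerts from the Alerts API, the script appends them to a text file the Chronicle Forwarder watches), written out as an added example; this is not the poster's script or FalconPy's own code. Assumptions that are not in the thread: the `Alerts` service-class method names `query_alerts_v2` / `get_alerts_v2`, the FQL fields `product` and `updated_timestamp`, the page size, and the environment-variable names for the credentials. The fake client and its two alerts are constructed so the module runs offline; the real client is only built when `make_client()` is called.

```python
"""Added example: collect CrowdStrike IDP alerts with FalconPy and append
them as newline-delimited JSON for the Chronicle Forwarder to tail.
Method names, FQL field names and PAGE_SIZE are assumptions taken from
the FalconPy docs as known to the editor, not from this thread."""
import json
import os
import tempfile

try:
    from falconpy import Alerts          # real client, used only via make_client()
except ImportError:                      # offline / verifier run
    Alerts = None

PAGE_SIZE = 500                          # assumed query_alerts_v2 page limit


def make_client():
    """Build the real client from environment variables; never hardcode secrets."""
    if Alerts is None:
        raise RuntimeError("pip install crowdstrike-falconpy")
    return Alerts(client_id=os.environ["FALCON_CLIENT_ID"],
                  client_secret=os.environ["FALCON_CLIENT_SECRET"])


def idp_filter(since_iso):
    """FQL restricting the query to IDP alerts updated after the checkpoint."""
    return f"product:'idp'+updated_timestamp:>'{since_iso}'"


def fetch_idp_alerts(client, since_iso):
    """Page through matching alert IDs, then hydrate each page to full records."""
    alerts, offset = [], 0
    while True:
        q = client.query_alerts_v2(filter=idp_filter(since_iso),
                                   sort="updated_timestamp.asc",
                                   limit=PAGE_SIZE, offset=offset)
        if q["status_code"] != 200:
            raise RuntimeError(f"query failed: {q['body'].get('errors')}")
        ids = q["body"].get("resources", [])
        if not ids:
            break
        d = client.get_alerts_v2(composite_ids=ids)
        if d["status_code"] != 200:
            raise RuntimeError(f"get failed: {d['body'].get('errors')}")
        alerts.extend(d["body"].get("resources", []))
        offset += len(ids)
        if offset >= q["body"]["meta"]["pagination"]["total"]:
            break
    return alerts


def append_ndjson(alerts, path, seen_ids):
    """Append one compact JSON object per line; skip IDs already written."""
    written = 0
    with open(path, "a", encoding="utf-8") as fh:
        for a in alerts:
            cid = a.get("composite_id")
            if cid in seen_ids:
                continue
            seen_ids.add(cid)
            fh.write(json.dumps(a, separators=(",", ":")) + "\n")
            written += 1
    return written


def run_once(client, out_path, state):
    """One collection cycle: fetch, dedupe, write, advance the checkpoint."""
    alerts = fetch_idp_alerts(client, state["since"])
    written = append_ndjson(alerts, out_path, state["seen"])
    if alerts:
        state["since"] = max(a["updated_timestamp"] for a in alerts)
    return written


class FakeAlertsClient:
    """Constructed stand-in for falconpy.Alerts holding two canned IDP alerts."""
    def __init__(self):
        self.alerts = [
            {"composite_id": "cid-0001:ind:aaaa", "product": "idp",
             "display_name": "constructed: suspicious password reset",
             "updated_timestamp": "2024-05-01T10:00:00Z"},
            {"composite_id": "cid-0001:ind:bbbb", "product": "idp",
             "display_name": "constructed: unusual LDAP enumeration",
             "updated_timestamp": "2024-05-01T11:00:00Z"},
        ]

    def query_alerts_v2(self, filter, sort, limit, offset):
        since = filter.split(">'")[1].rstrip("'")     # honour the checkpoint
        ids = [a["composite_id"] for a in self.alerts if a["updated_timestamp"] > since]
        return {"status_code": 200,
                "body": {"resources": ids[offset:offset + limit],
                         "meta": {"pagination": {"total": len(ids)}}}}

    def get_alerts_v2(self, composite_ids):
        return {"status_code": 200,
                "body": {"resources": [a for a in self.alerts
                                       if a["composite_id"] in composite_ids]}}


def demo():
    """Two cycles against the fake client; returns counts, checkpoint and lines."""
    path = os.path.join(tempfile.mkdtemp(), "cs_idp.log")
    state = {"since": "2024-01-01T00:00:00Z", "seen": set()}
    client = FakeAlertsClient()
    first = run_once(client, path, state)
    second = run_once(client, path, state)   # nothing new: checkpoint has moved
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return first, second, state["since"], lines


if __name__ == "__main__":
    print(demo())
```

The two things worth copying from this shape are the checkpoint on `updated_timestamp` plus the seen-ID set (so a cron or Cloud Function re-run does not re-ingest the same alerts into Chronicle) and the one-object-per-line output, which is what a file-based forwarder input expects. Persist `state` somewhere durable (a file next to the log, or a bucket object) between runs; the in-memory dict here is only for the demo.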


Support for the new CrowdStrike alerts API is on our short term roadmap.


Hi, thanks Adam, do you have a timeframe, please?


Update: I deployed the script on my server and it's working fine. Alerts are being collected.
Also, you can deploy the script as a Cloud Function on GCP. That way you'll be able to store the secrets (client ID and client secret).


Hey Adam, just curious if you had a timeframe on native IDP Integration, please?


A further update, finally fiddled around with this a bit more. Not 100% sure on the history here, but it looks like CS moved IDP and other types of alerts from CS Detection Monitoring (detects/queries/detects) to the CS Alerts API (alerts/queries/detects) in 2023. I don't see any mention of "Crowdstrike Alerts API" in the Chronicle change log (https://cloud.google.com/chronicle/docs/release-notes), however I do see the CS_ALERTS parser being updated in 2024 and 2025...

In any event, if you go into Feeds, Third Party API, CrowdStrike Alerts API, that feed type brings in IDP Alerts.

The Base URL, OAuth endpoint, and API Client/Secret are all in the Falcon Console under Support and Resources > API Keys > Create API client (that's scoped to "Alerts").

I feel like this might have been around for a while, but -- better late than never, aye?!

None of this is intuitive, but -- seems to work!  

Good luck living the Crowdstrike/Chronicle dream!
