Skip to main content
Solved

Query on Sending Data to Multiple Destinations

  • July 18, 2024
  • 5 replies
  • 30 views
Aravind3
Forum|alt.badge.img+8

Hi All,

I have a question: Is it possible to send data from a single source to two different locations? For example, I have a CrowdStrike source and I want to send logs to Chronicle while also saving them in an S3 bucket, or alternatively, send them to another location via Kinesis. Is this possible?

Thank you in advance.
Aravind S

Best answer by AbdElHafez

Hi @aki_ja-7 ,
Thank you for the revert.
Is it possible to send logs one path to chronicle and other path to another location via Kinesis.
I was wonder the one stream won't know right whether the other path exist or not right?

Thanks,
Aravind 


Hi @Aravind3 
I think it could be easier to do so if you have Data Firehose, There is no direct Chronicle SIEM ingestion from Kinesis, but with Data Firehose you could define multiple destinations and it is supported by Chronicle SIEM, but this could be more costly.

Is it possible to use Falcon Data Replicator to send an S3 Bucket A, then use native S3 Bucket replication instead to replicate the same data to another S3 Bucket B but let Chronicle ingest from only one of them ? Or can you use the Replicator to send data to an S3 Bucket but ingest the logs from Chronicle SIEM via the API ?

References:
https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html
https://cloud.google.com/chronicle/docs/administration/feed-management-overview

Thanks,
Hafez

aki_ja-7

5 replies

ionutm
Staff
Forum|alt.badge.img+5
  • ionutm
  • Staff
  • July 19, 2024

The BindPlane agent (Collector  agent) is capable of doing this: https://cloud.google.com/chronicle/docs/ingestion/use-bindplane-agent 

https://observiq.com/docs/getting-started/quickstart-guide

There is still working in progress and documentation to be provided for how this would really work.

aki_ja-7
aki_ja-7
Forum|alt.badge.img
  • aki_ja-7Bronze 1
  • Bronze 1
  • July 21, 2024

Yes, it is possible to send data from a single source to multiple destinations. For your specific case with CrowdStrike, you can achieve this by setting up data pipelines that route the logs to both Chronicle and an S3 bucket, or to another location via Kinesis.

Steps to Achieve This

  1. CrowdStrike to Chronicle:

  2. CrowdStrike to S3 Bucket:

    • Set up a data pipeline using a service like AWS Lambda or AWS Glue to transfer logs from CrowdStrike to an S3 bucket.

  3. CrowdStrike to Kinesis:

    • Configure a data stream in AWS Kinesis to receive logs from CrowdStrike and then process or store them as needed.

Example Workflow

  1. CrowdStrike Logs: Collect logs using the Falcon Data Replicator.
  2. Data Pipeline:
    • To Chronicle: Directly send logs to Chronicle for advanced analytics.
    • To S3: Use AWS Lambda to trigger on new logs and save them to an S3 bucket.
    • To Kinesis: Stream logs to Kinesis for real-time processing and further routing.

By setting up these pipelines, you can ensure that your logs are sent to multiple destinations efficiently.

N
Aravind3
Forum|alt.badge.img+8
  • Aravind3Bronze 2
  • Author
  • Bronze 2
  • July 22, 2024

Yes, it is possible to send data from a single source to multiple destinations. For your specific case with CrowdStrike, you can achieve this by setting up data pipelines that route the logs to both Chronicle and an S3 bucket, or to another location via Kinesis.

Steps to Achieve This

  1. CrowdStrike to Chronicle:

  2. CrowdStrike to S3 Bucket:

    • Set up a data pipeline using a service like AWS Lambda or AWS Glue to transfer logs from CrowdStrike to an S3 bucket.

  3. CrowdStrike to Kinesis:

    • Configure a data stream in AWS Kinesis to receive logs from CrowdStrike and then process or store them as needed.

Example Workflow

  1. CrowdStrike Logs: Collect logs using the Falcon Data Replicator.
  2. Data Pipeline:
    • To Chronicle: Directly send logs to Chronicle for advanced analytics.
    • To S3: Use AWS Lambda to trigger on new logs and save them to an S3 bucket.
    • To Kinesis: Stream logs to Kinesis for real-time processing and further routing.

By setting up these pipelines, you can ensure that your logs are sent to multiple destinations efficiently.


Hi @aki_ja-7 ,
Thank you for the revert.
Is it possible to send logs one path to chronicle and other path to another location via Kinesis.
I was wonder the one stream won't know right whether the other path exist or not right?

Thanks,
Aravind 

AbdElHafez
Staff
Forum|alt.badge.img+12
  • AbdElHafez
  • Staff
  • Answer
  • July 25, 2024

Hi @aki_ja-7 ,
Thank you for the revert.
Is it possible to send logs one path to chronicle and other path to another location via Kinesis.
I was wonder the one stream won't know right whether the other path exist or not right?

Thanks,
Aravind 


Hi @Aravind3 
I think it could be easier to do so if you have Data Firehose, There is no direct Chronicle SIEM ingestion from Kinesis, but with Data Firehose you could define multiple destinations and it is supported by Chronicle SIEM, but this could be more costly.

Is it possible to use Falcon Data Replicator to send an S3 Bucket A, then use native S3 Bucket replication instead to replicate the same data to another S3 Bucket B but let Chronicle ingest from only one of them ? Or can you use the Replicator to send data to an S3 Bucket but ingest the logs from Chronicle SIEM via the API ?

References:
https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html
https://cloud.google.com/chronicle/docs/administration/feed-management-overview

Thanks,
Hafez

dnehoda
Staff
Forum|alt.badge.img+16
  • dnehoda
  • Staff
  • August 1, 2024

This is great!  A lot of good suggestions here! 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.