CrowdStrike Falcon LogScale

What is Falcon LogScale?

Falcon LogScale is a SIEM and log management platform. It provides an aggregated view of all relevant network security data sources, so you can explore and manage ever-increasing threats and vulnerabilities within one cost-effective platform using an easy, intuitive search language.

Why Should You Use the Falcon LogScale Connector?

The Falcon LogScale connector provides visibility into the assets managed by Falcon LogScale. You can use this visibility to:

  • ensure assets are managed per your security policies

  • monitor each endpoint and its status

How Does This Connector Work?

Lucidum executes read-only requests to the Falcon LogScale API and ingests only metadata about Falcon LogScale devices. It runs the LQL queries you configure against the repository you configure, so what leaves LogScale is bounded by those queries and by the permissions of the API token. Lucidum does not retrieve any data stored on your assets.

Configuring the Connector in Lucidum

Each field in the connector configuration, with its description and an example value:

Field: URL
Description: URL for the Falcon LogScale API.
Example: https://cloud.us.humio.com:443/api/v1/

Field: Repository
Description: Falcon LogScale repository from which to ingest data.
Example: lucidum-data

Field: API Token
Description: A repository API token (see Creating a Repository API Token under Source Documentation). Treat it as a secret: it grants read access to every event in that repository.
Example: gAAAAABl1R-MEN70SN79sMZXnfUwz6rg5q8txqkm1fZbgTrCrzIu-vjBVrdOUjg1OJ1iw8lqqK7FZGfUR8M6a0-akluUEbP-Mnp2z-WziCBDdT8bczVQTsw0E8e2qliMMVULXKRdm5bSnxzmEZzIPe_uztAVwrGeFthfAjbk2OE6TQDvQ1PdYFr=

Field: Asset Data Query
Description: Query in LQL format that retrieves a list of assets. For details, see https://library.humio.com/training/queries-tutorial.html
Example: groupBy([ComputerName, FileName], function=collect(DomainName))

Field: Asset Data Mapping
Description: Maps field values from Falcon LogScale to fields in the Lucidum Asset Database.
Example: “Device Name”->Asset_Name

Field: User Data Query
Description: Query in LQL format that retrieves a list of users. For details, see https://library.humio.com/training/queries-tutorial.html
Example: event_simpleName=UserLogon event_platform=Mac

Field: User Data Mapping
Description: Maps field values from Falcon LogScale to fields in the Lucidum User Database.
Example: “user.roles”->Role_Name

Asset Data Mapping

Lucidum has populated the Asset Data Mapping field with the most commonly used Lucidum fields. The value on the right side of each mapping (after ->) is the Lucidum field. You can map only the Lucidum fields that are already included in the Asset Data Mapping field; currently, you cannot add new Lucidum fields.

To change a mapping:

  1. Put your cursor in the Asset Data Mapping field.

  2. Note the name of the Lucidum field you want to map, then delete its existing mapping (garbage can icon).

  3. Enter

    “Falcon LogScale field name”->Lucidum_Field_Name

    where:

    • “Falcon LogScale field name” is a field name used in Falcon LogScale, including the quotes

    • Lucidum_Field_Name is the name of the field in the Lucidum Asset database (the name you noted in step 2).

  4. Press Enter.

  5. The new mapping appears in the Asset Data Mapping field.

User Data Mapping

Lucidum has populated the User Data Mapping field with the most commonly used Lucidum fields. The value on the right side of each mapping (after ->) is the Lucidum field. You can map only the Lucidum fields that are already included in the User Data Mapping field; currently, you cannot add new Lucidum fields.

To change a mapping:

  1. Put your cursor in the User Data Mapping field.

  2. Note the name of the Lucidum field you want to map, then delete its existing mapping (garbage can icon).

  3. Enter

    “Falcon LogScale field name”->Lucidum_Field_Name

    where:

    • “Falcon LogScale field name” is a field name used in Falcon LogScale, including the quotes

    • Lucidum_Field_Name is the name of the field in the Lucidum User database (the name you noted in step 2).

  4. Press Enter.

  5. The new mapping appears in the User Data Mapping field.
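The following Python script is added here as an illustration; it is not Lucidum's connector code and not part of any CrowdStrike SDK. It works through the three pieces the configuration table and the two mapping procedures above describe: parsing mapping lines written in the “Falcon LogScale field name”->Lucidum_Field_Name syntax, building the request that runs one of the LQL queries against the configured repository with a repository API token, and projecting the returned rows onto Lucidum field names. The endpoint path /repositories/<repo>/query, the JSON body shape and the bearer-token header are assumptions about the LogScale search API, not something this page states; the sample result rows are constructed. No request is actually sent.

```python
"""Added example, not Lucidum's or CrowdStrike's code: parse Lucidum-style field
mappings, build a LogScale query request, and apply the mappings to result rows.
Everything runs offline on constructed sample data."""
import json
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# One mapping per line, exactly as the Asset/User Data Mapping fields show it.
# Straight and curly quotes are both accepted because the page renders curly ones.
MAPPING_RE = re.compile(r'^\s*["“”](?P<src>[^"“”]+)["“”]\s*->\s*(?P<dst>[A-Za-z0-9_]+)\s*$')


def parse_mappings(lines: Iterable[str]) -> Dict[str, str]:
    """Return {logscale_field: lucidum_field}. A malformed line is an error, not a silent skip."""
    mappings: Dict[str, str] = {}
    for line in lines:
        if not line.strip():
            continue
        m = MAPPING_RE.match(line)
        if m is None:
            raise ValueError(f"malformed mapping line: {line!r}")
        mappings[m.group("src")] = m.group("dst")
    return mappings


def build_query_request(base_url: str, repository: str, token: str,
                        query: str, start: str = "24h") -> dict:
    """Describe the request that runs `query` against `repository`.

    Assumption (not from the page): the LogScale search API accepts
    POST <base>/repositories/<repo>/query with a JSON body {queryString, start, end}
    and a bearer token in the Authorization header.
    """
    if urlsplit(base_url).scheme != "https":
        # The token is a bearer credential; never let it travel over plaintext.
        raise ValueError("LogScale URL must use https")
    url = f"{base_url.rstrip('/')}/repositories/{repository}/query"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = {"queryString": query, "start": start, "end": "now"}
    return {"method": "POST", "url": url, "headers": headers, "body": json.dumps(body)}


def redact(request: dict) -> dict:
    """Copy of a request that is safe to log: the bearer token is replaced."""
    safe = {**request, "headers": dict(request["headers"])}
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Bearer ***"
    return safe


def apply_mapping(rows: Iterable[dict], mapping: Dict[str, str]) -> List[dict]:
    """Project result rows onto Lucidum field names.

    Fields without a mapping are dropped; a row that has none of the mapped source
    fields is dropped too, so no asset is recorded without an identity.
    """
    out: List[dict] = []
    for row in rows:
        mapped = {dst: row[src] for src, dst in mapping.items() if src in row}
        if mapped:
            out.append(mapped)
    return out


# Constructed sample rows in the shape the page's asset query
# groupBy([ComputerName, FileName], function=collect(DomainName)) would return.
SAMPLE_ASSET_ROWS = [
    {"ComputerName": "WS-0142", "FileName": "svchost.exe", "DomainName": "CORP"},
    {"ComputerName": "WS-0143", "FileName": "explorer.exe", "DomainName": "CORP"},
    {"FileName": "unknown.exe", "DomainName": "CORP"},   # no host name: nothing to map
]
# Asset_Name is a Lucidum field the page itself names.
ASSET_MAPPING_LINES = ["“ComputerName”->Asset_Name"]


if __name__ == "__main__":
    req = build_query_request(
        "https://cloud.us.humio.com:443/api/v1/", "lucidum-data", "example-token",
        "groupBy([ComputerName, FileName], function=collect(DomainName))")
    print(json.dumps(redact(req), indent=2))
    print(apply_mapping(SAMPLE_ASSET_ROWS, parse_mappings(ASSET_MAPPING_LINES)))
```

Running it prints the request with the token redacted and the mapped asset rows. The https check refuses a plaintext URL so the token cannot be sent in the clear, and a mapping line without quotes around the LogScale field name is rejected rather than silently ignored, which is the failure you want to see at configuration time rather than as an empty asset list later.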

Source Documentation

Creating a Repository API Token

https://library.humio.com/falcon-logscale-cloud/security-apitokens-repo-creating.html

Required Permissions

Object: API Token
Permissions: Data read access

Because the connector only reads, the token needs no ingest, write or administrative permissions. Create a dedicated repository API token for Lucidum on the repository named in the connector configuration, so it can be rotated or revoked without affecting other integrations.

API Documentation

https://library.humio.com/
