
Context Management Administration Guide


Prerequisites to Automatically Populate a CrowdStrike Context Table

Before data can automatically populate a CrowdStrike context table in the Context Management service, you must ensure that the following prerequisites are met:

Note

If you plan to enter data into the CrowdStrike context table manually or via CSV, these prerequisites are not required.

  • You have completed one of the following requirements, depending on how you plan to ingest CrowdStrike data:

    • Via the Exabeam Ingester for CrowdStrike – Make sure that your Exabeam license includes the Exabeam Ingester for CrowdStrike add-on. It ingests data directly from your CrowdStrike source and makes it available for processing in a Context Management table. This add-on is available for all Exabeam licenses. For more information about add-on licenses, see Add Ons in the Exabeam Security Operations Platform Guide.

    • Via a Cloud Collector – If you do not have the ingester add-on as part of your license, you can create a CrowdStrike Context cloud collector in the Cloud Collector service. It ingests data from your CrowdStrike source and makes it available for processing in a Context Management table. For information about creating a new cloud collector, follow the steps in the CrowdStrike Context Cloud Collector section of the Cloud Collector Administrative Guide.

      Note

      Early Access Program

      Onboarding a CrowdStrike context table via a cloud collector is a part of an early access program that offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide.

  • If you opt to ingest CrowdStrike data via the Exabeam Ingester, ensure that in your CrowdStrike Store, you have configured Exabeam Analytics for CrowdStrike.

  • If you opt to ingest CrowdStrike data via a cloud collector and want the full enrichment effect of your CrowdStrike data, you must also configure the appropriate enrichment rules in Log Stream as follows:

    • Copy the configuration file contents found on the following page and save them as a .conf file: Enrichment Rules for CrowdStrike

    • Open the Log Stream application and import the saved .conf file as follows:

      • In Log Stream, click the Enrichments tab at the top of the page.

      • In the middle of the Enrichments page, click the Import button. The Import Enricher dialog box opens.

      • Click Select File and then find and select the saved .conf file.

      • Click Import Enricher. When asked if you want to enable the custom enrichers, click OK. The .conf file is imported into Log Stream and the following new enrichment rules are listed as custom rules:

        • CrowdStrike asset ID to Source Host Lookup

        • CrowdStrikeNetwork Connection Assets in

        • CrowdStrikeNetwork Connection Assets Out

        • CrowdStrike asset ID to User Lookup

  • If you want to leverage CrowdStrike data enrichments in Log Stream, but you have an Exabeam license other than the New-Scale Analytics license, you must sign up for the Log Stream Enrichments early access program. To sign up for this program, email the following Exabeam group to request access: [email protected]. For more information about working with enrichment rules, see Enrichments in the Log Stream Guide.
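To make concrete what the asset-ID lookup enrichment rules above accomplish once the context table is populated (whether automatically, manually, or via CSV), here is an added illustrative model. It is not Exabeam's own code or the contents of the enricher .conf file: the context table is a constructed CSV with hypothetical column names (asset_id, hostname, last_user, os), the events and field names (aid, src_host, user) are constructed samples, and the only behaviour shown is the join on asset ID with unknown IDs left un-enriched rather than guessed.

```python
"""Illustrative model of a CrowdStrike asset-ID lookup enrichment.

Added example, not Exabeam's code: a context table maps CrowdStrike asset IDs
to a hostname and last logged-on user; an enrichment joins each event on that
ID and adds resolved host and user fields. Column and field names are
assumptions chosen for illustration.
"""
import csv
import io
from typing import Dict, List

# Constructed sample context table (hypothetical columns).
CONTEXT_CSV = """\
asset_id,hostname,last_user,os
abc123,WS-FINANCE-01,jdoe,Windows 11
def456,SRV-DB-02,svc_sql,Windows Server 2022
,ORPHAN-ROW,nobody,Linux
"""

# Constructed sample events carrying only the asset id ("aid" is an assumed field name).
SAMPLE_EVENTS: List[dict] = [
    {"event_type": "NetworkConnectIP4", "aid": "abc123", "dst_ip": "10.0.0.5"},
    {"event_type": "ProcessRollup2", "aid": "def456", "cmdline": "sqlservr.exe"},
    {"event_type": "NetworkConnectIP4", "aid": "zzz999", "dst_ip": "10.0.0.9"},  # unknown asset
]


def load_context_table(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the CSV context table into a lookup keyed by asset_id.

    Rows with an empty asset_id are skipped so that events lacking an id can
    never accidentally match a blank key.
    """
    table: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row.get("asset_id") or "").strip()
        if not key:
            continue
        table[key] = row
    return table


def enrich_event(event: dict, table: Dict[str, Dict[str, str]]) -> dict:
    """Return a copy of the event with host and user fields added when the id is known.

    The original event is not mutated; an unknown asset id is recorded
    explicitly instead of being filled with a guess.
    """
    enriched = dict(event)
    ctx = table.get((event.get("aid") or "").strip())
    if ctx is None:
        enriched["enrichment_status"] = "asset_id_not_found"
        return enriched
    enriched["src_host"] = ctx["hostname"]   # "asset ID to Source Host" lookup
    enriched["user"] = ctx["last_user"]      # "asset ID to User" lookup
    enriched["enrichment_status"] = "enriched"
    return enriched


def enrich_all(events: List[dict], csv_text: str = CONTEXT_CSV) -> List[dict]:
    """Load the context table once and enrich every event against it."""
    table = load_context_table(csv_text)
    return [enrich_event(e, table) for e in events]


if __name__ == "__main__":
    for e in enrich_all(SAMPLE_EVENTS):
        print(e)
```

The status field makes it easy to spot how many events are arriving with asset IDs absent from the context table, which is the first thing to check when enrichment appears to be "not working" after the ingester or cloud collector is configured.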