
Context Management Administration Guide


Prerequisites to Automatically Populate a CrowdStrike Context Table

Before data can automatically populate a CrowdStrike context table in the Context Management service, you must ensure that the following prerequisites are met:

Note

If you plan to enter data into the CrowdStrike context table manually or via CSV, these prerequisites are not required.

  • You have completed one of the following requirements, depending on how you plan to ingest CrowdStrike data:

    • Via the Exabeam Ingester for CrowdStrike – Make sure that you have both the New-Scale Analytics Exabeam license and the Ingester for CrowdStrike add-on. Data will be ingested directly from your CrowdStrike source and will be available for processing in a Context Management table. For more information about add-on licenses, see Add Ons in the Exabeam Security Operations Platform Guide.

    • Via a Cloud Collector – If you do not have the ingester add-on as part of your license, you can create a CrowdStrike Context cloud collector in the Cloud Collector service. It ingests data from your CrowdStrike source and makes it available for processing in a Context Management table. For information about creating a new cloud collector, follow the steps in the CrowdStrike Context Cloud Collector section of the Cloud Collector Administrative Guide.

      Note

      If you want to use the cloud collector option to ingest CrowdStrike data, the collector must be created before the context table. If you previously onboarded a CrowdStrike context table and you want to integrate with the cloud collector, you must delete the context table and recreate it after the CrowdStrike cloud collector is created and running.

  • If you opt to ingest CrowdStrike data via the Exabeam Ingester, ensure that in your CrowdStrike Store, you have configured Exabeam Analytics for CrowdStrike.

  • If you opt to ingest CrowdStrike data via a cloud collector, and you want the full enrichment effect of your CrowdStrike data (asset IDs resolved to hosts and users, and network connection peers resolved to assets), you must also configure the corresponding enrichment rules in Log Stream as follows:

    Note

    The Enrichments tab in Log Stream is available with the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, and New-Scale Analytics.

    • Copy the configuration file contents from the Enrichment Rules for CrowdStrike page and save them as a .conf file.

    • Open the Log Stream application and import the saved .conf file as follows:

      • In Log Stream, click the Enrichments tab at the top of the page.

      • In the middle of the Enrichments page, click the Import button. The Import Enricher dialog box opens.

      • Click Select File and then find and select the saved .conf file.

      • Click Import Enricher. When asked if you want to enable the custom enrichers, click OK. The .conf file is imported into Log Stream and the following new enrichment rules are listed as custom rules:

        • CrowdStrike asset ID to Source Host Lookup

        • CrowdStrikeNetwork Connection Assets In

        • CrowdStrikeNetwork Connection Assets Out

        • CrowdStrike asset ID to User Lookup
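To make concrete what the four rules above do once they are imported, here is an added example of context-table enrichment written for this page. It is not Exabeam's Log Stream enricher and it is not the contents of the Enrichment Rules for CrowdStrike .conf file. The event field names (aid, LocalAddressIP4, RemoteAddressIP4, ConnectionDirection, event_simpleName), the direction convention (0 = outbound, 1 = inbound), and every row and event below are constructed assumptions. The example shows the two lookups the rule names describe: asset ID to source host and user, and resolving the remote side of a network connection to a known asset for inbound and outbound traffic. It also shows the behaviour a practitioner needs from any enricher: an asset that is not yet in the context table leaves the enriched fields absent instead of dropping or failing the event.

```python
from typing import Dict, List, Optional

ContextRow = Dict[str, str]

# Constructed context table rows, keyed by CrowdStrike agent/asset ID (aid).
# In the product these rows come from the ingester or the CrowdStrike Context cloud collector.
CONTEXT_TABLE: Dict[str, ContextRow] = {
    "a1b2c3d4e5f6": {"hostname": "WS-0142", "last_user": "alice", "local_ip": "10.0.5.17"},
    "0f9e8d7c6b5a": {"hostname": "SRV-DB01", "last_user": "svc_db", "local_ip": "10.0.9.40"},
}

# Constructed sample events. Field names are assumptions loosely modelled on CrowdStrike telemetry.
SAMPLE_EVENTS: List[dict] = [
    # Outbound connection from WS-0142 to SRV-DB01 (both assets known).
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1b2c3d4e5f6",
     "LocalAddressIP4": "10.0.5.17", "RemoteAddressIP4": "10.0.9.40", "ConnectionDirection": 0},
    # Inbound connection to SRV-DB01 from an address that is not a known asset.
    {"event_simpleName": "NetworkConnectIP4", "aid": "0f9e8d7c6b5a",
     "LocalAddressIP4": "10.0.9.40", "RemoteAddressIP4": "203.0.113.8", "ConnectionDirection": 1},
    # Process event from an agent that has not been synced into the context table yet.
    {"event_simpleName": "ProcessRollup2", "aid": "ffffffffffff", "ImageFileName": "cmd.exe"},
]


def ip_index(table: Dict[str, ContextRow]) -> Dict[str, str]:
    """Reverse index local IP -> hostname, used for the 'Network Connection Assets' style lookups."""
    return {row["local_ip"]: row["hostname"] for row in table.values()}


def enrich_event(event: dict, table: Dict[str, ContextRow],
                 by_ip: Optional[Dict[str, str]] = None) -> dict:
    """Return a copy of `event` with src_host, dest_host and user filled from the context table.

    A miss in the table leaves the field absent: enrichment must never discard telemetry
    merely because the asset has not been populated yet.
    """
    enriched = dict(event)
    row = table.get(event.get("aid", ""))
    if row is not None:
        enriched["src_host"] = row["hostname"]   # asset ID -> Source Host lookup
        enriched["user"] = row["last_user"]      # asset ID -> User lookup
    if event.get("event_simpleName") != "NetworkConnectIP4":
        return enriched

    by_ip = by_ip if by_ip is not None else ip_index(table)
    peer = by_ip.get(event.get("RemoteAddressIP4", ""))
    direction = event.get("ConnectionDirection")   # assumed convention: 0 = outbound, 1 = inbound
    if direction == 1:
        # Inbound: the remote side initiated, so the agent's own host is the destination and
        # the remote peer becomes the source host only if it resolves to a known asset.
        if "src_host" in enriched:
            enriched["dest_host"] = enriched.pop("src_host")
        if peer is not None:
            enriched["src_host"] = peer
    elif direction == 0 and peer is not None:
        # Outbound: the agent's host is already the source; the remote peer is the destination.
        enriched["dest_host"] = peer
    return enriched


def enrich_all(events: List[dict], table: Dict[str, ContextRow]) -> List[dict]:
    """Enrich a batch of events, building the IP index once."""
    idx = ip_index(table)
    return [enrich_event(e, table, idx) for e in events]


if __name__ == "__main__":
    for e in enrich_all(SAMPLE_EVENTS, CONTEXT_TABLE):
        print(e)
```

The ordering prerequisite in the notes above matters for exactly this reason: if the context table is empty because the collector was created after the table, every lookup misses and events pass through without src_host, dest_host or user, silently and without error.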