Query announces the CrowdStrike Falcon LogScale (formerly known as Humio) Connector.

CrowdStrike Falcon LogScale – also known as LogScale Cloud, and formerly Humio – is a CrowdStrike-managed log storage platform that handles the end-to-end tasks of ingesting, storing, querying, and visualizing log data. The various ingested data sources are organized into one or more Repositories which can either be built using a specific schema from a specific source or can co-mingle multiple different schemas and data sources. LogScale makes it easy to organize EDR telemetry from CrowdStrike Falcon and Falcon Data Replicator (FDR), as well as several other log sources, either manually via the various Ingest mechanisms or using third-party tools such as Cribl Stream.

Query’s entire data model is built around the Open Cybersecurity Schema Framework (OCSF) and is named the Query Data Model (QDM). Every search intent is expressed with OCSF/QDM concepts: Entities/Observables represent facts and indicators, whereas Event Classes represent things that have happened and are normalized against network, application, file system, identity, and 1st party security findings.

Query integrates with CrowdStrike Falcon LogScale by providing a full-featured 1:1 query translation, query planning, and parallelized query execution engine on top of the native LogScale Search APIs. After providing the instance URL, API Token, and Repository you can model nearly any data point within your Repositories against the OCSF/QDM schema. Query will handle translation into the Falcon Query Language (FQL) – formerly known as Liquid Query Language (LQL) – based on your search intent, handle the entire query lifecycle, and return results to you in a normalized and standardized schema. The benefits are:

  • Cheaper and faster searches: cross-Repository searches are avoided, and only the Repositories that hold the details you want are searched.
  • Your analysts no longer need to become experts in FQL and can instead focus on triage, escalations, and remediation.
  • Only the data required for analysis, investigations, incident response, or otherwise is retrieved.

For more information, refer to our documentation here.