Today, Query is announcing Query Open Pipeline (QOP) and making it available as an open source tool. QOP will initially support CrowdStrike Falcon Data Replicator (FDR). QOP is an AWS native data mobility solution. It enables ETL of CrowdStrike Falcon Data Replicator data into the Amazon Security Lake, which provides automatic partitioning, format conversion, and mapping into the latest GA version of OCSF, version 1.2.0. QOP supports streaming and “replay” of CrowdStrike FDR raw data into the Amazon Security Lake.

Using Amazon Web Services (AWS) Cloud native services spanning analytics, application integration, serverless compute, and storage, QOP handles batching and the extraction, transformation, and loading (ETL) of raw CrowdStrike FDR data into normalized and standardized OCSF, and makes it available to the Amazon Security Lake.

QOP allows users to search their data with Amazon Athena, visualize it with Amazon QuickSight, or use Query atop the Amazon Security Lake to assist incident response analysts, investigators, and threat hunters where EDR telemetry is helpful.

QOP is a collaborative, community effort. As a community project, we hope that current consumers of CrowdStrike FDR and/or the Amazon Security Lake find this solution beneficial.

Additionally, given the wide breadth of FDR data that come from different operating systems, CrowdStrike licensing tiers, and capture operations, we currently cover only about 120 of the nearly 1000 FDR events. We will accept pull requests to improve normalization, to expand mapped events, and to share mappings.

To access the scripts and contribute to the community conversation, please go to GitHub: https://github.com/query-ai/query_open_pipeline_for_crowdstrike_falcon_data_replicator.