The CrowdStrike Pack
CrowdStrike is a class-leading endpoint monitoring solution. It collects a wealth of activity data from each managed endpoint that can be fairly voluminous. This includes network connectivity, DNS request, process activity, health checks, and the list goes on. In fact, there are over 400 event types reported by CrowdStrike! These events are a gold mine for threat hunters and blue teams looking for unusual or malicious activity. It can be extremely costly to place all this data in a SIEM. Cribl offers a much more cost-effective solution by giving you the choice to send a full-fidelity copy of these logs to a cheap object storage data lake, and the SIEM-worthy events to a SIEM.
The Cribl Pack for CrowdStrike addresses the common challenges of processing all this data. The end result is asset level enrichment (e.g. Computername from aid field) & 40-95% reduction in data volumes sent to a SIEM. The reduction isn't just a matter of dropping unwanted events, but a combination of:
- aggregating network events removing DNS requests mapping to top 100K popular websites
- dropping unwanted events based on event_simpleName field value
- removing unwanted fields
- removing null fields
- removing duplicate fields
- sampling noisy 'External API' events
Check out https://packs.cribl.io to download the Pack.
## Follow Cribl
LinkedIn: https://www.linkedin.com/company/cribl/
Twitter: https://www.twitter.com/cribl_io
Sign up for a Cribl.Cloud account: https://cribl.cloud/signup/
Learn more about Cribl: https://cribl.io