CrowdStrike Falcon LogScale
Forward database audit events to CrowdStrike Falcon LogScale for real-time streaming analytics. Correlate database activity with endpoint telemetry for comprehensive threat detection.
Real-Time Streaming
Sub-second log ingestion with LogScale's streaming architecture for immediate threat visibility.
Endpoint Correlation
Correlate database events with Falcon endpoint data for full attack chain visibility.
Falcon Fusion
Trigger automated responses via Falcon Fusion workflows on database security events.
Configuration Reference
1. Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "crowdstrike-prod") |
| provider | select | Yes | crowdstrike | SIEM provider - select "CrowdStrike Falcon LogScale" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| ingest_url | string | Yes | - | LogScale ingest API endpoint (e.g., "https://cloud.community.humio.com/api/v1/ingest/json") |
| ingest_token | password | Yes | - | LogScale ingest token for your repository |
2. LogScale-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| repository | string | No | - | Target LogScale repository name (configured via token) |
| parser | string | No | dbaudit | LogScale parser to use for events |
| tags | object | No | - | Additional tags to add to events (e.g., {"env": "production"}) |
| compress | boolean | No | true | Enable gzip compression for API requests |
3. Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4. Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
Create Ingest Token
Create an ingest token in your LogScale repository for DB Audit to send events.
# Create ingest token in LogScale:
# 1. Navigate to your LogScale repository
# 2. Go to Settings → Ingest tokens
# 3. Click "Add token"
# 4. Name it "dbaudit-ingest"
# 5. Optionally assign a parser
# 6. Copy the generated token
# Token format:
# abc123def456...
# The ingest URL depends on your LogScale instance:
# - Community Cloud: https://cloud.community.humio.com
# - US Cloud: https://cloud.us.humio.com
# - EU Cloud: https://cloud.humio.com
# - Self-hosted: https://your-logscale-instance.com
Create Parser (Optional)
Create a custom parser to extract fields from DB Audit events.
// Custom LogScale parser for DB Audit events
// Repository Settings → Parsers → New Parser
parseJson()
// XXX accepts the literal "Z" suffix used in DB Audit timestamps (and offsets such as +00:00);
// the pattern letter Z on its own only matches numeric offsets like +0000
| @timestamp := parseTimestamp(field=timestamp, format="yyyy-MM-dd'T'HH:mm:ss.SSSXXX")
| event_type := event_type
| severity := severity
| database := source.database
| db_type := source.db_type
| user := actor.user
| client_ip := actor.client_ip
| action_type := action.type
| object := action.object
| rows_affected := action.rows_affected
| contains_pii := classification.contains_pii
Tip: Assign the parser to your ingest token for automatic field extraction on ingest.
Test Ingest Endpoint
Verify the ingest token and endpoint are working correctly.
# Test LogScale ingest endpoint
curl -X POST "https://cloud.community.humio.com/api/v1/ingest/json" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_INGEST_TOKEN" \
-d '[{
"tags": {"source": "dbaudit"},
"events": [{"timestamp": "2024-01-15T10:30:45.123Z", "message": "test event"}]
}]'
# Expected response: empty on success (HTTP 200)
Configure in DB Audit
Add the CrowdStrike Falcon LogScale integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select CrowdStrike Falcon LogScale as the provider
- Enter your LogScale ingest URL and token
- Configure optional tags for your events
- Select event types to forward
- Test the connection and save
Create Alerts (Optional)
Set up LogScale alerts to detect suspicious database activity.
// LogScale Alert - Suspicious Data Access
// Alerts → New Alert
Name: Suspicious Database Data Exfiltration
Description: Detects queries returning large amounts of potentially sensitive data
Query:
#type=dbaudit
| action_type=SELECT
| rows_affected > 10000
| contains_pii=true
Trigger: When results > 0
Throttle: 5 minutes
Actions: Slack, Email, or Falcon Fusion workflow
Event Format
Events are sent to LogScale in JSON format with nested structure for easy querying.
{
"timestamp": "2024-01-15T10:30:45.123Z",
"event_type": "audit_event",
"severity": "warning",
"source": {
"database": "production-postgres",
"db_type": "postgresql",
"host": "db.example.com"
},
"actor": {
"user": "app_user",
"client_ip": "10.0.1.50",
"application": "backend-api"
},
"action": {
"type": "SELECT",
"object": "customers",
"schema": "public",
"statement": "SELECT * FROM customers WHERE...",
"rows_affected": 1500
},
"classification": {
"contains_pii": true,
"data_types": ["email", "phone"]
}
}
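The following is an added example, not DB Audit's or CrowdStrike's own code. It shows how the Event Filtering and Batching & Reliability settings from the reference above act on events in this nested format before they are wrapped in the ingest envelope used by the curl test (tags plus a list of events). It assumes the event JSON is carried in the envelope's `rawstring` field so the parseJson() parser above can extract the nested fields, and that gzip compression is signalled with a `Content-Encoding: gzip` header; the sample events are constructed.

```python
import gzip
import json
# Constructed sample events in the nested DB Audit format shown above (not real data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-15T10:30:45.123Z", "event_type": "audit_event", "severity": "warning",
     "source": {"database": "production-postgres", "db_type": "postgresql"},
     "actor": {"user": "app_user", "client_ip": "10.0.1.50"},
     "action": {"type": "SELECT", "object": "customers", "rows_affected": 1500},
     "classification": {"contains_pii": True}},
    {"timestamp": "2024-01-15T10:31:02.000Z", "event_type": "alert", "severity": "critical",
     "source": {"database": "production-postgres", "db_type": "postgresql"},
     "actor": {"user": "app_user", "client_ip": "10.0.1.50"},
     "action": {"type": "SELECT", "object": "customers", "rows_affected": 25000},
     "classification": {"contains_pii": True}},
    {"timestamp": "2024-01-15T10:32:10.500Z", "event_type": "audit_event", "severity": "info",
     "source": {"database": "staging-mysql", "db_type": "mysql"},
     "actor": {"user": "deploy", "client_ip": "10.0.2.7"},
     "action": {"type": "UPDATE", "object": "orders", "rows_affected": 3},
     "classification": {"contains_pii": False}},
]

def should_forward(ev, event_types="all", severity_filter="all", database_filter=()):
    """Event Filtering settings: "all" (or an empty database_filter) means no restriction."""
    if event_types != "all" and ev["event_type"] not in event_types:
        return False
    if severity_filter != "all" and ev["severity"] not in severity_filter:
        return False
    return not database_filter or ev["source"]["database"] in database_filter

def build_batches(events, tags, batch_size=100, **filters):
    """Split filtered events into ingest envelopes of at most batch_size (1-1000) events.
    Envelope shape follows the curl test; event JSON goes in `rawstring` (assumption)."""
    size = max(1, min(batch_size, 1000))
    kept = [e for e in events if should_forward(e, **filters)]
    return [[{"tags": tags, "events": [
        {"timestamp": e["timestamp"], "rawstring": json.dumps(e, separators=(",", ":"))}
        for e in kept[i:i + size]]}] for i in range(0, len(kept), size)]

def encode_request(batch, token, compress=True):
    """Headers and body for one POST; gzip body + Content-Encoding when compress is on."""
    body = json.dumps(batch).encode()
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    if compress:
        body, headers["Content-Encoding"] = gzip.compress(body), "gzip"
    return headers, body

if __name__ == "__main__":
    batches = build_batches(SAMPLE_EVENTS, {"source": "dbaudit"}, batch_size=2, severity_filter=["critical", "warning"])
    print([len(b[0]["events"]) for b in batches], len(encode_request(batches[0], "YOUR_INGEST_TOKEN")[1]))
```

Each envelope returned by build_batches is one request body; send it with the headers from encode_request to the ingest_url, and on a 429 back off before retrying up to retry_attempts times.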
Sample LogScale Queries
Use these queries to analyze DB Audit events in LogScale.
// Query all DB Audit events
#type=dbaudit
// Filter by severity
#type=dbaudit severity=critical
// Find large data access patterns
#type=dbaudit action_type=SELECT
| rows_affected > 10000
| groupBy([user, database])
// User activity over time
#type=dbaudit
| timechart(user, function=count)
// Failed authentication attempts
#type=dbaudit event_type=auth_failure
| groupBy(client_ip, function=count)
| sort(_count, order=desc)
// PII access monitoring
#type=dbaudit contains_pii=true
| groupBy([user, database], function=count)
| sort(_count, order=desc)
// Correlation with endpoint events
#type=dbaudit OR #type=ProcessRollup2
| client_ip=*
| groupBy(client_ip)
Troubleshooting
Authentication failed (401/403)
Verify the ingest token is correct and hasn't been revoked. Check that the token has write permissions to the repository.
Events not appearing in LogScale
Check the ingest URL matches your LogScale instance. Verify network connectivity and firewall rules allow outbound HTTPS.
Parser errors
Check the Events page for parsing errors. Ensure the parser syntax matches the event JSON structure.
Rate limiting errors (429)
Reduce batch_size or increase flush_interval_seconds. Contact CrowdStrike if you need higher ingest limits.