Crowdstrike FDR
The Crowdstrike FDR source consumes S3 event notifications for object creation events (s3:ObjectCreated:*)
and emits the S3 object as the string body of a log record. This source is similar to the generic
S3 Event source. It expects SQS notifications sent from
the Crowdstrike FDR platform.
Supported Platforms
| Platform | Supported |
|---|---|
| Linux | ✓ |
| Windows | ✓ |
| macOS | ✓ |
| Kubernetes Gateway | ✓ |
Available in the Bindplane Distro for OpenTelemetry Collector v1.76.4+.
Prerequisites
- An AWS account with access to S3 and SQS.
- An SQS queue configured to receive S3 event notifications.
- You have followed your Crowdstrike FDR documentation for configuring replication to S3.
- Configure an S3 bucket to send event notifications to an SQS queue for object creation events.
- Configure your S3 event notifications with
BatchSize: 1to ensure each SQS message contains only one S3 event. - This setting is crucial because if an object cannot be accessed (e.g., 404 error), the entire SQS message is preserved for retry.
- If a message contains multiple objects and one fails, all objects will be reprocessed on retry, causing unnecessary duplication.
- Configure your S3 event notifications with
- Ensure the collector has permission to read and delete messages from the SQS queue.
- Ensure the collector has permission to read objects from the S3 bucket.
How It Works
- The receiver polls an SQS queue for S3 event notifications.
- When an object creation event (
s3:ObjectCreated:*) is received, the receiver downloads the S3 object. - The receiver reads the object into the body of a new log record.
- Non-object creation events are ignored but removed from the queue.
- If an S3 object is not found (404 error), the corresponding SQS message is preserved for retry later.
Configuration Fields
| Field | Type | Default | Required | Description |
|---|---|---|---|---|
| sqs_queue_url | string | true | The URL of the SQS queue to poll for S3 event notifications. | |
| standard_poll_interval | duration | 15 | false | The interval (in seconds) at which the SQS queue is polled for messages. |
| max_poll_interval | duration | 2 | false | The maximum interval (in seconds) at which the SQS queue is polled for messages. |
| polling_backoff_factor | float | 2 | false | The factor by which the polling interval is multiplied after an unsuccessful poll. |
| workers | int | 5 | false | The number of workers to process events. |
| visibility_timeout | duration | 300 | false | How long (in seconds) messages received from the queue will be invisible to other consumers. |