Consider this situation: A man talks on the phone with a known bank robber. He then rents a building next to a bank. Next, he buys duct tape and ski masks. Any one of these actions could be a red flag alerting police to a potential robbery. But together, they tell a more complete story of a crime in the making. Similarly, in cybersecurity, any single suspicious activity is worth investigating.
CrowdStrike Falcon OverWatch™ threat hunters frequently uncover security testing activity in the course of routine hunting. While much of this activity can be confidently attributed to planned and sanctioned testing, OverWatch is always careful not to discount a threat on the basis that it looks like a test. Some of the more stealthy adversaries will attempt to evade detection by mimicking or using tools and techniques commonly used by security testers.
For this how-to guide, we’ll walk through how to use the CrowdStrike Falcon LogScale Log Collector to collect and send log events to your CrowdStrike Falcon® LogScale repository. Although the log shipper supports several types of log sources (see the list here), we’ll cover the use case of collecting log events from journald.
CrowdStrike Falcon® LogScale, formerly known as Humio, provides a full range of dashboarding and live query capabilities out of the box. Sometimes, however, you’ll work in an environment where there are other solutions alongside LogScale. For example, let’s say your operations team takes an observability approach that includes metrics scraped by Prometheus, tracing with Jaeger, and dashboard visualizations with Grafana.
