FLTR Setup and Configuration - CrowdStrike/logscale-community-content GitHub Wiki
Summary
This article walks through configuration of your Falcon LTR instance, aka FLTR. These steps only take a few minutes to complete! The instructions are verbose to ensure everything is explained completely. This assumes your FLTR instance has already been provisioned.
Prerequisites
Org owner permissions
You must be logged in as the organizational owner, or have been promoted to the organizational owner role. This can be determined by clicking on the user icon in the upper-right corner and looking for the text "Organization Owner".
Change interactions role
Depending on the LogScale version, you may need to add the "Change interactions" option to your role.
- Click on the profile icon in the top-right corner, followed by "Organization settings".
- Click on "Roles" on the left side, followed by "Admin" for the role, and then "Edit role" on the bottom right.
- Check "Change interactions" followed by "Save changes".
Repositories and views
There are two data management concepts within LogScale: repositories and views. A repository contains the actual data, while a view is a view into one or more repositories. You can think of a view as a namespace that contains its own dashboards, queries, alerts, etc. without having a direct impact on the repo. The recommended practice is to operate in views instead of directly in the repository.
In the case of FLTR, a repository of your Falcon telemetry data will already be created. This repo name is generally $customerName-fdr, $customerName-fltr, or just $customerName. This will vary depending on the name that was requested during provisioning. You do not need to do anything in this repository, apart from a quick config change outlined below. Instead, we'll be creating a view and linking it to that repository. All work will be done in that view.
Setup and configuration
Change the user permissions on the repo
These steps walk you through setting the organizational owner as the admin for the FLTR repository.
- Click on the FLTR repo that was created during provisioning, e.g. "fdr-samplecustomer".
- Click on "Settings", then "Permissions", then "+ Add".
- On the new window that pops up, select your username from the list, then click "Next" at the bottom. On the permissions screen, select the "Admin" role followed by "Confirm".
- Finally, click on the Falcon logo in the top-left corner. This will take you back to the "Repositories and views" tab.
Create and configure the view
These are the steps for creating a view of the FLTR data. Users should be operating in the view, not the repo. You can also create multiple views into the same repo, e.g. different teams with different content.
- Click on "+ Add New" on the "Repositories and views" tab.
- Click on "View" when prompted to choose a View or Repository.
- Complete the view details. You can use whatever name and description you'd like. At the bottom under "repository", select the repository name for your Falcon telemetry data, e.g. customerName. Keep the "Event filter" as "*" to include all of the data. Click "+ Create View" when you're finished.
- You will now be in the view. The view name should be displayed in the upper-left corner of the page.
Install the crowdstrike/fltr-core package
These steps walk you through installing the crowdstrike/fltr-core package into a view. The package is the "core content" for FLTR.
- Click on "Marketplace" under the "Settings" tab. You should already be in the view "Settings" tab from the steps above. This will display a list of available packages.
- Scroll down to the crowdstrike/fltr-core package in the Marketplace list, click on the package, and then "Install package" in the upper-right. This will bring up a window showing the package contents. Click "Install" at the bottom. The package has now been installed.
- Select "Run on behalf of organization" for the query model, and then click the "Install" button.
Jumpstart the fdr_aidmaster.csv file creation
:warning: IMPORTANT :warning:
Failure to follow these steps will result in a temporary error about aid_master.csv not being found. The file is generated every 3 hours, and generation does not start immediately when the package is first installed. The steps below allow you to jumpstart that process. Please ensure you follow the last step, which involves changing the schedule back to the default settings.
- Click on the "Alerts" tab at the top, followed by "Scheduled searches" on the left side. Then click on "FLTR aidmaster Generation" to edit the search.
- In this step, we'll temporarily change the file generation schedule to create the lookup file. Change the value to "* * * * *" under "Search schedule (cron expression)" near the bottom, and click "Save scheduled search".
- Click on "All scheduled searches" near the top. This will take you back to the scheduled search list. At this point you'll be waiting 1-2 minutes for the file to generate. Hit refresh after about a minute. The file has been generated once you see "Last triggered: X seconds ago" in the UI.
- You'll need to change the scheduled search back to its original schedule. Click on the "Alerts" tab at the top, followed by "Scheduled searches" on the left side. Then click on "FLTR aidmaster Generation" to edit the search. Change the "Search schedule (cron expression)" back to "H */3 * * *" and click "Save scheduled search".
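The two cron expressions above differ by a factor of 180 in how often the scheduled search runs, which is why the last step matters: an every-minute lookup-file generation left in place keeps consuming query capacity. The following is an added example, not part of this wiki page or of the fltr-core package: a small checker for 5-field cron expressions that counts how many times per day a schedule fires and labels the jumpstart and default values so you can verify the restore. It assumes the "H" token stands for one fixed, hashed slot inside the field's range (the exact hashing LogScale uses is not described here), and it does not model "H" combined with a step.

```python
# Added example (not from the FLTR wiki or the crowdstrike/fltr-core package).
# Expands the minute and hour fields of a 5-field cron expression and counts
# firings per day, to confirm the "FLTR aidmaster Generation" scheduled search
# was switched back from the every-minute jumpstart value to the 3-hour default.
# Assumption: "H" is treated as a single hashed value within the field's range,
# derived here from a caller-supplied seed.

JUMPSTART_SCHEDULE = "* * * * *"   # temporary value from the steps above
DEFAULT_SCHEDULE = "H */3 * * *"   # default the search must be restored to

# (low, high) bounds per field: minute, hour, day-of-month, month, day-of-week
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(field: str, low: int, high: int, h_seed: int = 0) -> set[int]:
    """Return the set of integer values one cron field matches.

    Supports '*', 'H', single values, ranges 'a-b', steps 'x/n' and comma lists.
    Raises ValueError for malformed tokens or values outside the field's bounds.
    """
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            if not step_text.isdigit() or int(step_text) < 1:
                raise ValueError(f"bad step in {field!r}")
            step = int(step_text)
        if part == "H":
            if step != 1:
                raise ValueError("'H' with a step is not modelled in this example")
            # Hashed value: one deterministic slot within the field (assumption).
            values.add(low + h_seed % (high - low + 1))
            continue
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            if not (a.isdigit() and b.isdigit()):
                raise ValueError(f"bad range in {field!r}")
            start, end = int(a), int(b)
        elif part.isdigit():
            start = end = int(part)
        else:
            raise ValueError(f"unrecognised token {part!r} in {field!r}")
        if start < low or end > high or start > end:
            raise ValueError(f"{part!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def runs_per_day(expr: str, h_seed: int = 0) -> int:
    """Count firings on a day that matches the day/month/weekday fields.

    All five fields are validated; only minute and hour determine the count.
    """
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {expr!r}")
    expanded = [expand_field(f, lo, hi, h_seed)
                for f, (lo, hi) in zip(fields, FIELD_BOUNDS)]
    minutes, hours = expanded[0], expanded[1]
    return len(minutes) * len(hours)


def classify_schedule(expr: str) -> str:
    """Label a scheduled-search cron expression for a post-setup check."""
    per_day = runs_per_day(expr)  # also validates the expression
    if expr.split() == JUMPSTART_SCHEDULE.split():
        return "jumpstart (every minute) - restore the default"
    if expr.split() == DEFAULT_SCHEDULE.split():
        return "default (every 3 hours)"
    return f"custom ({per_day} runs/day)"


if __name__ == "__main__":
    for expr in (JUMPSTART_SCHEDULE, DEFAULT_SCHEDULE, "0 */6 * * *"):
        print(f"{expr:12} -> {runs_per_day(expr):5d} runs/day, {classify_schedule(expr)}")
```

Running it shows 1440 runs/day for the jumpstart value against 8 for the default; paste the expression you see in the "Search schedule (cron expression)" field into classify_schedule to confirm the restore took effect.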
Summary
All done! This will give you access to all of the queries and dashboards for the crowdstrike/fltr-core package.
Additional packages
These additional packages can be installed in the same view depending on your needs and requirements:
- crowdstrike/fltr-identityprotection: prebuilt queries and dashboards for CrowdStrike Identity Protection. You'll need an existing subscription for CrowdStrike Identity Protection.
- crowdstrike/fltr-lolbins: queries based on "8 LOLBins Every Threat Hunter Should Know" by CrowdStrike Falcon OverWatch Elite.
- crowdstrike/fltr-tutorial: this package contains a dashboard-based tutorial for using FLTR. Each dashboard teaches a specific lesson to help you get the most out of FLTR.