Panther has the ability to fetch CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator.

CrowdStrike customers need to have the Falcon Data Replicator enabled before setting up this integration.

Create a new CrowdStrike source in Panther

  1. Log in to your Panther account

  2. Go to Log analysis > Sources from the sidebar menu

  3. Click Add Source

  4. Select CrowdStrike from the list of available types

  5. In the form that appears, fill in the following fields:

    1. Name: A friendly name for the source, e.g. CrowdStrike logs

    2. SQS Url: The URL of the CrowdStrike-managed SQS queue that is provided to you by CrowdStrike.

    3. AWS Access Key, AWS Access Secret: The AWS access key and secret provided to you by CrowdStrike. Panther uses these keys to receive notifications from the SQS queue and to download the CrowdStrike log files from the CrowdStrike-managed S3 bucket.

  6. Click on Next and then Save Source.

  7. You are done! You can now start writing detections and exploring your CrowdStrike data.
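Before pasting the queue URL and keys into the form, it is worth confirming that they really grant what step 5 describes: reading notifications from the SQS queue and fetching the referenced objects from the S3 bucket, and nothing more. The script below is an added example, not Panther's or CrowdStrike's own code. It assumes that each FDR notification is a JSON body carrying a `bucket` name and a `files` list whose entries have a `path` (the sample message is constructed, with placeholder identifiers), that the queue URL has the standard `https://sqs.<region>.amazonaws.com/...` shape, and that `boto3` is available for the optional live check.

```python
"""Preflight check for CrowdStrike FDR credentials before wiring them into Panther.

Added example (not Panther's or CrowdStrike's code). The notification shape
and the field names are assumptions; the sample below is constructed.
"""
import json

# Constructed sample of one FDR SQS notification body; identifiers are placeholders.
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "EXAMPLE-CID",
    "timestamp": 1700000000000,
    "fileCount": 2,
    "totalSize": 2048,
    "bucket": "example-fdr-bucket",
    "pathPrefix": "data/EXAMPLE-CID/2023-11-14",
    "files": [
        {"path": "data/EXAMPLE-CID/2023-11-14/part-00000.gz", "size": 1024, "checksum": "placeholder"},
        {"path": "data/EXAMPLE-CID/2023-11-14/part-00001.gz", "size": 1024, "checksum": "placeholder"},
    ],
})

# The only IAM actions the integration should need from the FDR keys.
REQUIRED_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject")


def region_from_queue_url(sqs_url):
    """Extract the AWS region from a standard SQS queue URL, e.g.
    https://sqs.us-west-1.amazonaws.com/123456789012/example-queue -> us-west-1."""
    host = sqs_url.split("//", 1)[-1].split("/", 1)[0]
    parts = host.split(".")
    if len(parts) < 3 or parts[0] != "sqs":
        raise ValueError("not a standard SQS queue URL")
    return parts[1]


def parse_notification(body):
    """Return (bucket, [object keys]) from one FDR notification body.

    Raises ValueError for anything that is not a well-formed notification, so a
    mis-pasted queue URL pointing at some unrelated queue is caught instead of
    silently yielding no log files.
    """
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("message body is not JSON") from exc
    bucket = msg.get("bucket")
    files = msg.get("files")
    if not isinstance(bucket, str) or not isinstance(files, list):
        raise ValueError("message is missing 'bucket' or 'files'")
    keys = [f["path"] for f in files if isinstance(f, dict) and "path" in f]
    if msg.get("fileCount") is not None and msg["fileCount"] != len(keys):
        raise ValueError("fileCount does not match the number of file entries")
    return bucket, keys


def preflight(sqs_url, access_key, secret_key):
    """Live check (needs boto3 and network; not exercised offline).

    Receives one message without taking it off the queue, then reads the first
    referenced object's metadata. Returns a dict of required action -> True if
    it worked, None if it could not be exercised; access failures raise.
    """
    import boto3  # imported lazily so the parsing helpers stay dependency-free

    session = boto3.Session(aws_access_key_id=access_key,
                            aws_secret_access_key=secret_key,
                            region_name=region_from_queue_url(sqs_url))
    sqs = session.client("sqs")
    s3 = session.client("s3")
    result = {action: None for action in REQUIRED_ACTIONS}
    # VisibilityTimeout=0 hands the message straight back to the queue, so this
    # check never steals a notification from the Panther consumer.
    resp = sqs.receive_message(QueueUrl=sqs_url, MaxNumberOfMessages=1,
                               VisibilityTimeout=0, WaitTimeSeconds=5)
    result["sqs:ReceiveMessage"] = True
    messages = resp.get("Messages", [])
    if not messages:
        return result  # empty queue: S3 access cannot be exercised yet
    bucket, keys = parse_notification(messages[0]["Body"])
    if keys:
        s3.head_object(Bucket=bucket, Key=keys[0])  # HeadObject needs s3:GetObject
        result["s3:GetObject"] = True
    # sqs:DeleteMessage is deliberately left untested so nothing is consumed.
    return result
```

Run `preflight(sqs_url, access_key, secret_key)` once from a workstation; an `AccessDenied` on the receive or the head call means the keys are not the ones CrowdStrike issued for the FDR feed (or the queue URL is wrong), which is easier to diagnose here than from a source that simply never receives data in Panther.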