Crowdstrike FDR

The Crowdstrike FDR source consumes S3 event notifications for object creation events (s3:ObjectCreated:*) and emits the S3 object as the string body of a log record. This source is similar to the generic S3 Event source. It expects SQS notifications sent from the Crowdstrike FDR platform.

Supported Platforms

Available in the Bindplane Distro for OpenTelemetry Collector v1.76.4+.

Prerequisites

• An AWS account with access to S3 and SQS.

• An SQS queue configured to receive S3 event notifications.

• You have followed your Crowdstrike FDR documentation for configuring replication to S3.

1. Configure an S3 bucket to send event notifications to an SQS queue for object creation events.

   • Configure your S3 event notifications with BatchSize: 1 to ensure each SQS message contains only one S3 event.

   • This setting is crucial because if an object cannot be accessed (e.g., 404 error), the entire SQS message is preserved for retry.

   • If a message contains multiple objects and one fails, all objects will be reprocessed on retry, causing unnecessary duplication.

2. Ensure the collector has permission to read and delete messages from the SQS queue.

3. Ensure the collector has permission to read objects from the S3 bucket.

How It Works

1. The receiver polls an SQS queue for S3 event notifications.

2. When an object creation event (s3:ObjectCreated:*) is received, the receiver downloads the S3 object.

3. The receiver reads the object into the body of a new log record.

4. Non-object creation events are ignored but removed from the queue.

5. If an S3 object is not found (404 error), the corresponding SQS message is preserved for retry later.

Configuration Fields