# Crowdstrike FDR

The Crowdstrike FDR source consumes S3 event notifications for object creation events (`s3:ObjectCreated:*`) and emits the S3 object as the string body of a log record. This source is similar to the generic [S3 Event source](/integrations/sources/aws-s3-event.md). It expects SQS notifications sent from the Crowdstrike FDR platform.

### Supported Platforms

| Platform           | Supported |
| ------------------ | --------- |
| Linux              | ✓         |
| Windows            | ✓         |
| macOS              | ✓         |
| Kubernetes Gateway | ✓         |

Available in the Bindplane Distro for OpenTelemetry Collector `v1.76.4+`.

### Prerequisites

* An AWS account with access to S3 and SQS.
* An SQS queue configured to receive S3 event notifications.
* Replication to S3 configured by following the [Crowdstrike FDR documentation](https://www.crowdstrike.com/en-us/resources/data-sheets/falcon-data-replicator/).

1. Configure an S3 bucket to send event notifications to an SQS queue for object creation events.
   * Configure your S3 event notifications with `BatchSize: 1` to ensure each SQS message contains only one S3 event.
   * This setting is crucial because if an object cannot be accessed (e.g., 404 error), the entire SQS message is preserved for retry.
   * If a message contains multiple objects and one fails, all objects will be reprocessed on retry, causing unnecessary duplication.
2. Ensure the collector has permission to read and delete messages from the SQS queue.
3. Ensure the collector has permission to read objects from the S3 bucket.

### How It Works

1. The receiver polls an SQS queue for S3 event notifications.
2. When an object creation event (`s3:ObjectCreated:*`) is received, the receiver downloads the S3 object.
3. The receiver reads the object into the body of a new log record.
4. Events that are not object-creation events are ignored, but their SQS messages are still removed from the queue.
5. If an S3 object is not found (404 error), the corresponding SQS message is preserved for retry later.
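The processing rules above, together with the `BatchSize: 1` caveat from the prerequisites, as an added Python illustration. This is not Bindplane's receiver code; the S3 client, the event notification bodies and the object contents are constructed stand-ins.

```python
import json

# Constructed S3 event notification bodies (stand-ins, not real FDR messages).
SINGLE_OK = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "fdr-bucket"}, "object": {"key": "data/part-0001.gz"}}}]})
TEST_EVENT = json.dumps({"Event": "s3:TestEvent"})  # sent by S3 at setup; no object
TWO_OBJECTS = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "fdr-bucket"}, "object": {"key": "data/part-0002.gz"}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "fdr-bucket"}, "object": {"key": "data/missing.gz"}}}]})


class FakeS3:
    """Minimal stand-in for an S3 client; a missing key behaves like a 404."""

    def __init__(self, objects):
        self.objects = objects  # {(bucket, key): object body}

    def get_object(self, bucket, key):
        return self.objects[(bucket, key)]  # KeyError plays the role of NoSuchKey / 404


def process_message(body, s3):
    """Apply the receiver's rules to one SQS message.

    Returns (log_record_bodies, delete_message). Only ObjectCreated:* records
    produce log records; other event types are skipped but the message is still
    deleted; a 404 on any object keeps the whole message for a later retry.
    """
    records, delete = [], True
    for rec in json.loads(body).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = rec["s3"]["object"]["key"]
        try:
            records.append(s3.get_object(bucket, key))
        except KeyError:
            delete = False  # message becomes visible again after visibility_timeout
    return records, delete


def next_poll_interval(current, backoff_factor, max_interval):
    """Wait time after an empty poll: multiply by the factor, capped at the maximum."""
    return min(current * backoff_factor, max_interval)
```

With `TWO_OBJECTS`, `data/part-0002.gz` is emitted but the message is kept because `data/missing.gz` returned 404, so that object is emitted again on retry; one object per message avoids this duplication.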

### Configuration Fields

| Field                  | Type     | Default | Required | Description                                                                                     |
| ---------------------- | -------- | ------- | -------- | ----------------------------------------------------------------------------------------------- |
| sqs_queue_url          | string   |         | `true`   | The URL of the SQS queue to poll for S3 event notifications.                                    |
| standard_poll_interval | duration | 15      | `false`  | The interval (in seconds) at which the SQS queue is polled for messages.                        |
| max_poll_interval      | duration | 2       | `false`  | The maximum interval (in seconds) at which the SQS queue is polled for messages.                |
| polling_backoff_factor | float    | 2       | `false`  | The factor by which the polling interval is multiplied after an unsuccessful poll.              |
| workers                | int      | 5       | `false`  | The number of workers to process events.                                                        |
| visibility_timeout     | duration | 300     | `false`  | How long (in seconds) messages received from the queue will be invisible to other consumers.    |


