This onboarding guide takes you through how to set up a CrowdStrike Falcon LogScale Collector in Workbench.

Prerequisites

  1. You must have an existing LogScale user with the Member role assigned.
  2. You must have an existing Repository or View that contains the data Expel needs to access.

Quick Start

Setup includes the following steps, each described in detail below:

  1. Generate API Credentials for LogScale
  2. Add CrowdStrike LogScale as a Security Device in Workbench
  3. Enable Console Access

Step 1: Generate API Credentials for LogScale

Make sure you have met the prerequisites before proceeding with this step.

  1. Log into the CrowdStrike Falcon LogScale console.
  2. From the homepage, select Repositories and views.
  3. Select the Repository or View that contains the data Expel will access.
  4. Select Settings > Tokens.
  5. Select + Add new.
  6. Configure the new token with the following details:
    • For Name, enter "Expel Integration".
    • Under Permissions, select Data Access. Grant only this permission: the token needs to read events from the selected Repository or View and nothing else, so do not reuse a personal API token or one with administrative permissions.
  7. Select Create token.
  8. Save the token value in a safe place (for example, your secrets manager) for use in a later step. Treat it as a credential: it grants query access to everything in the Repository or View.
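Before pasting the token into Workbench in Step 2, it is worth confirming that it can actually query the Repository or View you selected, and that it is rejected when the name or token is wrong. The script below is an added example, not part of Expel's guide or of any Expel or CrowdStrike code. It assumes LogScale's Search API (`POST /api/v1/repositories/<repo>/query` with a Bearer token), and the server URL, repository name and token values are placeholders; the verdict strings are this example's own mapping of HTTP status codes, not text returned by LogScale.

```python
"""
Added example (not Expel or CrowdStrike code): check that a LogScale repository
token can run a minimal query against the target Repository or View.

Assumptions (not taken from the onboarding guide):
  - LogScale's Search API: POST <server>/api/v1/repositories/<repo>/query
    with an "Authorization: Bearer <token>" header and a JSON body.
  - Server URL, repository name and token are placeholders supplied via
    environment variables.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_query_request(server, repository, token, query="count()", start="1h"):
    """Return (url, headers, body) for a one-shot, non-live LogScale query.

    Refuses plain http so the Bearer token is never sent in cleartext, strips
    a trailing slash from the server address, and URL-quotes the repository
    name so spaces or other special characters do not corrupt the path.
    """
    base = server.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("server address must use https; the token would otherwise be sent in cleartext")
    url = f"{base}/api/v1/repositories/{urllib.parse.quote(repository, safe='')}/query"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    # count() over the last hour is cheap and only needs read (Data Access) permission.
    body = {"queryString": query, "start": start, "end": "now", "isLive": False}
    return url, headers, body


def interpret_status(status):
    """Map an HTTP status from the query endpoint to a short verdict (this example's wording)."""
    if status == 200:
        return "ok: token can query the repository"
    if status == 401:
        return "rejected: token not accepted (wrong or revoked token)"
    if status == 403:
        return "forbidden: token accepted but not permitted to read this repository"
    if status == 404:
        return "not found: repository/view name wrong, or not visible to this token"
    return f"unexpected HTTP {status}"


def check_token(server, repository, token, timeout=15):
    """Send the query and return (http_status, verdict, decoded_json_or_None)."""
    url, headers, body = build_query_request(server, repository, token)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            raw = resp.read().decode()
            payload = json.loads(raw) if raw else None
    except urllib.error.HTTPError as e:
        status, payload = e.code, None
    return status, interpret_status(status), payload


if __name__ == "__main__":
    # Placeholders: set these to your instance before running.
    server = os.environ.get("LOGSCALE_URL", "https://logscale.example.com")
    repo = os.environ.get("LOGSCALE_REPO", "expel-repo")
    token = os.environ.get("LOGSCALE_TOKEN", "")
    if not token:
        raise SystemExit("set LOGSCALE_URL, LOGSCALE_REPO and LOGSCALE_TOKEN first")
    status, verdict, payload = check_token(server, repo, token)
    print(status, verdict)
    if payload is not None:
        print(json.dumps(payload)[:200])
```

Run it once with the token and repository name you intend to enter in Workbench; a 200 confirms the pairing works, while a 401, 403 or 404 tells you which of the three inputs (token, permission, repository name) to revisit before opening a support case.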

Step 2: Add CrowdStrike LogScale as a Security Device in Workbench

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “CrowdStrike” and then select the CrowdStrike Logscale (formerly Humio) Collector integration.
  5. A configuration pane displays. Complete the fields as follows:
    • Name - enter a name that helps you identify this integration, such as “CompanyName LogScale Collector”. This name displays in Workbench under the Name column and is a text string you can filter on.
    • Location - enter the location of your integration, for example “cloud”. This is also a filterable text string, so keep location naming consistent across your Expel integrations.
    • Connection Settings - provide the following:
      • Server address - enter the base URL of the CrowdStrike Falcon LogScale instance you logged into in Step 1.
      • API token - enter the value of the repository token generated in Step 1.
      • Repository name - enter the exact name of the CrowdStrike LogScale Repository or View the token was created on; the token only grants access to that Repository or View.
  6. Select Save.
  7. Your device should be created within a few seconds.
    Note: Collector integrations do not report health checks, so this device showing little or no activity is expected. The "(via Collector)" integrations are the ones that present data; the Collector itself only passes each query through to the integration that receives the information.

Step 3: Enable Console Access

To provide effective triage and analysis, we ask that customers grant Expel console access. Read-only access to your technology's interface lets Expel dig deeper during incident investigations, and our device health team uses the same access to investigate potential health issues with your tech.

Expel stores all login information our SOC analysts need for your devices in a password manager protected by MFA, and access to that information is governed by our internal MFA processes. If you restrict console logins by source address, see the published list of IP addresses Expel traffic comes from.

  1. Log into the CrowdStrike Falcon LogScale console.
  2. Create a local user in LogScale, or provision access for Expel through your SSO provider. Either way, the user must have the Member role in LogScale; that role is sufficient for the read-only access described above, so do not assign a higher role. Note this user's credentials, as you will need to provide them in a later step.
  3. Log in to Workbench.
  4. Locate the LogScale Collector device you added in Step 2. Select the dropdown arrow in the first column and select Edit.
  5. Enter your credentials into the Console Login (Optional) section.
    • Console URL - enter your CrowdStrike Falcon LogScale console URL.
    • Username - provide the username for the new LogScale user you created above.
    • Password - provide the password for the new LogScale user you created above.
    • Two-factor secret key (32-character code) - the TOTP secret for the user, if your organization enforces two-factor login for this user. Depending on how your organization enforces logins, this field may not apply to you; in that case leave it blank. If you have questions or concerns, contact Support.
  6. Select Save.