Send records from ExtraHop to CrowdStrike Falcon LogScale
You can configure your ExtraHop Reveal(x) Enterprise system to send transaction-level records to a CrowdStrike Falcon LogScale repository for long-term storage, and then query those records from the ExtraHop system and the ExtraHop REST API.
Here are some important considerations about enabling a LogScale repository as the recordstore:
- The amount of recordstore lookback that can be queried is determined by the data retention settings configured for your LogScale system.
- You can enable a separate LogScale repository for each ExtraHop sensor.
- From an ExtraHop console, you can query records from LogScale repositories on all connected ExtraHop sensors if those repositories are associated with the same LogScale view.
- If all ExtraHop sensors send records to the same repository, you can transfer recordstore settings and manage all sensors from the ExtraHop console.
- Any triggers configured to send records through commitRecord to a recordstore are automatically redirected to the LogScale repository. No further configuration is required.
Enable LogScale as the recordstore
Before you begin
- Your ExtraHop system must be licensed for the LogScale recordstore.
- Your ExtraHop system must be running Reveal(x) Enterprise firmware version 9.5 or later.
- Any console and all connected sensors must be running the same ExtraHop firmware version.
- Your ExtraHop user account must have System and Access Administration privileges.
- Your LogScale system must have version 1.111.0 or later.
- Your LogScale user account must have administrator privileges.
- You must have a LogScale ingest token associated with a repository or an organization token that includes permission for ingest across all repositories within the organization.
- You must have a LogScale view token that includes data read access permission.
After your configuration is complete, you can query for stored records in the ExtraHop system
by clicking Records from the top navigation menu or from the
ExtraHop REST API.
Transfer recordstore settings
If you have an ExtraHop console connected to your ExtraHop sensors, you can configure and manage the recordstore settings on the sensor, or transfer the management of the settings to the console. Transferring and managing the recordstore settings on the console enables you to keep the recordstore settings up to date across multiple sensors.
Recordstore settings are configured for connected
third-party recordstores and do not apply to the ExtraHop recordstore.
Thank you for your feedback. Can we contact you to ask follow up questions?