This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Query on Sending Data to Multiple Destinations

Posted on 07-18-2024 08:23 AM
Aravind3
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi All,

I have a question: Is it possible to send data from a single source to two different locations? For example, I have a CrowdStrike source and I want to send logs to Chronicle while also saving them in an S3 bucket, or alternatively, send them to another location via Kinesis. Is this possible?

Thank you in advance.
Aravind S

Solved Solved
1 5 451
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
AbdElHafez
Staff
In response to Aravind3
Reply posted on --/--/---- --:-- AM

Hi @Aravind3 
I think it could be easier to do so if you have Data Firehose, There is no direct Chronicle SIEM ingestion from Kinesis, but with Data Firehose you could define multiple destinations and it is supported by Chronicle SIEM, but this could be more costly.

Is it possible to use Falcon Data Replicator to send an S3 Bucket A, then use native S3 Bucket replication instead to replicate the same data to another S3 Bucket B but let Chronicle ingest from only one of them ? Or can you use the Replicator to send data to an S3 Bucket but ingest the logs from Chronicle SIEM via the API ?

References:
https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html
https://cloud.google.com/chronicle/docs/administration/feed-management-overview

Thanks,
Hafez

View solution in original post

Jump to Solution
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
ionutm
Staff
Reply posted on --/--/---- --:-- AM

The BindPlane agent (Collector  agent) is capable of doing this: https://cloud.google.com/chronicle/docs/ingestion/use-bindplane-agent 

https://observiq.com/docs/getting-started/quickstart-guide

There is still working in progress and documentation to be provided for how this would really work.

Jump to Solution

Posted on --/--/---- --:-- AM
aki_ja-7
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Yes, it is possible to send data from a single source to multiple destinations. For your specific case with CrowdStrike, you can achieve this by setting up data pipelines that route the logs to both Chronicle and an S3 bucket, or to another location via Kinesis.

Steps to Achieve This

  1. CrowdStrike to Chronicle:

  2. CrowdStrike to S3 Bucket:

    • Set up a data pipeline using a service like AWS Lambda or AWS Glue to transfer logs from CrowdStrike to an S3 bucket.

  3. CrowdStrike to Kinesis:

    • Configure a data stream in AWS Kinesis to receive logs from CrowdStrike and then process or store them as needed.

Example Workflow

  1. CrowdStrike Logs: Collect logs using the Falcon Data Replicator.
  2. Data Pipeline:
    • To Chronicle: Directly send logs to Chronicle for advanced analytics.
    • To S3: Use AWS Lambda to trigger on new logs and save them to an S3 bucket.
    • To Kinesis: Stream logs to Kinesis for real-time processing and further routing.

By setting up these pipelines, you can ensure that your logs are sent to multiple destinations efficiently.

Jump to Solution

Posted on --/--/---- --:-- AM
Aravind3
Bronze 4
Bronze 4
In response to aki_ja-7
Reply posted on --/--/---- --:-- AM

Hi @aki_ja-7 ,
Thank you for the revert.
Is it possible to send logs one path to chronicle and other path to another location via Kinesis.
I was wonder the one stream won't know right whether the other path exist or not right?

Thanks,
Aravind 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
AbdElHafez
Staff
In response to Aravind3
Reply posted on --/--/---- --:-- AM

Hi @Aravind3 
I think it could be easier to do so if you have Data Firehose, There is no direct Chronicle SIEM ingestion from Kinesis, but with Data Firehose you could define multiple destinations and it is supported by Chronicle SIEM, but this could be more costly.

Is it possible to use Falcon Data Replicator to send an S3 Bucket A, then use native S3 Bucket replication instead to replicate the same data to another S3 Bucket B but let Chronicle ingest from only one of them ? Or can you use the Replicator to send data to an S3 Bucket but ingest the logs from Chronicle SIEM via the API ?

References:
https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html
https://cloud.google.com/chronicle/docs/administration/feed-management-overview

Thanks,
Hafez

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

This is great!  A lot of good suggestions here! 

Jump to Solution
0 Likes
Top Solution Authors
View all