CrowdStrike Optimizer

The Observo AI CrowdStrike Optimizer transforms CrowdStrike Falcon event data by filtering, summarizing, and prioritizing events to reduce volume by 30–60% while maintaining comprehensive security coverage.

Purpose

The Observo AI CrowdStrike Optimizer enables organizations to streamline high-volume CrowdStrike event data through intelligent filtering of event types, smart summarization of network events, and targeted DNS query filtering to focus on critical security insights. By leveraging common filtering rules, aggregation techniques, and Observo’s Top 100 DNS entries or custom lookups, it reduces noise and processing costs while preserving visibility into potential threats. This transform empowers security teams to optimize data pipelines for efficient integration with platforms like Splunk or AWS Security Lake, enhancing threat detection and response.

Usage

Select CrowdStrike Optimizer transform. Add Name (required) and Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disabled. When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications.

  • Add Filter Conditions: Defaults to disabled. When enabled, events are matched against filter conditions; only events for which the condition evaluates to true are processed, all others bypass this transform. Conditions are combined with AND/OR logic and are built with the "+Rule" and "+Group" buttons.

CrowdStrike:

Common Filtering Rules On Event Types (pulldown): Selectively process or drop specific event types

  • Enabled: Defaults to enabled, meaning all events are evaluated by this stage. Disable to skip the stage and pass events unchanged to the downstream Transforms.

  • Fields to Drop: Field names to remove from each processed event. Click the Add button to add another field to drop.

    Filter Rules (pulldown):

  • Action: Select either Sample or Drop.

    • Sample: Keeps a representative subset of matching events. Select CrowdStrike Event Categories from the dropdown to specify event types for sampling.

      • Sampling Frequency: Configure Sampling Frequency (number) to set the frequency at which events are sampled.

    • Drop: Filters out all matching events, preventing them from being forwarded. Select CrowdStrike Event Categories from the dropdown to specify event types to drop.

    • Select CrowdStrike Event Categories for Drop/Sampling: Select the list of CrowdStrike event types to match against the field value.

      Examples:

      ProcessRollup2

      NetworkConnectIP4
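
The Sample/Drop rules above can be modelled in a few dozen lines. The following is an added example written for this page, not Observo's or CrowdStrike's code. It assumes that the event category lives in the `event_simpleName` field (CrowdStrike FDR naming), that "Sampling Frequency" N means "keep one of every N matching events" (the page does not define the exact semantics), and that the first rule whose categories match decides the event's fate; the sample batch, the `ConfigBuild` drop field and the `AID-TEST` sensor id are constructed.

```python
# Added example (not Observo's code): a minimal model of the "Filter Rules On
# Event Types" stage. Field names follow CrowdStrike FDR conventions and are
# assumed here; the sampling semantics (keep 1 of every N) are an assumption.
from collections import defaultdict


class EventTypeFilter:
    """Apply Sample/Drop rules keyed on the event category field.

    Each rule is a dict: {"action": "sample" | "drop",
                          "categories": set of event_simpleName values,
                          "frequency": N}   # N is only used by "sample"
    Sampling is deterministic: the first matching event is kept, then one of
    every N thereafter, so a re-run over the same batch gives the same result.
    """

    def __init__(self, rules, drop_fields=(), match_field="event_simpleName"):
        self.rules = list(rules)
        self.drop_fields = set(drop_fields)
        self.match_field = match_field
        self._seen = defaultdict(int)   # per-rule counter of matching events

    def keep(self, event):
        """Return True if the event survives the Sample/Drop rules."""
        category = event.get(self.match_field)
        for idx, rule in enumerate(self.rules):
            if category not in rule["categories"]:
                continue
            if rule["action"] == "drop":
                return False
            if rule["action"] == "sample":
                n = max(1, int(rule.get("frequency", 1)))
                self._seen[idx] += 1
                return (self._seen[idx] - 1) % n == 0
            raise ValueError(f"unknown action {rule['action']!r}")
        return True   # no rule matched: the event passes through untouched

    def apply(self, events):
        """Filter a batch, then strip the 'Fields to Drop' from the survivors."""
        kept = []
        for ev in events:
            if self.keep(ev):
                kept.append({k: v for k, v in ev.items() if k not in self.drop_fields})
        return kept


def demo_batch():
    """Constructed sample batch: 100 connects, 10 process rollups, 3 logons."""
    events = []
    for i in range(100):
        events.append({"event_simpleName": "NetworkConnectIP4", "aid": "AID-TEST",
                       "RemoteAddressIP4": "203.0.113.7", "RemotePort": 443,
                       "ContextProcessId": str(i), "ConfigBuild": "constructed"})
    for _ in range(10):
        events.append({"event_simpleName": "ProcessRollup2", "aid": "AID-TEST",
                       "ImageFileName": "\\Device\\HarddiskVolume1\\tool.exe",
                       "ConfigBuild": "constructed"})
    for _ in range(3):
        events.append({"event_simpleName": "UserLogon", "aid": "AID-TEST",
                       "UserName": "analyst", "ConfigBuild": "constructed"})
    return events


def demo_filter():
    """Sample 1-in-20 network connects, drop process rollups, strip ConfigBuild."""
    return EventTypeFilter(
        rules=[{"action": "sample", "categories": {"NetworkConnectIP4"}, "frequency": 20},
               {"action": "drop", "categories": {"ProcessRollup2"}}],
        drop_fields={"ConfigBuild"})


if __name__ == "__main__":
    kept = demo_filter().apply(demo_batch())
    print(len(kept), "of", len(demo_batch()), "events kept")
```

Note that UserLogon events are untouched because no rule names them: an unmatched category always passes through, which is the safe default for a stage whose job is volume reduction rather than detection. If you sample a category, keep the counter per rule (as above) rather than global, otherwise a burst of one event type would skew the sampling of another.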

Network Events Smart Summarization (pulldown): Intelligently aggregate high-volume network events

  • Enabled: Defaults to enabled, meaning all events are evaluated by this stage. Disable to skip the stage and pass events unchanged to the downstream Transforms.

    • Aggregation Interval (Seconds): Set the aggregation interval (in seconds) for summarization.

      • Default: 600 (configure as needed).

    • Add Aggregated Count to Outgoing Event: Defaults to enabled, meaning it adds a field to the event to denote aggregation.

      • Field Name for Aggregated Counts: (string) Define the field name for the aggregated count.
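
The interval, count toggle and count field name above map directly onto a small batch aggregator. The code below is an added example written for this page, not Observo's implementation. It assumes that event timestamps are epoch seconds in a `timestamp` field, that a flow is identified by the tuple (`aid`, `LocalAddressIP4`, `RemoteAddressIP4`, `RemotePort`, `Protocol`) using CrowdStrike FDR field names, that the aggregation interval is a tumbling window, and that the end of the summarized span is written to a constructed field named `SummaryEndTimestamp`; the sample batch is constructed.

```python
# Added example (not Observo's code): a batch model of "Network Events Smart
# Summarization". Assumed: epoch-second "timestamp" field, FDR-style flow key
# fields, tumbling windows of `interval` seconds, and the constructed summary
# field name "SummaryEndTimestamp".
NETWORK_EVENTS = {"NetworkConnectIP4"}
FLOW_KEY = ("aid", "LocalAddressIP4", "RemoteAddressIP4", "RemotePort", "Protocol")


def summarize_network_events(events, interval=600, add_count=True, count_field="Count"):
    """Collapse repeated connections per (window, flow key) into one summary event.

    Non-network events pass through unchanged. Each summary is a copy of the
    first event seen for that flow in that window, with "timestamp" set to the
    earliest event, "SummaryEndTimestamp" set to the latest, and the count
    field added when "Add Aggregated Count to Outgoing Event" is enabled.
    """
    passthrough, buckets = [], {}
    for ev in events:
        if ev.get("event_simpleName") not in NETWORK_EVENTS:
            passthrough.append(ev)
            continue
        ts = float(ev["timestamp"])
        key = (int(ts // interval),) + tuple(ev.get(f) for f in FLOW_KEY)
        b = buckets.get(key)
        if b is None:
            buckets[key] = {"event": dict(ev), "first": ts, "last": ts, "n": 1}
        else:
            b["n"] += 1
            b["first"] = min(b["first"], ts)
            b["last"] = max(b["last"], ts)
    summaries = []
    for b in buckets.values():          # insertion order == first-seen order
        s = b["event"]
        s["timestamp"] = b["first"]
        s["SummaryEndTimestamp"] = b["last"]
        if add_count:
            s[count_field] = b["n"]
        summaries.append(s)
    return passthrough + summaries


def demo_batch():
    """Constructed batch: 1000 connects in one window, 5 in the next, 1 process event."""
    base = 1_700_000_400   # constructed; a multiple of 600 so window edges are obvious
    flow = {"event_simpleName": "NetworkConnectIP4", "aid": "AID-TEST",
            "LocalAddressIP4": "10.0.0.5", "RemoteAddressIP4": "203.0.113.7",
            "RemotePort": 443, "Protocol": 6}
    events = [dict(flow, timestamp=base + i * 0.5) for i in range(1000)]   # 0..499.5 s
    events += [dict(flow, timestamp=base + 700 + i) for i in range(5)]     # next window
    events.append({"event_simpleName": "ProcessRollup2", "aid": "AID-TEST",
                   "timestamp": base + 1})
    return events


if __name__ == "__main__":
    for ev in summarize_network_events(demo_batch()):
        print(ev["event_simpleName"], ev.get("Count"), ev["timestamp"],
              ev.get("SummaryEndTimestamp"))
```

This is a batch formulation; a streaming implementation would flush a bucket when its window closes rather than at the end of the input. Keeping the first and last timestamp alongside the count is what preserves the "timespan" an analyst needs to tell a steady beacon from a single burst, so do not drop those fields to save space.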

DNS Events (pulldown): Filter common benign DNS queries to focus on potentially suspicious activity

  • Enabled: Defaults to enabled, meaning all events are evaluated by this stage. Disable to skip the stage and pass events unchanged to the downstream Transforms.

  • Use Observo Top DNS Entries for Filtering: Defaults to enabled. When enabled, filters events using Observo’s Top 100 DNS entries to remove common benign DNS queries.

  • User Supplied Lookups for DNS Filtering: Upload a custom DNS list via File Upload to use for filtering, allowing tailored DNS query filtering.
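
The two DNS options above (Observo's Top 100 list plus a user-supplied lookup file) amount to an allowlist of benign names that removes matching DNS events. The following added example, written for this page and not Observo's code, shows that logic with a constructed stand-in for the Top 100 list (the real list is not on this page). It assumes DNS lookups arrive as `DnsRequest` events with the queried name in `DomainName` (CrowdStrike FDR naming), that the upload format is one hostname per line with `#` comments, and that a listed domain also covers its subdomains; that last behaviour is a configurable assumption, not something the page states.

```python
# Added example (not Observo's code): a model of the "DNS Events" stage.
# Assumed: DnsRequest events carry the queried name in "DomainName"; the
# Top 100 list is stood in for by TOP_DNS_SAMPLE; a listed domain also matches
# its subdomains when match_subdomains=True.
DNS_EVENTS = {"DnsRequest"}


def normalize_domain(name):
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return name.strip().lower().rstrip(".")


def load_dns_list(text):
    """Parse a user-supplied list: one hostname per line, blanks and # comments ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalize_domain(line))
    return entries


class DnsBenignFilter:
    def __init__(self, top_entries, user_entries=(), match_subdomains=True):
        self.entries = ({normalize_domain(d) for d in top_entries}
                        | {normalize_domain(d) for d in user_entries})
        self.match_subdomains = match_subdomains

    def is_benign(self, domain):
        """True if the domain, or optionally a parent of it, is on the list."""
        d = normalize_domain(domain)
        if d in self.entries:
            return True
        if self.match_subdomains:
            labels = d.split(".")
            # walk up the parents but never test a bare TLD such as "com"
            for i in range(1, len(labels) - 1):
                if ".".join(labels[i:]) in self.entries:
                    return True
        return False

    def apply(self, events):
        """Drop DnsRequest events for listed names; everything else passes through."""
        out = []
        for ev in events:
            if (ev.get("event_simpleName") in DNS_EVENTS
                    and "DomainName" in ev
                    and self.is_benign(ev["DomainName"])):
                continue
            out.append(ev)
        return out


# Constructed stand-in for Observo's Top 100 list.
TOP_DNS_SAMPLE = ["microsoft.com", "google.com", "apple.com", "akamaiedge.net"]

# Constructed user-supplied lookup file, in the assumed upload format.
USER_DNS_SAMPLE = """
# internal names that are never interesting for this tenant
corp.internal
updates.vendor-example.test
"""


def demo_events():
    """Constructed batch of DNS and non-DNS events."""
    def dns(name):
        return {"event_simpleName": "DnsRequest", "aid": "AID-TEST", "DomainName": name}
    return [
        dns("www.google.com"),                 # listed parent: dropped
        dns("Login.Microsoftonline.COM."),     # not microsoft.com: kept
        dns("dc01.corp.internal"),             # user list: dropped
        dns("updates.vendor-example.test"),    # user list, exact: dropped
        dns("xyz-lookalike.net"),              # unknown: kept
        {"event_simpleName": "DnsRequest", "aid": "AID-TEST"},   # no name: kept
        {"event_simpleName": "ProcessRollup2", "aid": "AID-TEST"},
    ]


def demo_filter(match_subdomains=True):
    return DnsBenignFilter(TOP_DNS_SAMPLE, load_dns_list(USER_DNS_SAMPLE), match_subdomains)


if __name__ == "__main__":
    for ev in demo_filter().apply(demo_events()):
        print(ev["event_simpleName"], ev.get("DomainName"))
```

Two details matter for security coverage here. Normalising case and the trailing dot avoids letting `WWW.GOOGLE.COM.` slip past the list, and the subdomain walk stops short of the TLD so that listing `google.com` never accidentally suppresses every `.com` lookup. Whether you want subdomain matching at all is a tuning decision: it removes more noise, but a lookalike such as `login.microsoftonline.com` is only kept because it is not actually under a listed parent, so review the list before enabling it.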

Examples

Filter Rules On Event Types

Scenario: Keep a subset of CrowdStrike events that match the selected CrowdStrike Event Categories (1).

Filter Rules (Pulldown)

  • Enabled: Toggled to enabled

  • Action: Click Add, then select Sample

  • Sampling Frequency: 20

  • Event Categories: Select Authentication, which covers:

    • IoSessionConnected

    • IoSessionLoggedOn

    • UserIdentity

    • UserLogoff

    • UserLogon

    • UserLogonFailed

    • UserLogonFailed2

Results: Keeps a sampled subset of CrowdStrike log entries in the Authentication event categories.

Smart Summarization

Smart summarization summarizes network flows by identifying high-volume network events, collapsing them over the aggregation interval, and adding an aggregated count field to the outgoing event.

Network Events Smart Summarization (Pulldown)

  • Enabled: Toggled to enabled

  • Aggregation Interval: 600

  • Add Aggregated Count: Toggled to enabled

  • Field name for Aggregated Counts: Count

Results: Reduces event volume for chatty applications and services while preserving security visibility. For example, thousands of individual connection events between the same source/destination within a short timeframe are replaced with a single summary event containing the count and timespan.

Filter Top 100 DNS Events

Leverage Observo’s Top 100 DNS entries or add your own DNS hosts to filter CrowdStrike events.

DNS Events (Pulldown)

  • Enabled: Toggled to enabled

  • Use Observo’s Top 100: Toggled to enabled

  • Add your own (Optional): Click Add

  • Type or upload your own DNS entries (Optional): Enter DNS host or upload file

Results: Filters out CrowdStrike events with common benign DNS queries to focus on potentially suspicious activity.

CrowdStrike Optimizer Best Practices

Here’s a breakdown of best practices when using Observo AI’s VPC Flow Logs Optimizer, which leverages techniques like dropping fields, filtering traffic, smart summarization, and aggregation:

  1. Drop Events by Category

  • Identify Low-Value Data: Review the default event categories emitted by CrowdStrike and determine which ones are not used for your security, troubleshooting, or compliance needs.

  • Early Data Reduction: Drop extraneous fields at the ingestion stage to reduce data volume and processing cost without impacting key insights.

  2. Smart Summarization

  • Automated Flow Grouping: Leverage ML-powered smart summarization to automatically identify network flows (using the key tuple: source IP, source port, destination IP, destination port, and protocol).

  • Volume Reduction: By aggregating similar flows, you can reduce log volume by over 80% while preserving important statistics like packet counts, bytes transferred, and time ranges.

  • Zero-Click Efficiency: This feature works without manual intervention, meaning your system continually adapts and maintains high-level insight with lower data noise.

  3. Aggregation

  • Custom Aggregation Semantics: In addition to smart summarization, provide options for custom aggregations that let you define how network flows should be grouped based on your domain or infrastructure specifics.

  • Improved Query Performance: Aggregated data not only reduces storage costs but also speeds up downstream queries and analysis, as smaller, summarized datasets are much faster to process.

Overall Recommendations

  • Combine Techniques for Maximum Efficiency: By first dropping non-essential fields and filtering out low-value traffic, you minimize the volume before applying smart summarization and aggregation.

  • Automate Where Possible: Use Observo AI’s dynamic pipelines that automatically adjust to the incoming data, reducing the need for constant manual tuning and boosting developer productivity.

  • Retain Analytical Integrity: Ensure that any reduction in data volume does not compromise critical insights required for security monitoring, troubleshooting, or cost analysis.

These best practices help you achieve a more efficient observability pipeline, lower storage and processing costs, and improve the overall performance of your CrowdStrike events analysis.

  • Cloudtrail Optimizer: Transform group to process Cloudtrail flow logs.

  • GCP Flow Logs: Optimize VPC flow logs using this transform.
