1. Docs
  2. Send Data to Honeycomb
  3. Honeycomb Telemetry Pipeline
  4. Pipeline Manager Sources
  5. Crowdstrike FDR

Crowdstrike FDR

Ent+
Note
This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.

The Crowdstrike FDR source consumes S3 event notifications for object creation events (s3:ObjectCreated:*) and emits the S3 object as the string body of a log record. This source is similar to the generic S3 Event source. It expects SQS notifications sent from the Crowdstrike FDR platform.

Supported Platforms 

Platform Supported
Linux
Windows
macOS
Kubernetes Gateway

Available in the Bindplane Distro for OpenTelemetry Collector v1.76.4+.

Prerequisites 

  • An AWS account with access to S3 and SQS.
  • An SQS queue configured to receive S3 event notifications.
  • You have followed your Crowdstrike FDR documentation for configuring replication to S3.
  1. Configure an S3 bucket to send event notifications to an SQS queue for object creation events.
    • Configure your S3 event notifications with BatchSize: 1 to ensure each SQS message contains only one S3 event.
    • This setting is crucial because if an object cannot be accessed (e.g., 404 error), the entire SQS message is preserved for retry.
    • If a message contains multiple objects and one fails, all objects will be reprocessed on retry, causing unnecessary duplication.
  2. Ensure the collector has permission to read and delete messages from the SQS queue.
  3. Ensure the collector has permission to read objects from the S3 bucket.

How It Works 

  1. The receiver polls an SQS queue for S3 event notifications.
  2. When an object creation event (s3:ObjectCreated:*) is received, the receiver downloads the S3 object.
  3. The receiver reads the object into the body of a new log record.
  4. Non-object creation events are ignored but removed from the queue.
  5. If an S3 object is not found (404 error), the corresponding SQS message is preserved for retry later.

Configuration Fields 

FieldTypeDefaultRequiredDescription
sqs_queue_urlstringtrueThe URL of the SQS queue to poll for S3 event notifications.
standard_poll_intervalduration15falseThe interval (in seconds) at which the SQS queue is polled for messages.
max_poll_intervalduration2falseThe maximum interval (in seconds) at which the SQS queue is polled for messages.
polling_backoff_factorfloat2falseThe factor by which the polling interval is multiplied after an unsuccessful poll.
workersint5falseThe number of workers to process events.
visibility_timeoutduration300falseHow long (in seconds) messages received from the queue will be invisible to other consumers.
On this page: