What’s included in C1 system logs?
System logs include a record of actions taken by the C1 API. The C1 API is used for all app-level actions and captures both end-user and administrative activities. C1 system logs are stored in OCSF (Open Cybersecurity Schema Framework), a leading open-source data format developed by AWS, IBM, and Splunk. Learn more about OCSF by viewing the OCSF schema documentation.How do I get access to the system logs?
System logs are stored internally in C1 and can be accessed via API or exported to an external data source such as an S3 bucket or Azure Blob container.Where can I see a list of all the API events included in the system logs?
You can download our authoritative list of API events, which is presented in Sigma Detection Format.-
YAML format: Go to
<YOUR C1 TENANT URL>/api/v1/ocsf-events.yaml -
JSON format: Go to
<YOUR C1 TENANT URL>/api/v1/ocsf-events.json
Sync C1 system logs into your SIEM
Follow this process to import C1 logs into your security information and event management (SIEM) platform.Step 1: Create an external data source
If you haven’t already done so, create an external data source to sync the system logs to.Step 2: Create a system log exporter
1
Navigate to Settings > System log and click Add exporter.
2
Set up the new exporter:
- Give the exporter a name, such as “System log to S3”.
- Select the Datasource you created in Step 1.
- Optional. Input an file prefix.
- Select your output format and compression algorithm.
3
Click Save.
Step 3: Connect your SIEM
This step will vary depending on the SIEM that you are using. In general terms, however, you will want to add the datasource to your SIEM. A partial list of SIEM directions:- Import S3 buckets into Panther
- Import S3 buckets into Splunk
- Import S3 buckets into CrowdStrike Falcon Next-Gen SIEM
Using C1 logs with CrowdStrike Falcon Next-Gen SIEM
Ingesting an S3 bucket via the Amazon S3 Data Connector requires a Falcon Next-Gen SIEM subscription. Without it, the connector appears in the CrowdStrike Store but can’t be configured.
Reading system log files
C1 system logs use the Open Cybersecurity Schema Framework (OCSF) to format log events. Check out the OCSF documentation for full details of OCSF API activity formatting, but here are a few key details to help you quickly make sense of C1 system log output.-
“activity_id”: The “activity_id” entry in a log line tells you what type of API call activity triggered the event. By filtering logs by these activity IDs, you can zero in on key types of activity in the C1 system.
- “activity_id”:1 - “Create” activity
- “activity_id”:2 - “Read” activity
- “activity_id”:3 - “Update” activity
- “activity_id”:4 - “Delete” activity