Outgoing feed - Crowdstrike Falcon LogScale Outgoing feed

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

Transport type

LogScale Outgoing feed

Content type

LogScale JSON model

Published data

Create a Lookup file on your LogScale instance and push Indicator and Observable data to it.

Requirements

  • A LogScale repository.

  • LogScale Ingest API token.

  • (Optional) A Lookup file in LogScale to write to.
    Creating this file beforehand isn’t strictly necessary, although it is advised for expedience. Creating a Lookup file and giving its columns the same names as the corresponding fields in Intelligence Center (i.e. Type, Value, Maliciousness, Source) facilitates fast recognition of the mapped data.

Configure the outgoing feed

  1. Create a new Outgoing feed.

  2. Fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Outgoing feed name*

    Enter a name for this Outgoing feed.

    Datasets*

    Select one or more existing datasets from the drop-down menu. The menu only displays datasets that contain Observables or Entities supported by the Transport type you’ve selected.

    Update strategy*

    Select an update strategy.

    See Update strategy for more information.

    Transport type*

    Select LogScale Outgoing feed from the drop-down menu.

    Content type*

    Select LogScale JSON model from the drop-down menu.

    API URL*

    Default: http://cloud.community.humio.com

    Set this to the URL of your LogScale instance. Use an https:// URL: the Ingest API token is sent with every request to this endpoint, so a plain http:// URL exposes it on the wire.

    Ingest API Token*

    Enter your LogScale Ingest API token.

    Repository*

    Enter the name of your repository in LogScale.

    Filename

    Enter the name of the Lookup file you created in LogScale.
    If you haven’t created a Lookup file yet, you can leave this field empty. The feed will then create a new file when it is first run. Entering a different name will also result in the creation of a new file.

    SSL verification

    Check the box to verify the LogScale server's certificate when the feed connects to the API URL.

    Path to SSL certificate file

    Required if SSL verification is enabled. Path to the certificate file the feed uses to verify the connection to your LogScale instance.

    Include Table Fields*

    From the dropdown, select the Observable fields you would like to include on the Outgoing feed. Select X on an included field to exclude it.

    Execution schedule*

    Select an execution type from the dropdown and then select a corresponding frequency from the second dropdown.

  3. Save your changes by selecting Save.
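The following is an added example, not EclecticIQ's or CrowdStrike's own code, showing what the configured feed delivers and how it is consumed: a CSV lookup file whose header uses the Intelligence Center field names from the Requirements section (Type, Value, Maliciousness, Source), a local stand-in for the LogScale match() lookup so you can see which events would hit, the match() query a detection engineer would run in the repository, and an upload helper. The file name eiq_indicators.csv, the sample observables and events, the Maliciousness strings, and the upload endpoint (POST /api/v1/repositories/<repo>/files with a multipart file field and a Bearer token, which needs a token allowed to write files rather than only an ingest token) are assumptions for illustration.

```python
"""
Added example (not EclecticIQ's or CrowdStrike's code): what the LogScale
outgoing feed pushes (a CSV lookup file with columns Type, Value,
Maliciousness, Source) and how a LogScale match() query uses it.
File name, endpoint, token scope and sample data are assumptions.
"""
import csv
import io

# Constructed sample observables in the shape Intelligence Center exposes.
# Maliciousness strings are illustrative, not an authoritative value list.
SAMPLE_OBSERVABLES = [
    {"Type": "domain", "Value": "bad.example",
     "Maliciousness": "Malicious - High confidence", "Source": "Example feed A"},
    {"Type": "ipv4", "Value": "203.0.113.7",
     "Maliciousness": "Malicious - Medium confidence", "Source": "Example feed B"},
    {"Type": "domain", "Value": "cdn.example",
     "Maliciousness": "Safe", "Source": "Example allowlist"},
]

LOOKUP_COLUMNS = ["Type", "Value", "Maliciousness", "Source"]
LOOKUP_FILENAME = "eiq_indicators.csv"  # assumed; must equal the feed's Filename field


def build_lookup_csv(observables):
    """Serialise observables into the CSV layout of a LogScale lookup file.
    Header names equal the Intelligence Center field names so the pushed rows
    land in a pre-created file without any column renaming."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for obs in observables:
        writer.writerow({col: obs[col] for col in LOOKUP_COLUMNS})
    return buf.getvalue()


def match_events(lookup_csv, events, field, column="Value"):
    """Local stand-in for match(file=..., field=..., column=...): returns the
    events whose `field` equals a lookup `column` value, with the other lookup
    columns merged in (what include=[...] adds in LogScale)."""
    index = {row[column]: row for row in csv.DictReader(io.StringIO(lookup_csv))}
    hits = []
    for event in events:
        row = index.get(event.get(field))
        if row is not None:
            enriched = dict(event)
            enriched.update({k: v for k, v in row.items() if k != column})
            hits.append(enriched)
    return hits


def logscale_match_query(field, filename=LOOKUP_FILENAME):
    """Query to run in the repository once the feed has pushed the file.
    strict=true drops events without a lookup hit; the trailing filter keeps
    only rows the feed marked malicious, since Safe indicators match too."""
    return (
        f'match(file="{filename}", field={field}, column=Value, '
        f'include=[Type, Maliciousness, Source], strict=true) '
        f'| Maliciousness=/^Malicious/'
    )


def upload_lookup(api_url, token, repository, filename, lookup_csv, ca_bundle=None):
    """Push the CSV as a lookup file. ASSUMPTION: LogScale's file upload
    endpoint POST /api/v1/repositories/<repo>/files with a multipart `file`
    field and a Bearer token that may write files in the repository.
    Refuses plain http so the token is never sent in clear text; ca_bundle is
    the CA file used to verify the server certificate (the page's
    "Path to SSL certificate file")."""
    if not api_url.startswith("https://"):
        raise ValueError("refusing to send an API token over plain http")
    import requests  # imported here so the module loads without network deps
    resp = requests.post(
        f"{api_url.rstrip('/')}/api/v1/repositories/{repository}/files",
        headers={"Authorization": f"Bearer {token}"},
        files={"file": (filename, lookup_csv, "text/csv")},
        verify=ca_bundle if ca_bundle else True,
        timeout=30,
    )
    resp.raise_for_status()
    return resp.status_code


if __name__ == "__main__":
    csv_text = build_lookup_csv(SAMPLE_OBSERVABLES)
    print(csv_text)
    # Constructed sample events, e.g. parsed DNS queries.
    events = [
        {"@timestamp": "2024-01-01T00:00:00Z", "query": "bad.example", "src": "10.0.0.5"},
        {"@timestamp": "2024-01-01T00:00:01Z", "query": "cdn.example", "src": "10.0.0.6"},
        {"@timestamp": "2024-01-01T00:00:02Z", "query": "benign.example", "src": "10.0.0.7"},
    ]
    for hit in match_events(csv_text, events, field="query"):
        print(hit["query"], "->", hit["Maliciousness"], "via", hit["Source"])
    print(logscale_match_query("query"))
```

After the feed's first run, run the query returned by logscale_match_query() against a repository event field (for example the DNS query name) to confirm the lookup file is populated and the column names line up; if match() reports an unknown column, the file was created with different headers than the ones the feed writes.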