Documentationbreadcrumb arrow Pluginsbreadcrumb arrow Falcon LogScale data sourcebreadcrumb arrow Configure the Falcon LogScale data source

Configure the Falcon LogScale data source

Add a data source by filling in the following fields:

Basic fields

FieldDescription
NameA name for this particular Falcon LogScale data source.
URLWhere Falcon LogScale is hosted, for example, https://cloud.community.humio.com.
TimeoutHTTP request timeout in seconds.

Mode Selection

The Falcon LogScale data source supports two modes of operation:

  • LogScale (default)

    • Standard mode for Falcon LogScale.
    • Supports token authentication, basic authentication, and OAuth forward.
    • Uses GraphQL API for repository listing and health checks
    • Repositories are dynamically queried from the instance

  • NGSIEM

    • Mode for Falcon NextGen SIEM. Requires OAuth2 client credentials authentication.
    • Provides access to standard NGSIEM repositories: search-all, investigate_view, and third-party.

Authentication fields

FieldDescription
Basic authEnter a Falcon LogScale username and password.
TLS Client AuthBuilt-in option for authenticating using Transport Layer Security.
Skip TLS VerifyEnable to skip TLS verification.
With CredentialsEnable to send credentials such as cookies or auth headers with cross-site requests.
With CA CertEnable to verify self-signed TLS Certs.

Custom HTTP Header Data sources managed by provisioning within Grafana can be configured to add HTTP headers to all requests going to that data source. The header name is configured in the jsonData field, and the header value should be configured in secureJsonData. For more information about custom HTTP headers, refer to Custom HTTP Headers.

LogScale Token Authentication

You can authenticate using your personal LogScale token. To generate a personal access token, log into LogScale and navigate to User Menu > Manage Account > Personal API Token. Then, set or reset your token. Copy and paste the token into the token field.

OAuth2 Client Credentials Authentication

Required for NGSIEM mode

OAuth2 authentication uses the OAuth2 client credentials grant flow to authenticate with the data source. To learn more about CrowdStrike’s OAuth2 authentication, refer to CrowdStrike OAuth2-Based APIs.

To configure OAuth2 Client Credentials authentication:

  1. Select NGSIEM mode in the Mode drop-down (this will automatically enable OAuth2 authentication)
  2. Enter your client ID and client secret in their respective fields.

Forward OAuth Identity

Note: This feature is experimental, which means it may not work as expected, it may cause Grafana to behave in an unexpected way, and breaking changes may be introduced in the future.

Prerequisites

OAuth identity forwarding is only possible with a self-hosted LogScale instance appropriately configured with the same OAuth provider as Grafana. Not all OAuth/OIDC configurations may be supported currently.

With this authentication method enabled, a token will not need to be provided to make use of a LogScale data source. Instead, users that are logged in to Grafana with the same OAuth provider as the LogScale instance will have their token forwarded to the data source and that will be used to authenticate any requests.

Note: Some Grafana features will not function as expected e.g. alerting. Grafana backend features require credentials to always be in scope which will not be the case with this authentication method.

Default LogScale Repository

You can set a default LogScale repository to use for your queries. If you do not specify a default repository, you must select a repository for each query.

Data links allow you to link to other data sources from your Grafana panels. For more information about data links, refer to Data links.

To configure a data link, click the add button in the data links section of the data source configuration page. Fill out the fields as follows:

FieldDescription
FieldThe field that you want to link to. It can be the exact name or a regex pattern.
LabelThis provides a meaningful name to the data link.
RegexA regular expression to match the field value. If you want the entire value, use (.*)
URL or QueryA URL link or query provided to a selected data source. You can use variables in the URLs or queries. For more information on data link variables, refer to Configure data links
Internal linkSelect this option to link to a Grafana data source.

Configure the data source with provisioning

It is possible to configure data sources using configuration files with Grafana’s provisioning system. To read about how it works, including all the settings that you can set for this data source, refer to Provisioning Grafana data sources

Here are some provisioning examples for this data source using basic authentication:

YAML 
apiVersion: 1
datasources:
  - name: Falcon LogScale
    type: grafana-falconlogscale-datasource
    url: https://cloud.us.humio.com
    jsonData:
      mode: LogScale
      defaultRepository: <defaultRepository or blank>
      authenticateWithToken: true
    secureJsonData:
      accessToken: <accessToken>

Provision the data source using NGSIEM:

YAML 
apiVersion: 1
datasources:
  - name: Falcon NGSIEM
    type: grafana-falconlogscale-datasource
    url: https://your-ngsiem-instance.crowdstrike.com
    jsonData:
      mode: NGSIEM
      oauth2: true
      oauth2ClientId: <your-client-id>
      defaultRepository: search-all
    secureJsonData:
      oauth2ClientSecret: <your-client-secret>

Import a dashboard for Falcon LogScale

Follow these instructions for importing a dashboard.

You can find imported dashboards in Configuration > Data Sources > select your Falcon LogScale data source > select the Dashboards tab to see available pre-made dashboards.