Export from Crowdstrike to BigQuery

CloudQuery is an open-source data integration platform that allows you to export data from any source to any destination.

The CloudQuery Crowdstrike plugin allows you to sync data from Crowdstrike to any destination, including BigQuery. It's free, open source, requires no account, and takes only minutes to get started.

Ready? Let's dive right in!

Step 1. Install the CloudQuery CLI

The CloudQuery CLI is a command-line tool that runs the sync. It supports MacOS, Linux and Windows.

brew install cloudquery/tap/cloudquery

Step 2. Configure the Crowdstrike source plugin

Create a configuration file for the Crowdstrike plugin and set up authentication.

Crowdstrike is a community plugin, which means that it is maintained by the CloudQuery community. Create a file called crowdstrike.yaml, then copy the example and follow the instructions in the Crowdstrike Plugin Documentation ↗ to fit your needs.

Step 3. Configure the BigQuery destination plugin

Create a configuration file for the BigQuery plugin and set up authentication.

Configuration

Create a file called bigquery.yaml and add the following contents:

kind: destination
spec:
  name: bigquery
  path: cloudquery/bigquery
  version: "v3.3.6"
  write_mode: "append"
  spec:
    project_id: ${PROJECT_ID}
    dataset_id: ${DATASET_ID}
    # Optional parameters
    # dataset_location: ""
    # time_partitioning: none # options: "none", "hour", "day"
    # service_account_key_json: ""
    # endpoint: ""
    # batch_size: 10000
    # batch_size_bytes: 5242880 # 5 MiB
    # batch_timeout: 10s

This example above expects the following environment variables to be set:

PROJECT_ID - The Google Cloud Project ID
DATASET_ID - The Google Cloud BigQuery Dataset ID

Fine-tune this configuration to match your needs. For more information, see the BigQuery Plugin ↗ page in the docs.

Authentication

The BigQuery plugin authenticates using your Application Default Credentials (opens in a new tab). Available options are all the same options described here (opens in a new tab) in detail:

Local Environment:

gcloud auth application-default login (recommended when running locally)

Google Cloud cloud-based development environment:

When you run on Cloud Shell or Cloud Code credentials are already available.

Google Cloud containerized environment:

When running on GKE use workload identity (opens in a new tab).

Google Cloud services that support attaching a service account (opens in a new tab):

Services such as Compute Engine, App Engine and functions supporting attaching a user-managed service account which will CloudQuery will be able to utilize.

On-premises or another cloud provider

The suggested way is to use Workload identity federation (opens in a new tab)
If not available you can always use service account keys and export the location of the key via GOOGLE_APPLICATION_CREDENTIALS. (Not recommended as long-lived keys are a security risk)

Step 4. Start the Sync

Run the following command in your terminal to start the sync

cloudquery sync crowdstrike.yaml bigquery.yaml

And away we go! 🚀 The sync will run until completion, fetching all selected tables from Crowdstrike. Any errors will be logged to a file called cloudquery.log.