CrowdStrike Falcon LogScale Integration
Integrating NetFlow Optimizer (NFO) with CrowdStrike Falcon LogScale (formerly Humio) provides a high-performance pipeline for network telemetry. By transforming raw NetFlow and IPFIX into a lean, enriched JSON stream, NFO enables real-time visibility and long-term retention of network activity without the prohibitive costs of traditional SIEM ingestion.
The NFO Advantage for LogScale
LogScale is built for speed and massive scale. NFO complements this by ensuring that only high-value, pre-processed data is ingested.
- Significant Volume Reduction: NFO aggregates redundant flow records at the edge—reducing data volume by up to 80% to 90%. This allows you to log every conversation across your infrastructure while staying within your LogScale license limits.
- Instant Context & Enrichment: NFO attaches critical metadata—including DNS names, VM identities, and User IDs—to flow records before they reach your repository. This eliminates the need for complex, time-consuming lookups during active investigations.
- Optimized for Live Search: NFO delivers data in a structured JSON format specifically optimized for LogScale’s index-free architecture, ensuring sub-second query results across terabytes of network data.
How It Works
NFO acts as a high-speed telemetry engine that prepares your network data for modern security operations.
- Ingestion: NFO collects NetFlow, IPFIX, and sFlow from your physical and virtual infrastructure.
- Processing: Data is aggregated to reduce noise and enriched with identity context.
- Output: NFO pushes the enriched JSON logs directly to the LogScale HTTP Event Collector (HEC).
- Investigation: Use the LogScale Query Language (LQL) to search for threats using hostnames and identities instead of just IP addresses.
Get Started
Deployment & Configuration
A step-by-step guide to setting up your LogScale Ingest Token and configuring the NFO HTTP Output to begin the data flow.