Yoshiki Fujiwara(藤原善基)@AWS Community Builder for AWS Community Builders

Posted on Jun 14

Shipping FSx for ONTAP Audit Logs to CrowdStrike Falcon LogScale via HEC — Parser v1.1.0

#aws #crowdstrike #serverless #amazonfsxfornetappontap

Scope note: This article targets CrowdStrike Falcon LogScale HEC ingestion via Amazon FSx for ONTAP S3 Access Points. For on-premises ONTAP or Cloud Volumes ONTAP, the audit log retrieval path differs (e.g., NFS/SMB export or FPolicy), while the parser and HEC delivery model can still be reused. Falcon Next-Gen SIEM connector-based ingestion (via the Falcon console Data Connectors UI) may require a different setup and should be validated separately.

Which path applies to you? If your tenant exposes LogScale repositories and ingest tokens, use the HEC path in this article. If your tenant uses Falcon Next-Gen SIEM Data Connectors, implement this as a connector/parser workflow and validate separately.

TL;DR
Why CrowdStrike LogScale?
Architecture
The HEC Protocol: One Format, Multiple Destinations
Parser v1.1.0: Designed for Speed and Maintainability
FIELD_MAPPING: Zero-Code Adaptation to ONTAP Changes
S3 Access Point Permission Model
Compatibility Verification (Splunk HEC)
LogScale CQL Query Examples
Performance Benchmarks
Deployment
Cost
Data Classification and Privacy
Token and Egress Governance
Production Readiness Checklist
HEC Path vs OTel / Alloy Path
Pipeline Observability
Production Checkpoint Design
Splunk HEC Compatibility Notes
Lessons Learned
What's Next
Partner Discovery Checklist

Validated / Not Yet Validated

Area	Status
Parser unit tests	✅ Verified (108 tests)
Splunk HEC compatibility	✅ Verified
LogScale HEC live ingest	⏳ Pending required LogScale entitlement
LogScale CQL queries	📝 Syntax draft, pending live validation
CrowdStrike UI screenshots	⏳ Pending required LogScale entitlement
Deployment parameterization	✅ Verified — endpoint, HEC path, source, sourcetype, index, memory, timeout are configurable

Live LogScale validation plan (when tenant is available):

Ingest token permission and authentication
HEC ingest success and HTTP response
Repository assignment and data visibility
Parser assignment and field extraction
Timestamp correctness (@timestamp = event time)
CQL query validation against live data
Alert trigger and notification
Dashboard screenshot capture
Fusion SOAR workflow trigger test

TL;DR

For decision makers: CrowdStrike Falcon LogScale receives FSx for ONTAP audit logs via the same HEC (HTTP Event Collector) protocol as Splunk. This means reduced switching cost — you can move between LogScale, Splunk, or any HEC-compatible SIEM without changing your Lambda code. Note: while the HEC wire format is shared, repository/index semantics, parser configuration, query language (CQL vs SPL), alerting rules, and retention policies differ between platforms and require per-platform configuration. Parser v1.1.0 processes 178,000 events/second in parser-only benchmarks. AWS cost: validation estimate ~$1/month under low-volume assumptions.

CrowdStrike pricing note: CrowdStrike licensing and third-party ingestion entitlement vary by contract and product edition. Confirm availability, daily ingest quota, retention, and pricing with your CrowdStrike account team before production planning.

For NetApp teams: This pattern keeps audit data on ONTAP and adds a serverless security analytics path through S3 Access Points, without changing existing SMB/NFS client access or requiring data copies to S3.

For engineers: template.yaml deploys the full stack (Lambda + Scheduler + DLQ + Alarm) in one aws cloudformation deploy command. The parser uses a FIELD_MAPPING table — new ONTAP field names require zero code changes.

FSx for ONTAP → S3 Access Point → EventBridge Scheduler → Lambda
    → CrowdStrike Falcon LogScale (/api/v1/ingest/hec)

This is Part 15 of Serverless Observability for FSx for ONTAP.

Why CrowdStrike LogScale?

Three reasons this combination makes sense:

Unified XDR + File Audit: Falcon EDR endpoint telemetry and FSx file access logs in the same platform. A contractor accessing sensitive files on the NAS? LogScale correlates that with their endpoint behavior.
Index-free architecture: LogScale's index-free architecture reduces index management overhead and is designed for high-scale search workloads. Validate search performance against your own retention, query patterns, and ingest volume.
HEC compatibility: LogScale accepts a Splunk HEC-compatible JSON envelope at /api/v1/ingest/hec. If you're already using Splunk HEC somewhere, the HEC-style JSON envelope is largely reusable, while parser, repository, and query behavior should still be validated per destination.

Architecture

┌─────────────────────────────────────────────────────────────────┐
│ FSx for ONTAP                                                   │
│   vserver audit create -format xml                              │
│   → Audit log files written to audit volume                     │
└──────────────┬──────────────────────────────────────────────────┘
               │ S3 Access Point (read-only)
               ▼
┌─────────────────────────────────────────────────────────────────┐
│ EventBridge Scheduler (every 1–5 minutes)                       │
│   → Invokes Lambda                                              │
└──────────────┬──────────────────────────────────────────────────┘
               │
               ▼
┌─────────────────────────────────────────────────────────────────┐
│ Lambda (Python 3.12, ARM64, 256MB)                              │
│   1. Read new XML files from S3 AP                              │
│      - PoC: checkpoint in SSM Parameter Store                   │
│      - Production: DynamoDB conditional checkpoint              │
│   2. Parse XML → normalize → HEC format                         │
│   3. POST to LogScale /api/v1/ingest/hec                        │
│      Authorization: Bearer <ingest-token>                       │
└──────────────┬──────────────────────────────────────────────────┘
               │ HTTPS (gzip optional)
               ▼
┌─────────────────────────────────────────────────────────────────┐
│ CrowdStrike Falcon LogScale                                     │
│   Repository: fsxn_audit                                        │
│   → Search, dashboards, alerts, correlation with EDR data       │
└─────────────────────────────────────────────────────────────────┘

Real-time path (FPolicy)

For sub-second latency (e.g., ransomware detection), use the FPolicy path:

ONTAP → FPolicy TCP:9898 → ECS Fargate → SQS → Lambda → LogScale

FPolicy sends file operation notifications in real-time — no polling required.

Ransomware response: Treat audit-log polling as an investigation and evidence pipeline. For prevention or near-real-time response, evaluate ONTAP FPolicy external mode and Autonomous Ransomware Protection (ARP) alongside this LogScale integration.

ONTAP Audit Log Lifecycle

Validate ONTAP audit log rotation behavior before production deployment:

How frequently audit logs are rotated (rotate-size / rotate-schedule-minute)
Whether Lambda reads only closed (rotated) files or also active files
Whether existing audit tools require EVTX and whether parallel XML output is feasible
How S3 Access Point LastModified maps to ONTAP file close time
Expected audit volume size per rotation and FSx throughput impact

Format choice: This pipeline uses XML (-format xml) because it can be parsed with Python standard library in Lambda without additional dependencies. EVTX is the FSx for ONTAP default and works well with Windows Event Viewer, but requires EVTX-specific parsing libraries in the Lambda package or Layer.

Existing audit tools: If you already use a batch-based audit log tool that expects EVTX, verify format compatibility before changing ONTAP audit settings. This serverless pipeline is designed for detection and investigation; it is not a drop-in replacement for tools that provide audit summarization, compression, retention workflows, or compliance report templates. Consider a complementary deployment where the existing tool handles audit reporting and this pipeline handles SOC detection and Falcon correlation.

The HEC Protocol: One Format, Multiple Destinations

CrowdStrike LogScale's HEC endpoint (/api/v1/ingest/hec) accepts a Splunk HEC-compatible JSON envelope. The only differences:

Aspect	CrowdStrike LogScale	Splunk
Endpoint	`/api/v1/ingest/hec`	`/services/collector/event`
Auth header	`Authorization: Bearer <token>`	`Authorization: Splunk <token>`
Payload body	Same HEC-style JSON envelope; validate parser/repository behavior per platform	Same HEC-style JSON envelope

This means:

The same Lambda handler can be reused for both by changing the URL, auth header, and destination-specific configuration
You can switch between LogScale and Splunk without modifying event formatting
Testing against a local Splunk Docker validates the HEC payload shape and provides a strong compatibility signal for LogScale; live LogScale ingest still requires tenant validation

HEC Event Format

{
  "time": 1780710900.0,
  "event": {
    "timestamp": "2026-06-06T01:55:00.000000Z",
    "event_type": "4663",
    "source": "fsxn-ontap",
    "svm": "ProductionSVM",
    "user": "CORP\\user-finance-01",
    "client_ip": "10.0.1.50",
    "operation": "File",
    "path": "/share/finance/quarterly-reports/Q2-2026-revenue.xlsx",
    "result": "Audit Success",
    "s3_key": "audit/2026-06-06/events.xml",
    "log_format": "xml"
  },
  "source": "fsxn-ontap",
  "sourcetype": "fsxn:audit:xml",
  "index": "fsxn_audit"
}

time field: Per LogScale HEC docs: "time: Time in seconds since January 1, 1970 in UTC. Is translated to @timestamp on ingestion." Always include this top-level field to ensure correct event timestamp assignment in LogScale. If omitted, LogScale uses ingest time instead of event time.

Multi-tenant note: For MSSP or multi-account deployments, add bounded tenant metadata such as aws_account_id, environment, and customer_alias inside the event object. Avoid putting high-cardinality values into metric dimensions.

Identity enrichment: For stronger Falcon Identity / ITDR correlation, consider splitting user into user_domain and user_name fields, and enriching with SID / UPN / email where possible. IP-only correlation (client_ip) can be unreliable in DHCP, VPN, NAT, and VDI environments.

Portability note: For maximum portability across HEC-compatible destinations, this example keeps searchable attributes inside the event JSON object rather than relying on Splunk-specific fields behavior. LogScale auto-parses JSON event objects into searchable fields. Validate parser and field extraction behavior in your LogScale tenant before depending on any destination-specific metadata fields.

Parser v1.1.0: Designed for Speed and Maintainability

The shared parser (fsxn_log_parser) handles EVTX, XML, and JSON formats. Key design decisions in v1.1.0:

Universal Entry Point

from fsxn_log_parser import parse

result = parse(data, key="audit-2026-06-06.xml", metrics=my_callback)
# result.events  → list of AuditEvent
# result.format  → "xml"
# result.parse_duration_ms → 2.8
# result.event_count → 500

One function handles format detection, parsing, normalization, and metrics — all automatically.

Format Detection (Strategy Pattern)

from fsxn_log_parser import detect_format, register_format

# Built-in: evtx (magic bytes), xml (< prefix), json ([/{ prefix)
fmt = detect_format(data, key="file.xml")  # → "xml"

# Extensible: register custom formats without modifying core code
register_format("custom", lambda data, key: key.endswith(".custom"))

Detection inspects only the first 8–64 bytes — O(1) regardless of file size.

Performance Optimizations

Technique	Impact
`rpartition("}")` for namespace stripping	~15% faster than `split("}")[-1]`
`child.get("Name")` direct access	Avoids `.attrib` dict creation
`BytesIO` for streaming iterparse	Better buffer management
Local `get = event.get` binding	Reduces attribute lookups
Char-count heuristic for streaming threshold	Avoids O(n) `.encode()`
`struct.unpack_from` on buffer	Zero-copy EVTX parsing

XML Parsing and XXE Hardening

try:
    import defusedxml.ElementTree as SafeET
    _parse_xml_string = SafeET.fromstring
except ImportError:
    # Fallback: stdlib ET.fromstring (no XXE protection —
    # for production with untrusted XML, add defusedxml to your Lambda Layer)
    _parse_xml_string = ET.fromstring

FIELD_MAPPING: Zero-Code Adaptation to ONTAP Changes

The biggest maintainability win in v1.1.0:

FIELD_MAPPING = {
    "timestamp": ["TimeCreated_SystemTime", "timestamp"],
    "event_type": ["EventID", "event_type"],
    "svm":       ["Computer", "SVMName", "svm"],
    "user":      ["SubjectUserName", "UserName", "user"],
    "client_ip": ["IpAddress", "ClientIP", "client_ip"],
    "operation": ["ObjectType", "Operation", "operation"],
    "path":      ["ObjectName", "path"],
    "result":    ["Keywords", "Result", "result"],
}

When ONTAP introduces a new field name (e.g., in a version upgrade), you update this table — no code changes required:

# Support new ONTAP field name
FIELD_MAPPING["user"].insert(0, "NewOntapUserField")

The normalize_event function resolves fields by iterating candidates left-to-right, returning the first non-empty value.

S3 Access Point Permission Model

FSx for ONTAP S3 Access Points use a dual-layer authorization model. Per AWS documentation, both the access point policy AND the underlying file system identity permissions must permit the request.

Layer 1: IAM Policy (Lambda execution role)

The Lambda execution role must have s3:GetObject and s3:ListBucket permissions on the access point ARN:

Resource:
  - arn:aws:s3:<region>:<account>:accesspoint/<name>/object/*   # GetObject
  - arn:aws:s3:<region>:<account>:accesspoint/<name>            # ListBucket

Layer 2: S3 Access Point Resource Policy

The access point itself must have a resource policy granting access to the Lambda execution role. Use s3control put-access-point-policy to configure.

Layer 3: File System Identity

FSx for ONTAP maps S3 API calls to NFS/SMB identity. The NFS export policy or NTFS ACLs on the audit volume must allow read access for the mapped identity.

Key implication: If your Lambda gets AccessDenied despite correct IAM, check the access point resource policy and the file system export policy. All three layers must allow the request.

Troubleshooting ListObjectsV2 AccessDenied: Verify both the access point ARN resource (for s3:ListBucket) and the object ARN resource (for s3:GetObject) are present in the Lambda role policy, and confirm the access point resource policy explicitly allows the Lambda execution role.

For production, enforce read-only access consistently across the Lambda IAM policy, the S3 Access Point resource policy, and the mapped FSx file-system identity.

In multiprotocol environments, validate the volume or qtree security style and effective permissions for the S3 Access Point file-system identity. Mixed security-style volumes can produce unexpected access results if effective permissions differ by path.

Compatibility Verification (Splunk HEC)

Note: Live LogScale ingest validation is pending the required CrowdStrike LogScale entitlement.

Since CrowdStrike LogScale's free trial does not include HEC ingest capability (Data Connectors require a paid Next-Gen SIEM license), we validated using Splunk Enterprise Docker — which accepts the same HEC-style JSON envelope used by this implementation.

Step	Result
XML audit log parsing (5 events)	✅ EventID 4663/4656/4660
HEC delivery	✅ HTTP 200 `{"text":"Success","code":0}`
Indexing	✅ `fsxn_audit` index, all events searchable
Field extraction	✅ user, path, client_ip, event_type, result, svm
Splunk Search UI	✅ All fields parsed and filterable

The HEC-style JSON envelope used in this implementation is compatible with Splunk HEC and provides a strong compatibility signal for LogScale HEC. A successful Splunk HEC test validates payload shape, timestamp metadata, and basic delivery behavior. It does not replace live LogScale tenant validation.

LogScale CQL Query Examples

Note: The CQL examples below are intended as starting points. Validate in your LogScale repository after parser assignment and field extraction are confirmed.

Correlation Use Cases

Once audit events are in LogScale, investigate alongside Falcon endpoint telemetry:

Did the same user trigger Falcon endpoint detections near the file access spike?
Did the client host run compression, staging, or cloud upload tools before high-volume reads?
Did identity risk increase before first-seen access to sensitive shares?

Audit Event Count vs Client I/O Count

For SMB, audit event counts are not identical to raw client I/O counts. ONTAP may suppress repeated read/write events on the same object to avoid excessive logging (e.g., EventID 4663 records only the first SMB read and first SMB write per handle). Treat detection thresholds as audit-event baselines, not storage I/O baselines.

SOC Detection Examples

The detection queries below are starter patterns. Validate CQL syntax, field extraction, threshold values, and business context in your LogScale tenant before enabling alerts. Do not enable these as production alerts without baseline tuning — thresholds should be adjusted per share, user population, and normal business activity. The time-bucketing syntax below is illustrative; adjust to your LogScale CQL version and repository parser behavior.

Mass file deletion detection

#repo=fsxn_audit event_type="4660"
| bucket(span=5m)
| groupBy([_bucket, user, client_ip], function=count())
| _count > 50
| sort(_count, order=desc)

First-seen access to sensitive share

#repo=fsxn_audit path=/share/finance/* OR path=/share/hr/* OR path=/share/legal/*
| groupBy([user], function=[min(@timestamp, as=first_seen), count()])
| first_seen > now() - 24h
| sort(first_seen, order=desc)

This detects first-seen access within the repository retention window, not necessarily the user's first access ever.

High-volume file access (possible exfiltration)

High-volume reads may also be caused by backup, indexing, migration, or legitimate batch processing. Correlate with known job schedules before escalating.

#repo=fsxn_audit result="Audit Success"
| bucket(span=1h)
| groupBy([_bucket, user, client_ip], function=count())
| _count > 1000
| sort(_count, order=desc)

Response Automation with Fusion SOAR

After a detection is validated and tuned, connect LogScale alerts to Falcon Fusion SOAR workflows for enrichment and response orchestration. A typical workflow:

Enrich the user and client host context
Check Falcon detections or incidents in the same time window
Check known backup, indexing, or migration job schedules
Notify the SOC channel and storage owner
Escalate to containment or identity action only after human approval

NFS-Friendly Detection Note

For NFS-heavy environments, prefer normalized fields such as operation, path, user, and client_ip rather than Windows-specific event_type values. NFS operations use operation names (e.g., REMOVE, RENAME, READ) that map differently from SMB EventIDs.

Find all file access by a specific user

#repo=fsxn_audit user="CORP\\user-finance-01"
| table([@timestamp, event_type, path, result, client_ip])

Detect unusual access patterns (after-hours access)

#repo=fsxn_audit
| parseTimestamp(field=timestamp, format="yyyy-MM-dd'T'HH:mm:ss")
| hour := formatTime(field=@timestamp, format="HH")
| hour > "19" OR hour < "07"
| groupBy([user, path], function=count())
| sort(_count, order=desc)

Files not accessed in 30 days

#repo=fsxn_audit
| groupBy(path, function=[max(@timestamp, as=last_access)])
| last_access < now() - 30d
| sort(last_access, order=asc)

Failed access attempts (permission issues)

#repo=fsxn_audit result="Audit Failure"
| groupBy([user, path], function=count())
| _count > 3
| sort(_count, order=desc)

Performance Benchmarks

Caveat: The 178K events/sec result is a parser-only microbenchmark. End-to-end throughput depends on S3 Access Point read performance (tied to FSx provisioned throughput), Lambda memory, HEC batching, network latency, LogScale ingest quota, and retry behavior.

Environment: Lambda ARM64 (Graviton) 256MB, Python 3.12
Parser: v1.1.0 (FIELD_MAPPING, iterparse, XXE hardening when defusedxml is packaged)

┌─────────────────────┬──────────┬─────────────────────┐
│ Input               │ Time     │ Throughput          │
├─────────────────────┼──────────┼─────────────────────┤
│ 5 events (2KB)      │ 0.045ms  │ 111,000 events/sec  │
│ 500 events (135KB)  │ 2.8ms    │ 178,000 events/sec  │
│ 5,000 events (1.3MB)│ ~28ms    │ ~178,000 events/sec │
├─────────────────────┼──────────┼─────────────────────┤
│ 1M events/day       │ ~6 sec   │ total daily compute │
└─────────────────────┴──────────┴─────────────────────┘

At 178K events/sec, a 5-minute Lambda invocation can process ~53 million events — far exceeding any realistic FSx for ONTAP audit log volume.

Deployment

# 1. Store ingest token in Secrets Manager
aws secretsmanager create-secret \
  --name "crowdstrike/fsxn-ingest-token" \
  --secret-string '{"ingest_token":"<your-token>"}'

# 2. Deploy stack
aws cloudformation deploy \
  --template-file integrations/crowdstrike/template.yaml \
  --stack-name fsxn-crowdstrike-integration \
  --parameter-overrides \
    FsxS3AccessPointArn=arn:aws:s3:<region>:<account>:accesspoint/<name> \
    LogScaleIngestTokenSecretArn=<secret-arn> \
    LogScaleUrl=https://cloud.us.humio.com \
    HecPath=/api/v1/ingest/hec \
  --capabilities CAPABILITY_NAMED_IAM

# 3. Upload handler code (template creates a placeholder; upload the actual handler)
cd integrations/crowdstrike/lambda && zip function.zip handler.py
aws lambda update-function-code \
  --function-name fsxn-crowdstrike-integration-shipper \
  --zip-file fileb://function.zip

S3 Access Point design: When creating the access point, document the chosen file access type (read-only recommended — Lambda only needs to list and read converted audit logs), file-system user identity (UNIX for UNIX-style volumes, Windows for NTFS), and network configuration (VPC-restricted for production).

ONTAP pre-flight checks (run before Lambda deployment):

vserver audit show -instance and vserver audit show -fields destination,format,events — confirm audit is enabled with XML format

volume show -fields security-style,junction-path — verify audit volume

vserver security file-directory show-effective-permissions — verify read access for the S3 AP identity

Verify the S3 Access Point file-system identity can read the audit log path

Splunk HEC compatibility testing: For local validation without the required LogScale entitlement, set LogScaleUrl to your Splunk Docker endpoint (e.g., https://localhost:8088) and HecPath=/services/collector/event. The payload format is validated against the same HEC envelope.

defusedxml for production: For production XML parsing hardening, include defusedxml in the Lambda deployment package or Lambda Layer.

Recommended CI checks: cfn-lint for template, pytest for parser/handler, dependency vulnerability scan, secret scanning, malicious XML / XXE regression test, and local Splunk HEC integration test.

Time from zero to first HEC-compatible test event in Splunk Docker: ~30 minutes. Live LogScale first-event timing is pending tenant validation.

Production deployment: For production, version the Lambda artifact and promote it across environments through CI/CD. Keep the CloudFormation template, Lambda package, parser version, and dashboard definitions tied to the same release tag. Use SAM build/deploy or a CI pipeline instead of manual update-function-code.

Cost

Component	Monthly
Lambda (5-min schedule, ~1s avg execution)	~$0.50
Secrets Manager	~$0.40
EventBridge Scheduler	~$0.00
S3 AP reads	~$0.05
AWS total	~$1/month

Cost caveats: The AWS estimate assumes Lambda is not in a VPC requiring NAT Gateway, low CloudWatch Logs retention, no custom KMS key, and low retry volume. CrowdStrike licensing cost is excluded. S3 Access Point read cost and performance depend on request volume, object size, and the underlying FSx for ONTAP file system throughput configuration. Additional CloudWatch custom metrics, dashboards, alarms, and log retention may increase AWS cost depending on metric cardinality and retention settings.

LogScale cost, third-party ingestion entitlement, daily ingest quota, and retention depend on your CrowdStrike product edition and contract. Confirm these details with your CrowdStrike account team before production planning.

Daily ingest estimate: daily_gb = events_per_day * avg_event_size_bytes / (1024^3)

Cost optimization options:

Filter low-value event types only after compliance and incident-response sign-off (e.g., handle-close events may be high volume but useful in forensic timelines)
Truncate or hash high-cardinality fields to reduce event size
Compress HEC request payloads (gzip)
Tune ONTAP audit policy scope to relevant shares only

Data Classification and Privacy

FSx for ONTAP audit logs contain information that may be business-sensitive or subject to privacy regulations:

Field	Sensitivity	Example
`user`	PII — identifies individuals	`CORP\user-finance-01`
`client_ip`	Network topology exposure	`10.0.1.50`
`path`	Business-sensitive file paths	`/share/finance/quarterly-reports/Q2-2026-revenue.xlsx`
`svm`	Infrastructure naming	`ProductionSVM`
`timestamp`	Access pattern analysis	Working hours / after-hours

Considerations:

File paths may reveal business operations, project codenames, or M&A activity
Username + path + timestamp combinations enable detailed behavior profiling
IP addresses expose internal network topology
Sending this data to an external platform (CrowdStrike) requires appropriate data processing agreements
Evaluate whether PII redaction (e.g., via OTel Collector transform processor) is required before external transmission
Confirm your organization's data classification policy covers audit log content shipped to third-party SIEMs
Treat the SIEM repository itself as a sensitive data store — file paths, usernames, and timestamps can reveal business activity and user behavior

Future consideration for regulated environments: For healthcare, public sector, or financial services, consider a minimization mode that hashes or drops selected fields (user, client_ip, or full path) before external transmission, while preserving enough metadata for investigation. The OTel Collector transform processor or a pre-processing Lambda can implement field-level redaction.

Example minimization policy:

Keep: event_type, operation, result, svm, timestamp

Hash: user, client_ip

Truncate: path to directory level (replace file names with hashes)

FIELD_MAPPING Masking Strategy (v1.2.0 proposal)

Extend the existing FIELD_MAPPING table with a per-field action parameter:

FIELD_MAPPING = {
    "timestamp": {"keys": ["TimeCreated_SystemTime", "timestamp"], "action": "keep"},
    "user":      {"keys": ["SubjectUserName", "UserName"],         "action": "hash"},
    "client_ip": {"keys": ["IpAddress", "ClientIP"],               "action": "mask_subnet"},
    "path":      {"keys": ["ObjectName", "path"],                  "action": "truncate_dir"},
    "event_type": {"keys": ["EventID", "event_type"],              "action": "keep"},
    "result":    {"keys": ["Keywords", "Result"],                   "action": "keep"},
}

Actions:

keep: Pass through unchanged
hash: hashlib.sha256(salt + value).hexdigest()[:16] — preserves correlation without exposing identity
mask_subnet: 10.0.1.50 → 10.0.1.0/24 — hides host, preserves network segment
truncate_dir: /share/finance/Q2-revenue.xlsx → /share/finance/[REDACTED]

Operational requirement: Maintain a secure lookup table (separate from SIEM) mapping hashed values to originals. This enables authorized investigators to de-anonymize during incident response with dual-approval.

Salt management: The hash salt MUST NOT be hardcoded in Lambda code or environment variables. Store it in AWS Secrets Manager (or derive from KMS GenerateDataKey). Lambda retrieves and caches the salt at cold start via the same auth_cache pattern used for HEC tokens. Rotate the salt quarterly; maintain a salt history table to support lookups against older hashes.

Audit Log Immutability (S3 Object Lock)

For compliance environments requiring tamper-evident audit trails:

S3 Object Lock (COMPLIANCE mode): Once set, even root cannot delete objects before the retention period expires. Suitable for SEC 17a-4, FINRA, FISC.
Governance mode: Allows privileged users to override (suitable for internal policy enforcement without regulatory mandate).

# Enable Object Lock on the audit log bucket (must be set at bucket creation)
aws s3api create-bucket --bucket fsxn-audit-immutable \
  --object-lock-enabled-for-object-lock true

# Set default retention (COMPLIANCE mode, 7 years)
aws s3api put-object-lock-configuration --bucket fsxn-audit-immutable \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}
  }'

Token and Egress Governance

Token Management

Store in Secrets Manager: Never embed HEC ingest tokens in Lambda environment variables or code. Use secretsmanager:GetSecretValue at runtime with caching.
Rotate periodically: Generate new ingest tokens in LogScale and update the Secrets Manager secret. The Lambda's auth_cache module handles reload-on-401/403 automatically.
Least-privilege token scope: Create a dedicated ingest token scoped to the fsxn_audit repository only — not a global token.

Egress Control

Restrict Lambda egress where feasible: If the Lambda runs in a VPC, route outbound traffic through an approved egress path (proxy, firewall, or controlled NAT) and restrict destinations to approved CrowdStrike LogScale endpoints according to your network policy.
Alarm on authentication failures: Set a CloudWatch Metric Filter + Alarm for HTTP 401/403 responses from the HEC endpoint. This detects token expiration, revocation, or misconfiguration early.

Monitoring

# Example: CloudWatch Metric Filter pattern for HEC auth failures
# { $.status_code = 401 || $.status_code = 403 }

Configure a CloudWatch Alarm that triggers on >0 auth failures in a 5-minute window to alert on token issues before data loss occurs.

Production Readiness Checklist

Before promoting this integration from PoC to production:

Validation

[ ] Validate live LogScale ingest — Confirm events appear in the fsxn_audit repository with correct field extraction (pending paid tenant)
[ ] Confirm LogScale repository and ingest token design — Create a dedicated repository, assign the expected parser to the ingest token, document token ownership, rotation, and emergency revocation
[ ] Confirm repository/parser/retention — Verify LogScale repository settings: assigned parser, retention period, ingest quota allocation
[ ] Set top-level HEC time — Ensure Lambda sets epoch-seconds time field on every HEC event (see HEC Event Format section)

Reliability

[ ] Define retry/DLQ/replay strategy — Configure SQS DLQ for failed HEC deliveries; document the replay procedure (see docs/en/runbooks/dlq-replay.md)
[ ] Validate IAM least privilege — Audit Lambda execution role: only s3:GetObject, s3:ListBucket on the AP, secretsmanager:GetSecretValue on the token secret. For checkpoint: PoC uses ssm:GetParameter/PutParameter; production uses DynamoDB (dynamodb:GetItem, PutItem, UpdateItem with condition expressions)
[ ] Confirm token rotation procedure — Test Secrets Manager secret rotation and verify Lambda handles token refresh without data loss
[ ] Estimate daily volume — Calculate expected daily ingest volume (events × avg event size) against the ingest quota and retention terms confirmed for your CrowdStrike tenant
[ ] Enable CloudWatch Alarms — DLQ depth > 0, Lambda error rate > 1%, checkpoint staleness > 15 minutes

Security and Governance

[ ] Confirm tenant isolation model — For MSSP or multi-account: define repository/index separation, token scope, IAM boundary, and customer-specific retention
[ ] Define audit evidence handling — Confirm retention, export procedure, chain-of-custody requirements, and how delivery gaps are detected and explained
[ ] Protect the audit log volume — Confirm audit log volume placement, backup/replication policy, retention, and recovery procedure. Do not place audit log destination on the SVM root volume (root volume content is not replicated in SVM DR). If audit logs are part of regulated evidence, align ONTAP audit log volume protection with the SIEM retention and evidence export policy
[ ] Data classification sign-off — Confirm audit log content classification and external transmission approval (see Data Classification section)
[ ] Egress governance — Implement token storage, rotation, egress restriction, and 401/403 alarming (see Token and Egress Governance section)
[ ] Harden XML parsing — Package defusedxml in the Lambda Layer or fail closed if unavailable (see XML Parsing and XXE Hardening section)
[ ] Define SIEM access governance — Confirm who can search FSx audit logs, who can export results, and how incident evidence is retained
[ ] Define audit reporting workflow — Identify recurring audit reports (monthly access summary, deletion tracking, sensitive folder access), export format, report owner, approval process, and retention period. See also: Existing Audit Tool Coexistence Guide
[ ] Validate audit format coexistence — If an existing audit tool requires EVTX, confirm whether a separate SVM or format migration strategy is needed (ONTAP does not support simultaneous EVTX and XML output per SVM). See coexistence guide

Observability

[ ] Validate delivery SLO measurement — Confirm LogFileAgeSeconds is a suitable proxy for audit log close-to-delivery lag in your environment
[ ] Emit pipeline health metrics — Use CloudWatch EMF or Lambda Powertools Metrics to emit files processed, events parsed, events sent, HEC success/failure, delivery latency, and log file age. Use SQS native metrics for DLQ depth

HEC Path vs OTel / Alloy Path

This article uses the HEC path because Falcon LogScale provides a Splunk HEC-compatible endpoint. For teams that standardize on OpenTelemetry, the same normalized audit events can also be routed through an OTel Collector or Grafana Alloy pipeline.

Use HEC when:

The target SIEM natively supports HEC (LogScale, Splunk)
You want a lightweight Lambda-to-SIEM delivery path
You are validating Splunk / LogScale compatibility

Use OTel / Alloy when:

You need multi-backend routing (e.g., Grafana + Splunk + custom)
You want field transformation, redaction, or sampling before export
You want a common telemetry contract across multiple backends

For OTel / Alloy-based routing, apply minimization before export: hash user and client_ip, truncate path to directory level, and use only bounded low-cardinality attributes such as event_type, operation, and result as metric dimensions when deriving metrics.

High-cardinality warning: Do not promote user, full path, or client_ip to metric labels. Keep them as log fields / event attributes. Use only bounded, low-cardinality dimensions such as environment, region, fsx_file_system_id, event_type, operation, and result. Use svm only if the number of SVMs is bounded and operationally meaningful.

Decision Matrix: Which Path to Choose?

Factor	→ HEC Direct	→ OTel/Alloy
Single SIEM destination (LogScale or Splunk)	✅	—
Minimize infrastructure components	✅	—
Multi-backend fanout needed	—	✅
Field redaction/hashing before external transmission	—	✅
Need trace_id correlation with application traces	—	✅
Already running OTel Collector in environment	—	✅
PoC / validation phase (simplicity first)	✅	—
Regulatory minimization required (hash PII at edge)	—	✅

Start with HEC, evolve to OTel: Most teams start with the HEC direct path (this article) for initial validation, then add an OTel Collector when multi-backend routing or pre-processing needs emerge. The normalized field schema is identical in both paths — switching is a routing change, not a data model change.

Pipeline Observability

Suggested Delivery SLO

99% of audit log files are delivered to the target SIEM within 10 minutes
of being closed by ONTAP. No checkpoint staleness over 15 minutes during
expected audit activity windows.

To measure this SLO, track LogFileAgeSeconds (current_time minus the audit
log object's last modified time from S3 AP). DeliveryLatencyMs only measures
Lambda-side processing and HEC response latency, not end-to-end lag.

Note: LogFileAgeSeconds is a practical proxy for end-to-end lag. Validate
how S3 Access Point LastModified maps to ONTAP audit log rotation / close
timing in your environment.

Pipeline Health Metrics

For production observability, emit pipeline health metrics using CloudWatch Embedded Metric Format (EMF) or AWS Lambda Powertools Metrics.

EMF dimensions: Avoid high-cardinality dimensions such as user, path, client_ip, and s3_key. Use bounded dimensions such as FunctionName, environment, and target.

Metric	Unit	Purpose
`FilesScanned`	Count	Files listed per invocation
`FilesProcessed`	Count	Files successfully parsed and shipped
`EventsParsed`	Count	Total audit events extracted
`EventsSent`	Count	Events successfully delivered to HEC
`HecSuccess`	Count	HTTP 2xx responses
`HecFailure`	Count	HTTP 4xx/5xx responses
`DeliveryLatencyMs`	Milliseconds	Time from S3 read to HEC response
`CheckpointAgeSeconds`	Seconds	Time since last checkpoint advance (derived from checkpoint state; recommended for production)
`DlqMessages`	Count	Messages in dead letter queue (from SQS native metric)
`LogFileAgeSeconds`	Seconds	Time since audit log file was last modified (measures SLO)

Gray Failure Detection

Watch for gray failures, not only hard failures:

HEC returns intermittent 429 / 5xx but Lambda doesn't error
Checkpoint advances slowly but does not stop
DLQ remains empty but delivery latency increases
Event count drops unexpectedly compared to historical baseline

Handle HEC 429 / 5xx with exponential backoff and bounded retries. Do not advance the checkpoint until delivery succeeds or the failed object is safely moved to DLQ for replay.

Observability as Code

For production, manage not only the Lambda pipeline but also dashboards, alarms, metric filters, and runbook links as code. The CloudFormation template should include:

CloudWatch Dashboard for pipeline health
Alarms for DLQ depth, Lambda errors, HEC 401/403, HEC 5xx, checkpoint staleness
Metric filters for authentication failures
Runbook links in alarm descriptions

Splunk HEC Compatibility Notes

For teams using this integration with Splunk (via HecPath=/services/collector/event):

Verification Coverage

Aspect	Status
HEC timestamp (`time` metadata)	✅ Reflected as event time
sourcetype assignment	✅ `fsxn:audit:xml` assigned
source assignment	✅ `fsxn-ontap` assigned
JSON field extraction	✅ All `event` fields searchable
Duplicate replay tolerance	📝 Pending production replay test

HEC Acknowledgement Gap

Splunk HEC provides Indexer Acknowledgement (/services/collector/ack) — a mechanism to confirm events are committed to disk, not just accepted into the ingestion pipeline.

Aspect	Splunk HEC	LogScale HEC
Delivery guarantee	`ackId` confirms disk write	HTTP 200 = accepted (best-effort)
Retry safety	Replay until ack received	No built-in replay mechanism
Data loss window	Zero (if ack used correctly)	Between acceptance and disk flush

Recommendation for production: Use a write-ahead pattern — persist events to S3 (or DynamoDB) before HEC delivery. Treat HEC as best-effort delivery. On failure, replay from the durable store. This pattern works identically for both Splunk and LogScale.

DLQ Replay Strategy

When HEC is unavailable and events accumulate in the DLQ (SQS):

Approach	Pros	Cons	Recommended
Replay DLQ JSON directly to HEC	Fast, no re-parsing	Requires DLQ messages to be complete HEC payloads	✅
Reset checkpoint and re-parse from S3	Guaranteed consistency	Slower, re-reads S3, may re-process already-delivered events	—

Recommended: Store the complete HEC JSON payload in DLQ messages. On recovery, drain the DLQ and POST each message directly to the HEC endpoint. This avoids re-parsing and ensures idempotent delivery (same time + event content).

See docs/en/runbooks/dlq-replay.md for the step-by-step procedure.

SPL vs CQL Query Comparison

For SOC analysts working across both platforms:

Operation	Splunk SPL	LogScale CQL
Time bucket (5 min)	`\	bin _time span=5m`
Top 10 users	`\	top limit=10 user`
Count by user	`\	stats count by user`
Filter + aggregate	`source="fsxn" event_type=4660 \	stats count by user`
Time range	`earliest=-1h latest=now`	Query time picker or `@timestamp > now() - 1h`
String match	`path="finance"`	`path = /share/finance/*` (glob)

Key difference: SPL uses a pipe-forward streaming model where each command transforms the event set sequentially. CQL uses a similar pipe model but with different function names and grouping semantics. The normalized field names (user, path, client_ip, event_type, result) are intentionally aligned so queries translate 1:1 in structure.

Production Checkpoint Design

For production, checkpoint should be advanced only after successful HEC delivery. Use DynamoDB conditional writes to avoid concurrent Lambda invocations advancing the same checkpoint.

DynamoDB Schema

Attribute	Type	Purpose
`file_path`	String (PK)	S3 key of the audit log file
`etag`	String	Object ETag for idempotency
`status`	String	PENDING → PROCESSING → COMPLETED / FAILED
`lease_expiry`	Number (epoch)	Auto-release time for ghost lock prevention
`event_count`	Number	Events successfully delivered
`updated_at`	String (ISO)	For staleness detection
`ttl`	Number (epoch)	Auto-delete COMPLETED records after 7 days

Lease-Based Concurrency Control

Lambda invocation
    │
    ├── DynamoDB ConditionExpression:
    │   "attribute_not_exists(file_path)
    │    OR #s = :failed
    │    OR lease_expiry < :now"
    │
    ├── [Success] → Set status=PROCESSING, lease_expiry=now+15m
    │                → Read S3 → Parse → Ship to HEC
    │                → Set status=COMPLETED
    │
    └── [ConditionalCheckFailed] → Skip (another instance owns it)

Ghost Lock Prevention

If Lambda crashes or times out, the lease_expiry attribute ensures another invocation can reclaim the file after 15 minutes:

# Acquire lease with ghost-lock prevention
table.update_item(
    Key={"file_path": s3_key},
    UpdateExpression="SET #s = :processing, lease_expiry = :expiry, updated_at = :now",
    ConditionExpression=(
        "attribute_not_exists(file_path) OR #s = :failed OR lease_expiry < :now"
    ),
    ExpressionAttributeNames={"#s": "status"},
    ExpressionAttributeValues={
        ":processing": "PROCESSING",
        ":failed": "FAILED",
        ":expiry": int(time.time()) + 900,  # 15 min lease
        ":now": datetime.utcnow().isoformat(),
    },
)

Alarm: Set a CloudWatch alarm when any item has status=PROCESSING for longer than 2× the lease period. This detects systematic Lambda failures that bypass the normal retry path.

Use updated_at to derive CheckpointAgeSeconds for dashboarding and checkpoint staleness alarms.

Multi-SVM / Multi-FileSystem Key Design

For large-scale environments with multiple FSx file systems or SVMs, use a composite partition key to avoid DynamoDB hot partitions:

PK: {fsx_file_system_id}#{svm_name}#{s3_key}

Example: fs-0123456789abcdef0#svm-prod#audit/2026-06-14/events-001.xml

This ensures DynamoDB distributes writes across partitions even at scale (100+ SVMs), avoiding RCU/WCU burst throttling on a single partition.

Catch-up Storm Prevention

After a Lambda outage (hours of accumulated unprocessed files), recovery can cause a burst of S3 AP read requests that impacts FSx ONTAP production workloads.

Mitigations:

Reserved Concurrency = 1: During catch-up, limit Lambda to a single concurrent execution to serialize file processing
Max files per invocation: Cap at 50 files per Lambda run; let the next scheduled invocation handle the rest
Backoff on queue depth: If DynamoDB shows >100 PENDING items, add a 5-second sleep between file reads
Runbook: Document the recovery procedure — temporarily increase ScheduleRate to rate(1 minute) while keeping concurrency at 1

Production Readiness Checklist item: Validate recovery behavior by simulating a 4-hour Lambda outage and measuring S3 AP read throughput during catch-up against the FSx provisioned throughput capacity.

Lessons Learned

1. HEC compatibility is a hidden superpower

By targeting the HEC protocol, we reduced the amount of destination-specific Lambda code needed for LogScale support. The payload envelope remains largely reusable, while repository, parser, query language, alerting, and retention settings still require LogScale-specific validation.

2. The trial doesn't include ingest

CrowdStrike's Falcon EDR trial includes the Next-Gen SIEM UI (read-only search, dashboards) but does NOT include Data Connectors / HEC ingest. The "Add data connector" page returns 404. CrowdStrike trial and licensing behavior may vary by product edition and contract. Confirm Falcon LogScale or Next-Gen SIEM ingest entitlement, daily quota, retention, and pricing with your CrowdStrike account team before production planning.

3. FIELD_MAPPING > hardcoded `.get()` chains

The v1.0.0 parser had 10 lines of chained .get() calls in normalize_event. The v1.1.0 FIELD_MAPPING table:

Makes field resolution self-documenting
Supports new ONTAP versions without code changes
Centralizes all field name knowledge in one place
Is still fast (inner loop uses local get binding)

4. Test with Docker, deploy to Cloud

Splunk Enterprise Docker (splunk/splunk:latest --platform linux/amd64) provides a fully functional HEC in 2 minutes. We used it to validate the HEC-style payload shape before live LogScale tenant validation — at $0 cost.

What's Next

CrowdStrike UI verification: When the required CrowdStrike LogScale or Next-Gen SIEM entitlement is available, capture search screenshots showing FSx audit events with full field extraction
Charlotte AI integration: Using natural language to query audit logs ("show me all file deletions by contractors this week")
Falcon Identity correlation: Cross-referencing file access with AD authentication events for insider threat detection
OTel / Alloy routing option: Add an optional pipeline that routes normalized audit events through OpenTelemetry Collector or Grafana Alloy for multi-backend delivery and field minimization
Existing audit tool coexistence: Explore complementary deployment where existing batch-based tools handle audit reporting and this pipeline handles SOC detection and Falcon correlation
ARP / FPolicy correlation: Correlate LogScale audit events with ONTAP Autonomous Ransomware Protection alerts and FPolicy notifications for ransomware investigation
Falcon content package: Package starter LogScale detections for mass delete, abnormal access volume, after-hours access, and repeated access failures — with metadata (name, required fields, CQL, thresholds, false positives, MITRE mapping, response, tuning notes), dashboards, lookup tables, and Fusion SOAR workflow templates for repeatable deployment
Identity-aware file access graph: Correlate FSx audit logs with AD / IdP authentication events, EDR telemetry, and CloudTrail to build an investigation graph for insider threat and ransomware analysis

Partner Discovery Checklist

Before deployment, validate the following with the customer:

FSx audit configuration (format, rotation, volume location)
S3 Access Point identity and security style
Expected daily event volume and file sizes
SIEM entitlement and daily ingest quota
Retention and compliance requirements
Privacy / PII redaction requirements
Network egress policy and approved endpoints
Audit log format decision (XML for serverless parsing, EVTX for Windows Event Viewer)
Audit destination volume and protection policy (backup, replication, retention)
Volume/qtree security style and effective permissions for S3 AP identity
SMB/NFS audit policy coverage and scope
Existing audit tool deployment: scope, format expectations, reporting use cases, and complementary vs replacement positioning
ARP / FPolicy coexistence with this pipeline

CrowdStrike discovery:

Is the customer using Falcon LogScale repositories or NG-SIEM connectors?
Is HEC ingestion enabled and contractually allowed?
What is the daily ingest entitlement and retention?
Which repository/parser/token will own FSx audit logs?
Who owns detection tuning and alert routing?
Will Fusion SOAR / Charlotte AI be used for investigation workflows?
LogScale repository/view strategy per customer (MSSP)
Ingest token per customer and rotation owner (MSSP)
Parser package ownership and change control

GitHub Repository

Table of Contents