Skip to content

Latest commit

 

History

History
140 lines (105 loc) · 4.37 KB

crowdstrike-falcon.md

File metadata and controls

140 lines (105 loc) · 4.37 KB

CrowdStrike Falcon SIEM Connector - Configuration Guide

Prerequisite

Important

Before using this method, you'll have to contact CrowdStrike Support to enable Streaming APIs on your CrowdStrike account.


1. Create an API Client for the CrowdStrike Falcon Streaming API

1.1. Navigate to Support > API Clients and Keys on the CrowdStrike Falcon Web Console

1.2. Click 'Create API client' under OAuth2 API Clients

1.3. Enter the CLIENT NAME and insert a DESCRIPTION if required

1.4. Set the API SCOPES as follows and Click 'Create'

Scope Read
Event streams ☑️

Important

Copy the 'Client ID' and 'Secret' to a safe place for later use


2. Download the CrowdStrike Falcon SIEM Connector Installation Package

2.1. Navigate to Support > Tool Downloads on the CrowdStrike Falcon Web Console

2.2. Select the appropriate 'Falcon SIEM Connector' installation package and Click on the ⬇️ button under Actions

Note

Supported OS (64-bit only)

  • CentOS/RHEL 7/8
  • Ubuntu 20

3. Install the Falcon SIEM Connector

3.1. Copy the Installation package downloaded in Step 2.2. to the host that will be running the Falcon SIEM Connector

CentOS/RHEL

sudo rpm -Uvh [InstallationPackageName]

Ubuntu

sudo dpkg -i [InstallationPackageName]

Note

The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default


4. Configure the Falcon SIEM Connector

4.1. Select the appropriate config file based on the output format supported by your SIEM

Note

Supported Output types

  • JSON (default)
  • Syslog
  • Common Event Format (CEF)
  • Log Event Extended Format (LEEF)

Preset Config files for each output type can be found in the following locations

Output Type Config File
JSON | Syslog /opt/crowdstrike/etc/cs.falconhoseclient.cfg
CEF /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg
LEEF /opt/crowdstrike/etc/cs.falconhoseclient.leef.cfg

Tip

You can replace the original config file /opt/crowdstrike/etc/cs.falconhoseclient.cfg with the preset config file for CEF /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg

cp /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg /opt/crowdstrike/etc/cs.falconhoseclient.cfg

4.2. Edit the /opt/crowdstrike/etc/cs.falconhoseclient.cfg config file and paste the 'Client ID' and 'Secret' generated in Step 1.4. accordingly

[Settings]
# API Client ID
client_id = <client_id>
# API Client Secret
client_secret =  <secret>

Note

You may also need to edit the 'api_url' and 'request_token_url', depending on where your CrowdStrike instance is located.

Instance api_url / request_token_url
US-1 api.crowdstrike.com
US-2 api.us-2.crowdstrike.com
US-GOV-1 api.lagger.gcw.crowdstrike.com
EU-1 api.eu-1.crowdstrike.com 
[Settings]
api_url = https://<api_url>/sensors/entities/datafeed/v2
request_token_url = https://<request_token_url>/oauth2/token

4.3. Confirm the output format is set to 'syslog'

[Settings]
# Output formats
# Supported formats are
#   1.syslog: will output syslog format with flat key=value pairs uses the mapping configuration below.
;             Use syslog format if CEF/LEEF output is required.
#   2.json: will output raw json format received from FalconHose API (default)
output_format = syslog

4.4. Configure Syslog forwarding

[Syslog]
send_to_syslog_server = true
host = <siem_log_collector_ip>/<siem_log_collector_hostname>
port = 514
protocol = tcp

Note

Available options for Syslog Configuration

Key Value
send_to_syslog_server true | false
protocol tcp | udp

4.5. Start the service

systemctl enable --now cs.falconhoseclientd.service