How to Integrate with your SIEM

Introduction

The Falcon SIEM Connector provides users a turnkey, SIEM-consumable data stream. The Falcon SIEM Connector:

  • Transforms Crowdstrike API data into a format that a SIEM can consume
  • Maintains the connection to the CrowdStrike Event Streaming API and your SIEM
  • Manages the data-stream pointer to prevent data loss

SIEM connector-overview

Prerequisites

Before using the Falcon SIEM Connector, you’ll want to first define the API client and set its scope. Refer to this guide to getting access to the CrowdStrike API for setting up a new API client key. For the new API client, make sure the scope includes read access for Event streams.

SIEM connector event streams scope

The CrowdStrike Falcon SIEM Connector (SIEM Connector) runs as a service on a local Linux server.

The resource requirements (CPU/Memory/Hard drive) are minimal and the system can be a VM.

  • Supported OS (64-bit only):
    • CentOS/RHEL 6.x-7.x
    • Ubuntu 14.x
    • Ubuntu 16.04
    • Ubuntu 18.04
  • Connectivity: Internet connectivity and ability to connect the CrowdStrike Cloud (HTTPS/TCP 443)
  • Authorization: Crowdstrike API Event Streaming scope access
  • Time: The date and time on the host running the Falcon SIEM Connector must be current (NTP is recommended)

Installation and Configuration

To get started, you need to download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon UI.

For a more comprehensive guide, please visit the SIEM Connector Feature Guide.

SIEM Connector Download from tools

Download the package for your operating system to the Linux server you’d like to use.

Open a terminal and run the installation command where <installer package> is the installer that you had downloaded :

  • CentOS:
    sudo rpm -Uvh <installer package>
  • Ubuntu:
    sudo dpkg -i <installer package>

The last step before starting the SIEM Connector is to pick a configuration. There are a couple of decisions to make. The SIEM connector can:

  • Output to a local file (your SIEM or other tools would have to actively read from that file)
  • Output to a syslog server (most modern SIEMs have a build in syslog receiver)
  • Output to a format such as CEF or LEEF for your SIEM

Here is a flow diagram of how to pick the right configuration file:

SIEM Connector configuration flow

To get you started, we’ll use the default output to a JSON file and only change the Client ID and Client Secret. Since we’re just going to be testing with a single SIEM Connector, the app_id can stay as the default. 

Open the SIEM Connector config file with sudo and your favorite editor and change the client_id and client_secret options:

/opt/crowdstrike/etc/cs.falconhoseclient.cfg

SIEM Connector configuration file

Once you save the configuration file you can start the SIEM connector service with one of the following commands:

  • CentOS:
    sudo service cs.falconhoseclientd start
  • Ubuntu 14.x:
    sudo start cs.falconhoseclientd
  • Ubuntu 16.04 and later:
    sudo systemctl start cs.falconhoseclientd.service

To verify that your setup was correct and your connectivity has been established, you can check the log file with the following command:

tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log

You should see a Heartbeat. If you see an error message that mentions the access token, double check your Crowdstrike API Client ID and Secret.

Tail for heartbeat

Conclusion

The process above shows how to get started with the CrowdStrike Falcon SIEM Connector. There are many more options for this connector (using a proxy to reach the streaming API, custom log formats and syslog configurations, etc.) that can be found in the “SIEM Connector Feature Guide” as part of the Documentation package in the Falcon UI.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial