How to Set Up the CrowdStrike Falcon SIEM Connector

Introduction

The Falcon SIEM Connector provides users a turnkey, SIEM-consumable data stream. The Falcon SIEM Connector:

  • Transforms Falcon Streaming API data into a format that a SIEM can consume
  • Maintains the connection to the CrowdStrike Falcon Streaming API and your SIEM
  • Manages the data-stream pointer to prevent data loss


Prerequisites

Before using the Falcon SIEM Connector, you must contact support@crowdstrike.com to enable access to the Falcon Streaming API (formerly the “Falcon Firehose API”). Learn more about how to get access to CrowdStrike APIs.

The CrowdStrike Falcon SIEM Connector (SIEM Connector) runs as a service on a local Linux server. The resource requirements (CPU/Memory/Hard drive) are minimal. The system can be a VM.

  • OS: CentOS/RHEL 6.x-7.x (64-bit)
  • Connectivity: Internet connectivity and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443)
  • Time: The date and time on the host running the Falcon SIEM Connector must be current (NTP is recommended)

Installation and Configuration

1: To get started, you need to download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon UI (https://falcon.crowdstrike.com/login/).
It is also advisable to download the latest Documentation package to have the “Falcon SIEM Connector Feature Guide” available as a reference.

2: Once downloaded, please unzip the package and make sure you see a file called:

cs.falconhoseclient-x.x.x-x.el7.centos.x86_64.rpm

You then need a way to transfer the file onto your Linux server; one of many options is the free tool WinSCP. Place the file under /opt, then connect to the server's command line over SSH (for example with PuTTY).

3: Install the SIEM Connector as “root” on the server. Because this installs vendor software as root, make sure the package you copied over is the one you downloaded from the Falcon UI. The installation itself is simple and automated:

cd /opt
rpm -Uvh cs.falconhoseclient-1.0.32-1.el7.centos.x86_64.rpm

(adjust the file name to the version of the SIEM Connector you are installing).

The installer creates a new directory, /opt/crowdstrike, with three subdirectories:

  • bin/ holds the binary of the actual service, as well as the API offset file (the data-stream pointer mentioned above)
  • etc/ holds the configuration file(s)
  • log/ holds the log file as well as the default local output file

4: The last step before starting the SIEM Connector is to pick a configuration. There are a couple of decisions to make. The SIEM Connector can:

  • Output to a local file (your SIEM or other tools then have to actively read that file)
  • Output to a syslog server (most modern SIEMs have a built-in syslog receiver)

You also need to decide whether your SIEM needs a format such as CEF or LEEF, or whether you need to customize the output format.

Here is a flow diagram of how to pick the right configuration file:

[Flow diagram: picking the right configuration file]

For this example, and to get you started, we will use the default configuration and only change the API key and UUID. The app_id can stay at the default if you only plan on using one SIEM Connector. Open the file

/opt/crowdstrike/etc/cs.falconhoseclient.cfg

in your favorite editor and change the settings at the top of the file. Because the file now contains your API credentials, restrict it so that only root can read it.

[Screenshot: the settings at the top of cs.falconhoseclient.cfg]

Once you save the configuration file you can start the SIEM connector service with the following command:

/etc/init.d/cs.falconhoseclientd start
or alternatively via
service cs.falconhoseclientd start

To verify that your setup is correct and that connectivity has been established, watch the connector's log:

tail -f /opt/crowdstrike/log/cs.falconhoseclient.log

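The steps above, wrapped in a script with the checks a practitioner wants around them: refuse a package whose name does not match the documented pattern, run rpm's own digest/signature check, warn if no time daemon is running, confirm outbound HTTPS to the CrowdStrike cloud, refuse to start while credentials are still empty, and make the configuration file root-only because it holds the API key. This is an added example, not CrowdStrike's own tooling. The paths, package name, service name and log file are the ones from this article; the subcommand names, the function names and the credential key names checked in the cfg (api_key, api_uuid) are assumptions of the example, so substitute the key names used in your version of the file.

```shell
#!/bin/bash
# Added example (not CrowdStrike's tooling): install, harden and start the
# Falcon SIEM Connector with pre-flight checks. Paths, package name, service
# name and log file come from the article; the subcommands and the cfg key
# names api_key / api_uuid are assumptions of this script.
set -u

CS_ROOT=/opt/crowdstrike
CS_CFG="$CS_ROOT/etc/cs.falconhoseclient.cfg"
CS_LOG="$CS_ROOT/log/cs.falconhoseclient.log"
CS_SVC=cs.falconhoseclientd

# Accept only a package whose name matches the documented pattern
# cs.falconhoseclient-<version>-<release>.el7.centos.x86_64.rpm.
check_rpm_name() {
    case "$(basename -- "$1")" in
        cs.falconhoseclient-[0-9]*.el7.centos.x86_64.rpm) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the names of the given cfg keys whose value is
# still empty (a line like "api_key = " with nothing after the '=').
cfg_unset_keys() {
    cfg=$1; shift
    for key in "$@"; do
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$cfg" | head -n 1)
        [ -n "$val" ] || echo "$key"
    done
}

# The cfg holds the streaming API credentials: make it readable by root only.
harden_cfg() {
    chown root:root "$1" 2>/dev/null || true   # fails harmlessly when not root
    chmod 0600 "$1"
    [ "$(stat -c %a "$1")" = "600" ]
}

preflight() {
    rpm_file=$1
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; return 1; }
    check_rpm_name "$rpm_file" || { echo "unexpected package name: $rpm_file" >&2; return 1; }
    # rpm -K verifies the package digests and, if the vendor key is imported, its signature.
    rpm -K "$rpm_file" || echo "warning: rpm -K could not fully verify $rpm_file" >&2
    # The connector needs a correct clock; warn if no time daemon is running.
    pgrep -x ntpd >/dev/null || pgrep -x chronyd >/dev/null \
        || echo "warning: neither ntpd nor chronyd is running" >&2
    # Outbound HTTPS to the CrowdStrike cloud (the cfg names the real API endpoint).
    curl -sS -o /dev/null --max-time 10 https://falcon.crowdstrike.com/ \
        || { echo "cannot reach the CrowdStrike cloud on TCP 443" >&2; return 1; }
}

install_connector() {
    preflight "$1" || return 1
    rpm -Uvh "$1"
    echo "now set the credentials in $CS_CFG, then run: $0 start"
}

start_connector() {
    missing=$(cfg_unset_keys "$CS_CFG" api_key api_uuid)   # assumed key names
    if [ -n "$missing" ]; then
        echo "still unset in $CS_CFG: $(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    harden_cfg "$CS_CFG"
    service "$CS_SVC" start
    sleep 5
    tail -n 20 "$CS_LOG"
}

case "${1:-}" in
    install) install_connector "${2:?usage: $0 install <rpm>}" ;;
    start)   start_connector ;;
esac
```

Run it as root in two passes: first with the install subcommand and the path to the RPM, then, after editing the credentials into the cfg, with the start subcommand. The start pass refuses to run while any checked key is empty, so a connector never starts with placeholder credentials, and it tightens the cfg permissions before the service reads the file.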

Conclusion

The process above shows how to get started with the CrowdStrike Falcon SIEM Connector. There are many more options for this connector (using a proxy to reach the streaming API, custom log formats and syslog configurations, etc.) that can be found in the “Falcon SIEM Connector Feature Guide” as part of the Documentation package in the Falcon UI.
