Crowdstrike Falcon

Crowdstrike Falcon is a cloud-based platform that provides endpoint protection across your organization. If you currently use Crowdstrike Falcon, you can configure the Falcon SIEM Connector to send events to InsightIDR where you can generate investigations around that data. Alternatively, you can configure a cloud event source to retrieve data from the Crowdstrike Falcon API.

InsightIDR collects Alerts (Cloud Connection method only) and DetectionSummaryEvents (Collector method only) from Crowdstrike Falcon.

To set up Crowdstrike Falcon:

  1. Read the requirements and complete any prerequisite steps.
  2. Use either the Cloud Connection method or the Collector method to configure Crowdstrike Falcon to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Requirements

Before you can set up a Crowdstrike Falcon event source you'll need:

  • A Crowdstrike Falcon account with administrator access.
    • Note that you'll configure InsightIDR to use the Crowdstrike Event Streams (eStream) API to pull alerts from the /alerts endpoint.
  • To collect Alerts using the Cloud Connection method, you must first install the Raptor release of Crowdstrike Falcon. For more information, contact Crowdstrike Customer Support at: https://supportportal.crowdstrike.com.

Configure Crowdstrike Falcon to send data to InsightIDR for Cloud Connection method

This step is only required if you are utilising the Cloud Connection method.

To ensure InsightIDR can receive data from Crowdstrike Falcon, you must configure your event source.

To obtain credentials from Crowdstrike:

This task is only required if you're using the Cloud Connection (API) collection method. If you are using another collection method and are not sure how to set it up, contact Crowdstrike Customer Support at: https://supportportal.crowdstrike.com

  1. In your Crowdstrike Falcon environment, sign into the Management Console as an admin-level user.
  2. Go to Support and resources > API clients and keys.
  3. Create a new API client.
  4. Select Read access for Alerts and Read access for Event Streams.
  5. Take note of the Client ID and Secret.

Configure the Falcon SIEM Connector for the Collector method

This step is only required if you are utilising the Collector method.

HP ArcSight Common Event Format (CEF) facilitates communication between devices by defining a syntax for log records. In order to send events to InsightIDR, you must modify certain settings in the default CEF file.

  1. Open the default CEF configuration file located in /opt/crowdstrike/etc/.
  2. Rename /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
  3. If you have the line cat = event.DetectName in your config file, you should update it to cat = event.Tactic.
  4. Make the following changes to the config file:

     output_format=syslog
     output_to_file=true/false
     output_path=<filepath>
     act = event.Technique
     reason = event.Objective
     outcome = event.PatternDispositionDescription
     CSMTRPatternDisposition = event.PatternDispositionValue

  5. If you plan to use a proxy to connect to the Falcon Firehose endpoint, update http_proxy=<protocol>://<host>:<port> in your config file. Otherwise, update the Logging section.
  6. To configure your collector as a Syslog server, update the Syslog section to:

     send_to_syslog_server=true
     host=<collector ip>
     port=<listening port>
     protocol=udp/tcp

  7. Start the service: # service cs.falconhoseclientd start

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select Crowdstrike Falcon

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
     • Search for Crowdstrike Falcon in the event sources search bar.
     • In the Product Type filter, select Third Party Alerts.
  3. Select Crowdstrike Falcon.

Task 2: Set up your collection method

There are two methods of collecting data from Crowdstrike Falcon: through a cloud connection or through a collector.

New credentials are required for cloud event sources

You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will become the name of the log that contains the event data in Log Search.
  3. Optionally, select the option to send unparsed data.
  4. Select your LDAP Account Attribution preference:
     • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
     • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Click Add a New Connection.
  7. In the Create a Cloud Connection screen, enter a name for the new connection.
  8. In the Client ID field, enter the Client ID that you obtained in the previous section, Configure Crowdstrike Falcon to send data to InsightIDR for Cloud Connection method.
  9. In the Region field, enter the region of your Crowdstrike Falcon instance.
  10. In the Client Secret field, add a new credential:
     • Name your credential.
     • Describe your credential.
     • Select the credential type.
     • Enter the Secret that you obtained in the previous section, Configure Crowdstrike Falcon to send data to InsightIDR for Cloud Connection method.
  11. Click Save Connection.
  12. Click Save.

Use the Collector method

  1. In the Add Event Source panel, select Run On Collector.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Crowdstrike Falcon.
  3. Optionally, select the option to send unparsed data.
  4. Choose the collector with the IP address that is specified in the cs.falconhoseclient.cfg file.
  5. Enter the same listening port and protocol that is specified in the cs.falconhoseclient.cfg file.
  6. Click Save.
  7. Start the SIEM Connector service by running /etc/init.d/cs.falconhoseclientd start or service cs.falconhoseclientd start.
  8. To verify that your setup was correct and your connectivity has been established, you should tail the cs.falconclient.log file. This log file may be in /var/log/crowdstrike/falconhoseclient or /opt/crowdstrike or another folder depending on how you installed the Falcon SIEM Connector.

Test the configuration

The event IDs that InsightIDR parses are:

  • Alerts
  • DetectionSummaryEvents

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. In the Log Search filter panel, search for the event source you named in Task 2. Crowdstrike Falcon logs should flow into the log set: Third Party Alerts.
  2. Select the log sets and the logs within them.
  3. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values displayed are useful to know when you build a query to search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default and appears under the log set: Third Party Alerts.

Here are two typical log entries that are created by the event source:

Alert event

    {
      "activity_id": "3D14C6B6-XXXX-460EC4FCD27D",
      "aggregate_id": "aggind:dca1XXXX1660:097877B9-C71F-42C7-A836-2944D119B6CB",
      "cid": "0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
      "composite_id": "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
      "confidence": 30,
      "context_timestamp": "2022-05-15T10:32:00.000Z",
      "created_timestamp": "2022-05-15T11:34:56.887790892Z",
      "description": "User access from an unusual location",
      "display_name": "Unusual user geolocation",
      "end_time": "2022-05-15T10:32:00.000Z",
      "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/dca1xxxx1660",
      "id": "ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
      "location_country_code": "US",
      "name": "AnomalousGeoLocationAccess",
      "objective": "Gain Access",
      "okta_application_id": "0oa1xxxxL5d7",
      "pattern_id": 51125,
      "product": "idp",
      "scenario": "machine_learning",
      "severity": 31,
      "show_in_ui": true,
      "source_account_name": "demo.user@example.com",
      "source_account_okta_id": "00u4xxxxf5d7",
      "source_endpoint_address_ip4": "192.0.2.100",
      "source_endpoint_ip_address": "192.0.2.100",
      "sso_application_identifier": "Okta Admin Console",
      "sso_application_uri": "0oa1xxxxL5d7",
      "start_time": "2022-05-15T10:32:00.000Z",
      "status": "new",
      "tactic": "Initial Access",
      "tactic_id": "TA0001",
      "technique": "Valid Accounts",
      "technique_id": "T1078",
      "timestamp": "2022-05-15T10:34:56.509Z",
      "type": "xdr",
      "updated_timestamp": "2022-05-15T11:34:56.887790892Z"
    }

DetectionSummaryEvent event

    CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Exploit|4|externalId=123456fdfbb789db61cc398ef01c1377 cn2Label=ProcessId cn2=28039534917112 cn1Label=ParentProcessId cn1=27874350988291 dhost=RPD07_01 duser=N/A msg=Detected and blocked a heap spray attempt, which was likely part of an attempted exploit. fname=Acrobat.exe filePath=\Device\HarddiskVolume2\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat cs5Label=CommandLine cs5="C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe" -Embedding fileHash=1f3f9a0bbda9b383e1e248b35f1b81ea dntdom=N/A cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/777049fdfbb746db61cc398ef01c1377/395223296275?_cid\=e9f0d5fbbee04aa1a6593f1f465d9fb8 cn3Label=Offset cn3=24813 rt=1594167159000 src=10.80.153.236 smac=12-f5-71-cc-f6-3c cat=Exploit act=Exploit Mitigation reason=Falcon Detection Method outcome=1024 CSMTRPatternDisposition=Prevention, operation blocked
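As an added example (not part of the Rapid7 or CrowdStrike documentation), the Python below parses a CEF line of the shape the Falcon SIEM Connector emits and lifts out the fields that the cs.falconhoseclient.cfg mapping above populates (cat, act, reason, outcome, CSMTRPatternDisposition). The sample record is constructed in the shape of the DetectionSummaryEvent above with hypothetical values; note that it handles the escaped `\=` inside the FalconHostLink URL and the unescaped Windows path backslashes.

```python
"""Parse a Falcon SIEM Connector CEF line (DetectionSummaryEvent) into fields."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the DetectionSummaryEvent above (hypothetical values).
SAMPLE = (
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Exploit|4|"
    "externalId=123456fdfbb789db61cc398ef01c1377 dhost=RPD07_01 duser=N/A "
    "msg=Detected and blocked a heap spray attempt, which was likely part of an attempted exploit. "
    'cs5Label=CommandLine cs5="C:\\Program Files (x86)\\Adobe\\Acrobat 11.0\\Acrobat\\Acrobat.exe" -Embedding '
    "cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/"
    "777049fdfbb746db61cc398ef01c1377/395223296275?_cid\\=e9f0d5fbbee04aa1a6593f1f465d9fb8 "
    "rt=1594167159000 src=10.80.153.236 cat=Exploit act=Exploit Mitigation "
    "reason=Falcon Detection Method outcome=1024 CSMTRPatternDisposition=Prevention, operation blocked"
)
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a run of word characters at the start of the extension or after
# whitespace, directly followed by "="; an escaped "\=" inside a value never matches.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    # CEF escapes "=" and "\" inside extension values; a lone "\" (e.g. \Device\...) stays.
    return re.sub(r"\\([=\\])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Return the seven header fields plus an 'extension' dict of key/value pairs."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # split on unescaped pipes
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    event["version"], event["severity"] = event["version"][4:], int(event["severity"])
    ext, keys, extension = parts[7], list(KEY_RE.finditer(parts[7])), {}
    for i, m in enumerate(keys):  # a value runs from its key to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    event["extension"] = extension
    return event


def summarise(line: str) -> dict:
    """Lift the fields the cfg mapping in this guide populates (cat, act, reason, outcome...)."""
    ev = parse_cef(line)
    ext = ev["extension"]
    when = datetime.fromtimestamp(int(ext.get("rt", "0")) / 1000, tz=timezone.utc)
    return {"host": ext.get("dhost"), "src": ext.get("src"), "severity": ev["severity"],
            "tactic": ext.get("cat"), "technique": ext.get("act"), "objective": ext.get("reason"),
            "outcome": ext.get("outcome"), "disposition": ext.get("CSMTRPatternDisposition"),
            "detected_at": when.isoformat(), "link": ext.get("cs6")}
```

The same parser can be pointed at the cs.falconclient.log output file when output_to_file=true, which is a quick way to confirm the act/reason/outcome mappings took effect before the events reach the collector.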