Crowdstrike Falcon

Crowdstrike Falcon is a cloud-based platform that provides endpoint protection across your organization. If you currently use Crowdstrike Falcon, you can configure the Falcon SIEM Connector to send events to InsightIDR where you can generate investigations around that data.

When Crowdstrike Falcon is configured as an event source in InsightIDR, it parses detection summary events (DetectionSummaryEvent) and creates alerts only for those with a severity of 4 or 5.

InsightIDR ignores the events that mention either Machine Learning or quarantined_file_update.
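The two triage rules above (DetectionSummaryEvent with severity 4 or 5, and nothing that mentions Machine Learning or quarantined_file_update) can be reproduced locally to check what the connector is actually forwarding. The script below is an added example, not InsightIDR or CrowdStrike code: it parses standard ArcSight CEF lines and applies those rules. It assumes the event type is carried in the CEF Name header field and the Falcon severity (1 to 5) in the CEF Severity field; the sample lines are constructed, with the cat/act/reason/outcome keys following the mappings the configuration steps on this page set up.

```python
"""Apply InsightIDR's documented Falcon CEF triage rule to sample events.

Added example (not InsightIDR or CrowdStrike code). Assumptions:
- events are standard CEF lines from the Falcon SIEM Connector;
- the event type sits in the CEF Name field and the Falcon severity
  (1-5) in the CEF Severity field;
- SAMPLE_EVENTS below are constructed, not captured from a real tenant.
"""
import re

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed sample events following the cat/act/reason/outcome mapping.
SAMPLE_EVENTS = [
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DetectionSummaryEvent|5|"
    "cat=Credential Access act=OS Credential Dumping reason=Gain Access "
    "outcome=Process would have been blocked. dhost=host-a suser=alice",
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DetectionSummaryEvent|2|"
    "cat=Persistence act=Registry Run Keys reason=Keep Access dhost=host-b",
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|DetectionSummaryEvent|4|"
    "cat=Machine Learning act=Adware/PUP reason=Falcon Detection dhost=host-c",
    "CEF:0|CrowdStrike|FalconHost|1.0|quarantined_file_update|quarantined_file_update|5|"
    "act=quarantine dhost=host-d",
    "CEF:0|CrowdStrike|FalconHost|1.0|UserActivityAuditEvent|UserActivityAuditEvent|5|"
    "act=userRoleModified suser=admin",
]


def _unescape(value):
    """Undo CEF backslash escaping (\\|, \\=, \\\\, \\n, \\r) in a field."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces.

    A value ends where whitespace followed by a new 'key=' token begins;
    keys are restricted to [A-Za-z0-9_.] so an escaped '\\=' inside a value
    is not mistaken for a key boundary.
    """
    pairs = re.findall(r"([A-Za-z0-9_.]+)=(.*?)(?=\s[A-Za-z0-9_.]+=|$)", ext)
    return {k: _unescape(v) for k, v in pairs}


def parse_cef(line):
    """Split one CEF line into its seven header fields plus the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split on '|' unless it is escaped; the 8th piece is the extension.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    event["extension"] = parse_extension(parts[7])
    event["raw"] = line
    return event


def should_alert(event):
    """True if the page's rule says InsightIDR would alert on this event."""
    if event["name"] != "DetectionSummaryEvent":
        return False
    if not event["severity"].isdigit() or int(event["severity"]) not in (4, 5):
        return False
    # Anything mentioning Machine Learning or quarantined_file_update is ignored.
    if "Machine Learning" in event["raw"] or "quarantined_file_update" in event["raw"]:
        return False
    return True


def triage(lines):
    """Partition CEF lines into (alerts, ignored) parsed events."""
    alerts, ignored = [], []
    for line in lines:
        event = parse_cef(line)
        (alerts if should_alert(event) else ignored).append(event)
    return alerts, ignored


if __name__ == "__main__":
    alerted, dropped = triage(SAMPLE_EVENTS)
    for ev in alerted:
        print("ALERT ", ev["severity"], ev["extension"].get("act"), ev["extension"].get("dhost"))
    for ev in dropped:
        print("ignore", ev["severity"], ev["name"])
```

Run against the real connector output with `tail -f /opt/crowdstrike/log/cs.falconhoseclient.log | python3 script.py` style piping once the path and field assumptions have been confirmed against a few live lines.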

In order to set up Crowdstrike Falcon, you’ll need to:

  1. Configure the Falcon SIEM Connector and start the service.
  2. Set up the Crowdstrike Falcon event source in InsightIDR.
  3. Verify the configuration works.

Before You Begin

Configure the Falcon SIEM Connector

HP ArcSight Common Event Format (CEF) facilitates communication between devices by defining a syntax for log records. In order to send events to InsightIDR, you must modify certain settings in the default CEF file.

  1. Open the default CEF configuration file located in /opt/crowdstrike/etc/.
  2. Rename /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
  3. If you have the line cat = event.DetectName in your config file, you should update it to cat = event.Tactic.
  4. Make the following changes to the config file:

       output_format=syslog
       output_to_file=true/false
       output_path=<filepath>
       act = event.Technique
       reason = event.Objective
       outcome = event.PatternDispositionDescription
       CSMTRPatternDisposition = event.PatternDispositionValue
  5. If you plan to use a proxy to connect to the Falcon Firehose endpoint, update the http_proxy=://: line in your config file. Otherwise, update the Logging section.
  6. Configure your collector as a syslog server and update the Syslog section to:

       send_to_syslog_server=true
       host=<collector ip>
       port=<listening port>
       protocol=udp/tcp

  7. Start the service: # service cs.falconhoseclientd start.
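Before starting the service it is worth checking that none of the placeholders from the steps above were left in place, since a stale cat = event.DetectName line or a literal protocol=udp/tcp silently breaks parsing on the InsightIDR side. The script below is an added example, not Rapid7's or CrowdStrike's code. Its two config texts are constructed; the section names ([Settings], [CEF], [Syslog], [Logging]) are an assumption about the connector's INI layout, which is why every check looks a key up across all sections rather than hard-coding where it lives.

```python
"""Check a cs.falconhoseclient.cfg against the settings this page requires.

Added example (not Rapid7's or CrowdStrike's code). GOOD_CFG and STALE_CFG
are constructed; their section names are an assumption, so lookups scan
every section instead of relying on a particular one.
"""
import configparser
import ipaddress
import re

# Constructed config that satisfies every step on this page.
GOOD_CFG = """\
[Settings]
output_format=syslog
output_to_file=false
output_path=/var/log/crowdstrike/falconhoseclient/output
http_proxy=

[CEF]
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionDescription
CSMTRPatternDisposition = event.PatternDispositionValue

[Syslog]
send_to_syslog_server=true
host=10.0.0.5
port=5140
protocol=udp

[Logging]
log_level=info
"""

# Constructed config with defaults and placeholders left untouched.
STALE_CFG = """\
[Settings]
output_format=json
output_to_file=true
output_path=<filepath>
http_proxy=://:

[CEF]
cat = event.DetectName
act = event.Technique

[Syslog]
send_to_syslog_server=false
host=<collector ip>
port=<listening port>
protocol=udp/tcp
"""

# Field mappings the page tells you to set (cat replaces event.DetectName).
REQUIRED_CEF_MAPPINGS = {
    "cat": "event.Tactic",
    "act": "event.Technique",
    "reason": "event.Objective",
    "outcome": "event.PatternDispositionDescription",
    "CSMTRPatternDisposition": "event.PatternDispositionValue",
}


def load_cfg(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of CSMTRPatternDisposition
    cp.read_string(text)
    return cp


def lookup(cp, key):
    """Return key's value from whichever section defines it, else None."""
    for section in cp.sections():
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def check_config(text):
    """Return a list of problems; an empty list means the file matches the page."""
    cp = load_cfg(text)
    problems = []

    def expect(key, wanted):
        got = lookup(cp, key)
        if got != wanted:
            problems.append(f"{key}={got!r}, expected {wanted!r}")

    expect("output_format", "syslog")
    expect("send_to_syslog_server", "true")
    for key, wanted in REQUIRED_CEF_MAPPINGS.items():
        expect(key, wanted)

    out_to_file = lookup(cp, "output_to_file")
    if out_to_file not in ("true", "false"):
        problems.append(f"output_to_file={out_to_file!r}, expected true or false")
    elif out_to_file == "true" and (lookup(cp, "output_path") or "").startswith("<"):
        problems.append("output_to_file=true but output_path is still the <filepath> placeholder")

    host = lookup(cp, "host")
    try:
        ipaddress.ip_address(host)  # the collector must be given by IP address
    except ValueError:
        problems.append(f"host={host!r} is not an IP address")

    port = lookup(cp, "port")
    if not (port and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"port={port!r} is not a valid listening port")

    if lookup(cp, "protocol") not in ("udp", "tcp"):
        problems.append(f"protocol={lookup(cp, 'protocol')!r}, expected udp or tcp")

    proxy = lookup(cp, "http_proxy")  # optional; if set it must be scheme://host:port
    if proxy and not re.fullmatch(r"[a-z]+://[^\s:/]+:\d{1,5}", proxy):
        problems.append(f"http_proxy={proxy!r} is not scheme://host:port")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CFG), ("stale", STALE_CFG)):
        print(name, check_config(text) or "OK")
```

To use it on a live host, replace the constructed text with `open("/opt/crowdstrike/etc/cs.falconhoseclient.cfg").read()` and run it before step 7; the listening port and protocol it reports are the values you will enter again when adding the event source in InsightIDR.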

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Crowdstrike Falcon in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Crowdstrike Falcon event source tile.
  4. Choose the collector with the IP address that is specified in the cs.falconhoseclient.cfg file.
  5. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  6. Enter the same listening port and protocol that is specified in the cs.falconhoseclient.cfg file.
  7. Click Save.

Verify the Configuration

  1. Start the SIEM Connector service by running /etc/init.d/cs.falconhoseclientd start or service cs.falconhoseclientd start.

  2. To verify that your setup was correct and your connectivity has been established, you can run: tail -f /opt/crowdstrike/log/cs.falconhoseclient.log.