Crowdstrike Falcon

Crowdstrike Falcon is a cloud-based platform that provides endpoint protection across your organization. If you currently use Crowdstrike Falcon, you can configure the Falcon SIEM Connector to send events to InsightIDR where you can generate investigations around that data.

When Crowdstrike Falcon is configured as an event source in InsightIDR, it parses and creates alerts on detection summary events (DetectionSummaryEvent) only with a severity of 4 or 5.

InsightIDR ignores the events that mention either Machine Learning or quarantined_file_update.

In order to set up Crowdstrike Falcon, you’ll need to:

1. Configure the Falcon SIEM Connector and start the service.
2. Set up the Crowdstrike Falcon event source in InsightIDR.
3. Verify the configuration works.

Before You Begin

• Install and configure Falcon Connector RPM. See instructions here: https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/
• Contact Crowdstrike support at support@crowdstrike.com to enable API access on your account. You must have administrative privileges

Configure the Falcon SIEM Connector

HP ArcSight Common Event Format (CEF) facilitates communication between devices by defining a syntax for log records. In order to send events to InsightIDR, you must modify certain settings in the default CEF file.

1. Open the default CEF configuration file located in /opt/crowdstrike/etc/.
2. Rename /opt/crowdstrike/etc/cs.falconehoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
3. If you have the line cat = event.DetectName in your config file, you should update it to cat = event.Tactic.
4. Make the following changes to the config file:

 
1
output_format=syslog 
2
output_to_file=true/false 
3
output_path=<filepath>
4
act = event.Technique
5
reason = event.Objective
6
outcome = event.PatternDispositionDescription
7
CSMTRPatternDisposition = event.PatternDispositionValue

5. If you plan to use a proxy to connect to the Falcon Firehose endpoint, you will need to update http_proxy=://: in your config file. Otherwise, update the Logging section.
6. If you plan to send your data to a Syslog server, update the Syslog section to:

 
1
send_to_syslog_server=true
2
host=<host>
3
port=<port>
4
protocol=udp/tcp

7. Start the service: # service cs.falconhoseclientd start.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
2. Do one of the following:
   • Search for Crowdstrike Falcon in the event sources search bar.
   • In the Product Type filter, select Third Party Alerts.
3. Select the Crowdstrike Falcon event source tile.
4. Choose your collector and event source. You can also name your event source if you want.
5. If you are sending additional events beyond alerts, select the unparsed logs checkbox. Specify an unused port on the Collector that can receive forwarded Crowdstrike events. We recommend that you use TCP as your protocol.
6. Click Save.

Verify the Configuration

1. Start the SIEM Connector service by running /etc/init.d/cs.falconhoseclientd start or service cs.falconhoseclientd start.

2. To verify that your setup was correct and your connectivity has been established, you can run: tail -f /opt/crowdstrike/log/cs.falconhoseclient.log.