Crowdstrike Falcon

Crowdstrike Falcon is a cloud-based platform that provides endpoint protection across your organization. If you currently use Crowdstrike Falcon, you can configure the Falcon SIEM Connector to send events to InsightIDR where you can generate investigations around that data.

When Crowdstrike Falcon is set as an event source for InsightIDR, it only parses detection summary events by looking for DetectionSummaryEvent in the log line. It will ignore the events that are either Machine Learning or quarantined_file_update.

In order to set up Crowdstrike Falcon, you’ll need to:

1. Configure the Falcon SIEM Connector and start the service.
2. Set up the Crowdstrike Falcon event source in InsightIDR.
3. Verify the configuration works.

Before You Begin

• Install and configure Falcon Connector RPM. See instructions here: https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/
• Contact Crowdstrike support at support@crowdstrike.com to enable API access on your account. You must have administrative privileges

Configure the Falcon SIEM Connector

HP ArcSight Common Event Format (CEF) facilitates communication between devices by defining a syntax for log records. In order to send events to InsightIDR, you must modify certain settings in the default CEF file.

1. Open the default CEF configuration file located in /opt/crowdstrike/etc/.
2. Rename /opt/crowdstrike/etc/cs.falconehoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
3. If you have the line cat = event.DetectName in your config file, you should update it to cat = event.Tactic.
4. Make the following changes to the config file:

 
1
output_format=syslog 
2
output_to_file=true/false 
3
output_path=<filepath>
4
act = event.Technique
5
reason = event.Objective
6
outcome = event.PatternDispositionDescription
7
CSMTRPatternDisposition = event.PatternDispositionValue

5. If you plan to use a proxy to connect to the Falcon Firehose endpoint, you will need to update http_proxy=://: in your config file. Otherwise, update the Logging section.
6. If you plan to send your data to a Syslog server, update the Syslog section to:

 
1
send_to_syslog_server=true
2
host=<host>
3
port=<port>
4
protocol=udp/tcp

7. Start the service: # service cs.falconhoseclientd start.

Set Up this Event Source in InsightIDR

1. From the left menu, go to Data Collection.
2. When the “Data Collection” page appears, click the Setup Event Source dropdown and choose Add Event Source.
3. From the “Third Party Alerts” section, click the Crowdstrike icon. The “Add Event Source” panel appears.
4. Choose your collector and event source. You can also name your event source if you want.
5. If you are sending additional events beyond alerts, select the unparsed logs checkbox. Specify an unused port on the Collector that can receive forwarded Crowdstrike events. We recommend that you use TCP as your protocol.
6. Click Save.

Verify the Configuration

1. Start the SIEM Connector service by running /etc/init.d/cs.falconhoseclientd start or service cs.falconhoseclientd start.

2. To verify that your setup was correct and your connectivity has been established, you can run: tail -f /opt/crowdstrike/log/cs.falconhoseclient.log.