Crowdstrike Falcon is a cloud-based platform that provides endpoint protection across your organization. If you currently use Crowdstrike Falcon, you can configure the Falcon SIEM Connector to send events to InsightIDR where you can generate investigations around that data.
When Crowdstrike Falcon is set as an event source for InsightIDR, InsightIDR parses only detection summary events, which it identifies by the string DetectionSummaryEvent in the log line. Events of any other type are not parsed, including those that are either
Machine Learning or
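As an added example, not code from this page or from Rapid7 or CrowdStrike: the Python below applies the selection rule just described to a few constructed CEF lines, keeping only records that mention DetectionSummaryEvent and pulling out the fields the connector mapping on this page assigns (cat, act, reason, outcome, CSMTRPatternDisposition). The header layout, event names, host names and disposition values in the sample lines are made up for illustration.

```python
import re

# Constructed sample records in CEF syslog layout (not captured from a real
# Falcon tenant). The extension keys follow the mapping the SIEM Connector
# config on this page assigns: cat=Tactic, act=Technique, reason=Objective,
# outcome=PatternDispositionDescription, CSMTRPatternDisposition=PatternDispositionValue.
SAMPLE_LINES = [
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|7|"
    "cat=Credential Access act=OS Credential Dumping reason=Gain Access "
    "outcome=Prevention, process killed. CSMTRPatternDisposition=2176 "
    "suser=jdoe shost=WS-042",
    # A different event type: the detection parser skips it.
    "CEF:0|CrowdStrike|FalconHost|1.0|UserActivityAuditEvent|User Activity|3|"
    "suser=admin act=detection_update",
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|5|"
    "cat=Execution act=PowerShell reason=Falcon Detection Method "
    "outcome=Detection, process not blocked CSMTRPatternDisposition=0 shost=SRV-01",
]

# key=value pairs in the CEF extension; values may contain spaces, so each
# value runs until the next " key=" token or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def parse_cef(line):
    """Split one CEF record into its seven header fields plus an extension dict.
    Escaped pipes inside header fields are not handled in this simplified parser."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    record = dict(zip(HEADER_KEYS, parts[:7]))
    record["version"] = record["version"][len("CEF:"):]
    record["extension"] = dict(EXT_RE.findall(parts[7]))
    return record


def is_detection_summary(line):
    """The selection rule the page describes: the line must mention DetectionSummaryEvent."""
    return "DetectionSummaryEvent" in line


def detection_summaries(lines):
    """Return parsed detection summaries, skipping every other event type."""
    results = []
    for line in lines:
        if not is_detection_summary(line):
            continue
        record = parse_cef(line)
        ext = record["extension"]
        disposition = ext.get("CSMTRPatternDisposition")
        results.append({
            "severity": int(record["severity"]),
            "tactic": ext.get("cat"),
            "technique": ext.get("act"),
            "objective": ext.get("reason"),
            "disposition": ext.get("outcome"),
            "disposition_value": int(disposition) if disposition is not None else None,
            "host": ext.get("shost"),
            "user": ext.get("suser"),
        })
    return results


if __name__ == "__main__":
    for detection in detection_summaries(SAMPLE_LINES):
        print(detection)
```

If the connector is still mapping cat to event.DetectName rather than event.Tactic, the "tactic" field above will hold the detection name instead of the MITRE tactic, which is the quickest way to notice that the config change in the next section was not applied.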
In order to set up Crowdstrike Falcon, you’ll need to:
- Configure the Falcon SIEM Connector and start the service.
- Set up the Crowdstrike Falcon event source in InsightIDR.
- Verify the configuration works.
Before You Begin
- Install and configure Falcon Connector RPM. See instructions here: https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/
- Contact Crowdstrike support at email@example.com to enable API access on your account. You must have administrative privileges.
Configure the Falcon SIEM Connector
HP ArcSight Common Event Format (CEF) is a standard syntax for log records that lets devices exchange events. In order to send events to InsightIDR, you must modify certain settings in the default CEF configuration file.
- Open the default CEF configuration file located in
- If your config file contains the line cat = event.DetectName, update it to cat = event.Tactic.
- Make the following changes to the config file (set output_to_file to true or false, and output_path to the file the connector should write to):
output_format=syslog
output_to_file=true/false
output_path=<filepath>
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionDescription
CSMTRPatternDisposition = event.PatternDispositionValue
- If you plan to use a proxy to connect to the Falcon Firehose endpoint, update http_proxy= :// : in your config file. Otherwise, update the Logging section.
- If you plan to send your data to a Syslog server, update the Syslog section to:
- Start the service:
# service cs.falconhoseclientd start
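As an added example, not code from this page or from the SIEM Connector itself: the Python below audits a config file against the settings listed in the steps above and rewrites it so the required lines are present, replacing a stale cat = event.DetectName with cat = event.Tactic. It assumes the file is a flat list of key = value lines with optional [section] headers and comment lines; the SAMPLE_BEFORE text is constructed for illustration and is not a real connector config.

```python
import re

# Settings the steps above require, with the exact value each must hold.
REQUIRED_VALUES = {
    "output_format": "syslog",
    "cat": "event.Tactic",  # replaces the older cat = event.DetectName
    "act": "event.Technique",
    "reason": "event.Objective",
    "outcome": "event.PatternDispositionDescription",
    "CSMTRPatternDisposition": "event.PatternDispositionValue",
}
# Site-specific settings: only their presence is checked.
REQUIRED_PRESENT = ("output_to_file", "output_path")

# Matches "key = value" (spaces around "=" optional); comment and
# [section] lines never match because they do not start with a word character.
LINE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

# Constructed "before" config with a stale cat mapping, a wrong output
# format and two of the required mappings missing.
SAMPLE_BEFORE = """\
[Settings]
# connector output
output_format = json
output_to_file = true
output_path = /var/log/crowdstrike/falconhoseclient/output
cat = event.DetectName
act = event.Technique
reason = event.Objective
"""


def parse_settings(text):
    """Return {key: value} for every key = value line in the config text."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_settings(text):
    """List deviations from the required settings as (key, expected, found) tuples."""
    found = parse_settings(text)
    findings = []
    for key, expected in REQUIRED_VALUES.items():
        if found.get(key) != expected:
            findings.append((key, expected, found.get(key)))
    for key in REQUIRED_PRESENT:
        if key not in found:
            findings.append((key, "<site specific>", None))
    return findings


def apply_required(text):
    """Rewrite lines whose key has a required value and append any missing keys."""
    seen = set()
    out = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            key = match.group(1)
            seen.add(key)
            if key in REQUIRED_VALUES:
                out.append(f"{key} = {REQUIRED_VALUES[key]}")
                continue
        out.append(line)
    for key, value in REQUIRED_VALUES.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_BEFORE):
        print("needs change:", finding)
    print(apply_required(SAMPLE_BEFORE))
```

Run the audit before restarting the service; a non-empty list means the connector will still emit the old field mapping and InsightIDR will parse the wrong values into its detection fields.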
Set Up this Event Source in InsightIDR
- From the left menu, go to Data Collection.
- When the “Data Collection” page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Third Party Alerts” section, click the Crowdstrike icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- If you are sending additional events beyond alerts, select the unparsed logs checkbox. Specify an unused port on the Collector that can receive forwarded Crowdstrike events. We recommend that you use TCP as your protocol.
- Click Save.
Verify the Configuration
Start the SIEM Connector service by running
service cs.falconhoseclientd start
To verify that your setup is correct and connectivity has been established, tail the connector log and check that it reports no errors:
tail -f /opt/crowdstrike/log/cs.falconhoseclient.log