SOCFortress Integrations — CrowdStrike EndPoint Protection

SOCFortress
3 min readJul 21, 2023

Intro

CrowdStrike has gained recognition for its innovative approach to cybersecurity and its role in responding to high-profile cyber incidents. Its solutions have been widely adopted by enterprises, government agencies, and organizations across various industries to strengthen their defenses against cyber threats.

CrowdStrike develops their “Falcon SIEM Connector”, a software package that can be used to connect to CrowdStrike’s cloud, pull out logs and events and forward all end-point activity to a log collector/SIEM.

About CrowdStrike

CrowdStrike is a cybersecurity company that specializes in cloud-delivered endpoint protection and threat intelligence services, providing advanced solutions to detect and prevent cyber threats.

Key features and aspects of CrowdStrike’s offerings include:

  • Endpoint Protection: Falcon Endpoint Protection, a cloud-native solution that offers real-time endpoint threat detection, prevention, and response.
  • Threat Intelligence: CrowdStrike’s Falcon X platform provides actionable threat intelligence derived from its vast global telemetry data.
  • Cloud-Native Architecture: Fast deployment, automatic updates, and scalability without the need for on-premises infrastructure.
  • Incident Response: CrowdStrike’s incident response services help organizations respond effectively to cybersecurity incidents.
  • Managed Detection and Response (MDR): CrowdStrike offers MDR services to augment an organization’s internal security operations.
  • Threat Hunting: Proactive techniques to search for threats that may have gone undetected by traditional security measures. They aim to identify and neutralize threats early in their lifecycle.
  • Integration: CrowdStrike integrates with other security tools and technologies through open APIs.

Ingesting CrowdStrike Security Events

Before using the Falcon SIEM Connector, you’ll want to first define the API client and set its scope. Refer to this guide (https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) to getting access to the CrowdStrike API for setting up a new API client key. For the new API client, make sure the scope includes read access for Event streams.

The cs.falconhoseclientd.service can be installed via the crowdstrike-cs-falconhoseclient_2.11.0_amd64.deb package. This service reaches out to Crowdstrike console to ingest syslog messages and forwards them via a CEF format.

The configuration for API creds and syslog forwarder settings are stored within /opt/crowdstrike/etc/cs.falconhoseclient.cfg. Adjust to make your changes.

(NOTE that the api_url , cliend_id , client_secret , and syslog_host will need to be adjusted.)

Falcon SIEM Connector can run as a systemd service.

Visualizations and Events Details

Alerts and Events summary:

Detections:

User Activity:

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).