CrowdStrike has gained recognition for its innovative approach to cybersecurity and its role in responding to high-profile cyber incidents. Its solutions have been widely adopted by enterprises, government agencies, and organizations across various industries to strengthen their defenses against cyber threats.
CrowdStrike develops their “Falcon SIEM Connector”, a software package that can be used to connect to CrowdStrike’s cloud, pull out logs and events and forward all end-point activity to a log collector/SIEM.
CrowdStrike is a cybersecurity company that specializes in cloud-delivered endpoint protection and threat intelligence services, providing advanced solutions to detect and prevent cyber threats.
Key features and aspects of CrowdStrike’s offerings include:
- Endpoint Protection: Falcon Endpoint Protection, a cloud-native solution that offers real-time endpoint threat detection, prevention, and response.
- Threat Intelligence: CrowdStrike’s Falcon X platform provides actionable threat intelligence derived from its vast global telemetry data.
- Cloud-Native Architecture: Fast deployment, automatic updates, and scalability without the need for on-premises infrastructure.
- Incident Response: CrowdStrike’s incident response services help organizations respond effectively to cybersecurity incidents.
- Managed Detection and Response (MDR): CrowdStrike offers MDR services to augment an organization’s internal security operations.
- Threat Hunting: Proactive techniques to search for threats that may have gone undetected by traditional security measures. They aim to identify and neutralize threats early in their lifecycle.
- Integration: CrowdStrike integrates with other security tools and technologies through open APIs.
Ingesting CrowdStrike Security Events
Before using the Falcon SIEM Connector, you’ll want to first define the API client and set its scope. Refer to this guide (https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) to getting access to the CrowdStrike API for setting up a new API client key. For the new API client, make sure the scope includes read access for Event streams.
The cs.falconhoseclientd.service can be installed via the
crowdstrike-cs-falconhoseclient_2.11.0_amd64.deb package. This service reaches out to Crowdstrike console to ingest syslog messages and forwards them via a CEF format.
The configuration for API creds and syslog forwarder settings are stored within
/opt/crowdstrike/etc/cs.falconhoseclient.cfg. Adjust to make your changes.
(NOTE that the
client_secret , and
syslog_host will need to be adjusted.)
Falcon SIEM Connector can run as a systemd service.
Visualizations and Events Details
Alerts and Events summary: