Overview
CrowdStrike Falcon is a cloud-delivered endpoint security platform designed to detect and prevent cyberattacks. It is developed by CrowdStrike, a cybersecurity company that specializes in cloud-based endpoint protection. The Falcon sensor (originally marketed as Falcon Host) uses artificial intelligence and machine learning to analyze behaviour patterns and detect potential threats on endpoints such as laptops, desktops, and servers. The SIEM Connector described on this page pulls those events from the Falcon Event Streams API and forwards them to Logsign.
Prerequisites
- This integration is supported on Logsign 6.3.23 and later.
Settings
The CrowdStrike Falcon SIEM Connector runs as a service on a local Linux server. Resource requirements (CPU, memory, disk) are minimal; a virtual machine is sufficient.
- Supported OS (64-bit only):
  - CentOS/RHEL 6.x-7.x
  - Ubuntu 14.x
  - Ubuntu 16.04
  - Ubuntu 18.04
  - Ubuntu 20.04
- Connection: the connector host needs outbound Internet access to the CrowdStrike Cloud over HTTPS (TCP 443).
- Authorization: a CrowdStrike API client (client ID and client secret) granted the Event Streams scope. Create a dedicated API client with only that scope for the connector rather than reusing a client that has broader permissions.
- Time: The date and time on the host running the Falcon SIEM Connector must be current (NTP recommended).
- Download the SIEM Connector installation package for your operating system (RPM for CentOS/RHEL, DEB for Ubuntu) from the CrowdStrike Falcon UI to the Linux server you want to use.
- Open a terminal in the directory holding the download and run the install command, where <installer package> is the file you downloaded:
  - CentOS/RHEL:
    sudo rpm -Uvh <installer package>
  - Ubuntu:
    sudo dpkg -i <installer package>
- The Falcon SIEM Connector is installed under /opt/crowdstrike/ by default.
- Configure the SIEM Connector to forward JSON events to Logsign. The configuration files are located in the /opt/crowdstrike/etc/ directory; the connector reads /opt/crowdstrike/etc/cs.falconhoseclient.cfg by default.
- Open /opt/crowdstrike/etc/cs.falconhoseclient.cfg in a text editor and make the following edits:
  - app_id = a short name identifying this connector instance, for example the Logsign SIEM it feeds (use a distinct app_id for each connector that shares the same API client).
  - client_id = the client ID of the registered API client.
  - client_secret = the client secret of the registered API client.
  - output_format = json
- Because this file now holds the API client secret, restrict it to its owner (for example chmod 600, owned by root or the connector's service account) so that other local users cannot read it.
- In the EventTypeCollection section, enable all event types:
  - DetectionSummaryEvent = true
  - AuthActivityAuditEvent = true
  - UserActivityAuditEvent = true
  - HashSpreadingEvent = true
  - RemoteResponseSessionStartEvent = true
  - RemoteResponseSessionEndEvent = true
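As an added example (not CrowdStrike's or Logsign's code), the following Python script checks a cs.falconhoseclient.cfg for the settings listed above before the service is started: non-empty app_id, client_id and client_secret, output_format = json, all six event types enabled, and a file mode that keeps the secret private. It assumes the file is INI-style with a [Settings] section holding the credentials and an [EventTypeCollection] section holding the event flags; those section names and the CFG_PATH constant are assumptions to confirm against the file shipped with your connector version.

```python
#!/usr/bin/env python3
"""Pre-flight check for the Falcon SIEM Connector configuration.

Added example, not part of the CrowdStrike or Logsign documentation.
Assumptions: the cfg is INI-style, credentials live in [Settings] and the
per-event-type booleans live in [EventTypeCollection]. Run it as root (or as
the connector's service user) so the permission check sees the real mode.
"""
import configparser
import os
import stat
from pathlib import Path

# Default location named in the steps above; adjust if your install differs.
CFG_PATH = "/opt/crowdstrike/etc/cs.falconhoseclient.cfg"

# Event types the Logsign integration expects to be enabled.
REQUIRED_EVENT_TYPES = (
    "DetectionSummaryEvent",
    "AuthActivityAuditEvent",
    "UserActivityAuditEvent",
    "HashSpreadingEvent",
    "RemoteResponseSessionStartEvent",
    "RemoteResponseSessionEndEvent",
)


def load_cfg(text: str) -> configparser.ConfigParser:
    """Parse cfg text. interpolation=None because a secret may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    # Keys such as DetectionSummaryEvent are mixed-case; keep them as written
    # instead of configparser's default lower-casing.
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_settings(cp: configparser.ConfigParser) -> list:
    """Return the list of problems found; an empty list means the cfg is complete."""
    problems = []
    settings = cp["Settings"] if cp.has_section("Settings") else {}
    for key in ("app_id", "client_id", "client_secret"):
        if not settings.get(key, "").strip():
            problems.append(f"Settings.{key} is empty")
    if settings.get("output_format", "").strip().lower() != "json":
        problems.append("Settings.output_format must be json for Logsign")
    events = cp["EventTypeCollection"] if cp.has_section("EventTypeCollection") else {}
    for name in REQUIRED_EVENT_TYPES:
        if events.get(name, "").strip().lower() != "true":
            problems.append(f"EventTypeCollection.{name} is not true")
    return problems


def check_permissions(path: str) -> list:
    """The cfg holds the API client secret: it must not be group- or world-accessible."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is mode {oct(mode)}; restrict it to the owner (chmod 600)")
    return problems


def main(path: str = CFG_PATH) -> int:
    cp = load_cfg(Path(path).read_text())
    problems = check_settings(cp) + check_permissions(path)
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("OK: connector configuration looks complete")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it after editing the file and before starting the service; a non-zero exit code means at least one of the settings above is missing or the file is readable by other local accounts.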
Steps for Syslog Forwarding
Below is an example showing how to forward events in JSON format via syslog. If the output section does not exist in the configuration file, add it:
##
##[output]
type=syslog
protocol=udp
host=<syslog_server_ip>
port=514
format=json
##
Replace `<syslog_server_ip>` with the IP address of your Logsign server and make sure the `port` value matches the port on which Logsign listens for syslog (commonly 514). Parameter names and sections vary between connector versions, so compare this block with the comments in the cfg file shipped with your version before adding it. Note that syslog over UDP neither acknowledges delivery nor encrypts the payload, and the forwarded events contain host names, user names and detection details: keep the connector and the Logsign collector on a trusted network segment and allow UDP 514 on the collector only from the connector's address.
Save the Configuration File:
Save the changes and exit the editor. If you are using the Nano editor, you can save the changes with `CTRL + O`, and exit with `CTRL + X`.
After saving the configuration file, start the SIEM Connector service with the command for your distribution:
- CentOS/RHEL:
  sudo service cs.falconhoseclientd start
- Ubuntu 14.x:
  sudo start cs.falconhoseclientd
- Ubuntu 16.04 and later:
  sudo systemctl start cs.falconhoseclientd.service
To verify that the connector started and established its connection to the CrowdStrike Cloud, follow its log file:
- sudo tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log
On systemd-based systems you can also check the service itself with `sudo systemctl status cs.falconhoseclientd` or `sudo journalctl -u cs.falconhoseclientd` (journalctl takes the unit name, not a log file path). Confirm on the Logsign side that events are arriving before treating the integration as complete.
With these steps, the forwarding requirements are completed.
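To check the forwarding path end to end rather than only the connector's log, the following Python listener (an added example, not part of the Logsign or CrowdStrike documentation) receives the connector's syslog output on UDP/514, extracts the JSON event from each datagram and summarises what arrived. Run it on a test host, or on the Logsign collector before its own listener is enabled. The event field names it reads (metadata.eventType, metadata.offset, event.Severity, event.SeverityName, event.ComputerName, event.DetectName) follow the Falcon Event Streams JSON layout as the editor knows it and are assumptions to verify against a real event from your tenant; the BIND_ADDR constant and the high-severity threshold are likewise choices made for the example.

```python
#!/usr/bin/env python3
"""Receive the Falcon SIEM Connector's syslog/JSON output and summarise it.

Added example, not CrowdStrike's or Logsign's code. Assumes one JSON event per
UDP datagram, optionally preceded by a syslog header, and the Event Streams
field names noted in the comments below.
"""
import json
import socket
from collections import Counter

# Assumed listening address; port 514 needs root or CAP_NET_BIND_SERVICE.
BIND_ADDR = ("0.0.0.0", 514)


def extract_json(datagram: bytes):
    """Return the JSON object carried by a datagram, or None if there is none.

    The connector may prefix the JSON with a syslog header such as
    "<PRI>TIMESTAMP HOST tag: ", so we skip to the first '{' and parse from
    there; bare JSON datagrams parse the same way.
    """
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(text[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def summarise(events):
    """Count events per metadata.eventType and flag high-severity detections.

    Returns (counts, alerts); alerts holds (ComputerName, DetectName,
    SeverityName) for DetectionSummaryEvents whose Severity is 4 or higher
    (assumed field names and threshold).
    """
    counts = Counter()
    alerts = []
    for ev in events:
        meta = ev.get("metadata", {})
        body = ev.get("event", {})
        etype = meta.get("eventType", "Unknown")
        counts[etype] += 1
        try:
            severity = int(body.get("Severity", 0))
        except (TypeError, ValueError):
            severity = 0
        if etype == "DetectionSummaryEvent" and severity >= 4:
            alerts.append((body.get("ComputerName"), body.get("DetectName"),
                           body.get("SeverityName")))
    return counts, alerts


def listen(bind=BIND_ADDR, max_events=100):
    """Collect up to max_events datagrams from the connector and summarise them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    received = []
    last_offset = None
    while len(received) < max_events:
        data, peer = sock.recvfrom(65535)
        ev = extract_json(data)
        if ev is None:
            # A non-JSON datagram usually means output_format is not json
            # or another syslog source is hitting the same port.
            print(f"non-JSON datagram from {peer[0]}: {data[:80]!r}")
            continue
        received.append(ev)
        last_offset = ev.get("metadata", {}).get("offset", last_offset)
    counts, alerts = summarise(received)
    print("events by type:", dict(counts))
    print("last stream offset seen:", last_offset)
    for host, detect, sev in alerts:
        print(f"high-severity detection on {host}: {detect} ({sev})")
    return counts, alerts


if __name__ == "__main__":
    listen()
```

Seeing every enabled event type in the per-type counts confirms that the EventTypeCollection flags took effect; a stream of non-JSON datagrams points at output_format, and silence points at the network path (routing, firewall, or the host/port values in the cfg).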