Overview
To view CrowdStrike Falcon logs in the Logsign Unified SecOps Platform, you need to configure both products.
First, open the CrowdStrike Falcon console URL you have been given. You are expected to be an authorized user who can access the management panel and take actions there.
Prerequisites
- Logsign Unified SecOps Platform 6.4.24+ versions support this integration.
Configure On CrowdStrike Falcon
Click the icon with three horizontal lines in the top left corner of the page to open the navigation menu.
At the bottom of this menu, click ‘Support and resources’, then select the ‘API Clients and keys’ tab in the panel that opens on the side.
On this screen, click ‘Create API client’ in the top right corner to create a new API client.
When creating the API client, give it a name and then define its ‘Scope’.
Select only the Read permission for each scope; the integration only collects logs, so Write is not needed. The required scopes are listed below:
• Alerts
• App Logs
• Apps
• Configuration Assessment
• Detections
• Device control policies
• Hosts
• Assets
• Incidents
• Quarantined Files
• Vulnerabilities
• User management
Once the client is created, a confirmation screen shows its details. Save this information; you will need it when you log into Logsign Unified SecOps Platform and add the source.
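As an added example (not Logsign's or CrowdStrike's code), the following Python check audits a scope selection against the list above: it flags required scopes without Read, any permission beyond Read, and scopes the integration does not use. The input format is a constructed stand-in for the Read/Write checkboxes in the dialog, not a CrowdStrike API response.

```python
# Added example (not Logsign or CrowdStrike code): least-privilege check for
# the Falcon API client scopes listed in the guide. The input format mirrors
# the Read/Write checkboxes in the "Create API client" dialog and is a
# constructed representation, not a CrowdStrike API response.

# Scopes the guide says the integration needs, each with Read only.
REQUIRED_SCOPES = frozenset({
    "Alerts", "App Logs", "Apps", "Configuration Assessment", "Detections",
    "Device control policies", "Hosts", "Assets", "Incidents",
    "Quarantined Files", "Vulnerabilities", "User management",
})


def check_scopes(granted):
    """granted maps scope name -> set of permissions, e.g. {"read"} or
    {"read", "write"}. Returns a dict of findings; an empty dict means the
    client matches the guide (all required scopes, Read only, nothing extra)."""
    findings = {}
    # Required scopes that lack Read: the integration cannot pull those logs.
    missing = sorted(s for s in REQUIRED_SCOPES
                     if "read" not in granted.get(s, set()))
    if missing:
        findings["missing_read"] = missing
    # Any permission beyond Read on any scope exceeds what log collection needs.
    excess = sorted(s for s, perms in granted.items() if set(perms) - {"read"})
    if excess:
        findings["excess_permissions"] = excess
    # Scopes granted that the integration does not use at all.
    unneeded = sorted(set(granted) - REQUIRED_SCOPES)
    if unneeded:
        findings["unneeded_scopes"] = unneeded
    return findings


# Constructed sample grants: one correct client and one that has drifted.
GOOD_CLIENT = {scope: {"read"} for scope in REQUIRED_SCOPES}
DRIFTED_CLIENT = dict(GOOD_CLIENT)
DRIFTED_CLIENT["Hosts"] = {"read", "write"}       # Write is not needed
del DRIFTED_CLIENT["Assets"]                       # required scope missing
DRIFTED_CLIENT["Sample unused scope"] = {"read"}   # hypothetical extra scope


if __name__ == "__main__":
    print("good:", check_scopes(GOOD_CLIENT))        # prints {}
    print("drifted:", check_scopes(DRIFTED_CLIENT))
```

Run it after creating the client, or whenever the client's scopes are reviewed, to confirm the selection still matches the guide.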
Log into Logsign Unified SecOps Platform and click the Settings option in the top menu. In the window that opens, click ‘Data Collection’ on the left side to view the sources already added to Logsign Unified SecOps Platform. Click the ‘+ Device’ option on the right side to begin adding a source.
First, under Devices, select API, and then choose CrowdStrike Falcon in the Provider section. Fill in the fields using the API client details you saved earlier.
For the Region field, use the values provided below:
• US-1 | United States | api.crowdstrike.com
• US-2 | United States-2 | api.us-2.crowdstrike.com
• EU-1 | Europe | api.eu-1.crowdstrike.com
• EU-2 | Europe-2 | api.eu-2.crowdstrike.com
• US-GOV-1 | South America | api.lagov.crowdstrike.com
• US-GOV-2 | Middle East | api.usgov.crowdstrike.com
After the source is added, its logs will appear in the ‘Search’ section after a short delay.