CrowdStrike Falcon Integration via API

Overview

To view CrowdStrike Falcon logs in the Logsign Unified SecOps Platform, you need to complete a short configuration on both sides: create a read-only API client in CrowdStrike Falcon, then add it as a source in Logsign.

First, open the CrowdStrike Falcon console URL for your tenant. You must be an authorized user who can access the management panel and perform these actions.


Prerequisites

  • Logsign Unified SecOps Platform 6.4.24+ versions support this integration.

Configure On CrowdStrike Falcon

[Screenshot]

When you click on the icon resembling three lines in the top left corner of the page, you will see an area similar to the one in the image. 

[Screenshot]

You need to click on ‘Support and resources’ at the bottom of this area, then select the ‘API Clients and keys’ tab in the window that opens on the side.

On this screen, there is a ‘Create API client’ option in the top right corner. Click on it to create an API.

[Screenshot]

When creating the API client, give it a name and then define its Scope.

[Screenshot]

In this section, selecting only the Read permission is sufficient; the integration does not need Write access. Select Read for each of the scopes listed below:

• Alerts

• App Logs

• Apps

• Configuration Assessment

• Detections

• Device control policies

• Hosts

• Assets

• Incidents

• Quarantined Files

• Vulnerabilities

• User management

[Screenshot: API credentials (redacted)]

Once the client is created, you will see a screen like this. Save the API credentials shown on it before leaving the page. You will then log into Logsign Unified SecOps Platform and add the source using the saved credentials.

[Screenshot]

Log into Logsign Unified SecOps Platform and click Settings in the top menu. In the window that opens, click ‘Data Collection’ on the left to view the sources already added to Logsign Unified SecOps Platform. Click ‘+ Device’ on the right to begin adding a source.

[Screenshot]

First, under Devices, select API, and then choose CrowdStrike Falcon in the Provider section. Fill in the fields with the API credentials you saved from CrowdStrike Falcon.

For the Region field, use the value that matches your Falcon tenant from the table below:

Region | Description | API host
US-1 | United States | api.crowdstrike.com
US-2 | United States-2 | api.us-2.crowdstrike.com
EU-1 | Europe | api.eu-1.crowdstrike.com
EU-2 | Europe-2 | api.eu-2.crowdstrike.com
US-GOV-1 | South America | api.lagov.crowdstrike.com
US-GOV-2 | Middle East | api.usgov.crowdstrike.com
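The following script is an added example, not code from Logsign or CrowdStrike. It pre-flights an API client before it is added as a source: it checks the scope grants against the read-only scope list above, maps the Region value to the API host from the table, and exchanges the saved credentials for a token. It assumes CrowdStrike Falcon's standard OAuth2 client-credentials endpoint (POST /oauth2/token with a form-encoded client_id and client_secret), which the article itself does not describe; the credential values in the `__main__` block are constructed placeholders.

```python
"""Pre-flight checks for a CrowdStrike Falcon API client before adding it to Logsign.

Added example. Assumes Falcon's OAuth2 client-credentials endpoint (POST /oauth2/token).
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Region code -> API host, taken from the integration article's table.
REGION_HOSTS: Dict[str, str] = {
    "US-1": "api.crowdstrike.com",
    "US-2": "api.us-2.crowdstrike.com",
    "EU-1": "api.eu-1.crowdstrike.com",
    "EU-2": "api.eu-2.crowdstrike.com",
    "US-GOV-1": "api.lagov.crowdstrike.com",
    "US-GOV-2": "api.usgov.crowdstrike.com",
}

# Scopes the article requires, each with Read permission only.
REQUIRED_READ_SCOPES = frozenset({
    "Alerts", "App Logs", "Apps", "Configuration Assessment", "Detections",
    "Device control policies", "Hosts", "Assets", "Incidents",
    "Quarantined Files", "Vulnerabilities", "User management",
})


def base_url(region: str) -> str:
    """Map a region code (case-insensitive) to its https API base URL."""
    host = REGION_HOSTS.get(region.strip().upper())
    if host is None:
        raise ValueError(f"unknown Falcon region {region!r}; expected one of {sorted(REGION_HOSTS)}")
    return "https://" + host


def scope_problems(granted: Dict[str, List[str]]) -> List[str]:
    """Check a client's scope grants against the least-privilege requirement.

    `granted` maps scope name -> permissions ticked in the Falcon UI, e.g.
    {"Hosts": ["Read"], "Alerts": ["Read", "Write"]}. Returns findings for
    required scopes that are missing and for any permission other than Read.
    """
    findings = []
    for scope in sorted(REQUIRED_READ_SCOPES - set(granted)):
        findings.append(f"missing: {scope}")
    for scope, perms in sorted(granted.items()):
        for perm in perms:
            if perm.lower() != "read":
                findings.append(f"over-privileged: {scope} has {perm}")
    return findings


@dataclass
class Token:
    token_type: str
    expires_in: int
    access_token: str = field(repr=False)  # excluded from repr so it never lands in logs


def build_token_request(region: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Form-encoded client-credentials request to <base>/oauth2/token (assumed endpoint)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base_url(region) + "/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        method="POST",
    )


Transport = Callable[[urllib.request.Request], bytes]


def http_transport(req: urllib.request.Request) -> bytes:
    """Real network transport; HTTP errors (bad credentials, wrong region) propagate."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def fetch_token(region: str, client_id: str, client_secret: str,
                transport: Transport = http_transport) -> Token:
    """Exchange the saved credentials for a bearer token; `transport` is injectable for offline tests."""
    payload = json.loads(transport(build_token_request(region, client_id, client_secret)))
    if "access_token" not in payload:
        raise RuntimeError("no access_token in response; check the region and credentials")
    return Token(str(payload.get("token_type", "")), int(payload.get("expires_in", 0)), payload["access_token"])


if __name__ == "__main__":
    # Constructed placeholder values; substitute the credentials saved from the Falcon console.
    print(scope_problems({"Hosts": ["Read", "Write"], "Alerts": ["Read"]}))
    try:
        print(fetch_token("US-1", "PLACEHOLDER_CLIENT_ID", "PLACEHOLDER_CLIENT_SECRET"))
    except Exception as exc:  # no network, or the tenant rejected the credentials
        print("token request failed:", exc)
```

A failed token request is the quickest way to tell a wrong Region selection from a wrong credential pair before the source is added in Logsign, and `scope_problems` flags any Write grant that slipped in, since the integration only needs Read.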

After the source is added, CrowdStrike Falcon logs will begin to appear in the ‘Search’ section after a short while.
