CrowdStrike Integration
Data flow to Falcon NG-SIEM
Overview
In this article, you will learn how to set up a connection from the Falcon LogScale Collector over to Falcon NG-SIEM through Onum.
First, we will set up a destination (a connector) with the corresponding parser in Falcon NG-SIEM to define where our data will be received.
Then, we need to define the required Listener (data coming into Onum) and Data sink (data going from Onum to Falcon NG-SIEM) in Onum.
Next, we will define in the Falcon LogScale Collector which data we want to send and where to send it.
Finally, we will define a Pipeline in Onum to draft and configure the whole data flow.


1. Create a Connector in Falcon NG-SIEM
Follow these steps to define the required data connector in Falcon NG-SIEM:
In Falcon NG-SIEM, click Data connectors > Data connections from the left menu.


Click the Add connection button in the bottom right corner.


Now, choose the required data connector. In this example, we will use the Falcon LogScale Collector. Select it from the list and click Configure.


Enter the Data source and Connector name. Then, choose the required Parser for your data. In this example, we will choose zscaler-internetaccess.


Accept the required conditions and click Create connection. Click Close in the window that appears.
Click the Generate API key button in the box that appears at the top of the page. Copy the API key and API URL values that appear. These are the values we need to set the required connection in Onum.
Refresh the page if you don't see the box.


2. Set up the required Data sink and Listener in Onum
Now we need to configure the required Data sink and Listener in Onum, which will be used to get the input data and then forward it to the required destination.
Create a Falcon NG-SIEM Data sink
Access Onum, go to the Data sinks area and click New data sink. Select the Falcon NG-SIEM Data sink from the list.


Enter a Name for the Data sink. Then, enter the API URL that you got from the connector in the Instance URL field and choose the required Port number (443 in this case).


Click on the Token field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date option. Then, click Add new value and paste the API key that you got from the connector. Click Save when you're done.
Learn more about Secrets in this article.


Now, select the token you have just created in the Token field.


In the Event format section, choose JSON.


Click Finish.
Create an HTTP Listener
In Onum, go to the Listeners area and click New listener. Select the HTTP Listener from the list.
Enter a Name for the Listener. Then, enter the Port we're going to listen on (in this example, 3000).
Set up the required TLS configuration.
In the Authentication type option, choose API Key in Header.
In the API Key in Header Name field, enter Authorization. Then, click the API Key in Header Value field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date option. Then, click Add new value and paste the required value from Falcon LogScale Collector. Click Save when you're done.
Now, select the token you have just created in the Token field.
Choose POST as the HTTP Method.
In the Request Path field, enter /services/collector.
In the Message extraction section, select Multiple events at body as stacked JSON in the Strategy field.
Enter any additional values you may need and click Create labels. Create any required labels if you need to break down your data and then click Create listener.
3. Define the data to send over in the Falcon LogScale Collector
Next, configure the data you want to send in the Falcon LogScale Collector:
In Falcon NG-SIEM, click Data connectors > Data connections from the left menu, then select the Fleet management tab.


Choose the required VM in this area and access its configuration.
Add the following information:
The required token value.
The Onum URL, in the format tenantID:port
In the TLS section at the end, add the path to the required CA certificate file. Add the file in a directory that the Falcon LogScale Collector can read.
If you're using Windows, you need to escape backslashes (\) with an extra backslash in your CA file path.
4. Create the Pipeline in Onum
Now we've got all the required pieces, so it's time to put them all together in a Pipeline:
Access your Onum tenant and click Pipelines > New pipeline.


In the left menu, select the HTTP Listener we've just created in the Listener tab and drag it onto the canvas. Then, go to the Data sinks tab and do the same with your Falcon NG-SIEM Data sink.
Then, in the Actions tab, choose the Parser Action and add it to the canvas. Connect the Listener to the Parser, and then the Parser to the Data sink.
Learn more about the Parser Action in this article.


Now we have to configure the Parser. Double-click it and set up the following:
Choose the msg field as the field to parse. Leave the real data option in the Input box.
Choose the manual option in the Parser block. Click the </> icon at the left of the box to access the code mode and modify the parser as required. In this case, we'll apply this parser to extract 3 different fields (host, event and fields):
{flc:json(fields=["fields":string,"host":string,"event":string])}
Check this article to learn more about the language used in the Parser Action, known as PCL (Parser Configuration Language).
Click Save when you're done.
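To make the Listener and Parser steps above concrete, here is an added Python example (not Onum's or CrowdStrike's code) showing what happens to one Collector request: the Authorization header is checked against the shared secret, the body is split as stacked JSON, and only the host, event and fields keys are kept. The sample body, header and secret value are constructed for the example.

```python
import hmac
import json

# Constructed sample POST body: two HEC-style events stacked back to back,
# which is what the "Multiple events at body as stacked JSON" strategy expects.
SAMPLE_BODY = (
    '{"host":"flc-01","event":"user login ok","fields":{"src":"10.0.0.5"}}'
    '\n{"host":"flc-02","event":"user login failed","fields":{"src":"10.0.0.9"}}'
)
SAMPLE_HEADERS = {"Authorization": "example-secret-value"}  # constructed
EXPECTED_TOKEN = "example-secret-value"  # stands in for the Onum secret


def authorized(headers, expected=EXPECTED_TOKEN):
    """'API Key in Header' check: the Authorization header must carry the
    shared secret. Constant-time compare avoids leaking it through timing."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def split_stacked_json(body):
    """Yield each object from a body of concatenated JSON objects, with or
    without whitespace between them (raw_decode handles one object at a time)."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(body):
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def extract_events(body):
    """Keep the three fields the Parser Action pulls out: host, event, fields."""
    return [
        {"host": o.get("host"), "event": o.get("event"), "fields": o.get("fields", {})}
        for o in split_stacked_json(body)
    ]


def handle_post(path, headers, body):
    """Accept only POST /services/collector with a valid key; None means reject."""
    if path != "/services/collector" or not authorized(headers):
        return None
    return extract_events(body)
```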
Double-click the Data sink