Falcon Next-Gen SIEM

Most recent version: v1.0.2

See the changelog of this Data sink type here.

Overview

Onum supports integration with Falcon Next-Gen SIEM.

With the Falcon NG-SIEM Data sink, you can send event data to Falcon Next-Gen SIEM over HTTP or HTTPS, without intermediary files or complex configuration. Events can be sent in either raw or JSON format. Prefer HTTPS: the ingest credential travels in the Authorization header of every request, so over plain HTTP it is readable by anyone on the path.

Select Falcon NG-SIEM from the list of Data sink types and click Configuration to start.

Data sink configuration

Now you need to specify how and where to send the data, and how to establish a connection with Falcon Next-Gen SIEM.

Metadata

Enter the basic information for the new Data sink.

Parameters
Description

Name*

Enter a name for the new Data sink.

Description

Optionally, enter a description for the Data sink.

Tags

Add tags to easily identify your Data sink. Hit the Enter key after you define each tag.


Metrics display

Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.


Configuration

Now, add the configuration to establish the connection.

Parameter
Description

Falcon NG-SIEM instance URL*

Enter the URL of your Falcon NG-SIEM instance (e.g., https://falcon.us-1.crowdstrike.com).

URL port number*

Port used for the connection. If you leave it empty, port 8088 is used.

Authentication method

Choose how to authenticate:

Parameter
Description

Basic

For Basic authentication, enter your Username* and Password*. Select the password from the list of your tenant's Secrets or create a new one.

The username is the one you use to log in to the instance in the browser; as the password, use the ingest token value. Keep the token in a Secret rather than typing it into the configuration.

Token

For Token authentication, choose the required Token*. Select your token from the list of your tenant's Secrets or create a new one.

Event format

Choose the format of the message to send:

Parameter
Description

JSON

Choose this option if you want to send your events in JSON format.

Raw

Choose this option if you want to send your events in raw format. Set the following parameters:

  • Channel* - Enter the ID of the channel the events are sent on; the channel lets you narrow event searches on the server. Learn more about channels in this article.

  • Source type* - Select the required source type to parse your data from the dropdown list. See here for a comprehensive list.

    • Choose manual if you don't have a specific source type to use.

    • Select none to add a custom source type in the Custom source type* field that appears.

    Learn how to create new source types here.
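The following block is an added example, not Onum's code or CrowdStrike's API client: it assembles the HTTP request that the Configuration parameters above (instance URL, port, authentication method, event format, channel and source type, Gzip compression) describe, and it also carries the host/source/index metadata from the Pipeline output configuration later on this page. The ingest paths /api/v1/ingest/hec and /api/v1/ingest/hec/raw, the channel/sourcetype query parameters for raw events and the "Authorization: Bearer" scheme are assumptions taken from the Splunk HEC convention, not from this page; confirm them against your instance's ingest documentation. The SinkConfig class and function names are illustrative, and the sample events are constructed.

```python
# Added example (not Onum's code): assembles the HTTP request the Data sink
# parameters describe.  Assumptions, not taken from the page: the HEC-compatible
# paths /api/v1/ingest/hec and /api/v1/ingest/hec/raw, the Splunk-style
# "channel"/"sourcetype" query parameters for raw events and the
# "Authorization: Bearer <token>" scheme.  Confirm them against your instance.
import base64
import gzip
import json
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit


@dataclass
class SinkConfig:
    instance_url: str                  # Falcon NG-SIEM instance URL*
    port: int = 8088                   # URL port number* (8088 if left empty)
    auth_method: str = "token"         # "token" or "basic"
    token: Optional[str] = None        # Token* (a tenant Secret)
    username: Optional[str] = None     # Basic: Username*
    password: Optional[str] = None     # Basic: Password* (the token value)
    event_format: str = "json"         # "json" or "raw"
    channel: Optional[str] = None      # Raw: Channel*
    source_type: Optional[str] = None  # Raw: Source type* / Custom source type*
    use_gzip: bool = False             # Use Gzip compression toggle
    allow_plain_http: bool = False     # guard: credentials over HTTP are cleartext


def ingest_url(cfg: SinkConfig) -> str:
    """Instance URL host + port + the path for the chosen event format."""
    parts = urlsplit(cfg.instance_url)
    if parts.scheme != "https" and not cfg.allow_plain_http:
        raise ValueError("instance URL is not https; the token would be sent in cleartext")
    netloc = f"{parts.hostname}:{cfg.port}"
    if cfg.event_format == "raw":
        if not (cfg.channel and cfg.source_type):
            raise ValueError("raw format requires Channel and Source type")
        query = urlencode({"channel": cfg.channel, "sourcetype": cfg.source_type})
        return urlunsplit((parts.scheme, netloc, "/api/v1/ingest/hec/raw", query, ""))
    return urlunsplit((parts.scheme, netloc, "/api/v1/ingest/hec", "", ""))


def auth_header(cfg: SinkConfig) -> str:
    """Token -> Bearer scheme; Basic -> base64(username:password), where the
    password is the ingest token value as the page describes."""
    if cfg.auth_method == "token":
        if not cfg.token:
            raise ValueError("Token authentication requires Token")
        return f"Bearer {cfg.token}"
    if cfg.auth_method == "basic":
        if not (cfg.username and cfg.password):
            raise ValueError("Basic authentication requires Username and Password")
        return "Basic " + base64.b64encode(f"{cfg.username}:{cfg.password}".encode()).decode()
    raise ValueError(f"unknown authentication method {cfg.auth_method!r}")


def encode_body(cfg: SinkConfig, events: List[str],
                metadata: Optional[Dict[str, Optional[str]]] = None) -> bytes:
    """JSON format: one object per line carrying the Raw message as "event" plus
    any host/source/index metadata selected in the Pipeline output configuration.
    Raw format: the messages joined by newlines.  Gzip applies to either."""
    if cfg.event_format == "json":
        extra = {k: v for k, v in (metadata or {}).items()
                 if k in ("host", "source", "index") and v is not None}
        lines = [json.dumps({"event": e, **extra}, separators=(",", ":")) for e in events]
        body = "\n".join(lines).encode()
    elif cfg.event_format == "raw":
        body = "\n".join(events).encode()
    else:
        raise ValueError(f"unknown event format {cfg.event_format!r}")
    return gzip.compress(body) if cfg.use_gzip else body


def build_request(cfg: SinkConfig, events: List[str],
                  metadata: Optional[Dict[str, Optional[str]]] = None) -> dict:
    """Method, URL, headers and body for one send (a batch or a single event)."""
    headers = {
        "Authorization": auth_header(cfg),
        "Content-Type": "application/json" if cfg.event_format == "json" else "text/plain",
    }
    if cfg.use_gzip:
        headers["Content-Encoding"] = "gzip"
    return {"method": "POST", "url": ingest_url(cfg), "headers": headers,
            "body": encode_body(cfg, events, metadata)}


if __name__ == "__main__":
    # Constructed sample events, not real data.
    cfg = SinkConfig("https://falcon.us-1.crowdstrike.com", token="INGEST_TOKEN", use_gzip=True)
    req = build_request(cfg, ["user=alice action=login", "user=bob action=logout"],
                        {"host": "web01", "source": "app", "index": None})
    print(req["method"], req["url"], req["headers"], len(req["body"]), "bytes")
```

The http guard is the check worth keeping from this block: the sink accepts HTTP, but the Basic or Bearer header makes every request a credential disclosure on an untrusted network, so the example refuses it unless explicitly overridden.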

Advanced configuration

Optionally, you may configure the following advanced settings:

Parameter
Description

Bulk configuration

Activate the Bulk configuration toggle if you want to allow bulk sending. Configure the following parameters:

  • Event time limit* - Maximum time (in seconds) a batch is held before it is sent, even if neither the event amount nor the event size below has been reached. The minimum value is 1.

Now, set the conditions to trigger bulk sending:

  • Event amount - Maximum number of events per batch; reaching it sends the batch. The minimum value is 1 and the maximum value is 15000 (default).

  • Event size - Maximum number of bytes per batch; reaching it sends the batch. The minimum value is 1 and the maximum value is 5000000 (default).
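The three bulk parameters interact, and the block below is an added example (not Onum's implementation) of that interaction: a batch is sent as soon as the event amount or the event size is reached, and a partial batch is sent once the event time limit has elapsed since its first event was buffered. The BulkBuffer class, the injectable clock and the send callback are assumptions introduced so the timing can be reproduced offline; the handling of a single event larger than the event size (flush what is buffered, then send the oversize event on its own) is our choice, not documented behaviour.

```python
# Added example (not Onum's implementation) of the Bulk configuration
# semantics: a batch is sent when Event amount or Event size is reached, or
# when Event time limit elapses since the batch received its first event.
# The injectable clock and the `send` callback are ours, for offline replay.
import time
from typing import Callable, List, Optional


class BulkBuffer:
    def __init__(self, send: Callable[[List[bytes]], None],
                 event_amount: int = 15000, event_size: int = 5_000_000,
                 event_time_limit: float = 1,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if min(event_amount, event_size, event_time_limit) < 1:
            raise ValueError("each bulk parameter has a minimum value of 1")
        self.send, self.clock = send, clock
        self.event_amount, self.event_size = event_amount, event_size
        self.event_time_limit = event_time_limit
        self._events: List[bytes] = []
        self._bytes = 0
        self._opened_at: Optional[float] = None  # clock value at the batch's first event

    def add(self, event: bytes) -> None:
        # If this event would push the batch past Event size, send what is
        # buffered first.  An event larger than Event size then goes alone
        # (our choice; the page does not say how oversize events are handled).
        if self._events and self._bytes + len(event) > self.event_size:
            self._flush()
        if not self._events:
            self._opened_at = self.clock()
        self._events.append(event)
        self._bytes += len(event)
        if len(self._events) >= self.event_amount or self._bytes >= self.event_size:
            self._flush()

    def tick(self) -> None:
        """Call periodically: sends a partial batch once Event time limit has elapsed."""
        if self._events and self.clock() - self._opened_at >= self.event_time_limit:
            self._flush()

    def _flush(self) -> None:
        batch, self._events, self._bytes, self._opened_at = self._events, [], 0, None
        self.send(batch)


class FakeClock:
    """Manually advanced clock so the time-limit trigger is deterministic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[List[bytes]]:
    """Drives one buffer through all three triggers; returns the batches sent."""
    sent: List[List[bytes]] = []
    clock = FakeClock()
    buf = BulkBuffer(sent.append, event_amount=3, event_size=20, event_time_limit=2, clock=clock)
    for ev in (b"ev1", b"ev2", b"ev3"):   # constructed events; the third reaches Event amount
        buf.add(ev)
    buf.add(b"x" * 18)                    # 18 bytes: still under Event size
    buf.add(b"yy")                        # 20 bytes: Event size reached
    buf.add(b"late")                      # alone in the buffer
    clock.now = 1.5
    buf.tick()                            # 1.5 s < 2 s: nothing sent
    clock.now = 2.0
    buf.tick()                            # Event time limit reached
    return sent


def demo_oversize() -> List[List[bytes]]:
    """An event larger than Event size flushes the current batch, then goes alone."""
    sent: List[List[bytes]] = []
    buf = BulkBuffer(sent.append, event_amount=10, event_size=5, event_time_limit=1,
                     clock=FakeClock())
    buf.add(b"abc")
    buf.add(b"defghij")
    return sent


if __name__ == "__main__":
    print(demo())
    print(demo_oversize())
```

When sizing these values, remember that event size is measured before Gzip compression here, so the setting bounds the buffered data, not the bytes on the wire.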

TLS configuration

Activate the TLS configuration toggle if you want to set a TLS connection. Configure the following parameters:

  • Minimum TLS version* - Choose the minimum TLS version the Data sink accepts for its connection to Falcon NG-SIEM.

  • Certificate* - Select the certificate the Data sink presents when it connects (it pairs with the Private key below) from the list of your tenant's Secrets, or create a new one.

  • Private key* - Select the private key matching that certificate from the list of your tenant's Secrets or create a new one.

By default, the Skip TLS validations toggle is activated. While it is on, the Falcon NG-SIEM server certificate is not verified, so anyone who can intercept the connection can present their own certificate and read the credential and the events. Deactivate it outside lab use and configure the following:

  • CA chain* - CA chain the Data sink uses to verify the Falcon NG-SIEM server certificate. Choose it from the list of your tenant's Secrets or create a new one.

  • Subject Alternative Name - Optionally, enter the Subject Alternative Name (SAN) expected in the server certificate for this TLS connection.
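The difference between the default (Skip TLS validations on) and the verified configuration is easier to see in code. The block below is an added example written with Python's ssl module, not Onum's code: sink_tls_context builds the context the toggles above describe, with the weak setting and the corrected one side by side, and expected_server_name shows how the SAN field maps to the name checked in the server certificate. The function names and file paths are placeholders, and reading the SAN parameter as the expected server name is our interpretation of that field.

```python
# Added example (not Onum's code): what the TLS toggles mean for the outbound
# connection, expressed with Python's ssl module.  File paths are placeholders.
import ssl
from typing import Optional
from urllib.parse import urlsplit

_MIN_VERSIONS = {"TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}


def sink_tls_context(min_tls_version: str = "TLS 1.2", skip_validations: bool = True,
                     ca_chain_path: Optional[str] = None,
                     certificate_path: Optional[str] = None,
                     private_key_path: Optional[str] = None) -> ssl.SSLContext:
    """skip_validations=True mirrors the page's default (Skip TLS validations on):
    the server certificate is accepted unchecked.  Pass False plus a CA chain
    for anything beyond a lab endpoint."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_chain_path)
    ctx.minimum_version = _MIN_VERSIONS[min_tls_version]   # Minimum TLS version*
    if certificate_path:                                   # Certificate* + Private key*
        ctx.load_cert_chain(certificate_path, private_key_path)
    if skip_validations:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # any certificate accepted: an interceptor reads the token
    # Otherwise the default context already verifies the chain and the hostname.
    return ctx


def expected_server_name(instance_url: str, san: Optional[str] = None) -> str:
    """Name checked against the server certificate's SAN entries: the SAN field
    if set, otherwise the host from the instance URL.  Pass it as
    server_hostname= to ctx.wrap_socket()."""
    return san or urlsplit(instance_url).hostname


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarises what the context will enforce, for logging or tests."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": next(n for n, v in _MIN_VERSIONS.items() if v == ctx.minimum_version),
    }


if __name__ == "__main__":
    print("default toggle:", describe(sink_tls_context()))
    print("validated:", describe(sink_tls_context(skip_validations=False)))
```

A context built with skip_validations=False and no ca_chain_path falls back to the system trust store, which is fine for a public Falcon endpoint; supply the CA chain when the instance is fronted by a private CA.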

Proxy configuration

If your organization uses proxy servers, activate the Proxy configuration toggle and establish the connection here:

  • Scheme* - Choose the required proxy scheme (HTTP or HTTPS).

  • Host* - Set the required proxy address.

  • Port* - Set the required proxy port.

  • Username - Enter your proxy username.

  • Password - Select your proxy password from the list of your tenant's Secrets or create a new one.

Use Gzip compression

Activate the Use Gzip compression toggle to gzip the request body before it is sent.

Pipeline configuration

To use this Data sink in a Pipeline, configure the following output parameters: click the Data sink on the canvas and select Configuration.

Output configuration

Parameter
Description

Raw message*

Select the field whose value is sent as the event. The data type must be string.

Falcon NG-SIEM metadata

Optionally, you may include the following metadata:

Parameter
Description

Host

Select the field that contains the host information. The data type must be string.

Source

Select the field that contains the source information. The data type must be string.

Index

Select the field that contains the index information. The data type must be string.
