# Send data to Falcon Next-Gen SIEM

{% hint style="info" %}
See the changelog of the **Falcon NG-SIEM** Data sink [here](/data-sinks/falcon-next-gen-siem-data-sink.md).
{% endhint %}

## Overview

Onum supports integration with Falcon Next-Gen SIEM.

With our **Falcon NG-SIEM** Data sink, you can send event data to Falcon Next-Gen SIEM via HTTP or HTTPS. It is an efficient and flexible way to ingest data into Falcon Next-Gen SIEM without the need for intermediary files or complex configurations. Events can be sent in either raw or JSON format.

## Falcon Next-Gen SIEM Setup

Follow these steps to define a data connector in Falcon NG-SIEM and get the required API URL and API key we will use in Onum:

{% stepper %}
{% step %}
Access Falcon and click **Next-Gen SIEM > Log management > Data onboarding** from the left menu.

<figure><picture><source srcset="/files/7sgVuN31VnjG7YsE9WSA" media="(prefers-color-scheme: dark)"><img src="/files/qS4nea8x2wnSQXqqrmDq" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click the **Add connection** button in the top right corner of the **Connections** table.

<figure><picture><source srcset="/files/hj6Y8rLdArPulbJOMQOl" media="(prefers-color-scheme: dark)"><img src="/files/rUBFicVzUxX5oOPILacK" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Now, choose the required data connector. In this example, we will use the **Falcon LogScale Collector**. Select it from the list and click **Configure**.

<figure><picture><source srcset="/files/c2yKFZKb0HaqK5pPZPRt" media="(prefers-color-scheme: dark)"><img src="/files/MY1hENj1clRGytpQE1r2" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Enter a **Connector name** and choose a **Vendor** and **Vendor Product** from the lists (if your product isn’t in the list, you can pick **Generic** for both). Then, choose the **Parser** that matches your data. Pick it from the list or click **Create new parser** to define a new one. If you create a new parser, you'll need to pick it from the list after you've created it.

In this example, we will choose `zscaler-internetaccess`.

{% hint style="warning" %}
You may need to create a parser if the one you require is not available. Check [this article](https://falcon.us-2.crowdstrike.com/login?next=%2Fdocumentation%2Fcategory%2Fmv4e4o8e%2Fparsers) for more information about Parsers in Falcon NG-SIEM.
{% endhint %}

<figure><picture><source srcset="/files/BywSeOnvzKqzl5tKufCZ" media="(prefers-color-scheme: dark)"><img src="/files/5Be05FPFHZpVDxAyLxar" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Accept the required conditions and click **Create connection**. Click **Close** in the window that appears.
{% endstep %}

{% step %}
Click the **Generate API key** button in the box that appears at the top of the page. Copy the **API key** and **API URL** values that appear. These are the values needed to configure the connection in Onum.

{% hint style="warning" %}

* Refresh the page if you don't see the box.
* Remember to save the **API key** and **API URL** values when you generate them. Otherwise, you will need to regenerate them.

{% endhint %}

<figure><picture><source srcset="/files/Og5tH4GuXkKVJfrE58Ms" media="(prefers-color-scheme: dark)"><img src="/files/zXHIz0ljeqUskXvyjmQq" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

## Onum Setup

{% stepper %}
{% step %}
Access Onum, go to the **Data sinks** area and click **New data sink**. Select the **Falcon NG-SIEM** Data sink from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Data Sink. Then, enter the **API URL** that you got from the connector in the **Instance URL** field.
{% endstep %}

{% step %}
Click on the **Token** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the **API key** that you got from the connector. Click **Save** when you're done.

{% hint style="info" %}
Learn more about Secrets in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

<figure><picture><source srcset="/files/ZPrkv3iJptZ89Gyv3Y0V" media="(prefers-color-scheme: dark)"><img src="/files/gF2igkkAAjDP5ZCQYDZz" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Now, select the token you have just created in the **Token** field.
{% endstep %}

{% step %}
In the **Event format** section, choose either **JSON** or **Raw**.
{% endstep %}

{% step %}
In the **Advanced configuration** settings, add **Bulk** or **Proxy** settings.

For optimal performance, we strongly recommend enabling **Bulk configuration** with the following settings, which significantly improve throughput and reduce system load:

* **Event time limit** - `2`
* **Number of events** - `1500`
* **Batch size (bytes)** - `5000000`

Depending on your Pipelines ingestion level, you may need to adjust these values to optimize performance and prevent prolonged waiting periods that could contribute to back pressure.

{% hint style="warning" %}
Only enable Bulk configuration after completing Pipeline debugging. If you need to use Debug mode, temporarily disable Bulk configuration, then re-enable it once debugging is complete.
{% endhint %}
{% endstep %}
{% endstepper %}
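As an added illustration of the Bulk configuration described above (not Onum's own code), this Python batcher applies the three limits to a stream of JSON events: a batch is flushed as soon as the number of events, the byte size or the event time limit is reached. The flush-on-any-limit semantics and the newline-delimited JSON serialization are assumptions; delivery over HTTP is left to the caller.

```python
import json
from typing import Optional


class BulkBatcher:
    """Decide when a buffered batch of events must be sent.

    Mirrors the three Bulk configuration limits of the Falcon NG-SIEM
    Data sink (event time limit, number of events, batch size in bytes).
    Assumption: the batch is flushed as soon as ANY one limit is reached.
    Constructed illustration; sending the batch is the caller's job.
    """

    def __init__(self, event_time_limit=2.0, number_of_events=1500,
                 batch_size_bytes=5_000_000):
        self.event_time_limit = event_time_limit      # seconds (assumed unit)
        self.number_of_events = number_of_events
        self.batch_size_bytes = batch_size_bytes
        self._lines = []                              # serialized events
        self._bytes = 0
        self._opened_at: Optional[float] = None       # when the first event was buffered

    def add(self, event: dict, now: float) -> Optional[list]:
        """Buffer one event (JSON format); return a batch if a limit is hit."""
        line = json.dumps(event, separators=(",", ":"))
        size = len(line.encode("utf-8")) + 1          # +1 for the newline delimiter
        batch = None
        # If this event would overflow the byte budget, ship what we have first
        # so that no single batch ever exceeds batch_size_bytes.
        if self._lines and self._bytes + size > self.batch_size_bytes:
            batch = self._drain()
        if not self._lines:
            self._opened_at = now
        self._lines.append(line)
        self._bytes += size
        if batch is None and (len(self._lines) >= self.number_of_events
                              or self._bytes >= self.batch_size_bytes):
            batch = self._drain()
        return batch

    def flush_if_due(self, now: float) -> Optional[list]:
        """Time-based flush: a partial batch waits at most event_time_limit.

        On a low-volume Pipeline that never fills a batch by count or size,
        this is the limit that bounds delivery latency and back pressure.
        """
        if self._opened_at is not None and now - self._opened_at >= self.event_time_limit:
            return self._drain()
        return None

    def _drain(self) -> list:
        batch, self._lines, self._bytes, self._opened_at = self._lines, [], 0, None
        return batch
```

Call `add()` for every event the Pipeline emits and `flush_if_due()` on a timer; whichever returns a non-empty list is the payload to send.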

## Pipeline configuration

When it comes to using this Data sink in a [Pipeline](/the-workspace/pipelines.md), you must configure the following output parameters. To do it, simply click the Data sink on the canvas and select **Configuration**.

### Output configuration

<table><thead><tr><th width="169.8515625">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>Message</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Select the field to include in the output message. The data type must be <code>string</code>.</td></tr></tbody></table>

#### Add fields

Optionally, you may include as many Key-Value pairs as required.

<table><thead><tr><th width="169.8515625">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>Field name</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Enter a name for the new field.</td></tr><tr><td><strong>Value</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Select the field that contains the value data.</td></tr></tbody></table>

<figure><picture><source srcset="/files/NoQqh3pLCWcI31VjMV0F" media="(prefers-color-scheme: dark)"><img src="/files/OfSfNSv0L0IX6o7gnn1s" alt=""></picture><figcaption></figcaption></figure>

