Send data to Falcon Next-Gen SIEM
Onum to Falcon Next-Gen SIEM
Overview
Onum supports integration with Falcon Next-Gen SIEM.
With the Falcon NG-SIEM Data sink, you can send event data to Falcon Next-Gen SIEM over HTTP or HTTPS, without intermediary files or complex configuration. Events can be sent in either raw or JSON format. Use HTTPS wherever possible: the API key generated below accompanies every request, and over plain HTTP it travels in cleartext.
Falcon Next-Gen SIEM Setup
Follow these steps to define a data connector in Falcon NG-SIEM and obtain the API URL and API key that Onum will use:
Access Falcon and click Next-Gen SIEM > Log management > Data onboarding from the left menu.


Click the Add connection button in the top right corner of the Connections table.


Now, choose the required data connector. In this example, we will use the Falcon LogScale Collector. Select it from the list and click Configure.


Enter a Connector name and choose a Vendor and Vendor Product from the lists (if your product isn't in the list, you can pick Generic for both). Then choose the Parser that matches your data. Pick it from the list, or click Create new parser to define a new one; if you create a new parser, you will need to select it from the list after it has been created.
In this example, we will choose zscaler-internetaccess.
You may need to create a parser if the one you require is not available. Check this article for more information about Parsers in Falcon NG-SIEM.


Accept the required conditions and click Create connection. Click Close in the window that appears.
Click the Generate API key button in the box that appears at the top of the page (refresh the page if you don't see the box). Copy the API key and API URL values that appear; these are the values Onum needs for the connection.
Save the API key and API URL values when you generate them. They are not shown again later, so otherwise you will have to regenerate them.


Onum Setup
Access Onum, go to the Data sinks area and click New data sink. Select the Falcon NG-SIEM Data sink from the list.
Enter a Name for the Data Sink. Then enter the API URL that you got from the connector in the Instance URL field.
Click the Token field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if you do not need the secret to expire. Then click Add new value and paste the API key that you got from the connector. Click Save when you're done.


Now, select the token you have just created in the Token field.
In the Event format section, choose either JSON or Raw.
Leave the Advanced configuration settings as default and click Finish.
Pipeline configuration
To use this Data sink in a Pipeline, you must configure the following output parameters. Click the Data sink on the canvas and select Configuration.
Output configuration
Message*
Select the field to include in the output message. The selected field must be of type string.
Add fields
Optionally, you may include as many Key-Value pairs as required.
Field name*
Enter a name for the new field.
Value*
Select the field that contains the value data.
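The following Python script is an added example, not Onum's or CrowdStrike's code. It builds test events shaped the way the output configuration above describes (one string Message field plus optional Key-Value pairs) and the HTTP request that carries them, so that an API URL / API key pair can be checked before a pipeline is wired up. Two things are assumptions rather than facts from this page: that the sink talks to LogScale's HEC-compatible ingest API (the paths `/api/v1/ingest/hec` and `/api/v1/ingest/hec/raw` are LogScale's documented HEC endpoints, but the page does not say which endpoint Onum uses), and that the API key is presented as a bearer token. The environment variable names and the sample records are also constructed for the example.

```python
"""Build (and optionally send) test events for a Falcon NG-SIEM connector.

Added example, not Onum's or CrowdStrike's code. Assumptions not stated on the
page: the sink uses LogScale's HEC-compatible ingest endpoints, the API key is
sent as a bearer token, and the environment variable names below are our own.
"""
from __future__ import annotations

import json
import os
import urllib.request
from typing import Any
from urllib.parse import urlsplit

# Constructed sample input (not real Zscaler output); "message" is the field we
# will select as the sink's Message, "host" feeds an added Key-Value pair.
SAMPLE_RECORDS = [
    {"message": "action=allow user=alice url=example.com", "host": "zia-gw-01", "region": "eu"},
    {"message": "action=block user=bob url=bad.example", "host": "zia-gw-02", "region": "us"},
]

# Assumed LogScale HEC paths; the page does not say which endpoint the sink uses.
HEC_JSON_PATH = "/api/v1/ingest/hec"
HEC_RAW_PATH = "/api/v1/ingest/hec/raw"


def build_event(record: dict[str, Any], message_field: str,
                add_fields: dict[str, str] | None = None) -> dict[str, Any]:
    """Mirror the sink's Output configuration: the Message field must hold a
    string, and each Add fields entry maps a new Field name to the record
    field that supplies its Value."""
    message = record.get(message_field)
    if not isinstance(message, str):
        raise TypeError(f"Message field {message_field!r} must be a string, "
                        f"got {type(message).__name__}")
    event: dict[str, Any] = {"event": message}
    fields = {}
    for name, source_field in (add_fields or {}).items():
        if source_field not in record:
            raise KeyError(f"Value field {source_field!r} missing from record")
        fields[name] = record[source_field]
    if fields:
        event["fields"] = fields
    return event


def build_request(instance_url: str, api_key: str, events: list[dict[str, Any]],
                  fmt: str, allow_http: bool = False) -> urllib.request.Request:
    """Assemble the POST for the chosen Event format (json or raw).

    The Instance URL is the API URL copied from the connector. Plain HTTP is
    refused unless explicitly allowed, because the API key rides in a header.
    """
    scheme = urlsplit(instance_url).scheme.lower()
    if scheme != "https" and not allow_http:
        raise ValueError(f"refusing to send the API key over {scheme or 'an unknown scheme'}; "
                         "use an https:// Instance URL or pass allow_http=True")
    base = instance_url.rstrip("/")
    headers = {"Authorization": f"Bearer {api_key}"}  # assumed bearer-token scheme
    if fmt == "json":
        # HEC accepts a batch as concatenated JSON objects, one per line.
        body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()
        headers["Content-Type"] = "application/json"
        url = base + HEC_JSON_PATH
    elif fmt == "raw":
        # Raw format ships only the Message text; added fields are dropped.
        body = "\n".join(e["event"] for e in events).encode()
        headers["Content-Type"] = "text/plain"
        url = base + HEC_RAW_PATH
    else:
        raise ValueError(f"unknown event format {fmt!r}; expected 'json' or 'raw'")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Deliver the request and return the HTTP status (2xx means ingested)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed variable names; keep the key out of the command line and scripts.
    instance_url = os.environ["FALCON_API_URL"]
    api_key = os.environ["FALCON_API_KEY"]
    batch = [build_event(r, "message", {"source_host": "host"}) for r in SAMPLE_RECORDS]
    status = send(build_request(instance_url, api_key, batch, "json"))
    print(f"HEC JSON ingest returned HTTP {status}")
```

Run it with the two variables exported to confirm the connector accepts events before pointing a production pipeline at it; a 401 or 403 means the key or URL pair is wrong, and the events should then appear under the parser you selected (zscaler-internetaccess in the walkthrough above) in Falcon NG-SIEM. Note that the raw format carries only the Message text, so any Key-Value pairs you add in the Output configuration only reach Falcon when the Event format is JSON.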

