Send data to Falcon Next-Gen SIEM
Onum to Falcon Next-Gen SIEM
Overview
Onum supports integration with Falcon Next-Gen SIEM.
With our Falcon NG-SIEM Data sink, you can send event data to Falcon Next-Gen SIEM via HTTP or HTTPS. It is an efficient and flexible way to ingest data into Falcon Next-Gen SIEM without the need for intermediary files or complex configurations. Events can be sent in either raw or JSON format.
Falcon Next-Gen SIEM Setup
Follow these steps to define a data connector in Falcon NG-SIEM and get the required API URL and API key we will use in Onum:
In Falcon NG-SIEM, click Data connectors > Data connections from the left menu.


Click the Add connection button in the bottom right corner.


Now, choose the required data connector. In this example, we will use the Falcon LogScale Collector. Select it from the list and click Configure.


Enter the Data source and Connector name. Then, we need to choose the required Parser for our data. In this example, we will choose zscaler-internetaccess.
You may need to create a parser if the one you require is not available. Check this article for more information about Parsers in Falcon NG-SIEM.


Accept the required conditions and click Create connection. Click Close in the window that appears.
Click the Generate API key button in the box that appears at the top of the page. Copy the API key and API URL values that appear. These are the values we need to set the required connection in Onum.
Refresh the page if you don't see the box.
Remember to save the API key and API URL values when you generate them. Otherwise, you will need to regenerate them.


Onum Setup
Access Onum, go to the Data sinks area and click New data sink. Select the Falcon NG-SIEM Data sink from the list.


Enter a Name for the Data Sink. Then, enter the API URL that you got from the connector in the Instance URL field and enter 443 as the Port number. Port 443 is required for the Falcon NG-SIEM connection.


Click on the Token field and select New secret. In the window that appears, give your secret a Name and choose whether or not you want to give an Expiration date to your token. Then, click Add new value and paste the API key that you got from the connector. Click Save when you're done.
Learn more about Secrets in this article.


Now, select the token you have just created in the Token field.


In the Event format section, choose Raw.


Click Finish.
Pipeline configuration
When it comes to using this Data sink in a Pipeline, you must configure the following output parameters. To do it, simply click the Data sink on the canvas and select Configuration.
Output configuration
Message*
Select the field to include in the output message. The data type must be string.
Add fields
Optionally, you may include as many Key-Value pairs as required.
Field name*
Enter a name for the new field.
Value*
Select the field that contains the value data.
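To make the relationship between the sink settings above (Instance URL, Port, Token secret, Event format) and the pipeline output parameters (Message, Add fields) concrete, here is an added example in Python. It is not Onum's or CrowdStrike's code: it models the configuration as data, validates the constraints this page states (HTTPS, port 443, a non-empty, non-expired token, raw or JSON format, a string Message field), and builds the outbound request without sending it. The bearer-token header, the use of the connector API URL as the request URL, the field names and the sample event are all assumptions made for illustration.

```python
"""Added example: a model of the Falcon NG-SIEM sink configuration and the
request it produces. Not Onum's implementation; names and the bearer header
are assumptions. Nothing here performs network I/O."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Secret:
    """The Token secret created in Onum (name, value, optional expiration)."""
    name: str
    value: str
    expires_at: Optional[datetime] = None

    def is_expired(self, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        return self.expires_at is not None and self.expires_at <= now


@dataclass
class SinkConfig:
    """Fields entered in the Falcon NG-SIEM Data sink form."""
    name: str
    instance_url: str   # API URL copied from the Falcon NG-SIEM connector
    port: int           # must be 443 for this connection
    token: Secret       # API key stored as an Onum secret, never inline
    event_format: str   # "raw" or "json"


def validate_sink(cfg: SinkConfig, now: Optional[datetime] = None) -> List[str]:
    """Return a list of configuration problems; empty means the sink is usable."""
    problems = []
    parsed = urlparse(cfg.instance_url)
    if parsed.scheme != "https":
        problems.append("instance_url must use https")
    if not parsed.netloc:
        problems.append("instance_url must contain a host")
    if cfg.port != 443:
        problems.append("port must be 443")
    if cfg.event_format not in ("raw", "json"):
        problems.append("event_format must be 'raw' or 'json'")
    if not cfg.token.value:
        problems.append("token secret has no value")
    elif cfg.token.is_expired(now):
        problems.append(f"token secret '{cfg.token.name}' has expired")
    return problems


def build_request(cfg: SinkConfig, event: dict, message_field: str,
                  add_fields: Dict[str, str]) -> dict:
    """Map one pipeline event to the request the sink would send.

    message_field is the Message* parameter (its value must be a string);
    add_fields maps each new Field name* to the event field holding its Value*.
    """
    problems = validate_sink(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    message = event.get(message_field)
    if not isinstance(message, str):
        raise TypeError(f"Message field '{message_field}' must be a string")
    extra = {name: event.get(source) for name, source in add_fields.items()}
    # Assumption: the API key is presented as a bearer token.
    headers = {"Authorization": f"Bearer {cfg.token.value}"}
    if cfg.event_format == "raw":
        headers["Content-Type"] = "text/plain"
        body = message
    else:
        headers["Content-Type"] = "application/json"
        body = json.dumps({"message": message, **extra})
    return {"url": cfg.instance_url, "headers": headers, "body": body}


def redacted(request: dict) -> dict:
    """Copy of a request safe to log: the Authorization value is masked."""
    safe = dict(request, headers=dict(request["headers"]))
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Bearer ***"
    return safe


# Constructed sample event (not real traffic) shaped like a proxy log line.
SAMPLE_EVENT = {
    "raw_line": "2024-01-01 10:00:00 user@example.test GET https://example.test/ 200",
    "host": "proxy-01",
}
SAMPLE_SECRET = Secret("falcon-api-key", "PLACEHOLDER_API_KEY",
                       datetime(2099, 1, 1, tzinfo=timezone.utc))
SAMPLE_SINK = SinkConfig("falcon-ngsiem", "https://connector.example.test/",
                         443, SAMPLE_SECRET, "raw")

if __name__ == "__main__":
    req = build_request(SAMPLE_SINK, SAMPLE_EVENT, "raw_line", {"src_host": "host"})
    print(json.dumps(redacted(req), indent=2))
```

The validator refuses plain HTTP and any port other than 443 before a token ever leaves the process, and `redacted()` exists because the Authorization header is the API key you generated in the connector: log the request shape, never the header value.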

