CrowdStrike Integration

Data flow to Falcon NG-SIEM

Overview

In this article, you will learn how to set up a connection from the Falcon LogScale Collector over to Falcon NG-SIEM through Falcon Onum.

  1. First, we set up a destination (connector) with the corresponding parser in Falcon NG-SIEM, which defines where the data will be received.

  2. Then, we define the required Listener (data coming into Onum) and Data Sink (data going out to Falcon NG-SIEM) in Falcon Onum.

  3. Next, we define which data to send, and where to send it, in the Falcon LogScale Collector.

  4. Finally, we define a Pipeline in Falcon Onum to draft and configure the whole data flow.

1. Create a Connector in Falcon NG-SIEM

Follow these steps to define the required data connector in Falcon NG-SIEM:

  1. Access Falcon and click Next-Gen SIEM > Log management > Data onboarding from the left menu.

  2. Click the Add connection button in the top right corner of the Connections table.

  3. Now, choose the required data connector. In this example, we will use the Falcon LogScale Collector. Filter and search for it and click Configure.

  4. Enter a Connector name and choose a Vendor and Vendor Product from the lists (if your product isn't in the list, you can pick Generic for both). Then, choose the required Parser for your data. Pick it from the list or click Create new parser to define a new one. If you create a new parser, you'll need to pick it from the list after you've created it.

     In this example, we will choose zscaler-internetaccess.

  5. Accept the required conditions and click Create connection. Click Close in the window that appears.

  6. Click the Generate API key button in the box that appears at the top of the page. Copy the API key and API URL values that appear. These are the values we need to set up the connection in Onum.

2. Set up the required Data Sink and Listener in Falcon Onum

Now we need to configure the required Data Sink and Listener in Onum, which will be used to get the input data and then forward it to the required destination.

2.1 Create a Falcon NG-SIEM Data Sink

  1. Access Onum, go to the Data sinks area and click New data sink. Select the Falcon NG-SIEM Data Sink from the list.

  2. Enter a Name for the Data Sink. Then, enter the API URL that you got from the connector in the Instance URL field.

  3. Click on the Token field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if not needed. Then, click Add new value and paste the API key that you got from the connector. Click Save when you're done.

     Learn more about secrets in this article.

  4. Now, select the token you have just created in the Token field.

  5. In the Event format section, you must choose Raw.

  6. Leave the Advanced configuration settings as default and click Finish.

2.2 Create a Falcon LogScale Collector Listener

  1. In Onum, go to the Listeners area and click New listener. Select the Falcon LogScale Collector Listener from the list.

  2. Enter a Name for the Listener. Optionally, add a Description and some Tags to identify the Listener.

  3. Then, enter the Port where your Falcon LogScale Collector instance is sending data.

  4. Now you need to generate a token that will be used to connect your Falcon LogScale Collector instance to Onum. You can use an online UUID generator tool to get it.

     Back in Onum, go to the Authentication section, click the Select an API Key field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if not needed. Then, click Add new value and paste the token you generated. Click Save when you're done.

     You'll later use this token in the Falcon LogScale Collector configuration.

     Learn more about secrets in this article.

  5. Now, select the token you've just created.

  6. In the TLS configuration section, you must enter the required Certificate, Private key and CA Chain. Learn how to generate these self-signed certificates in this article.

     Once you have them, click New secret in each field, copy the contents of the generated certificate files and create a secret for each one.

     You can check the process of creating and choosing a secret in step 3 of the Data Sink setup above, or read more about secrets in Onum in this article.

  7. Finally, click Create labels. Create any required labels if you need to break down your data and then click Create listener.

3. Define the data to send over in the Falcon LogScale Collector

Next you have to configure the data you want to send in Falcon LogScale Collector:

  1. In Falcon NG-SIEM, click Data connectors > Data connections from the left menu, then select the Fleet management tab.

  2. Access the relevant Falcon LogScale Collector instance's config and add the following information:

     • The token value you added in the Falcon LogScale Collector Listener setup in Onum. This goes into the token field of the configuration.

     • The Onum URL, with the following format: distributorURL:port. You must get your distributor URL from the Onum team, as it is not shown in the platform. Add the port you entered in the Onum Listener configuration and include the result in the url field of the configuration.

     • In the tls section at the end, add the path to the CA certificate file you generated before. Place the file in a directory that the Falcon LogScale Collector can read.

     A sample Falcon LogScale Collector sink config is shown below:

     FLC config file

     flc-to-onum:
       type: hec
       # Replace with the generated token entered in Onum.
       token: <token>
       # Replace with the Onum distributor URL and port. Must include "https://" at the beginning.
       url: https://<distributorURL>:<port>
       tls:
         # Replace with the full file path to the CA certificate.
         caFile: "<filepath>"

  3. Click Publish > Publish draft to publish your FLC config.

  4. Finally, check the Fleet Management page to verify that the FLC status shows as Okay. The status may show Error if, for example, the port you entered does not match the one you chose in Onum.
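As an added pre-publish check (example code written for this article, not part of Onum, the LogScale Collector or CrowdStrike), the following Python validates one hec sink entry against the points above: the token placeholder replaced with a UUID, the url using https:// with an explicit port that matches the Onum Listener port, and a caFile that is set and readable. The sink values, host and path in SAMPLE_SINK are constructed.

```python
# Pre-publish check for a LogScale Collector 'hec' sink aimed at an Onum Listener (added example).
import os
import uuid
from urllib.parse import urlsplit

PLACEHOLDERS = {"<token>", "<distributorURL:port>", "<filepath>", ""}

# Constructed sample sink entry, as it appears under the sink name in the FLC config.
SAMPLE_SINK = {
    "type": "hec",
    "token": "3f1c2b4e-8d6a-4f0e-9c1b-7a2d5e6f8a90",  # constructed UUID, not a real secret
    "url": "https://distributor.example.invalid:8443",  # constructed host, not a real URL
    "tls": {"caFile": "/etc/onum/ca.pem"},  # constructed path
}

def validate_hec_sink(sink, listener_port, check_files=True):
    """Return the problems found in one sink entry (empty list means it looks OK).
    listener_port is the Port set on the Onum Listener; a mismatch is the usual
    reason the Fleet Management status shows Error."""
    problems = []
    if sink.get("type") != "hec":
        problems.append("sink type must be 'hec'")
    token = str(sink.get("token", ""))
    if token in PLACEHOLDERS:
        problems.append("token placeholder was not replaced")
    else:
        try:
            uuid.UUID(token)
        except ValueError:
            problems.append("token is not a UUID")
    parts = urlsplit(str(sink.get("url", "")))
    if parts.scheme != "https":
        problems.append("url must start with https://")
    if not parts.hostname or parts.hostname.startswith("<"):
        problems.append("url has no distributor host (get it from the Onum team)")
    try:
        port = parts.port
    except ValueError:  # non-numeric port such as "<port>"
        port = None
    if port is None:
        problems.append("url must include the explicit Listener port")
    elif port != listener_port:
        problems.append(f"url port {port} != Onum Listener port {listener_port}")
    ca_file = str(sink.get("tls", {}).get("caFile", ""))
    if ca_file in PLACEHOLDERS:
        problems.append("tls.caFile placeholder was not replaced")
    elif check_files and not os.path.isfile(ca_file):
        problems.append(f"tls.caFile is not readable: {ca_file}")
    return problems
```

Run it with check_files=True on the collector host so the caFile path is checked where the collector will actually read it.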

4. Create the Pipeline in Falcon Onum

Now we've got all the required pieces, so it's time to put them all together in a Pipeline:

  1. Access your Falcon Onum tenant and click Pipelines > New pipeline.

  2. In the left menu, select the Falcon LogScale Collector Listener we've just created in the Listener tab and drag it onto the canvas. Then, go to the Data sinks tab and do the same with your Falcon NG-SIEM Data Sink.

  3. Link the Listener with the Data Sink.

  4. Double-click the Data Sink. In the Output configuration section, choose the msg field, which is the one we want to send out. Click Save.

  5. Finally, click Publish, choose the required cluster(s) and click Publish again.
