# CrowdStrike Integration

## Overview

In this article, you will learn how to set up a connection from the **Falcon LogScale Collector** to **Falcon NG-SIEM** through **Falcon Onum**.

1. First of all, we will start setting up a destination or **connector** with the corresponding parser in **Falcon NG-SIEM** to define where to receive our data.
2. Then, we need to define the required **Listener** (data coming into Onum) and **Data Sink** (data going to Falcon NG-SIEM) in **Falcon Onum**.
3. Next, we will define which data we want to send and where we want to send it over in the **Falcon LogScale Collector**.
4. And finally, we will define a **Pipeline** in **Falcon Onum** to draft and configure the whole data flow.

## 1. Create a Connector in Falcon NG-SIEM

Follow these steps to define the required data connector in Falcon NG-SIEM:

{% stepper %}
{% step %}
Access Falcon and click **Next-Gen SIEM > Log management > Data onboarding** from the left menu.
{% endstep %}

{% step %}
Click the **Add connection** button in the top right corner of the **Connections** table.
{% endstep %}

{% step %}
Now, choose the required data connector. In this example, we will use the **Falcon LogScale Collector**. Filter and search for it, select it and click **Configure**.
{% endstep %}

{% step %}
Enter a **Connector name** and choose a **Vendor** and **Vendor Product** from the lists (if your product isn't in the list, you can pick **Generic** for both). Then, choose the required **Parser** for your data. Pick it from the list or click **Create new parser** to define a new one. If you create a new parser, you'll need to pick it from the list after you've created it.

{% hint style="warning" %}
You may need to create a parser if the one you require is not available. Check [this article](https://falcon.us-2.crowdstrike.com/login?next=%2Fdocumentation%2Fcategory%2Fmv4e4o8e%2Fparsers) for more information about parsers in Falcon NG-SIEM.
{% endhint %}
{% endstep %}

{% step %}
Accept the required conditions and click **Create connection**. Click **Close** in the window that appears.
{% endstep %}

{% step %}
Click the **Generate API key** button in the box that appears at the top of the page. Copy the **API key** and **API URL** values that appear. These are the values we need to set the required connection in Onum.

{% hint style="warning" %}

* Refresh the page if you don't see the box. It will appear once your connector is ready to receive data.
* Remember to save the **API key** and **API URL** values when you generate them. Otherwise, you will need to regenerate them.
{% endhint %}
{% endstep %}
{% endstepper %}

## 2. Set up the required Data Sink and Listener in Falcon Onum

Now we need to configure the required [Data Sink](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/the-workspace/pipelines/data-sinks) and [Listener](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/the-workspace/listeners) in Onum, which will be used to get the input data and then forward it to the required destination.

### 2.1 Create a Falcon NG-SIEM Data Sink

{% stepper %}
{% step %}
Access Onum, go to the **Data sinks** area and click **New data sink**. Select the [**Falcon NG-SIEM** Data Sink](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/the-workspace/data-sinks/data-sink-integrations/send-data-to-crowdstrike-products/send-data-to-falcon-next-gen-siem) from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Data Sink. Then, enter the **API URL** that you got from the connector in the **Instance URL** field.
{% endstep %}

{% step %}
Click on the **Select token** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the **API key** that you got from the connector. Click **Save** when you're done.

{% hint style="info" %}
Learn more about secrets in [this article](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/administration/global-settings/organization-settings/secrets-management).
{% endhint %}
{% endstep %}

{% step %}
Now, select the token you have just created.
{% endstep %}

{% step %}
In the **Event format** section, you must choose **Raw**.

{% hint style="warning" %}
Note that if you don't choose **Raw**, the events will not be sent properly formatted.
{% endhint %}
{% endstep %}

{% step %}
In the **Advanced configuration** settings, add **Bulk** settings.

For optimal performance, we strongly recommend enabling **Bulk configuration** and entering these settings, which significantly improve throughput and reduce system load:

* **Event time limit** - `2`
* **Number of events** - `1500`
* **Batch size (bytes)** - `5000000`

Depending on your Pipelines ingestion level, you may need to adjust these values to optimize performance and prevent prolonged waiting periods that could contribute to back pressure.

{% hint style="warning" %}
Only enable **Bulk configuration** after completing Pipeline debugging. If you need to use debug mode, temporarily disable bulk configuration, then re-enable it once debugging is complete.
{% endhint %}
{% endstep %}

{% step %}
Enable **Proxy configuration** if needed and click **Finish** once you're done.
{% endstep %}
{% endstepper %}

### 2.2 Create a **Falcon LogScale Collector** Listener

{% stepper %}
{% step %}
In Onum, go to the **Listeners** area and click **New listener**. Select the [**Falcon LogScale Collector** Listener](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/the-workspace/data-sinks/data-sink-integrations/send-data-to-crowdstrike-products/send-data-to-falcon-logscale) from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
For most cloud-based Onum installations, the **Socket** section **is not visible**, and port `443` is used by default. If you see it, enter the required port in the **Port** field. At this time, all TCP ports from `1024` to `10000` are open.
{% endstep %}

{% step %}
Now you need to generate a token that will be used to connect your Falcon LogScale Collector instance to Onum. You can use an [online UUID generator tool](https://www.uuidgenerator.net/) to get it.

{% hint style="warning" %}
Note that the Falcon LogScale Collector won’t allow for token values that are just numeric.
{% endhint %}

Back in Onum, go to the **Authentication** section, click the **Select an API Key** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the token you generated. Click **Save** when you're done.

You'll later use this token in the Falcon LogScale Collector configuration.

{% hint style="info" %}
Learn more about secrets in [this article](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/administration/global-settings/organization-settings/secrets-management).
{% endhint %}
{% endstep %}

{% step %}
Now, select the token you've just created.
{% endstep %}

{% step %}
In most cloud-based Onum installations, the **TLS configuration** section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.
{% endstep %}

{% step %}
Now there are two possible scenarios:

* If you didn't enter your TLS certificates, click **Create listener** and you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. You can also download the certificate in case you need it.

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

* If you entered the TLS certificates, you'll go directly to the next step to create the Listener labels.
{% endstep %}

{% step %}
Finally, click **Create labels**. Create any required [labels](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/the-workspace/listeners/labels) if you need to break down your data and then click **Create listener**.
{% endstep %}
{% endstepper %}

## 3. Define the data to send over in the Falcon LogScale Collector

Next you have to configure the data you want to send in Falcon LogScale Collector:

{% stepper %}
{% step %}
In Falcon NG-SIEM, click **Data connectors > Data connections** from the left menu, then select the **Fleet management** tab.
{% endstep %}

{% step %}
Access the relevant Falcon LogScale Collector instance's config and add the following information under the `sinks` section:

* The token value you added in the **Falcon LogScale Collector** Listener setup in Onum. This will go into the `token` field of the configuration.
* The Onum URL, with the following format: `https://<distributorURL:port>`.
  * If you are working in a cloud tenant, you will find this URL in the Listener settings under **Address**. Click your Listener in the **Listeners** area to access its details.
  * Add the port you entered in the Onum configuration and include it in the `url` field of the configuration. If you are working in a cloud tenant, you can also see the **Port** in the Listener settings.

{% hint style="warning" %}
If you cannot get this information, contact the [Onum team](https://app.gitbook.com/s/cSjT21I4EUhzghjc1rER/).
{% endhint %}

Check below a Falcon LogScale Collector sample config file:

{% code title="FLC config file" %}

```yaml
sinks:
  flc-to-onum:
    type: hec
    token: <token>
    # Replace with generated token entered in Onum.
    url: https://<distributorURL:port>
    # Replace with Onum distributor URL & port. Must include the "https://" at the beginning.
```

{% endcode %}

{% hint style="warning" %}
If you manually entered the TLS certificates in the Listener configuration, you must add the following `tls` section at the end of the config file. Enter the path to the CA certificate file you generated before. Add the file in a directory that the Falcon LogScale Collector can read.

```yaml
tls:
  caFile: "<filepath>"
  # Replace with the full file path to the CA certificate.
```

If you're using Windows, you need to escape backslashes (`\`) with an extra backslash in your CA file path.
{% endhint %}
{% endstep %}

{% step %}
Click **Publish > Publish draft** to publish your FLC config.
{% endstep %}

{% step %}
Finally, check the **Fleet Management** page to verify that the FLC status shows as **Okay**. The status may show **Error** if, for example, the port you entered in the `url` field does not match the one you chose in Onum.
{% endstep %}
{% endstepper %}
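Before publishing the FLC draft, it is worth checking the `sinks` entry against the constraints this section states: the `url` must start with `https://` and carry an explicit port, the token must not be purely numeric, and no `<placeholder>` may be left in place. The pre-flight check below is an added example, not part of the original article or of any CrowdStrike or Onum tooling; it works on the parsed form of the YAML (a Python dict), the allowed-port set is taken from the Listener step (443 by default, or a chosen port in 1024-10000), and the hostname and UUID in the sample are constructed.

```python
import re
import uuid
from urllib.parse import urlsplit

# Ports the Listener step lists: 443 on cloud tenants by default, or a chosen TCP port
# in 1024-10000 when the Socket section is visible (assumption taken from that step).
ALLOWED_PORTS = {443} | set(range(1024, 10001))
PLACEHOLDER = re.compile(r"<[^>]*>")  # unreplaced "<token>" / "<distributorURL:port>"


def check_token(token):
    """Problems with the HEC token: placeholder, purely numeric (rejected by FLC), or not a UUID."""
    if not isinstance(token, str) or not token or PLACEHOLDER.search(token):
        return ["token: placeholder or empty; paste the secret value entered in the Onum Listener"]
    problems = []
    if token.isdigit():
        problems.append("token: purely numeric values are rejected by the Falcon LogScale Collector")
    try:
        uuid.UUID(token)
    except ValueError:
        problems.append("token: not a UUID; the Listener token is generated as a UUID")
    return problems


def check_url(url):
    """Problems with the sink url: scheme, host, and explicit port in the allowed range."""
    if not isinstance(url, str) or PLACEHOLDER.search(url):
        return ["url: placeholder not replaced with the Listener Address and Port"]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("url: must start with https://")
    if not parts.hostname:
        problems.append("url: missing host")
    try:
        port = parts.port  # raises ValueError when the port is not numeric or out of range
    except ValueError:
        return problems + ["url: port is not a valid number"]
    if port is None:
        problems.append("url: port must be given explicitly (https://<host>:<port>)")
    elif port not in ALLOWED_PORTS:
        problems.append(f"url: port {port} is outside 443 or 1024-10000")
    return problems


def validate_flc_sinks(config):
    """Return {sink_name: [problems]} for each sink; the tls block is accepted at sink or top level."""
    report = {}
    for name, sink in (config.get("sinks") or {}).items():
        problems = [] if sink.get("type") == "hec" else ["type: expected hec"]
        problems += check_token(sink.get("token")) + check_url(sink.get("url"))
        tls = sink.get("tls") or config.get("tls")
        if tls is not None and (not tls.get("caFile") or PLACEHOLDER.search(tls["caFile"])):
            problems.append("tls.caFile: placeholder not replaced with the CA certificate path")
        report[name] = problems
    return report
```

Run `validate_flc_sinks` on the parsed config (for example, `yaml.safe_load` output) and publish only when every sink reports an empty list.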

## 4. Create the Pipeline in Falcon Onum

Now we've got all the required pieces, so it's time to put them all together in a Pipeline:

{% stepper %}
{% step %}
Access your Falcon Onum tenant and click **Pipelines > New pipeline**.
{% endstep %}

{% step %}
At the left menu, select the **Falcon LogScale Collector** Listener we've just created in the **Listener** tab and drag it into the canvas. Then, go to the **Data sinks** tab and do the same with your **Falcon NG-SIEM** Data Sink.
{% endstep %}

{% step %}
Link the Listener with the Data Sink.
{% endstep %}

{% step %}
Double-click the Data Sink. In the **Output configuration** section, choose the `msg` field as **Raw message**, which is the one we want to be sent out. Click **Save**.
{% endstep %}

{% step %}
Finally, click **Publish**, choose the required cluster(s) and click **Publish** again.
{% endstep %}
{% endstepper %}
