# CrowdStrike Integration

## Overview

In this article, you will learn how to set up a connection from the **Falcon LogScale Collector** over to **Falcon NG-SIEM** through **Falcon Onum**.

1. First of all, we will start setting up a destination or **connector** with the corresponding parser in **Falcon NG-SIEM** to define where to receive our data.
2. Then, we need to define the required **Listener** (data coming into Onum) and **Data Sink** (data going to Falcon NG-SIEM) in **Falcon Onum**.
3. Next, we will define which data we want to send and where we want to send it over in the **Falcon LogScale Collector**.
4. And finally, we will define a **Pipeline** in **Falcon Onum** to draft and configure the whole data flow.

## 1. Create a Connector in Falcon NG-SIEM

Follow these steps to define the required data connector in Falcon NG-SIEM:

{% stepper %}
{% step %}
Access Falcon and click **Next-Gen SIEM > Log management > Data onboarding** from the left menu.
{% endstep %}

{% step %}
Click the **Add connection** button in the top right corner of the **Connections** table.
{% endstep %}

{% step %}
Now, choose the required data connector. In this example, we will use the **Falcon LogScale Collector**. Filter and search for it, select it and click **Configure**.
{% endstep %}

{% step %}
Enter a **Connector name** and choose a **Vendor** and **Vendor Product** from the lists (if your product isn’t in the list, you can pick **Generic** for both). Then, we need to choose the required **Parser** for our data. Pick it from the list or click **Create new parser** to define a new one. If you create a new parser, you'll need to pick it from the list after you've created it.

{% hint style="warning" %}
You may need to create a parser if the one you require is not available. Check [this article](https://falcon.us-2.crowdstrike.com/login?next=%2Fdocumentation%2Fcategory%2Fmv4e4o8e%2Fparsers) for more information about parsers in Falcon NG-SIEM.
{% endhint %}
{% endstep %}

{% step %}
Accept the required conditions and click **Create connection**. Click **Close** in the window that appears.
{% endstep %}

{% step %}
Click the **Generate API key** button in the box that appears at the top of the page. Copy the **API key** and **API URL** values that appear. These are the values we need to set up the required connection in Onum.

{% hint style="warning" %}

* Refresh the page if you don't see the box. It will appear once your connector is ready to receive data.
* Remember to save the **API key** and **API URL** values when you generate them. Otherwise, you will need to regenerate them.
{% endhint %}
{% endstep %}
{% endstepper %}

## 2. Set up the required Data Sink and Listener in **Falcon Onum**

Now we need to configure the required [Data Sink](/the-workspace/pipelines/data-sinks.md) and [Listener](/the-workspace/listeners.md) in Onum, which will be used to get the input data and then forward it to the required destination.

### 2.1 Create a Falcon NG-SIEM Data Sink

{% stepper %}
{% step %}
Access Onum, go to the **Data sinks** area and click **New data sink**. Select the [**Falcon NG-SIEM** Data Sink](/the-workspace/data-sinks/data-sink-integrations/send-data-to-crowdstrike-products/send-data-to-falcon-next-gen-siem.md) from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Data Sink. Then, enter the **API URL** that you got from the connector in the **Instance URL** field.
{% endstep %}

{% step %}
Click on the **Select token** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the **API key** that you got from the connector. Click **Save** when you're done.

{% hint style="info" %}
Learn more about secrets in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}
{% endstep %}

{% step %}
Now, select the token you have just created.
{% endstep %}

{% step %}
In the **Event format** section, you must choose **Raw**.

{% hint style="warning" %}
Note that if you don't choose **Raw**, the events will not be sent properly formatted.
{% endhint %}
{% endstep %}

{% step %}
In the **Advanced configuration** settings, add **Bulk** settings.

For optimal performance, we strongly recommend enabling **Bulk configuration** and entering these settings, which significantly improve throughput and reduce system load:

* **Event time limit** - `2`
* **Number of events** - `1500`
* **Batch size (bytes)** - `5000000`

Depending on your Pipelines ingestion level, you may need to adjust these values to optimize performance and prevent prolonged waiting periods that could contribute to back pressure.

{% hint style="warning" %}
Only enable **Bulk configuration** after completing Pipeline debugging. If you need to use debug mode, temporarily disable bulk configuration, then re-enable it once debugging is complete.
{% endhint %}
{% endstep %}

{% step %}
Enable **Proxy configuration** if needed and click **Finish** once you're done.
{% endstep %}
{% endstepper %}

### 2.2 Create a **Falcon LogScale Collector** Listener

{% stepper %}
{% step %}
In Onum, go to the **Listeners** area and click **New listener**. Select the [**Falcon LogScale Collector** Listener](/the-workspace/data-sinks/data-sink-integrations/send-data-to-crowdstrike-products/send-data-to-falcon-logscale.md) from the list.
{% endstep %}

{% step %}
Enter a **Name** for the Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
For most cloud-based Onum installations, the **Socket** section **is not visible**, and port `443` is used by default. If you see it, enter the required port in the **Port** field. At this time, all TCP ports from `1024` to `10000` are open.
{% endstep %}

{% step %}
Now you need to generate a token that will be used to connect your Falcon LogScale Collector instance to Onum. You can use an [online UUID generator tool](https://www.uuidgenerator.net/) to get it.

{% hint style="warning" %}
Note that the Falcon LogScale Collector won’t accept token values that are purely numeric.
{% endhint %}

Back in Onum, go to the **Authentication** section, click the **Select an API Key** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the token you generated. Click **Save** when you're done.

You'll later use this token in the Falcon LogScale Collector configuration.

{% hint style="info" %}
Learn more about secrets in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}
{% endstep %}

{% step %}
Now, select the token you've just created.
{% endstep %}

{% step %}
In most cloud-based Onum installations, the **TLS configuration** section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation.md). Once you have them, click **New secret** in each field and add the corresponding values.
{% endstep %}

{% step %}
Now there are two possible scenarios:

* If you didn't enter your TLS certificates, click **Create listener** and you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. You can also download the certificate in case you need it.

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

* If you entered the TLS certificates, you'll go directly to the next step to create the Listener labels.
{% endstep %}

{% step %}
Finally, click **Create labels**. Create any required [labels](/the-workspace/listeners/labels.md) if you need to break down your data and then click **Create listener**.
{% endstep %}
{% endstepper %}

## 3. Define the data to send over in the Falcon LogScale Collector

Next you have to configure the data you want to send in Falcon LogScale Collector:

{% stepper %}
{% step %}
In Falcon NG-SIEM, click **Data connectors > Data connections** from the left menu, then select the **Fleet management** tab.
{% endstep %}

{% step %}
Access the relevant Falcon LogScale Collector instance's config and add the following information under the `sinks` section:

* The token value you added in the **Falcon LogScale Collector** Listener setup in Onum. This will go into the `token` field of the configuration.
* The Onum URL, with the following format: `https://<distributorURL:port>`.
  * If you are working in a cloud tenant, you will find this URL in the Listener settings under **Address**. Click your Listener in the **Listeners** area to access its details.
  * Add the port you entered in the Onum configuration and include it in the `url` field of the configuration. If you are working in a cloud tenant, you can also see the **Port** in the Listener settings.

{% hint style="warning" %}
If you cannot get this information, contact the [Onum team](/support/support.md).
{% endhint %}

Below is a sample Falcon LogScale Collector config file:

{% code title="FLC config file" %}

```yaml
sinks:
  flc-to-onum:
    type: hec
    token: <token>
    # Replace with generated token entered in Onum.
    url: https://<distributorURL:port>
    # Replace with Onum distributor URL & port. Must include the "https://" at the beginning.
```

{% endcode %}

{% hint style="warning" %}
If you manually entered the TLS certificates in the Listener configuration, you must add the following `tls` section at the end of the config file. Enter the path to the CA certificate file you generated before. Add the file in a directory that the Falcon LogScale Collector can read.

```yaml
tls:
  caFile: "<filepath>"
  # Replace with full file path to CA certificate.
```

If you're using Windows, you need to escape backslashes (`\`) with an extra backslash in your CA file path.
{% endhint %}
{% endstep %}

{% step %}
Click **Publish > Publish draft** to publish your FLC config.
{% endstep %}

{% step %}
Finally, check the **Fleet Management** page to verify that the FLC status shows as **Okay**. The status may show **Error** if, for example, the port in your config does not match the one you chose in Onum.
{% endstep %}
{% endstepper %}
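Two of the steps above are easy to get wrong silently: the token generated for the Listener in section 2.2 (which the collector rejects if it is purely numeric) and the `sinks` entry in the FLC config (placeholders left in, a URL without `https://`, a port Onum is not listening on, or an unescaped Windows path in `caFile`). The following script is an added example, not code from Onum or CrowdStrike: it generates the Listener token locally as a UUID4 instead of with an online tool, and lints an FLC config against the constraints this page states before you publish it. The config text, the `.invalid` host name and the token are constructed sample values; the `tls` block is placed under the sink entry, which is an assumption about where the collector reads it, and the line-based YAML scan is deliberately minimal so the check needs only the standard library.

```python
import re
import uuid
from typing import List, Optional
from urllib.parse import urlsplit

# Ports the page says an Onum Listener can use: 443 (the cloud default) or any
# TCP port from 1024 to 10000 when the Socket section is visible.
ALLOWED_PORTS = {443} | set(range(1024, 10001))

# Placeholder values from the sample config on the page; any of these left in
# a published config means the operator forgot to fill it in.
PLACEHOLDERS = {"<token>", "https://<distributorURL:port>", "<filepath>"}


def generate_token() -> str:
    """Generate the Listener token locally instead of with an online tool.
    A UUID4 is the same kind of value the page's generator produces; the loop
    guards against the vanishingly rare all-digit UUID, which the collector
    would reject."""
    while True:
        token = str(uuid.uuid4())
        if not token.replace("-", "").isdigit():
            return token


def _scalar(text: str, key: str) -> Optional[str]:
    """Return the raw value of the first `key: value` line in the YAML text,
    or None if the key is absent. A minimal line scan is used on purpose so
    the check runs with the standard library only (no PyYAML)."""
    match = re.search(rf"^\s*{re.escape(key)}:\s*(.*?)\s*$", text, re.MULTILINE)
    return match.group(1) if match else None


def check_flc_config(text: str, tls_expected: bool) -> List[str]:
    """Lint an FLC config destined for an Onum Listener. Returns a list of
    problems (empty when the config passes); each one maps to a failure the
    page warns about. Set tls_expected=True when you entered certificates in
    the Listener, so a missing tls section is reported too."""
    problems: List[str] = []

    token = _scalar(text, "token")
    if token is None or token in PLACEHOLDERS:
        problems.append("token: missing or placeholder not replaced")
    elif token.isdigit():
        problems.append("token: purely numeric tokens are rejected by the collector")

    url = _scalar(text, "url")
    if url is None or url in PLACEHOLDERS:
        problems.append("url: missing or placeholder not replaced")
    else:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append("url: must start with https://")
        try:
            port = parts.port if parts.port is not None else 443
        except ValueError:  # non-numeric or out-of-range port in the URL
            port = None
        if port not in ALLOWED_PORTS:
            problems.append(f"url: port {port} is not one Onum listens on (443 or 1024-10000)")

    raw_ca = _scalar(text, "caFile")
    if tls_expected and raw_ca is None:
        problems.append("tls.caFile: certificates were entered in the Listener but no tls section is present")
    if raw_ca is not None:
        ca = raw_ca.strip('"')
        if not ca or ca in PLACEHOLDERS:
            problems.append("tls.caFile: missing or placeholder not replaced")
        # A lone backslash (not part of a doubled pair) breaks a quoted YAML string on Windows.
        elif re.search(r"(?<!\\)\\(?!\\)", raw_ca):
            problems.append("tls.caFile: single backslashes in a Windows path must be doubled")
    return problems


# Constructed sample configs (not real Onum or CrowdStrike values); the host
# is a reserved .invalid name and the token comes from generate_token().
TOKEN = generate_token()

GOOD_CONFIG = f"""\
sinks:
  flc-to-onum:
    type: hec
    token: {TOKEN}
    url: https://distributor.example.invalid:8443
    tls:
      caFile: "C:\\\\certs\\\\onum-ca.pem"
"""

BAD_CONFIG = """\
sinks:
  flc-to-onum:
    type: hec
    token: 1234567890
    url: http://distributor.example.invalid:80
    tls:
      caFile: "C:\\certs\\onum-ca.pem"
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_flc_config(cfg, tls_expected=True) or ["ok"])
```

Run it against your own config text before clicking **Publish**; the bad sample reports four problems (numeric token, `http://` scheme, port 80, unescaped backslashes) while the good one passes. Because the scan is line-based, it only reads the first `token`, `url` and `caFile` lines it finds, so check each sink separately if your config defines more than one.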

## 4. Create the Pipeline in **Falcon Onum**

Now we've got all the required pieces, so it's time to put them all together in a Pipeline:

{% stepper %}
{% step %}
Access your Falcon Onum tenant and click **Pipelines > New pipeline**.
{% endstep %}

{% step %}
At the left menu, select the **Falcon LogScale Collector** Listener we've just created in the **Listener** tab and drag it into the canvas. Then, go to the **Data sinks** tab and do the same with your **Falcon NG-SIEM** Data Sink.
{% endstep %}

{% step %}
Link the Listener with the Data Sink.
{% endstep %}

{% step %}
Double-click the Data Sink. In the **Output configuration** section, choose the `msg` field as **Raw message**, which is the one we want to be sent out. Click **Save**.
{% endstep %}

{% step %}
Finally, click **Publish**, choose the required cluster(s) and click **Publish** again.
{% endstep %}
{% endstepper %}

