Configuring CrowdStrike Falcon Host to Communicate with JSA
To send LEEF events from CrowdStrike Falcon Host to JSA, you must install and configure Falcon SIEM connector.
You must have access with administrator privileges to the Falcon Streaming API. To enable access, contact CrowdStrike support (email@example.com).
- Obtain an API key and UUID to configure the SIEM Connector.
Log in to the Falcon user interface.
Select People App, and then click the Customer tab.
The People App option is only visible to admin users.
Click Generate new API key.
Make a copy of the API key and the UUID.
- Install the Falcon SIEM Connector.
The Falcon SIEM Connector must be deployed on-premises on a system running either CentOS or RHEL 6.x-7.x. Internet connectivity to the CrowdStrike Cloud is also required.
You must have Admin (root) privileges.
Use the provided RPM to install the Falcon SIEM Connector.
rpm -Uhv /path/to/file/cs.falconhoseclient-<build_version>.<OS_version>.rpm
The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default.
A service is created in the
- Configure the SIEM Connector to forward LEEF events to JSA.
The configuration files are located in the
cs.falconhoseclient.cfg for LEEF configuration settings. The SIEM Connector uses the cs.falconhoseclient.cfg configuration by default.
The following table describes some of the key parameter values for forwarding LEEF events to JSA.
Table 1: Key Parameter Values
- The version of authentication to be used. In this case, it is the API Key Authentication version.
- The endpoint URL that the SIEM connector connects to.
- An arbitrary string identifier for connecting to the Falcon Streaming API. Value: any string, for example FHAPI-LEEF.
- The API key, used as the credential for client verification. Value: obtained in step 1.
- The UUID, used as the credential for client verification. Value: obtained in step 1.
- The flag that enables or disables the syslog push to the syslog server. Value: true or false.
- The IP address or host name of the SIEM. Value: the JSA SIEM IP address or host name to which the Connector forwards the LEEF events.
- The delimiter between the header prefix and the fields. Value: must be a pipe (|).
- The delimiter that separates key-value pairs. Value: must be a tab (\t).
- The datetime field whose value is converted to the specified time format. Value: the default field is devTime (device time); if a custom LEEF key is used for setting the device time, use a different field name.
- Start the SIEM Connector service by typing the following command:
service cs.falconhoseclientd start
If you want to stop the service, type the following command:
service cs.falconhoseclientd stop
If you want to restart the service, type the following command:
service cs.falconhoseclientd restart
Verify that the Falcon SIEM Connector is configured to send events to JSA.
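One way to carry out the verification step is to check a few events captured at the JSA side against the delimiter and datetime rules from Table 1 (pipe between header fields, tab between key-value pairs, a parseable devTime). The following is an added example, not code from the connector or from JSA; the sample event lines, the SampleEvent event ID and the devTime format "%b %d %Y %H:%M:%S" are constructed assumptions.

```python
from datetime import datetime

HEADER_DELIM = "|"           # header prefix and fields delimiter (Table 1)
FIELD_DELIM = "\t"           # key-value pair delimiter (Table 1)
DATETIME_FIELD = "devTime"   # default datetime field (Table 1)
DATETIME_FORMAT = "%b %d %Y %H:%M:%S"  # assumed connector time format

# Constructed sample lines, not real connector output: the first follows the
# delimiter rules, the second separates pairs with a space instead of a tab.
SAMPLE_EVENTS = [
    "LEEF:1.0|CrowdStrike|FalconHost|1.0|SampleEvent|"
    "devTime=Jan 02 2020 15:04:05\tsrc=10.0.0.5\tusrName=jdoe",
    "LEEF:1.0|CrowdStrike|FalconHost|1.0|SampleEvent|"
    "devTime=Jan 02 2020 15:04:05 src=10.0.0.5",
]

def parse_leef(line):
    """Split a LEEF line into (header dict, attribute dict); raise on malformed input."""
    if not line.startswith("LEEF:"):
        raise ValueError("line does not start with the LEEF header prefix")
    parts = line.split(HEADER_DELIM, 5)
    if len(parts) != 6:
        raise ValueError("expected 5 pipe-delimited header fields before the attributes")
    header = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts))
    attributes = {}
    for pair in parts[5].split(FIELD_DELIM):
        key, sep, value = pair.partition("=")
        if not key or not sep:
            raise ValueError(f"attribute is not key=value: {pair!r}")
        attributes[key] = value
    return header, attributes

def check_event(line):
    """Return the problems found in one forwarded event; [] means it is acceptable."""
    try:
        _header, attributes = parse_leef(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    value = attributes.get(DATETIME_FIELD)
    if value is None:
        problems.append(f"missing {DATETIME_FIELD}")
    else:
        try:
            datetime.strptime(value, DATETIME_FORMAT)
        except ValueError:
            problems.append(f"{DATETIME_FIELD}={value!r} does not match {DATETIME_FORMAT};"
                            " check that key-value pairs are tab-delimited")
    return problems
```

Run check_event over lines pulled from the JSA event viewer or a packet capture on the syslog port; a non-empty list points at the delimiter or datetime setting to correct in cs.falconhoseclient.cfg.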