Configuring CrowdStrike Falcon Host to Communicate with JSA
To send LEEF events from CrowdStrike Falcon Host to JSA, you must install and configure the Falcon SIEM Connector.
You must have access with administrator privileges to the Falcon Streaming API. To enable access, contact CrowdStrike support (support@crowdstrike.com).
- Obtain an API key and UUID to configure the SIEM Connector.
  Log in to the Falcon user interface.
  Select People App, and then click the Customer tab. The People App option is only visible to admin users.
  Click Generate new API key.
  Make a copy of the API key and the UUID.
- Install the Falcon SIEM Connector.
  Note: The Falcon SIEM Connector needs to be deployed on premise on a system running either CentOS or RHEL 6.x-7.x. Internet connectivity to the CrowdStrike Cloud is also required.
  Note: You must have Admin (root) privileges.
  Use the provided RPM to install the Falcon SIEM Connector:
  rpm -Uhv /path/to/file/cs.falconhoseclient-<build_version>.<OS_version>.rpm
  The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default. A service is created in the /etc/init.d/cs.falconhoseclientd/ directory.
- Configure the SIEM Connector to forward LEEF events to JSA.
  The configuration files are located in the /opt/crowdstrike/etc/ directory. Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg for LEEF configuration settings. The SIEM Connector uses the cs.falconhoseclient.cfg configuration by default.
  The following table describes some of the key parameter values for forwarding LEEF events to JSA.
  Table 1: Key Parameter Values (Key / Description / Value)
  Key: version
    Description: The version of authentication to be used. In this case, it is the API Key Authentication version.
    Value: 2
  Key: api_url
    Description: The SIEM connector connects to this endpoint URL.
    Value: https://firehose.crowdstrike.com/sensors/entities/datafeed/v1
  Key: app_id
    Description: An arbitrary string identifier for connecting to the Falcon Streaming API.
    Value: Any string. For example, FHAPI-LEEF
  Key: api_key
    Description: The API key is used as the credential for client verification.
    Value: Obtained at step 1
  Key: api_uuid
    Description: The UUID is used as the credential for client verification.
    Value: Obtained at step 1
  Key: send_to_syslog_server
    Description: To enable or disable syslog push to the syslog server, set the flag to true or false.
    Value: true
  Key: host
    Description: The IP or host name of the SIEM.
    Value: The JSA SIEM IP or host name where the Connector is forwarding the LEEF events.
  Key: header_delim
    Description: The header prefix and fields are delimited by this value.
    Value: The value must be a pipe (|).
  Key: field_delim
    Description: The delimiter value that is used to separate key-value pairs.
    Value: The value must be a tab (\t).
  Key: time_fields
    Description: This datetime field value is converted to the specified time format.
    Value: The default field is devTime (device time). If a custom LEEF key is used for setting device time, use a different field name.
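To check what the connector emits against the delimiter settings in Table 1, here is a small parser, added as an example (it is not part of this documentation or of the connector): it splits a LEEF 1.0 event on the header_delim pipe and the field_delim tab and rejects events that lack the devTime field. The sample event, its vendor/product strings and attribute values are constructed for illustration, not captured connector output.

```python
"""Parse a LEEF 1.0 event the way JSA reads it, using the Table 1 delimiters."""
from typing import Dict, Tuple

HEADER_DELIM = "|"      # header_delim from cs.falconhoseclient.cfg
FIELD_DELIM = "\t"      # field_delim from cs.falconhoseclient.cfg
TIME_FIELD = "devTime"  # default time_fields value

# Constructed sample event (vendor, product, event name and attribute values are
# illustrative placeholders, not output captured from the SIEM Connector).
SAMPLE_EVENT = (
    "LEEF:1.0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|"
    "devTime=Mar 11 2019 14:22:05\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "sev=5\tsrc=10.0.0.5\tusrName=jdoe"
)


def parse_leef(event: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one LEEF line into its five header fields and its key=value attributes.

    Raises ValueError when the line does not use the header/field delimiters JSA
    expects, so a mis-set header_delim or field_delim is caught here instead of
    showing up as silently unparsed events on the JSA side.
    """
    # Only the first five pipes belong to the header; attribute values may contain pipes.
    parts = event.split(HEADER_DELIM, 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("header must be 'LEEF:<ver>|Vendor|Product|Version|EventID|attrs'")
    header = dict(zip(("format", "vendor", "product", "version", "event_id"), parts[:5]))

    attrs: Dict[str, str] = {}
    for pair in parts[5].split(FIELD_DELIM):
        if "=" not in pair:
            raise ValueError(f"attribute {pair!r} is not key=value; check field_delim is a tab")
        key, value = pair.split("=", 1)
        attrs[key] = value

    if TIME_FIELD not in attrs:
        raise ValueError(f"{TIME_FIELD} missing; check the time_fields setting")
    return header, attrs


if __name__ == "__main__":
    hdr, fields = parse_leef(SAMPLE_EVENT)
    print(hdr["event_id"], fields[TIME_FIELD])
```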
- Start the SIEM Connector service by typing the following command:
  service cs.falconhoseclientd start
  If you want to stop the service, type the following command:
  service cs.falconhoseclientd stop
  If you want to restart the service, type the following command:
  service cs.falconhoseclientd restart
Verify that the Falcon SIEM Connector is configured to send events to JSA.