
CrowdStrike Falcon Host


The JSA DSM for CrowdStrike Falcon Host collects LEEF events that are forwarded by a Falcon SIEM Connector.

The following table describes the specifications for the CrowdStrike Falcon Host DSM:

Table 1: CrowdStrike Falcon Host DSM Specifications

Manufacturer: CrowdStrike

DSM name: CrowdStrike Falcon Host

RPM file name: DSM-CrowdStrikeFalconHost-JSA_version-build_number.noarch.rpm

Supported versions: N/A

Protocol: Syslog

Event format: LEEF

Recorded event types:

    • Falcon Host Detection Summary

    • Falcon Host Authentication Log

    • Falcon Host Detect Status Update Logs

    • Customer IOC Detect Event

    • Hash Spreading Event

Automatically discovered? Yes

Includes identity? No

Includes custom properties? No

More information: CrowdStrike website (https://www.crowdstrike.com/products/falcon-host/)

To integrate CrowdStrike Falcon Host with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs in the order that they are listed, on your JSA console:

    • DSMCommon RPM

    • CrowdStrike Falcon Host DSM RPM

  2. Install and configure your Falcon SIEM connector to send events to JSA.

  3. If JSA does not automatically detect the log source, add a CrowdStrike Falcon Host log source on the JSA console. The following table describes the parameters that require specific values for CrowdStrike Falcon Host event collection:

    Table 2: CrowdStrike Falcon Host Log Source Parameters

    Log Source type: CrowdStrike Falcon Host

    Protocol Configuration: Syslog

    Log Source Identifier: The IP address or host name where the Falcon SIEM Connector is installed.

The following table shows a sample event message from CrowdStrike Falcon Host:

Table 3: CrowdStrike Falcon Host Sample Message

Event name: Suspicious Activity

Low level category: Suspicious Activity

Sample log message:

LEEF:1.0|CrowdStrike|FalconHost |1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src=<ipv4> srcPort=49220 dst=<ipv4> domain=INITECH cat=NetworkAccesses usrName=<username> devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=CS-SE-WB-INITEC proto=TCP url=https://falcon.crowdstrike.com/detects/-4366619238013284776
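The sample above illustrates two things a parser must cope with in the connector's LEEF output: the header field `FalconHost ` carries a trailing space, and attribute values such as `devTime` and `devTimeFormat` contain spaces even though attributes themselves are space-separated. The following parser is an added example written for this page; it is not part of JSA, the DSM, or the CrowdStrike connector. It parses the page's sample message (with the `<ipv4>` and `<username>` placeholders replaced by constructed documentation values) into header and attribute fields and converts `devTime` using `devTimeFormat`, which is useful when validating connector output before a log source is created or when writing detection logic outside JSA.

```python
import re
from datetime import datetime

# Constructed copy of the sample message on the page. The <ipv4> and <username>
# placeholders are filled with RFC 5737 documentation addresses and a made-up user.
SAMPLE_LEEF = (
    "LEEF:1.0|CrowdStrike|FalconHost |1.0|Suspicious Activity| "
    "devTime=2016-06-09 02:57:28 src=192.0.2.10 srcPort=49220 dst=198.51.100.7 "
    "domain=INITECH cat=NetworkAccesses usrName=jdoe "
    "devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 "
    "resource=CS-SE-WB-INITEC proto=TCP "
    "url=https://falcon.crowdstrike.com/detects/-4366619238013284776"
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

# A new attribute begins at whitespace that is immediately followed by an
# identifier and '='. Splitting on that lookahead keeps values with embedded
# spaces (devTime, devTimeFormat) intact instead of breaking them apart.
ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")

# Java-style date tokens used by devTimeFormat mapped to strptime directives.
# Order matters: "MM" (month) must be replaced before "mm" (minute).
JAVA_TO_STRPTIME = (
    ("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"),
)


def parse_leef(line: str) -> dict:
    """Parse one LEEF 1.0 record into {"header": {...}, "attributes": {...}}.

    Header fields are stripped, so the stray space in "FalconHost " is tolerated.
    Raises ValueError for records that are not LEEF 1.0 or have a malformed attribute.
    """
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:5])))
    header["version"] = header["version"][len("LEEF:"):]

    attributes = {}
    for token in ATTR_SPLIT.split(parts[5].strip()):
        if "=" not in token:
            raise ValueError(f"malformed attribute: {token!r}")
        key, value = token.split("=", 1)
        attributes[key] = value
    return {"header": header, "attributes": attributes}


def event_time(attributes: dict) -> datetime:
    """Convert devTime to a datetime using devTimeFormat (defaulting to the sample's format)."""
    fmt = attributes.get("devTimeFormat", "yyyy-MM-dd HH:mm:ss")
    for java_token, directive in JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_token, directive)
    return datetime.strptime(attributes["devTime"], fmt)


def summarize(line: str) -> dict:
    """Reduce a record to the fields an analyst looks at first."""
    event = parse_leef(line)
    attrs = event["attributes"]
    return {
        "event": event["header"]["event_id"],
        "time": event_time(attrs).isoformat(),
        "user": attrs.get("usrName"),
        "src": attrs.get("src"),
        "dst": f"{attrs.get('dst')}:{attrs.get('dstPort')}",
        "category": attrs.get("cat"),
        "detect_url": attrs.get("url"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LEEF).items():
        print(f"{key:>11}: {value}")
```

The lookahead split is the important design choice: a naive `split(" ")` would turn `devTime=2016-06-09 02:57:28` into a `devTime` value of `2016-06-09` followed by an orphaned `02:57:28` token, silently shifting the event time. Real connector output may use a tab delimiter instead of spaces; the `\s+` in the pattern accepts either.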