Configuring CrowdStrike Falcon to Communicate with JSA
You must have Falcon Administrator privileges to generate API credentials.
To send LEEF events from CrowdStrike Falcon to JSA, you must install and configure the Falcon SIEM Connector.
1. Obtain a Client ID, Client Secret key and Base URL to configure the Falcon SIEM Connector.
   a. Log in to your CrowdStrike Falcon console.
   b. From the Falcon menu, in the Support pane, click API Clients and Keys.
   c. Click Add new API client.
   d. In the API SCOPES pane, select Event streams and then enable the Read option.
   e. To save your changes, click Add.
   f. Record the Client ID, Client Secret and Base URL values.
2. Install the Falcon SIEM Connector. You must have Admin (root) privileges.
   Note: The SIEM Connector must be deployed on premise, on a system that has one of the following operating systems:
     CentOS/RHEL 6.x - 7.x (64 bit)
     Ubuntu 14.x (64 bit)
     Ubuntu 16.04 (64-bit)
     Ubuntu 18.04 (64-bit)
   a. Download the RPM (CentOS) or DEB (Ubuntu) installer package for your operating system to your Linux server.
   b. To install the package, type one of the following commands:
      CentOS:  sudo rpm -Uvh <installer package>
      Ubuntu:  sudo dpkg -i <installer package>
   The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default.
   A service is created in the /etc/init.d/cs.falconhoseclientd/ directory.
3. Configure the SIEM Connector to forward LEEF events to JSA.
   The configuration files are located in the /opt/crowdstrike/etc/ directory.
   Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg to use the LEEF configuration settings; the SIEM Connector reads cs.falconhoseclient.cfg by default.
   The following table describes some of the key parameter values for forwarding LEEF events to JSA.

   Table 1: Key Parameter Values

   Key: version
   Description: The version of authentication to be used. In this case, it is the API Key Authentication version.
   Value: 2

   Key: api_url
   Description: The SIEM Connector connects to this endpoint URL.
   Value: Specify one of the following values based on your Cloud:
     https://api.crowdstrike.com/sensors/entities/datafeed/v2 (US-1)
     https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2 (US-2)
     https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2 (EU-1)
     https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2 (US-GOV-1)

   Key: app_id
   Description: An arbitrary string identifier for connecting to the Falcon Streaming API.
   Value: Any string. For example, FHAPI-LEEF

   Key: client_id
   Description: The client_id value is used as the credential for client verification.
   Value: Obtained at Step 1

   Key: client_secret
   Description: The client_secret value is used as the credential for client verification.
   Value: Obtained at Step 1

   Key: send_to_syslog_server
   Description: Enables or disables the Syslog push to the Syslog server; set the flag to true or false.
   Value: True

   Key: host
   Description: The IP address or host name of the SIEM.
   Value: The JSA SIEM IP address or host name to which the Connector forwards the LEEF events.

   Key: header_delim
   Description: The header prefix and fields are delimited by this value.
   Value: The value must be a pipe (|).

   Key: field_delim
   Description: The delimiter value that is used to separate key-value pairs.
   Value: The value must be a tab (\t).

   Key: time_fields
   Description: This datetime field value is converted to the specified time format.
   Value: The default field is devTime (device time). If a custom LEEF key is used for setting the device time, use a different field name.
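The parameter table above lists several values that must be exact (version 2, one of the four documented api_url endpoints, a pipe header delimiter, a tab field delimiter, syslog forwarding enabled) and a client secret that should not be left as a placeholder or sit in a world-readable file. The following pre-flight checker is an added example, not CrowdStrike's or Juniper's code: it parses a cs.falconhoseclient.cfg, reports every deviation from the table, and checks the file mode. It assumes the file is made of `key = value` lines with optional [section] headers and `#` comments, and that the tab delimiter is written in the file as the two characters `\t`; the sample configuration and its credential values are constructed.

```python
"""Pre-flight check for cs.falconhoseclient.cfg against the JSA parameter table.

Added example, not CrowdStrike's or Juniper's own code. Assumed file layout:
`key = value` lines, optional [section] headers, '#' or ';' comments.
"""
import os
import stat
import sys

# api_url values from Table 1, keyed by the Falcon cloud they belong to
API_URLS = {
    "US-1": "https://api.crowdstrike.com/sensors/entities/datafeed/v2",
    "US-2": "https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2",
    "EU-1": "https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2",
}

# keys the table says must be set for LEEF forwarding to JSA
REQUIRED = ("version", "api_url", "app_id", "client_id", "client_secret",
            "send_to_syslog_server", "host", "header_delim", "field_delim")

# constructed sample; the credential values are placeholders, not real ones
SAMPLE_CFG = """\
# constructed sample cs.falconhoseclient.cfg
[Settings]
version = 2
api_url = https://api.crowdstrike.com/sensors/entities/datafeed/v2
app_id = FHAPI-LEEF
client_id = 0123456789abcdef
client_secret = CONSTRUCTED-SECRET-NOT-REAL
send_to_syslog_server = true
host = 192.0.2.10
header_delim = |
field_delim = \\t
time_fields = devTime
"""


def parse_cfg(text):
    """Return {key: value} from key = value lines; sections and comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        cfg[key.strip()] = value.strip()
    return cfg


def check_cfg(cfg):
    """Return a list of problems; an empty list means the config matches Table 1."""
    problems = []
    for key in REQUIRED:
        if cfg.get(key, "") == "":
            problems.append(f"missing value for {key}")
    if cfg.get("version") != "2":
        problems.append("version must be 2 (API key authentication)")
    if cfg.get("api_url") not in API_URLS.values():
        problems.append("api_url is not one of the documented cloud endpoints")
    if cfg.get("send_to_syslog_server", "").lower() != "true":
        problems.append("send_to_syslog_server must be true to forward to JSA")
    if cfg.get("header_delim") != "|":
        problems.append("header_delim must be a pipe (|)")
    # assumption: the file spells the tab as backslash-t; accept a literal tab too
    if cfg.get("field_delim") not in ("\\t", "\t"):
        problems.append("field_delim must be a tab (\\t)")
    for key in ("client_id", "client_secret"):
        if cfg.get(key, "").startswith("<"):
            problems.append(f"{key} still holds a placeholder from the template")
    return problems


def secret_file_is_private(path):
    """True when only the owner can access the file that stores client_secret."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    # with a path argument check the real file, otherwise check the built-in sample
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            cfg = parse_cfg(fh.read())
        if not secret_file_is_private(path):
            print(f"warning: {path} is readable by group or others")
    else:
        cfg = parse_cfg(SAMPLE_CFG)
    issues = check_cfg(cfg)
    print("\n".join(issues) if issues else "config matches Table 1")
```

Run it as `python3 check_cfg.py /opt/crowdstrike/etc/cs.falconhoseclient.cfg` after renaming the LEEF template and before starting the service; a non-empty problem list is cheaper to fix here than by reading the connector's log after JSA receives nothing.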
4. To start the SIEM Connector service, type one of the following commands:
   CentOS:                 sudo service cs.falconhoseclientd start
   Ubuntu 14.x:            sudo start cs.falconhoseclientd
   Ubuntu 16.04 or later:  sudo systemctl start cs.falconhoseclientd.service
5. Optional: If you want to stop the SIEM Connector service, type one of the following commands:
   CentOS:                 sudo service cs.falconhoseclientd stop
   Ubuntu 14.x:            sudo stop cs.falconhoseclientd
   Ubuntu 16.04 or later:  sudo systemctl stop cs.falconhoseclientd.service
6. Optional: If you want to restart the SIEM Connector service, type one of the following commands:
   CentOS:                 sudo service cs.falconhoseclientd restart
   Ubuntu 14.x:            sudo restart cs.falconhoseclientd
   Ubuntu 16.04 or later:  sudo systemctl restart cs.falconhoseclientd.service
7. Add a Syslog log source in JSA. For more information, see Syslog Log Source Parameters for CrowdStrike Falcon.