Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring CrowdStrike Falcon to Communicate with JSA

You must have Falcon Administrator privileges to generate API credentials.

To send LEEF events from CrowdStrike Falcon to JSA, you must install and configure Falcon SIEM connector.

  1. Obtain a Client ID, Client Secret key and Base URL to configure Falcon SIEM Connector.
    1. Log in to your CrowdStrike Falcon.

    2. From the Falcon menu, in the Support pane, click API Clients and KeysSelect.

    3. Click Add new API client.

    4. In the API SCOPES pane, select Event streams and then enable the Read option.

    5. To save your changes, click Add.

    6. Record the Client ID, Client Secret and Base URL values.

  2. Install the Falcon SIEM Connector. You must have Admin (root) privileges.
    Note:

    The SIEM Connector must be deployed on premise, on a system that has one the following operating systems:

    • CentOS/RHEL 6.x - 7.x (64 bit)

    • Ubuntu 14.x (64 bit)

    • Ubuntu 16.04 (64-bit)

    • Ubuntu 18.04 (64-bit)

    1. Download the RPM installer package for your operating system to your Linux server.

    2. To install the package, type one of the following commands:

      • If you have a CentOS operating system, type the sudo rpm -Uvh <installer package> command.

      • If you have a Ubuntu operating system, type the sudo dpkg -i <installer package> command.

    The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default.

    A service is created in the /etc/init.d/cs.falconhoseclientd/ directory.

  3. Configure the SIEM Connector to forward LEEF events to JSA.

    The configuration files are located in the /opt/crowdstrike/etc/ directory.

    • Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg for LEEF configuration settings. The SIEM Connector uses cs.falconhoseclient.cfg configuration by default.

    The following table describes some of the key parameter values for forwarding LEEF events to JSA.

    Table 1: Key Parameter Values

    Key

    Description

    Value

    version

    The version of authentication to be used. In this case, it is the API Key Authentication version.

    2

    api_url

    The SIEM connector connects to this endpoint URL.

    Specify one of the following values based on your Cloud.

    • https://api.crowdstrike.com/sensors/ entities/datafeed/v2 (US-1)

    • https://api.us-2.crowdstrike.com/sensors/ entities/datafeed/v2 (US-2)

    • https://api.eu-1.crowdstrike.com/sensors/ entities/datafeed/v2 (EU-1)

    • https://api.laggar.gcw.crowdstrike.com/ sensors/entities/datafeed/v2 (US-GOV-1)

    app_id

    An arbitrary string identifier for connecting to Falcon Streaming API.

    Any string. For example, FHAPI-LEEF

    client_id

    The client_id value is used as the credential for client verification.

    Obtained at Step 1

    client_secret

    The client_secret value is used as the credential for client verification.

    Obtained at Step 1

    send_to_syslog_server

    To enable or disable Syslog push to Syslog server, set the flag to true or false.

    True

    host

    The IP or host name of the SIEM.

    The JSA SIEM IP or host name where the Connector is forwarding the LEEF events.

    header_delim

    Header prefix and fields are delimited by this value.

    The value must be a pipe (|).

    field_delim

    The delimiter value that is used to separate key-value pairs.

    The value must be a tab (\t).

    time_fields

    This datetime field value is converted to specified time format.

    The default field is devTime (device time). If a custom LEEF key is used for setting the device time, use a different field name .

  4. To start the SIEM Connector service, type one of the following one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd start command.

    • If you have a Ubunto 14.x operating system, type the sudo start cs.falconhoseclientd command.

    • If you have a Ubuntu 16.04 or later operating system, type the sudo systemctl start cs.falconhoseclientd.service command.

  5. Optional: If you want to stop the SIEM Connector service, type one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd stop command.

    • If you have a Ubunto 14.x operating system, type the sudo stop cs.falconhoseclientd command.

    • If you have a Ubuntu 16.04 or later operating system, type the sudo systemctl stop cs.falconhoseclientd.service command.

  6. Optional: If you want to restart the SIEM Connector service, type one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd restart command.

    • If you have a Ubunto 14.x operating system, type the sudo restart cs.falconhoseclientd command.

    • If you have an Ubuntu 16.04 or later operating system, type the sudo systemctl restart cs.falconhoseclientd.service command.

Add a Syslog log source in JSA. For more information, see Syslog Log Source Parameters for CrowdStrike Falcon.