AlienVault® USM Anywhere™

CrowdStrike Falcon

When you configure CrowdStrike Falcon to send log data to USM Anywhere, you can use the CrowdStrike Falcon plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor CrowdStrike
Device Type Endpoint Security
Connection Type Syslog

Integrating CrowdStrike Falcon

Before you configure the CrowdStrike Falcon integration, you must have the IP Address of the USM Anywhere Sensor.

Additional prerequisites include a host machine running the CentOS or RHEL operating system (64-bit versions 6.x to 7.x) for installation of a SIEM connector that will send syslog messages to the USM Anywhere Sensor. In addition, the CrowdStrike Falcon integration requires Internet connectivity and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443).

Note: The date and time on the host running the CrowdStrike Falcon SIEM Connector must also be current. (You can use NTP to maintain the correct time.)

To configure CrowdStrike Falcon to send log data to USM Anywhere

  1. Download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon website. You may also want to download the latest documentation package to have the “Falcon SIEM Connector Feature Guide” available as a reference.
  2. Unzip the package and make sure you see the following file (the name of the file will depend on the rpm install packages that you have downloaded):


  3. Using a file transfer tool, transfer the file to your Linux server and place it in /opt.

    Note: One of many options available to use for the transfer is the free WinSCP tool.

  4. Connect to the Linux server through SSH.
  5. Important: When installing the SIEM Connector, you must log in as the root user on the server.

  6. Type the following commands to install the connector:

     cd /opt
     rpm -Uvh cs.falconhoseclient-1.0.32-1.el7.centos.x86_64.rpm

     You might have to adjust the file name depending on the version of the SIEM Connector you are installing.

  7. The installer creates a new directory, /opt/crowdstrike, with three sub directories:

    • bin/ — holds the binary of the actual service, as well as the api offset file.

    • etc/ — holds the configuration file(s).

    • log/ — holds the log file as well as the default local output file.

  8. Configure the SIEM Connector to send logs in CEF format to USM Anywhere:
    • Rename /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
    • In the cs.falconhoseclient.cfg file, set the following parameters:

        output_format = syslog
        output_to_file = false
        send_to_syslog_server = true
        host = <USM-Anywhere-Sensor-IP-Address>
        port = 514
        protocol = udp

      Note: For the host entry, the IP address you specify is the IP address of the USM Anywhere Sensor.

  9. Save your configuration file.
  10. Start the SIEM Connector service with one of the following commands:

    /etc/init.d/cs.falconhoseclientd start

    or

    service cs.falconhoseclientd start

  11. To verify that your setup is correct and that connectivity has been established, use the following command:

    tail -f /opt/crowdstrike/log/cs.falconhoseclient.log

Plugin Enablement

The CrowdStrike Falcon plugin automatically processes all messages when the raw message contains CrowdStrike|FalconHost.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_address
  • destination_hostname
  • destination_port
  • device_custom_number_3
  • device_custom_number_3_label
  • event_description_url
  • event_name
  • event_severity
  • file_name
  • file_path
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • source_hostname
  • source_ntdomain
  • source_port
  • source_process_commandline
  • source_process_id
  • source_username
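The following Python script is an added illustration, not part of this guide or of the USM Anywhere plugin: it applies the enablement condition above (the raw message contains CrowdStrike|FalconHost) to a constructed CEF syslog line in the shape the SIEM Connector emits, and maps the parsed header and extension fields onto the plugin field names listed above. The CEF header field order is the standard one; the mapping from CEF extension keys (src, shost, fname, ...) to plugin field names is an assumption for illustration.

```python
import re

# Standard CEF header order: CEF:Version|Vendor|Product|Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "rep_device_vendor", "rep_device_type",
                 "rep_device_version", "rep_device_rule_id", "event_name",
                 "event_severity")

# Assumed mapping from standard CEF extension keys to the plugin field names
# listed above (the exact mapping used by the USM Anywhere plugin is not on the page).
EXT_TO_PLUGIN = {
    "src": "source_address", "shost": "source_hostname", "spt": "source_port",
    "dst": "destination_address", "dhost": "destination_hostname",
    "dpt": "destination_port", "suser": "source_username",
    "sntdom": "source_ntdomain", "spid": "source_process_id",
    "fname": "file_name", "filePath": "file_path",
    "cn3": "device_custom_number_3", "cn3Label": "device_custom_number_3_label",
}

def split_header(cef):
    """Split the seven pipe-delimited header fields; a backslash escapes '|'."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, cef[i:]          # remainder is the extension part

def parse_extension(ext):
    """Split 'key=value' pairs; values may contain spaces and '\\=' escapes."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end].strip())
    return out

def parse_falcon_cef(line):
    """Return plugin fields for one syslog line, or None if the plugin would not fire."""
    if "CrowdStrike|FalconHost" not in line or "CEF:" not in line:
        return None                 # enablement condition from the page not met
    header, ext = split_header(line[line.index("CEF:"):])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    for key, val in parse_extension(ext).items():
        event[EXT_TO_PLUGIN.get(key, key)] = val
    return event

# Constructed sample line in the shape the SIEM Connector emits (not real telemetry).
SAMPLE = ("<14>Mar 01 12:00:00 cs-connector CEF:0|CrowdStrike|FalconHost|1.0|"
          "DetectionSummaryEvent|Detection Summary|8|src=10.0.0.5 shost=WS01 "
          "suser=jdoe sntdom=CORP spid=4321 fname=sample.exe "
          "filePath=C:\\\\Users\\\\jdoe\\\\Downloads cn3=100 cn3Label=Offset msg=a\\=b")
```

Running `parse_falcon_cef(SAMPLE)` yields a dictionary keyed by the plugin field names, which is handy for checking that a test message sent through the connector carries the attributes the correlation rules expect.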

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.