When you configure CrowdStrike Falcon to send log data to USM Anywhere, you can use the CrowdStrike Falcon plugin to translate the raw log data into normalized events for analysis.
|Device Type||Endpoint Security|
Integrating CrowdStrike Falcon
Before you configure the CrowdStrike Falcon integration, you must have the IP Address of the USM Anywhere Sensor.
Additional prerequisites include a host machine running the CentOS or RHEL operating system (64-bit versions 6.x to 7.x) for installation of a SIEM connector that will send syslog messages to the USM Anywhere Sensor. In addition, the CrowdStrike Falcon integration requires Internet connectivity and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443)
Note: The date and time on the host running the CrowdStrike Falcon SIEM Connector must also be current. (You can use NTP to maintain the correct time.)
To configure CrowdStrike Falcon to send log data to USM Anywhere
- Download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon website. You may also want to download the latest documentation package to have the “Falcon SIEM Connector Feature Guide” available as a reference.
Unzip the package and make sure you see the following file1The name of the file will depend on the rpm install packages that you have downloaded.:
Using a file transfer tool, transfer the file to your Linux server and place it in /opt.
Note: One of many options available to use for the transfer is the free WinSCP tool.
- Connect to the Linux server through SSH.
- Type the following commands to install the connector:
Important: When installing the SIEM Connector, you must login as the
root user on the server.
rpm -Uvh cs.falconhoseclient-1.0.32-1.el7.centos.x86_64.rpm2 You might have to adjust the file name depending on the version of the SIEM Connector you are installing.
The installer creates a new directory,
/opt/crowdstrike, with three sub directories:
bin/— holds the binary of the actual service, as well as the api offset file.
etc/— holds the configuration file(s).
log/— holds the log file as well as the default local output file.
- In the
cs.falconhoseclient.cfgfile, set the following parameters:
output_format = syslog output_to_file = false send_to_syslog_server = true host = <USM-Anywhere-Sensor-IP-Address> port = 514 prococol = udp
Note: For the host entry, the IP address you specify is the IP address of the
Start the SIEM Connector service with the following command:
service cs.falconhoseclientd start
To verify your setup is correct and your connectivity has been established, you can use the following command:
tail -f /opt/crowdstrike/log/cs.falconhoseclient.log
The CrowdStrike Falcon plugin automatically processes all messages when the raw message contains CrowdStrike|FalconHost.
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
Additional Resources and Troubleshooting
For troubleshooting, see the vendor documentation.