Skip to main content

What this integration is

This integration ingests CrowdStrike Falcon events into your SOCFortress SIEM stack using the Falcon SIEM Connector (FalconHose). CrowdStrike events are forwarded to your SIEM (typically Graylog) over syslog, where they can be searched, routed, and used for alerting and investigations. Vendor references:

Prerequisites

  • CrowdStrike Falcon console access
  • An API client created with scope that includes read access for Event streams
Important:
  • If you are in CrowdStrike Government cloud, you must open a support ticket with CrowdStrike to enable the Falcon SIEM Connector.
CrowdStrike API Settings

Configuration (Falcon SIEM Connector)

Connector configuration is stored at:
  • /opt/crowdstrike/etc/cs.falconhoseclient.cfg
CoPilot provisioning typically generates this for you, but for reference the key values that must be set include:
  • api_url
  • client_id
  • client_secret
  • syslog_host / syslog_port
Example configuration:

CoPilot provisioning

Once you have saved the CrowdStrike configuration for the customer, you are ready to deploy the integration. In CoPilot, navigate to the Customers section and select the appropriate customer. Provisioning typically creates:
  • Graylog CEF input
  • Graylog stream
  • Graylog index
  • Grafana datasource
  • Grafana dashboards
  • CrowdStrike docker compose file

Deployment (connector container)

The CrowdStrike integration runs via a docker container. During provisioning, a customer directory is created:
  • /opt/CoPilot/data/data/<CUSTOMER_NAME>
Inside you’ll typically find:
  • <CUSTOMER_NAME>_docker-compose.yml
  • cs.falconhoseclient.cfg
Start the container:
You should now see the container running: CrowdStrike Running Container

Success criteria

  • CrowdStrike events are arriving in Graylog
  • Events are routed to the correct customer stream/index
  • Dashboards populate (after a short delay)

Troubleshooting

  • No events:
    • verify Falcon SIEM Connector is enabled for your tenant (GovCloud note above)
    • confirm API client has event stream read scope
    • check connector container logs
  • Events arriving but not routed:
    • confirm Graylog input/stream/index created during provisioning
    • confirm syslog host/port match your Graylog input