This guide walks you through creating a CrowdStrike OAuth client and gathering the configuration values needed to create a CrowdStrike NextGen SIEM integration.

Create a CrowdStrike OAuth Client

1. Log in to the console

Log in to your CrowdStrike Console instance with administrative privileges. Without administrative privileges you will not have access to create the client.

2. Create the client

Open the main menu and navigate to Support and resources > Resources and tools > API clients and keys. Click the 'Create API client' button.

In the modal that pops up, give the client a name and select the following scopes:

  • NGSIEM
    • Read
    • Write

After selecting the scopes, click the Create button. The modal will present you with your new Client ID, Client Secret and Base URL. Copy these values down to a safe location.

The SIEM client needs both the Read and Write scopes. The Write scope is required to create a search query, and the Read scope is required to read the query results. Note that if you need to adjust the scopes later, you can click the three dots to the right of the client listing on the main API clients and keys page.

3. Generate HEC credentials for Ingestion

This step is necessary only if you are ingesting events into CrowdStrike Next-Gen SIEM.

Open the main menu and navigate to Data connectors > Data connections. In the Connections section, click the '+ Add connection' button.

Click the 'Filter by connector name' dropdown, type in "HTTP" and click 'Apply'. You should now see the "HEC / HTTP Event Connector" in the list. Select this connector by clicking on it and then click the 'Configure' button.

Fill in the form with the following values:

  • Data source: your desired data source value
  • Data Type: JSON
  • Connector Name: your desired connector name
  • Parsers: json (Generic Source)

Affirm your adherence to the CrowdStrike Terms and Conditions by checking the box and then click Save.

A modal will appear indicating the connector is being set up. Close the modal and wait for the connector setup to finish. Once the connector is ready to receive data, you will see a notification bar at the top of the connector page. On the right-hand side, click the Generate API Key button.

A new modal will appear with your API URL and API Key values. Copy these to a safe location.

Configure the Integration

Create your integration by supplying all of the required values.

URL

This is the Base URL of your Falcon instance gathered in step 2.

ClientId

This is the Client ID gathered in step 2.

ClientSecret

This is the Client Secret gathered in step 2.

HEC URL

This is the API URL generated by CrowdStrike gathered in step 3.

HEC Credential Secret

The API Key for connecting to the CrowdStrike HEC service gathered in step 3.
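Before entering the five values, you can check them with a small pre-flight script. The following is an added example, not code from CrowdStrike or from this integration: it reads the values from environment variables (the variable names are assumptions), rejects copy/paste and scheme errors without echoing any secret, and builds one request per credential pair. The /oauth2/token path, the Bearer header and the "event" wrapper are assumptions to confirm against the CrowdStrike API and HEC connector documentation.

```python
import json
import os
import urllib.parse
import urllib.request

# Field names are the ones on this page; the environment variable names are
# assumptions made for this example.
FIELDS = {
    "URL": "CS_BASE_URL",
    "ClientId": "CS_CLIENT_ID",
    "ClientSecret": "CS_CLIENT_SECRET",
    "HEC URL": "CS_HEC_URL",
    "HEC Credential Secret": "CS_HEC_KEY",
}

def load_config(env=os.environ):
    """Read the five values and reject malformed ones without echoing them."""
    cfg, problems = {}, []
    for field, var in FIELDS.items():
        value = env.get(var, "")
        if not value:
            problems.append(f"{field}: {var} is not set")
        elif value != value.strip():
            problems.append(f"{field}: leading/trailing whitespace from copy/paste")
        elif field.endswith("URL") and urllib.parse.urlsplit(value).scheme != "https":
            problems.append(f"{field}: must be an https:// URL")
        cfg[field] = value
    if problems:
        raise ValueError("; ".join(problems))
    return cfg

def token_request(cfg):
    """OAuth2 client-credentials request (assumed token path: /oauth2/token)."""
    body = urllib.parse.urlencode(
        {"client_id": cfg["ClientId"], "client_secret": cfg["ClientSecret"]}).encode()
    return urllib.request.Request(cfg["URL"].rstrip("/") + "/oauth2/token", data=body,
        method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"})

def hec_request(cfg, event):
    """HEC test event (assumed: Bearer API key, JSON body wrapped in "event")."""
    return urllib.request.Request(cfg["HEC URL"], method="POST",
        data=json.dumps({"event": event}).encode(),
        headers={"Authorization": "Bearer " + cfg["HEC Credential Secret"],
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    cfg = load_config()
    for req in (token_request(cfg), hec_request(cfg, {"message": "integration preflight"})):
        with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on 4xx/5xx
            print(req.full_url, "->", resp.status)  # secrets are never printed
```

A 401 or 403 on the first request points at the Client ID, Client Secret or Base URL from step 2; a failure on the second points at the API URL or API Key from step 3.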