This guide walks you through setting up a CrowdStrike Next-Gen SIEM Sink integration for use as an HTTP event collector.
Configure a New API Client for Integration
1. Log in to the CrowdStrike Next-Gen SIEM UI as an Administrator
Once logged in as an administrator, you'll have the option to create an API client, provided your account has the Falcon Administrator role assigned. If you need to create a separate user to manage only the Vulnerabilities UI, you can do so by creating a new user and assigning them the Falcon Administrator role. To add a user, navigate to Host Setup and Management > Falcon Users > User Management.
2. Create an HTTP Event Connector (HEC) for Service Integration
You need to create a custom connector of type HTTP Event Connector, which will provide you with an ingestion URL and API key once the process is complete.
- Navigate to Data Connectors > Data Sources.
- Click the HEC/HTTP Event Connector tile. The Add New Connector page will open.
- Provide a Data Source value as needed.
- Select JSON for the Data Type dropdown.
- Provide a Connector Name and any description if necessary.
- In Parser Details, search for 'json' and select 'json-for-action'.
- Click Save. A modal will appear showing the creation status.
- Once the connector is ready to receive data, you will see a bar in the same UI. On the right side, you'll see a Generate API Key button.
- After clicking it, a modal will display the API URL and API Key.
Configure the Integration
Create your integration by supplying all the configuration values.
API URL
Provide the value obtained in Step 2.
API Key
Provide the value obtained in Step 2.
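A way to confirm the connector accepts events before saving the integration, as an added example that is not part of the original guide or CrowdStrike's own code. It assumes the connector follows the usual HEC convention of an `Authorization: Bearer` header and an `{"event": ...}` JSON body; the environment variable names `NGSIEM_HEC_URL` and `NGSIEM_HEC_KEY` are hypothetical.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit


def build_hec_request(api_url, api_key, event):
    """Build (but do not send) a POST for the connector's API URL."""
    parts = urlsplit(api_url)
    # The API key travels in a request header, so refuse anything but HTTPS.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("API URL must be an https:// URL")
    # Keys pasted from the modal often pick up stray whitespace or newlines.
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has surrounding whitespace")
    if not isinstance(event, dict):
        raise ValueError("event must be a JSON object (connector Data Type is JSON)")
    body = json.dumps({"event": event}).encode("utf-8")  # assumed HEC envelope
    return urllib.request.Request(
        api_url,
        data=body,
        method="POST",
        headers={
            "Authorization": "Bearer " + api_key,  # assumed HEC auth scheme
            "Content-Type": "application/json",
        },
    )


def send_test_event(api_url, api_key):
    """Send one constructed test event and return the HTTP status code."""
    event = {"source": "hec-smoke-test", "message": "connector test event"}
    request = build_hec_request(api_url, api_key, event)
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    # Read both values from the environment so the key stays out of the
    # script, version control and shell history. Names are hypothetical.
    status = send_test_event(os.environ["NGSIEM_HEC_URL"],
                             os.environ["NGSIEM_HEC_KEY"])
    print("HTTP status:", status)
```

A 2xx status means the API URL and API Key from Step 2 are valid; the test event should then be searchable under the connector's data source.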