Up
Previous Next

Sheriff CSM™

CrowdStrike Falcon

When you configure CrowdStrike Falcon to send log data to Sheriff CSM, you can use the CrowdStrikeas will Falcon plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor CrowdStrike
Device Type Endpoint Security
Connection Type Syslog
Data Source Name crowdstrike
Data Source ID 1889

Integrating CrowdStrike Falcon

Before you configure the CrowdStrike Falcon integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

Additional prerequisites include a host machine running the CentOS or RHEL operating system (64-bit versions 6.x to 7.x) for installation of a SIEM connector that will send syslog messages to the Sheriff CSM Sensor. In addition, the CrowdStrike Falcon integration requires Internet connectivity and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443)

Note: The date and time on the host running the CrowdStrike Falcon SIEM Connector must also be current. (You can use NTP to maintain the correct time.)

To configure CrowdStrike Falcon to send log data to Sheriff CSM
  1. Download the rpm install packages for the SIEM Connector from the CrowdStrike Falcon website. You may also want to download the latest documentation package to have the “Falcon SIEM Connector Feature Guide” available as a reference.

  2. Unzip the package and make sure you see the following file1:

    cs.falconhoseclient-x.x.x-x.el7.centos.x86_64.rpm

  3. Using a file transfer tool, transfer the file to your Linux server and place it in /opt.

    Note: One of many options available to use for the transfer is the free WinSCP tool.

  4. Connect to the Linux server through SSH.

    Important: When installing the SIEM Connector, you must login as the root user on the server.

  5. Type the following commands to install the connector:

    cd /opt
    rpm -Uvh cs.falconhoseclient-1.0.32-1.el7.centos.x86_64.rpm2

    The installer creates a new directory, /opt/crowdstrike, with three sub directories:

    • bin/ — holds the binary of the actual service, as well as the api Heroffset file.
    • etc/ — holds the configuration file(s).
    • log/ — holds the log file as well as the default local output file.
  6. Configure the SIEM Connector to send logs in CEF format to Sheriff CSM:

    • Rename /opt/crowdstrike/etc/cs.falconhoseclient.cef.cfg to /opt/crowdstrike/etc/cs.falconhoseclient.cfg.
    • In the cs.falconhoseclient.cfg file, set the following parameters:
      output_format = syslog
      output_to_file = false
      send_to_syslog_server = true
      host = <Sheriff-CSM-Sensor-IP-Address>
      port = 514 prococol = udp 
      Note: For the host entry, the IP address you specify is the IP address of the Sheriff CSM Sensor.
  7. Save your configuration file.

  8. Start the SIEM Connector service with the following command:

    /etc/init.d/cs.falconhoseclientd start

    or

    service cs.falconhoseclientd start

  9. To verify your setup is correct and your connectivity has been established, you can use the following command:

    tail -f /opt/crowdstrike/log/cs.falconhoseclient.log

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.crowdstrike.com/blog/tech-center/setup-crowdstrike-falcon-siem-connector/

For troubleshooting, see the vendor documentation
Topic revision: r23 - 28 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.