This article covers the steps to generate API credentials on a CrowdStrike Falcon instance and to install the Falcon Chronicle Connector on a Forwarder or Linux machine. It also shows how to configure the Chronicle Connector to forward LEEF events to Chronicle.
Generate API credentials on CrowdStrike Falcon instance
Before configuring the Chronicle Connector, we need the Client ID, Client Secret key, and Base URL of the Falcon API client.
Use this procedure to generate API credentials on CrowdStrike Falcon Instance.
Prerequisites:
Falcon Administrator privileges to generate API credentials.
Procedure:
Obtain a Client ID, Client Secret key, and Base URL to configure Falcon Chronicle Connector.
- Log in to your CrowdStrike Falcon console.
- From the Falcon menu, in the Support pane, click API Clients and Keys.
- Click Add new API client.
- In the API SCOPES pane, select Event streams and then enable the Read option.
- To save your changes, click Add.
- Record the Client ID, Client Secret and Base URL values. Note: Public access is not required for the S3 bucket to work with the Data Forwarder.
Results
We have Client ID, Client Secret Key, and Base URL details to configure Falcon Chronicle Connector.
Install the Falcon Chronicle Connector on Forwarder or Linux machine
If we have access to the customer's Forwarder server, we can install the Falcon Chronicle Connector on that server. If we do not have access to the Forwarder, we may need to ask the customer to install the Chronicle Connector, or we can install it on an AWS instance that forwards the logs to Chronicle.
Prerequisites:
- You need access to the CrowdStrike instance to download the RPM or DEB installer package.
- You must have admin privileges on the Forwarder machine.
Procedure:
- Download the installer package (RPM or DEB) for your operating system from the Web UI of the CrowdStrike instance.
- Log into the Forwarder server with root privileges.
- Copy the installer package onto the Forwarder through SCP or another method.
- To install the package, type one of the following commands:
  - If you have a CentOS operating system, type the sudo rpm -Uvh <installer package> command.
  - If you have an Ubuntu operating system, type the sudo dpkg -i <installer package> command.
Results
The Falcon Chronicle Connector installs in the /opt/crowdstrike/ directory by default.
Configure the Chronicle Connector to forward LEEF events to Chronicle
Prerequisites:
We have Client ID, Client Secret Key, and Base URL details.
Procedure:
1. Log into the Forwarder with root privileges.
2. Go to the directory where the service configuration files are located (e.g. /etc/systemd/system).
3. Because the Chronicle Connector is already installed on the host, a service file named cs.falconhoseclientd.service is present.
4. Copy cs.falconhoseclientd.service and rename the copy cs.falconhoseclientd.customername.service (Note: the customername string can be any custom name chosen for the customer).
5. Open the renamed service file, replace the text cs.falconhoseclient.cfg with cs.falconhoseclient.customername.cfg, and save the file.
6. The configuration files are located in the /opt/crowdstrike/etc/ directory.
7. Go to the /opt/crowdstrike/etc/ directory.
8. Copy cs.falconhoseclient.leef.cfg and rename the copy cs.falconhoseclient.customername.cfg.
9. Open cs.falconhoseclient.customername.cfg and check and set the following values where required:
   - api_url
   - client_id
   - client_secret
   - output_format: Forwarder
   - output_to_file: true
   - output_path: /var/log/crowdstrike/falconhoseclient/customername_output
   - offset_path: /var/log/crowdstrike/falconhoseclient/customername_stream_offsets
   - send_to_Forwarder_server: true
   - host: the IP address or host name of the Forwarder/Chronicle
   - port: 11673
10. Check whether any other parameters need to be modified, then save the cfg file.
11. Check and confirm that the Forwarder settings are correct for forwarding CrowdStrike logs to Chronicle.
12. To start the Chronicle Connector service, type one of the following commands:
    - If you have a CentOS operating system, type the sudo service cs.falconhoseclientd.customername start command.
    - If you have an Ubuntu 14.x operating system, type the sudo start cs.falconhoseclientd.customername command.
    - If you have an Ubuntu 16.04 or later operating system, type the sudo systemctl start cs.falconhoseclientd.customername command.
13. The Chronicle Connector service can be stopped or restarted in the same way.
14. To verify that the setup is correct and connectivity has been established, check the log file with the following command:
    tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log
    You should see a Heartbeat or real-time logs. If you see an error message that mentions the access token, double-check your CrowdStrike API Client ID and Secret.
Note: All metrics and health logs are available in the following directory:
/var/log/crowdstrike/falconhoseclient
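The per-customer service-file copy and cfg edits described in the procedure above, as an added shell example (not CrowdStrike's own tooling). It assumes a root prefix argument so it can run against a constructed scratch tree, assumes the cfg uses "key = value" lines, and uses the key names exactly as listed on this page; verify them against the template's own keys before using it on a real host.

```shell
#!/bin/sh
# Added example, not CrowdStrike's own tooling: provision one customer's connector
# instance (service unit + cfg) as the procedure above describes.
# root is an assumption: a prefix so the script can run against a scratch tree
# instead of the real filesystem (pass "" on a real host).
set -eu

# Replace a "key = value" line (or append it). Assumes the cfg uses key = value
# lines; rewriting through grep avoids sed escaping trouble with secrets.
set_kv() {
  file=$1 key=$2 val=$3
  grep -v "^$key[[:space:]]*=" "$file" > "$file.tmp" || true
  printf '%s = %s\n' "$key" "$val" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

provision_customer() {
  customer=$1 api_url=$2 client_id=$3 client_secret=$4 fwd_host=$5 root=${6:-}
  svc_dir=$root/etc/systemd/system
  cfg_dir=$root/opt/crowdstrike/etc
  svc=$svc_dir/cs.falconhoseclientd.$customer.service
  cfg=$cfg_dir/cs.falconhoseclient.$customer.cfg
  # Copy the stock unit and point it at the customer-specific cfg
  sed "s|cs\.falconhoseclient\.cfg|cs.falconhoseclient.$customer.cfg|g" \
    "$svc_dir/cs.falconhoseclientd.service" > "$svc"
  # Start from the LEEF template and set the values listed on this page
  cp "$cfg_dir/cs.falconhoseclient.leef.cfg" "$cfg"
  set_kv "$cfg" api_url "$api_url"
  set_kv "$cfg" client_id "$client_id"
  set_kv "$cfg" client_secret "$client_secret"
  set_kv "$cfg" output_format Forwarder
  set_kv "$cfg" output_to_file true
  set_kv "$cfg" output_path "/var/log/crowdstrike/falconhoseclient/${customer}_output"
  set_kv "$cfg" offset_path "/var/log/crowdstrike/falconhoseclient/${customer}_stream_offsets"
  set_kv "$cfg" send_to_Forwarder_server true
  set_kv "$cfg" host "$fwd_host"
  set_kv "$cfg" port 11673
  chmod 600 "$cfg"   # the cfg now holds the API secret: keep it root-readable only
  # On a real host, run "systemctl daemon-reload" before starting the new unit.
}

# Constructed scratch tree standing in for a host with the package installed.
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/etc/systemd/system" "$SCRATCH/opt/crowdstrike/etc"
printf '[Service]\nExecStart=/opt/crowdstrike/bin/cs.falconhoseclientd /opt/crowdstrike/etc/cs.falconhoseclient.cfg\n' \
  > "$SCRATCH/etc/systemd/system/cs.falconhoseclientd.service"
printf '[Settings]\napi_url = \nclient_id = \nclient_secret = \noutput_to_file = false\nport = 514\n' \
  > "$SCRATCH/opt/crowdstrike/etc/cs.falconhoseclient.leef.cfg"
provision_customer acme https://api.crowdstrike.com CLIENT_ID_PLACEHOLDER SECRET_PLACEHOLDER 10.0.0.5 "$SCRATCH"
```

The placeholder credentials and the ExecStart line in the scratch unit are constructed values, not the packaged ones.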
Results
We have configured the Falcon Chronicle Connector to pull logs and forward them to the Forwarder or Chronicle.
Verify CrowdStrike logs on Chronicle
Check whether a new Log Source has been created in Chronicle for the CrowdStrike Falcon Log Source Type.
If a new log source has not been created, apply a filter with a payload containing the required string and check whether the logs are being categorized as Unknown or are falling under the wrong Log Source.
If required, create or modify the log source so that this customer's CrowdStrike logs are received under their own unique Log Source.
Sample Logs
The following is a sample log that CrowdStrike Falcon sent to Chronicle.
{"ProcessBehaviorBitfield":"2","ExitCode":"0","ParentProcessId":"850004293004",
"ContextThreadId":"28076352567000","aip":"0.0.0.0","ConHostId":"1264",
"UserSid":"S-1-5-18","CycleTime":"204290695","event_platform":"Win",
"ConHostProcessId":"850004293004","MaxThreadCount":"12","ImageSubsystem":"2",
"id":"4375df7e-7452-4686-96f7-9215ad54a195","EffectiveTransmissionClass":"3",
"timestamp":"1689335650516","KernelTime":"1250000","UserTime":"0",
"event_simpleName":"EndOfProcess","RawProcessId":"26236","ContextTimeStamp":"1689335589.784",
"ConfigStateHash":"2053043822","ContextProcessId":"886640214003",
"SHA256HashData":"949bfe5b4c7d58d92f3f9c5f8fc7ca4ceaffd10ec5f0020f0a987c472d61c54b",
"ConfigBuild":"1007.3.0016705.11","TargetProcessId":"886640214003","Entitlements":"15",
"name":"EndOfProcessV15","ProcessStartTime":"1689335558.813",
"aid":"a0e7404e40ad482683a419c07b9345d3","cid":"503082eb485c47319a90f3255902a399"}