
CROWDSTRIKE



Instructions for forwarding CrowdStrike logs to your Log Management device

PREREQUISITES

CrowdStrike

  • CrowdStrike Falcon Platform

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

There are a number of different types of APIs in the CrowdStrike Falcon Platform. The two we recommend for the SIEM integration are the Query API (an "on demand", pull-based API that you call whenever you need data) and the Streaming API (a push-based API that delivers event data as a continuous stream).

Contact support@crowdstrike.com to get access to both CrowdStrike Falcon Platform APIs:

  1. CrowdStrike Falcon Streaming API
  2. CrowdStrike Falcon Query API

Note: Each of these APIs requires its own, separate set of credentials.

2

Once CrowdStrike support has enabled the Falcon Streaming API, obtain the UUID and API key that will be used for API authentication.

Navigate your browser to https://falcon.crowdstrike.com/login/

Enter your email address and click Continue.

Enter your administrator password and click Log In.

3

Navigate to the People App and select the Customer tab.

Note: The People App is only visible to admins.

4

Click Reset API Key and record the assigned API Key and UUID.

Note: Resetting invalidates any previous API key. Any other integration still using the old key stops working until it is updated with the new one, so coordinate the reset before clicking.

5

Please provide the following values to Clone Systems to complete the configuration for forwarding CrowdStrike logs to your Log Management device. Send them over a secure channel rather than plain email, since together they grant access to your Falcon event data:

For the CrowdStrike Falcon Streaming API:

  • Username
  • Password
  • UUID
  • API Key

For the CrowdStrike Falcon Query API:

  • Username
  • Password

Note:

For the CrowdStrike Falcon Streaming API:

  • The URL is https://firehose.crowdstrike.com/sensors/entities/datafeed/v1

For the CrowdStrike Falcon Query API:

  • The URL is https://falconapi.crowdstrike.com/
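As an added example (not Clone Systems or CrowdStrike code) of what the push-based Streaming API side of this integration involves once the credentials above are in place: a small Python consumer that takes the text of a datafeed response, parses one JSON event per line, drops offsets that were already forwarded (a client that reconnects receives them again), renders each event as an RFC 5424 syslog message, and sends the batch to the Log Management device's IP address over TCP, persisting the last offset only after the send succeeds. Authentication to https://firehose.crowdstrike.com/sensors/entities/datafeed/v1 with the UUID and API key is not shown. The line layout (metadata.offset, metadata.eventType, event), syslog port 514, the facility and severity mapping, and the sample stream are all assumptions constructed for this example.

```python
"""Forward Falcon-style streaming events to a syslog collector.

Added example; not Clone Systems or CrowdStrike code. Assumes (1) the
Streaming API returns one JSON object per line shaped as
{"metadata": {"offset", "eventType", "eventCreationTime"}, "event": {...}},
and (2) the Log Management device accepts RFC 5424 syslog over TCP/514.
The sample stream below is constructed, not captured from a real feed.
"""
import json
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
# Assumed mapping from Falcon detection severity to syslog severity.
SEVERITY = {"Critical": 2, "High": 2, "Medium": 4, "Low": 5, "Informational": 6}

# Constructed sample: offset 101 appears twice (a resend after reconnect),
# and the last line is garbage that must not abort the feed.
SAMPLE_STREAM = "\n".join([
    '{"metadata":{"offset":101,"eventType":"DetectionSummaryEvent","eventCreationTime":1700000000000},'
    '"event":{"ComputerName":"WS-01","Severity":"High","DetectName":"Suspicious Process"}}',
    '{"metadata":{"offset":101,"eventType":"DetectionSummaryEvent","eventCreationTime":1700000000000},'
    '"event":{"ComputerName":"WS-01","Severity":"High","DetectName":"Suspicious Process"}}',
    '{"metadata":{"offset":102,"eventType":"UserActivityAuditEvent","eventCreationTime":1700000060000},'
    '"event":{"UserId":"analyst@example.com","OperationName":"detection_update"}}',
    "not json at all",
])


def parse_stream(text, last_offset):
    """Yield (offset, event_type, event, timestamp) for lines newer than last_offset."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
            meta = obj["metadata"]
            offset = int(meta["offset"])
            event_type = str(meta["eventType"])
            event = obj["event"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip it, keep the feed alive
        if offset <= last_offset:
            continue  # duplicate or older offset seen on reconnect: drop
        last_offset = offset
        ts = datetime.fromtimestamp(int(meta.get("eventCreationTime", 0)) / 1000, tz=timezone.utc)
        yield offset, event_type, event, ts


def _sd_escape(value):
    """RFC 5424 SD-PARAM-VALUE must escape backslash, double quote and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(offset, event_type, event, ts, hostname="falcon-forwarder"):
    """Render one event as an RFC 5424 line, keeping the offset in structured data."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(event.get("Severity"), 6)
    sd = '[falcon@32473 offset="%d" eventType="%s"]' % (offset, _sd_escape(event_type))
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return "<%d>1 %s %s crowdstrike - %s %s %s" % (
        pri, ts.strftime("%Y-%m-%dT%H:%M:%SZ"), hostname, event_type[:32], sd, msg)


def process(stream_text, last_offset):
    """Return (syslog lines, new checkpoint offset) for one read of the feed."""
    lines = []
    for offset, event_type, event, ts in parse_stream(stream_text, last_offset):
        lines.append(to_syslog(offset, event_type, event, ts))
        last_offset = offset
    return lines, last_offset


def forward(lines, host, port=514, timeout=5.0):
    """Send newline-framed syslog lines to the Log Management device over TCP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall(line.encode("utf-8") + b"\n")


def run_once(stream_text, checkpoint_path, host):
    """Forward new events and advance the checkpoint only after a successful send."""
    try:
        with open(checkpoint_path) as f:
            last = int(f.read().strip() or 0)
    except FileNotFoundError:
        last = 0
    lines, new_last = process(stream_text, last)
    if lines:
        forward(lines, host)  # a failure here leaves the checkpoint untouched
        with open(checkpoint_path, "w") as f:
            f.write(str(new_last))  # so a crash re-sends rather than loses events
    return len(lines)


if __name__ == "__main__":
    for line in process(SAMPLE_STREAM, 0)[0]:
        print(line)
```

The checkpoint-after-send ordering is the point of the example: the Streaming API is push-based, so a consumer that persists its offset before delivery silently loses events whenever the device is unreachable, whereas persisting afterwards yields at-most duplicate delivery, which the offset filter in parse_stream then removes on the next run.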