CROWDSTRIKE


Instructions for forwarding CrowdStrike logs to your Log Management device

PREREQUISITES

CrowdStrike
  • CrowdStrike Falcon Platform
Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device
Instructions

1. There are a number of different types of APIs in the CrowdStrike Falcon Platform. The two APIs we recommend for the SIEM integration are the Query API (an “on demand” API) and the Streaming API (a “push based” API that delivers event data as a continuous stream). Each of these APIs requires its own set of credentials. Contact CrowdStrike to get access to both APIs.

Contact support@crowdstrike.com to get access to both of the CrowdStrike Falcon Platform APIs:

CrowdStrike Falcon Streaming API
CrowdStrike Falcon Query API

Note: Each of these APIs requires a different set of credentials.

2. Once CrowdStrike support enables the Falcon Streaming API, you need to obtain a UUID and an API key, which will be used for API authentication.

Navigate your browser to https://falcon.crowdstrike.com/login/

Enter your Email address: Your Email Address

Click Continue.

Enter your Password: Your Administrator password

Click Log In.

3. Navigate to the People App and then select the Customer tab.

Navigate to the People App > Customer tab.

Note: The People App is only visible to admins.

4. Click Reset API Key and then record the assigned API key and the UUID.

Note: Any previous API key will be invalidated by following these steps.

Click Reset API Key.

Record the assigned API Key and UUID.

5. Please provide the following values to Clone Systems to complete the configuration for forwarding CrowdStrike logs to your Log Management device:

For the CrowdStrike Falcon Streaming API:

  • Username
  • Password
  • UUID
  • API Key

For the CrowdStrike Falcon Query API:

  • Username
  • Password

Note:
For the CrowdStrike Falcon Streaming API:

– The URL is https://firehose.crowdstrike.com/sensors/entities/datafeed/v1

For the CrowdStrike Falcon Query API:

– The URL is https://falconapi.crowdstrike.com/