# CROWDSTRIKE

#### Introduction:

The Falcon [SIEM Connector](https://www.crowdstrike.com/resources/data-sheets/falcon-connector/) provides users a turnkey, SIEM-consumable data stream. The Falcon SIEM Connector:

- Transforms CrowdStrike API data into a format that [a SIEM](https://www.crowdstrike.com/epp-101/what-is-siem-in-cybersecurity/) can consume
- Maintains the connection to the CrowdStrike Event Streaming API and your SIEM
- Manages the data-stream pointer to prevent data loss

![](/files/-Mfr1dFAAN1711VyVR2b)

#### Prerequisites:

Before using the Falcon SIEM Connector, you’ll want to first define the API client and set its scope. Refer to this [guide to getting access to the CrowdStrike API](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) for setting up a new API client key. For the new API client, make sure the scope includes read access for Event streams.

![](/files/-Mfr2A3sHcxpsYMoMzxJ)

The CrowdStrike Falcon SIEM Connector (SIEM Connector) runs as a service on a local Linux server.

The resource requirements (CPU/memory/hard drive) are minimal and the system can be a VM.

- Supported OS (64-bit only):
  - CentOS/RHEL 6.x-7.x
  - Ubuntu 14.x
  - Ubuntu 16.04
  - Ubuntu 18.04
- Connectivity: Internet connectivity and the ability to connect to the CrowdStrike Cloud (HTTPS/TCP 443)
- Authorization: CrowdStrike API Event Streaming scope access
- Time: The date and time on the host running the Falcon SIEM Connector must be current (NTP is recommended)
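The prerequisites above can be turned into a pre-install check that is run on the candidate host before the package is installed. The script below is an example added to this guide, not CrowdStrike's own tooling; it parses `/etc/os-release` against the support list, confirms a 64-bit machine, reads `timedatectl status` for clock synchronisation, and attempts a TCP connection on port 443. The API host name `api.crowdstrike.com` is an assumption (the real endpoint depends on your Falcon cloud region), and CentOS 6 hosts have no `/etc/os-release`, so that check reports "check manually" there.

```python
"""Pre-install checks for a Falcon SIEM Connector host.

Added example for this guide, not CrowdStrike's code. It encodes the
prerequisites listed in the guide: a 64-bit supported OS, TCP 443 reachability
to the CrowdStrike cloud, and a current (NTP-synchronised) clock.
"""
import platform
import re
import socket
import subprocess
from pathlib import Path

# Assumed API endpoint; the actual host depends on your Falcon cloud region.
API_HOST = "api.crowdstrike.com"
API_PORT = 443


def parse_os_release(text):
    """Parse /etc/os-release style KEY=value lines into a dict (quotes stripped)."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


def is_supported_os(info):
    """Apply the guide's support list: CentOS/RHEL 6.x-7.x, Ubuntu 14.x/16.04/18.04."""
    os_id = info.get("ID", "").lower()
    version = info.get("VERSION_ID", "")
    major = version.split(".")[0]
    if os_id in ("centos", "rhel"):
        return major in ("6", "7")
    if os_id == "ubuntu":
        return major == "14" or version in ("16.04", "18.04")
    return False


def is_64bit(machine=None):
    """The connector ships 64-bit packages only."""
    return (machine or platform.machine()) in ("x86_64", "amd64")


def ntp_synchronized(status_text):
    """Read 'timedatectl status' output; old and new systemd wording both accepted."""
    return re.search(r"(NTP|System clock) synchronized:\s*yes", status_text) is not None


def can_reach_cloud(host=API_HOST, port=API_PORT, timeout=5.0):
    """TCP connect to the API endpoint on 443 (the guide's connectivity requirement)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight():
    """Run every check; None means the check could not be performed automatically."""
    results = {}
    os_release = Path("/etc/os-release")
    # CentOS 6 has no /etc/os-release; report that case for a manual check.
    info = parse_os_release(os_release.read_text()) if os_release.exists() else {}
    results["supported_os"] = is_supported_os(info) if info else None
    results["64bit"] = is_64bit()
    try:
        status = subprocess.run(["timedatectl", "status"], capture_output=True,
                                text=True, check=False).stdout
        results["ntp_synchronized"] = ntp_synchronized(status)
    except FileNotFoundError:
        results["ntp_synchronized"] = None
    results["cloud_reachable"] = can_reach_cloud()
    return results


if __name__ == "__main__":
    for check, ok in run_preflight().items():
        state = "CHECK MANUALLY" if ok is None else ("PASS" if ok else "FAIL")
        print(f"{check:18} {state}")
```

A failed `cloud_reachable` result usually points at an egress firewall or proxy rather than at the connector; the proxy options mentioned in the feature guide are the fix in that case, not a change to the connector host.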

#### Installation and Configuration:

To get started, you need to download the rpm install packages for the SIEM Connector from the [CrowdStrike Falcon UI](https://falcon.crowdstrike.com/support/tool-downloads). For a more comprehensive guide, please visit the [SIEM Connector Feature Guide](https://falcon.crowdstrike.com/support/documentation/14/siem-connector).

![](/files/-Mfr2yWMMJx9bZqikTYh)

Download the package for your operating system to the Linux server you’d like to use.

Open a terminal and run the installation command, where `<installer package>` is the installer that you downloaded:

- CentOS: `sudo rpm -Uvh <installer package>`
- Ubuntu: `sudo dpkg -i <installer package>`

The last step before starting the SIEM Connector is to pick a configuration. There are a couple of decisions to make. The SIEM Connector can:

- Output to a local file (your SIEM or other tools would have to actively read from that file)
- Output to a syslog server (most modern SIEMs have a built-in syslog receiver)
- Output to a format such as CEF or LEEF for your SIEM

Here is a flow diagram of how to pick the right configuration file:

![](/files/-Mfr3YAQIIr0fHSZ0DSa)

To get you started, we’ll use the default output to a JSON file and only change the Client ID and Client Secret. Since we’re just going to be testing with a single SIEM Connector, the `app_id` can stay as the default.

Open the SIEM Connector config file with sudo and your favorite editor and change the `client_id` and `client_secret` options:

`/opt/crowdstrike/etc/cs.falconhoseclient.cfg`

![](/files/-Mfr3en9rWdVQ2s3puws)

Once you save the configuration file you can start the SIEM Connector service with one of the following commands:

- CentOS: `sudo service cs.falconhoseclientd start`
- Ubuntu 14.x: `sudo start cs.falconhoseclientd`
- Ubuntu 16.04 and later: `sudo systemctl start cs.falconhoseclientd.service`

To verify that your setup is correct and your connectivity has been established, you can check the log file with the following command:

`tail -f /var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log`

You should see a Heartbeat. If you see an error message that mentions the access token, double check your CrowdStrike API Client ID and Secret.

![](/files/-Mfr3ilYtn9m9dF8ureN)
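The configure-start-verify steps above can be checked in one pass. The script below is an example added to this guide, not CrowdStrike's code: it confirms that `client_id` and `client_secret` were actually set in `cs.falconhoseclient.cfg` (and not left empty or as a placeholder), warns if the file holding the API secret is readable by other users, and then reads the tail of `cs.falconhoseclient.log` for the two signals the guide describes, a Heartbeat line meaning the stream is up and an access-token error meaning the credentials need checking. The `key = value` layout of the config lines, the exact wording of the log lines, and the sample log lines in the block are all assumptions or constructed, so matching is deliberately loose.

```python
"""Post-configuration check for the Falcon SIEM Connector.

Added example for this guide, not CrowdStrike's code. Config-line layout
('key = value') and log-line wording are assumptions; the sample log lines
below are constructed for this example.
"""
import re
from collections import deque
from pathlib import Path

CONFIG_PATH = Path("/opt/crowdstrike/etc/cs.falconhoseclient.cfg")
LOG_PATH = Path("/var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log")

CREDENTIAL_KEYS = ("client_id", "client_secret")
# Assumed 'key = value' config layout.
CONFIG_LINE_RE = re.compile(r"^\s*(client_id|client_secret)\s*=\s*(.*?)\s*$")
PLACEHOLDER_RE = re.compile(r"^(<.*>|changeme|todo|your[_ -].*)$", re.IGNORECASE)
HEARTBEAT_RE = re.compile(r"\bheartbeat\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"access[ _]?token", re.IGNORECASE)
ERROR_RE = re.compile(r"\b(error|fail(ed|ure)?|invalid|unauthori[sz]ed)\b", re.IGNORECASE)


def missing_credentials(config_text):
    """Return the credential keys that are absent, empty, or still a placeholder."""
    values = {}
    for line in config_text.splitlines():
        m = CONFIG_LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return [key for key in CREDENTIAL_KEYS
            if not values.get(key) or PLACEHOLDER_RE.match(values[key])]


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0600 root-owned)."""
    return (mode & 0o077) == 0


def classify_line(line):
    """Bucket one log line by the signals the guide tells you to look for."""
    if HEARTBEAT_RE.search(line):
        return "heartbeat"
    if TOKEN_RE.search(line) and ERROR_RE.search(line):
        return "token_error"
    if ERROR_RE.search(line):
        return "other_error"
    return "info"


def log_verdict(lines):
    """Judge the connector from its most recent log lines.

    A token error newer than the last heartbeat means the stream is down for
    credential reasons; a heartbeat newer than any error means it is healthy.
    """
    last = {}
    for idx, line in enumerate(lines):
        last[classify_line(line)] = idx
    hb, tok = last.get("heartbeat"), last.get("token_error")
    if tok is not None and (hb is None or tok > hb):
        return "auth_error"
    if hb is not None:
        return "healthy"
    if "other_error" in last:
        return "error"
    return "no_heartbeat_yet"


def tail_lines(path, n=200):
    """Read the last n lines of a file without loading the whole log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(deque(fh, maxlen=n))


# Constructed sample log lines, shaped on the guide's description only.
SAMPLE_LOG_OK = [
    "2021-07-01 10:00:01 INFO  Starting Falcon SIEM Connector",
    "2021-07-01 10:00:03 INFO  Heartbeat",
    "2021-07-01 10:00:33 INFO  Heartbeat",
]
SAMPLE_LOG_BAD = [
    "2021-07-01 10:00:01 INFO  Starting Falcon SIEM Connector",
    "2021-07-01 10:00:02 ERROR Failed to get access token (HTTP 401)",
]


def main():
    problems = []
    if CONFIG_PATH.exists():
        problems += [f"{k} not set in {CONFIG_PATH}"
                     for k in missing_credentials(CONFIG_PATH.read_text())]
        if not mode_is_private(CONFIG_PATH.stat().st_mode):
            problems.append(f"{CONFIG_PATH} is readable by other users; consider chmod 600")
    else:
        problems.append(f"{CONFIG_PATH} not found; is the package installed?")
    verdict = log_verdict(tail_lines(LOG_PATH)) if LOG_PATH.exists() else "log_missing"
    print("log verdict:", verdict)
    for problem in problems:
        print("problem:", problem)


if __name__ == "__main__":
    main()
```

Run it with sudo, since both the config file and the log directory are root-owned. An `auth_error` verdict maps directly to the guide's advice to recheck the Client ID and Secret; `no_heartbeat_yet` right after a start is normal, so wait a minute and run it again before treating it as a fault.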

#### Conclusion:

The process above shows how to get started with the CrowdStrike Falcon SIEM Connector. There are many more options for this connector (using a proxy to reach the streaming API, custom log formats and syslog configurations, etc.) that can be found in the “[SIEM Connector Feature Guide](https://falcon.crowdstrike.com/support/documentation/14/siem-connector)” as part of the Documentation package in the Falcon UI.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.blusapphire.io/log-forwarding/03_log-forwarding-guide/cloud-log-forwarding/crowdstrike/crowdstrike.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
