Configuring CrowdStrike Falcon to communicate with QRadar

To send LEEF events from CrowdStrike Falcon to IBM QRadar, you must install and configure the Falcon SIEM Connector.
Tip: To obtain CrowdStrike event data, you can also use the CrowdStrike app extension from the IBM Security App Exchange. For more information, see How to Use CrowdStrike with IBM’s QRadar (https://www.crowdstrike.com/blog/tech-center/crowdstrike-qradar/).

Before you begin

You must have Falcon Administrator privileges to generate API credentials.

Procedure

  1. Obtain a Client ID, Client Secret key and Base URL to configure Falcon SIEM Connector.
    1. Log in to your CrowdStrike Falcon.
    2. From the Falcon menu, in the Support pane, click API Clients and Keys.
    3. Click Add new API client.
    4. In the API SCOPES pane, select Event streams and then enable the Read option.
    5. To save your changes, click Add.
    6. Record the Client ID, Client Secret and Base URL values.
  2. Install the Falcon SIEM Connector. You must have Admin (root) privileges.
    Note: The SIEM Connector must be deployed on premises, on a system that has one of the following operating systems:
    • CentOS/RHEL 6.x - 7.x (64-bit)
    • Ubuntu 14.x (64-bit)
    • Ubuntu 16.04 (64-bit)
    • Ubuntu 18.04 (64-bit)
    1. Download the RPM installer package for your operating system to your Linux server.
    2. To install the package, type one of the following commands:
      • If you have a CentOS operating system, type the sudo rpm -Uvh <installer package> command.
      • If you have an Ubuntu operating system, type the sudo dpkg -i <installer package> command.

    The Falcon SIEM Connector installs in the /opt/crowdstrike/ directory by default.

    A service is created in the /etc/init.d/cs.falconhoseclientd/ directory.

  3. Configure the SIEM Connector to forward LEEF events to QRadar.
    The configuration files are located in the /opt/crowdstrike/etc/ directory.
    • Rename cs.falconhoseclient.leef.cfg to cs.falconhoseclient.cfg for LEEF configuration settings. The SIEM Connector uses cs.falconhoseclient.cfg configuration by default.

    The following table describes some of the key parameter values for forwarding LEEF events to QRadar.

    Table 1. Key parameter values

    Key: version
    Description: The version of authentication to be used. In this case, it is the API Key Authentication version.
    Value: 2

    Key: api_url
    Description: The endpoint URL that the SIEM Connector connects to.
    Value: Specify one of the following values, based on your cloud:
      • https://api.crowdstrike.com/sensors/entities/datafeed/v2 (US-1)
      • https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2 (US-2)
      • https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2 (EU-1)
      • https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2 (US-GOV-1)

    Key: app_id
    Description: An arbitrary string identifier for connecting to the Falcon Streaming API.
    Value: Any string. For example, FHAPI-LEEF

    Key: client_id
    Description: The client_id value is used as the credential for client verification.
    Value: Obtained in Step 1

    Key: client_secret
    Description: The client_secret value is used as the credential for client verification.
    Value: Obtained in Step 1

    Key: send_to_syslog_server
    Description: Enables or disables the Syslog push to the Syslog server. Set the flag to true or false.
    Value: true

    Key: host
    Description: The IP address or host name of the SIEM.
    Value: The QRadar SIEM IP address or host name to which the Connector forwards the LEEF events.

    Key: header_delim
    Description: The header prefix and fields are delimited by this value.
    Value: The value must be a pipe (|).

    Key: field_delim
    Description: The delimiter that is used to separate key-value pairs.
    Value: The value must be a tab (\t).

    Key: time_fields
    Description: This datetime field value is converted to the specified time format. If a custom LEEF key is used for setting the device time, use a different field name.
    Value: The default field is devTime (device time).
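    The following script is an added example, not part of the IBM or CrowdStrike documentation: it reads a constructed cs.falconhoseclient.cfg-style text (assumed here to be plain key = value lines), checks it against the Table 1 values, and then splits a constructed LEEF event with the configured pipe and tab delimiters to confirm that devTime arrives as a field.

```python
"""Check a Falcon SIEM Connector config against Table 1 and parse one LEEF event (added example; the key = value layout and the sample event are constructed, not vendor code)."""
# api_url endpoints from Table 1, one per cloud (US-1, US-2, EU-1, US-GOV-1).
KNOWN_API_URLS = {
    "https://api.crowdstrike.com/sensors/entities/datafeed/v2",
    "https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2",
    "https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2",
    "https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2",
}
# (key, predicate on its value, message) for the parameters that Table 1 pins down.
RULES = [
    ("version", lambda v: v == "2", "version must be 2 (API Key Authentication)"),
    ("api_url", lambda v: v in KNOWN_API_URLS, "api_url is not a documented datafeed endpoint"),
    ("client_id", bool, "client_id is missing (recorded in Step 1)"),
    ("client_secret", bool, "client_secret is missing (recorded in Step 1)"),
    ("send_to_syslog_server", lambda v: v.lower() == "true", "send_to_syslog_server must be true"),
    ("host", bool, "host must be the QRadar IP address or host name"),
    ("header_delim", lambda v: v == "|", "header_delim must be a pipe (|)"),
    ("field_delim", lambda v: v in ("\\t", "\t"), "field_delim must be a tab (\\t)"),
]

def parse_cfg(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments (assumed layout)."""
    lines = (ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (ln.split("=", 1) for ln in lines)}
def check_cfg(cfg):
    """Return one message per Table 1 rule that the config breaks (empty list means OK)."""
    return [msg for key, ok, msg in RULES if not ok(cfg.get(key, ""))]

def parse_leef(line, header_delim="|", field_delim="\t"):
    """Split a LEEF 1.0 record into its five header parts and a dict of event fields."""
    parts = line.rstrip("\n").split(header_delim, 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    fields = dict(kv.split("=", 1) for kv in parts[5].split(field_delim) if "=" in kv)
    return parts[:5], fields

SAMPLE_CFG = """# constructed sample; the credentials are placeholders, not real values
version = 2
api_url = https://api.crowdstrike.com/sensors/entities/datafeed/v2
client_id = CLIENT_ID_PLACEHOLDER
client_secret = CLIENT_SECRET_PLACEHOLDER
send_to_syslog_server = true
host = qradar.example.internal
header_delim = |
field_delim = \\t
time_fields = devTime
"""
# Constructed LEEF line in the shape the LEEF configuration produces; devTime is the default time field.
SAMPLE_LEEF = ("LEEF:1.0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|"
               "devTime=Jun 01 2021 12:00:00\tsrc=10.0.0.5\tseverity=5")
```

    Run check_cfg(parse_cfg(...)) on the real file before starting the service: a non-empty list points at the Table 1 parameter that QRadar's LEEF parser would otherwise choke on.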
  4. To start the SIEM Connector service, type one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd start command.
    • If you have an Ubuntu 14.x operating system, type the sudo start cs.falconhoseclientd command.
    • If you have an Ubuntu 16.04 or later operating system, type the sudo systemctl start cs.falconhoseclientd.service command.
  5. Optional: If you want to stop the SIEM Connector service, type one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd stop command.
    • If you have an Ubuntu 14.x operating system, type the sudo stop cs.falconhoseclientd command.
    • If you have an Ubuntu 16.04 or later operating system, type the sudo systemctl stop cs.falconhoseclientd.service command.
  6. Optional: If you want to restart the SIEM Connector service, type one of the following commands:
    • If you have a CentOS operating system, type the sudo service cs.falconhoseclientd restart command.
    • If you have an Ubuntu 14.x operating system, type the sudo restart cs.falconhoseclientd command.
    • If you have an Ubuntu 16.04 or later operating system, type the sudo systemctl restart cs.falconhoseclientd.service command.

What to do next

Add a Syslog log source in QRadar. For more information, see Syslog log source parameters for CrowdStrike Falcon.