Ingest alerts and metadata from CrowdStrike APIs - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Ingest CrowdStrike API real-time alerts and metadata for use in Cortex XSIAM stories.

Note

To enable some of the APIs, you may need to reach out to CrowdStrike support.

To receive CrowdStrike API real-time alerts and logs, you must first configure data collection from CrowdStrike APIs. You can then configure the Data Sources settings in Cortex XSIAM for the CrowdStrike APIs.

Note

For more information on configuring data collection from CrowdStrike APIs, see the CrowdStrike Documentation.

When Cortex XSIAM begins receiving alerts and logs, it automatically creates a CrowdStrike API XQL dataset (crowdstrike_falcon_incident_raw). You can use the alerts in rules, and search the logs using XQL Search. For example queries, refer to the in-app XQL Library.

  1. Configure data collection from CrowdStrike APIs.

    1. In the CrowdStrike Falcon application, select cs-logo.png SupportAPI Clients and Keys.

    2. Under the OAuth2 API Clients section, Add new API client.

    3. Configure your new API client with these settings:

      cs-add-new-api-client.png
      • CLIENT NAME: Specify a name for the new API client.

      • DESCRIPTION: (Optional) Specify a description for the new API client.

      • API SCOPESEvent streams: Select the Read permissions check box.

    4. Click ADD.

    5. Copy the values for the CLIENT ID, SECRET, and BASE URL, and save them, because you will need them when you configure the Data Collection settings in Cortex XSIAM.

      Note

      Ensure that you save the SECRET value because this is the only time that it is displayed.

      cs-api-client-created.png
    6. Click DONE.

  2. Configure the CrowdStrike Platform collection in Cortex XSIAM.

    1. In Cortex XSIAM, select SettingsData Sources.

    2. On the Data Sources page, click Add Data Source, search for and select CrowdStrike Platform, and click Connect.

    3. Set these parameters:

      • Name: Specify a descriptive name for your log collection configuration, preferably the same CLIENT NAME used when adding a new client API in the CrowdStrike Falcon application, as explained above.

      • Base URL: Specify the BASE URL you received when you created the client API in the CrowdStrike Falcon application, as explained above.

      • Client ID: Specify the CLIENT ID you received when you created the client API in the CrowdStrike Falcon application, as explained above.

      • Secret: Specify the SECRET you received when you created the client API in the CrowdStrike Falcon application, as explained above.

      • Collect: Select the items that you want to collect (Alerts, Hosts).

    4. Click Test to validate access, and then click Enable.

    When events start to come in, a green check mark appears below the CrowdStrike Platform configuration, along with the amount of data received.