Logging to CrowdStrike

This tutorial shows how to configure CrowdStrike Next-Gen SIEM to receive logs from Nametag.

Use CrowdStrike’s HTTP Event Collector (HEC) to push events from Nametag to your CrowdStrike SIEM.

Prerequisites

To complete this tutorial, you need the following:

  • A subscription to Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10 GB
  • CrowdStrike Falcon Administrator or Connector Manager privileges
  • Nametag Administrator privileges

Create a CrowdStrike connector

Sign in to the CrowdStrike Falcon console. Go to the main menu, then go to Next-Gen SIEM > Log Management > Data on-boarding.

Select Add Connection.

Select HEC / HTTP Event Connector from the list of connectors.

Select Configure on the right.

Provide the following details on the Add new connector panel:

  1. For Data Source, type a descriptive name for your data source, for example Nametag.
  2. For Data Type, select JSON from the dropdown list.
  3. For Connector Name, type a descriptive name for your connector, for example Nametag Connector.
  4. For Parser details, choose or create a parser. It must include parseJson(field=@rawstring) | @timestamp := ts.

Select Save and wait for the Connector setup in progress dialog to finish.

Get a CrowdStrike API key

Select Generate API Key at the top right of the Connector configuration page.

Copy both the API Key and API URL that are displayed. These values are needed to configure the Nametag webhook.

Note: Ensure that your API URL endpoint ends with /services/collector

Configure Nametag

The next step is to configure Nametag to send events to CrowdStrike using the connector you just created.

Go to the Nametag console and select Configure.

Select Webhooks from the left menu and select Add a Webhook.

Configure the webhook:

  1. Select the Enabled toggle.
  2. For Delivery URL, provide the CrowdStrike API URL you saved earlier.
  3. For Authorization Header, provide BEARER API_KEY, where API_KEY is the CrowdStrike API key you saved earlier. Example: BEARER 14935FMGNWLGJJT385.
  4. For Events, enable the events that are most relevant to you. For the most complete coverage of Nametag events, enable Audit events.
  5. Select Save configuration.
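
A pre-flight check for the two values pasted into the webhook form and for the field the parser reads, as an added example that is not part of Nametag's or CrowdStrike's documentation or code. The function names, the example.invalid host and the sample event are constructed, and the https requirement is an assumption added here, not something this tutorial states.

```python
import json
from urllib.parse import urlsplit

# Values this tutorial prints as placeholders; a real key must replace them.
PLACEHOLDER_KEYS = {"14935FMGNWLGJJT385", "API_KEY", "*API_KEY*"}


def check_webhook_config(delivery_url, auth_header):
    """Return a list of problems with the Delivery URL and Authorization Header."""
    problems = []
    url = urlsplit(delivery_url)
    if url.scheme != "https":  # assumption added here: the key must not travel in clear text
        problems.append("Delivery URL must use https")
    if not url.netloc:
        problems.append("Delivery URL has no host")
    if not url.path.endswith("/services/collector"):
        problems.append("Delivery URL must end with /services/collector")
    parts = auth_header.split(" ")  # no strip: stray spaces are a common paste error
    if len(parts) != 2 or parts[0].upper() != "BEARER" or not parts[1]:
        problems.append("Authorization Header must be BEARER, one space, then the key")
    elif parts[1] in PLACEHOLDER_KEYS:
        problems.append("Authorization Header still holds the tutorial's placeholder key")
    return problems


def check_event_for_parser(raw):
    """Check what the parser line relies on: a JSON object with a top-level ts field."""
    try:
        event = json.loads(raw)
    except ValueError:
        return ["event is not valid JSON, so the parser cannot read ts"]
    if not isinstance(event, dict) or "ts" not in event:
        return ["event has no top-level ts field for '@timestamp := ts'"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not real Nametag or CrowdStrike data.
    url = "https://example.invalid/services/collector"
    header = "BEARER 14935FMGNWLGJJT385"
    event = '{"ts": 1700000000000, "type": "constructed-sample"}'
    for problem in check_webhook_config(url, header) + check_event_for_parser(event):
        print("FIX:", problem)
```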

Testing and logging

To verify that data is being sent to CrowdStrike, create an interactive verification.

  • Go to the Nametag console and select Verifications.
  • Select New Verification.
  • When the verification link is generated, dismiss the dialog.
  • Go to Configure and Webhooks.
  • Check the Recent deliveries section for a record of a webhook being delivered to CrowdStrike.