
Logging to CrowdStrike Next-Gen SIEM

CrowdStrike Next-Gen SIEM can ingest data through an HTTP Event Collector (HEC) connector, which lets you stream webhooks from Nametag directly into your CrowdStrike instance. This guide walks through configuring CrowdStrike and Nametag step by step so that logs from Nametag appear in CrowdStrike.

Prerequisites

  • Subscription to Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB
  • CrowdStrike Falcon Administrator or Connector Manager privileges
  • Nametag Administrator privileges

CrowdStrike Connector configuration

Log into your CrowdStrike Falcon console, open the menu, then go to Next-Gen SIEM > Log Management > Data onboarding.

CrowdStrike Next-Gen SIEM data onboarding menu

You will need to add a new Data Connection. To do so, click Add Connection.

From the list of connectors, select HEC / HTTP Event Connector. A panel appears on the right; select Configure.

A new page opens for configuring the new Connector. Enter the following:

  1. Data Source - Add your Data Source.
  2. Data Type - Select JSON as the Data Type.
  3. Connector Name - Provide the Connector Name.
  4. Parser details - Select which parser you would like to use.

Note: Ensure that the Parser you choose or the Parser you create includes parseJson(field=@rawstring) | @timestamp := ts

  5. Click the Terms and Conditions checkbox, then click the Save button.

After you click Save, a new dialog is displayed stating Connector Setup in Progress. This configures your connector to receive your data and takes a few minutes to finish.

Next you will need to get your API Key and API URL. To do this, click the Generate your API Key button at the top right.

A new display then shows your connector's API Key and API URL. Copy both the API Key and the API URL and save them within a config file or somewhere safe, as you will need them to configure your webhook within Nametag later on.

Note: Ensure that your API URL endpoint ends with /services/collector

Nametag Configuration

Now you will need to configure Nametag to send webhooks to CrowdStrike. To do so, navigate to your Nametag Console and click Configure. Go to the Webhooks tab and click the Add a Webhook button. Within the Configure Webhook panel, do the following:

  1. Select Enable to enable the webhook.
  2. Delivery URL - Add the CrowdStrike API URL that you copied in the Connector configuration steps above.
  3. Authorization Header - Add your CrowdStrike API Key from the Connector configuration steps above by typing BEARER, a space, then your API Key. For example: BEARER 14935FMGNWLGJJT385.
  4. Events - Select which webhook events you want to send to CrowdStrike.
  5. Click Save configuration.
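
The two values pasted into the Configure Webhook panel are the usual source of silent delivery failures, so the following preflight check validates them against the rules stated on this page. It is an added example, not Nametag or CrowdStrike code; the function names and the ingest.example.invalid host are hypothetical, and the https:// requirement is an assumption added here so the key is never sent in clear text.

```shell
#!/bin/sh
# Added example: preflight checks for the Delivery URL and Authorization
# Header values before saving the Nametag webhook. Function names are
# illustrative only.

# Delivery URL must end with /services/collector (per the note on this page).
# Requiring https:// is an assumption added by this example.
check_delivery_url() {
  case "$1" in
    *[[:space:]]*) echo "URL contains whitespace" >&2; return 1 ;;
    https://?*/services/collector) return 0 ;;
    https://*/services/collector/) echo "drop the trailing slash" >&2; return 1 ;;
    https://*) echo "URL must end with /services/collector" >&2; return 1 ;;
    *) echo "URL must start with https://" >&2; return 1 ;;
  esac
}

# Header value must be the scheme word, exactly one space, then the key.
# HTTP auth scheme names are case-insensitive, so "Bearer" also passes.
check_auth_header() {
  value="$1"
  scheme="${value%% *}"   # text before the first space
  key="${value#* }"       # text after the first space
  if [ "$value" = "$scheme" ]; then
    echo "expected 'BEARER <API key>'" >&2; return 1
  fi
  if [ "$(printf '%s' "$scheme" | tr '[:lower:]' '[:upper:]')" != "BEARER" ]; then
    echo "scheme must be BEARER" >&2; return 1
  fi
  case "$key" in
    ''|*[[:space:]]*) echo "key is empty or has stray whitespace" >&2; return 1 ;;
  esac
  return 0
}

# Run both checks so every problem is reported in one pass.
preflight() {
  rc=0
  check_delivery_url "$1" || rc=1
  check_auth_header "$2" || rc=1
  return "$rc"
}

# Constructed values: placeholder host, and the sample key shown on this page.
if preflight "https://ingest.example.invalid/services/collector" \
             "BEARER 14935FMGNWLGJJT385"; then
  echo "preflight passed"
fi
```
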

Testing and Logging

Now that you have configured CrowdStrike and Nametag, let's verify that we're sending data from Nametag to CrowdStrike by testing a verification.

Within the Nametag console, go to the Verifications page. Click New Verification. Once a new verification has started, a new webhook event request_created will be sent to the Next-Gen SIEM log management.

If you have any questions about this, please contact us at help@nametag.co