External Systems Configuration Guide

CrowdStrike

Integration points

Protocol: Falcon Streaming API
Information Discovered: Detection Summary, Authentication Log, Detection Status Update, Indicators of Compromise, Containment Audit Events, IP White-listing Events, Sensor Grouping Events
Used For: Security and Compliance

Falcon Streaming API Integration

FortiSIEM can collect the following types of events from CrowdStrike Cloud Service via the Falcon Streaming API:

  • Detection Summary
  • Authentication Log
  • Detection Status Update
  • Customer Indicators of Compromise
  • Containment Audit Events
  • IP White-listing Events
  • Sensor Grouping Events

CrowdStrike provides details about the Falcon Streaming API in its own documentation.

Configuring CrowdStrike Service for Falcon Streaming API

Create an account to be used for FortiSIEM communication:

  1. Log in to CrowdStrike as Falcon Customer Admin.
  2. Go to Support App > Key page.
  3. Click Reset API Key. Copy the API key and UUID for safe keeping. Note that the API key and UUID are assigned as one pair per customer account, not one pair per user. Thus, generating a new API key may break existing applications in your environment that use the current key.

Configuring FortiSIEM for Falcon Streaming API based access

Use the account from the previous step to enable FortiSIEM access.

  1. Log in to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create CrowdStrike Falcon credential.
    1. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
    2. Choose Access Protocol = Falcon Streaming API.
    3. Enter the UUID and API Key Secret obtained while Configuring CrowdStrike Service for Falcon Streaming API.
    4. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    5. Click Save.
  4. Enter an IP Range to Credential Association.
    1. Set Hostname to firehose.crowdstrike.com.
    2. Select the Credential created in step 3.
    3. Click Save.
  5. Select the entry created in step 4 and click Test Connectivity. If the test succeeds, the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API.

To test for events received via CrowdStrike Streaming API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the CrowdStrike Streaming API entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.

Falcon Data Replicator Integration

FortiSIEM can collect the following types of events from CrowdStrike Cloud Service via the Falcon Data Replicator method:

  • Detection Summary Events
  • User Activity Audit Events
  • Auth Activity Audit Events

CrowdStrike provides details about the Falcon Data Replicator method in its own documentation.

Obtaining AWS credentials from CrowdStrike

Contact CrowdStrike to obtain AWS credentials for pulling CrowdStrike logs from AWS.

  1. Generate a GPG key pair and export the public key in ASCII-armored format.
  2. Send the public part of the GPG key to support@crowdstrike.com.
  3. CrowdStrike will encrypt the API key with your public key and send you the encrypted API key. You can decrypt using your private GPG key.
  4. CrowdStrike Support will also provide you an SQS Queue URL.

Credentials obtained in steps 3 and 4 above will be used in the next step.

Configuring FortiSIEM for Falcon Data Replicator

Use the credentials from the previous step to enable FortiSIEM access.

  1. Log in to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create CrowdStrike Falcon Data Replicator credential.
    1. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
    2. Choose Access Protocol = CrowdStrike Falcon Data Replicator.
    3. Enter the Region where the instance is located.
    4. Enter the SQS Queue URL provided by CrowdStrike Support.
    5. Password Config: see Password Configuration.
    6. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    7. Click Save.
  4. Enter an IP Range to Credential Association.
    1. Get the Hostname from the SQS Queue URL. For example, for Queue URL https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queue-d5836cd3792ece8f, set the host name to us-west-1.queue.amazonaws.com.
    2. Select the Credential created in step 3 above.
    3. Click Save.
  5. Select the entry created in step 4 and click Test Connectivity. If the test succeeds, the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Data Replicator.
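As an added example that is not part of the Fortinet guide, the Python helper below derives the host name for the IP Range to Credential Association (step 4.1) and the Region for the credential (step 3.3) from the SQS Queue URL, and checks that the Region you typed agrees with the one embedded in the URL. The two host-name shapes it accepts (legacy "<region>.queue.amazonaws.com" and current "sqs.<region>.amazonaws.com") are an assumption based on AWS regional SQS endpoints; the sample URL is the one quoted in step 4.1.

```python
from urllib.parse import urlsplit

# Sample queue URL as quoted in the guide's step 4.1 (used here as test input).
SAMPLE_QUEUE_URL = (
    "https://us-west-1.queue.amazonaws.com/754656674199/"
    "cs-prod-cannon-queue-d5836cd3792ece8f"
)


def parse_sqs_queue_url(url: str) -> dict:
    """Split an SQS queue URL into the values the FortiSIEM credential form needs.

    Returns hostname (IP Range to Credential Association), region (credential
    Region field), account_id and queue_name. Raises ValueError when the URL
    does not look like an SQS queue URL, so a mistyped URL is caught before
    Test Connectivity fails with a less specific error.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SQS queue URL must use https")
    host = parts.hostname or ""
    labels = host.split(".")
    # Assumption: AWS publishes SQS regional endpoints in these two shapes.
    if len(labels) == 4 and labels[1:] == ["queue", "amazonaws", "com"]:
        region = labels[0]                      # legacy: <region>.queue.amazonaws.com
    elif len(labels) == 4 and labels[0] == "sqs" and labels[2:] == ["amazonaws", "com"]:
        region = labels[1]                      # current: sqs.<region>.amazonaws.com
    else:
        raise ValueError(f"unrecognised SQS host: {host!r}")
    path = [p for p in parts.path.split("/") if p]
    # Path is /<12-digit AWS account id>/<queue name>
    if len(path) != 2 or not (path[0].isdigit() and len(path[0]) == 12):
        raise ValueError(f"unexpected queue path: {parts.path!r}")
    return {"hostname": host, "region": region,
            "account_id": path[0], "queue_name": path[1]}


def is_valid_sqs_queue_url(url: str) -> bool:
    """True if parse_sqs_queue_url accepts the URL, False otherwise."""
    try:
        parse_sqs_queue_url(url)
        return True
    except ValueError:
        return False


def region_matches(url: str, configured_region: str) -> bool:
    """Check that the Region entered in step 3.3 matches the region in the URL."""
    return parse_sqs_queue_url(url)["region"] == configured_region
```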

To test for events received via CrowdStrike Falcon Data Replicator:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the CrowdStrike Falcon Data Replicator entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.
