CrowdStrike Falcon NG SIEM
1. Introduction

This guide explains how to integrate Nile with CrowdStrike Falcon NG SIEM so that Nile security and network events are streamed into Falcon for centralised monitoring, detection, and investigation.

2. Audience and prerequisites

2.1 Intended audience

This document is intended for:

- Nile tenant administrators responsible for integrations
- Security / SIEM engineers managing CrowdStrike Falcon NG SIEM
- Network and security operations teams consuming SIEM data

2.2 Prerequisites

Before you start, ensure the following:

- An active Nile tenant with SIEM integration enabled
- Access to the Nile Portal (Cleo) with permissions to configure Global Settings → Integrations
- A CrowdStrike Falcon environment with the NG SIEM / Falcon LogScale data connector capability, and permissions to create data connectors (Nile Access Service Data Connector)

3. Configuring CrowdStrike Falcon NG SIEM

This section focuses on setting up the data connector in Falcon so Nile can send events to it.

3.1 Create and configure a data connector

1. Log in to your CrowdStrike Falcon console as an administrator.
2. Navigate to Data Connectors (NG SIEM / Falcon LogScale).
3. Create a new data connection for Nile (e.g., name it “Nile Data Connector”).
4. Click on “Filter by connector name”, search for “Nile”, and apply the filter.
5. Select the connector type as “Nile Access Service Data Connector” and click “Configure”.
6. In the “New connection details” window:
   - Provide a connection name and description (optional).
   - Select a timezone for your data. This will be applied to event data that does not include timezone information.
   - Host enrichment is enabled by default. (Optional) If needed, you can disable it by clearing the checkbox.
   - Accept the terms and conditions, then click “Create connection”.
7. A banner message appears in the Falcon console indicating that the connector setup is in progress. Click Close.
8. A notification message appears at the top of the screen indicating that the connector is ready to receive data.
9. Click “Generate API key” to create the API key. This step generates the API key and API URL.
10. Copy and securely store the API key now, as it is displayed only once and cannot be retrieved later.
11. Click Close to exit the window.

4. Configuring Nile to send data to CrowdStrike

4.1 Log in to the Nile Portal

1. Log in to the Nile Portal with an admin account.
2. From the left navigation, go to Network Setup, then open Global Settings.
3. Click the Integrations tab.

4.2 Add the CrowdStrike SIEM integration

1. Click Setup Integration or the “+” (add) button.
2. In the list of SIEM options, select Falcon SIEM.
3. On the CrowdStrike integration form in Nile, fill in the following fields:
   - Name: Set the name to default. Nile uses the SIEM connection named “default” as the primary path for sending events out.
   - API URL: Paste the API URL exactly as shown in the Falcon data connector page (Nile Access Service Data Connector). This must match the URL CrowdStrike shows in its data connector configuration.
   - API Key: Paste the API key generated for the Falcon data connector.
4. Click Next to proceed to the event selection.
5. Select the Nile event categories to send to CrowdStrike: enable the toggle for Audit, User Device Events, and Alerts as required.
6. Click Save to create the integration.

After saving, you should see a CrowdStrike tile in the Integrations page.

4.3 Test the integration from Nile

1. On the CrowdStrike tile, click the test icon < >.
2. Wait for the test to complete.
   - Green status means Nile can reach the Falcon data connector, and the credentials/URL are valid.
   - Red or failure means you should:
     - Confirm the Falcon data connection is enabled and running in the Falcon console (data connector page).
     - Double-check the API URL and API key in Nile exactly match what’s shown in Falcon.
     - Ensure the integration name is default if this is your primary SIEM stream.
3. If the test is successful, the test message will appear in the CrowdStrike event console. Search for vendor eventtype="test" to locate and verify the test message.

The test event was successfully received and processed by the system.

