Hello everyone,

I want to integrate crowdstrike on my siem, the kibana interface.
I have already preconfigured the following:

• Generation id and secret: https://api.eu-1.crowdstrike.com.

• Integration and preconfiguration of the CrowdStrike and CrowdStrike Falcon Intelligence module with the Crowdstrike id and secret generated before.

• On CrowdStrike: Alerts: Yes (read only) and Hosts: Yes (also read), as requested in the documentation.

• API testing on powershell:
  $uri = "https://api.eu-1.crowdstrike.com/oauth2/token"
  $headers = @{
  "accept" = "application/json"
  "Content-Type" = "application/x-www-form-urlencoded"
  }
  $body = @{
  “client_id” = “…”
  “client_secret” = “…”
  }
  $response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
  $response > OK

No dashboard works and everything remains empty.

Annotation 2024-08-19 1550101901×671 56.3 KB

Thanks for your help

Clarification: my elastic instance is local on a Linux server, not in the cloud.

From Elastic Search to SIEM

Hi,

I had similar issue. I'm on ELK stack 18.14.2. crowdstrike integration version 1.39.0, and crowdstrike falcon intelligence 1.1.3.

I use the falcon siem connector, and see logs in /var/log/crowdstrike/falconhoseclient/output and alerts coming in. As well as collecting crowdstrike logs via API.
For the API collector, having "Alerts" and "Hosts" scopes enabled. For the SIEM connector, I have API client with: "Alerts", "Hosts", "Detections" and "Falcon Data Replicator" and "Event Streams" enabled. I think the "Event Streams" should just be enough for that.

went to the host running elastic-agent where the integration is installed, and did a "systemctl restart elastic-agent". That seems to have fixed the issue.

However, the falcon intelligence seems to be "more" broken to me.
The ti_crowdstrike.ioc seems to have this issue: [ti_crowdstrike.ioc]: field [original] not present as part of path [event.original]] · Issue #10575 · elastic/integrations · GitHub and the ti_crowdstrike.intel kind of stopped ingesting for me a couple of weeks ago. Still investigating.

Sebastian

Hi, Thanks for your response, Sebastian

'I went to the host running the elastic-agent where the integration is installed and did a "systemctl restart elastic-agent". That seems to have fixed the issue.'

I can’t do that on CrowdStrike, can I? I don't have an elastic-agent on CrowdStrike since it's a web-based service. Or do I need to install the agent on the Elastic server itself?

'/var/log/crowdstrike/falconhoseclient/output'
Is it normal that I don’t have this log file at all on my Linux server where Elastic is running?

Also, I found the file on the Linux server that was disabled: /etc/filebeat/modules.d/crowdstrike.yml.disabled.
I activated it and modified it like this:

cat /etc/filebeat/modules.d/crowdstrike.yml

• module: crowdstrike
  falcon:
  enabled: true

  Set custom paths for the log files. If left empty,

  Filebeat will choose the paths depending on your OS.

  #var.paths:

Thanks you

Oh, you're with Filebeat, then YMMV

I assume filebeat would support same functionality like the agent integration.
With that, you have 3 options:
get info about events/alerts/hosts from Falcon Siem connector:

use the FDR and fetch logs from i.e. S3, or query CS Rest API.

I have the first installed on a VM, where Agent is running, and parses previously mentioned log file which is created and filled by the Falcon SIEM Connector.
Additionally have it querying the Rest API.

Sebastian

I downloaded the SIEM connector: crowdstrike-cs-falconhoseclient_2.26.0_amd64.deb from CrowdStrike.

I configured it as follows:

conf837×615 16.9 KB

No other logs.

Where can I find the information? No dashboard contains any information.

Thanks again for your help.

so the siem connectors log file is filling fetching events and pushing it here: /var/log/crowdstrike/falconhoseclient/output ?

When you search in discover for log.file.path: /var/log/crowdstrike/falconhoseclient/output

you see anything?

The filebeat module docs don't mention these dashboards: CrowdStrike module | Filebeat Reference [8.15] | Elastic

so might only be visible in the SIEM as shown there.

Sebastian

empty

up

From what you shared, your issue seems to be with the Falcon SIEM Connector.

If it is not writing anything to the file, then Filebeat has nothing to read, you need to fix this first.

Have you contacted your CrowdStrike support?

Since it was Elastic who implemented the solution, it was Elastic who blocked it according to crowdstrike.
With or without the crowdstrike siem connector, the solution does not work basicly (i.e. you just need to enter the url, id and secret password generated with crowdstrike to connect it to the elastic).

What solution? The Falcon SIEM Connector is a CrowdStrike tool, it has nothing to do with Elastic, any issue in this tool you need to check with CrowdStrike not Elastic.

On Elastic side you have a CrowdStrike integration that can get the logs from CrowdStrike in some ways.

One is using the Falcon SIEM Connector, this requires you to configure the Elastic Agent to read the file created by the Falcon SIEM connector.

If your Falcon SIEM Connector is not writing anything to an output file, then the Elastic integration has nothing to read.

You need to troubleshoot why the Falcon SIEM Connector is not working, and this is done with Crowdstrike, not Elastic.

How did you configure your Elastic Agent? You didn't share how it is configured, the CrowdStrike integration.

Annotation 2024-09-17 102747783×199 4.71 KB

conf837×615 16.9 KB

Here is the current configuration on the crowdstrike agent side and on the elastic filebeat module side.

Do you have any logs being collected by the Falcon SIEM Connector?

If you do not have any logs being collected by it, you need to check with Crowdstrike to solve this.

FIlebeat will read the log file once it start collecting data.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.