CrowdStrike Falcon Next-Gen SIEM Events

Configure Radiant Security to sync CrowdStrike Next-Gen SIEM Events.

In this guide, you will create an API client with credentials for CrowdStrike Falcon Next-Gen SIEM and the Alerts API, and use those to configure a data connector with Radiant Security.

At the end of this configuration, you will provide Radiant Security with the following values:

  • Client ID

  • Secret

  • Base URL

Prerequisites

Create the credentials in CrowdStrike Falcon

  1. Sign in to CrowdStrike Falcon with an admin account.

  2. Expand the side menu and click Support and resources.

  3. Under Resources and tools, click API clients and keys.

  4. Click Create API.

  5. Enter a Client Name to help identify the credential.

  6. Under Scope, select NGSIEM: Read, NGSIEM: Write and Alerts: Read. For correlation rules, also select Correlation Rules: Read.

  7. Click Create.

  8. Copy and store the Client ID, Secret, and Base URL values.
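Before pasting the three values into Radiant Security, it is worth confirming that the new API client actually authenticates against the Base URL you copied; a typo in the Secret or a Base URL from the wrong cloud shows up as an empty connector hours later rather than immediately. The script below is an added example, not Radiant Security's or CrowdStrike's own code. It assumes the values are exported as the environment variables CS_BASE_URL, CS_CLIENT_ID and CS_CLIENT_SECRET (names chosen here) and that the Base URL accepts the standard OAuth2 client-credentials call at POST <Base URL>/oauth2/token. It never prints the token it receives, only whether one was issued and for how long.

```python
"""Check a CrowdStrike Falcon API client before handing it to a data connector.

Added example, not code from Radiant Security or CrowdStrike. Assumes the
values copied from the "API clients and keys" page are exported as the
environment variables CS_BASE_URL, CS_CLIENT_ID and CS_CLIENT_SECRET (names
chosen for this example) and that the client-credentials endpoint is
POST <Base URL>/oauth2/token.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(base_url: str, client_id: str, client_secret: str):
    """Return (url, body_bytes, headers) for the OAuth2 client-credentials call.

    The Base URL copied from Falcon may or may not end in a slash; normalise it
    so the path is always exactly /oauth2/token. Refuse plain http so the
    secret is never sent in clear text by accident.
    """
    if not base_url.startswith("https://"):
        raise ValueError("Base URL must use https")
    url = base_url.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, body, headers


def parse_token_response(status: int, raw: bytes) -> dict:
    """Turn the HTTP status and JSON body into a small result dict.

    A 2xx with an access_token means the Client ID/Secret pair is valid for
    this Base URL. Anything else is reported via the API's errors array,
    without echoing the secret or the token.
    """
    try:
        payload = json.loads(raw.decode() or "{}")
    except (json.JSONDecodeError, UnicodeDecodeError):
        return {"ok": False, "status": status, "reason": "non-JSON response"}
    token = payload.get("access_token")
    if 200 <= status < 300 and token:
        return {
            "ok": True,
            "status": status,
            "expires_in": payload.get("expires_in"),
            # the token itself is deliberately not returned; its length is
            # enough to show that one was issued
            "token_length": len(token),
        }
    errors = payload.get("errors") or []
    reason = "; ".join(str(e.get("message", e)) for e in errors)
    return {"ok": False, "status": status,
            "reason": reason or "no access_token in response"}


def check_credentials(base_url: str, client_id: str, client_secret: str,
                      timeout: int = 15) -> dict:
    """Perform the token request and classify the outcome (needs network)."""
    url, body, headers = build_token_request(base_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 401/403 still carry a JSON errors array worth surfacing
        return parse_token_response(exc.code, exc.read())


if __name__ == "__main__":
    try:
        cfg = {k: os.environ[k]
               for k in ("CS_BASE_URL", "CS_CLIENT_ID", "CS_CLIENT_SECRET")}
    except KeyError as missing:
        sys.exit(f"missing environment variable {missing}")
    result = check_credentials(cfg["CS_BASE_URL"], cfg["CS_CLIENT_ID"],
                               cfg["CS_CLIENT_SECRET"])
    print(json.dumps(result))
    sys.exit(0 if result["ok"] else 1)
```

Reading the secret from the environment rather than a command-line flag keeps it out of the process list and shell history; a successful run prints only the status and expiry, so the output is safe to paste into a ticket. A 403 here usually means the client was created but the Base URL belongs to a different cloud, which is exactly the case the connector cannot distinguish from "no events yet".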

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the CrowdStrike OAuth2 option from the list and then click Data Feeds.

  4. Under Select your data feeds, select Next-Gen SIEM Events and click Credentials.

  5. If you have already created credentials, select them from the drop-down and continue. Otherwise, create a credential by giving it an identifiable name (e.g. CrowdStrike Falcon Next-Gen SIEM Credentials), then paste the Base URL, Client ID, and Client Secret Key values you copied in the Create the credentials in CrowdStrike Falcon section. Leave the Prefix field empty.

  6. Click Add Connector to save the changes.

Verify ingestion

After CrowdStrike Falcon Next-Gen SIEM begins forwarding, confirm events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by crowdstrike_ngsiem_events.

  3. Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.
