Integration: CrowdStrike with Wazuh

Introduction

This document provides a step-by-step guide on integrating CrowdStrike's Falcon platform with Wazuh SIEM to enable centralized security event management. This integration allows organizations to leverage CrowdStrike's advanced threat detection capabilities within the Wazuh platform for comprehensive cybersecurity analysis.

Prerequisites

  • Administrative access to the CrowdStrike Falcon Console.
  • Wazuh SIEM installation with network connectivity to CrowdStrike.
  • Credentials for the CrowdStrike API.
  • Sufficient permissions to install and configure services on the host machine.

CrowdStrike API Client Configuration

To integrate Wazuh with CrowdStrike, an API client must be configured within the CrowdStrike platform. This allows Wazuh to communicate with CrowdStrike and retrieve event data.

Follow these detailed steps to set up the API client:

  1. Access the CrowdStrike API Clients and Keys:
    • Log in to the CrowdStrike Falcon Console.
    • Navigate to the API Clients and Keys section under the Support/Account menu.
  2. Create a New API Client:
    • Click the 'Add new API client' button.
    • Assign a descriptive name to the API client, such as "Wazuh Integration Client", so its purpose is easy to identify.
    • In the 'Description' field, describe the scope and use of the API client, for instance "API client for Wazuh SIEM integration".
  3. Set the Required Permissions:
    • Under the 'API Scopes' section, select the permissions required for the integration. At a minimum, enable read access for the 'Detections' and 'Hosts' scopes, which allows Wazuh to pull in alerts and host information.
    • Apply the principle of least privilege when assigning permissions so that the API client has no more access than the integration needs.
  4. Obtain API Credentials:
    • On saving the new API client, you receive a unique client_id and client_secret. Store these credentials securely: the secret is not displayed again, and both are needed to authenticate API requests from Wazuh to CrowdStrike.
  5. Review and Confirm Settings:
    • Ensure that all settings are correct and that the API client is active.
    • Review the permissions to confirm that they match the integration requirements.

For additional guidance on creating and managing API clients within the CrowdStrike Falcon platform, refer to the official documentation and tutorial available at CrowdStrike Tech Center: Access Falcon APIs.

Installing Falcon SIEM Connector

The Falcon SIEM Connector is crucial for ingesting security events from the CrowdStrike platform into Wazuh.

Below are the steps to install and configure the SIEM Connector, specifically for using syslog messages:

Preparing API Client and Scope

  • Before installing the Falcon SIEM Connector, define an API client within the CrowdStrike platform.
  • Ensure the API client has read access for Event streams, as this will be necessary for the SIEM Connector to ingest security events.
  • Follow the guide on CrowdStrike's blog to access the Falcon APIs and set up a new API client key.

Download and Installation

  • Download the crowdstrike-cs-falconhoseclient_2.11.0_amd64.deb package from the CrowdStrike support portal (https://www.crowdstrike.com/support/tool-downloads). The connector reaches out to the CrowdStrike console, pulls security events, and emits them as syslog messages.
  • Install the package on your system using the following command:

sudo dpkg -i crowdstrike-cs-falconhoseclient_2.11.0_amd64.deb

  • After installation, the cs.falconhoseclientd.service will be available, which is responsible for connecting to the CrowdStrike console to ingest events.

Configuration for Syslog Forwarding

  • Configure the cs.falconhoseclientd.service to forward syslog messages in Common Event Format (CEF) by editing the /opt/crowdstrike/etc/cs.falconhoseclient.cfg file.
  • In the file, set output_format: syslog to specify that syslog messages should be used.
  • Adjust the api_url, client_id, client_secret, and syslog_host parameters in the configuration file to match your environment. Treat the file as sensitive, since it holds the client_secret.

Starting the Service as a Systemd Service

  • To start the Falcon SIEM Connector as a systemd service, use the following command:

sudo systemctl start cs.falconhoseclientd.service

  • This starts the SIEM Connector service immediately. Enable the unit as well (systemctl enable) so that it also starts automatically after system reboots.

Verifying the Service

  • Once the service is started, verify that it is actively running and properly configured by checking the service status.
  • You can also check the syslog destination to ensure that CrowdStrike security events are being forwarded correctly.

By following these detailed steps, the Falcon SIEM Connector will be installed, configured to use syslog messages, and started as a systemd service to continuously ingest CrowdStrike security events into your SIEM environment.

Configuring Wazuh for CrowdStrike Integration

After setting up the Falcon SIEM Connector to forward CrowdStrike events using syslog, the next step is to configure Wazuh to receive and process these events:

  1. Wazuh Manager Configuration:
    • Open the Wazuh manager's configuration file (/var/ossec/etc/ossec.conf).
    • Configure the syslog listener to receive events from the Falcon SIEM Connector by adding a <remote> block inside <ossec_config>:

<remote>
  <connection>syslog</connection>
  <protocol>udp</protocol>
  <port>514</port>
  <!-- Only accept syslog from the host running the Falcon SIEM Connector; replace the placeholder with its address. -->
  <allowed-ips>CONNECTOR_HOST_IP</allowed-ips>
</remote>

  2. Custom Decoders and Rules:
    • Create custom decoders in Wazuh to parse the syslog messages from CrowdStrike. Place these decoders in the /var/ossec/etc/decoders/ directory.
    • Define custom rules in Wazuh to handle the events after they have been decoded. Place the rules in the /var/ossec/etc/rules/ directory.
    • Ensure that the decoders and rules are correctly ordered and loaded by Wazuh. You may need to adjust the configuration file to include these new files.
  3. Restart Wazuh Manager:
    • After making changes to the configuration, decoders, or rules, restart the Wazuh manager to apply the changes:

sudo systemctl restart wazuh-manager

  4. Verification:
    • Check the Wazuh manager logs to ensure no errors are present and that syslog messages are being received.
    • Use the Wazuh Kibana app to verify that CrowdStrike events are appearing correctly and are actionable.
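Writing the custom decoder means splitting CEF correctly, and CEF has escaping rules (\| and \\ in the header; \=, \\, \n and \r in extension values) that a naive regex gets wrong. The following Python script is an added example, not code from this guide, from CrowdStrike or from the Wazuh project: it parses a constructed connector line the way a decoder must, resolves the cs1/cs1Label custom-field pairs, and maps CEF severity onto a Wazuh rule level. The sample line, the program name in the syslog prefix, the field values and the severity-to-level bands are all assumptions for illustration.

```python
r"""Parse Falcon SIEM Connector syslog/CEF lines the way a Wazuh decoder must.

CEF escaping: header fields escape '|' as '\|' and '\' as '\\'; extension
values escape '=' as '\=', '\' as '\\', and newlines as '\n' / '\r'.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like a connector event in syslog/CEF output mode.
# Prefix, program name and every field value are illustrative, not captured data.
SAMPLE_LINE = (
    r"Mar 10 12:00:01 siem-connector falconhoseclient: "
    r"CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary Event|8|"
    r"externalId=ldt:0123456789abcdef:42 cat=DetectionSummaryEvent "
    r"suser=jdoe shost=WS-042 cs1Label=Tactic cs1=Execution "
    r"cs2Label=Technique cs2=Command and Scripting Interpreter "
    r"fname=powershell.exe deviceProcessName=C:\\Windows\\System32\\powershell.exe "
    r"msg=Command line contained \=encoded argument"
)

# key=value pairs: the value runs lazily until the next " key=" token or end of line,
# and an escape pair (backslash + any char) is consumed as a unit so "\=" never splits.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)")
_UNESCAPE = {"n": "\n", "r": "\r"}  # every other escaped char stands for itself


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), text)


def _split_header(cef: str):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i:i + 2])  # keep the escape pair; decode after the split
            i += 2
            continue
        if ch == "|":
            fields.append(_unescape("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, cef[i:]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; raise ValueError on malformed input."""
    start = line.find("CEF:")  # skip the syslog timestamp/host/program prefix
    if start < 0:
        raise ValueError("no CEF header in line")
    header, ext = _split_header(line[start:])
    if len(header) != 7:
        raise ValueError("truncated CEF header")
    severity = int(header[6]) if header[6].isdigit() else -1
    if not 0 <= severity <= 10:
        raise ValueError(f"CEF severity out of range: {header[6]!r}")
    extension = {m.group(1): _unescape(m.group(2)) for m in _EXT_RE.finditer(ext)}
    return CefEvent(version=header[0][len("CEF:"):], vendor=header[1], product=header[2],
                    device_version=header[3], signature_id=header[4], name=header[5],
                    severity=severity, extension=extension)


def resolve_labels(extension: dict) -> dict:
    """CEF custom fields arrive as cs1=value plus cs1Label=Name; expose them under Name too."""
    out = dict(extension)
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            out[label] = extension[key[:-5]]
    return out


def wazuh_level(severity: int) -> int:
    """Assumed mapping of CEF severity (0-10) onto Wazuh rule levels; tune in your rules."""
    if severity >= 9:
        return 12
    if severity >= 7:
        return 10
    if severity >= 4:
        return 7
    return 3


def decoder_fields(ev: CefEvent) -> dict:
    """Flat fields in the shape a decoder <order> would hand to the rules."""
    ext = resolve_labels(ev.extension)
    return {"signature_id": ev.signature_id, "name": ev.name, "severity": str(ev.severity),
            "srcuser": ext.get("suser", ""), "hostname": ext.get("shost", ""),
            "detect_id": ext.get("externalId", ""), "tactic": ext.get("Tactic", ""),
            "technique": ext.get("Technique", "")}


if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print(f"rule level {wazuh_level(event.severity)}:", decoder_fields(event))
```

The header is scanned character by character rather than split on "|" because a product name or event name may legitimately contain an escaped pipe; the extension regex consumes escape pairs as units for the same reason. When you translate this into a decoder, the regex in <regex> must stop each header field at the first unescaped pipe and must not treat "\=" inside a value as a new key.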

Testing and Verification

Conduct thorough testing to ensure that the integration between CrowdStrike and Wazuh is functioning as expected:

  1. Generate Test Events:
    • Trigger a test detection within CrowdStrike to generate a security event.
    • Ensure that this event is captured and sent via syslog by the Falcon SIEM Connector.
  2. Verify Event Reception in Wazuh:
    • Check the Wazuh Alerts dashboard to see if the test event is displayed.
    • Confirm that the alert contains all the necessary information and is correctly formatted based on your custom decoders and rules.
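The dashboard check in step 2 can also be scripted against the manager's alert file, /var/ossec/logs/alerts/alerts.json, which Wazuh writes as JSON Lines. The script below is an added example, not part of this guide or of the Wazuh project: it reads alerts, keeps those produced by the CrowdStrike decoder, looks up the test detection by its identifier, and reports which expected fields are missing. The sample alerts, the decoder name "crowdstrike-cef", the 1001xx rule ids and the data field names are assumptions standing in for whatever your custom decoders and rules define.

```python
"""Scripted check of Wazuh alerts.json for CrowdStrike events (added example)."""
import json
import sys
from typing import Iterable, Iterator, Optional

# Constructed alerts shaped like the lines Wazuh appends to alerts.json.
# Decoder name, rule ids and data.* field names are assumptions for this example.
_SAMPLE_ALERTS = [
    {"timestamp": "2024-03-10T12:00:02.000+0000",
     "rule": {"level": 10, "id": "100101", "groups": ["crowdstrike"],
              "description": "CrowdStrike detection: Detection Summary Event"},
     "decoder": {"name": "crowdstrike-cef"},
     "data": {"signature_id": "DetectionSummaryEvent", "detect_id": "ldt:0123456789abcdef:42",
              "hostname": "WS-042", "srcuser": "jdoe", "severity": "8"}},
    {"timestamp": "2024-03-10T12:00:03.000+0000",
     "rule": {"level": 3, "id": "5715", "groups": ["syslog", "sshd"],
              "description": "sshd: authentication success."},
     "decoder": {"name": "sshd"},
     "data": {"srcip": "10.0.0.5", "srcuser": "ops"}},
    {"timestamp": "2024-03-10T12:00:04.000+0000",
     "rule": {"level": 5, "id": "100100", "groups": ["crowdstrike"],
              "description": "CrowdStrike event (unclassified)"},
     "decoder": {"name": "crowdstrike-cef"},
     "data": {"signature_id": "UserActivityAuditEvent", "severity": "2"}},
]
# alerts.json is appended to continuously, so a reader may see a half-written last line.
SAMPLE_ALERTS_JSONL = ("\n".join(json.dumps(a) for a in _SAMPLE_ALERTS)
                       + '\n{"timestamp": "2024-03-10T12:00:05')

# Fields the custom decoder is expected to populate for a detection alert.
REQUIRED_FIELDS = ("signature_id", "hostname", "srcuser", "severity")


def iter_alerts(jsonl: str) -> Iterator[dict]:
    """Yield parsed alerts, skipping blank or incomplete (not yet fully written) lines."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def crowdstrike_alerts(alerts: Iterable[dict], decoder: str = "crowdstrike-cef") -> list:
    """Keep only alerts that came through the CrowdStrike decoder."""
    return [a for a in alerts if a.get("decoder", {}).get("name") == decoder]


def find_detection(alerts: Iterable[dict], detect_id: str) -> Optional[dict]:
    """Locate the alert for a specific detection, e.g. the test detection you triggered."""
    for alert in alerts:
        if alert.get("data", {}).get("detect_id") == detect_id:
            return alert
    return None


def missing_fields(alert: dict, required=REQUIRED_FIELDS) -> list:
    """Return the expected decoded fields that are absent or empty in this alert."""
    data = alert.get("data", {})
    return [f for f in required if not data.get(f)]


if __name__ == "__main__":
    # Usage: python check_alerts.py [/var/ossec/logs/alerts/alerts.json] <detect_id>
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_ALERTS_JSONL
    wanted = sys.argv[-1] if len(sys.argv) > 1 else "ldt:0123456789abcdef:42"
    cs = crowdstrike_alerts(iter_alerts(text))
    hit = find_detection(cs, wanted)
    if hit is None:
        print(f"detection {wanted} not found among {len(cs)} CrowdStrike alerts")
    else:
        print(f"rule {hit['rule']['id']} level {hit['rule']['level']}; "
              f"missing fields: {missing_fields(hit) or 'none'}")
```

An alert that arrives but reports missing fields usually means the decoder matched (the alert exists) while its <order> or regex did not capture what the rules need; an alert that never arrives points earlier in the chain, at the connector, the syslog path or the <remote> listener.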

Conclusion

This guide has detailed the process for integrating CrowdStrike with Wazuh SIEM, emphasizing the ingestion of security events through syslog messages. By following the instructions for installing the Falcon SIEM Connector, configuring API clients and scopes, and setting up Wazuh to process the events, you can achieve a robust security event monitoring system. It is crucial to test the integration thoroughly to ensure that the security events are accurately captured and displayed within Wazuh, allowing for effective incident response and analysis.
