CrowdStrike to SIEM alerts and ruling

Introduction

This guide explains how to send security alerts from CrowdStrike Falcon to your Security Information and Event Management (SIEM) system and how to create rules for alert filtering and correlation (ruling). This helps detect threats faster and reduces alert noise.

What You Need Before Starting
Step 1: Create an API Client in CrowdStrike Falcon
  1. Log in to the CrowdStrike Falcon Console at https://falcon.crowdstrike.com

  2. Go to Support → API Clients and Keys

  3. Click Add new API client

  4. Give the client a name like “SIEM Integration”

  5. Select the following API scopes/permissions:

    • Event streams: Read

    • Detections: Read

  6. Save the client and note the Client ID and Client Secret — you’ll need them later
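The Client ID and Client Secret from Step 1 are used for the OAuth2 client-credentials flow: the connector (or any custom forwarder) exchanges them for a short-lived bearer token before reading event streams or detections. The script below is an added example, not CrowdStrike's or the connector's own code. It assumes the credentials are supplied through the environment variables FALCON_CLIENT_ID and FALCON_CLIENT_SECRET (hypothetical names chosen here so the secret is never hard-coded or committed with the connector config), and that the API host is the US-1 cloud (api.crowdstrike.com); other Falcon clouds use a different host.

```python
"""Obtain a Falcon OAuth2 bearer token with the API client created in Step 1.

Added example (not CrowdStrike's code). Assumptions, labelled:
  - FALCON_CLIENT_ID / FALCON_CLIENT_SECRET env vars hold the credentials
    (hypothetical variable names);
  - BASE_URL is the US-1 cloud host; adjust it for your cloud.
"""
import json
import os
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"   # assumption: US-1 cloud
TOKEN_PATH = "/oauth2/token"


def build_token_request(client_id: str, client_secret: str,
                        base_url: str = BASE_URL) -> urllib.request.Request:
    """Client-credentials grant: the ID and secret go in a form-encoded POST body,
    never in the URL, so they do not end up in proxy or web-server access logs."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        base_url + TOKEN_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def parse_token_response(raw: bytes, now: float) -> dict:
    """Turn the JSON token reply into {access_token, expires_at} using an absolute
    expiry so callers can refresh before the token lapses."""
    data = json.loads(raw)
    return {
        "access_token": data["access_token"],
        "expires_at": now + float(data["expires_in"]),
    }


def is_expired(token: dict, now: float, skew_seconds: float = 60.0) -> bool:
    """Treat the token as expired a little early (clock skew, in-flight requests)."""
    return now >= token["expires_at"] - skew_seconds


def fetch_token(opener=urllib.request.urlopen) -> dict:
    """Read credentials from the environment and request a token.
    `opener` is injectable so the flow can be exercised without network access."""
    client_id = os.environ["FALCON_CLIENT_ID"]          # hypothetical env var
    client_secret = os.environ["FALCON_CLIENT_SECRET"]  # hypothetical env var
    req = build_token_request(client_id, client_secret)
    with opener(req) as resp:
        return parse_token_response(resp.read(), time.time())


if __name__ == "__main__":
    tok = fetch_token()
    # Print only metadata; the bearer token itself should never be logged.
    print("token obtained, expires in",
          round(tok["expires_at"] - time.time()), "seconds")
```

Subsequent API calls send the token as `Authorization: Bearer <access_token>`; when `is_expired` returns true, call `fetch_token` again rather than reusing a stale token.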

Step 2: Choose Your Integration Method

There are three main ways to forward CrowdStrike data to your SIEM:

Step 3: Download and Install Falcon SIEM Connector

For Windows

  1. Download the SIEM Connector installer from CrowdStrike Support or Falcon Portal

  2. Run the installer .exe file

  3. Follow the installation wizard to complete setup

For Linux

  1. Download the SIEM Connector package (.tar.gz)

  2. Extract the package and run the install script:
    tar -xzf crowdstrike-siem-connector.tar.gz
    cd crowdstrike-siem-connector
    sudo ./install.sh


Step 4: Configure the SIEM Connector

1. Open the connector configuration file in a text editor:

Step 5: Start the SIEM Connector Service

Windows:
Open Command Prompt as Administrator and run:
    net start CrowdStrikeSIEMConnector

Linux:
Run the following commands:
    sudo systemctl start crowdstrike-siem
    sudo systemctl enable crowdstrike-siem


Step 6: Verify Data Flow

Check the connector logs to make sure it is running without errors:

Step 7: Create Alert Rules and Ruling in SIEM

Use your SIEM’s alerting and correlation features to build rules that:

 Example in Splunk:
    index=crowdstrike severity>=high
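The Splunk search above is a pure severity filter. The script below is an added example (not CrowdStrike's or any SIEM vendor's code) of the two kinds of ruling this step is about, implemented over a handful of constructed detection records: a severity filter equivalent to `severity>=high`, plus a de-duplication rule and a per-host correlation rule that escalates a chain of lower-severity detections spanning several MITRE tactics within a short window. The record shape is modelled loosely on the connector's DetectionSummaryEvent fields (DetectId, ComputerName, SeverityName, Tactic); that mapping is an assumption and will differ by SIEM field naming, and the sample events are constructed, not real data.

```python
"""Filtering and correlation rules for CrowdStrike detections (Step 7).

Added example, not CrowdStrike's code. The field names are modelled on the
connector's DetectionSummaryEvent (assumption); the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Rank order used for "severity >= High" comparisons.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample detections (not real data). "ts" is the detection time.
SAMPLE_DETECTIONS = [
    {"DetectId": "d1", "ComputerName": "ws-01", "SeverityName": "Low",
     "Tactic": "Discovery", "ts": "2025-06-18T08:00:00"},
    {"DetectId": "d2", "ComputerName": "ws-01", "SeverityName": "High",
     "Tactic": "Credential Access", "ts": "2025-06-18T08:05:00"},
    {"DetectId": "d2", "ComputerName": "ws-01", "SeverityName": "High",
     "Tactic": "Credential Access", "ts": "2025-06-18T08:05:30"},  # re-delivered duplicate
    {"DetectId": "d3", "ComputerName": "ws-01", "SeverityName": "Medium",
     "Tactic": "Lateral Movement", "ts": "2025-06-18T08:07:00"},
    {"DetectId": "d4", "ComputerName": "ws-02", "SeverityName": "Critical",
     "Tactic": "Execution", "ts": "2025-06-18T09:00:00"},
    {"DetectId": "d5", "ComputerName": "ws-01", "SeverityName": "Medium",
     "Tactic": "Persistence", "ts": "2025-06-18T10:00:00"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def dedupe(events: list) -> list:
    """Noise rule: keep the first copy of each DetectId. Event streams may
    re-deliver a detection after a reconnect, so duplicates are common."""
    seen, out = set(), []
    for e in events:
        if e["DetectId"] not in seen:
            seen.add(e["DetectId"])
            out.append(e)
    return out


def filter_min_severity(events: list, minimum: str = "High") -> list:
    """Filter rule equivalent to the Splunk search `severity>=high`."""
    floor = SEVERITY_RANK[minimum]
    return [e for e in events if SEVERITY_RANK.get(e["SeverityName"], 0) >= floor]


def correlate_by_host(events: list, window_minutes: int = 15,
                      min_distinct_tactics: int = 2) -> list:
    """Correlation rule: on one host, detections covering several different
    tactics within the window form one incident, even if each is low severity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["ComputerName"]].append(e)

    window = timedelta(minutes=window_minutes)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        i = 0
        while i < len(evs):
            start = _ts(evs[i])
            group = [e for e in evs[i:] if _ts(e) - start <= window]
            tactics = sorted({e["Tactic"] for e in group})
            if len(tactics) >= min_distinct_tactics:
                incidents.append({
                    "host": host,
                    "detect_ids": [e["DetectId"] for e in group],
                    "tactics": tactics,
                    "start": group[0]["ts"],
                    "end": group[-1]["ts"],
                })
                i += len(group)   # these events are consumed by the incident
            else:
                i += 1
    return incidents


def run_rules(events: list) -> dict:
    """Apply the rules in order: dedupe first, then filter and correlate on the
    full (deduplicated) stream so low-severity chains are not lost to the filter."""
    clean = dedupe(events)
    return {
        "high_or_above": filter_min_severity(clean, "High"),
        "incidents": correlate_by_host(clean),
    }


if __name__ == "__main__":
    result = run_rules(SAMPLE_DETECTIONS)
    for e in result["high_or_above"]:
        print("ALERT", e["SeverityName"], e["ComputerName"], e["DetectId"])
    for inc in result["incidents"]:
        print("INCIDENT", inc["host"], inc["detect_ids"], inc["tactics"])
```

On the sample data the severity filter raises d2 and d4, while the correlation rule also surfaces ws-01, where a Low and a Medium detection bracket the High one within seven minutes; the duplicate delivery of d2 is dropped before either rule runs.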


Step 8: Best Practices and Tips

Additional Resources:

Revision #8
Created 18 June 2025 08:44:15 by Albert Alombro
Updated 19 June 2025 02:48:44 by Albert Alombro