Export alerts to CrowdStrike Next-Gen SIEM
Integrate Corelight Investigator with CrowdStrike Falcon Next-Gen SIEM (Next-Gen SIEM) to stream network alerts directly into the SIEM. The integration automatically populates pre-built Corelight dashboards within Next-Gen SIEM, making network data available for analysis alongside your endpoint data.
The process begins in the Next-Gen SIEM UI by generating an API key and URL from the Corelight Investigator Data Connector. You then use these credentials in the Investigator UI to configure the CrowdStrike alert exporter, which establishes the connection and forwards the alerts.
Prerequisites
Before you begin, ensure you have the following:
A subscription to CrowdStrike Falcon Next-Gen SIEM. All license tiers, including plans with specific daily data limits (for example, third party data ingest/all ingest levels 10GB), are supported.
An operational Corelight Investigator instance.
Firewall configuration: If your firewall restricts inbound traffic, you need to create a rule to allow HTTPS (port 443) traffic from the Corelight Investigator source IP address for your region. This rule allows Investigator to successfully export alerts and data to your systems.
Add the IP address that corresponds to your region to your firewall's allowlist:
North America (us-west-2): 35.81.184.144
Europe (eu-central-1): 35.157.240.249
Middle East (me-south-1): 40.172.28.44
Asia Pacific (ap-southeast-2): 3.25.53.116
Permissions:
In CrowdStrike: A user role with rights to create and manage data connectors and view/edit dashboards.
In Investigator: Administrator privileges to configure data exporters. Analyst-level users can only view existing configurations.
Important
Alert Duplication: Be aware that if you have already configured log export on one or more sensors, exporting alerts from Investigator will duplicate some notice and Suricata alerts.
This integration is a cloud-to-cloud configuration. Self-hosted deployments of CrowdStrike Falcon Next-Gen SIEM are not supported at this time.
The CrowdStrike Falcon Next-Gen SIEM user interface and configuration steps are subject to change by CrowdStrike. This guide is based on the interface at the time of publication.
Step 1: Configure the data connector in Next-Gen SIEM
Configure the Corelight Investigator Data Connector within the Next-Gen SIEM console to generate the credentials Investigator needs to send data.
In the Falcon menu, go to Data connectors | Data connections to access Next-Gen SIEM.
On the Data connections tab, click Add connection.
On the Data connectors page, click Vendor, search for Corelight, and click Apply. In the Connector name list, click Corelight Investigator Data Connector.
Under New connection, click Configure.
On the Add new connector page, in the Connector details section, enter a descriptive name for the connector and an optional description.
Under Parser details, the default parser corelight-investigator is selected automatically. Do not select the Enable parser selection box; leave it unchecked. Selecting a parser other than the default may cause ingestion errors.
Check the box to acknowledge Terms and Conditions.
Click Create connection. The Connector setup in progress dialog displays, indicating an API key is being generated. Click Close.
On the next screen, a note displays at the top of the page indicating the connector is ready to receive data. Click the Generate API key button.
The Connection setup dialog displays your credentials. Copy both the API key (Token) and the API URL. Store them securely (for example, in a secrets manager): the API key displays only once, and anyone holding it can write data into this connector.
Once you have securely saved the credentials, click Close. The data connector is now ready to receive data.
Step 2: Configure the alert exporter in Investigator
Use the credentials from Next-Gen SIEM to set up the alert exporter in Investigator.
In the Investigator UI, go to System Settings | Integrations.
On the Integrations page, select the Alert Exports tab.
Click the CrowdStrike Falcon LogScale tile to open the CrowdStrike Exporter configuration panel.
Toggle the Enabled switch to the On position.
Provide a unique Name for the exporter (for example, Next-Gen-SIEM-Prod).
For the API URL field, paste the URL you copied from Next-Gen SIEM, with the /services/collector path removed from the end. Action required: you must shorten the URL manually. Investigator appends /services/collector itself, so leaving it in place results in a doubled path.
Example:
Full URL from Next-Gen SIEM: https://<customer-id>.ingest.us-2.crowdstrike.com/services/collector
URL to paste in Investigator: https://<customer-id>.ingest.us-2.crowdstrike.com
For the Token field, paste the API key you copied from Next-Gen SIEM.
For the Index field, enter a simple name (for example, corelight). This is a required field used for exporter metadata; the token you provided controls the actual data destination in CrowdStrike.
Leave Verify SSL enabled (recommended) so that Investigator validates the TLS certificate of the CrowdStrike ingest endpoint; disabling it leaves the exported alerts and the token open to interception. Click Save.
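The URL trimming in the step above is easy to get wrong by hand (a trailing slash, or an http:// URL pasted from elsewhere). The following POSIX shell helper is an added example, not a Corelight or CrowdStrike tool: it takes the API URL copied from the Next-Gen SIEM Connection setup dialog and returns the form Investigator expects (scheme and host only), refusing URLs that are not https:// or that still carry some other path. The customer id in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not part of the Corelight documentation): normalize the
# API URL from Next-Gen SIEM into the value to paste into Investigator's
# API URL field. Investigator adds /services/collector itself.

ngsiem_base_url() {
    url="$1"

    # The collector endpoint is only ever https; anything else is a paste error.
    case "$url" in
        https://*) ;;
        *) echo "error: expected an https:// URL, got: $url" >&2; return 1 ;;
    esac

    # Strip a trailing slash, the collector path, and any slash left behind.
    url="${url%/}"
    url="${url%/services/collector}"
    url="${url%/}"

    # Whatever remains must be just the host: a leftover path means the
    # URL was not the expected shape and should not be pasted as-is.
    host="${url#https://}"
    case "$host" in
        */*) echo "error: unexpected path in URL: $url" >&2; return 1 ;;
        "")  echo "error: empty host in URL: $1" >&2; return 1 ;;
    esac

    printf '%s\n' "$url"
}

# Usage (constructed customer id):
#   ngsiem_base_url 'https://abc123.ingest.us-2.crowdstrike.com/services/collector'
#   -> https://abc123.ingest.us-2.crowdstrike.com
```

Run it on the copied URL and paste the printed value into the API URL field; the Token and Index fields are filled in as described above.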
Step 3: Verify the connection
After configuring the alert exporter, wait for a new alert to be generated to verify that data is flowing correctly from the Investigator to Next-Gen SIEM.
In the Next-Gen SIEM console, navigate back to the Data connectors page.
Check that the Last Ingested timestamp for your Corelight Investigator Data Connector has updated on the Data connections list.
Tip
To test the connection immediately, you can generate a harmless test alert. From a machine that is monitored by Corelight, run curl http://testmyids.com (plain HTTP is intentional, so the sensor can inspect the request). This triggers a signature and sends an alert from Investigator to Next-Gen SIEM.
Step 4: Access Corelight dashboards in Next-Gen SIEM
Once alert data is flowing from Investigator into Next-Gen SIEM, you can access the Corelight pre-built dashboards for visualization and analysis.
Note
It may take 5-10 minutes for new alert data to appear in the dashboards after the initial setup.
From the Next-Gen SIEM menu, navigate to Next-Gen SIEM | Dashboards.
In the Dashboard search bar, type Corelight to filter for all related dashboards. Select any Corelight dashboard to begin your analysis.
For more information, see Explore data through Dashboards or refer to the CrowdStrike documentation on exploring data.