Alert Exports

As an admin user, the Alert Exports integrations page lets you set up alert exports to CrowdStrike Falcon LogScale, Elastic, and Splunk HTTP Event Collector (HEC) as well as a generic HTTP exporter. Admins can configure one or more alert exports, and can export to multiple instances of the same type of exporter.

Analyst users can view the alert exports but cannot make changes.

Exported alerts include a URL to the detection details page within Investigator.

Note

If needed, update your firewall rules to allow alerts from Investigator. The source IP address for the alerts is fixed for a region: the North America (us-west-2) IP address is 35.81.184.144 and the EU IP address is 35.157.240.249. For endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas - AWS General Reference.

Once configured, you can click the name of an exporter to open a side panel where you can edit, disable, or delete it.

Important

If you already configured log export on one or more sensors, exporting alerts from Investigator duplicates some notice and Suricata alerts.

CrowdStrike Falcon LogScale

To configure alert export to Falcon LogScale

  1. From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.

  2. Click CrowdStrike Falcon LogScale.

  3. Provide a name for the exporter.

  4. Toggle on Enabled.

  5. Provide information about your instance, including the URL, the token, and the LogScale index.

  6. Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.

    If you enable this option, the certificate must be current (not expired) and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

  7. Click Save.

For more information, see the Falcon LogScale documentation.

Elastic

To configure alert export to Elastic

  1. From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.

  2. Click Elastic.

  3. Provide a name for the exporter.

  4. Toggle on Enabled.

  5. Provide information about your Elastic instance, including the URL, the username and password, and the index.

  6. Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.

    If you enable this option, the certificate must be current (not expired) and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

  7. Click Save.

For more information about the Elastic HTTP exporter, see the Elastic documentation.

Splunk HEC

To configure alert export to Splunk HEC

  1. From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.

  2. Click Splunk HEC.

  3. Provide a name for the exporter.

  4. Toggle on Enabled.

  5. Provide information about your HEC instance, including the URL, the token, and the Splunk index.

  6. Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.

    If you enable this option, the certificate must be current (not expired) and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

  7. Click Save.

For more information about Splunk HEC, see the Splunk documentation.

Generic HTTP exporter

To configure alert export to a generic HTTP exporter

  1. From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.

  2. Click HTTP Exporter.

  3. Provide a name for the exporter.

  4. Toggle on Enabled.

  5. Provide the URL for your exporter.

  6. Specify the authentication type.

    • None.

    • Basic. Provide a username and password for authentication.

    • Bearer. Provide a token value for authentication.

  7. Optionally, add custom headers in the key/value format.

    You can add one or more custom headers to export additional information. Each header must have a key (without spaces) and a corresponding value.

  8. Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.

    If you enable this option, the certificate must be current (not expired) and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

  9. Click Save.
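The following Python script is an added example, not code from Investigator or any of the exporter vendors. It shows what the generic HTTP exporter settings above amount to on the wire: the Authorization header produced by each authentication type (None, Basic, Bearer), the rule that custom header keys contain no spaces, and what Verify SSL means in practice for every exporter type on this page: the TLS context requires a chain to a trusted issuer, the certificate must be within its validity window, and the hostname you connect to must appear in the certificate's Subject Alternative Name (or, for certificates with no SAN, the Common Name). The configuration dictionary, the sample certificate, the header names and the token value are all constructed for the example; Investigator's own configuration format and request layout are not documented here and are not assumed.

```python
import base64
import ssl

# Constructed exporter settings mirroring the fields on the Alert Exports page.
# The dictionary layout is an assumption for this example, not Investigator's own format.
EXAMPLE_EXPORTER = {
    "name": "soc-webhook",                          # constructed
    "url": "https://siem.example.internal/alerts",  # constructed
    "auth_type": "bearer",                          # one of: none, basic, bearer
    "token": "EXAMPLE-TOKEN-PLACEHOLDER",           # placeholder, not a real secret
    "custom_headers": {"X-Source": "investigator", "X-Env": "prod"},  # constructed
    "verify_ssl": True,
}

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "siem.example.internal"),),),
    "subjectAltName": (("DNS", "siem.example.internal"), ("DNS", "*.logs.example.internal")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}


def invalid_header_keys(custom_headers):
    """Return the custom header keys the page would reject: empty keys or keys containing spaces."""
    return [key for key in (custom_headers or {}) if not key or " " in key]


def build_headers(auth_type, username=None, password=None, token=None, custom_headers=None):
    """Build the request headers the exporter sends, per the authentication type and custom headers."""
    headers = {"Content-Type": "application/json"}
    auth_type = auth_type.lower()
    if auth_type == "none":
        pass  # no Authorization header at all
    elif auth_type == "basic":
        if username is None or password is None:
            raise ValueError("Basic authentication requires a username and password")
        # HTTP Basic: base64 of "username:password" (RFC 7617); only safe over TLS
        credentials = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {credentials}"
    elif auth_type == "bearer":
        if not token:
            raise ValueError("Bearer authentication requires a token")
        headers["Authorization"] = f"Bearer {token}"
    else:
        raise ValueError(f"Unknown authentication type: {auth_type}")
    bad = invalid_header_keys(custom_headers)
    if bad:
        raise ValueError(f"Custom header keys must be non-empty and contain no spaces: {bad}")
    headers.update(custom_headers or {})
    return headers


def build_ssl_context(verify_ssl):
    """Verify SSL on: chain to a trusted issuer is required and the hostname is checked.
    Verify SSL off: any certificate is accepted (the connection is still encrypted, but not authenticated)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    if not verify_ssl:
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_is_current(cert, now_epoch):
    """True if now_epoch falls inside the certificate's notBefore..notAfter window."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_epoch <= not_after


def _name_matches(pattern, hostname):
    """Case-insensitive DNS name match; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_matches_cert(hostname, cert):
    """The hostname check behind Verify SSL: the connect hostname must appear as a SAN DNS entry,
    or as the Common Name when the certificate carries no SAN DNS entries (how current validators behave)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return any(_name_matches(name, hostname) for name in names)


def prepare_request(config):
    """Turn an exporter configuration into (headers, ssl_context) for the POST to config['url']."""
    headers = build_headers(
        config["auth_type"],
        username=config.get("username"),
        password=config.get("password"),
        token=config.get("token"),
        custom_headers=config.get("custom_headers"),
    )
    return headers, build_ssl_context(config.get("verify_ssl", True))


if __name__ == "__main__":
    headers, ctx = prepare_request(EXAMPLE_EXPORTER)
    print("headers:", headers)
    print("verifies peer:", ctx.verify_mode == ssl.CERT_REQUIRED, "checks hostname:", ctx.check_hostname)
    print("hostname ok:", hostname_matches_cert("siem.example.internal", SAMPLE_CERT))
```

Two points the code makes explicit: turning Verify SSL off keeps the transport encrypted but lets any certificate through, so a misrouted or intercepted export is not detected; and with Verify SSL on, a certificate that only lists the destination in its Common Name and carries a SAN naming something else will be rejected by the hostname check even though the issuer is trusted.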