Alert Exports
Admin users can use the Alert Exports integrations page to set up alert exports to CrowdStrike Falcon LogScale, Elastic, and Splunk HTTP Event Collector (HEC), as well as to a generic HTTP exporter. Admins can configure one or more alert exports, and can export to multiple instances of the same type of exporter.
Analyst users can view the alert exports but cannot make changes.
Exported alerts include a URL to the detection details page within Investigator.
If Suricata is configured with the payload option on the Corelight Sensor, alert exports include the Suricata payload.
Note
If needed, update your firewall rules to allow network traffic from Investigator.
The source IP address for Investigator is fixed for a region: the North America (us-west-2) IP address is 35.81.184.144, the EU IP address is 35.157.240.249 (for eu.investigator.com), and the Middle East IP address is 40.172.28.44 (for me.investigator.com).
For endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas - AWS General Reference.
Once configured, you can click the name of an exporter to open a side panel where you can edit, disable, or delete it.
Important
If you already configured log export on one or more sensors, exporting alerts from Investigator duplicates some notice and Suricata alerts.
CrowdStrike Falcon LogScale
For alert exports to CrowdStrike, configure a connector in CrowdStrike Falcon and configure an alert export integration in Investigator.
To configure a new connector in CrowdStrike Falcon NG-SIEM
From the Falcon menu, go to Data connectors and select the Data sources tab.
Click the HEC/HTTP Event Connector data source.
On the Add new connector page, add these details:
Data source – enter the name for the data source.
Data type – choose JSON.
Connector name – enter the name for the connector.
Parsers – choose json (Generic Source).
Select the affirmation checkbox and click Save.
On the new connector page, click the Generate API key button.
Copy the generated API key and API URL.
You need these values in the exporter configuration in Investigator.
To configure alert export to Falcon LogScale in Investigator
From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.
Click CrowdStrike Falcon LogScale.
Toggle on Enabled.
Provide a name for the exporter.
Provide the following information about your instance:
URL – Enter the API URL generated when setting up the new connector in CrowdStrike Falcon.
For CrowdStrike Falcon NG-SIEM, the API URL has the format: https://<crowdstrike-url-info>.crowdstrike.com/services/collector. Do not enter the full URL in this field: exclude the /services/collector portion of the URL and include only the host information. (Investigator automatically adds /services/collector to the URL when exporting.) For example, https://<crowdstrike-url-info>.crowdstrike.com would be a valid entry.
For a non-NG-SIEM instance, the API URL does not include the /services/collector portion. The URL has a format similar to: https://<logscale host>/api/v1/ingest/hec
Token – enter the API key generated when creating the new connector in CrowdStrike Falcon.
Index – enter any value for the index.
Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.
If you enable this option, the certificates must be current and not expired and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.
Click Save.
When configured, a new alert received by Investigator updates the Last Ingested date and time in CrowdStrike Falcon for your connector.
For more information, see the Falcon LogScale documentation.
Elastic
For Elastic alert exports, configure a connector in Elastic and configure an alert export integration in Investigator.
To configure alert export to Elastic in Investigator
From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.
Click Elastic.
Toggle on Enabled.
Provide a name for the exporter.
Provide information about your Elastic instance, including the URL, the username and password, and the index.
Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.
If you enable this option, the certificates must be current and not expired and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.
Click Save.
For more information about the Elastic HTTP exporter, see the Elastic documentation.
Splunk HEC
For Splunk HEC alert exports, configure a HEC instance in Splunk and configure an alert export integration in Investigator.
To configure alert export to Splunk HEC in Investigator
From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.
Click Splunk HEC.
Toggle on Enabled.
Provide a name for the exporter.
Provide information about your HEC instance, including the URL, the token, and the Splunk index.
Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.
If you enable this option, the certificates must be current and not expired and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.
Click Save.
For more information about Splunk HEC, see the Splunk documentation.
Generic HTTP exporter
To configure alert export to a generic HTTP exporter in Investigator
From System Settings in the left navigation, choose Integrations and click the Alert Exports tab.
Click HTTP Exporter.
Toggle on Enabled.
Provide a name for the exporter.
Provide the URL for your exporter.
Specify the authentication type.
None.
Basic. Provide a username and password for authentication.
Bearer. Provide a token value for authentication.
Optionally, add custom headers in the key/value format.
You can add one or more custom headers to export additional information. Each header must have a key (without spaces) and a corresponding value.
Optionally, enable Verify SSL to verify the certificate and hostname provided by the exporter.
If you enable this option, the certificates must be current and not expired and must be issued by a trusted issuer. Additionally, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.
Click Save.
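The endpoint that receives the generic HTTP export can enforce the same settings on its side: the fixed Investigator source addresses from the note above, the chosen authentication type, and any custom headers. The following is an added example, not Corelight code; it assumes the credentials arrive in the standard Authorization header and that client_ip is the TCP peer address the receiver sees, and the function and parameter names are hypothetical.

```python
import base64
import hmac
import ipaddress

# Source addresses listed on this page, one per Investigator region.
INVESTIGATOR_SOURCES = {
    ipaddress.ip_address("35.81.184.144"),   # North America (us-west-2)
    ipaddress.ip_address("35.157.240.249"),  # EU
    ipaddress.ip_address("40.172.28.44"),    # Middle East
}

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode(), b.encode())

def authorize(client_ip, headers, *, auth_type, secret="", required_headers=None):
    """Return (ok, reason) for one incoming export request.

    auth_type is "none", "basic" (secret is "user:password") or "bearer"
    (secret is the token). required_headers maps custom header keys to the
    values configured in the exporter (assumption: used as a shared marker).
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable source address"
    if ip not in INVESTIGATOR_SOURCES:
        return False, "source address is not a listed Investigator IP"
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scheme, _, value = hdrs.get("authorization", "").partition(" ")
    value = value.strip()
    if auth_type == "bearer":
        if scheme.lower() != "bearer" or not _same(value, secret):
            return False, "bad bearer token"
    elif auth_type == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            decoded = ""
        if scheme.lower() != "basic" or not _same(decoded, secret):
            return False, "bad basic credentials"
    elif auth_type != "none":
        return False, "unknown auth type"
    for key, expected in (required_headers or {}).items():
        if not _same(hdrs.get(key.lower(), ""), expected):
            return False, f"custom header {key} missing or wrong"
    return True, "ok"
```

If the receiver sits behind a load balancer or reverse proxy, the peer address is the proxy's, so the source-address check belongs on the proxy or firewall instead.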