CrowdStrike Next-Gen SIEM destination

This product is not supported for the selected Datadog site.

Use the Observability Pipelines CrowdStrike Next-Gen SIEM destination to send logs to CrowdStrike Next-Gen SIEM.

Setup

Set up the CrowdStrike NG-SIEM destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

To use the CrowdStrike NG-SIEM destination, you need to set up a CrowdStrike data connector using the HEC/HTTP Event Connector. See Step 1: Set up the HEC/HTTP event data connector for instructions. When you set up the data connector, you are given a HEC API key and URL, which you use when you configure the Observability Pipelines Worker later on.

  1. Select JSON or Raw encoding in the dropdown menu.
  2. Optionally, enable compression and select an algorithm (gzip or zlib) in the dropdown menu.
  3. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.
    Note: All file paths are made relative to the configuration data directory, which is /var/lib/observability-pipelines-worker/config/ by default. See Advanced Configurations for more information. The file must be owned by the observability-pipelines-worker group and observability-pipelines-worker user, or at least readable by the group or user.
    • Server Certificate Path: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
    • CA Certificate Path: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
    • Private Key Path: The path to the .key private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
  4. Optionally, toggle the switch to enable Buffering Options.
    Note: Buffering Options is in Preview. Contact your account manager to request access.
    • If left disabled, the maximum size for buffering is 500 events.
    • If enabled:
      1. Select the buffer type you want to set (Memory or Disk).
      2. Enter the buffer size and select the unit.
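The TLS step above says that relative file paths are resolved against the configuration data directory and that each file must be owned by, or at least readable by, the observability-pipelines-worker user or group. The following shell snippet is an added example, not code from the Datadog docs or from the Worker itself: it resolves a configured path the way the docs describe and checks the file's mode bits against the Worker's user and group before you start the Worker. The directory, user and group default to the documented values and can be overridden through the OP_CONFIG_DIR, OP_USER and OP_GROUP variables (names assumed here for the example).

```shell
#!/bin/sh
# Added example, not part of the Datadog docs or the Worker.
# Defaults are the documented config data directory and service account;
# the variable names OP_CONFIG_DIR / OP_USER / OP_GROUP are assumptions.
OP_CONFIG_DIR="${OP_CONFIG_DIR:-/var/lib/observability-pipelines-worker/config/}"
OP_USER="${OP_USER:-observability-pipelines-worker}"
OP_GROUP="${OP_GROUP:-observability-pipelines-worker}"

# Print the absolute path for a configured file path: absolute paths pass
# through unchanged, relative paths are joined onto the config data directory.
resolve_op_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "${OP_CONFIG_DIR%/}/$1" ;;
    esac
}

# Return 0 if the file exists and is readable by OP_USER, either as the owner,
# through OP_GROUP, or through the "other" permission bits. Otherwise explain
# on stderr and return 1. Only mode bits are inspected, so this works without
# switching to the Worker's account.
check_op_tls_file() {
    f=$(resolve_op_path "$1")
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # ls -ld prints: mode links owner group size ... (same layout on GNU and BSD ls)
    set -- $(ls -ld "$f")
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$OP_USER" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)      # owner read bit
    elif [ "$group" = "$OP_GROUP" ]; then
        bit=$(printf '%s' "$mode" | cut -c5)      # group read bit
    else
        bit=$(printf '%s' "$mode" | cut -c8)      # other read bit
    fi
    [ "$bit" = "r" ] && return 0
    echo "not readable by $OP_USER: $f (mode $mode, owner $owner, group $group)" >&2
    return 1
}

# Check all three documented TLS files in one go. Usage:
#   check_op_tls_files server.crt ca.crt server.key
check_op_tls_files() {
    rc=0
    for p in "$@"; do
        check_op_tls_file "$p" || rc=1
    done
    return $rc
}
```

Running check_op_tls_files with the three paths you entered in the UI reports every file the Worker's account could not open, which is the usual cause of a TLS handshake that fails right after the destination is enabled.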

Set the environment variables

  • CrowdStrike HEC ingestion URL:
    • Note: Do not include the suffix /services/collector in the URL. The URL must follow this format: https://<your_instance_id>.ingest.us-1.crowdstrike.com.
    • Stored in the environment variable DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL.
  • CrowdStrike HEC API token:
    • Stored in the environment variable DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN.
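The note above is easy to get wrong in practice, because the HEC URL that the CrowdStrike connector shows you already carries the /services/collector suffix. The shell snippet below is an added example, not code from the Datadog docs or from the Worker: it validates the two values before exporting them under the documented variable names, rejecting a URL that still carries the suffix or that does not have the documented host shape. The region part is matched generically (for example us-1) and the token check only requires a non-empty value; both are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Datadog docs or the Worker.

# Return 0 when the URL matches the documented shape
#   https://<your_instance_id>.ingest.us-1.crowdstrike.com
# with no path component. Any other region of the form <letters>-<digits>
# is also accepted (assumption for the example). Returns 1 with a reason on
# stderr otherwise.
check_ngsiem_endpoint() {
    url="$1"
    case "$url" in
        */services/collector|*/services/collector/)
            echo "error: remove the /services/collector suffix: $url" >&2
            return 1 ;;
    esac
    if printf '%s\n' "$url" | grep -Eq '^https://[A-Za-z0-9-]+\.ingest\.[a-z]+-[0-9]+\.crowdstrike\.com/?$'; then
        return 0
    fi
    echo "error: expected https://<your_instance_id>.ingest.us-1.crowdstrike.com, got: $url" >&2
    return 1
}

# Return 0 when the token is non-empty and free of whitespace (assumption:
# HEC API keys never contain spaces, so a space usually means a copy/paste error).
check_ngsiem_token() {
    tok="$1"
    [ -n "$tok" ] || { echo "error: empty HEC API token" >&2; return 1; }
    case "$tok" in
        *[[:space:]]*) echo "error: token contains whitespace" >&2; return 1 ;;
    esac
    return 0
}

# Validate both values and export them under the documented variable names.
# Usage: configure_ngsiem_env "$URL" "$TOKEN"
configure_ngsiem_env() {
    check_ngsiem_endpoint "$1" || return 1
    check_ngsiem_token "$2" || return 1
    export DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL="$1"
    export DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN="$2"
}
```

Source this file in the Worker's startup script and call configure_ngsiem_env with the values from the connector; a non-zero return stops the start before the Worker begins dropping batches against a malformed endpoint. Keep the token out of shell history and logs, for example by reading it from a file or secret store rather than passing it on a visible command line.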

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

Max Events    Max Bytes    Timeout (seconds)
None          1,000,000    1