CrowdStrike Next-Gen SIEM Destination

Use Observability Pipelines’ CrowdStrike Next-Gen SIEM destination to send logs to CrowdStrike Next-Gen SIEM.

Setup

Set up the CrowdStrike NG-SIEM destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

To use the CrowdStrike NG-SIEM destination, you need to set up a CrowdStrike data connector using the HEC/HTTP Event Connector. See Step 1: Set up the HEC/HTTP event data connector for instructions. When you set up the data connector, you are given a HEC API key and URL, which you use when you configure the Observability Pipelines Worker later on.

  1. Select JSON or Raw encoding in the dropdown menu.
  2. Optionally, enable compression and select an algorithm (gzip or zlib) in the dropdown menu.
  3. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required:
    • Server Certificate Path: The path to the certificate file signed by your Certificate Authority (CA) root, in DER or PEM (X.509) format.
    • CA Certificate Path: The path to the certificate file that is your Certificate Authority (CA) root, in DER or PEM (X.509) format.
    • Private Key Path: The path to the .key private key file that belongs to your server certificate, in DER or PEM (PKCS#8) format.

Set the environment variables

  • CrowdStrike HEC ingestion URL:
    • Stored in the environment variable DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL.
  • CrowdStrike HEC API token:
    • Stored in the environment variable DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN.
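A preflight check for the settings above (the two environment variables and, when TLS is enabled, the three certificate and key files from step 3). This is an added example, not Datadog or CrowdStrike code; the environment variable names for the TLS paths (SERVER_CERT_PATH, CA_CERT_PATH, PRIVATE_KEY_PATH) are hypothetical, since the page only says those paths are entered in the pipelines UI. It refuses a non-https ingestion URL, never prints the token in full, tells PEM from DER by inspecting the file, and warns when the private key is readable by other users.

```python
"""Preflight check for the CrowdStrike Next-Gen SIEM destination settings.

Added example, not Datadog or CrowdStrike code. It reads the two environment
variables named on this page and, optionally, the three TLS file paths, and
returns a list of problems to fix before the Worker is started. The names
SERVER_CERT_PATH, CA_CERT_PATH and PRIVATE_KEY_PATH are hypothetical; the page
only says those paths are entered in the pipelines UI.
"""
import os
import stat
from urllib.parse import urlparse

ENDPOINT_VAR = "DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL"
TOKEN_VAR = "DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN"


def redact(token):
    """Show only the last four characters so the token never lands in a log line."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def check_endpoint(url):
    """Problems with the HEC ingestion URL; an empty list means it looks sane."""
    if not url:
        return [f"{ENDPOINT_VAR} is not set"]
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("endpoint must be https, otherwise the HEC token travels in clear text")
    if not parsed.netloc:
        problems.append("endpoint has no host component")
    return problems


def check_token(token):
    """Problems with the HEC API token (the value is never echoed back in full)."""
    if not token:
        return [f"{TOKEN_VAR} is not set"]
    if token != token.strip():
        return [f"token {redact(token.strip())} has surrounding whitespace (paste error?)"]
    return []


def detect_encoding(data):
    """Classify certificate or key bytes as 'pem', 'der' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: DER X.509 certs and PKCS#8 keys start here
        return "der"
    return "unknown"


def check_tls_files(server_cert, ca_cert, private_key):
    """Check that each TLS file exists, parses as PEM or DER, and that the key stays private."""
    problems = []
    for label, path in (("server certificate", server_cert),
                        ("CA certificate", ca_cert),
                        ("private key", private_key)):
        if not path:
            problems.append(f"{label}: path not set")
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError as exc:
            problems.append(f"{label}: cannot read {path} ({exc.strerror})")
            continue
        if detect_encoding(data) == "unknown":
            problems.append(f"{label}: {path} is neither PEM nor DER")
    if private_key and os.path.exists(private_key):
        mode = stat.S_IMODE(os.stat(private_key).st_mode)
        if mode & 0o077:
            problems.append(f"private key: {private_key} is readable by group/other (mode {mode:04o})")
    return problems


def preflight(env=os.environ):
    """Collect every problem from the environment; an empty list means ready to start."""
    problems = check_endpoint(env.get(ENDPOINT_VAR, "")) + check_token(env.get(TOKEN_VAR, ""))
    # TLS paths are hypothetical variable names (see module docstring); only checked when set.
    if env.get("SERVER_CERT_PATH") or env.get("CA_CERT_PATH") or env.get("PRIVATE_KEY_PATH"):
        problems += check_tls_files(env.get("SERVER_CERT_PATH"), env.get("CA_CERT_PATH"),
                                    env.get("PRIVATE_KEY_PATH"))
    return problems


if __name__ == "__main__":
    for p in preflight():
        print("problem:", p)
```

Run it in the same shell session that will start the Worker, so it sees the same environment; a non-empty problem list is a reason not to start.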

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

  Max Events   Max Bytes   Timeout (seconds)
  None         1,000,000   1
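A small model of the flush rules in the table, as an added example rather than Observability Pipelines Worker code. It takes one reasonable reading of "flushed when one of these parameters is met": a batch is closed before an event that would push it over Max Bytes, when it reaches Max Events (unset here, matching "None"), or when the first event in it has waited Timeout seconds. Timestamps are passed in explicitly so the behaviour is deterministic and easy to reason about when sizing the Worker.

```python
"""Model of the event batching table: no event-count limit, 1,000,000 bytes,
1-second timeout.

Added example, not Observability Pipelines Worker code. The exact Worker
semantics are not specified on the page; this is one consistent reading of
"flushed when one of these parameters is met".
"""

MAX_EVENTS = None        # "None" in the table: no per-batch event limit
MAX_BYTES = 1_000_000
TIMEOUT_S = 1.0


class EventBatcher:
    def __init__(self, max_events=MAX_EVENTS, max_bytes=MAX_BYTES, timeout_s=TIMEOUT_S):
        self.max_events = max_events
        self.max_bytes = max_bytes
        self.timeout_s = timeout_s
        self._events = []
        self._bytes = 0
        self._opened_at = None   # arrival time of the first event in the current batch
        self.flush_reasons = []  # audit trail: why each flush happened

    def _flush(self, reason):
        batch = self._events
        self._events, self._bytes, self._opened_at = [], 0, None
        self.flush_reasons.append(reason)
        return batch

    def add(self, event, now):
        """Queue one encoded event; return the list of batches flushed by this call (0, 1 or 2)."""
        flushed = []
        # Close the batch before an event that would exceed the byte limit is added.
        # A single event larger than max_bytes is still queued and flushed on its own
        # at the next add() or poll(); it is never silently dropped.
        if self._events and self._bytes + len(event) > self.max_bytes:
            flushed.append(self._flush("max_bytes"))
        if not self._events:
            self._opened_at = now
        self._events.append(event)
        self._bytes += len(event)
        if self.max_events is not None and len(self._events) >= self.max_events:
            flushed.append(self._flush("max_events"))
        return flushed

    def poll(self, now):
        """Call periodically; return the batch if its first event has timed out, else None."""
        if self._events and now - self._opened_at >= self.timeout_s:
            return self._flush("timeout")
        return None

    def pending(self):
        """(event count, byte count) currently waiting to be flushed."""
        return len(self._events), self._bytes


if __name__ == "__main__":
    # Constructed demo: a burst of three 400 KB events, then a quiet period.
    batcher = EventBatcher()
    for i in range(3):
        for batch in batcher.add(b"{" + b"x" * 400_000 + b"}", now=i * 0.1):
            print("flushed", len(batch), "events")
    if batcher.poll(now=2.0):
        print("flushed remaining batch on timeout")
    print("reasons:", batcher.flush_reasons)
```

With the table's values, low-volume sources flush on the 1-second timeout and only a burst above roughly 1 MB/s ever hits the byte limit, which is why `flush_reasons` is a useful thing to log when tuning.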