---
title: CrowdStrike Next-Gen SIEM Destination
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Observability Pipelines > Destinations > CrowdStrike Next-Gen SIEM
  Destination
---

# CrowdStrike Next-Gen SIEM Destination

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}
Available for: {% icon name="icon-logs" /%} Logs

Use Observability Pipelines' CrowdStrike Next-Gen SIEM destination to send logs to CrowdStrike Next-Gen SIEM.

## Setup{% #setup %}

Set up the CrowdStrike NG-SIEM destination and its environment variables when you [set up a pipeline](https://app.datadoghq.com/observability-pipelines). The information below is configured in the pipelines UI.

### Set up the destination{% #set-up-the-destination %}

To use the CrowdStrike NG-SIEM destination, you need to set up a CrowdStrike data connector using the HEC/HTTP Event Connector. See [Step 1: Set up the HEC/HTTP event data connector](https://falcon.us-2.crowdstrike.com/documentation/page/bdded008/hec-http-event-connector-guide) for instructions. When you set up the data connector, you are given a HEC API key and URL, which you use when you configure the Observability Pipelines Worker later on.

{% alert level="danger" %}
Only enter the identifiers for the CrowdStrike NG-SIEM endpoint URL, token, and, if applicable, the TLS key passphrase. Do not enter the actual values.
{% /alert %}

1. Enter the identifier for your CrowdStrike NG-SIEM endpoint URL. If you leave it blank, the default is used.
1. Enter the identifier for your CrowdStrike NG-SIEM token. If you leave it blank, the default is used.
1. Select **JSON** or **Raw** encoding in the dropdown menu.

#### Optional settings{% #optional-settings %}

##### Enable compressions{% #enable-compressions %}

1. Toggle the switch to **Enable compressions**.
1. Select an algorithm (**gzip** or **zlib**) in the dropdown menu.

##### Enable TLS{% #enable-tls %}

Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required. **Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations](https://docs.datadoghq.com/observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/) for more information. The files must be owned by the `observability-pipelines-worker` group and `observability-pipelines-worker` user, or at least be readable by that group or user.

- Enter the identifier for your CrowdStrike NG-SIEM key pass. If you leave it blank, the default is used.
- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.

##### Buffering{% #buffering %}

Toggle the switch to enable **Buffering Options**. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn't create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing data to disk, ensuring buffered data persists through a Worker restart. See [Destination buffers](https://docs.datadoghq.com/observability_pipelines/scaling_and_performance/buffering_and_backpressure/#destination-buffers) for more information.

- If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
- To configure a buffer on your destination:
  1. Select the buffer type you want to set (**Memory** or **Disk**).
  1. Enter the buffer size and select the unit.
     1. Maximum memory buffer size is 128 GB.
     1. Maximum disk buffer size is 500 GB.
  1. In the **Behavior on full buffer** dropdown menu, select whether you want to **block** events or **drop new events** when the buffer is full.

### Set secrets{% #set-secrets %}

These are the defaults used for secret identifiers and environment variables.

**Note**: If you enter secret identifiers and then choose to use environment variables, the environment variable name is the identifier you entered, prefixed with `DD_OP_`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.

{% tab title="Secrets Management" %}

- CrowdStrike NG-SIEM endpoint URL identifier:
  - In your secrets manager, do **not** include the suffix `/services/collector` in the URL. The URL must follow this format: `https://<your_instance_id>.ingest.us-1.crowdstrike.com`.
  - The default identifier is `DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL`.
- CrowdStrike NG-SIEM token identifier:
  - The default identifier is `DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN`.
- CrowdStrike NG-SIEM TLS passphrase identifier (when TLS is enabled):
  - The default identifier is `DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_KEY_PASS`.

{% /tab %}

{% tab title="Environment Variables" %}

- CrowdStrike HEC ingestion URL:
  - **Note**: Do **not** include the suffix `/services/collector` in the URL. The URL must follow this format: `https://<your_instance_id>.ingest.us-1.crowdstrike.com`.
  - The default environment variable is `DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL`.
- CrowdStrike HEC API token:
  - The default environment variable is `DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN`.
- CrowdStrike Next-Gen SIEM HEC TLS passphrase:
  - The default environment variable is `DD_OP_DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_KEY_PASS`.

{% /tab %}
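The rules above (the `DD_OP_` prefix, the HEC URL format without the `/services/collector` suffix, and TLS paths resolved against the configuration data directory) can be checked before the Worker starts. The following preflight script is an added example written for this page, not Datadog or CrowdStrike tooling; the function names, the `OPW_CONFIG_DIR` variable, and the acceptance of region labels other than `us-1` in the hostname are its own assumptions.

```shell
# Added preflight check for the CrowdStrike NG-SIEM destination (example
# code, not Datadog or CrowdStrike tooling). Source it and call preflight
# from the Worker's start script; it fails fast on a bad or missing value.

OPW_CONFIG_DIR="${OPW_CONFIG_DIR:-/var/lib/observability-pipelines-worker/config}"

# Map a secret identifier entered in the pipelines UI to the environment
# variable the Worker reads for it (identifier prefixed with DD_OP_).
op_env_name() {
  printf 'DD_OP_%s' "$1"
}

# Validate a HEC ingestion URL: https scheme, host of the form
# <instance_id>.ingest.<region>.crowdstrike.com (the page shows us-1;
# accepting other region labels is an assumption), and no path at all,
# so a pasted /services/collector suffix is rejected. Returns 0 if valid.
check_hec_url() {
  host="${1#https://}"
  [ "$host" != "$1" ] || return 1                   # scheme is not https
  case "$host" in */*|*' '*|'') return 1 ;; esac    # path, whitespace, or empty
  case "$host" in *.ingest.*.crowdstrike.com) return 0 ;; *) return 1 ;; esac
}

# Resolve a TLS file path the way the Worker does: relative paths are
# taken from the configuration data directory.
resolve_worker_path() {
  case "$1" in
    /*) printf '%s' "$1" ;;
    *)  printf '%s/%s' "$OPW_CONFIG_DIR" "$1" ;;
  esac
}

# A TLS file must exist and be readable by whoever runs this check; run it
# as the observability-pipelines-worker user to mirror the Worker's access.
check_tls_file() {
  f=$(resolve_worker_path "$1")
  [ -f "$f" ] && [ -r "$f" ]
}

# Read the endpoint and token through their DD_OP_ variables (the defaults
# are the page's default identifiers) and reject a missing or invalid value.
preflight() {
  url_var=$(op_env_name "${1:-DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_ENDPOINT_URL}")
  tok_var=$(op_env_name "${2:-DESTINATION_CROWDSTRIKE_NEXT_GEN_SIEM_TOKEN}")
  url=$(printenv "$url_var" || true)
  tok=$(printenv "$tok_var" || true)
  [ -n "$tok" ] || { echo "missing $tok_var" >&2; return 1; }
  check_hec_url "$url" || { echo "invalid $url_var: '$url'" >&2; return 1; }
}
```

Run `preflight` with the identifiers you entered in the UI (or none for the defaults) as the `observability-pipelines-worker` user so the TLS readability check reflects what the Worker itself can open.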

## How the destination works{% #how-the-destination-works %}

### Event batching{% #event-batching %}

A batch of events is flushed when one of these parameters is met. See [event batching](https://docs.datadoghq.com/observability_pipelines/destinations/#event-batching) for more information.

| Maximum Events | Maximum Size (MB) | Timeout (seconds) |
| -------------- | ----------------- | ----------------- |
| None           | 1                 | 1                 |
