
Crowdstrike Next-Gen SIEM

You can configure audit logs to be forwarded to CrowdStrike Next-Gen SIEM using the HTTP Event Collector (HEC) protocol. This allows you to centralize Pangea logs alongside other CrowdStrike telemetry for unified threat detection, monitoring, and response.

Configure a connector

In your Crowdstrike Falcon console, follow the instructions in Step 1: Configure and activate the Pangea AI Guard data connector in the HEC/HTTP Event Connector guide.

For example:

  1. Navigate to the Data connections page under Next-Gen SIEM >> Data onboarding in your Crowdstrike Falcon console.

  2. Click Add connection in the list of connections.

  3. In the Product filter, select HEC.

  4. Click HEC / HTTP Event Connector in the list.

  5. Click Configure.

  6. On the Add new connector page, enter Data source, Connector name, and Description.

  7. Under Parser details, select a parser.

    Pangea offers a Crowdstrike Next-Gen SIEM parser designed to process events from the AI Guard Activity Log, which is enabled by default when the AI Guard service is activated.

    Select PangeaAIGuardParser if you're forwarding AI Guard activity logs to Crowdstrike.

  8. Accept the terms and conditions, then click Save.

  9. On the connector details page, click Generate API key.

  10. Copy the API key and API URL. You will use these values to configure log forwarding in the Secure Audit Log service.

Set up log forwarding

  1. Select an audit schema.

    On the Secure Audit Log service page in your Pangea User Console, use the schema selector in the top-left to choose the configuration that matches your Crowdstrike parser.

    To forward AI Guard activity logs, select AI Activity Audit Log Schema.

  2. Click General in the sidebar to open the settings for the selected schema.

  3. Under Audit Log Forwarding, toggle the control in the top-right to Enabled.

  4. Set Logging Service to Crowdstrike Next-Gen SIEM.

  5. For Event URL, enter the API URL from your Crowdstrike connector.

  6. Click the Store HEC Token button.

  7. In the New Secret dialog, enter the API key from your Crowdstrike connector in the Secret field.

  8. Click Done.

  9. Click Save to apply the configuration.

  10. Click Test forwarding configuration to validate the setup.

    A successful test confirms the configuration (screenshot: Successfully tested log forwarding configuration on the Audit Log Forwarding settings page in the Pangea User Console).

    A failed test displays an error message (screenshot: Error shown for a failed log forwarding test on the Audit Log Forwarding settings page in the Pangea User Console).

To generate real events, return to the service list, open the AI Guard service page, and under Recipes, use the Sandbox feature to send a sample input.

After a few minutes, you should see the forwarded events in your Crowdstrike Falcon console under Next-Gen SIEM >> Advanced event search.
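If you want to check the connector's API URL and API key from your own network before relying on the in-console test, the following added example (not code from Pangea or CrowdStrike) posts one constructed test event to the endpoint. It assumes the connector accepts the standard HEC JSON envelope (`{"time": ..., "event": ...}`) and an `Authorization: Bearer <API key>` header; the `CS_HEC_URL` and `CS_HEC_API_KEY` environment variable names are also assumptions.

```python
# Added example, not from the Pangea or CrowdStrike documentation: send one
# constructed HEC-formatted test event to the connector, mirroring the
# "Test forwarding configuration" button from the command line.
# Assumptions: standard HEC JSON envelope and "Authorization: Bearer <API key>".
import json
import os
import ssl
import time
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple


def build_hec_payload(event: dict, source: str = "pangea-audit-log",
                      ts: Optional[float] = None) -> dict:
    """Wrap an event in the HEC envelope; 'ts' defaults to now (epoch seconds)."""
    stamp = ts if ts is not None else round(time.time(), 3)
    return {"time": stamp, "source": source, "event": event}


def auth_headers(api_key: str) -> Dict[str, str]:
    # Bearer scheme is an assumption; change it if the connector documents another.
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def redact(api_key: str) -> str:
    """Show only the last 4 characters so the key never lands in logs or output."""
    return "*" * max(len(api_key) - 4, 0) + api_key[-4:]


def send_test_event(api_url: str, api_key: str, event: dict) -> Tuple[int, str]:
    """POST one event; returns (HTTP status, body). TLS is verified against the system trust store."""
    body = json.dumps(build_hec_payload(event)).encode()
    req = urllib.request.Request(api_url, data=body, headers=auth_headers(api_key), method="POST")
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:  # 401/403 usually mean a wrong or revoked API key
        return exc.code, exc.read().decode(errors="replace")


if __name__ == "__main__":
    url = os.environ["CS_HEC_URL"]        # API URL copied from the connector details page
    key = os.environ["CS_HEC_API_KEY"]    # API key generated on the same page
    # Constructed sample event; the field names are illustrative, not the AI Guard schema.
    sample = {"message": "pangea forwarding connectivity test", "action": "test"}
    status, text = send_test_event(url, key, sample)
    print(f"key={redact(key)} status={status} body={text[:200]}")
```

A 2xx status means the URL and key are accepted; the event itself will only parse cleanly once real AI Guard activity logs flow through the PangeaAIGuardParser.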

Note

The following optional fields are not applicable when using the Crowdstrike Next-Gen SIEM connector:

  • Index
  • Indexer Acknowledgment
  • Provider certificate to use self-signed TLS

Next steps

To visualize log data forwarded from Pangea to Crowdstrike Next-Gen SIEM, use the prebuilt Pangea dashboards available on GitHub. You can import these dashboards into your Crowdstrike Falcon console by following the instructions in the repository README.

(Screenshot: Pangea AI Guard Dashboard populated with blocked and allowed events in the Crowdstrike Falcon console)
