CrowdStrike Integration

This document describes the steps to integrate Email Security with CrowdStrike Falcon Next‑Gen SIEM.

High-Level Procedure

Step 1 - Create a CrowdStrike Data Connection

To create a CrowdStrike data connection:

  1. Log in to the Falcon portal.

  2. Click the Menu icon and go to Next-Gen SIEM > Log management > Data settings.

  3. Go to the Data connections tab and click Add connection.

  4. In the Data connections page, enter Check Point in the search bar and filter by connector name.

  5. Select Check Point Email & Collaboration Security Data Connector.

    The New Connection details page appears.

  6. In the Connection name field, enter the required connector name.

  7. In the Description (Optional) field, enter the required description.

  8. In the Parsing and enrichment section:

    1. By default, the Check Point Email Security parser is selected.

    2. Select the Enable host enrichment checkbox.

    3. Select the terms and conditions checkbox.

  9. Click Create connection.

    In the Connection Details page, the Generate API key banner appears.

  10. Click Generate API key.

  11. In the Connection setup page, copy the API URL and API Key. You need both to configure the SIEM integration in Step 2.

    Note - Store the API URL and API Key in a secrets store before you leave this page, as they will not be shown again. The API Key is a bearer token: anyone who holds it can write events into your SIEM, so do not paste it into tickets, chat or logs.

Step 2 - Configure CrowdStrike SIEM Integration

To configure the CrowdStrike SIEM integration with Email Security:

  1. Access the Email Security Administrator Portal.

  2. From the left navigation panel, go to Security Settings > Security Engines.

  3. Scroll down to the SIEM Integration section and click Configure.

    The Configure SIEM Integration pop-up appears.

  4. From the Transport dropdown, select Crowdstrike NG-SIEM.

  5. In the CrowdStrike Event Collector Host / URL field, enter the API URL copied in Step 1.

  6. In the Bearer Token field, enter the API Key copied in Step 1.

  7. From the Format dropdown, select JSON (Crowdstrike ECS compatible).

  8. To also forward system logs to the SIEM, select the Collect System logs checkbox.

  9. (Optional) If you want to add custom fields to every event that Email Security forwards to CrowdStrike:

    1. Select the Add custom field checkbox.

    2. In the Custom field name field, enter the required name.

    3. In the Custom field value field, enter the required value.

    Note - You can add up to five custom fields.

  10. Click Save.

After you save the configuration, Email Security starts sending logs to CrowdStrike. Confirm in the Falcon portal that events arrive on the data connection created in Step 1 before you rely on it for detections.