Integrating CrowdStrike Falcon Next-Gen SIEM

CrowdStrike is a cybersecurity company that provides cloud-native endpoint protection. CrowdStrike Falcon Next-Gen SIEM is a security information and event management platform that aggregates and analyzes security data from multiple sources to detect threats and support incident responses.

This integration connects CrowdStrike Falcon Next-Gen SIEM with the Delinea Platform to forward audit logs via webhooks using the HTTP Event Connector (HEC).

By implementing this integration, administrators can centralize Delinea Platform security events in CrowdStrike Falcon for correlation and analysis, providing comprehensive visibility into privileged access activities across the organization.

Prerequisites

The integration of CrowdStrike Falcon Next-Gen SIEM with the Delinea Platform requires that the following prerequisites be met.

Delinea Platform

  • The Delinea Platform is properly provisioned and configured in your environment.

  • You have administrator permissions for managing webhooks in the Delinea Platform.

CrowdStrike Falcon Requirements

  • A subscription to Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10 GB.

  • CrowdStrike Falcon Administrator or Connector Manager privileges.

  • Access to the CrowdStrike Falcon console.

Network Requirements

Firewall rules must allow outbound HTTPS traffic from the Delinea Platform to the CrowdStrike API endpoint.

Configuration

To enable the integration between CrowdStrike Falcon Next-Gen SIEM and the Delinea Platform, complete the following configuration tasks:

Configuring CrowdStrike Falcon Next-Gen SIEM

To configure CrowdStrike Falcon Next-Gen SIEM for the integration with the Delinea Platform, you must create and configure an HTTP Event Collector (HEC) in CrowdStrike Falcon Next-Gen SIEM. HEC allows the Delinea Platform to send data and application events to CrowdStrike Falcon Next-Gen SIEM over HTTP and HTTPS.

You must also generate an API key (an authentication token) for HEC to allow it to authenticate with your CrowdStrike Falcon Next-Gen SIEM instance and securely send event data to it.

To create an HTTP Event Collector and generate an API key:

  1. Sign in to the CrowdStrike Falcon console with an administrator account.

  2. Open the main menu.

  3. Navigate to Next-Gen SIEM > Log Management > Data Onboarding.

  4. In the Connections section, select + Add connection.

    The connector selection page appears.

  5. Select the Filter by connector name drop-down list.

  6. Type HTTP and select Apply.

  7. Select HEC / HTTP Event Connector from the list.

  8. Select Configure.

  9. On the Add new connector panel, provide the following details:

    • Data Source: Delinea Platform.

    • Data Type: JSON.

    • Connector Name: Delinea Platform Connector.

    • Parser Details: Create a new parser (recommended) or select a generic JSON parser.

      If creating a custom parser, note that the JSON templates in Webhook Payload Schema and SIEM Parsing Recommendations show the structure of events generated by the Delinea Platform webhook. Use this schema to configure your CrowdStrike parser for handling nested fields.

      Use the following example as parser syntax in CrowdStrike LogScale to extract and rename fields from Delinea Platform webhook events:

      // Parse the raw webhook body as JSON, then promote nested fields to flat names.
      parseJson(field=@rawstring)
      // @timestamp must be milliseconds since epoch, so parse EventDateTime instead of
      // assigning the string directly (set format= if the payload is not ISO 8601).
      | parseTimestamp(field="EventDateTime")
      | event_id := AuditEventMessageId
      | event_name := Action.Name
      | event_verb := Action.Verb
      | user := Actor.Name
      | client_ip := ClientIPAddress
      | source_ip := Source.Network.IpAddress
      | secret_name := Target.secretName
      | secret_id := Target.secretId

  10. Save the connection configuration.

  11. After saving the connector configuration, generate the API key:

    1. Check the box to acknowledge the CrowdStrike Terms and Conditions.

    2. Select Save.

    3. Wait for the connector setup to complete.

      A notification bar appears when the connector is ready.

    4. Select Generate API Key on the right side of the notification bar.

    5. Copy and securely store both the API URL and API Key. These values are required for the Delinea Platform configuration.

      The API URL format must be as follows:

      https://cloud-api.<region>.crowdstrike.com/hec/v1/events

      Where <region> corresponds to your CrowdStrike cloud environment:

      • us-1 for US-1 cloud

      • us-2 for US-2 cloud

      • eu-1 for EU cloud

      • us-gov-1 for GovCloud

      The API Key is displayed only once.

  12. Determine the correct HEC endpoint.

    The HEC endpoint URL format depends on how you are sending data. The standard HEC endpoint expects each event wrapped in a JSON envelope with fields such as event, source, and sourcetype. The Delinea Platform sends raw JSON webhook payloads without this wrapper, so the endpoint URL must use the /raw suffix; the /raw endpoint accepts line-delimited JSON events directly.

Configuring the Delinea Platform

To configure the Delinea Platform for the integration with CrowdStrike Falcon Next-Gen SIEM, you must create a webhook in the platform.

To create a webhook:

  1. Log in to the Delinea Platform with an administrator account.

  2. Search for webhooks.

  3. On the Webhooks page, select Create Webhook.

  4. On the Create Webhook page, complete the following webhook configuration fields:

    • Name: CrowdStrike Falcon SIEM.

    • Endpoint URL: Paste the API URL from CrowdStrike Falcon Next-Gen SIEM.

    • Description: Enter Forwards audit logs to CrowdStrike Falcon Next-Gen SIEM.

    • Webhook State: Select Enabled.

  5. Under Custom Headers, click to add a new header:

    • Key: Authorization as the header name.

    • Value: Enter Bearer <your-API-key> as the header value. Replace <your-API-key> with the API key from CrowdStrike Falcon Next-Gen SIEM.

      Example: Bearer 14935FMGNWLGJJT385ABC123XYZ

  6. Under Triggers, select the services and event levels to forward to CrowdStrike Falcon Next-Gen SIEM.

  7. To save the webhook, select Save.

The webhook is now active and begins forwarding events to CrowdStrike Falcon Next-Gen SIEM.

Verification

This section provides steps to verify that the integration between CrowdStrike Falcon Next-Gen SIEM and the Delinea Platform works correctly.

Verification in the Delinea Platform

To verify the integration from the Delinea Platform:

  1. In the Delinea Platform, search for webhooks.

  2. On the Webhooks page, select the CrowdStrike Falcon SIEM webhook.

  3. Hover your cursor to the right of the webhook name, select the three dots that appear, and then select Test Webhook.

    The Delinea Platform sends a test payload to the endpoint URL configured for the webhook.

  4. Verify delivery status:

    1. Hover your cursor to the right of the webhook name, select the three dots, and then select View Webhook Logs.

    2. Select a log entry and in the panel on the right, select View Payload.

Verifying in CrowdStrike Falcon Next-Gen SIEM

To verify the integration in CrowdStrike Falcon Next-Gen SIEM:

  1. Log in to the CrowdStrike Falcon console.

  2. Navigate to Next-Gen SIEM > Log Search.

  3. Search for events from the Delinea Platform connector.

  4. Confirm that JSON fields are parsed correctly and that events are searchable.

The integration is successfully configured if:

  • Events are received in CrowdStrike Falcon SIEM.

  • JSON fields, such as event type, user, and timestamp, are parsed correctly.

  • Events are searchable by event name, username, and other relevant fields.

Troubleshooting

This section provides information to help you resolve potential issues when using the integration of CrowdStrike Falcon Next-Gen SIEM with the Delinea Platform.

Issue: Events are not appearing in CrowdStrike Next-Gen SIEM

Description: Events from the Delinea Platform are not appearing in CrowdStrike Falcon Next-Gen SIEM.

Solution:

  1. Verify that the webhook is enabled in the Delinea Platform.

  2. Confirm that the endpoint URL is correct.

  3. Check the webhook logs in the Delinea Platform for delivery errors.

  4. Verify that network connectivity and firewall rules allow outbound HTTPS traffic to the CrowdStrike API endpoint.

Issue: Authentication errors (401/403)

Description: The webhook returns HTTP 401 (Unauthorized) or 403 (Forbidden) errors.

Solution:

  1. Verify that the Authorization header format is correct: Bearer <key>.

  2. Confirm that the API key is valid and has not expired.

  3. If needed, regenerate the API key in CrowdStrike Falcon Next-Gen SIEM:

    1. Navigate to Next-Gen SIEM > Log Management > Data Onboarding.

    2. Locate the Delinea Platform Connector.

    3. Generate a new API key.

    4. Update the webhook configuration in the Delinea Platform with the new key.

Issue: Events are received but are not parsed

Description: Events appear in CrowdStrike Falcon Next-Gen SIEM but are not properly parsed, making fields unsearchable.

Solution:

  1. Review the parser configuration in CrowdStrike Falcon Next-Gen SIEM.

  2. Ensure that the parser includes parseJson(field=@rawstring) to properly parse JSON payloads.

  3. Verify that the parser maps fields correctly:

    • @timestamp := timestamp

    • @event_type := eventType

  4. Test the parser with sample event data.

  5. If needed, update the parser configuration and reprocess recent events.

Issue: Connection timeout errors

Description: The webhook experiences connection timeout errors when attempting to send events to CrowdStrike Next-Gen SIEM.

Solution:

  1. Verify network connectivity between the Delinea Platform and the CrowdStrike API endpoint.

  2. Check that firewall rules allow outbound HTTPS traffic to the CrowdStrike API endpoint.

  3. Confirm the correct API URL format for your region: https://cloud-api.<region>.crowdstrike.com/hec/v1/events

  4. Contact your network administrator if firewall rules need to be adjusted.

  5. Contact CrowdStrike support if the API endpoint is experiencing issues.

Issue: "failed to decode event" error in CrowdStrike

Description: The data connector in CrowdStrike reports the error "failed to decode event: json: cannot unmarshal object into Go struct field hecEventWithMetering.hecEvent.source of type string" if you use the standard HEC endpoint without /raw.

Solution: Configure your HEC endpoint with /raw.
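The following script is an added example, not Delinea's or CrowdStrike's own code. It builds the HEC URL, the Authorization header and the two payload shapes discussed in step 12 of the CrowdStrike configuration and in the decode-error row above, so the connector can be smoke-tested before the Delinea webhook is enabled. The region list and URL pattern come from this guide; appending /raw to that pattern, the envelope field values, and the sample event are assumptions.

```python
import json
import urllib.request

# Regions listed in this guide.
REGIONS = {"us-1", "us-2", "eu-1", "us-gov-1"}


def hec_url(region: str, raw: bool = True) -> str:
    """Return the HEC URL for a region; raw=True appends /raw (assumed suffix)
    for unwrapped, line-delimited JSON as sent by the Delinea webhook."""
    if region not in REGIONS:
        raise ValueError(f"unknown CrowdStrike region: {region!r}")
    base = f"https://cloud-api.{region}.crowdstrike.com/hec/v1/events"
    return base + "/raw" if raw else base


def hec_headers(api_key: str) -> dict:
    """Headers the webhook must send: bearer token plus JSON content type."""
    if not api_key or api_key.startswith("Bearer "):
        raise ValueError("pass the bare API key; the Bearer prefix is added here")
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def hec_envelope(event: dict) -> dict:
    """Envelope the standard (non-/raw) endpoint expects (field values assumed).
    A Delinea event posted unwrapped carries its own top-level 'Source' object,
    which does not fit the envelope's string 'source' field; that mismatch is
    consistent with the 'cannot unmarshal object ... of type string' error."""
    return {"event": event, "source": "delinea-platform", "sourcetype": "json"}


# Constructed sample shaped like the fields referenced by the parser example.
SAMPLE_EVENT = {
    "EventDateTime": "2024-05-01T10:15:30Z",
    "AuditEventMessageId": "sample-0001",
    "Action": {"Name": "Secret Viewed", "Verb": "View"},
    "Actor": {"Name": "jdoe"},
    "ClientIPAddress": "203.0.113.10",
    "Source": {"Network": {"IpAddress": "198.51.100.5"}},
    "Target": {"secretName": "prod-db-admin", "secretId": "12345"},
}


def send_test_event(region: str, api_key: str, event: dict = SAMPLE_EVENT) -> int:
    """POST one line-delimited JSON event to the /raw endpoint; returns HTTP status."""
    body = (json.dumps(event) + "\n").encode()
    req = urllib.request.Request(hec_url(region), data=body,
                                 headers=hec_headers(api_key), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

A 200 from send_test_event confirms connectivity and the bearer token; a 401 or 403 points to the Authorization header row above, and a decode error to the missing /raw suffix.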