CrowdStrike Next-Gen SIEM and FortiGate Connector


So I’m working on getting all of our external systems connected into the CrowdStrike Next-Gen SIEM as part of our internal Falcon Complete tenancy. Following the documentation in the CrowdStrike portal, downloading and installing the Log Collector and setting up the connector were straightforward.

I’ve got a Windows VM set up as a collector with the following basic YAML configuration, using the token and URL generated in the connector’s dashboard for the FortiGate connector. It’s important to remove /services/collector from the end of the URL that is generated for you: the collector’s HEC sink appends that path itself, so leaving it in place means the collector posts to a doubled path and nothing is ingested.

dataDirectory: C:\ProgramData\LogScale Collector\
sources:
  syslog_port_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: <your_token>
    url: https://ingest.us-2.crowdstrike.com/<url>   # base URL only, without /services/collector

Once the configuration file is saved under Program Files, go into the Services console and start the Humio Log Collector service; while you’re there, set its startup type to Automatic (Delayed Start) so it survives a reboot. We can now start getting the devices configured to forward logs.
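The steps above, as an added PowerShell example that is not from the original post or from CrowdStrike: it strips the /services/collector suffix from the generated URL, writes the same config the post uses, opens UDP 514 inbound on the Windows Firewall (inbound UDP is blocked by default, so FortiAnalyzer traffic would otherwise never reach the listener), sets the service to Automatic (Delayed Start), restarts it, and confirms something is bound to UDP/514. The config path, the service name HumioLogCollector and an elevated session are assumptions; check the first two with Get-Service *Humio* on your own box. The final step sends one constructed FortiGate-style syslog line to the collector; it will land in the SIEM as a test event and lets you separate a collector/URL problem from a FortiAnalyzer forwarding problem.

```powershell
# Added example, not from the original post: prepare and verify the LogScale
# Collector on the Windows collector box. Assumptions (not stated on the page):
# the config path and service name below, an elevated PowerShell session, and
# that the collector's HEC sink appends /services/collector itself.
param(
    [Parameter(Mandatory)] [string] $Token,
    [Parameter(Mandatory)] [string] $Url,      # URL exactly as the connector dashboard generated it
    [string] $ConfigPath  = 'C:\Program Files (x86)\CrowdStrike\Humio Log Collector\config.yaml', # assumed
    [string] $ServiceName = 'HumioLogCollector'                                                    # assumed
)

# 1. Normalise the URL: drop the trailing /services/collector (and any /event
#    suffix) that the dashboard includes, because the sink adds it back.
$BaseUrl = ($Url -replace '/services/collector(/event)?/?$', '').TrimEnd('/')
if ($BaseUrl -eq $Url) { Write-Host 'URL had no /services/collector suffix to remove' }

# 2. Render the same config the post uses, with the corrected URL.
$Config = @"
dataDirectory: C:\ProgramData\LogScale Collector\
sources:
  syslog_port_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: $Token
    url: $BaseUrl
"@
Set-Content -Path $ConfigPath -Value $Config -Encoding ascii

# 3. Windows Firewall blocks unsolicited inbound UDP by default, so the
#    FortiAnalyzer's syslog never reaches the listener without an inbound rule.
$RuleName = 'LogScale Collector syslog UDP 514'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort 514 -Action Allow | Out-Null
}

# 4. Automatic (Delayed Start), then (re)start so the new config is picked up.
#    sc.exe is used because Set-Service in Windows PowerShell 5.1 has no
#    delayed-auto startup type.
sc.exe config $ServiceName start= delayed-auto | Out-Null
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType

# 5. Confirm the collector is actually bound to UDP/514.
$Listener = Get-NetUDPEndpoint -LocalPort 514 -ErrorAction SilentlyContinue
if (-not $Listener) { throw 'Nothing is listening on UDP/514; check the collector log' }

# 6. Send one constructed FortiGate-style line (not a real device log) to the
#    listener. It should show up under #Vendor=fortinet within a few minutes.
$TestLine = '<189>date=2024-01-01 time=00:00:00 devname="fgt-test" devid="FGT-TEST" ' +
            'logid="0000000013" type="traffic" subtype="forward" level="notice" ' +
            'srcip=10.0.0.10 dstip=10.0.0.20 action="accept" msg="collector test"'
$Udp   = New-Object System.Net.Sockets.UdpClient
$Bytes = [System.Text.Encoding]::ASCII.GetBytes($TestLine)
[void] $Udp.Send($Bytes, $Bytes.Length, '127.0.0.1', 514)
$Udp.Close()
```

Run it as .\Setup-Collector.ps1 -Token '<your_token>' -Url '<url from the dashboard>' from an elevated prompt. If step 5 throws, the service started but never bound the port (bad YAML indentation or a port conflict are the usual causes); if step 5 passes but the test line never appears in the SIEM, the problem is the sink URL or token.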

I’ve deviated from the documentation: instead of configuring each FortiGate device, I’ve cheated a little and used our FortiAnalyzer as a forwarder.

Log into the FortiAnalyzer, go to System Settings > Log Forwarding and create a Log Forwarding entry with the Server IP pointing to the Windows server running the CrowdStrike Humio Log Collector service, select the devices you want to forward (in this case, everything in our Root ADOM) and hit Save. Make sure the remote server type is Syslog and that the port and protocol match the collector’s source (UDP 514 in the configuration above); nothing on the FortiGates themselves needs to change, since they already log to the FortiAnalyzer.

I could tell this was working as the network adapter on the log collector box started sending and receiving traffic at a much higher rate than before. Within a few minutes the connector under the My connectors dashboard showed as active.

With all the pieces working and data being sent to CrowdStrike, we can finally interrogate the SIEM for FortiGate events with the following query.

#Vendor=fortinet | #event.module=fortigate

Results should start coming through within a few minutes. If you’re not seeing anything, double-check that the collector service is running and that the URL you’ve got is right (again, make sure to remove /services/collector from the end of the URL).

Hope that helps as a shortcut if you have a fleet of devices you need to onboard onto the SIEM.


2 responses to “CrowdStrike Next-Gen SIEM and FortiGate Connector”

  1. Mike Siepmann Avatar
    Mike Siepmann

    Thank you for this helpful guide, did you use the fortinet parser that is supplied by crowdstrike?

    Your guide is how we have our logs setup to be shipped, but so far no luck getting into NG Siem. Did you have to modify anything else?

    1. John Avatar
      John

      Hi Mike, nope. I just enabled the connector, installed the collector, created the connection on the FAZ and data began to show up in the SIEM.

      From memory it did take a little while before it showed up in the NG SIEM.
