CrowdStrike Falcon Next-Gen SIEM - Authentication Manager - RSA Ready Implementation Guide

This article describes how to integrate Authentication Manager (AM) with CrowdStrike Falcon Next-Gen SIEM.

  

Configure CrowdStrike Falcon Next-Gen

Configure and Activate the HEC/HTTP Data Connector

Perform these steps to configure and activate the HEC/HTTP Data Connector.

Procedure

  1. In the Falcon console, go to Data connectors > Data connectors > Data connections.
  2. Click + Add connection.
  3. On the Data Connectors page, filter by connector name to find and select the HEC / HTTP Event Connector.
  4. On the New connection page, review the connector metadata, version, and description.
  5. Click Configure.

Note: For connectors that are in a pre-production state, a warning appears. Click Accept to continue configuration.

  6. On the Add new connector page, provide the following details:
    1. Data source: Name for the data source to display on the connection's Details page.
    2. Connector name: Name to identify the connector. This name is displayed in the Connections list.
    3. (Optional) Description: Description of the connector.
    4. Parsers: A parser to use for this connection. In the Parsers drop-down list, select rsa-authenticationmanager.
  7. Select the Terms and Conditions check box and click Save.
    A banner message appears in the Falcon console when your API key and API URL are ready to be generated.
  8. To generate the API key, go to Data connectors > Data connectors > Data connections, click the Open menu for the data connector, and click Generate API key.
  9. Copy and safely store the API key and API URL to use during connector configuration.

Important: Save your API key, which is displayed only once during connector setup.

  

Configure Your Data Shipper

Perform these steps to configure your data shipper.

You can use any data shipper that supports the HEC API to complete this step. We recommend using the Falcon LogScale Collector.

Procedure

  1. In the Falcon console, go to Next-Gen SIEM > Log management > Data onboarding and click the Fleet Management tab.
  2. On the Fleet overview tab, click Get LogScale Collector.

We recommend following the Full install instructions.

Note: Full install lets you configure and update the Falcon LogScale Collector from the Falcon user interface and provides fleet management with metrics. Custom install requires local updates through the system's package manager.

    1. Select your operating system: macOS/Linux or Windows.
    2. Select an enrollment token: An enrollment token associates instances of the Falcon LogScale Collector with the config file. A Default Collector install token is provided and selected. No additional action is required.
    3. Run the provided curl or PowerShell command in your terminal to download and install the Falcon LogScale Collector.
  3. Close the Get Falcon LogScale Collector window. On the Fleet overview tab, confirm that your Falcon LogScale Collector is now available.
  4. On the Config overview tab, click + New config.
  5. Enter a name for the configuration and select Empty config.
  6. Click Create new.
    The Draft editor appears.
  7. Edit the config based on your environment.

The following is an example of a basic config when using the Falcon LogScale Collector with a data connector.

Important: This example includes the default listening port of the Falcon LogScale Collector. If you use this port, make sure other services are not listening on port 514. If you add additional sources, each source must have a distinct port. Before saving your config, check your local firewall to confirm that the configured port is not blocked and your traffic allowlist includes the Falcon LogScale Collector.

# Example config using default listening port 514
sources:
  syslog_udp_514:
    type: syslog
    mode: udp
    port: 514
    sink: ngsiem
sinks:
  ngsiem:
    type: hec
    proxy: none
    token: <API_key_generated_during_data_connector_setup>
    url: <API_URL_generated_during_data_connector_setup>

  8. On the Fleet overview tab, assign the config you created to the instance of the Falcon LogScale Collector you installed.

Tip: If you need to associate a config file with multiple instances of the Falcon LogScale Collector, you can create Groups in Fleet Management.

  9. In the row of the Falcon LogScale Collector you installed, click the Open menu and select Extend config.
    The Extend configuration window appears.
  10. Select the config you created.
  11. Click Save.
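A pre-flight check for the collector config, added here as an example and not part of the guide or of the Falcon LogScale Collector tooling: it parses the nested key/value YAML subset the config uses (a minimal parser written for this example and assumed sufficient for configs shaped like the one above) and reports a source whose sink is not defined, two sources sharing a listening port, and token/url placeholders that were never replaced with the values generated during data connector setup.

```python
import re
# Constructed sample mirroring the guide's example; <...> placeholders left in on purpose.
SAMPLE_CONFIG = """\
sources:
  syslog_udp_514:
    type: syslog
    mode: udp
    port: 514
    sink: ngsiem
sinks:
  ngsiem:
    type: hec
    proxy: none
    token: <API_key_generated_during_data_connector_setup>
    url: <API_URL_generated_during_data_connector_setup>
"""

def parse_block_yaml(text):
    """Parse the nested key/value YAML subset collector configs use (no lists)."""
    stack = [(-1, {})]  # (indent level, mapping being filled); stack[0] is the root
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        indent = len(raw) - len(raw.lstrip())
        key, _, value = [s.strip() for s in raw.strip().partition(":")]
        while indent <= stack[-1][0]:
            stack.pop()  # dedent: return to the enclosing mapping
        parent = stack[-1][1]
        parent[key] = value or {}  # scalar leaf, or a new nested mapping
        if not value:
            stack.append((indent, parent[key]))
    return stack[0][1]

def validate_collector_config(text):
    """Return the list of problems found; an empty list means the config is OK."""
    cfg = parse_block_yaml(text)
    sources, sinks = cfg.get("sources", {}), cfg.get("sinks", {})
    problems, port_owner = [], {}
    for name, src in sources.items():
        if src.get("sink") not in sinks:  # sink: must name an entry under sinks:
            problems.append(f"source {name}: sink '{src.get('sink')}' is not defined")
        port = src.get("port")  # guide: each source needs a distinct port
        if port in port_owner:
            problems.append(f"source {name}: port {port} already used by {port_owner[port]}")
        port_owner.setdefault(port, name)
    for name, sink in sinks.items():
        for field in ("token", "url"):  # values copied from the data connector setup
            if re.fullmatch(r"<.*>", sink.get(field, "")):
                problems.append(f"sink {name}: {field} placeholder not replaced")
    return problems
```

Run it against the draft before assigning the config in Fleet Management; the checks cover only the constraints the guide states, not the full collector schema.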

  

Configure AM

Perform these steps to configure AM.

Procedure

  1. Log in to the AM Security Console.
  2. Go to Setup > System Settings.
  3. Click Logging.
  4. Select an instance.
  5. Click Next.
  6. Configure the Log Levels:
    1. Trace Log: Select Information.
    2. Administrative Audit Log: Select Success.
    3. Runtime Audit Log: Select Success.
    4. System Log: Select Success.
  7. Configure the Log Data Destinations:
    1. For Administrative Audit Log Data, Runtime Audit Log Data, Trace Log, and System Log Data: Select Save to internal database and remote syslog at the following hostname or IP address.
    2. Enter the IP address of the Falcon LogScale Collector for each destination.

Note: If you update the IP address or hostname for a remote syslog server, you must restart AM services to apply the change.

  8. (Optional) To apply these settings to replica instances, select Apply the above settings to the replica instance(s) upon save.
  9. Click Save.
  10. After saving the configuration, restart the AM services:
    1. Log in to the appliance operating system as rsaadmin.
    2. Navigate to the server directory:

       cd /opt/rsa/am/server

    3. Restart all services:

       ./rsaserv restart all

 

Verify Data Ingestion

Perform these steps to verify that data ingestion is successful.

Procedure

Important: Wait at least 15 minutes after setup before verifying data ingestion, so that initial event data can be generated. Search results appear only after an applicable event occurs. Events whose timestamps fall outside the retention period are not visible in search. If you do not see raw data after 15 minutes, the product may need more time.

Verify that data is being ingested and appears in Next-Gen SIEM search results:

  1. In the Falcon console, go to Data connectors > Data connectors > Data connections.
  2. In the Status column, verify that the data connection status is Active.
  3. In the Actions column, click the Open menu and select Show events to see all events related to this data connection in Advanced Event Search. Confirm that at least one match is generated.

If you need to manually verify data ingestion, run this query and confirm that at least one match is generated:

#Vendor="rsa" | #event.module="authenticationmanager"