# CrowdStrike to SIEM alerts and ruling

##### **Introduction**

This guide explains how to forward security alerts from CrowdStrike Falcon to your Security Information and Event Management (SIEM) system, and how to build the rules that filter and correlate those alerts once they arrive (the "ruling" in the title). Done properly, this shortens the time to detect a threat and cuts the volume of alerts an analyst has to read.

##### **What You Need Before Starting**

- CrowdStrike Falcon account with admin access
- API Client credentials from CrowdStrike
- Access to your SIEM (Splunk, QRadar, ArcSight, etc.)
- Ability to install/configure software (Windows/Linux)
- Basic knowledge of logs and syslog is helpful but not required

##### <span style="color: rgb(53, 152, 219);">**Step 1: Create an API Client in CrowdStrike Falcon**</span>

1. Log in to the CrowdStrike Falcon Console at [https://falcon.crowdstrike.com/login/](https://falcon.crowdstrike.com/login/ "CrowdStrike")
2. Go to **Support → API Clients and Keys**
3. Click **Add new API client**
4. Give the client a name like “SIEM Integration”
5. Select only the API scopes the integration needs (least privilege; do not grant write scopes to a read-only forwarder):
    - **Event streams: Read**
    - **Detections: Read**
6. Save the client and record the **Client ID** and **Client Secret**. The secret is displayed only at creation time; store it in your secrets manager, not in a ticket, wiki page or chat message. If it is lost, regenerate it from the same screen and update the connector.

##### <span style="color: rgb(53, 152, 219);">**Step 2: Choose Your Integration Method**</span>

There are three main ways to forward CrowdStrike data to your SIEM:

- **Falcon SIEM Connector** — easiest for most users; it consumes the Falcon event stream for you and writes events to a file or forwards them via syslog
- **Falcon Streaming API (Event Streams)** — the same near-real-time feed the connector reads, for teams that want to write their own consumer or ship into a SIEM that has no syslog input
- **Falcon Data Replicator (FDR)** — bulk export of raw sensor telemetry into an AWS S3 bucket; suited to data lakes and retrospective hunting, not to low-latency alerting

The rest of this guide follows the SIEM Connector path.
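If you take the Streaming API route instead of the connector, the consumer below shows the full exchange: exchange the API client credentials for a bearer token, discover a stream partition, open the feed with the session token, and checkpoint the offset so a restart resumes instead of replaying. This is an added example, not CrowdStrike's code or the SIEM Connector; it uses only the Python standard library against the public Falcon OAuth2 and `datafeed/v2` endpoints. The US-1 base URL, the `APP_ID` value, the checkpoint file name and the environment-variable names are assumptions; the inclusive-offset resume rule is also an assumption to confirm against your stream.

```python
"""Falcon Event Streams consumer (added example; not CrowdStrike's own code)."""
import json
import os
import threading
import time
import urllib.parse
import urllib.request

FALCON_BASE = "https://api.crowdstrike.com"   # assumption: US-1 cloud; change for EU-1/US-2/GOV
APP_ID = "siemint01"                           # assumption: short alphanumeric id, unique per consumer
OFFSET_FILE = "falcon_offset.txt"             # assumption: checkpoint file so restarts resume


def get_token(client_id, client_secret, base=FALCON_BASE):
    """OAuth2 client-credentials grant; the bearer token is short-lived."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"{base}/oauth2/token", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def discover_stream(token, app_id=APP_ID, base=FALCON_BASE):
    """Ask Falcon which partition(s) this appId may read."""
    req = urllib.request.Request(f"{base}/sensors/entities/datafeed/v2?appId={app_id}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_discovery(json.load(resp))


def parse_discovery(doc):
    """Pull what a consumer needs from the datafeed/v2 response (first partition only)."""
    res = doc["resources"][0]
    return {"feed_url": res["dataFeedURL"],
            "session_token": res["sessionToken"]["token"],
            "refresh_url": res["refreshActiveSessionURL"],
            "refresh_interval": int(res.get("refreshActiveSessionInterval", 1800))}


def parse_stream_line(raw):
    """One stream line -> (offset, eventType, event); None for keep-alive blank lines."""
    line = raw.strip()
    if not line:
        return None
    rec = json.loads(line)
    return rec["metadata"]["offset"], rec["metadata"]["eventType"], rec["event"]


def load_offset(path=OFFSET_FILE):
    """Last committed offset, or 0 when no checkpoint exists yet."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0


def save_offset(offset, path=OFFSET_FILE):
    """Write the checkpoint atomically so a crash mid-write cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(offset))
    os.replace(tmp, path)


def keep_session_alive(refresh_url, token_fn, interval):
    """A stream session expires unless refreshed; re-fetch the bearer token each time."""
    def loop():
        while True:
            time.sleep(max(interval - 300, 60))
            req = urllib.request.Request(refresh_url, method="POST",
                                         headers={"Authorization": f"Bearer {token_fn()}"})
            urllib.request.urlopen(req, timeout=30).close()
    threading.Thread(target=loop, daemon=True).start()


def consume(stream, start_offset, handle):
    """Read the feed from start_offset, hand each event to handle(), checkpoint as we go."""
    url = f"{stream['feed_url']}&offset={start_offset}"
    req = urllib.request.Request(url, headers={"Authorization": f"Token {stream['session_token']}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        for raw in resp:
            parsed = parse_stream_line(raw.decode("utf-8"))
            if parsed is None:
                continue
            offset, etype, event = parsed
            handle(etype, event)
            save_offset(offset + 1)   # assumption: offsets are inclusive, so resume after this one


if __name__ == "__main__":
    creds = (os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    stream = discover_stream(get_token(*creds))
    keep_session_alive(stream["refresh_url"], lambda: get_token(*creds), stream["refresh_interval"])
    consume(stream, load_offset(), lambda et, ev: print(et, json.dumps(ev)[:200]))
```

The checkpoint is the part people skip and regret: without it, every restart either replays the whole retained stream into the SIEM or silently skips the events that arrived while the consumer was down. Treat a feed that has produced no lines at all for longer than the refresh interval as a failure, not as a quiet network.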

##### <span style="color: rgb(53, 152, 219);">**Step 3: Download and Install Falcon SIEM Connector**</span>

**For Windows**

1. Download the SIEM Connector installer from CrowdStrike Support or Falcon Portal
2. Run the installer .exe file
3. Follow the installation wizard to complete setup

**For Linux**

1. Download the SIEM Connector package (.tar.gz)
2. Extract the package and run the install script:

```bash
tar -xzf crowdstrike-siem-connector.tar.gz
cd crowdstrike-siem-connector
sudo ./install.sh
```
    
    [![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/gVgtzDUz9QdyCS0V-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/gVgtzDUz9QdyCS0V-image.png)

##### <span style="color: rgb(53, 152, 219);">**Step 4: Configure the SIEM Connector**</span>

1\. Open the connector configuration file in a text editor:

- Windows: `C:\Program Files\CrowdStrike\SIEMConnector\config.json`
- Linux: `/etc/crowdstrike-siem/config.json`

(File locations and key names differ between connector releases; if yours does not match, use the README shipped with the package you installed.)

2\. Add your CrowdStrike API credentials and your SIEM server info. Example config:

```json
{
  "falcon_api": {
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  },
  "output": {
    "format": "json",
    "destination": "syslog://your.siem.server:514"
  }
}
```

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/Y06bIdU8Y8Mul9KP-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/Y06bIdU8Y8Mul9KP-image.png)

3\. Save the file and lock down who can read it, because it holds the client secret in clear text. On Linux make it owned by the service account with mode 0600 (`sudo chmod 600 /etc/crowdstrike-siem/config.json`); on Windows restrict the NTFS ACL to SYSTEM, Administrators and the service account. Note that `syslog://host:514` is plain, unencrypted UDP on most collectors; for production use a TCP/TLS destination (see Step 8).

##### <span style="color: rgb(53, 152, 219);">**Step 5: Start the SIEM Connector Service**</span>

**Windows**:  
Open Command Prompt as Administrator and run:

```cmd
net start CrowdStrikeSIEMConnector
```

**Linux**:  
Run the following commands (the second makes the service start on boot):

```bash
sudo systemctl start crowdstrike-siem
sudo systemctl enable crowdstrike-siem
```

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/By053HZDN73zseh6-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/By053HZDN73zseh6-image.png)

##### <span style="color: rgb(53, 152, 219);">**Step 6: Verify Data Flow**</span>

Check the connector logs to make sure it is running without errors:

- Windows: logs are usually under `C:\Program Files\CrowdStrike\SIEMConnector\logs\`
- Linux: check the service state and follow the log:

```bash
sudo systemctl status crowdstrike-siem
tail -f /var/log/crowdstrike-siem.log
```

A clean log with no events is not proof of success: the connector can authenticate and then sit on an idle stream. Trigger a harmless test detection on an endpoint (for example, a Falcon test file or a benign detection on a lab host) and confirm the matching event appears in your SIEM within a minute or two. In the SIEM, search for CrowdStrike events and verify that timestamps are current and that the fields your rules will depend on (host name, detection name, severity) are parsed into fields rather than left inside a raw message string.

##### <span style="color: rgb(53, 152, 219);">**Step 7: Create Alert Rules and Ruling in SIEM**</span>

Use your SIEM’s alerting and correlation features to build rules that:

- Filter out low-severity or false-positive alerts
- Combine multiple alerts related to the same incident for context
- Alert on high-severity or confirmed threats only

<span style="color: rgb(45, 194, 107);">**Example in Splunk**:</span> the query `index=crowdstrike severity>=high` compares the field against the literal string `high`, which does not express "High or above" and will match inconsistently. Use the fields as they are actually parsed: a Falcon DetectionSummaryEvent carries a numeric `Severity` (4 = High, 5 = Critical) and a `SeverityName` label, so the equivalent is `index=crowdstrike Severity>=4` or `index=crowdstrike SeverityName IN ("High", "Critical")`. Check the field names in your own index first; a custom parser or add-on may rename them.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/CsSiA2PPmVHgn4TZ-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/CsSiA2PPmVHgn4TZ-image.png)
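The three rule types listed above (filter, correlate, alert only on what matters) can be prototyped outside the SIEM, which is useful for testing thresholds against a replayed stream before committing to a vendor rule language. The following is an added example, not part of the original page and not CrowdStrike code: it runs the rules over a handful of constructed stream lines shaped like Falcon `DetectionSummaryEvent` records, merges detections on the same host within a time window into one incident, and renders each incident as an RFC 5424 syslog line. The severity floor, the window length, the suppressed detection name, the `eventCreationTime` metadata field and the syslog facility/severity mapping are all assumptions to tune for your environment.

```python
"""Filter, correlate and emit Falcon detections (added example, not the page's own code)."""
import json
from datetime import datetime, timezone

SEVERITY_FLOOR = 4            # assumption: Falcon Severity 4 = High, 5 = Critical
WINDOW_MS = 10 * 60 * 1000    # assumption: detections on one host within 10 min are one incident
SUPPRESSED_DETECTS = {"Suspicious PowerShell Script"}   # hypothetical tuned-out false positive


def _line(offset, ts_ms, etype, **event):
    """Build one constructed stream line in the metadata + event shape."""
    return json.dumps({"metadata": {"eventType": etype, "offset": offset,
                                    "eventCreationTime": ts_ms}, "event": event})


T0 = 1_718_000_000_000   # constructed base timestamp, epoch milliseconds (2024-06-10T06:13:20Z)
SAMPLE_LINES = [          # constructed sample data, not real telemetry
    _line(101, T0, "DetectionSummaryEvent", ComputerName="WS-042", UserName="alice",
          DetectName="Credential Theft", Severity=5, SeverityName="Critical",
          Tactic="Credential Access", DetectId="ldt:a:1"),
    _line(102, T0 + 120_000, "DetectionSummaryEvent", ComputerName="WS-042", UserName="alice",
          DetectName="Suspicious Process", Severity=4, SeverityName="High",
          Tactic="Execution", DetectId="ldt:a:2"),
    _line(103, T0 + 130_000, "DetectionSummaryEvent", ComputerName="WS-042", UserName="alice",
          DetectName="Adware", Severity=2, SeverityName="Low",
          Tactic="Defense Evasion", DetectId="ldt:a:9"),
    _line(104, T0 + 200_000, "UserActivityAuditEvent", UserId="bob@example.test",
          OperationName="detection_update"),
    _line(105, T0 + 300_000, "DetectionSummaryEvent", ComputerName="LT-007", UserName="carol",
          DetectName="Suspicious PowerShell Script", Severity=4, SeverityName="High",
          Tactic="Execution", DetectId="ldt:b:1"),
    _line(106, T0 + 900_000, "DetectionSummaryEvent", ComputerName="WS-042", UserName="alice",
          DetectName="Lateral Movement", Severity=4, SeverityName="High",
          Tactic="Lateral Movement", DetectId="ldt:a:3"),
]


def parse_detections(lines):
    """Keep only DetectionSummaryEvent records; return (ts_ms, event) sorted by time."""
    out = []
    for raw in lines:
        rec = json.loads(raw)
        meta = rec["metadata"]
        if meta.get("eventType") != "DetectionSummaryEvent":
            continue   # audit, incident and other event types are not alerts
        out.append((meta["eventCreationTime"], rec["event"]))
    out.sort(key=lambda t: t[0])
    return out


def apply_rules(records, floor=SEVERITY_FLOOR, suppressed=SUPPRESSED_DETECTS):
    """Filtering rules: drop anything below the severity floor or on the suppression list."""
    return [(ts, ev) for ts, ev in records
            if ev.get("Severity", 0) >= floor and ev.get("DetectName") not in suppressed]


def correlate(records, window_ms=WINDOW_MS):
    """Merge detections on the same host that arrive within window_ms of the previous one."""
    incidents, open_by_host = [], {}
    for ts, ev in records:
        host = ev.get("ComputerName", "unknown")
        cur = open_by_host.get(host)
        if cur is None or ts - cur["end"] > window_ms:
            cur = {"host": host, "start": ts, "end": ts, "max_severity": 0,
                   "detect_ids": [], "detect_names": [], "tactics": []}
            incidents.append(cur)
            open_by_host[host] = cur
        cur["end"] = ts
        cur["max_severity"] = max(cur["max_severity"], ev.get("Severity", 0))
        cur["detect_ids"].append(ev.get("DetectId"))
        cur["detect_names"].append(ev.get("DetectName"))
        if ev.get("Tactic") not in cur["tactics"]:
            cur["tactics"].append(ev.get("Tactic"))
    return incidents


def to_syslog(inc, hostname="falcon-rules", app_name="falcon-rules"):
    """RFC 5424 line; assumption: facility local0, Critical -> crit(2), High -> err(3)."""
    pri = 16 * 8 + (2 if inc["max_severity"] >= 5 else 3)
    stamp = datetime.fromtimestamp(inc["start"] / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = (f'[falcon host="{inc["host"]}" detections="{len(inc["detect_ids"])}" '
          f'maxSeverity="{inc["max_severity"]}" tactics="{",".join(inc["tactics"])}"]')
    return f"<{pri}>1 {stamp} {hostname} {app_name} - - {sd} " + "; ".join(inc["detect_names"])


def run(lines=SAMPLE_LINES):
    """Whole pipeline: parse -> filter -> correlate; returns the incident list."""
    return correlate(apply_rules(parse_detections(lines)))


if __name__ == "__main__":
    for incident in run():
        print(to_syslog(incident))
```

On the sample data the six detections collapse to two incidents, both on WS-042: a Critical credential-theft detection followed two minutes later by a suspicious process, then a separate lateral-movement detection fifteen minutes on. The Low detection and the suppressed PowerShell one never reach the SIEM. Keep the suppression list short and reviewed; every name on it is a detection nobody will see.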

##### <span style="color: rgb(53, 152, 219);">**Step 8: Best Practices and Tips**</span>

- **Rotate the API client secret** on a schedule and immediately if it may have leaked; keep the client scoped to the read-only permissions from Step 1
- **Forward over TCP with TLS** (syslog over TLS, RFC 5425) rather than UDP on port 514: UDP is unencrypted and silently drops messages under load, so you lose alerts without any error
- Limit forwarded logs to the event types your rules use (detections and incidents before raw audit noise) to avoid SIEM overload and licence cost
- Monitor the connector as a signal source, not just a process: alert when no CrowdStrike events have arrived for longer than your normal gap, because a stalled stream looks identical to a quiet day
- Document every configuration value and every filtering or correlation rule, including why each suppression exists, so the team can review them and remove ones that no longer apply

**Additional Resources:**