Configuring CrowdStrike HEC
The CrowdStrike HTTP Event Collector (HEC) allows you to stream logs from Kolide directly into your CrowdStrike instance in a format suitable for ingestion.
CrowdStrike Prerequisites
Before you get started, you will need to enable HEC and generate an HEC token.
- Log in to CrowdStrike and navigate to Data Sources
- In the list of data sources, click “1Password Device Trust for CrowdStrike Falcon Next-Gen SIEM”. You may need to search for it in the top right corner.
- On the “Add new connector” screen:
  - Provide a Connector name.
  - Optionally, provide a Description.
  - Accept the terms and conditions.
  - Click Save.
To view existing connectors you can navigate to My Connectors.
The steps to enable HEC may vary based on your CrowdStrike instance. To enable HEC, read CrowdStrike’s documentation.
How to Configure Kolide
From the Log Destinations list view:
- Click Add New Destination
- Click CrowdStrike HEC
- In the configuration modal that appears:
  - Provide a Display Name for your HEC. This will help you differentiate it from your other configured log destinations.
  - Provide the URL endpoint for your CrowdStrike HEC.
  - Provide the secret token for your CrowdStrike HEC.
  - Select the log types this Log Destination should receive.
  - Click Save.
Once you click Save, Kolide will send a test event to your CrowdStrike instance. The event should look like this:
{
  "key": "crowdstrike_kolide_testing",
  "ts": 1723751668,
  "type": "log_destination_test"
}
If your CrowdStrike instance does not respond successfully, you will see an error message informing you of the failure.
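The following script is an added example, not code from Kolide or CrowdStrike. It reproduces, from the administrator's side, the connectivity check Kolide performs when you click Save: it builds an event with the same shape as the test event above, POSTs it to the HEC endpoint, and reports the HTTP status so a rejected token or wrong URL is visible before any real logs are sent. It also includes a small matcher a SOC analyst can run over ingested lines to confirm the test event actually arrived (and to keep it out of alerting). The endpoint URL and token are placeholders, and the assumptions that the collector accepts a JSON body over HTTP POST, that the token travels in an `Authorization: Bearer <token>` header, and that any 2xx status means acceptance are assumptions of this example, not statements from the page.

```python
"""
Added example (not Kolide's or CrowdStrike's code): send a Kolide-style
HEC test event and recognise it on the receiving side.

Assumptions (labelled, not taken from the page):
  - the HEC endpoint accepts a JSON event body via HTTP POST
  - the token is sent as 'Authorization: Bearer <token>'
  - any 2xx response means the event was accepted
HEC_URL and HEC_TOKEN below are placeholders; replace them with your own.
"""
import json
import time
import urllib.error
import urllib.request

HEC_URL = "https://<your-ingest-host>/services/collector"  # placeholder
HEC_TOKEN = "<your-hec-token>"  # placeholder, never hard-code a real token

# Field values taken from the test event shown in the page.
TEST_EVENT_KEY = "crowdstrike_kolide_testing"
TEST_EVENT_TYPE = "log_destination_test"


def build_test_event(ts=None):
    """Return an event shaped like the one Kolide sends after Save.

    `ts` is a Unix timestamp in seconds; defaults to now.
    """
    return {
        "key": TEST_EVENT_KEY,
        "ts": int(time.time() if ts is None else ts),
        "type": TEST_EVENT_TYPE,
    }


def build_request(url, token, event):
    """Build the HTTP request without sending it, so it can be inspected."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {token}",  # assumed header format
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_test_event(url, token, event=None, timeout=10):
    """POST the test event; return (accepted, http_status, response_text).

    http_status is None when no HTTP response was received at all
    (DNS failure, connection refused, TLS error).
    """
    req = build_request(url, token, event or build_test_event())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            text = resp.read().decode("utf-8", "replace")
            return 200 <= resp.status < 300, resp.status, text
    except urllib.error.HTTPError as e:  # server answered with 4xx/5xx
        return False, e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:  # no HTTP response at all
        return False, None, str(e.reason)


def is_kolide_test_event(raw_line):
    """True if a received JSON line is the Kolide log destination test event."""
    try:
        ev = json.loads(raw_line)
    except (TypeError, ValueError):
        return False
    return (
        isinstance(ev, dict)
        and ev.get("key") == TEST_EVENT_KEY
        and ev.get("type") == TEST_EVENT_TYPE
        and isinstance(ev.get("ts"), int)
    )


def count_test_events(lines):
    """Count Kolide test events in a batch of ingested JSON lines."""
    return sum(1 for line in lines if is_kolide_test_event(line))


if __name__ == "__main__":
    # Constructed sample of ingested lines: one test event, one device event,
    # one line of junk. Not real CrowdStrike data.
    sample_lines = [
        '{"key":"crowdstrike_kolide_testing","ts":1723751668,"type":"log_destination_test"}',
        '{"key":"device_failing_check","ts":1723751700,"type":"device_event"}',
        "not json at all",
    ]
    print("test events in sample:", count_test_events(sample_lines))

    accepted, status, detail = send_test_event(HEC_URL, HEC_TOKEN)
    print("accepted:", accepted, "status:", status)
    if not accepted:
        print("collector did not accept the event:", detail[:200])
```

Run it once with your real endpoint and token before saving the destination in Kolide: a `False` with status 401 or 403 points at the token, a `None` status points at the URL or network path, and a `True` means the same event Kolide will send is being accepted.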