Canary supports outgoing Webhooks from your Console to an endpoint of your choice. This event-driven approach ensures that alerts are sent to you as they happen!
In this guide, we’ll send data to your CrowdStrike Next-Gen SIEM instance, using a Thinkst Canary Generic Webhook.
Step 1: Create and Configure the CrowdStrike Data Connection Parser
Within CrowdStrike, navigate to Next-Gen SIEM -> Log Management -> Data onboarding (e.g. https://falcon.us-2.crowdstrike.com/data-connectors/connections).
The URL scheme may differ depending on your CrowdStrike tenant region.
Select "Parsers" and click on "Add new parser":
Give the parser a name (e.g. Canary_Parser) and specify `parseJson()` within the parser script:
Step 2: Create and Configure the CrowdStrike Data Connection
Within CrowdStrike, navigate to Next-Gen SIEM -> Log Management -> Data onboarding (e.g. https://falcon.us-2.crowdstrike.com/data-connectors/connections).
Select "Data connections" and click "Add connection"
Search for "hec" and click "configure"
Next up, we need to specify the following parameters within the data connector:
- Data details
  - Data source - Canary Management Console
  - Data type - JSON
- Connector details
  - Connector name - Canary Management Console
- Parser details
  - Parser - the parser created in Step 1
Fill in the parameters and click "save"
Once the connector is built, you need to click "Generate API key"
Take note of the API key and API URL. We'll use these values to configure our Canary Generic Webhook.
Step 3: Create a webhook on your Canary Console to send data to CrowdStrike
Add the API URL from Step 2 to the Webhook URL and append "/raw" to the end of it.
Next, click on "Add Header" to add the following custom request header:
Authorization: Bearer <YOUR_API_KEY>
The API Key would have been generated from Step 2 and your configuration should match the below:
Within CrowdStrike, navigate to Next-Gen SIEM -> Advanced event search and observe the ingested alerts:
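Before pointing the Canary Console at the connector, it is worth confirming that the API URL and API key from Step 2 accept a JSON event. The script below is an added example (not Canary's or CrowdStrike's code) that builds the request the way Step 3 describes: the API URL with "/raw" appended and an `Authorization: Bearer` header. The API URL, API key and alert fields are placeholders; the sample event is constructed and does not follow the Canary alert schema.

```python
"""Send a constructed test event to a CrowdStrike HEC "raw" endpoint.

Added example for the Canary -> CrowdStrike guide; the URL, key and event
fields are placeholders, not values from either product.
"""
import json
import urllib.error
import urllib.request


def hec_raw_url(api_url: str) -> str:
    """Return the API URL with the "/raw" suffix from Step 3, added only once."""
    base = api_url.rstrip("/")
    return base if base.endswith("/raw") else base + "/raw"


def validate_api_key(api_key: str) -> bool:
    """A usable bearer token is a single non-empty string without whitespace."""
    return bool(api_key) and not any(c.isspace() for c in api_key)


def build_request(api_url: str, api_key: str, event: dict) -> tuple[str, dict, bytes]:
    """Prepare URL, headers and body exactly as the webhook would send them."""
    if not validate_api_key(api_key):
        raise ValueError("API key must be a single non-empty token")
    headers = {
        "Authorization": f"Bearer {api_key}",  # custom header from Step 3
        "Content-Type": "application/json",    # matches the JSON data type from Step 2
    }
    return hec_raw_url(api_url), headers, json.dumps(event).encode("utf-8")


def send_test_event(api_url: str, api_key: str, event: dict, timeout: float = 10.0) -> int:
    """POST the event and return the HTTP status; 2xx means the connector accepted it."""
    url, headers, body = build_request(api_url, api_key, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # e.g. 401 when the bearer token is wrong
        return exc.code


# Constructed sample event with placeholder field names (not a real Canary alert).
SAMPLE_EVENT = {
    "source": "canary-webhook-test",
    "description": "Test event from the Canary webhook setup guide",
    "severity": "info",
}

if __name__ == "__main__":
    # Placeholders: replace with the API URL and API key generated in Step 2.
    print(send_test_event("https://<API_URL_FROM_STEP_2>", "<YOUR_API_KEY>", SAMPLE_EVENT))
```

A 401 or 403 status points at the Authorization header; a 404 usually means the "/raw" suffix or the API URL is wrong.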