Configuring CrowdStrike HEC

Before you begin:
Please review our Log Pipeline documentation about Log Destinations if you have not already.

The CrowdStrike HTTP Event Collector allows you to easily stream logs from Kolide directly into your CrowdStrike instance in a format suitable for ingestion.

CrowdStrike Prerequisites

Before you get started, you will need to enable HEC and generate an HEC token.

  1. Log in to CrowdStrike and navigate to Data Connectors.

  2. In the list of data sources, search for “hec” in the top right search bar.

  3. Click on HEC/HTTP Event Connector.

On the “Add new connector” screen:

  1. Provide a Data source. This is a name for where the data is coming from.

  2. Select JSON for Data type.

  3. Provide a Connector name.

  4. Optionally, provide a Description.

  5. Select 1password-devicetrust as the Parser.

  6. Accept the terms and conditions.

  7. Click Save.

To view existing connectors you can navigate to My Connectors.

The steps to enable HEC may vary based on your CrowdStrike instance. To enable HEC, read CrowdStrike’s documentation.

How to Configure Kolide

From the Log Destinations list view:

  1. Click Add New Destination
  2. Click CrowdStrike HEC

In the configuration modal that appears:

  1. Provide a Display Name for your HEC. This will help you differentiate it from your other configured log destinations.

  2. Provide the URL endpoint for your CrowdStrike HEC.

  3. Provide the secret token for your CrowdStrike HEC. Anyone holding this token can write events into your connector, so paste it only into Kolide, do not store it elsewhere, and rotate it in CrowdStrike if it is ever exposed.

  4. Select the log types this Log Destination should receive.

  5. Click Save

Once you click Save, Kolide will send a test event to your CrowdStrike instance. The event should look like this:

{
  "key": "crowdstrike_kolide_testing",
  "ts": 1723751668,
  "type": "log_destination_test"
}

If your CrowdStrike instance does not respond successfully, you will see an error message informing you of the failure.
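If the Save step fails, it helps to know whether the endpoint URL and token are wrong or whether the problem is elsewhere. The following pre-flight check is an added example, not Kolide or CrowdStrike code: it posts an event of the same shape as Kolide's test event straight to the HEC URL and turns the HTTP response into an operator-readable verdict. It assumes that the connector accepts one JSON object per POST body and authenticates with an `Authorization: Bearer <token>` header, and it takes the URL and token from the `HEC_URL` and `HEC_TOKEN` environment variables (both names chosen here for illustration). It also catches two settings mistakes before anything is sent: a non-HTTPS URL (the token would travel in clear text) and a token with stray whitespace from copy-and-paste.

```python
"""Pre-flight check for a CrowdStrike HEC endpoint (added example).

Not Kolide or CrowdStrike code. Assumptions: the collector accepts a JSON
object per POST and authenticates with "Authorization: Bearer <token>".
"""
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse


def build_test_event(ts=None):
    """Return an event shaped like Kolide's log-destination test event."""
    return {
        "key": "crowdstrike_kolide_testing",
        "ts": int(ts if ts is not None else time.time()),
        "type": "log_destination_test",
    }


def validate_hec_settings(url, token):
    """Return a list of problems with the URL/token; empty means they look sane."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("HEC URL must use https; the token travels in a header")
    if not parsed.netloc:
        problems.append("HEC URL has no host")
    if not token or token.strip() != token:
        problems.append("HEC token is empty or has surrounding whitespace")
    return problems


def classify_response(status, body):
    """Map the collector's HTTP status to a verdict the operator can act on."""
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "rejected: token invalid or not authorized for this connector"
    if status == 404:
        return "rejected: endpoint path not found; re-check the connector URL"
    if status == 400:
        return f"rejected: collector could not parse the event ({body[:120]!r})"
    return f"failed: HTTP {status}"


def send_test_event(url, token, opener=urllib.request.urlopen, event=None):
    """POST a test event to the HEC and return a verdict string.

    `opener` is injectable so the function can be exercised without a network.
    """
    problems = validate_hec_settings(url, token)
    if problems:
        return "invalid settings: " + "; ".join(problems)
    payload = json.dumps(event or build_test_event()).encode()
    req = urllib.request.Request(
        url,
        data=payload,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",  # assumed header format
        },
    )
    try:
        with opener(req, timeout=10) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode(errors="replace"))
    except urllib.error.URLError as e:
        return f"failed: could not reach collector ({e.reason})"


if __name__ == "__main__":
    # Usage: HEC_URL=https://... HEC_TOKEN=... python hec_preflight.py
    print(send_test_event(os.environ.get("HEC_URL", ""), os.environ.get("HEC_TOKEN", "")))
```

Run it with the same URL and token you intend to paste into the Kolide modal; an `ok` verdict means any remaining failure is on the Kolide side, while a 401/403 points at the token and a 404 at the URL. After a successful run, the event should also be visible in CrowdStrike under the connector you created, which confirms the parser selection as well.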