This guide covers how to set up CrowdStrike Falcon Next-Gen SIEM with Workbench.
Prerequisites
- You must have admin access in Workbench to set up this integration.
- You must have one or more of the following CrowdStrike subscriptions:
  - Falcon Next-Gen SIEM 10GB
    - Falcon Next-Gen SIEM 10GB with 7 days of data retention is included.
  - Falcon Next-Gen SIEM, or Falcon Complete powered by Next-Gen SIEM
    - Includes additional third-party data ingestion and data retention capabilities.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Step 1: Enable API Access for Expel
- Step 2: Add CrowdStrike Falcon Next-Gen SIEM as a Security Device in Workbench
Step 1: Enable API Access for Expel
First, create API client credentials in CrowdStrike; you will provide them in Workbench in Step 2.
- Log in to CrowdStrike Falcon.
- Using the top-left menu, navigate to Support and resources > Resources and tools > API clients and keys.
- Select Create API client.
- Configure the API client as follows:
  - Client Name - enter "Expel".
  - Description - enter "Expel API access".
  - Grant the following required permissions for these scopes:
    - Alerts
      - Read
      - Read and Write (required for Falcon Status Syncing)
    - Correlation Rules
      - Read
    - NGSIEM
      - Read and Write
- Select Create.
- A confirmation screen displays, stating that your API client has been created. Be sure to copy your Client ID, Secret, and Base URL to a safe place before closing the window, as you will need these in the next section.
Step 2: Add CrowdStrike Falcon Next-Gen SIEM as a Security Device in Workbench
Now that you have the API client credentials, you can add and configure the CrowdStrike Falcon Next-Gen SIEM integration in Expel Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “CrowdStrike” and then select the CrowdStrike Falcon Next-Gen SIEM integration.
- A configuration pane displays. Complete the fields as follows:
  - Name - enter a name that helps you identify this integration, such as “CompanyName CrowdStrike NGSIEM”; this name displays in Workbench under the Name column and is a text string that you can filter on.
  - Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
  - Client ID - enter the Client ID you saved in Step 1.
  - Client secret - enter the Secret you saved in Step 1.
  - CrowdStrike API address - select the Base URL you saved in Step 1.
  - Repository (optional) - enter the name of the repository that you want Expel to search.
- Select Save.
- On the console access screen, select No thanks, I will not provide console access from the dropdown.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
  - After your connection is healthy, it will take some time for your device to begin polling and receiving data.
  - To check on the status, select the downward arrow for your device in the first column and choose View details.
  - Polling will happen first; data will be received after that. You must refresh the page to see updates.
  - If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
- To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.