How to Integrate Dell Trusted Device Data into CrowdStrike Next-Gen SIEM

Affected Products:

• Dell Trusted Device
• CrowdStrike

Dell Trusted Device collects telemetry data from below the operating system, providing valuable insights for various actionable tasks. By uploading this telemetry to CrowdStrike Next-Gen SIEM, IT professionals can enhance their ability to detect and respond to advanced threats. This integration offers a comprehensive view of device health and security, enabling more effective monitoring and incident response. The following sections guide you through the complete setup process, which should be followed in the order presented.

Table of Contents

• Prerequisites
• Confirm Dell Trusted Device Installation
• Log in to CrowdStrike Falcon
• Configure and activate the HEC/HTTP data connector in CrowdStrike
• Configure the data shipper
• Installing the LogScale Collector

Prerequisites

• CrowdStrike Falcon Next-Gen SIEM

Back to Top

Confirm Dell Trusted Device Installation

Dell Trusted Device must be installed and generating telemetry. These articles help you download and install Dell Trusted Device if needed.

• How to Download Dell Trusted Device
• How to Install Dell Trusted Device

Back to Top

Log in to CrowdStrike Falcon

1. In a Google Chrome or Microsoft Edge browser, go to your Falcon console login URL.
   • Falcon US-1: https://falcon.crowdstrike.com/login/
   • Falcon US-2: https://falcon.us-2.crowdstrike.com/login/
   • Falcon EU-1: https://falcon.eu-1.crowdstrike.com/login/
   • Falcon US-GOV-1: https://falcon.laggar.gcw.crowdstrike.com/login/
2. Log In to the Falcon Console.
   

Back to Top

Configure and activate the HEC/HTTP data connector in CrowdStrike

1. In the left menu pane, Click Next-Gen SIEM and then select Data onboarding.
   
2. In the Connections section, click + Add connection.
   
3. Click Filter by connector name and enter HEC/HTTP Event Connector, then click Apply.
   
   Note: Alternatively, you can browse all connectors and locate HEC/HTTP manually.
4. Click HEC/HTTP Event Connector.
   
5. On the New connection pane, click Configure.
   
6. On the Add new connector page enter the information below, click the checkbox to accept the Terms and Conditions, and click Create connection.
   • Data Source: Customer Created
   • Connector Name: Customer Created
   • Description (Optional): Customer Created
   • Parsers: dell-trusteddevice (Dell Trusted Device)
   
7. On the Connector setup in progress dialog, click Close.
   
8. Click Data connections on the upper left.
   
   Note: Alternatively, you can repeat Step 3 to return to the same area.
9. On the Data Onboarding page, locate the data connection created in Configure and activate the HEC/HTTP data connector in CrowdStrike (Step 6 from above), and select the Connection name.
   
10. Click Generate API key to generate a new API key.
    
    Note: The API key is only displayed once. Copy it and store it safely for use in a future step.
11. Once you have your API key documented, click Close.
    
    Note: If you must regenerate the API key, you can repeat Step 11 and use the Regenerate API Key button from the upper right.
    

Back to Top

Configure the data shipper

1. In the left menu pane, Click Next-Gen SIEM and then select Data onboarding.
   
2. From the Data onboarding page, click Fleet management.
   
3. From the Fleet management page, click Config overview.
   
4. On the Config overview page, click + New config
   
5. In the New Config dialog, enter a Name, select Empty config, then click Create new.
   
6. In the Draft editor, enter the information below. For the Token and URL values, refer to Configure and activate the HEC/HTTP data connector in CrowdStrike (Step 13).

   //unformattedcode
   Example config using default listening port 514
    
   sources:
     windowsEvents:
       type: wineventlog
       sink: logscaleSink
       channels:
         - name: "Dell Trusted Device"
         - name: Dell
   sinks:
     ngsiem:
       type: hec
       proxy: none
       token: <API_key_generated_during_data_connector_setup>
       url: <API_URL_generated_during_data_connector_setup>
   //unformattedcode
   

7. Once you have the information entered from Step 6 click Save, and then click Publish.
   
8. From Fleet management, click Enrollment tokens.
   
9. Click + New token.
   
10. On the new Enrollment token dialog provide a token name, using the assigned config picklist select the configuration name from Step 5, then click Create token.
    

Back to Top

Installing the LogScale Collector

1. In the left menu pane, Click Next-Gen SIEM and then select Data onboarding.
   
2. From the Data onboarding page, click Fleet management.
   
3. Click Get LogScale Collector.
   
4. On the Get Falcon LogScale Collector dialog click Windows, in the Select an enrollment token picklist pick the token created during Configure the data shipper (Step 10), then click the Copy button.
   
5. In Windows Right the Start Button and select Terminal (Admin).
   
   Note: Click Yes if prompted for Windows User Account Control.
6. In the Terminal window paste the command copied from Configure the data shipper (step 6) and press Enter.
   
7. Once the command successfully completes, you see a "Bootstrap complete" message like below.
   

Back to Top