SumoLogic · JV0812 · Sep 20, 2024 · Sep 24, 2024
@@ -182,101 +182,9 @@ _sourceCategory=*Crowdstrike*  UserActivityAuditEvent
 ```
 
 
-## Collecting logs for the CrowdStrike app
+## Set up collection
 
-This section shows you how to configure log collection from CrowdStrike Falcon Endpoint Protection and have them sent to Sumo Logic. CrowdStrike Falcon Endpoint Protection provides endpoint detection and response, next-gen antivirus, and threat intelligence services through the cloud. Multiple security functions are consolidated into a single lightweight agent, for visibility across using central security analytics with Sumo Logic.
-
-:::warning
-The sections below are deprecated for non-FedRAMP Sumo Logic deployments.
-
-If you're using the Sumo Logic FedRAMP deployment, use the sections below to configure the collection for this app.
-
-If you are not using the Sumo Logic FedRAMP deployment, use the [Cloud-to-Cloud Integration for Crowdstrike](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source) to collect logs from CrowdStrike Falcon Endpoint Protection. This allows you to create the source and use the same source category while installing the app.
-:::
-
-
-### Collection process overview
-
-SIEMs (Security Information and Event Management) are used to gather data from a variety of security products to detect, investigate, correlate, and remediate security threats. The [Falcon SIEM Connector](https://www.crowdstrike.com/resources/data-sheets/falcon-connector/) provides a fast and efficient way to optimize collection across an extensive number of endpoints.
-
-:::note
-Sumo Logic recommends installing the SIEM Connector and Sumo Logic Collector on the same machine for best performance.
-:::
-
-To set up log collection for CrowdStrike Falcon, you'll download, install, and configure the CrowdStrike SIEM Connector to send data to Sumo Logic, through performing the following tasks.
-
-
-#### Data collection flow
-
-The following graphic illustrates the Sumo Logic collection of CrowdStrike streaming API events using a SIEM Connector.
-
-
-### Prerequisites
-
-It is important that you complete the following tasks before you start to configure log collection for CrowdStrike Falcon:
-
-* Download the SIEM Connector guide, familiarize yourself with [SIEM Connector](https://falcon.crowdstrike.com/support/documentation/14/siem-connector) and its config settings.
-* [Contact CrowdStrike support](https://supportportal.crowdstrike.com/) to enable the streaming APIs in your environment. You must do this before using the SIEM connector.
-
-
-### Step 1. Download and install CrowdStrike SIEM Connector on a host machine
-
-You perform this procedure from the Falcon console. You must have permission to be able to download and install from Falcon to complete this task.
-
-To install a CrowdStrike SIEM Connector on a host machine, do the following:
-1. Login to your Falcon console and go to [Support > Tool Downloads](https://falcon.crowdstrike.com/support/tool-downloads).
-2. Download the **SIEM Connector** installer for your operating system.
-3. Open a terminal window.
-4. Run the following installation command appropriate for your OS, replacing the `<installer package>` variable with the SIEM installer you downloaded:
-* **CentOS**: `sudo rpm -Uvh <installer package>`
-* **Ubuntu**: `sudo dpkg -i <installer package>`
-
-
-### Step 2. Configure CrowdStrike SIEM Connector
-
-This SIEM connector will stream events data from CrowdStrike Falcon Cloud in JSON format into a local file (output). The default location of the **output** file is `/var/log/crowdstrike/falconhoseclient/output`.
-
-To configure CrowdStrike SIEM Connector, do the following:
-
-1. In the Falcon console go to [Support > API Clients & Keys](https://falcon.crowdstrike.com/support/api-clients-and-keys).
-2. [Create an API client](https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction#auth_apiclient) to use with the SIEM connector, and record its API client ID and API client secret. In the the **Edit API client** dialog, ONLY select the **Event streams** option, and then click **Save**.
-   1. Open the **/opt/crowdstrike/etc/cs.falconhoseclient.cfg** file in a text editor.
-   2. Edit the following lines in the **cs.falconhoseclient.cfg** file:
-   * Change **app_id** to **SIEM-Connector.**
-   * **client_id** - Add your recorded API Client ID
-   * **client_secret** - Add your recorded API Client Secret
-   * Make sure **output_format** is set to **json**
-   * For **EventTypeCollection** section - Enable all events:
-     * DetectionSummaryEvent = true
-     * AuthActivityAuditEvent = true
-     * UserActivityAuditEvent = true
-     * HashSpreadingEvent = true
-     * RemoteResponseSessionStartEvent = true
-     * RemoteResponseSessionEndEvent = true
-   3. Save your changes.
-   4. Restart the SIEM Connector, as appropriate for your OS:
-     * **CentOS:** `sudo service cs.falconhoseclientd start`
-     * **Ubuntu 14.x:** `sudo start cs.falconhoseclientd`
-     * **Ubuntu 16.4:** `sudo systemctl start cs.falconhoseclientd.service`
-
-
-### Step 3. Set up a Sumo Logic installed collector and local file source
-
-You setup a Sumo Logic installed collector on the same host as the SIEM Connector. Then, set up a local file source on the installed collector to read the output file from [Step 2](#step-2-configure-crowdstrike-siem-connector) and send CrowdStrike Falcon Events to Sumo Logic.
-
-To set up an installed collector and local file source, do the following:
-
-1. Install a Sumo Logic collector on the same host as the SIEM Connector. Follow the instructions for your operating system as described in [Installed Collectors](/docs/send-data/installed-collectors).
-2. Add a local file source to the collector for Streaming API Events. Follow the steps on [Local File Source](/docs/send-data/installed-collectors/sources/local-file-source), with these additional changes:
-* Set the **Filepath** to: `/var/log/crowdstrike/falconhoseclient/output`
-* Set the **Source Category** to: `crowdstrike/falcon`
-* Under **Enable Multiline Processing**, check  **Boundary Regex**  and enter the following regex: `^\{.*`.
-3. Click **Save**.
-
-
-:::info
-For more information about the CrowdStrike Falcon SIEM Connector, see the CrowdStrike documentation, or contact CrowdStrike Customer Support at [[email protected]](mailto:[email protected]).
-:::
+To set up [Cloud-to-Cloud Integration CrowdStrike Falcon Endpoint Protection Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source) for the CrowdStrike Falcon Endpoint Protection app, follow the instructions provided. These instructions will guide you through the process of creating a source using the CrowdStrike Falcon Endpoint Protection source category, which you will need to use when installing the app. By following these steps, you can ensure that your CrowdStrike Falcon Endpoint Protection app is properly integrated and configured to collect and analyze your CrowdStrike Falcon Endpoint Protection data.
 
 ## Installing the CrowdStrike Falcon Endpoint Protection app
 
@@ -365,4 +273,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>