How-To: Export your RADIUS Logs to CrowdStrike Falcon

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. This page shows you how to connect your RADIUS logs to CrowdStrike Falcon.

Prerequisites

How To Connect Your RADIUS Service To CrowdStrike Falcon LogScale

  1. Go to your EZRADIUS portal.
  2. Click on Settings.
  3. Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
  4. Select CrowdStrike Falcon LogScale as the SIEM Provider.
  5. In another tab, go to your CrowdStrike Falcon LogScale instance.
  6. Click on the Settings tab.
  7. Select the “Ingest Tokens” menu.
  8. Click on the “Add Token” button.
  9. Enter the token name.
  10. Assign the json parser and click “Create”.
  11. Copy the token and the ingest host name.
  12. Go back to the EZRADIUS tab.
  13. Paste the ingest host name in the “Ingestion Endpoint” field.
  14. Paste the token in the “Ingestion Token” field.
  15. Click the “Test Connection” button. This creates a test log in your SIEM to confirm that EZRADIUS can write to it.
  16. If the connection test is successful, click “Save changes” at the top of the subscription.

How To Create Alerts in CrowdStrike Falcon LogScale to Monitor Your Cloud RADIUS Activity

Using a SIEM enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high criticality event, and closely monitoring medium and low events. Below are sample queries for the Administrator events.

LogType = "EZRadiusAdministrator" and Action = "NotAuthorized"
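The following is an added example, not EZRADIUS or CrowdStrike code: a local check of the sample query's condition against constructed events, useful for confirming what the alert will and will not match before relying on it. Only `LogType`, `Action` and their two values come from this page; the `Actor` field and every other value are hypothetical placeholders.

```python
import json
from collections import Counter

# Field names and values taken from the page's sample query.
ALERT_FILTER = {"LogType": "EZRadiusAdministrator", "Action": "NotAuthorized"}
# Hypothetical field name, used only for grouping; check your own events.
ACTOR_FIELD = "Actor"

# Constructed sample input, one event per line. Not real EZRADIUS output.
SAMPLE_LINES = [
    '{"LogType": "EZRadiusAdministrator", "Action": "NotAuthorized", "Actor": "alice@example.com"}',
    '{"LogType": "EZRadiusAdministrator", "Action": "OtherAction", "Actor": "bob@example.com"}',
    '{"LogType": "OtherLogType", "Action": "NotAuthorized", "Actor": "carol@example.com"}',
    '{"LogType": "EZRadiusAdministrator", "Action": "NotAuthorized", "Actor": "alice@example.com"}',
    '{"LogType": "EZRadiusAdministrator", "Action": "NotAuthorized"}',
    'LogType=EZRadiusAdministrator Action=NotAuthorized',  # not JSON
]

def matches(event, wanted=ALERT_FILTER):
    """True when every filter field is present with exactly that value."""
    return all(event.get(key) == value for key, value in wanted.items())

def scan(lines):
    """Return (hits, unparsed): matching events and the count of lines
    that are not JSON objects, so have no fields for the filter to test."""
    hits, unparsed = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        if not isinstance(event, dict):
            unparsed += 1
        elif matches(event):
            hits.append(event)
    return hits, unparsed

def hits_by_actor(hits):
    """Count matching events per actor; events lacking the field are grouped."""
    return Counter(event.get(ACTOR_FIELD, "<unknown>") for event in hits)

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LINES)
    print(f"{len(found)} matching events, {skipped} unparsed lines")
    for actor, count in hits_by_actor(found).most_common():
        print(f"  {actor}: {count}")
```

The last sample line contains both values but is counted as unparsed: a field filter can only match events whose fields were extracted as JSON, which is why step 10 assigns the json parser to the ingest token.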