Deployment & Configuration

To stream enriched network telemetry into CrowdStrike Falcon LogScale, you must configure a LogScale HEC (HTTP Event Collector) and set NFO to deliver data to that endpoint.

1. LogScale Preparation

Before configuring NFO, you must generate an Ingest Token in LogScale. This token determines which repository the NFO data will be stored in.

  1. Log in to your Falcon LogScale user interface.
  2. Select the Repository where you want to store network flow data.
  3. Navigate to Settings > Ingest Tokens.
  4. Click + Add Token, give it a name (e.g., NFO-Network-Data), and assign it a parser.
  • Note: We recommend using a JSON parser as NFO delivers structured JSON logs.
  5. Copy the generated Token Value.

2. Configuring NFO Output

With your Ingest Token ready, establish the connection in the NFO web interface.

  1. In the NFO GUI, select Data Outputs and click the plus sign (+) to add a new output.
  2. Type: Select HTTP Event Collector (HEC).
  3. Protocol: HTTP or HTTPS.
  4. Address: Enter your CrowdStrike LogScale HEC endpoint (e.g., cloud.crowdstrike.com).
  5. Port: Typically 443 for HTTPS ingestion.
  6. Token: Paste the Ingest Token obtained in the previous step.
  7. Formatting: Ensure the output format is set to JSON. This allows
  8. Click Save.

3. Data Verification in LogScale

Once the output is saved and started, verify the data flow using a "Live Search" in the LogScale repository.

Use the following LogScale Query Language (LQL) snippet to see your enriched data:

#repo = "your_repo_name" | nfc_id = "*"

What to look for:

  • src_ip and src_host: These fields should contain the source IP address and the resolved hostname (DNS name) of your source host or VM.
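The following script is an added example and is not code from NFO, CrowdStrike or this page. It covers two of the steps above: it assembles the kind of request the NFO HEC output sends (Protocol, Address, Port, Token, JSON body), which lets you confirm the endpoint and Ingest Token before saving the output, and it checks returned events for the fields the verification step asks you to look for (nfc_id, src_ip, src_host). The HEC ingest path `/api/v1/ingest/hec` and the `Authorization: Bearer <token>` header are the standard LogScale HEC conventions and are assumptions here, as is the `{"event": ...}` wrapping; the sample events are constructed, not real NFO output.

```python
"""Pre-flight and verification helpers for an NFO -> LogScale HEC output.

Added example (not NFO or CrowdStrike code). Assumptions: LogScale's HEC
endpoint lives at /api/v1/ingest/hec, authenticates with a Bearer token and
accepts newline-separated JSON objects of the form {"event": {...}}.
"""
import ipaddress
import json
import urllib.request

# Assumed HEC ingest path (not stated on the page).
HEC_PATH = "/api/v1/ingest/hec"


def build_hec_request(address, token, events, port=443, scheme="https"):
    """Return (url, headers, body) for a LogScale HEC POST.

    The arguments mirror the NFO Data Output fields: Protocol (scheme),
    Address, Port and Token. Events are wrapped as {"event": ...} and
    newline-separated, which is how HEC batches several events per request.
    """
    if scheme not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    url = f"{scheme}://{address}:{port}{HEC_PATH}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    body = "\n".join(json.dumps({"event": e}) for e in events)
    return url, headers, body.encode()


def send_hec_request(url, headers, body, timeout=10):
    """POST the prepared request and return the HTTP status (200 on success)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def check_enriched_event(event):
    """Return a list of problems; an empty list means the event has what
    the 'What to look for' step expects."""
    problems = []
    if not event.get("nfc_id"):
        problems.append('missing nfc_id (the LQL filter nfc_id = "*" would not match)')
    src_ip = event.get("src_ip")
    if not src_ip:
        problems.append("missing src_ip")
    else:
        try:
            ipaddress.ip_address(src_ip)
        except ValueError:
            problems.append(f"src_ip is not a valid IP address: {src_ip!r}")
    src_host = event.get("src_host")
    if not src_host:
        problems.append("missing src_host (DNS enrichment did not resolve the source)")
    elif src_host == src_ip:
        problems.append("src_host equals src_ip: enrichment fell back to the raw address")
    return problems


# Constructed sample events (not real NFO output): one fully enriched, one
# where DNS enrichment fell back to the raw address, one malformed.
SAMPLE_EVENTS = [
    {"nfc_id": "1001", "src_ip": "10.1.2.3", "src_host": "web01.example.internal"},
    {"nfc_id": "1001", "src_ip": "10.1.2.4", "src_host": "10.1.2.4"},
    {"src_ip": "not-an-ip"},
]


def run_checks(events=SAMPLE_EVENTS):
    """Map each event index to its list of problems."""
    return {i: check_enriched_event(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    # Address matches the page's example; the token is a placeholder.
    url, headers, body = build_hec_request("cloud.crowdstrike.com", "<INGEST_TOKEN>", SAMPLE_EVENTS)
    print("POST", url)
    print(body.decode())
    # To actually test the endpoint and token, uncomment:
    # print("status", send_hec_request(url, headers, body))
    for idx, problems in run_checks().items():
        print(idx, "OK" if not problems else problems)
```

Run it with a real address and Ingest Token and a 200 from `send_hec_request` confirms the endpoint, port and token are usable before you configure the NFO output; a 401 points at the token, a connection error at the address or port. Point `check_enriched_event` at events exported from your Live Search to spot hosts where DNS enrichment is not resolving.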