Integrating Falcon Logscale
1. Log in to your Humio account with your credentials:
https://cloud.community.humio.com/
2. Select your repository from "Repositories and views"
3. From the top right go to Settings>Ingest token>Add token
4. Click Add token and enter a description for the SafeConsole server (any unique text that lets you tie the token to a particular SafeConsole server), select json as the Assigned parser, and click Create token.
5. Click on the eye icon to view your token and then click on the clipboard icon to copy the token. This token will then be added to the SafeConsole server’s SIEM settings.
6. Log into SafeConsole as the owner and navigate to Server Settings>SIEM integration. Follow the prompts below and Save the settings:
Enable SIEM server
Select Falcon Logscale as SIEM type
Enter cloud.community.humio.com in SIEM server name
Enter the API token copied in step 5 above
Select the other settings (events upload frequency type, number of events per batch upload, and include debug logs) as needed for the test. These can be changed later to suit each test's requirements.
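To confirm that the ingest token from step 5 is accepted independently of SafeConsole, the following added example (not taken from SafeConsole or LogScale documentation) posts one marker event to LogScale's structured ingest endpoint on the host from step 6. The LOGSCALE_INGEST_TOKEN variable name, the source tag and the function names are assumptions made for this example.

```python
import json
import os
import time
import urllib.error
import urllib.request

# Host from step 6 of this page; the path is LogScale's structured ingest API.
DEFAULT_HOST = "cloud.community.humio.com"
INGEST_PATH = "/api/v1/ingest/humio-structured"


def build_request(token, host=DEFAULT_HOST, source="safeconsole-token-check"):
    """Build (but do not send) one structured-ingest request with a marker event."""
    if not token or token != token.strip():
        # A trailing newline or space picked up from the clipboard is a common copy error.
        raise ValueError("ingest token is empty or has surrounding whitespace")
    event = {
        "timestamp": int(time.time() * 1000),  # milliseconds since the epoch (UTC)
        "attributes": {"message": "ingest token check", "check": source},
    }
    body = json.dumps([{"tags": {"source": source}, "events": [event]}]).encode()
    return urllib.request.Request(
        f"https://{host}{INGEST_PATH}",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def describe(status):
    """Map an HTTP status code to an operator-facing result."""
    if 200 <= status < 300:
        return "accepted"
    if status in (401, 403):
        return "token rejected"
    return f"unexpected status {status}"


def check_token(token, host=DEFAULT_HOST):
    """Send the marker event; the token itself is never printed or logged."""
    try:
        with urllib.request.urlopen(build_request(token, host), timeout=10) as resp:
            return describe(resp.status)
    except urllib.error.HTTPError as err:
        return describe(err.code)


if __name__ == "__main__":
    # Read the token from the environment so it stays out of shell history.
    print(check_token(os.environ["LOGSCALE_INGEST_TOKEN"]))
```

A result of `accepted` means the marker event can then be found in the repository by searching for `ingest token check`.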
Searching for Logs using Falcon Logscale
1. Log in to Falcon Logscale and select the K_test repository from the repository list.
2. You'll be directed to the search area where queries can be entered and searched.
3. Log in to the SafeConsole server and create a user with an email address.
4. Now enter the same email address into the search field in Falcon Logscale and click Run.
5. The results for the query should be listed in the result area: