Data Ingestion (HEC)
The HEC/HTTP Event Data Connector enables ingestion of data from any source using the HTTP or HTTPS protocol. Use it to send structured or raw event data to Next-Gen SIEM programmatically.
Requirements
| Requirement | Detail |
|---|---|
| Subscription | Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB |
| CrowdStrike clouds | US-1, US-2, EU-1, US-GOV-1 |
| Permissions | Administrator or Connector Manager access to the Falcon console |
Step 1: Create the HEC Data Connector
- In the Falcon console, go to Next-Gen SIEM > Data ingestion > Data connectors.
- Click Add data connector.
- Find and select the HEC/HTTP Event Data Connector.
- In the New connection dialog, review the connector metadata and click Configure.
- Configure:
  - Connector name — identifier for the connection
  - Description — optional
  - Parsers — select an existing parser or create a custom one. For custom parser requirements, see the CrowdStrike Parsing Standard.
- Accept the Terms and Conditions and click Save.
- The API key and URL are displayed on the connector’s detail page after creation. Copy and store them securely.
Record your API key immediately — it displays only once during setup.
Step 2: Configure your data shipper
Use any data shipper that supports the HEC API. CrowdStrike recommends the Falcon LogScale Collector.
To configure the LogScale Collector with HEC:
```yaml
# Example config using default listening port 514
sources:
  syslog_udp_514:
    type: syslog
    mode: udp
    port: 514
    sink: ngsiem
sinks:
  ngsiem:
    type: hec
    proxy: none
    token: <API_key_generated_during_data_connector_setup>
    url: <API_URL_generated_during_data_connector_setup>
```
Step 3: Verify successful data ingestion
- In the Falcon console, go to Next-Gen SIEM > Data ingestion > Data connectors.
- Verify the Status column shows Active.
- Click the connector name and select Show events to see events in Advanced Event Search.
You can also verify by filtering events using the #connector tag associated with your data connector in Advanced Event Search.
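When the connector never reaches Active, the Step 2 config is the first thing to check. The following lint is an added example, not CrowdStrike's or the LogScale Collector's own code: it confirms that every source points at a defined sink and that each `hec` sink has a real token and an HTTPS URL. The `parse` and `lint` helpers, the sample host name and the finding texts are assumptions, and the parser handles only the nested `key: value` subset shown in Step 2.

```python
import re

# Constructed sample (Step 2 layout) with three deliberate mistakes.
SAMPLE = """\
sources:
  syslog_udp_514:
    type: syslog
    sink: ngsiem_typo
sinks:
  ngsiem:
    type: hec
    token: <API_key_generated_during_data_connector_setup>
    url: http://ingest.example.invalid/hec
"""

def parse(text):
    """Parse the nested 'key: value' YAML subset used by the Step 2 config."""
    stack = [(-1, {})]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()
        node = stack[-1][1][key] = value.strip() or {}
        if isinstance(node, dict):
            stack.append((indent, node))
    return stack[0][1]

def lint(cfg):
    """Return findings for source-to-sink wiring and HEC sink settings."""
    findings, sinks = [], cfg.get("sinks", {})
    for name, src in cfg.get("sources", {}).items():
        if src.get("sink") not in sinks:
            findings.append(f"source {name}: sink {src.get('sink')!r} is undefined")
    for name, sink in sinks.items():
        if sink.get("type") != "hec":
            continue
        for field in ("token", "url"):
            if re.fullmatch(r"(<.*>)?", sink.get(field, "")):
                findings.append(f"sink {name}: {field} missing or placeholder")
        if sink.get("url", "").startswith("http://"):
            findings.append(f"sink {name}: plain-http url exposes the token")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```

To check a real file, pass its contents to `parse` and review the list returned by `lint`; an empty list means none of these three mistakes is present.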
Programmatic ingestion with FalconPy
For Python developers, FalconPy provides the HEC helper class for programmatic data ingestion. The helper supports single events, event lists, and raw file imports with built-in threading for high-throughput scenarios.
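```python
from falconpy import HEC

# NGSIEM_API_KEY and NGSIEM_URL_KEY are placeholders for your data connector's values;
# load them from a secret store or environment variables rather than hard-coding them.
hec = HEC(api_key=NGSIEM_API_KEY, api_url_key=NGSIEM_URL_KEY)
hec.send_event({"host": "sample-host", "message": "Sample event"})
```
For the complete API reference including all keywords, properties, and methods, see HTTP Event Collector (FalconPy Helper).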