Crowdstrike
About
Traditional endpoint security tools have blind spots, making them unable to see and stop advanced threats. CrowdStrike Falcon Insight solves this by delivering complete endpoint visibility across your organization. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.
Product Details
Vendor URL: Crowdstrike
Product Type: EDR
Product Tier: Tier I
Integration Method: Chronicle
Integration URL: Crowdstrike - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: CS_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
[REDACTED]
Product Event Types
Event | UDM Event Classification | alerting enabled |
---|---|---|
[REDACTED]
Log Sample
```json
{
"RawTargetProcessId": "targetpid",
"aip": "10.149.139.64",
"TargetAddress": "target",
"event_platform": "Win",
"id": "id",
"EffectiveTransmissionClass": "3",
"ApcContextAddress": "contextaddr",
"timestamp": "1624308287596",
"event_simpleName": "QueueApcEtw",
"RawProcessId": "4",
"TargetThreadId": "targethread",
"ContextTimeStamp": "1624308281.188",
"ConfigStateHash": "hash",
"ContextProcessId": "processid",
"ApcArgument1": "argid1",
"ApcArgument2": "argid2",
"ConfigBuild": "1007.3.0013806.1",
"ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
"TargetProcessId": "targetpid",
"Entitlements": "15",
"name": "QueueApcEtwV1",
"RawThreadId": "11376",
"aid": "aid",
"RawTargetThreadId": "4420",
"cid": "cid",
"TargetFileName": ""
}
```
Sample Parsing
```text
metadata.event_timestamp = "2021-06-21T20:44:47.596Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon"
metadata.product_event_type = "QueueApcEtw"
metadata.description = "QueueApcEtwV1"
metadata.ingested_timestamp = "2021-06-21T20:57:45.723Z"
principal.hostname = "hostname1"
principal.asset_id = "CS:aid"
principal.process.pid = "4"
principal.process.product_specific_process_id = "CS:processid"
principal.platform = "WINDOWS"
principal.nat_ip = "10.149.139.64"
target.process.pid = "targetpid"
target.process.file.sha256 = "hash"
target.process.file.md5 = "md5"
target.process.file.sha1 = "sha1"
target.process.file.full_path = "\Device\HarddiskVolume1\Windows\System32\vdsldr.exe"
target.process.command_line = "C:\WINDOWS\System32\vdsldr.exe -Embedding"
target.process.product_specific_process_id = "CS:targetpid"
target.resource.id = "id"
```
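The mapping above, worked through as an added Python example (not the Cyderes or Chronicle parser itself): it converts the millisecond epoch `timestamp` to the RFC 3339 form shown, prefixes the CrowdStrike identifiers with `CS:`, and maps `event_platform` to the UDM platform enum. The input is a trimmed copy of the log sample; the `Mac`/`Lin` platform values and the `UNKNOWN_PLATFORM` fallback are assumptions, since only `Win` appears on this page.

```python
import json
from datetime import datetime, timezone

# Constructed input: a trimmed copy of the page's log sample (not a live Falcon event).
SAMPLE_EVENT = json.dumps({
    "aip": "10.149.139.64",
    "event_platform": "Win",
    "id": "id",
    "timestamp": "1624308287596",
    "event_simpleName": "QueueApcEtw",
    "RawProcessId": "4",
    "ContextProcessId": "processid",
    "TargetProcessId": "targetpid",
    "name": "QueueApcEtwV1",
    "aid": "aid",
})

# Assumed platform table; only "Win" -> "WINDOWS" is confirmed by the page.
PLATFORMS = {"Win": "WINDOWS", "Mac": "MAC", "Lin": "LINUX"}


def epoch_ms_to_rfc3339(ms: str) -> str:
    """Falcon's 'timestamp' is epoch milliseconds as a string; UDM wants RFC 3339 UTC.

    Integer arithmetic keeps the millisecond part exact (no float rounding).
    """
    secs, millis = divmod(int(ms), 1000)
    ts = datetime.fromtimestamp(secs, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def to_udm(raw: str) -> dict:
    """Map one Falcon EDR JSON event to the UDM fields shown in the sample parsing."""
    ev = json.loads(raw)
    return {
        "metadata.event_timestamp": epoch_ms_to_rfc3339(ev["timestamp"]),
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Crowdstrike",
        "metadata.product_name": "Falcon",
        "metadata.product_event_type": ev["event_simpleName"],
        "metadata.description": ev["name"],
        "principal.asset_id": f"CS:{ev['aid']}",
        "principal.process.pid": ev["RawProcessId"],
        "principal.process.product_specific_process_id": f"CS:{ev['ContextProcessId']}",
        "principal.platform": PLATFORMS.get(ev.get("event_platform"), "UNKNOWN_PLATFORM"),
        "principal.nat_ip": ev["aip"],
        "target.process.pid": ev["TargetProcessId"],
        "target.process.product_specific_process_id": f"CS:{ev['TargetProcessId']}",
        "target.resource.id": ev["id"],
    }
```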
Parser Alerting
Alerting criteria are listed in the Product Event Types table above.