Crowdstrike

About

Traditional endpoint security tools have blind spots, making them unable to see and stop advanced threats. CrowdStrike Falcon Insight solves this by delivering complete endpoint visibility across your organization. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.

Product Details

Vendor URL: Crowdstrike

Product Type: EDR

Product Tier: Tier I

Integration Method: Chronicle

Integration URL: Crowdstrike - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: CS_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
[REDACTED]

Product Event Types

Event UDM Event Classification alerting enabled
[REDACTED]

Log Sample

{
  "RawTargetProcessId": "targetpid",
  "aip": "10.149.139.64",
  "TargetAddress": "target",
  "event_platform": "Win",
  "id": "id",
  "EffectiveTransmissionClass": "3",
  "ApcContextAddress": "contextaddr",
  "timestamp": "1624308287596",
  "event_simpleName": "QueueApcEtw",
  "RawProcessId": "4",
  "TargetThreadId": "targethread",
  "ContextTimeStamp": "1624308281.188",
  "ConfigStateHash": "hash",
  "ContextProcessId": "processid",
  "ApcArgument1": "argid1",
  "ApcArgument2": "argid2",
  "ConfigBuild": "1007.3.0013806.1",
  "ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
  "TargetProcessId": "targetpid",
  "Entitlements": "15",
  "name": "QueueApcEtwV1",
  "RawThreadId": "11376",
  "aid": "aid",
  "RawTargetThreadId": "4420",
  "cid": "cid",
  "TargetFileName": ""
}

Sample Parsing

metadata.event_timestamp = "2021-06-21T20:44:47.596Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon"
metadata.product_event_type = "QueueApcEtw"
metadata.description = "QueueApcEtwV1"
metadata.ingested_timestamp = "2021-06-21T20:57:45.723Z"
principal.hostname = "hostname1"
principal.asset_id = "CS:aid"
principal.process.pid = "4"
principal.process.product_specific_process_id = "CS:processid"
principal.platform = "WINDOWS"
principal.nat_ip = "10.149.139.64"
target.process.pid = "targetpid"
target.process.file.sha256 = "hash"
target.process.file.md5 = "md5"
target.process.file.sha1 = "sha1"
target.process.file.full_path = "\Device\HarddiskVolume1\Windows\System32\vdsldr.exe"
target.process.command_line = "C:\WINDOWS\System32\vdsldr.exe -Embedding"
target.process.product_specific_process_id = "CS:targetpid"
target.resource.id = "id"
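The sample parsing above shows the raw CrowdStrike JSON on the left side of the mapping and the resulting UDM fields on the right, but it does not show the transformations in between. The following Python is an added illustration, not the Chronicle parser or any Cyderes code: it reads the page's log sample, applies the mappings that can be derived from that single event (epoch-millisecond timestamp to RFC 3339, the "CS:" prefix on asset and product-specific process ids, the `event_platform` code to a UDM platform name, and dropping empty values such as `TargetFileName`), and compares the result with the expected values listed on the page. The `PLATFORM_MAP` table beyond the "Win" entry is an assumption. Fields in the page's sample output that are not present in the raw event (`principal.hostname`, the file hashes, `full_path`, `command_line`, `ingested_timestamp`) come from data the page does not show, so the example leaves them out.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed copy of the page's log sample; placeholder values kept as on the page.
SAMPLE_EVENT = r'''{
  "RawTargetProcessId": "targetpid", "aip": "10.149.139.64", "TargetAddress": "target",
  "event_platform": "Win", "id": "id", "EffectiveTransmissionClass": "3",
  "ApcContextAddress": "contextaddr", "timestamp": "1624308287596",
  "event_simpleName": "QueueApcEtw", "RawProcessId": "4", "TargetThreadId": "targethread",
  "ContextTimeStamp": "1624308281.188", "ConfigStateHash": "hash",
  "ContextProcessId": "processid", "ApcArgument1": "argid1", "ApcArgument2": "argid2",
  "ConfigBuild": "1007.3.0013806.1",
  "ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
  "TargetProcessId": "targetpid", "Entitlements": "15", "name": "QueueApcEtwV1",
  "RawThreadId": "11376", "aid": "aid", "RawTargetThreadId": "4420", "cid": "cid",
  "TargetFileName": ""
}'''

# Assumption: only "Win" -> "WINDOWS" is confirmed by the page; the other codes are illustrative.
PLATFORM_MAP = {"Win": "WINDOWS", "Mac": "MAC", "Lin": "LINUX"}

# Expected values from the page's "Sample Parsing" block that depend only on the raw event.
PAGE_EXPECTED = {
    "metadata.event_timestamp": "2021-06-21T20:44:47.596Z",
    "metadata.event_type": "GENERIC_EVENT",
    "metadata.vendor_name": "Crowdstrike",
    "metadata.product_name": "Falcon",
    "metadata.product_event_type": "QueueApcEtw",
    "metadata.description": "QueueApcEtwV1",
    "principal.asset_id": "CS:aid",
    "principal.process.pid": "4",
    "principal.process.product_specific_process_id": "CS:processid",
    "principal.platform": "WINDOWS",
    "principal.nat_ip": "10.149.139.64",
    "target.process.pid": "targetpid",
    "target.process.product_specific_process_id": "CS:targetpid",
    "target.resource.id": "id",
}


def epoch_ms_to_udm(ms: str) -> str:
    """Convert CrowdStrike's epoch-millisecond string to the RFC 3339 form UDM uses.

    Integer arithmetic avoids float rounding of the millisecond part.
    """
    sec, millis = divmod(int(ms), 1000)
    dt = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(milliseconds=millis)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def normalize(raw: str) -> dict:
    """Map one raw Falcon event (JSON text) to the UDM fields derivable from it."""
    ev = json.loads(raw)
    udm = {
        "metadata.event_timestamp": epoch_ms_to_udm(ev["timestamp"]),
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Crowdstrike",
        "metadata.product_name": "Falcon",
        "metadata.product_event_type": ev.get("event_simpleName"),
        "metadata.description": ev.get("name"),
        # Asset and sensor-scoped ids are namespaced with "CS:" so they stay unique
        # when several EDR products feed the same UDM schema.
        "principal.asset_id": "CS:" + ev["aid"],
        "principal.process.pid": ev.get("RawProcessId"),
        "principal.process.product_specific_process_id": "CS:" + ev["ContextProcessId"],
        "principal.platform": PLATFORM_MAP.get(ev.get("event_platform"), "UNKNOWN_PLATFORM"),
        "principal.nat_ip": ev.get("aip"),
        "target.process.pid": ev.get("RawTargetProcessId"),
        "target.process.product_specific_process_id": "CS:" + ev["TargetProcessId"],
        "target.resource.id": ev.get("id"),
        # TargetFileName is empty in the sample; empty values are dropped below.
        "target.file.full_path": ev.get("TargetFileName"),
    }
    return {k: v for k, v in udm.items() if v not in (None, "")}


def mismatches(raw: str) -> dict:
    """Return {udm_field: (got, expected)} for fields that differ from the page's sample."""
    got = normalize(raw)
    return {k: (got.get(k), v) for k, v in PAGE_EXPECTED.items() if got.get(k) != v}


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_EVENT).items()):
        print(f'{field} = "{value}"')
    print("mismatches vs page:", mismatches(SAMPLE_EVENT))
```

The integer `divmod` in `epoch_ms_to_udm` matters: converting `1624308287596 / 1000` as a float and formatting the microseconds can drift by a millisecond on some inputs, which would make event timestamps disagree with the page and, in practice, with other sources correlated in the same investigation.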

Parser Alerting

Alerting criteria are listed in the Product Event Types table above.

Rules

Coming Soon