Crowdstrike
About
Traditional endpoint security tools have blind spots, making them unable to see and stop advanced threats. CrowdStrike Falcon Insight solves this by delivering complete endpoint visibility across your organization. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.
Product Details
Vendor URL: Crowdstrike
Product Type: EDR
Product Tier: Tier I
Integration Method: Chronicle
Integration URL: Crowdstrike - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: CS_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
AgentIdString | principal.asset_id |
ActivityId | metadata.product_log_id |
AgentVersion | principal.asset.attribute.labels |
aid | principal.asset.asset_id |
aid | target.asset_id |
aip | principal.nat_ip |
aip | target.nat_ip |
ApplicationName | target.application |
AppPath | target.file.full_path |
AuthenticationId | target.user.product_object_id |
cid | metadata.product_deployment_id |
ClientComputerName | principal.hostname |
CommandHistory | target.process.command_line_history |
CommandLine | principal.process.command_line |
CommandLine | target.process.command_line |
ContextProcessId | principal.process.product_specific_process_id |
ContextProcessId | target.process.product_specific_process_id |
DetectDescription | security_result.description |
DetectId | security_result.threat_id |
DetectName | security_result.summary |
DeviceInstanceId | about.asset.product_object_id |
DeviceManufacturer | about.asset.hardware.manufacturer |
DeviceProduct | about.asset.hardware.model |
DeviceProductId | about.labels0.value |
DevicePropertyDeviceDescription | about.labels1.value |
DeviceSerialNumber | about.hardware.serial_number |
DiskParentDeviceInstanceId | about.labels2.value |
DiskParentDeviceInstanceId | target.resource.id |
DomainName | network.dns.questions.name |
DomainName | target.administrative_domain |
DownloadServer | target.hostname |
EndTime | security_result.detection_fields.value |
event_platform | target.platform |
event_simpleName | metadata.product_event_type |
FalconHostLink | security_result.url_back_to_product |
FileName | target.file.full_path |
FilePath | target.file.full_path |
FineScore | security_result.priority_details |
FirewallOption | additional.fields.value.string_value |
FirewallRuleId | security_result.rule_id |
FontFileName | target.file.full_path |
GID | target.group.product_object_id |
GroupRid | target.group.product_object_id |
id | target.resource.id |
ImageFileName | target.file.full_path |
ImageFileName | target.process.file.full_path |
ImpersonatedUserName | target.user.userid |
InjectedDll | target.file.full_path |
LocalAddressIP4 | principal.ip |
LocalAddressIP6 | principal.ip |
LocalIpAddressIP6MacV1 | principal.mac |
LocalPort | principal.port |
LocalPort | target.port |
LogonDomain | target.administrative_domain |
LogonServer | intermediary.hostname |
LogonServer | target.hostname |
LogonType | extensions.auth.mechanism |
MD5HashData | target.file.md5 |
MD5String | target.file.md5 |
ModuleSummaryInfoEvent | metadata.product_event_type |
name | metadata.description |
OriginalFileName | principal.file.full_path |
OriginalUserName | principal.user.userid |
OriginalUserSid | principal.user.windows_sid |
ParentBaseFileName | principal.process.file.full_path |
ParentCommandLine | principal.process.command_line |
ParentHubInstanceId | about.labels3.value |
ParentImageFileName | principal.process.file.full_path |
ParentImageFileName | principal.process.parent_process.file.full_path |
ParentProcessId | principal.process.parent_process.product_specific_process_id |
ParentProcessId | principal.process.product_specific_process_id |
PatternId | security_result.detection_fields.value |
PhysicalAddress | principal.mac |
ProcessId | principal.process.product_specific_process_id |
Protocol | network.ip_protocol |
RawProcessId | target.process.pid |
RegObjectName | target.registry.registry_key |
RegOperationType | security_result.rule_id |
RegStringValue | target.registry.registry_value_data |
RegValueName | target.registry.registry_value_name |
RemoteAddress | target.ip |
RemoteAddressIP4 | target.ip |
RemoteAddressIP6 | target.ip |
RemotePort | principal.port |
RemotePort | target.port |
ServiceDisplayName | target.application |
ServiceGroup | target.application |
ServiceImagePath | target.process.file.full_path |
Severity | security_result.severity_details |
SeverityName | security_result.severity |
SHA1HashData | target.file.sha1 |
SHA1HashData | target.process.file.sha1 |
SHA256HashData | src.file.sha256 |
SHA256HashData | target.file.sha256 |
SHA256HashData | target.process.file.sha256 |
SHA256String | target.file.sha256 |
ShareData | target.file.full_path |
ShareName | target.file.full_path |
Size | about.labels4.value |
Size | src.file.size |
Size | target.file.size |
SmbShareName | target.file.full_path |
SourceAccountName | principal.user.userid |
SourceEndpointHostname | principal.hostname |
SourceFileName | src.file.full_path |
SourceProcessId | principal.process.product_specific_process_id |
StartTime | security_result.detection_fields.value |
SystemManufacturer | principal.asset.hardware.manufacturer |
SystemProductName | principal.asset.hardware.model |
SystemSerialNumber | principal.asset.hardware.serial_number |
TargetEndpointHostname | target.hostname |
TargetFileName | target.file.full_path |
TargetProcessId | target.process.product_specific_process_id |
TaskExecArguments | target.process.command_line |
TaskExecCommand | target.process.command_line |
TaskName | target.resource.name |
Technique | metadata.product_event_type |
timestamp | metadata.timestamp |
UACCommandLineToValidate | principal.process.command_line |
UACExeToValidate | target.process.file.full_path |
UserName | principal.user.userid |
UserName | target.user.user_display_name |
UserName | target.user.userid |
UserPrincipal | target.user.email_addresses |
UserPrincipal | target.user.user_display_name |
UserRid | principal.user.product_object_id |
UserRid | target.user.userid |
UserSid | target.user.windows_sid |
VolumeMountPoint | target.labels |
VolumeSnapshotName | target.file.full_path |
Product Event Types
Event | UDM Event Classification | Alerting Enabled |
---|---|---|
.*FileWritten | FILE_CREATION | |
AcUnloadConfirmation | STATUS_SHUTDOWN | |
AgentConnect | STATUS_STARTUP | |
AgentOnline | STATUS_STARTUP | |
AsepFileChange | FILE_MODIFICATION | |
AsepKeyUpdate | REGISTRY_MODIFICATION | |
AsepValueUpdate | REGISTRY_MODIFICATION | |
BehaviorWhitelisted | SETTING_MODIFICATION | |
BITSJobCreated | SETTING_CREATION | |
BrowserInjectedThread | PROCESS_INJECTION | |
ChannelDataDownloadComplete | FILE_CREATION | |
ChannelVersionRequired | STATUS_UPDATE | |
CommandHistory | PROCESS_TERMINATION | |
ConfigStateUpdate | STATUS_HEARTBEAT | |
CrashNotification | STATUS_SHUTDOWN | |
CreateProcessArgs | PROCESS_LAUNCH | |
CreateService | SERVICE_CREATION | |
CriticalFileAccessed | FILE_READ | |
CriticalFileModified | FILE_MODIFICATION | |
DeliverLocalFXToCloud | STATUS_UPDATE | |
DetectionSummaryEvent | | TRUE |
DirectoryCreate | FILE_CREATION | |
DllInjection | PROCESS_INJECTION | |
DnsRequest | NETWORK_DNS | |
DriverLoad | FILE_OPEN | |
EndOfProcess | PROCESS_TERMINATION | |
EtwErrorEvent | STATUS_UPDATE | |
ExecutableDeleted | FILE_DELETION | |
Event_ExternalApiEvent | GENERIC_EVENT | |
FalconHostFileTamperingInfo | GENERIC_EVENT | |
FalconHostRegTamperingInfo | GENERIC_EVENT | |
FalconServiceStatus | STATUS_HEARTBEAT | |
FileCreateInfo | FILE_CREATION | |
FileDeleteInfo | FILE_DELETION | |
FileOpenInfo | FILE_OPEN | |
FileRenameInfo | FILE_MODIFICATION | |
FirewallChangeOption | SETTING_MODIFICATION | |
FirewallDeleteRule | SETTING_DELETION | |
FirewallDeleteRuleIP4 | SETTING_DELETION | |
FirewallDeleteRuleIP6 | SETTING_DELETION | |
FirewallDisabled | SETTING_MODIFICATION | |
FirewallEnabled | SETTING_MODIFICATION | |
FirewallSetRule | SETTING_MODIFICATION | |
FirewallSetRuleIP4 | SETTING_MODIFICATION | |
FirewallSetRuleIP6 | SETTING_MODIFICATION | |
FsPostOpenSnapshotFile | FILE_OPEN | |
GroupIdentity | USER_STATS | |
HostedServiceStarted | SERVICE_START | |
HostedServiceStopped | SERVICE_STOP | |
HostInfo | STATUS_STARTUP | |
ImageHash | PROCESS_MODULE_LOAD | |
InjectedThread | PROCESS_INJECTION | |
InstalledApplication | FILE_CREATION | |
JavaInjectedThread | PROCESS_INJECTION | |
KernelModeLoadImage | PROCESS_MODULE_LOAD | |
KextUnload | PROCESS_TERMINATION | |
LFODownloadConfirmation | FILE_CREATION | |
LightningLatencyInfo | STATUS_UPDATE | |
LocalIpAddressIP4 | STATUS_HEARTBEAT | |
LocalIpAddressIP6 | STATUS_HEARTBEAT | |
LocalIpAddressRemovedIP4 | SETTING_MODIFICATION | |
LocalIpAddressRemovedIP6 | SETTING_MODIFICATION | |
LsassHandleFromUnsignedModule | PROCESS_OPEN | |
ModifyServiceBinary | SERVICE_MODIFICATION | |
ModuleDetectInfo | FILE_UNCATEGORIZED | |
NetShareAdd | FILE_MODIFICATION | |
NetShareDelete | FILE_MODIFICATION | |
NetShareSecurityModify | FILE_MODIFICATION | |
NetworkCloseIP4 | NETWORK_CONNECTION | |
NetworkCloseIP6 | NETWORK_CONNECTION | |
NetworkConnectIP4 | NETWORK_CONNECTION | |
NetworkConnectIP6 | NETWORK_CONNECTION | |
NetworkListenIP4 | NETWORK_CONNECTION | |
NetworkListenIP6 | NETWORK_CONNECTION | |
NetworkReceiveAcceptIP4 | NETWORK_CONNECTION | |
NetworkReceiveAcceptIP6 | NETWORK_CONNECTION | |
NewExecutableRenamed | FILE_MOVE | |
NewExecutableWritten | FILE_CREATION | |
NewScriptWritten | FILE_CREATION | |
OsfmDownloadComplete | FILE_CREATION | |
PackedExecutableWritten | FILE_CREATION | |
PeVersionInfo | PROCESS_UNCATEGORIZED | |
PrivilegedProcessHandleFromUnsignedModule | PROCESS_MODULE_LOAD | |
ProcessExecOnPackedExecutable | PROCESS_LAUNCH | |
ProcessHandleOpDetectInfo | PROCESS_LAUNCH | |
ProcessInjection | PROCESS_INJECTION | |
ProcessRollup2 | PROCESS_LAUNCH | |
ProcessRollup2Stats | PROCESS_UNCATEGORIZED | |
ProcessSelfDeleted | FILE_DELETION | |
PromiscuousBindIP4 | NETWORK_UNCATEGORIZED | |
RansomwareCreateFile | FILE_CREATION | |
RansomwareFileAccessPattern | FILE_READ | |
RansomwareOpenFile | FILE_OPEN | |
RansomwareRenameFile | FILE_MOVE | |
RawBindIP4 | NETWORK_UNCATEGORIZED | |
RawBindIP6 | NETWORK_UNCATEGORIZED | |
RegGenericValueUpdate | REGISTRY_CREATION | TRUE |
RegGenericValueUpdate | REGISTRY_DELETION | TRUE |
RegGenericValueUpdate | REGISTRY_MODIFICATION | TRUE |
RegGenericValueUpdate | REGISTRY_UNCATEGORIZED | TRUE |
RegistryOperationDetectInfo | REGISTRY_UNCATEGORIZED | |
RegSystemConfigValueUpdate | REGISTRY_MODIFICATION | |
RemoteBruteForceDetectInfo | USER_LOGIN | TRUE |
ScheduledTaskDeleted | SCHEDULED_TASK_DELETION | |
ScheduledTaskModified | SCHEDULED_TASK_MODIFICATION | |
ScheduledTaskRegistered | SCHEDULED_TASK_MODIFICATION | |
ScriptControlDetectInfo | FILE_READ | |
ScriptControlScanInfo | SCAN_UNCATEGORIZED | |
ScriptControlScanTelemetry | SCAN_UNCATEGORIZED | |
SensorHeartbeat | STATUS_HEARTBEAT | |
ServiceStarted | SERVICE_START | |
SignInfoError | FILE_UNCATEGORIZED | |
SignInfoWithCertAndContext | FILE_UNCATEGORIZED | |
SmbServerShareOpenedEtw | FILE_UNCATEGORIZED | |
SuspiciousCreateSymbolicLink | FILE_UNCATEGORIZED | |
SuspiciousDnsRequest | NETWORK_DNS | TRUE |
SuspiciousRegAsepUpdate | REGISTRY_MODIFICATION | TRUE |
SyntheticProcessRollup2 | PROCESS_LAUNCH | |
TerminateProcess | USER_UNCATEGORIZED | |
UACExeElevation | GENERIC_EVENT | |
UnsignedModuleLoad | PROCESS_MODULE_LOAD | |
UpdateManifestDownloadComplete | FILE_CREATION | |
UserAccountAddedToGroup | GENERIC_EVENT | |
UserAccountCreated | USER_UNCATEGORIZED | |
UserFontLoad | FILE_OPEN | |
UserIdentity | USER_LOGIN | |
UserLogoff | USER_LOGOUT | |
UserLogon | USER_LOGIN | |
UserLogonFailed | USER_LOGIN | |
VolumeSnapshotCreated | FILE_UNCATEGORIZED | |
VolumeSnapshotDeleted | FILE_UNCATEGORIZED | |
WfpFilterTamperingFilterAdded | SETTING_CREATION | |
WfpFilterTamperingFilterDeleted | SETTING_DELETION | |
WmiCreateProcess | PROCESS_LAUNCH | |
WmiFilterConsumerBindingEtw | GENERIC_EVENT | |
WmiProviderRegistrationEtw | GENERIC_EVENT | |
Log Sample
```json
{
"RawTargetProcessId": "targetpid",
"aip": "10.149.139.64",
"TargetAddress": "target",
"event_platform": "Win",
"id": "id",
"EffectiveTransmissionClass": "3",
"ApcContextAddress": "contextaddr",
"timestamp": "1624308287596",
"event_simpleName": "QueueApcEtw",
"RawProcessId": "4",
"TargetThreadId": "targethread",
"ContextTimeStamp": "1624308281.188",
"ConfigStateHash": "hash",
"ContextProcessId": "processid",
"ApcArgument1": "argid1",
"ApcArgument2": "argid2",
"ConfigBuild": "1007.3.0013806.1",
"ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
"TargetProcessId": "targetpid",
"Entitlements": "15",
"name": "QueueApcEtwV1",
"RawThreadId": "11376",
"aid": "aid",
"RawTargetThreadId": "4420",
"cid": "cid",
"TargetFileName": ""
}
```
Sample Parsing
```
metadata.event_timestamp = "2021-06-21T20:44:47.596Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon"
metadata.product_event_type = "QueueApcEtw"
metadata.description = "QueueApcEtwV1"
metadata.ingested_timestamp = "2021-06-21T20:57:45.723Z"
principal.hostname = "hostname1"
principal.asset_id = "CS:aid"
principal.process.pid = "4"
principal.process.product_specific_process_id = "CS:processid"
principal.platform = "WINDOWS"
principal.nat_ip = "10.149.139.64"
target.process.pid = "targetpid"
target.process.file.sha256 = "hash"
target.process.file.md5 = "md5"
target.process.file.sha1 = "sha1"
target.process.file.full_path = "\Device\HarddiskVolume1\Windows\System32\vdsldr.exe"
target.process.command_line = "C:\WINDOWS\System32\vdsldr.exe -Embedding"
target.process.product_specific_process_id = "CS:targetpid"
target.resource.id = "id"
```
Parser Alerting
Alerting criteria are listed in the Product Event Types table above: an event is alert-eligible only when its row has Alerting Enabled set to TRUE.
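As an added illustration (not the Chronicle parser and not Cyderes or CrowdStrike code), the Python below applies a subset of the UDM field mappings and the Product Event Types classification to the sample event above and reproduces the Sample Parsing values, including the `CS:` asset and process id prefixes and the millisecond epoch to ISO timestamp conversion. Treating the `.*FileWritten` row as a full-match regex, the `Win` to `WINDOWS` platform code, and surfacing the Alerting Enabled flag as `security_result.alert_state` are assumptions of this example.

```python
import json
import re
from datetime import datetime, timezone

# Subset of the Product Event Types table: full-match regex -> (UDM event type, alerting enabled).
# Using fullmatch lets the ".*FileWritten" row work exactly as written in the table (assumption).
EVENT_TYPES = {
    r".*FileWritten": ("FILE_CREATION", False),
    r"ProcessRollup2": ("PROCESS_LAUNCH", False),
    r"SuspiciousDnsRequest": ("NETWORK_DNS", True),
    r"RegGenericValueUpdate": ("REGISTRY_MODIFICATION", True),
}

def classify(event_name):
    """Map event_simpleName to (udm_event_type, alerting); unknown names fall back to GENERIC_EVENT."""
    for pattern, result in EVENT_TYPES.items():
        if re.fullmatch(pattern, event_name):
            return result
    return ("GENERIC_EVENT", False)

def to_udm(raw_json):
    """Apply a subset of the field mappings above to one CS_EDR event; returns flat UDM key -> value."""
    ev = json.loads(raw_json)
    event_type, alerting = classify(ev.get("event_simpleName", ""))
    ms = int(ev["timestamp"])  # epoch milliseconds, carried as a string in the raw event
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z",
        "metadata.event_type": event_type,
        "metadata.vendor_name": "Crowdstrike",
        "metadata.product_name": "Falcon",
        "metadata.product_event_type": ev.get("event_simpleName"),
        "metadata.description": ev.get("name"),
        "metadata.product_deployment_id": ev.get("cid"),
        "principal.asset_id": "CS:" + ev["aid"],  # sensor ids get the "CS:" prefix seen in Sample Parsing
        "principal.platform": "WINDOWS" if ev.get("event_platform") == "Win" else None,  # assumption
        "principal.nat_ip": ev.get("aip"),
        "principal.process.pid": ev.get("RawProcessId"),
        "principal.process.product_specific_process_id": "CS:" + ev["ContextProcessId"],
        "target.process.product_specific_process_id": "CS:" + ev["TargetProcessId"],
        "target.resource.id": ev.get("id"),
        # Assumption: the table's Alerting Enabled flag is surfaced as the UDM alert_state value.
        "security_result.alert_state": "ALERTING" if alerting else "NOT_ALERTING",
    }
    return {k: v for k, v in udm.items() if v is not None}

# Constructed sample, trimmed from the Log Sample section above.
SAMPLE = json.dumps({"aid": "aid", "cid": "cid", "id": "id", "aip": "10.149.139.64", "event_platform": "Win",
                     "timestamp": "1624308287596", "name": "QueueApcEtwV1", "event_simpleName": "QueueApcEtw",
                     "RawProcessId": "4", "ContextProcessId": "processid", "TargetProcessId": "targetpid"})
```

Calling `to_udm(SAMPLE)` yields the metadata, principal and target keys shown in Sample Parsing; fields the sample does not carry (hostname, file hashes) are simply absent from the result.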
Rules
Coming Soon