Crowdstrike¶
About¶
Traditional endpoint security tools have blind spots, making them unable to see and stop advanced threats. CrowdStrike Falcon Insight solves this by delivering complete endpoint visibility across your organization. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.
Product Details¶
Vendor URL: Crowdstrike
Product Type: EDR
Product Tier: Tier I
Integration Method: Chronicle
Integration URL: Crowdstrike - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: CS_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AgentIdString | principal.asset_id |
| ActivityId | metadata.product_log_id |
| AgentVersion | principal.asset.attribute.labels |
| aid | principal.asset.asset_id |
| aid | target.asset_id |
| aip | principal.nat_ip |
| aip | target.nat_ip |
| ApplicationName | target.application |
| AppPath | target.file.full_path |
| AuthenticationId | target.user.product_object_id |
| cid | metadata.product_deployment_id |
| ClientComputerName | principal.hostname |
| CommandHistory | target.process.command_line_history |
| CommandLine | principal.process.command_line |
| CommandLine | target.process.command_line |
| ContextProcessId | principal.process.product_specific_process_id |
| ContextProcessId | target.process.product_specific_process_id |
| DetectDescription | security_result.description |
| DetectId | security_result.threat_id |
| DetectName | security_result.summary |
| DeviceInstanceId | about.asset.product_object_id |
| DeviceManufacturer | about.asset.hardware.manufacturer |
| DeviceProduct | about.asset.hardware.model |
| DeviceProductId | about.labels0.value |
| DevicePropertyDeviceDescription | about.labels1.value |
| DeviceSerialNumber | about.hardware.serial_number |
| DiskParentDeviceInstanceId | about.labels2.value |
| DiskParentDeviceInstanceId | target.resource.id |
| DomainName | network.dns.questions.name |
| DomainName | target.administrative_domain |
| DownloadServer | target.hostname |
| EndTime | security_result.detection_fields.value |
| event_platform | target.platform |
| event_simplename | metadata.product_event_type |
| FalconHostLink | security_result.url_back_to_product |
| FileName | target.file.full_path |
| FilePath | target.file.full_path |
| FineScore | security_result.priority_details |
| FirewallOption | additional.fields.value.string_value |
| FirewallRuleId | security_result.rule_id |
| FontFileName | target.file.full_path |
| GID | target.group.product_object_id |
| GroupRid | target.group.product_object_id |
| id | target.resource.id |
| ImageFileName | target.file.full_path |
| ImageFileName | target.process.file.full_path |
| ImpersonatedUserName | target.user.userid |
| InjectedDll | target.file.full_path |
| LocalAddressIP4 | principal.ip |
| LocalAddressIP6 | principal.ip |
| LocalIpAddressIP6MacV1 | principal.mac |
| LocalPort | principal.port |
| LocalPort | target.port |
| LogonDomain | target.administrative_domain |
| LogonServer | intermediary.hostname |
| LogonServer | target.hostname |
| LogonType | extensions.auth.mechanism |
| MD5HashData | target.file.md5 |
| MD5String | target.file.md5 |
| ModuleSummaryInfoEvent | metadata.product_event_type |
| name | metadata.description |
| OriginalFileName | principal.file.full_path |
| OriginalUserName | principal.user.userid |
| OriginalUserSid | principal.user.windows_sid |
| ParentBaseFileName | principal.process.file.full_path |
| ParentCommandLine | principal.process.command_line |
| ParentHubInstanceId | about.labels3.value |
| ParentImageFileName | principal.process.file.full_path |
| ParentImageFileName | principal.process.parent_process.file.full_path |
| ParentProcessId | principal.process.parent_process.product_specific_process_id |
| ParentProcessId | principal.process.product_specific_process_id |
| PatternId | security_result.detection_fields.value |
| PhysicalAddress | principal.mac |
| ProcessId | principal.process.product_specific_process_id |
| Protocol | network.ip_protocol |
| RawProcessId | target.process.pid |
| RegObjectName | target.registry.registry_key |
| RegOperationType | security_result.rule_id |
| RegStringValue | target.registry.registry_value_data |
| RegValueName | target.registry.registry_value_name |
| RemoteAddress | target.ip |
| RemoteAddressIP4 | target.ip |
| RemoteAddressIP6 | target.ip |
| RemotePort | principal.port |
| RemotePort | target.port |
| ServiceDisplayName | target.application |
| ServiceGroup | target.application |
| ServiceImagePath | target.process.file.full_path |
| Severity | security_result.severity_details |
| SeverityName | security_result.severity |
| SHA1HashData | target.file.sha1 |
| SHA1HashData | target.process.file.sha1 |
| SHA256HashData | src.file.sha256 |
| SHA256HashData | target.file.sha256 |
| SHA256HashData | target.process.file.sha256 |
| SHA256String | target.file.sha256 |
| ShareData | target.file.full_path |
| ShareName | target.file.full_path |
| Size | about.labels4.value |
| Size | src.file.size |
| Size | target.file.size |
| SmbShareName | target.file.full_path |
| SourceAccountName | principal.user.userid |
| SourceEndpointHostname | principal.hostname |
| SourceFileName | src.file.full_path |
| SourceProcessId | principal.process.product_specific_process_id |
| StartTime | security_result.detection_field.value |
| SystemManufacturer | principal.asset.hardware.manufacturer |
| SystemProductName | principal.asset.hardware.model |
| SystemSerialNumber | principal.asset.hardware.serial_number |
| TargetEndpointHostname | target.hostname |
| TargetFileName | target.file.full_path |
| TargetProcessId | target.process.product_specific_process_id |
| TaskExecArguments | target.process.command_line |
| TaskExecCommand | target.process.command_line |
| TaskName | target.resource.name |
| Technique | metadata.product_event_type |
| timestamp | metadata.timestamp |
| UACCommandLineToValidate | principal.process.command_line |
| UACExeToValidate | target.process.file.full_path |
| UserName | principal.user.userid |
| UserName | target.user.user_display_name |
| UserName | target.user.userid |
| UserPrincipal | target.user.email_addresses |
| UserPrincipal | target.user.user_display_name |
| UserRid | principal.user.product_object_id |
| UserRid | target.user.userid |
| UserSid | target.user.windows_sid |
| VolumeMountPoint | target.labels |
| VolumeSnapshotName | target.file.full_path |
Product Event Types¶
| Event | UDM Event Classification | alerting enabled |
|---|---|---|
| .*FileWritten | FILE_CREATION | |
| AcUnloadConfirmation | STATUS_SHUTDOWN | |
| AgentConnect | STATUS_STARTUP | |
| AgentOnline | STATUS_STARTUP | |
| AsepFileChange | FILE_MODIFICATION | |
| AsepKeyUpdate | REGISTRY_MODIFICATION | |
| AsepValueUpdate | REGISTRY_MODIFICATION | |
| BehaviorWhitelisted | SETTING_MODIFICATION | |
| BITSJobCreated | SETTING_CREATION | |
| BrowserInjectedThread | PROCESS_INJECTION | |
| ChannelDataDownloadComplete | FILE_CREATION | |
| ChannelVersionRequired | STATUS_UPDATE | |
| CommandHistory | PROCESS_TERMINATION | |
| ConfigStateUpdate | STATUS_HEARTBEAT | |
| CrashNotification | STATUS_SHUTDOWN | |
| CreateProcessArgs | PROCESS_LAUNCH | |
| CreateService | SERVICE_CREATION | |
| CriticalFileAccessed | FILE_READ | |
| CriticalFileModified | FILE_MODIFICATION | |
| DeliverLocalFXToCloud | STATUS_UPDATE | |
| DetectionSummaryEvent | TRUE | |
| DirectoryCreate | FILE_CREATION | |
| DllInjection | PROCESS_INJECTION | |
| DnsRequest | NETWORK_DNS | |
| DriverLoad | FILE_OPEN | |
| EndOfProcess | PROCESS_TERMINATION | |
| EtwErrorEvent | STATUS_UPDATE | |
| ExecutableDeleted | FILE_DELETION | |
| Event_ExternalApiEvent | GENERIC_EVENT | |
| FalconHostFileTamperingInfo | GENERIC_EVENT | |
| FalconHostRegTamperingInfo | GENERIC_EVENT | |
| FalconServiceStatus | STATUS_HEARTBEAT | |
| FileCreateInfo | FILE_CREATION | |
| FileDeleteInfo | FILE_DELETION | |
| FileOpenInfo | FILE_OPEN | |
| FileRenameInfo | FILE_MODIFICATION | |
| FirewallChangeOption | SETTING_MODIFICATION | |
| FirewallDeleteRule | SETTING_DELETION | |
| FirewallDeleteRuleIP4 | SETTING_DELETION | |
| FirewallDeleteRuleIP6 | SETTING_DELETION | |
| FirewallDisabled | SETTING_MODIFICATION | |
| FirewallEnabled | SETTING_MODIFICATION | |
| FirewallSetRule | SETTING_MODIFICATION | |
| FirewallSetRuleIP4 | SETTING_MODIFICATION | |
| FirewallSetRuleIP6 | SETTING_MODIFICATION | |
| FsPostOpenSnapshotFile | FILE_OPEN | |
| GroupIdentity | USER_STATS | |
| HostedServiceStarted | SERVICE_START | |
| HostedServiceStopped | SERVICE_STOP | |
| HostInfo | STATUS_STARTUP | |
| ImageHash | PROCESS_MODULE_LOAD | |
| InjectedThread | PROCESS_INJECTION | |
| InstalledApplication | FILE_CREATION | |
| JavaInjectedThread | PROCESS_INJECTION | |
| KernelModeLoadImage | PROCESS_MODULE_LOAD | |
| KextUnload | PROCESS_TERMINATION | |
| LFODownloadConfirmation | FILE_CREATION | |
| LightningLatencyInfo | STATUS_UPDATE | |
| LocalIpAddressIP4 | STATUS_HEARTBEAT | |
| LocalIpAddressIP6 | STATUS_HEARTBEAT | |
| LocalIpAddressRemovedIP4 | SETTING_MODIFICATION | |
| LocalIpAddressRemovedIP6 | SETTING_MODIFICATION | |
| LsassHandleFromUnsignedModule | PROCESS_OPEN | |
| ModifyServiceBinary | SERVICE_MODIFICATION | |
| ModuleDetectInfo | FILE_UNCATEGORIZED | |
| NetShareAdd | FILE_MODIFICATION | |
| NetShareDelete | FILE_MODIFICATION | |
| NetShareSecurityModify | FILE_MODIFICATION | |
| NetworkCloseIP4 | NETWORK_CONNECTION | |
| NetworkCloseIP6 | NETWORK_CONNECTION | |
| NetworkConnectIP4 | NETWORK_CONNECTION | |
| NetworkConnectIP6 | NETWORK_CONNECTION | |
| NetworkListenIP4 | NETWORK_CONNECTION | |
| NetworkListenIP6 | NETWORK_CONNECTION | |
| NetworkReceiveAcceptIP4 | NETWORK_CONNECTION | |
| NetworkReceiveAcceptIP6 | NETWORK_CONNECTION | |
| NewExecutableRenamed | FILE_MOVE | |
| NewExecutableWritten | FILE_CREATION | |
| NewScriptWritten | FILE_CREATION | |
| OsfmDownloadComplete | FILE_CREATION | |
| PackedExecutableWritten | FILE_CREATION | |
| PeVersionInfo | PROCESS_UNCATEGORIZED | |
| PrivilegedProcessHandleFromUnsignedModule | PROCESS_MODULE_LOAD | |
| ProcessExecOnPackedExecutable | PROCESS_LAUNCH | |
| ProcessHandleOpDetectInfo | PROCESS_LAUNCH | |
| ProcessInjection | PROCESS_INJECTION | |
| ProcessRollup2 | PROCESS_LAUNCH | |
| ProcessRollup2Stats | PROCESS_UNCATEGORIZED | |
| ProcessSelfDeleted | FILE_DELETION | |
| PromiscuousBindIP4 | NETWORK_UNCATEGORIZED | |
| RansomwareCreateFile | FILE_CREATION | |
| RansomwareFileAccessPattern | FILE_READ | |
| RansomwareOpenFile | FILE_OPEN | |
| RansomwareRenameFile | FILE_MOVE | |
| RawBindIP4 | NETWORK_UNCATEGORIZED | |
| RawBindIP6 | NETWORK_UNCATEGORIZED | |
| RegGenericValueUpdate | REGISTRY_CREATION | TRUE |
| RegGenericValueUpdate | REGISTRY_DELETION | TRUE |
| RegGenericValueUpdate | REGISTRY_MODIFICATION | TRUE |
| RegGenericValueUpdate | REGISTRY_UNCATEGORIZED | TRUE |
| RegistryOperationDetectInfo | REGISTRY_UNCATEGORIZED | |
| RegSystemConfigValueUpdate | REGISTRY_MODIFICATION | |
| RemoteBruteForceDetectInfo | USER_LOGIN | TRUE |
| ScheduledTaskDeleted | SCHEDULED_TASK_DELETION | |
| ScheduledTaskModified | SCHEDULED_TASK_MODIFICATION | |
| ScheduledTaskRegistered | SCHEDULED_TASK_MODIFICATION | |
| ScriptControlDetectInfo | FILE_READ | |
| ScriptControlScanInfo | SCAN_UNCATEGORIZED | |
| ScriptControlScanTelemetry | SCAN_UNCATEGORIZED | |
| SensorHeartbeat | STATUS_HEARTBEAT | |
| ServiceStarted | SERVICE_START | |
| SignInfoError | FILE_UNCATEGORIZED | |
| SignInfoWithCertAndContext | FILE_UNCATEGORIZED | |
| SmbServerShareOpenedEtw | FILE_UNCATEGORIZED | |
| SuspiciousCreateSymbolicLink | FILE_UNCATEGORIZED | |
| SuspiciousDnsRequest | NETWORK_DNS | TRUE |
| SuspiciousRegAsepUpdate | REGISTRY_MODIFICATION | TRUE |
| SyntheticProcessRollup2 | PROCESS_LAUNCH | |
| TerminateProcess | USER_UNCATEGORIZED | |
| UACExeElevation | GENERIC_EVENT | |
| UnsignedModuleLoad | PROCESS_MODULE_LOAD | |
| UpdateManifestDownloadComplete | FILE_CREATION | |
| UserAccountAddedToGroup | GENERIC_EVENT | |
| UserAccountCreated | USER_UNCATEGORIZED | |
| UserFontLoad | FILE_OPEN | |
| UserIdentity | USER_LOGIN | |
| UserLogoff | USER_LOGOUT | |
| UserLogon | USER_LOGIN | |
| UserLogonFailed | USER_LOGIN | |
| VolumeSnapshotCreated | FILE_UNCATEGORIZED | |
| VolumeSnapshotDeleted | FILE_UNCATEGORIZED | |
| WfpFilterTamperingFilterAdded | SETTING_CREATION | |
| WfpFilterTamperingFilterDeleted | SETTING_DELETION | |
| WmiCreateProcess | PROCESS_LAUNCH | |
| WmiFilterConsumerBindingEtw | GENERIC_EVENT | |
| WmiProviderRegistrationEtw | GENERIC_EVENT |
Log Sample¶
{
"RawTargetProcessId": "targetpid",
"aip": "10.149.139.64",
"TargetAddress": "target",
"event_platform": "Win",
"id": "id",
"EffectiveTransmissionClass": "3",
"ApcContextAddress": "contextaddr",
"timestamp": "1624308287596",
"event_simpleName": "QueueApcEtw",
"RawProcessId": "4",
"TargetThreadId": "targethread",
"ContextTimeStamp": "1624308281.188",
"ConfigStateHash": "hash",
"ContextProcessId": "processid",
"ApcArgument1": "argid1",
"ApcArgument2": "argid2",
"ConfigBuild": "1007.3.0013806.1",
"ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
"TargetProcessId": "targetpid",
"Entitlements": "15",
"name": "QueueApcEtwV1",
"RawThreadId": "11376",
"aid": "aid",
"RawTargetThreadId": "4420",
"cid": "cid",
"TargetFileName": ""
}
Sample Parsing¶
metadata.event_timestamp = "2021-06-21T20:44:47.596Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon"
metadata.product_event_type = "QueueApcEtw"
metadata.description = "QueueApcEtwV1"
metadata.ingested_timestamp = "2021-06-21T20:57:45.723Z"
principal.hostname = "hostname1"
principal.asset_id = "CS:aid"
principal.process.pid = "4"
principal.process.product_specific_process_id = "CS:processid"
principal.platform = "WINDOWS"
principal.nat_ip = "10.149.139.64"
target.process.pid = "targetpid"
target.process.file.sha256 = "hash"
target.process.file.md5 = "md5"
target.process.file.sha1 = "sha1"
target.process.file.full_path = "\Device\HarddiskVolume1\Windows\System32\vdsldr.exe"
target.process.command_line = "C:\WINDOWS\System32\vdsldr.exe -Embedding"
target.process.product_specific_process_id = "CS:targetpid"
target.resource.id = "id"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon