Crowdstrike

About

Traditional endpoint security tools have blind spots, making them unable to see and stop advanced threats. CrowdStrike Falcon Insight solves this by delivering complete endpoint visibility across your organization. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.

Product Details

Vendor URL: Crowdstrike

Product Type: EDR

Product Tier: Tier I

Integration Method: Chronicle

Integration URL: Crowdstrike - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: CS_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
AgentIdString principal.asset_id
AgentVersion principal.asset.attribute.labels
aid principal.asset.asset_id
aid target.asset_id
aip principal.nat_ip
aip target.nat_ip
ApplicationName target.application
AppPath target.file.full_path
AuthenticationId target.user.product_object_id
cid metadata.product_deployment_id
ClientComputerName principal.hostname
CommandHistory target.process.command_line_history
CommandLine principal.process.command_line
CommandLine target.process.command_line
ContextProcessId principal.process.product_specific_process_id
ContextProcessId target.process.product_specific_process_id
DetectDescription security_result.description
DetectName security_result.summary
DeviceInstanceId about.asset.product_object_id
DeviceManufacturer about.asset.hardware.manufacturer
DeviceProduct about.asset.hardware.model
DeviceProductId about.labels0.value
DevicePropertyDeviceDescription about.labels1.value
DeviceSerialNumber about.hardware.serial_number
DiskParentDeviceInstanceId about.labels2.value
DiskParentDeviceInstanceId target.resource.id
DomainName network.dns.questions.name
DomainName target.administrative_domain
DownloadServer target.hostname
event_platform target.platform
event_simplename metadata.product_event_type
FileName target.file.full_path
FilePath target.file.full_path
FineScore security_result.priority_details
FirewallOption additional.fields.value.string_value
FirewallRuleId security_result.rule_id
FontFileName target.file.full_path
GID target.group.product_object_id
GroupRid target.group.product_object_id
id target.resource.id
ImageFileName target.file.full_path
ImageFileName target.process.file.full_path
ImpersonatedUserName target.user.userid
InjectedDll target.file.full_path
LocalAddressIP4 principal.ip
LocalAddressIP6 principal.ip
LocalIpAddressIP6MacV1 principal.mac
LocalPort principal.port
LocalPort target.port
LogonDomain target.administrative_domain
LogonServer intermediary.hostname
LogonServer target.hostname
LogonType extensions.auth.mechanism
MD5HashData target.file.md5
MD5String target.file.md5
ModuleSummaryInfoEvent metadata.product_event_type
name metadata.description
OriginalFileName principal.file.full_path
OriginalUserName principal.user.userid
OriginalUserSid principal.user.windows_sid
ParentBaseFileName principal.process.file.full_path
ParentCommandLine principal.process.command_line
ParentHubInstanceId about.labels3.value
ParentImageFileName principal.process.file.full_path
ParentImageFileName principal.process.parent_process.file.full_path
ParentProcessId principal.process.parent_process.product_specific_process_id
ParentProcessId principal.process.product_specific_process_id
PhysicalAddress principal.mac
ProcessId principal.process.product_specific_process_id
Protocol network.ip_protocol
RawProcessId target.process.pid
RegObjectName target.registry.registry_key
RegOperationType security_result.rule_id
RegStringValue target.registry.registry_value_data
RegValueName target.registry.registry_value_name
RemoteAddress target.ip
RemoteAddressIP4 target.ip
RemoteAddressIP6 target.ip
RemotePort principal.port
RemotePort target.port
ServiceDisplayName target.application
ServiceGroup target.application
ServiceImagePath target.process.file.full_path
SeverityName security_result.severity
SHA1HashData target.file.sha1
SHA1HashData target.process.file.sha1
SHA256HashData src.file.sha256
SHA256HashData target.file.sha256
SHA256HashData target.process.file.sha256
SHA256String target.file.sha256
ShareData target.file.full_path
ShareName target.file.full_path
Size about.labels4.value
Size src.file.size
Size target.file.size
SmbShareName target.file.full_path
SourceFileName src.file.full_path
SourceProcessId principal.process.product_specific_process_id
SystemManufacturer principal.asset.hardware.manufacturer
SystemProductName principal.asset.hardware.model
SystemSerialNumber principal.asset.hardware.serial_number
TargetFileName target.file.full_path
TargetProcessId target.process.product_specific_process_id
TaskExecArguments target.process.command_line
TaskExecCommand target.process.command_line
TaskName target.resource.name
Technique metadata.product_event_type
timestamp metadata.timestamp
UACCommandLineToValidate principal.process.command_line
UACExeToValidate target.process.file.full_path
UserName principal.user.userid
UserName target.user.user_display_name
UserName target.user.userid
UserPrincipal target.user.email_addresses
UserPrincipal target.user.user_display_name
UserRid principal.user.product_object_id
UserRid target.user.userid
UserSid target.user.windows_sid
VolumeMountPoint target.labels
VolumeSnapshotName target.file.full_path

Product Event Types

Event UDM Event Classification alerting enabled
.*FileWritten FILE_CREATION
AcUnloadConfirmation STATUS_SHUTDOWN
AgentConnect STATUS_STARTUP
AgentOnline STATUS_STARTUP
AsepFileChange FILE_MODIFICATION
AsepKeyUpdate REGISTRY_MODIFICATION
AsepValueUpdate REGISTRY_MODIFICATION
BehaviorWhitelisted SETTING_MODIFICATION
BITSJobCreated SETTING_CREATION
BrowserInjectedThread PROCESS_INJECTION
ChannelDataDownloadComplete FILE_CREATION
ChannelVersionRequired STATUS_UPDATE
CommandHistory PROCESS_TERMINATION
ConfigStateUpdate STATUS_HEARTBEAT
CrashNotification STATUS_SHUTDOWN
CreateProcessArgs PROCESS_LAUNCH
CreateService SERVICE_CREATION
CriticalFileAccessed FILE_READ
CriticalFileModified FILE_MODIFICATION
DeliverLocalFXToCloud STATUS_UPDATE
DetectionSummaryEvent TRUE
DirectoryCreate FILE_CREATION
DllInjection PROCESS_INJECTION
DnsRequest NETWORK_DNS
DriverLoad FILE_OPEN
EndOfProcess PROCESS_TERMINATION
EtwErrorEvent STATUS_UPDATE
ExecutableDeleted FILE_DELETION
FalconHostFileTamperingInfo GENERIC_EVENT
FalconHostRegTamperingInfo GENERIC_EVENT
FalconServiceStatus STATUS_HEARTBEAT
FileCreateInfo FILE_CREATION
FileDeleteInfo FILE_DELETION
FileOpenInfo FILE_OPEN
FileRenameInfo FILE_MODIFICATION
FirewallChangeOption SETTING_MODIFICATION
FirewallDeleteRule SETTING_DELETION
FirewallDeleteRuleIP4 SETTING_DELETION
FirewallDeleteRuleIP6 SETTING_DELETION
FirewallDisabled SETTING_MODIFICATION
FirewallEnabled SETTING_MODIFICATION
FirewallSetRule SETTING_MODIFICATION
FirewallSetRuleIP4 SETTING_MODIFICATION
FirewallSetRuleIP6 SETTING_MODIFICATION
FsPostOpenSnapshotFile FILE_OPEN
GroupIdentity USER_STATS
HostedServiceStarted SERVICE_START
HostedServiceStopped SERVICE_STOP
HostInfo STATUS_STARTUP
ImageHash PROCESS_MODULE_LOAD
InjectedThread PROCESS_INJECTION
InstalledApplication FILE_CREATION
JavaInjectedThread PROCESS_INJECTION
KernelModeLoadImage PROCESS_MODULE_LOAD
KextUnload PROCESS_TERMINATION
LFODownloadConfirmation FILE_CREATION
LightningLatencyInfo STATUS_UPDATE
LocalIpAddressIP4 STATUS_HEARTBEAT
LocalIpAddressIP6 STATUS_HEARTBEAT
LocalIpAddressRemovedIP4 SETTING_MODIFICATION
LocalIpAddressRemovedIP6 SETTING_MODIFICATION
LsassHandleFromUnsignedModule PROCESS_OPEN
ModifyServiceBinary SERVICE_MODIFICATION
ModuleDetectInfo FILE_UNCATEGORIZED
NetShareAdd FILE_MODIFICATION
NetShareDelete FILE_MODIFICATION
NetShareSecurityModify FILE_MODIFICATION
NetworkCloseIP4 NETWORK_CONNECTION
NetworkCloseIP6 NETWORK_CONNECTION
NetworkConnectIP4 NETWORK_CONNECTION
NetworkConnectIP6 NETWORK_CONNECTION
NetworkListenIP4 NETWORK_CONNECTION
NetworkListenIP6 NETWORK_CONNECTION
NetworkReceiveAcceptIP4 NETWORK_CONNECTION
NetworkReceiveAcceptIP6 NETWORK_CONNECTION
NewExecutableRenamed FILE_MOVE
NewExecutableWritten FILE_CREATION
NewScriptWritten FILE_CREATION
OsfmDownloadComplete FILE_CREATION
PackedExecutableWritten FILE_CREATION
PeVersionInfo PROCESS_UNCATEGORIZED
PrivilegedProcessHandleFromUnsignedModule PROCESS_MODULE_LOAD
ProcessExecOnPackedExecutable PROCESS_LAUNCH
ProcessHandleOpDetectInfo PROCESS_LAUNCH
ProcessInjection PROCESS_INJECTION
ProcessRollup2 PROCESS_LAUNCH
ProcessRollup2Stats PROCESS_UNCATEGORIZED
ProcessSelfDeleted FILE_DELETION
PromiscuousBindIP4 NETWORK_UNCATEGORIZED
RansomwareCreateFile FILE_CREATION
RansomwareFileAccessPattern FILE_READ
RansomwareOpenFile FILE_OPEN
RansomwareRenameFile FILE_MOVE
RawBindIP4 NETWORK_UNCATEGORIZED
RawBindIP6 NETWORK_UNCATEGORIZED
RegGenericValueUpdate REGISTRY_CREATION TRUE
RegGenericValueUpdate REGISTRY_DELETION TRUE
RegGenericValueUpdate REGISTRY_MODIFICATION TRUE
RegGenericValueUpdate REGISTRY_UNCATEGORIZED TRUE
RegistryOperationDetectInfo REGISTRY_UNCATEGORIZED
RegSystemConfigValueUpdate REGISTRY_MODIFICATION
RemoteBruteForceDetectInfo USER_LOGIN TRUE
ScheduledTaskDeleted SCHEDULED_TASK_DELETION
ScheduledTaskModified SCHEDULED_TASK_MODIFICATION
ScheduledTaskRegistered SCHEDULED_TASK_MODIFICATION
ScriptControlDetectInfo FILE_READ
ScriptControlScanInfo SCAN_UNCATEGORIZED
ScriptControlScanTelemetry SCAN_UNCATEGORIZED
SensorHeartbeat STATUS_HEARTBEAT
ServiceStarted SERVICE_START
SignInfoError FILE_UNCATEGORIZED
SignInfoWithCertAndContext FILE_UNCATEGORIZED
SmbServerShareOpenedEtw FILE_UNCATEGORIZED
SuspiciousCreateSymbolicLink FILE_UNCATEGORIZED
SuspiciousDnsRequest NETWORK_DNS TRUE
SuspiciousRegAsepUpdate REGISTRY_MODIFICATION TRUE
SyntheticProcessRollup2 PROCESS_LAUNCH
TerminateProcess USER_UNCATEGORIZED
UACExeElevation GENERIC_EVENT
UnsignedModuleLoad PROCESS_MODULE_LOAD
UpdateManifestDownloadComplete FILE_CREATION
UserAccountAddedToGroup GENERIC_EVENT
UserAccountCreated USER_UNCATEGORIZED
UserFontLoad FILE_OPEN
UserIdentity USER_LOGIN
UserLogoff USER_LOGOUT
UserLogon USER_LOGIN
UserLogonFailed USER_LOGIN
VolumeSnapshotCreated FILE_UNCATEGORIZED
VolumeSnapshotDeleted FILE_UNCATEGORIZED
WfpFilterTamperingFilterAdded SETTING_CREATION
WfpFilterTamperingFilterDeleted SETTING_DELETION
WmiCreateProcess PROCESS_LAUNCH
WmiFilterConsumerBindingEtw GENERIC_EVENT
WmiProviderRegistrationEtw GENERIC_EVENT

Log Sample

{
  "RawTargetProcessId": "targetpid",
  "aip": "10.149.139.64",
  "TargetAddress": "target",
  "event_platform": "Win",
  "id": "id",
  "EffectiveTransmissionClass": "3",
  "ApcContextAddress": "contextaddr",
  "timestamp": "1624308287596",
  "event_simpleName": "QueueApcEtw",
  "RawProcessId": "4",
  "TargetThreadId": "targethread",
  "ContextTimeStamp": "1624308281.188",
  "ConfigStateHash": "hash",
  "ContextProcessId": "processid",
  "ApcArgument1": "argid1",
  "ApcArgument2": "argid2",
  "ConfigBuild": "1007.3.0013806.1",
  "ApcContextFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll",
  "TargetProcessId": "targetpid",
  "Entitlements": "15",
  "name": "QueueApcEtwV1",
  "RawThreadId": "11376",
  "aid": "aid",
  "RawTargetThreadId": "4420",
  "cid": "cid",
  "TargetFileName": ""
}

Sample Parsing

metadata.event_timestamp = "2021-06-21T20:44:47.596Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon"
metadata.product_event_type = "QueueApcEtw"
metadata.description = "QueueApcEtwV1"
metadata.ingested_timestamp = "2021-06-21T20:57:45.723Z"
principal.hostname = "hostname1"
principal.asset_id = "CS:aid"
principal.process.pid = "4"
principal.process.product_specific_process_id = "CS:processid"
principal.platform = "WINDOWS"
principal.nat_ip = "10.149.139.64"
target.process.pid = "targetpid"
target.process.file.sha256 = "hash"
target.process.file.md5 = "md5"
target.process.file.sha1 = "sha1"
target.process.file.full_path = "\Device\HarddiskVolume1\Windows\System32\vdsldr.exe"
target.process.command_line = "C:\WINDOWS\System32\vdsldr.exe -Embedding"
target.process.product_specific_process_id = "CS:targetpid"
target.resource.id = "id"
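As an added illustration (not the Cyderes or Chronicle parser itself), the following Python applies a subset of the mappings from the tables above to the log sample: the epoch-millisecond timestamp becomes metadata.event_timestamp, aid and process ids receive the CS: prefix seen in the sample parsing, event_platform is normalized, and the event type is classified from the Product Event Types table with .*FileWritten treated as a regular expression. The reduced table, the platform map and the GENERIC_EVENT fallback for unlisted events are assumptions drawn from the sample.

```python
import json
import re
from datetime import datetime, timezone
# Subset of the Product Event Types table above, constructed for this example:
# event_simpleName -> (UDM event classification, alerting enabled)
EVENT_TYPES = {
    ".*FileWritten": ("FILE_CREATION", False),
    "ProcessRollup2": ("PROCESS_LAUNCH", False),
    "DnsRequest": ("NETWORK_DNS", False),
    "SuspiciousDnsRequest": ("NETWORK_DNS", True),
}
PLATFORMS = {"Win": "WINDOWS"}  # event_platform -> principal.platform, per the sample
# The page's log sample reduced to the keys mapped here (constructed input).
SAMPLE = """{"aip": "10.149.139.64", "event_platform": "Win",
 "timestamp": "1624308287596", "event_simpleName": "QueueApcEtw",
 "RawProcessId": "4", "ContextProcessId": "processid", "name": "QueueApcEtwV1",
 "aid": "aid", "TargetProcessId": "targetpid", "RawTargetProcessId": "targetpid"}"""

def classify(event_name):
    """(UDM event type, alerting): exact table match first, then entries containing
    '*' as regexes, else the GENERIC_EVENT fallback shown for QueueApcEtw."""
    if event_name in EVENT_TYPES:
        return EVENT_TYPES[event_name]
    for pattern, result in EVENT_TYPES.items():
        if "*" in pattern and re.fullmatch(pattern, event_name):
            return result
    return ("GENERIC_EVENT", False)

def normalize(raw):
    """Map one Falcon JSON event onto the UDM field names used above."""
    ev = json.loads(raw)
    secs, millis = divmod(int(ev["timestamp"]), 1000)  # epoch milliseconds
    ts = datetime.fromtimestamp(secs, tz=timezone.utc)
    event_type, alerting = classify(ev["event_simpleName"])
    return {
        "metadata.event_timestamp": f"{ts:%Y-%m-%dT%H:%M:%S}.{millis:03d}Z",
        "metadata.event_type": event_type,
        "metadata.product_event_type": ev["event_simpleName"],
        "metadata.description": ev["name"],
        "principal.asset_id": "CS:" + ev["aid"],  # vendor-prefixed, as in the sample
        "principal.platform": PLATFORMS.get(ev["event_platform"], "UNKNOWN_PLATFORM"),
        "principal.nat_ip": ev["aip"],
        "principal.process.pid": ev["RawProcessId"],
        "principal.process.product_specific_process_id": "CS:" + ev["ContextProcessId"],
        "target.process.pid": ev["RawTargetProcessId"],
        "target.process.product_specific_process_id": "CS:" + ev["TargetProcessId"],
        "alerting": alerting,  # the table's alerting flag, not a UDM field
    }
```

Running normalize(SAMPLE) reproduces the timestamp, asset id, platform and process id values listed in the Sample Parsing above; fields such as hostname and file hashes are not present in the log sample and so are not derived here.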

Parser Alerting

Alerting criteria are listed in the Product Event Types table above: an event type generates an alert only where the "alerting enabled" column is TRUE.

Rules

Coming Soon