Crowdstrike Event Streams
About
This technical add-on enables customers to create a persistent connection to CrowdStrike's Event Streams API so that the available detection, event, incident and audit data can be continually streamed to their Splunk environment.
Product Details
Vendor URL: Crowdstrike
Product Type: EDR
Product Tier: Tier I
Integration Method: Chronicle
Integration URL: Crowdstrike Event Streams Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: near 90%
Data Label: CS_STREAM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
[REDACTED]
Product Event Types
Event | UDM Event Classification |
---|---|
[REDACTED]
Log Sample
{"metadata":{"customerIDString":"123456789abcdef123456789abcdef","eventType":"IdentityProtectionEvent","offset":150065,"eventCreationTime":1676088286477},"event":{"Category":"Incidents","EndTime":1676088286464,"EndpointIp":"","EndpointName":"","FalconHostLink":"https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345","IdentityProtectionIncidentId":"INC-12345","IncidentDescription":"User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary.","IncidentType":"UNUSUAL_ACTIVITY","NumberOfCompromisedEntities":1,"NumbersOfAlerts":1,"Severity":1,"SeverityName":"INFO","StartTime":1676088286116,"State":"NEW","UserName":"COMPANY.NAME.COM\\a1_sample_user"}}
Sample Parsing
metadata.event_timestamp.seconds = 1676088447
metadata.event_timestamp.nanos = 59665000
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon Stream API"
metadata.product_event_type = "IdentityProtectionEvent"
metadata.url_back_to_product = "https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345"
principal.user.userid = "COMPANY.NAME.COM\a1_sample_user"
extensions.vulns.vulnerabilities.scan_end_time = "2023-02-11T4:04:46.464Z"
extensions.vulns.vulnerabilities.scan_start_time = "2023-02-11T4:04:46.116Z"
security_result.action_details = "NEW"
security_result.category_details = "Incidents"
security_result.description = "User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary."
security_result.detection_fields.key = "IncidentType"
security_result.detection_fields.value = "UNUSUAL_ACTIVITY"
security_result.rule_id = "INC-12345"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "1"
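As an added illustration of the mapping above (not the parser's own code, which is a Chronicle parser configuration), the following Python flattens one Event Streams message into the UDM paths shown in the Sample Parsing section. The sample is a trimmed copy of the page's Log Sample with a shortened description; the SeverityName-to-UDM-severity table and the principal.ip / principal.hostname mappings are assumptions, and blank Falcon fields are dropped so they never become empty UDM values.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the page's Log Sample; IDs are placeholders.
SAMPLE = json.dumps({
    "metadata": {"customerIDString": "123456789abcdef123456789abcdef",
                 "eventType": "IdentityProtectionEvent", "offset": 150065,
                 "eventCreationTime": 1676088286477},
    "event": {"Category": "Incidents", "EndTime": 1676088286464,
              "EndpointIp": "", "EndpointName": "",
              "FalconHostLink": "https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345",
              "IdentityProtectionIncidentId": "INC-12345",
              "IncidentDescription": "User access patterns detected as anomalous.",
              "IncidentType": "UNUSUAL_ACTIVITY", "Severity": 1,
              "SeverityName": "INFO", "StartTime": 1676088286116,
              "State": "NEW", "UserName": "COMPANY.NAME.COM\\a1_sample_user"},
})

# Assumed mapping of Falcon SeverityName to the UDM security_result.severity enum.
SEVERITY = {"INFO": "INFORMATIONAL", "LOW": "LOW", "MEDIUM": "MEDIUM",
            "HIGH": "HIGH", "CRITICAL": "CRITICAL"}

def to_rfc3339(ms: int) -> str:
    """Epoch milliseconds -> zero-padded RFC 3339 UTC string with millisecond precision."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"

def normalize(raw: str) -> dict:
    """Flatten one Event Streams message into the UDM paths the parser emits."""
    msg = json.loads(raw)
    ev, meta = msg["event"], msg["metadata"]
    udm = {
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Crowdstrike",
        "metadata.product_name": "Falcon Stream API",
        "metadata.product_event_type": meta.get("eventType"),
        "metadata.url_back_to_product": ev.get("FalconHostLink"),
        "principal.user.userid": ev.get("UserName"),
        "principal.ip": ev.get("EndpointIp"),            # assumed mapping, not on the page
        "principal.hostname": ev.get("EndpointName"),    # assumed mapping, not on the page
        "security_result.action_details": ev.get("State"),
        "security_result.category_details": ev.get("Category"),
        "security_result.description": ev.get("IncidentDescription"),
        "security_result.detection_fields.key": "IncidentType",
        "security_result.detection_fields.value": ev.get("IncidentType"),
        "security_result.rule_id": ev.get("IdentityProtectionIncidentId"),
        "security_result.severity": SEVERITY.get(ev.get("SeverityName"), "UNKNOWN_SEVERITY"),
        "security_result.severity_details": str(ev["Severity"]) if "Severity" in ev else None,
    }
    if "StartTime" in ev:
        udm["extensions.vulns.vulnerabilities.scan_start_time"] = to_rfc3339(ev["StartTime"])
    if "EndTime" in ev:
        udm["extensions.vulns.vulnerabilities.scan_end_time"] = to_rfc3339(ev["EndTime"])
    # Drop empty strings and None so blank Falcon fields never become UDM values.
    return {k: v for k, v in udm.items() if v not in ("", None)}
```

Unlike the Sample Parsing output above, the timestamps here are emitted with a zero-padded hour, as RFC 3339 requires.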