
Crowdstrike Event Streams


About

This technical add-on enables customers to create a persistent connection to CrowdStrike's Event Streams API so that the available detection, event, incident and audit data can be continually streamed to their Splunk environment.

Product Details

Vendor URL: Crowdstrike

Product Type: EDR

Product Tier: Tier I

Integration Method: Chronicle

Integration URL: Crowdstrike Event Streams Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 90%

Data Label: CS_STREAM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
[REDACTED]

Product Event Types

Event UDM Event Classification
[REDACTED]

Log Sample

{"metadata":{"customerIDString":"123456789abcdef123456789abcdef","eventType":"IdentityProtectionEvent","offset":150065,"eventCreationTime":1676088286477},"event":{"Category":"Incidents","EndTime":1676088286464,"EndpointIp":"","EndpointName":"","FalconHostLink":"https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345","IdentityProtectionIncidentId":"INC-12345","IncidentDescription":"User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary.","IncidentType":"UNUSUAL_ACTIVITY","NumberOfCompromisedEntities":1,"NumbersOfAlerts":1,"Severity":1,"SeverityName":"INFO","StartTime":1676088286116,"State":"NEW","UserName":"COMPANY.NAME.COM\\a1_sample_user"}}

Sample Parsing

metadata.event_timestamp.seconds = 1676088447
metadata.event_timestamp.nanos = 59665000
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon Stream API"
metadata.product_event_type = "IdentityProtectionEvent"
metadata.url_back_to_product = "https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345"
principal.user.userid = "COMPANY.NAME.COM\a1_sample_user"
extensions.vulns.vulnerabilities.scan_end_time = "2023-02-11T4:04:46.464Z"
extensions.vulns.vulnerabilities.scan_start_time = "2023-02-11T4:04:46.116Z"
security_result.action_details = "NEW"
security_result.category_details = "Incidents"
security_result.description = "User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary."
security_result.detection_fields.key = "IncidentType"
security_result.detection_fields.value = "UNUSUAL_ACTIVITY"
security_result.rule_id = "INC-12345"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "1"