Crowdstrike Event Streams

About

This technical add-on lets customers open a persistent connection to CrowdStrike's Event Streams API so that the available detection, event, incident and audit data can be streamed continuously into their Splunk environment.

Product Details

Vendor URL: Crowdstrike

Product Type: EDR

Product Tier: Tier I

Integration Method: Chronicle

Integration URL: Crowdstrike Event Streams Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 90%

Data Label: CS_STREAM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
CS_STREAM:kv.aid principal.asset_id
kv.aip principal.asset.ip
_IncidentType security_result.detection_fields
additional_bootup_safeguard_flag_data additional.fields
additional_critical_process_flag_data additional.fields
additional_indicator_flag_data additional.fields
additional_kill_action_failed_flag_data additional.fields
additional_kill_parent_flag_data additional.fields
additional_kill_process_flag_data additional.fields
additional_kill_sub_process_flag_data additional.fields
additional_kv.autorun additional.fields
additional_kv.extra_original_FileDescription additional.fields
additional_kv.extra_original_FileName additional.fields
additional_kv.OriginalFilename additional.fields
additional_kv.WindowTitle additional.fields
additional_operation_blocked_flag_data additional.fields
additional_policy_disabled_flag_data additional.fields
additional_process_blocked_flag_data additional.fields
additional_quarantine_file_flag_data additional.fields
additional_quarantine_machine_flag_data additional.fields
additional_registry_operation_blocked_flag_data additional.fields
additional_smb_host additional.fields
additional_smb_stage1 additional.fields
additional_smb_stage1r additional.fields
additional_smb_stage2 additional.fields
additional_smb_stage2r additional.fields
additional_smb_stage3 additional.fields
additional_smb_stage3r additional.fields
additional_smb_uid additional.fields
commandLine target.process.command_line
description metadata.description
domain principal.administrative_domain
eventType metadata.product_event_type
filePath target.process.file.full_path
incidentDescription metadata.description
kv.aaa_executionid target.process.pid
kv.agent_ip observer.ip
kv.cid metadata.product_deployment_id
kv.cmdline target.process.command_line
kv.DeviceType target.asset.category
kv.event_detectiontype security_result.rule_type
kv.image_file_name target.file.full_path
kv.Log4jVersion observer.application
kv.MD5Hash_data target.file.md5
kv.name metadata.description
kv.process_path target.process.file.full_path
kv.report_id target.resource.id
kv.SHA256Hash_data target.file.sha256
kv.src principal.hostname
kv.user target.user.userid
kv.zzz_reportname target.resource.name
mac principal.mac
msg_json_log.additional.0.value principal.hostname
msg_json_log.metadata.description metadata.description
msg_json_log.metadata.product_name metadata.product_name
msg_json_log.metadata.product_version metadata.product_version
msg_json_log.metadata.vendor_name metadata.vendor_name
parsed_msg.event.Category security_result.category_details
parsed_msg.event.CommandLine target.process.command_line
parsed_msg.event.ComputerName principal.hostname
parsed_msg.event.DetectDescription security_result.description
parsed_msg.event.DetectId metadata.product_log_id
parsed_msg.event.DetectName security_result.summary
parsed_msg.event.EndpointName principal.asset.hostname
parsed_msg.event.FalconHostLink metadata.url_back_to_product
parsed_msg.event.FalconHostLink security_result.summary
parsed_msg.event.FileName principal.process.file.full_path
parsed_msg.event.FilePath target.process.file.full_path
parsed_msg.event.GrandparentCommandLine principal.process.parent_process.parent_process.command_line
parsed_msg.event.GrandparentImageFileName principal.process.parent_process.parent_process.file.full_path
parsed_msg.event.HostID principal.user.product_object_id
parsed_msg.event.IdentityProtectionIncidentId security_result.rule_id
parsed_msg.event.IncidentDescription security_result.description
parsed_msg.event.IncidentID metadata.product_log_id
parsed_msg.event.IOARuleGroupName security_result.rule_type
parsed_msg.event.IOARuleName security_result.rule_name
parsed_msg.event.IOCType security_result.about.resource.name
parsed_msg.event.IOCValue security_result.about.process.pid
parsed_msg.event.MachineDomain principal.administrative_domain
parsed_msg.event.MD5String target.file.md5
parsed_msg.event.Objective security_result.about.resource.resource_subtype
parsed_msg.event.ParentCommandLine principal.process.parent_process.command_line
parsed_msg.event.ParentImageFileName principal.process.parent_process.file.full_path
parsed_msg.event.PatternDispositionDescription security_result.about.application
parsed_msg.event.ServiceName metadata.description
parsed_msg.event.ServiceName target.application
parsed_msg.event.SHA256String target.file.sha256
parsed_msg.event.SourceEndpointHostName principal.asset.hostname
parsed_msg.event.State security_result.action_details
parsed_msg.event.Tactic security_result.threat_feed_name
parsed_msg.event.TargetEndpointHostName target.asset.hostname
parsed_msg.event.Technique security_result.threat_id
parsed_msg.event.UserId target.user.userid
parsed_msg.event.UserName principal.user.userid
parsed_msg.metadata.eventType metadata.product_event_type
pid principal.process.pid
ppid principal.process.parent_process.pid
resource target.resource.name
serviceName metadata.description
serviceName target.application
severity_name security_result.severity

Product Event Types

Event UDM Event Classification
delete_group GROUP_DELETION
Incidents USER_UNCATEGORIZED
remove_group, update_group GROUP_MODIFICATION
saml2Assert, twoFactorAuthenticate, userAuthenticate USER_LOGIN
All other events GENERIC_EVENT

Log Sample

{
  "metadata": {
    "customerIDString": "123456789abcdef123456789abcdef",
    "eventType": "IdentityProtectionEvent",
    "offset": 150065,
    "eventCreationTime": 1676088286477
  },
  "event": {
    "Category": "Incidents",
    "EndTime": 1676088286464,
    "EndpointIp": "",
    "EndpointName": "",
    "FalconHostLink": "https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345",
    "IdentityProtectionIncidentId": "INC-12345",
    "IncidentDescription": "User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary.",
    "IncidentType": "UNUSUAL_ACTIVITY",
    "NumberOfCompromisedEntities": 1,
    "NumbersOfAlerts": 1,
    "Severity": 1,
    "SeverityName": "INFO",
    "StartTime": 1676088286116,
    "State": "NEW",
    "UserName": "COMPANY.NAME.COM\\a1_sample_user"
  }
}

Sample Parsing

metadata.event_timestamp.seconds = 1676088447
metadata.event_timestamp.nanos = 59665000
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Crowdstrike"
metadata.product_name = "Falcon Stream API"
metadata.product_event_type = "IdentityProtectionEvent"
metadata.url_back_to_product = "https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345"
principal.user.userid = "COMPANY.NAME.COM\a1_sample_user"
extensions.vulns.vulnerabilities.scan_end_time = "2023-02-11T4:04:46.464Z"
extensions.vulns.vulnerabilities.scan_start_time = "2023-02-11T4:04:46.116Z"
security_result.action_details = "NEW"
security_result.category_details = "Incidents"
security_result.description = "User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. Falcon monitors the activity and will escalate severity or incident type when necessary."
security_result.detection_fields.key = "IncidentType"
security_result.detection_fields.value = "UNUSUAL_ACTIVITY"
security_result.rule_id = "INC-12345"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "1"
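The mapping above, applied to the page's log sample, as an added Python example (not Chronicle's parser and not CrowdStrike's code). It reproduces the event classification table and the IdentityProtectionEvent field mappings shown under Sample Parsing; the severity-name map beyond INFO, the zero-padded RFC 3339 timestamp format and the abridged IncidentDescription are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Product event type -> UDM classification, from the table above; anything else is GENERIC_EVENT.
EVENT_CLASSIFICATION = {
    "delete_group": "GROUP_DELETION", "Incidents": "USER_UNCATEGORIZED",
    "remove_group": "GROUP_MODIFICATION", "update_group": "GROUP_MODIFICATION",
    "saml2Assert": "USER_LOGIN", "twoFactorAuthenticate": "USER_LOGIN", "userAuthenticate": "USER_LOGIN",
}
# SeverityName -> UDM severity. Only INFO -> INFORMATIONAL is shown on the page;
# the other entries are an assumption made for this example.
SEVERITY_MAP = {"INFO": "INFORMATIONAL", "LOW": "LOW", "MEDIUM": "MEDIUM", "HIGH": "HIGH", "CRITICAL": "CRITICAL"}
# The page's own log sample, reused as input (IncidentDescription abridged to keep the line short).
SAMPLE = (r'{"metadata":{"customerIDString":"123456789abcdef123456789abcdef","eventType":"IdentityProtectionEvent",'
          r'"offset":150065,"eventCreationTime":1676088286477},"event":{"Category":"Incidents",'
          r'"EndTime":1676088286464,"EndpointIp":"","EndpointName":"",'
          r'"FalconHostLink":"https://falcon.crowdstrike.com/identity-protection/incidents/INC-12345",'
          r'"IdentityProtectionIncidentId":"INC-12345","IncidentDescription":"User access patterns detected as anomalous.",'
          r'"IncidentType":"UNUSUAL_ACTIVITY","NumberOfCompromisedEntities":1,"NumbersOfAlerts":1,"Severity":1,'
          r'"SeverityName":"INFO","StartTime":1676088286116,"State":"NEW","UserName":"COMPANY.NAME.COM\\a1_sample_user"}}')


def epoch_ms_to_rfc3339(ms: int) -> str:
    """Render an epoch-millisecond value as a zero-padded RFC 3339 UTC timestamp."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def normalize(raw: str) -> dict:
    """Map one Event Streams record to the UDM fields shown under Sample Parsing."""
    rec = json.loads(raw)
    meta, ev = rec.get("metadata", {}), rec.get("event", {})
    udm = {
        "metadata.event_type": EVENT_CLASSIFICATION.get(meta.get("eventType"), "GENERIC_EVENT"),
        "metadata.product_event_type": meta.get("eventType"),
        "metadata.vendor_name": "Crowdstrike",
        "metadata.product_name": "Falcon Stream API",
        "metadata.url_back_to_product": ev.get("FalconHostLink"),
        "principal.user.userid": ev.get("UserName"),
        "security_result.action_details": ev.get("State"),
        "security_result.category_details": ev.get("Category"),
        "security_result.description": ev.get("IncidentDescription"),
        "security_result.rule_id": ev.get("IdentityProtectionIncidentId"),
        "security_result.severity": SEVERITY_MAP.get(ev.get("SeverityName")),
        "security_result.severity_details": str(ev["Severity"]) if "Severity" in ev else None,
    }
    if "IncidentType" in ev:  # carried as a key/value pair in detection_fields
        udm["security_result.detection_fields"] = [{"key": "IncidentType", "value": ev["IncidentType"]}]
    for src, dst in (("StartTime", "scan_start_time"), ("EndTime", "scan_end_time")):
        if src in ev:
            udm["extensions.vulns.vulnerabilities." + dst] = epoch_ms_to_rfc3339(ev[src])
    return {k: v for k, v in udm.items() if v is not None}  # omit fields the record did not populate
```

Records whose eventType is absent from the classification table fall through to GENERIC_EVENT, which is why the sample's IdentityProtectionEvent is classified that way even though its Category is "Incidents".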

Rules

Coming Soon