CrowdStrike Falcon

Overview

CrowdStrike Falcon is an Endpoint Detection and Response solution. This setup guide explains how to forward and collect the detections and activity logs of your CrowdStrike EDR to SEKOIA.IO.

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Authentication logs`	activities on the CrowdStrike console is traced including authentication

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	`alert`, `event`
Category	`configuration`, `intrusion_detection`, `session`
Type	`change`, `info`, `start`, `stop`

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

auth_activity_audit.jsondetection_summary_event.jsondetection_update.jsonstream_started.jsonstream_stopped.jsonuser_activity_audit.json

{
    "@timestamp": "2022-07-12T21:59:06.099000Z",
    "crowdstrike": {
        "event_type": "AuthActivityAuditEvent",
        "operation_name": "twoFactorAuthenticate"
    },
    "event": {
        "category": "configuration",
        "kind": "event",
        "type": "change",
        "outcome": "success"
    },
    "service": {
        "name": "CrowdStrike Authentication"
    },
    "related": {
        "ip": [
            "83.199.26.17"
        ]
    },
    "source": {
        "address": "83.199.26.17",
        "ip": "83.199.26.17"
    },
    "user": {
        "id": "foo.bar@sekoia.fr"
    }
}

{
    "@timestamp": "2022-07-07T06:15:38.000000Z",
    "crowdstrike": {
        "detect_description": "Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. This activity has been raised for critical action and should be investigated urgently.",
        "event_type": "DetectionSummaryEvent"
    },
    "event": {
        "category": "intrusion_detection",
        "kind": "alert",
        "outcome": "success",
        "type": "info"
    },
    "file": {
        "hash": {
            "md5": "d45bd7c7b7bf977246e9409d63435231"
        },
        "name": "explorer.exe",
        "path": "\\Device\\HarddiskVolume2\\Windows"
    },
    "host": {
        "name": "nsewmkzevukn-vm"
    },
    "log": {
        "hostname": "nsewmkzevukn-vm"
    },
    "process": {
        "command_line": "C:\\Windows\\Explorer.EXE",
        "hash": {
            "sha256": "249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3"
        },
        "parent": {
            "pid": 22163465296
        },
        "pid": 22164474048
    },
    "related": {
        "hash": [
            "249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3",
            "d45bd7c7b7bf977246e9409d63435231"
        ]
    }
}

{
    "@timestamp": "2022-07-12T08:35:40.000000Z",
    "crowdstrike": {
        "event_type": "UserActivityAuditEvent",
        "operation_name": "detection_update"
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "configuration",
        "kind": "event",
        "type": "change"
    },
    "related": {
        "ip": [
            "185.162.177.26"
        ]
    },
    "service": {
        "name": "detections"
    },
    "source": {
        "address": "185.162.177.26",
        "ip": "185.162.177.26"
    },
    "user": {
        "id": "foo.bar@sekoia.fr"
    }
}

{
    "@timestamp": "2022-07-06T12:34:25.303000Z",
    "crowdstrike": {
        "event_type": "AuthActivityAuditEvent",
        "operation_name": "streamStarted"
    },
    "event": {
        "category": "session",
        "kind": "event",
        "outcome": "success",
        "type": "start"
    },
    "related": {
        "ip": [
            "185.162.177.26"
        ]
    },
    "service": {
        "name": "Crowdstrike Streaming API"
    },
    "source": {
        "address": "185.162.177.26",
        "ip": "185.162.177.26"
    },
    "user": {
        "id": "api-client-id:00000000000000000000000000000000"
    }
}

{
    "@timestamp": "2022-07-07T14:25:17.516000Z",
    "crowdstrike": {
        "event_type": "AuthActivityAuditEvent",
        "operation_name": "streamStopped"
    },
    "event": {
        "category": "session",
        "kind": "event",
        "outcome": "success",
        "type": "start"
    },
    "related": {
        "ip": [
            "185.162.177.26"
        ]
    },
    "service": {
        "name": "Crowdstrike Streaming API"
    },
    "source": {
        "address": "185.162.177.26",
        "ip": "185.162.177.26"
    },
    "user": {
        "id": "api-client-id:00000000000000000000000000000000"
    }
}

{
    "event": {
        "kind": "event",
        "category": "configuration",
        "type": "change"
    },
    "@timestamp": "2022-07-12T08:35:40.000000Z",
    "crowdstrike": {
        "event_type": "UserActivityAuditEvent",
        "operation_name": "detection_update"
    },
    "related": {
        "ip": [
            "185.162.177.26"
        ]
    },
    "service": {
        "name": "detections"
    },
    "source": {
        "address": "185.162.177.26",
        "ip": "185.162.177.26"
    },
    "user": {
        "id": "foo.bar@sekoia.fr"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`@timestamp`	`date`	Date/time when the event originated.
`agent.id`	`keyword`	Unique identifier of this agent.
`crowdstrike.customer_id`	`keyword`	None
`crowdstrike.detect_description`	`keyword`	None
`crowdstrike.detect_id`	`keyword`	None
`crowdstrike.event_type`	`keyword`	None
`crowdstrike.host_id`	`keyword`	None
`crowdstrike.incident_end`	`date`	None
`crowdstrike.incident_id`	`keyword`	None
`crowdstrike.incident_start`	`date`	None
`crowdstrike.operation_name`	`keyword`	None
`crowdstrike.state`	`keyword`	None
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.kind`	`keyword`	The kind of the event. The highest categorization field in the hierarchy.
`event.type`	`keyword`	Event type. The third categorization field in the hierarchy.
`file.hash.md5`	`keyword`	MD5 hash.
`file.name`	`keyword`	Name of the file including the extension, without the directory.
`file.path`	`keyword`	Full path to the file, including the file name.
`host.ip`	`ip`	Host ip addresses.
`host.mac`	`keyword`	Host MAC addresses.
`host.name`	`keyword`	Name of the host.
`process.command_line`	`wildcard`	Full command line that started the process.
`process.end`	`date`	The time the process ended.
`process.hash.sha256`	`keyword`	SHA256 hash.
`process.parent.command_line`	`wildcard`	Full command line that started the process.
`process.parent.executable`	`keyword`	Absolute path to the process executable.
`process.parent.pid`	`long`	Process id.
`process.pid`	`long`	Process id.
`process.start`	`date`	The time the process started.
`service.name`	`keyword`	Name of the service.
`source.ip`	`ip`	IP address of the source.
`threat.tactic.name`	`keyword`	Threat tactic.
`threat.technique.name`	`keyword`	Threat technique name.
`user.id`	`keyword`	Unique identifier of the user.
`user.name`	`keyword`	Short name or login of the user.

Configure

To retrieve the events produced by your Falcon instance, a playbook must be configured with the dedicated trigger "Trigger on Falcon Events". This trigger requires the following API information to connect on the Event Stream of CrowdStrike:

the base URL of the API (e.g. https://api.eu-1.crowdstrike.com)
a client identifier
a client secret

Use the "API Client & Keys" CrowdStrike configuration panel to create an OAuth2 API client with the Read permission on scope Event Stream.