CrowdStrike Falcon
Overview
CrowdStrike Falcon is an Endpoint Detection and Response solution. This setup guide explains how to forward and collect the detections and activity logs of your CrowdStrike EDR to SEKOIA.IO.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Authentication logs |
activities on the CrowdStrike console is traced including authentication |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | alert , event |
Category | configuration , intrusion_detection , session |
Type | change , info , start , stop |
Event Samples
Find below few samples of events and how they are normalized by SEKOIA.IO.
{
"@timestamp": "2022-07-12T21:59:06.099000Z",
"crowdstrike": {
"event_type": "AuthActivityAuditEvent",
"operation_name": "twoFactorAuthenticate"
},
"event": {
"category": "configuration",
"kind": "event",
"type": "change",
"outcome": "success"
},
"service": {
"name": "CrowdStrike Authentication"
},
"related": {
"ip": [
"83.199.26.17"
]
},
"source": {
"address": "83.199.26.17",
"ip": "83.199.26.17"
},
"user": {
"id": "foo.bar@sekoia.fr"
}
}
{
"@timestamp": "2022-07-07T06:15:38.000000Z",
"crowdstrike": {
"detect_description": "Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. This activity has been raised for critical action and should be investigated urgently.",
"event_type": "DetectionSummaryEvent"
},
"event": {
"category": "intrusion_detection",
"kind": "alert",
"outcome": "success",
"type": "info"
},
"file": {
"hash": {
"md5": "d45bd7c7b7bf977246e9409d63435231"
},
"name": "explorer.exe",
"path": "\\Device\\HarddiskVolume2\\Windows"
},
"host": {
"name": "nsewmkzevukn-vm"
},
"log": {
"hostname": "nsewmkzevukn-vm"
},
"process": {
"command_line": "C:\\Windows\\Explorer.EXE",
"hash": {
"sha256": "249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3"
},
"parent": {
"pid": 22163465296
},
"pid": 22164474048
},
"related": {
"hash": [
"249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3",
"d45bd7c7b7bf977246e9409d63435231"
]
}
}
{
"@timestamp": "2022-07-12T08:35:40.000000Z",
"crowdstrike": {
"event_type": "UserActivityAuditEvent",
"operation_name": "detection_update"
},
"ecs": {
"version": "1.10.0"
},
"event": {
"category": "configuration",
"kind": "event",
"type": "change"
},
"related": {
"ip": [
"185.162.177.26"
]
},
"service": {
"name": "detections"
},
"source": {
"address": "185.162.177.26",
"ip": "185.162.177.26"
},
"user": {
"id": "foo.bar@sekoia.fr"
}
}
{
"@timestamp": "2022-07-06T12:34:25.303000Z",
"crowdstrike": {
"event_type": "AuthActivityAuditEvent",
"operation_name": "streamStarted"
},
"event": {
"category": "session",
"kind": "event",
"outcome": "success",
"type": "start"
},
"related": {
"ip": [
"185.162.177.26"
]
},
"service": {
"name": "Crowdstrike Streaming API"
},
"source": {
"address": "185.162.177.26",
"ip": "185.162.177.26"
},
"user": {
"id": "api-client-id:00000000000000000000000000000000"
}
}
{
"@timestamp": "2022-07-07T14:25:17.516000Z",
"crowdstrike": {
"event_type": "AuthActivityAuditEvent",
"operation_name": "streamStopped"
},
"event": {
"category": "session",
"kind": "event",
"outcome": "success",
"type": "start"
},
"related": {
"ip": [
"185.162.177.26"
]
},
"service": {
"name": "Crowdstrike Streaming API"
},
"source": {
"address": "185.162.177.26",
"ip": "185.162.177.26"
},
"user": {
"id": "api-client-id:00000000000000000000000000000000"
}
}
{
"event": {
"kind": "event",
"category": "configuration",
"type": "change"
},
"@timestamp": "2022-07-12T08:35:40.000000Z",
"crowdstrike": {
"event_type": "UserActivityAuditEvent",
"operation_name": "detection_update"
},
"related": {
"ip": [
"185.162.177.26"
]
},
"service": {
"name": "detections"
},
"source": {
"address": "185.162.177.26",
"ip": "185.162.177.26"
},
"user": {
"id": "foo.bar@sekoia.fr"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp |
date |
Date/time when the event originated. |
agent.id |
keyword |
Unique identifier of this agent. |
crowdstrike.customer_id |
keyword |
None |
crowdstrike.detect_description |
keyword |
None |
crowdstrike.detect_id |
keyword |
None |
crowdstrike.event_type |
keyword |
None |
crowdstrike.host_id |
keyword |
None |
crowdstrike.incident_end |
date |
None |
crowdstrike.incident_id |
keyword |
None |
crowdstrike.incident_start |
date |
None |
crowdstrike.operation_name |
keyword |
None |
crowdstrike.state |
keyword |
None |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.hash.md5 |
keyword |
MD5 hash. |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.path |
keyword |
Full path to the file, including the file name. |
host.ip |
ip |
Host ip addresses. |
host.mac |
keyword |
Host MAC addresses. |
host.name |
keyword |
Name of the host. |
process.command_line |
wildcard |
Full command line that started the process. |
process.end |
date |
The time the process ended. |
process.hash.sha256 |
keyword |
SHA256 hash. |
process.parent.command_line |
wildcard |
Full command line that started the process. |
process.parent.executable |
keyword |
Absolute path to the process executable. |
process.parent.pid |
long |
Process id. |
process.pid |
long |
Process id. |
process.start |
date |
The time the process started. |
service.name |
keyword |
Name of the service. |
source.ip |
ip |
IP address of the source. |
threat.tactic.name |
keyword |
Threat tactic. |
threat.technique.name |
keyword |
Threat technique name. |
user.id |
keyword |
Unique identifier of the user. |
user.name |
keyword |
Short name or login of the user. |
Configure
To retrieve the events produced by your Falcon instance, a playbook must be configured with the dedicated trigger "Trigger on Falcon Events". This trigger requires the following API information to connect on the Event Stream of CrowdStrike:
- the base URL of the API (e.g. https://api.eu-1.crowdstrike.com)
- a client identifier
- a client secret
Use the "API Client & Keys" CrowdStrike configuration panel to create an OAuth2 API client with the Read
permission on scope Event Stream
.