Skip to content

SigmaHQ/pySigma-backend-crowdstrike

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
.github
.github
 
 
sigma
sigma
 
 
tests
tests
 
 
.git-blame-ignore-revs
.git-blame-ignore-revs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
print-coverage.py
print-coverage.py
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Tests Coverage Badge Status

pySigma CrowdStrike Backend

This is the CrowdStrike backend for pySigma. It provides the package sigma.backends.crowdstrike with the LogScaleBackend class.

Further it contains the following processing pipelines under sigma.pipelines.crowdstrike:

  • crowdstrike_fdr_pipeline which was mainly written for the Falcon Data Replicator data but Splunk queries should work in the legacy CrowdStrike Splunk. The pipeline can also be used with other backends in case you ingest Falcon data to a different SIEM.
  • crowdstrike_falcon_pipeline which was written for data collected by the CrowdStrike Falcon Agent stored natively in CrowdStrike Logscale. It effectively translates rules to the CrowdStrike Query Language used by LogScale. This is designed to be used with the LogScaleBackend.

Supported Rules

Falcon Pipeline

The following categories and products are supported by the pipelines:

category product CrowdStrike event_simpleName
process_creation windows, linux ProcessRollup2, SyntheticProcessRollup2
network_connection windows NetworkConnectIP4, NetworkReceiveAcceptIP4
dns_query windows DnsRequest
image_load windows ClassifiedModuleLoad
driver_load windows DriverLoad
ps_script windows CommandHistory, ScriptControlScanTelemetry

There's likely more windows categories that can be supported by the pipelines; We will be adding support gradually as availability allows.

Limitations and caveats:

  • Full Paths: Falcon agents do not capture drive names when logging paths. Instead, when drive letters are expected the device path is used. For example, C:\Windows results to \Device\HarddiskVolume3\Windows in the logs. To account for this, the pipeline replaces any drive letters in fields containing full path with \Device\HarddiskVolume?\ (where '?' can be any single character).

  • Parent Name: Falcon process_creation events do not capture the full path of the parent. Hence, in such cases the transformation is configured to fail.

  • DNS Query Results: Falcon dns_query events return the IP records of a successful query in semicolon-separated string. The pipeline handles this by enforcing a "contains" expression on the QueryResults field

  • Unsupported fields: Falcon does not always capture the same fields as sysmon for the categories supported. In cases where the rule requires unsupported fields, the transformation fails.

  • PS Script Logging: There is not a clean equivelant between the events Falcon generates and PowerShell Script Logging. Our transformation is a best-effort approach that contains multiple fields that might contain the value in the field.

References

This backend is currently maintained by:

About

SigmaHQ pySigma CrowdStrike processing pipeline

Resources

Readme

License

LGPL-2.1 license
Activity
Custom properties

Stars

15 stars

Watchers

6 watching

Forks

10 forks
Report repository

Releases 13

v1.0.3 Latest
Feb 9, 2024
+ 12 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

 
 
 

Contributors 4

  •  
  •  
  •  
  •  

Languages