This is the CrowdStrike backend for pySigma. It provides the package `sigma.backends.crowdstrike` with the `LogScaleBackend` class.

It also contains the following processing pipelines:

- `crowdstrike_fdr_pipeline`: mainly written for Falcon Data Replicator data, but the Splunk queries should also work in the legacy CrowdStrike Splunk.
- `crowdstrike_falcon_pipeline`: written for data collected by the CrowdStrike Falcon agent and stored in CrowdStrike LogScale. It effectively translates rules to the CrowdStrike Query Language used by LogScale.

The following categories and products are supported by the `crowdstrike_falcon_pipeline` pipeline:
| category | product | CrowdStrike event_simpleName |
|---|---|---|
| process_creation | windows, linux | ProcessRollup2 |
| network_connection | windows | NetworkConnectIP4, NetworkReceiveAcceptIP4 |
| dns_query | windows | DnsRequest |
| image_load | windows | ClassifiedModuleLoad |
| driver_load | windows | DriverLoad |
| ps_script | windows | CommandHistory, ScriptControlScanTelemetry |
The following categories and products are supported by the `crowdstrike_fdr_pipeline` pipeline:

| category | product | CrowdStrike event_simpleName |
|---|---|---|
| process_creation | windows | ProcessRollup2 |
| network_connection | windows | NetworkConnectIP4, NetworkReceiveAcceptIP4 |
There are likely more Windows categories that can be supported by the pipelines; we will add support gradually as availability allows.
- Full paths: Falcon agents do not capture drive letters when logging paths. Instead, where a drive letter would be expected the device path is used. For example, `C:\Windows` appears as `\Device\HarddiskVolume3\Windows` in the logs. To account for this, the pipeline replaces any drive letter in fields containing a full path with `\Device\HarddiskVolume?\` (where `?` can be any single character).
- Parent name: Falcon `process_creation` events do not capture the full path of the parent. Hence, in such cases the transformation is configured to fail.
- DNS query results: Falcon `dns_query` events return the IP records of a successful query as a semicolon-separated string. The pipeline handles this by enforcing a "contains" expression on the `QueryResults` field.
- Unsupported fields: Falcon does not always capture the same fields as Sysmon for the supported categories. In cases where a rule requires unsupported fields, the transformation fails.
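The drive-letter rewrite and the semicolon-separated `QueryResults` handling described above, reimplemented as a standalone illustration of what the rule translation has to cope with (this is added example code, not part of the pySigma backend or its pipelines). It assumes a Falcon field named `ImageFileName` for the process image path; the events are constructed samples, and the second one shows that the single-character `?` wildcard does not cover a two-digit volume number.

```python
import fnmatch

# Falcon fields holding full paths (they need the drive-letter rewrite) and the
# field holding a ';'-separated list of resolved IPs. 'ImageFileName' is an
# assumed field name for this example; 'QueryResults' is named in the README.
FULL_PATH_FIELDS = {"ImageFileName"}
LIST_FIELDS = {"QueryResults"}


def drive_to_device_path(value: str) -> str:
    """Rewrite 'C:\\Windows\\...' to '\\Device\\HarddiskVolume?\\Windows\\...'.
    The '?' is a single-character wildcard, as the README describes."""
    if len(value) > 2 and value[0].isalpha() and value[1:3] == ":\\":
        return "\\Device\\HarddiskVolume?\\" + value[3:]
    return value


def field_matches(field: str, pattern: str, event: dict) -> bool:
    """Apply one Sigma-style 'field: value' condition to a Falcon event."""
    actual = event.get(field)
    if actual is None:
        return False
    if field in LIST_FIELDS:
        # 'contains' semantics: the value must be one of the ';'-separated answers.
        return pattern in [part.strip() for part in actual.split(";")]
    if field in FULL_PATH_FIELDS:
        pattern = drive_to_device_path(pattern)
    # Sigma wildcards '*' and '?' map directly onto fnmatch; compare case-insensitively.
    return fnmatch.fnmatchcase(actual.lower(), pattern.lower())


def rule_matches(selection: dict, event: dict) -> bool:
    """All conditions of a selection map must hold (Sigma 'and' semantics)."""
    return all(field_matches(f, p, event) for f, p in selection.items())


# Constructed sample events shaped as the README describes (not real telemetry).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"},
    {"event_simpleName": "ProcessRollup2",  # two-digit volume number: '?' misses it
     "ImageFileName": "\\Device\\HarddiskVolume12\\Windows\\System32\\cmd.exe"},
    {"event_simpleName": "DnsRequest", "DomainName": "example.test",
     "QueryResults": "192.0.2.10;198.51.100.7"},
]
CMD_RULE = {"event_simpleName": "ProcessRollup2",
            "ImageFileName": "C:\\Windows\\System32\\cmd.exe"}
DNS_RULE = {"event_simpleName": "DnsRequest", "QueryResults": "198.51.100.7"}


def count_hits(selection: dict) -> int:
    return sum(rule_matches(selection, e) for e in SAMPLE_EVENTS)
```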
This backend is currently maintained by: