crowdstrike: add userinfo enrichment support and map fields to ECS #8742
Changes from commit 3734c0f to 38e0dc8
@@ -2,4 +2,4 @@ | |||
{"AgentLoadFlags":"0","AgentLocalTime":"1697054061","AgentTimeOffset":"12274.197","AgentVersion":"7.01.13921.0","BiosManufacturer":"Iris","BiosVersion":"vG17V.210105623/u64","ChassisType":"Other","City":"Hamilton","ComputerName":"MIVWIN21","ConfigBuild":"1007.3.0017312.1","ConfigIDBuild":"13921","Continent":"Europe","Country":"Iceland","FalconGroupingTags":"'FalconGroupingTags/Iceland'","FirstSeen":"1576097732.0","HostHiddenStatus":"Visible","MachineDomain":"iceland.bigbiz.local","OU":"Infrastructure for CM;Citrix BM","PointerSize":"8","ProductType":"3.0","SensorGroupingTags":"none","ServicePackMajor":"0","SiteName":"Mosfellsbær","SystemManufacturer":"Iris","SystemProductName":"IrOS","Time":"1697992773.787","Timezone":"Europe/Iceland","Version":"Windows Server 2022","aid":"ffffffff3c0846978560dbc0048d6555","aip":"42.7.15.32","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win"} | |||
{"AgentLoadFlags":"0","AgentLocalTime":"1697069182","AgentTimeOffset":"-2275.344","AgentVersion":"7.01.13922.0","BiosManufacturer":"American Megatrends","BiosVersion":"FW29-234098","ChassisType":"Space-Saving","City":"Mumbai","ComputerName":"FEVWSA1-029","ConfigBuild":"1007.3.0017312.1","ConfigIDBuild":"13922","Continent":"Asia","Country":"India","FalconGroupingTags":"'FalconGroupingTags/India'","FirstSeen":"1592645590.0","HostHiddenStatus":"Visible","MachineDomain":"groot.org","OU":"PROD;Win10 Workstations;India;Offices","PointerSize":"8","ProductType":"1.0","SensorGroupingTags":"none","ServicePackMajor":"0","SiteName":"IO","SystemManufacturer":"Dell","SystemProductName":"Dell Note","Time":"1697992701.85","Timezone":"India/Mumbai","Version":"Windows 10","aid":"ffffffffc59c473aa7fcbbe7438082cb","aip":"42.7.16.195","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win"} | |||
{"AgentLoadFlags":"1","AgentLocalTime":"1697735519","AgentTimeOffset":"15963.231","AgentVersion":"6.56.17010.0","BiosManufacturer":"Iris","BiosVersion":"vG17V.210105623/u64","ChassisType":"Other","City":"Chicago","ComputerName":"FEVWSN1-009","ConfigBuild":"1007.3.0017010.1","ConfigIDBuild":"17010","Continent":"North America","Country":"America","FalconGroupingTags":"none","FirstSeen":"1641998107.0","HostHiddenStatus":"Visible","MachineDomain":"groot.org","OU":"UAT;CAA;VDI;Global;Offices","PointerSize":"8","ProductType":"1.0","SensorGroupingTags":"none","ServicePackMajor":"0","SiteName":"BCL","SystemManufacturer":"Iris","SystemProductName":"IrOS","Time":"1697992762.221","Timezone":"America/Chicago","Version":"Windows ME","aid":"ffffffffac4148947ed68497e89f3308","aip":"16.15.12.10","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win"} | |||
{"AgentLoadFlags":"1","AgentLocalTime":"1697775225","AgentTimeOffset":"15889.017","AgentVersion":"7.01.13922.0","BiosManufacturer":"Iris","BiosVersion":"vG17V.21040423/z64","ChassisType":"Other","City":"Chicago","ComputerName":"FEVWSN1-234","ConfigBuild":"1007.3.0017312.1","ConfigIDBuild":"13922","Continent":"North America","Country":"United States of America","FalconGroupingTags":"'FalconGroupingTags/AMERICA'","FirstSeen":"1628678052.0","HostHiddenStatus":"Visible","MachineDomain":"groot.org","OU":"Servers;America;Offices","PointerSize":"8","ProductType":"3.0","SensorGroupingTags":"none","ServicePackMajor":"0","SiteName":"BCL","SystemManufacturer":"Iris","SystemProductName":"IrOS","Time":"1697992719.22","Timezone":"America/Chicago","Version":"Windows Server 2021","aid":"ffffffff8be84591864008eb2e484920","aip":"16.15.12.10","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win"} |
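Review bot: The aidmaster fixture uses aip values 42.7.15.32, 42.7.16.195 and 16.15.12.10, whereas the event fixture in this same patch uses 67.43.156.x throughout; keeping every fixture on the same fixed test range avoids host metadata and the events it enriches producing different geo-enrichment results in tests. The country naming is also inconsistent between records ("America" on the third record, "United States of America" on the fourth, both with Timezone America/Chicago), which is harmless for the aid lookup but worth aligning while the file is being touched.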
aid changed to hit an event that has both host and user metadata keys.
@@ -116,7 +116,7 @@ | |||
{"AuthenticationId":"999","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855185.108","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\gpsvc.dll","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"219053851298","RpcClientThreadId":"22047924482692","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"gpsvc","TargetProcessId":"224116976578","TargetThreadId":"22920092479704","TokenType":"1","UserName":"user7","aid":"ffffffff59514ea68b4693ddfb9b6643","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStarted","id":"ffffffff-1111-11eb-860c-0606af112d55","name":"HostedServiceStartedV2","timestamp":"1604855184068"} | |||
{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855299.018","EffectiveTransmissionClass":"3","Entitlements":"15","ServiceDisplayName":"wuauserv","TargetProcessId":"661455186053","TargetThreadId":"24238019995551","aid":"ffffffff2b5a4bf5afc6682595faa016","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStopped","id":"ffffffff-1111-11eb-9b11-0602a5689467","name":"HostedServiceStoppedV1","timestamp":"1604855302512"} | |||
{"AuthenticationId":"3443175","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1091372257857","ContextThreadId":"36855848099771","ContextTimeStamp":"1604855227.625","DiskParentDeviceInstanceId":"PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100","FileObject":"18446603341701082336","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"288041","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\ex.pdf.8e41hf8.partial","TokenType":"1","aid":"ffffffff32cb4abc50bc133b31a69946","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PdfFileWritten","id":"ffffffff-1111-11eb-baea-02dccfbb7779","name":"PdfFileWrittenV11","timestamp":"1604855264313"} | |||
{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1604855182022"} | |||
{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1601546312519"} |
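Review bot: The only change in this hunk is the trailing ProcessRollup2 record's timestamp, 1604855182022 to 1601546312519, which now predates the same record's ProcessStartTime (1604855181.648) and the ContextTimeStamp of the neighbouring events by roughly five weeks. That is fine for forcing it to the front of the queue as the sample event, but any check that compares @timestamp with process.start on the sample would see the event recorded before its process started, so a short comment beside the fixture or the test noting that this record is deliberately back-dated would save the next reader the puzzle.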
timestamp changed to bring it to the front of the queue and become the sample event.
preserve_original_event: true | ||
keep_metadata: true | ||
assert: | ||
hit_count: 131 |
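Review bot: hit_count: 131 is a sum of three fixture sizes (the comment below gives 125 events, 5 aidmaster records and 1 userinfo record), but nothing in the config records that breakdown; a comment beside the assert stating the arithmetic, so that the next person who adds a fixture line knows which of the three inputs to bump, would stop a fixture edit from silently failing this assertion.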
125 events, 5 aidmaster records and 1 userinfo record.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
- append: | ||
field: related.user | ||
value: "{{{crowdstrike.info.user.User}}}" | ||
ignore_failure: true |
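Review bot: ignore_failure: true on this append hides any error from rendering {{{crowdstrike.info.user.User}}}, not merely an absent field; if the processor is already guarded by an if null check on that field, as the comment below states, there is no expected failure left to ignore and removing the flag makes genuine template errors visible instead of silently leaving related.user unset.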
Can ignore_failure be removed from this processor, since you already have a conditional null check?
Fair enough. Was following the pattern of the appends above.
}, | ||
"user": { | ||
"AccountType": "Domain User", | ||
"LastLoggedOnHost": "COMPUTER1", |
Is this also a good candidate for related.hosts? Not sure, just checking.
This makes sense. Will do that.
LGTM 👍🏼
Package crowdstrike - 1.28.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
After upgrading 2 days ago, many ProcessRollup2 events are missing the username within the last 24 hours. It looks like the user enrichment isn't working as expected. Here are some metrics which show how the user enrichment is working over the last 24 hours.

event.action:ProcessRollup2 and user.id: S-1-5-21* and not user.name:* = 1,678,329 hits
event.action:ProcessRollup2 and user.id: S-1-5-21* and user.name:* = 292,066 hits

Here are some other events which could improve the enrichment process. Crowdstrike previously told us to use the UserIdentity event for username enrichment.

UserIdentity
UserLogon
UserLogoff
UserInformationEtw
Just a reminder this doesn't work. We have 20 million logs in the last 24 hours where crowdstrike.AuthenticationId:*; 17 million logs have no user.name, which means enrichment isn't working for the majority. Another view is ProcessRollup2:

crowdstrike.AuthenticationId:* and not user.name:* = 14,092,401 hits where enrichment isn't working
crowdstrike.AuthenticationId:* and user.name:* = 1,178,348 hits

Crowdstrike told us to use the UserIdentity event for enrichment.
To add on to @mbudge, that UserInfo dataset only exists if you have Falcon Discover. Additionally the current implementation only "works" for Windows. Seems like it would be feasible to build the cache based on UserLogon event types, which include the Host/AID-->SID/UID-->UserName mapping required for the enrichment to work properly. |
@mbudge @tsqrd I took a try at improving the user enrichment by modifying the elastic-agent processor that comes in the fdr config to utilize UserIdentity and UserLogon events. I opted to build the userinfo (useridentity_Win/useridentity_Lin) caches with the aid_SID/UID (Windows/Linux) with the reported username and then match it up to the aid_SID/UID of other events if those two values exist, but not overwriting events that match but already have a UserName field. Feel free to tweak as necessary. So far it's been working for me using the default ingest pipelines.
I'm testing the processor now. Another improvement for UserIdentity event caching could be crowdstrike.info.host.MachineDomain as well as host.name, where MachineDomain != "none". Obvs this would cache the user.name the first time it's seen on the domain. |
I did consider adding the domain name information but didn't think it was overly useful in my use cases, as you can differentiate a local user from a domain user based on the SID length. But yes, it would be useful for others. Also, I'm noticing that when the UserID/UserName mapping is not in the cache the enrichment script doesn't add the hostname field. I need to build some logic around that, or reorder it. Still investigating, but I did notice this issue come up with missing host.name enrichment for certain conditions.
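The cache-and-match scheme described two comments up (an aid_SID / aid_UID key built from UserIdentity and UserLogon events, applied only to events that lack a UserName) and the host.name gap noted in the last comment, written out as an added Python example that is not the PR's processor or any CrowdStrike code. The events, aids, SIDs and host names are constructed for illustration; host enrichment is keyed on aid alone so it never depends on a user-cache hit.

```python
# Constructed sample events (not from the PR or from CrowdStrike); aids, SIDs and names are made up.
USER_EVENTS = [
    {"event_simpleName": "UserIdentity", "event_platform": "Win", "aid": "aid0001",
     "UserSid": "S-1-5-21-1111-2222-3333-1001", "UserName": "alice"},
    {"event_simpleName": "UserLogon", "event_platform": "Lin", "aid": "aid0002",
     "UID": "1000", "UserName": "bob"},
    {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "aid": "aid0001",
     "UserSid": "S-1-5-21-1111-2222-3333-1002", "UserName": "ignored"},  # not an identity event
]
AIDMASTER = [{"aid": "aid0001", "ComputerName": "WIN-01"}, {"aid": "aid0002", "ComputerName": "lin-02"}]


def identity_key(event):
    """Per-host identity key: aid_SID on Windows, aid_UID on Linux, None if either part is missing."""
    plat = event.get("event_platform")
    ident = event.get("UserSid") if plat == "Win" else event.get("UID") if plat == "Lin" else None
    return f"{event['aid']}_{ident}" if event.get("aid") and ident else None


def build_user_cache(events):
    """Map aid_SID / aid_UID -> UserName from UserIdentity and UserLogon events only; latest wins."""
    cache = {}
    for ev in events:
        if ev.get("event_simpleName") in ("UserIdentity", "UserLogon"):
            key = identity_key(ev)
            if key and ev.get("UserName"):
                cache[key] = ev["UserName"]
    return cache


def build_host_cache(aidmaster):
    """Map aid -> ComputerName from aidmaster records (hypothetical minimal record shape)."""
    return {rec["aid"]: rec["ComputerName"] for rec in aidmaster if rec.get("ComputerName")}


def enrich(event, user_cache, host_cache):
    """Return a copy with UserName filled from the cache only when absent, and ComputerName
    taken from aidmaster keyed on aid alone, so host enrichment does not depend on a user hit."""
    out = dict(event)
    key = identity_key(out)
    if key in user_cache and not out.get("UserName"):
        out["UserName"] = user_cache[key]
    host = host_cache.get(out.get("aid"))
    if host and not out.get("ComputerName"):
        out["ComputerName"] = host
    return out
```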
Proposed commit message
See title.

Checklist
changelog.yml file.

Author's Checklist

How to test this PR locally
Make the following change:
Then:
(gsed is GNU sed, so if on macOS you will need to install that; if on Linux, s/gsed/sed/ in the command above.)
Then test with elastic-package as normal.

Related issues

Screenshots