This is the CrowdStrike LogScale backend for pySigma. It provides the package sigma.backends.logscale with the LogScaleBackend class.
Further, it contains the falcon_pipeline processing pipeline in sigma.pipelines.falcon which adds field and value mappings for logs collected via the CrowdStrike Falcon Agent.
Only a single output format is supported which is the default output format for LogScale queries.
This backend is currently maintained by:
The following categories and products are supported:
| category | product |
|---|---|
process_creation |
windows, linux |
network_connection |
windows |
dns_query |
windows |
image_load |
windows |
driver_load |
windows |
ps_script |
windows |
There's likely more windows categories that can be supported by the falcon pipeline; I will be adding support gradually as availability allows.
The backend transforms rules into LogScale queries. Due to the LogScale being case-sensitive, the backend heavily utilizes regex delimeters.
The only currently supported pipeline is falcon_pipepline which adds fields and value mappings for events collected through the CrowdStrike agent.
-
Full Paths: Falcon agents do not capture drive names when logging paths. Instead, when drive letters are expected the device path is used. For example,
C:\Windowsresults to\Device\HarddiskVolume3\Windowsin the logs. To account for this, the pipeline replaces any drive letters in fields containing full path with\Device\HarddiskVolume?\(where '?' can be any single character). -
Parent Name: Falcon
process_creationevents do not capture the full path of the parent. Hence, in such cases the transformation is configured to fail. -
DNS Query Results: Falcon
dns_queryevents return the IP records of a successful query in semicolon-seperated string. The pipeline handles this by enforcing a "contains" expression on theQueryResultsfield -
Unsupported fields: Falcon does not always capture the same fields as sysmon for the categories supported. In cases where the rule requires unsupported fields, the transformation fails.