CrowdStrike integration #8129
Comments
The SIEM connector can also create JSON output; maybe it will be easier to manage JSON output from decoders/rules. We can also follow, as a sample approach, the one from Elastic (CrowdStrike module). It seems that the SIEM connector is just using a few calls to the CrowdStrike API; maybe we should consider a deeper integration as we have for AWS and other cloud services. |
Hello team, I received some CrowdStrike log samples. |
Progress Update: After testing one of the logs provided (converting it to line format):
I got the following output from
I am searching the documentation for how to work with these fields to create basic rules for CrowdStrike. Rules to create:
|
Hello team! Based on the log samples we have and on these documents:
I've created the following ruleset:
<group name="crowdstrike">
<rule id="195001" level="0">
<decoded_as>json</decoded_as>
<field name="metadata.customerIDString">\.+</field>
<field name="metadata.offset">\.+</field>
<field name="metadata.eventType">\.+</field>
<field name="metadata.eventCreationTime">\.+</field>
<field name="metadata.version">\.+</field>
<description>Crowdstrike parent alert</description>
</rule>
<rule id="195002" level="0">
<if_sid>195001</if_sid>
<field name="metadata.eventType">DetectionSummaryEvent</field>
<description>Crowdstrike alert - DetectionSummaryEvent: $(event.DetectDescription)</description>
</rule>
<rule id="195003" level="0">
<if_sid>195001</if_sid>
<field name="metadata.eventType">AuthActivityAuditEvent</field>
<description>Crowdstrike alert - AuthActivityAuditEvent: $(event.DetectDescription)</description>
</rule>
<rule id="195004" level="3">
<if_sid>195001</if_sid>
<field name="metadata.eventType">UserActivityAuditEvent</field>
<description>Crowdstrike alert - UserActivityAuditEvent: $(event.OperationName)</description>
</rule>
<rule id="195005" level="5">
<if_sid>195001</if_sid>
<field name="metadata.eventType">IncidentSummaryEvent</field>
<description>Crowdstrike alert - IncidentSummaryEvent: $(event.DetectDescription)</description>
</rule>
<rule id="195006" level="3">
<if_sid>195002</if_sid>
<field name="event.SeverityName">Low</field>
<description>Crowdstrike alert - Low severity detection: $(event.DetectDescription)</description>
</rule>
<rule id="195007" level="5">
<if_sid>195002</if_sid>
<field name="event.SeverityName">Medium</field>
<description>Crowdstrike alert - Medium severity detection: $(event.DetectDescription)</description>
</rule>
<rule id="195008" level="7">
<if_sid>195002</if_sid>
<field name="event.SeverityName">High</field>
<description>Crowdstrike alert - High severity detection: $(event.DetectDescription)</description>
</rule>
<rule id="195009" level="3">
<if_sid>195003</if_sid>
<field name="event.Success">true</field>
<description>Crowdstrike alert - User authentication success - UserId: $(event.UserId)</description>
<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
<rule id="195010" level="6">
<if_sid>195003</if_sid>
<field name="event.Success">false</field>
<description>Crowdstrike alert - User authentication failed - UserId: $(event.UserId)</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
</group>
I still need to assign them proper groups so that the resulting alerts are part of the adequate dashboards. |
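To check how the parent/child chain above resolves for a given event, here is an added example (not part of the issue or of Wazuh) that walks the same rule tree in Python over a constructed JSON event. It assumes, as Wazuh's JSON decoder does, that field values are compared as text (so `\.+` means "present and non-empty" and a boolean `Success` compares as `true`/`false`); all sample values are made up.

```python
import json

# Constructed sample event with the field names the ruleset matches on
# (values invented; this is not a real CrowdStrike event).
SAMPLE_DETECTION = json.dumps({
    "metadata": {
        "customerIDString": "EXAMPLE-CID",
        "offset": 12,
        "eventType": "DetectionSummaryEvent",
        "eventCreationTime": 1600000000000,
        "version": "1.0",
    },
    "event": {"SeverityName": "High", "DetectDescription": "example detection"},
})

PARENT_FIELDS = ("customerIDString", "offset", "eventType", "eventCreationTime", "version")
# Child rules of 195001 keyed by metadata.eventType -> (rule id, level)
EVENT_TYPE_RULES = {
    "DetectionSummaryEvent": (195002, 0),
    "AuthActivityAuditEvent": (195003, 0),
    "UserActivityAuditEvent": (195004, 3),
    "IncidentSummaryEvent": (195005, 5),
}
SEVERITY_RULES = {"Low": (195006, 3), "Medium": (195007, 5), "High": (195008, 7)}  # children of 195002
AUTH_RULES = {"true": (195009, 3), "false": (195010, 6)}                            # children of 195003

def evaluate(raw):
    """Return (rule_id, level) of the most specific matching rule, or None."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None  # not JSON: the json decoder would not fire at all
    meta = doc.get("metadata", {})
    # Rule 195001: every metadata field must be present and non-empty (\.+)
    if not all(str(meta.get(f, "")) != "" for f in PARENT_FIELDS):
        return None
    match = (195001, 0)
    etype = meta.get("eventType")
    if etype not in EVENT_TYPE_RULES:
        return match  # only the parent rule fires (level 0, no alert)
    match = EVENT_TYPE_RULES[etype]
    ev = doc.get("event", {})
    if etype == "DetectionSummaryEvent":
        match = SEVERITY_RULES.get(ev.get("SeverityName"), match)
    elif etype == "AuthActivityAuditEvent":
        success = str(ev.get("Success", "")).lower()  # bool or string -> "true"/"false"
        match = AUTH_RULES.get(success, match)
    return match
```

Unknown event types stop at the level-0 parent rule, which is why the chain produces no alert for them.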
I've just updated this comment to update the rules with recent improvements. |
Hi, it seems that the CrowdStrike SIEM connector JSON logs are sent as multiline, which doesn't seem to be supported by Wazuh currently. I haven't found an option in CrowdStrike to enable single-line JSON. How do you handle this? |
Hi @aderumier, you may collect multiline CrowdStrike logs with the following configuration:
Variable multiline log collection was added in Wazuh 4.2.0, and in this configuration I'm looking to start every log with lines that begin with the opening |
Hello everyone, nice content. I'm looking for the same integration, but I'm not able to use the connector. Is there a way to create this integration using, for example, a Python script? Any ideas? My Wazuh runs behind a Kubernetes cluster. |
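For Wazuh versions without variable multiline collection, the same problem can be solved before the logcollector sees the file. The following is an added example (not from the issue or from Wazuh/CrowdStrike) that scans pretty-printed JSON output, tracks brace depth while ignoring braces inside strings, and re-emits every complete top-level object as one compact line. The sample input is constructed; the events and values are invented.

```python
import json

# Constructed multiline sample shaped like pretty-printed connector output.
MULTILINE_SAMPLE = """{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 1},
  "event": {
    "DetectDescription": "braces { in } strings must not confuse the scanner"
  }
}
{
  "metadata": {"eventType": "UserActivityAuditEvent", "offset": 2},
  "event": {"OperationName": "example"}
}
"""

def reassemble(text):
    """Yield each top-level JSON object in text as one compact single line."""
    depth, in_str, escaped = 0, False, False
    buf = []
    for ch in text:
        if depth == 0 and ch.isspace():
            continue  # whitespace between events is not part of any object
        buf.append(ch)
        if in_str:
            # Inside a string: only an unescaped quote ends it; braces are data.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # A complete object: parse it (validates the JSON) and
                # re-serialise without newlines for single-line collection.
                yield json.dumps(json.loads("".join(buf)), separators=(",", ":"))
                buf = []
    if buf:
        raise ValueError("truncated event at end of input")

def single_line_events(text):
    return list(reassemble(text))
```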
Hello everyone, any news? I'm also looking for the same integration ;) |
Hello guys, I found a "Workaround"! |
@eltonpadilha: please share this Lambda function with me at vslknsgr@yahoo.com |
@eltonpadilha can you send me the solution for CrowdStrike too? |
Hello,
The idea for this integration is to be able to ingest CrowdStrike logs into Wazuh.
It looks like the Falcon SIEM connector can create a data stream in Syslog format.
We need to test this approach and create rules/decoders for these events.
Useful links:
Regards,
Javier.