
CrowdStrike integration #8129

Open
havidarou opened this issue Apr 6, 2021 · 12 comments

@havidarou
Member

Hello,

The idea for this integration is to be able to ingest CrowdStrike logs into Wazuh.

It looks like the Falcon SIEM connector can create a data stream in a Syslog format.

We need to test this approach and create rules/decoders for these events.

Useful links:

Regards,
Javier.

@72nomada
Contributor

72nomada commented Oct 6, 2021

The SIEM connector can also create JSON output. Maybe it will be easier to manage JSON output from decoders/rules.

We can also follow, as a sample approach, the one from Elastic - the Crowdstrike module.

It seems that the SIEM connector is just using a few calls to the Crowdstrike API; maybe we should consider a deeper integration, as we have for AWS and other cloud services.

@jcruzlp jcruzlp self-assigned this Oct 8, 2021
@maumrsms
Member

Hello team, I received some Crowdstrike log samples.

@jcruzlp
Contributor

jcruzlp commented Nov 11, 2021

Progress Update

After testing one of the logs provided (converting it to line format):

{"metadata":{"customerIDString": "----------------------------","offset": 150,"eventType": "DetectionSummaryEvent","eventCreationTime": 1633411055000,"version": "1.0"},"event":{"ProcessStartTime":1628973348,"ProcessEndTime": 0,"ProcessId":152927595828,"ParentProcessId": 146153645106,"ComputerName": "D0041","UserName": "-----","DetectName": "NGAV","DetectDescription": "This file is classified as Adware/PUP based on its SHA256 hash.","Severity": 2,"SeverityName": "Low","FileName": "rlvknlg.exe","FilePath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\RelevantKnowledge","CommandLine": "\"C:\\Program Files (x86)\\RelevantKnowledge\\rlvknlg.exe\" -boot","SHA256String": "b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec","MD5String": "5a623b2a97ef5eeea8aec8655ad8af70","SHA1String": "0000000000000000000000000000000000000000","MachineDomain": "D0041","FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/8f16d32a3b014d189329a7b8aa38daad/107377221620?_cid=g03000cr6rqoaejngljf4hbu362cz4ui","SensorId": "8f16d32a3b014d189329a7b8aa38daad","IOCType": "hash_sha256","IOCValue":"b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec","DetectId":"ldt:8f16d32a3b014d189329a7b8aa38daad:107377221620","LocalIP":"192.168.9.105","MACAddress":"N/A","Tactic":"Malware","Technique":"PUP","Objective":"Falcon Detection Method","PatternDispositionDescription":"Prevention, process was blocked from execution.","PatternDispositionValue":2048,"PatternDispositionFlags":{"Indicator":false,"Detect":false,"InddetMask":false,"SensorOnly":false,"Rooting":false,"KillProcess":false,"KillSubProcess":false,"QuarantineMachine":false,"QuarantineFile":false,"PolicyDisabled":false,"KillParent":false,"OperationBlocked":false,"ProcessBlocked":true,"RegistryOperationBlocked":false,"CriticalProcessDisabled":false,"BootupSafeguardEnabled":false,"FsOperationBlocked":false,"HandleOperationDowngraded":false,"KillActionFailed":false,"BlockingUnsupportedOrDisabled":false,"SuspendProcess":false,"SuspendParent":false},"ParentImageFileName":"\\Device\\HarddiskVolume4\\Program Files (x86)\\RelevantKnowledge\\rlservice.exe","ParentCommandLine":"\"C:\\Program Files (x86)\\RelevantKnowledge\\rlservice.exe\" /service","GrandparentImageFileName":"\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe","GrandparentCommandLine":"C:\\WINDOWS\\system32\\services.exe"}}

Got the following output from wazuh-logtest in version 4.2.4:

**Phase 1: Completed pre-decoding.
	full event: '{"metadata":{"customerIDString": "--------------------------------------","offset": 150,"eventType": "DetectionSummaryEvent","eventCreationTime": 1633411055000,"version": "1.0"},"event":{"ProcessStartTime":1628973348,"ProcessEndTime": 0,"ProcessId":152927595828,"ParentProcessId": 146153645106,"ComputerName": "D0041","UserName": "-----","DetectName": "NGAV","DetectDescription": "This file is classified as Adware/PUP based on its SHA256 hash.","Severity": 2,"SeverityName": "Low","FileName": "rlvknlg.exe","FilePath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\RelevantKnowledge","CommandLine": "\"C:\\Program Files (x86)\\RelevantKnowledge\\rlvknlg.exe\" -boot","SHA256String": "b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec","MD5String": "5a623b2a97ef5eeea8aec8655ad8af70","SHA1String": "0000000000000000000000000000000000000000","MachineDomain": "D0041","FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/8f16d32a3b014d189329a7b8aa38daad/107377221620?_cid=g03000cr6rqoaejngljf4hbu362cz4ui","SensorId": "8f16d32a3b014d189329a7b8aa38daad","IOCType": "hash_sha256","IOCValue":"b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec","DetectId":"ldt:8f16d32a3b014d189329a7b8aa38daad:107377221620","LocalIP":"192.168.9.105","MACAddress":"N/A","Tactic":"Malware","Technique":"PUP","Objective":"Falcon Detection Method","PatternDispositionDescription":"Prevention, process was blocked from execution.","PatternDispositionValue":2048,"PatternDispositionFlags":{"Indicator":false,"Detect":false,"InddetMask":false,"SensorOnly":false,"Rooting":false,"KillProcess":false,"KillSubProcess":false,"QuarantineMachine":false,"QuarantineFile":false,"PolicyDisabled":false,"KillParent":false,            "OperationBlocked":false,"ProcessBlocked":true,"RegistryOperationBlocked":false,"CriticalProcessDisabled":false,"BootupSafeguardEnabled":false,"FsOperationBlocked":false,"HandleOperationDowngraded":false,            
"KillActionFailed":false,"BlockingUnsupportedOrDisabled":false,"SuspendProcess":false,"SuspendParent":false},"ParentImageFileName":"\\Device\\HarddiskVolume4\\Program Files (x86)\\RelevantKnowledge\\rlservice.exe","ParentCommandLine":"\"C:\\Program Files (x86)\\RelevantKnowledge\\rlservice.exe\" /service","GrandparentImageFileName":"\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe","GrandparentCommandLine":"C:\\WINDOWS\\system32\\services.exe"}}'

**Phase 2: Completed decoding.
	name: 'json'
	event.CommandLine: '"C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe" -boot'
	event.ComputerName: 'D0041'
	event.DetectDescription: 'This file is classified as Adware/PUP based on its SHA256 hash.'
	event.DetectId: 'ldt:8f16d32a3b014d189329a7b8aa38daad:107377221620'
	event.DetectName: 'NGAV'
	event.FalconHostLink: 'https://falcon.crowdstrike.com/activity/detections/detail/8f16d32a3b014d189329a7b8aa38daad/107377221620?_cid=g03000cr6rqoaejngljf4hbu362cz4ui'
	event.FileName: 'rlvknlg.exe'
	event.FilePath: '\Device\HarddiskVolume4\Program Files (x86)\RelevantKnowledge'
	event.GrandparentCommandLine: 'C:\WINDOWS\system32\services.exe'
	event.GrandparentImageFileName: '\Device\HarddiskVolume4\Windows\System32\services.exe'
	event.IOCType: 'hash_sha256'
	event.IOCValue: 'b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec'
	event.LocalIP: '192.168.9.105'
	event.MACAddress: 'N/A'
	event.MD5String: '5a623b2a97ef5eeea8aec8655ad8af70'
	event.MachineDomain: 'D0041'
	event.Objective: 'Falcon Detection Method'
	event.ParentCommandLine: '"C:\Program Files (x86)\RelevantKnowledge\rlservice.exe" /service'
	event.ParentImageFileName: '\Device\HarddiskVolume4\Program Files (x86)\RelevantKnowledge\rlservice.exe'
	event.ParentProcessId: '146153645106.000000'
	event.PatternDispositionDescription: 'Prevention, process was blocked from execution.'
	event.PatternDispositionFlags.BlockingUnsupportedOrDisabled: 'false'
	event.PatternDispositionFlags.BootupSafeguardEnabled: 'false'
	event.PatternDispositionFlags.CriticalProcessDisabled: 'false'
	event.PatternDispositionFlags.Detect: 'false'
	event.PatternDispositionFlags.FsOperationBlocked: 'false'
	event.PatternDispositionFlags.HandleOperationDowngraded: 'false'
	event.PatternDispositionFlags.InddetMask: 'false'
	event.PatternDispositionFlags.Indicator: 'false'
	event.PatternDispositionFlags.KillActionFailed: 'false'
	event.PatternDispositionFlags.KillParent: 'false'
	event.PatternDispositionFlags.KillProcess: 'false'
	event.PatternDispositionFlags.KillSubProcess: 'false'
	event.PatternDispositionFlags.OperationBlocked: 'false'
	event.PatternDispositionFlags.PolicyDisabled: 'false'
	event.PatternDispositionFlags.ProcessBlocked: 'true'
	event.PatternDispositionFlags.QuarantineFile: 'false'
	event.PatternDispositionFlags.QuarantineMachine: 'false'
	event.PatternDispositionFlags.RegistryOperationBlocked: 'false'
	event.PatternDispositionFlags.Rooting: 'false'
	event.PatternDispositionFlags.SensorOnly: 'false'
	event.PatternDispositionFlags.SuspendParent: 'false'
	event.PatternDispositionFlags.SuspendProcess: 'false'
	event.PatternDispositionValue: '2048'
	event.ProcessEndTime: '0'
	event.ProcessId: '152927595828.000000'
	event.ProcessStartTime: '1628973348'
	event.SHA1String: '0000000000000000000000000000000000000000'
	event.SHA256String: 'b0b8c0b9e1cea6d87cd10de1ba022955e4ece120b84f001b46998e9a3691eeec'
	event.SensorId: '8f16d32a3b014d189329a7b8aa38daad'
	event.Severity: '2'
	event.SeverityName: 'Low'
	event.Tactic: 'Malware'
	event.Technique: 'PUP'
	event.UserName: '------'
	metadata.customerIDString: '----------------------'
	metadata.eventCreationTime: '1633411055000.000000'
	metadata.eventType: 'DetectionSummaryEvent'
	metadata.offset: '150'
	metadata.version: '1.0'

**Phase 3: Completed filtering (rules).
	id: '1002'
	level: '2'
	description: 'Unknown problem somewhere in the system.'
	groups: '['syslog', 'errors']'
	firedtimes: '3'
	gpg13: '['4.3']'
	mail: 'False'

Searching the documentation for how to work with these fields to create basic rules for Crowdstrike.
Since the documentation doesn't give much information, I will study the logs and set rules based on them.

Rules to create

  • SeverityName has the values Low, Medium and High so three rules can be created from this.
  • The ServiceName field can be used for auth; this can create a level 0 rule and be the parent of two rules that use the field Success with the values true and false (maybe a repetition of failures can give another rule with MITRE mapping).
  • There's an action of releal_token given by OperationName.

@maumrsms
Member

maumrsms commented Dec 18, 2021

Hello team!

Based on the log samples we have and on these documents:

I've created the next ruleset:

<group name="crowdstrike">

  <rule id="195001" level="0">
    <decoded_as>json</decoded_as>
    <field name="metadata.customerIDString">\.+</field>
    <field name="metadata.offset">\.+</field>
    <field name="metadata.eventType">\.+</field>
    <field name="metadata.eventCreationTime">\.+</field>
    <field name="metadata.version">\.+</field>
    <description>Crowdstrike parent alert</description>
  </rule>

  <rule id="195002" level="0">
    <if_sid>195001</if_sid>
    <field name="metadata.eventType">DetectionSummaryEvent</field>
    <description>Crowdstrike alert - DetectionSummaryEvent: $(event.DetectDescription)</description>
  </rule>

  <rule id="195003" level="0">
    <if_sid>195001</if_sid>
    <field name="metadata.eventType">AuthActivityAuditEvent</field>
    <description>Crowdstrike alert - AuthActivityAuditEvent: $(event.DetectDescription)</description>
  </rule>

  <rule id="195004" level="3">
    <if_sid>195001</if_sid>
    <field name="metadata.eventType">UserActivityAuditEvent</field>
    <description>Crowdstrike alert - UserActivityAuditEvent: $(event.OperationName)</description>
  </rule>

  <rule id="195005" level="5">
    <if_sid>195001</if_sid>
    <field name="metadata.eventType">IncidentSummaryEvent</field>
    <description>Crowdstrike alert - IncidentSummaryEvent: $(event.DetectDescription)</description>
  </rule>

  <rule id="195006" level="3">
    <if_sid>195002</if_sid>
    <field name="event.SeverityName">Low</field>
    <description>Crowdstrike alert - Low severity detection: $(event.DetectDescription)</description>
  </rule>

  <rule id="195007" level="5">
    <if_sid>195002</if_sid>
    <field name="event.SeverityName">Medium</field>
    <description>Crowdstrike alert - Medium severity detection: $(event.DetectDescription)</description>
  </rule>

  <rule id="195008" level="7">
    <if_sid>195002</if_sid>
    <field name="event.SeverityName">High</field>
    <description>Crowdstrike alert - High severity detection: $(event.DetectDescription)</description>
  </rule>

  <rule id="195009" level="3">
    <if_sid>195003</if_sid>
    <field name="event.Success">true</field>
    <description>Crowdstrike alert - User authentication success - UserId: $(event.UserId)</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="195010" level="6">
    <if_sid>195003</if_sid>
    <field name="event.Success">false</field>
    <description>Crowdstrike alert - User authentication failed - UserId: $(event.UserId)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>

I still need to assign them proper groups for the resulting alerts to be part of adequate dashboards.
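To make the if_sid chain above concrete, here is an added Python model of that ruleset (example code written for this page, not part of Wazuh or of the project). It assumes that `\.+` means "any non-empty value", that literal field values match exactly, and it approximates the dotted-field flattening the Wazuh JSON decoder showed in the wazuh-logtest output earlier in the thread; the sample events are constructed.

```python
# Constructed sample events (not the page's log) in the shape the Falcon SIEM
# connector emits: a metadata envelope around an event body.
def envelope(event_type, offset, body):
    return {"metadata": {"customerIDString": "cid-example", "offset": offset,
                         "eventType": event_type, "eventCreationTime": 1633411055000,
                         "version": "1.0"}, "event": body}
DETECTION = envelope("DetectionSummaryEvent", 1, {"SeverityName": "High"})
AUTH_FAIL = envelope("AuthActivityAuditEvent", 2, {"Success": False, "UserId": "alice@example.com"})

def flatten(obj, prefix=""):
    """Dotted keys as the Wazuh JSON decoder exposes them; booleans print as 'true'/'false'."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, bool):
            out[name] = "true" if value else "false"
        else:
            out[name] = str(value)
    return out

# Model of the ruleset above: (id, level, if_sid parent, {field: expected});
# None stands in for the page's `\.+` (any non-empty value), strings match exactly.
METADATA = ["customerIDString", "offset", "eventType", "eventCreationTime", "version"]
RULES = [
    (195001, 0, None, {"metadata." + f: None for f in METADATA}),
    (195002, 0, 195001, {"metadata.eventType": "DetectionSummaryEvent"}),
    (195003, 0, 195001, {"metadata.eventType": "AuthActivityAuditEvent"}),
    (195006, 3, 195002, {"event.SeverityName": "Low"}),
    (195007, 5, 195002, {"event.SeverityName": "Medium"}),
    (195008, 7, 195002, {"event.SeverityName": "High"}),
    (195009, 3, 195003, {"event.Success": "true"}),
    (195010, 6, 195003, {"event.Success": "false"}),
]

def matches(rule, fields):
    return all(fields.get(f, "") != "" if want is None else fields.get(f) == want
               for f, want in rule[3].items())

def evaluate(event):
    """Walk the if_sid chain from a root rule to the deepest matching child; return (id, level)."""
    fields = flatten(event)
    current = next((r for r in RULES if r[2] is None and matches(r, fields)), None)
    while current is not None:
        child = next((r for r in RULES if r[2] == current[0] and matches(r, fields)), None)
        if child is None:
            return current[0], current[1]
        current = child
    return None
```

A DetectionSummaryEvent with an unexpected SeverityName stops at the level 0 parent 195002, which is why the per-severity children matter for alerting.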

@maumrsms
Member

I've just updated this comment to update the rules with recent improvements.

@aderumier
Contributor

Hi,
I'm currently trying to test your rules.

It seems that the CrowdStrike SIEM connector JSON logs are sent multiline, which doesn't seem to be supported by Wazuh currently:
#3403

I haven't found an option in CrowdStrike to enable single-line JSON.

How do you handle this?

@jctello
Contributor

jctello commented Sep 22, 2022

Hi @aderumier,

You may collect multiline Crowdstrike logs with the following configuration:

  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>/var/log/crowdstrike/falconhoseclient/output</location>
    <multiline_regex replace="wspace">^{</multiline_regex>
  </localfile>

Variable multiline log collection was added in Wazuh 4.2.0. In this configuration I'm looking to start every log at lines that begin with the opening { character, while replacing all whitespace characters (including line breaks) to make it natively readable by the built-in JSON decoder.
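As an added illustration (not Wazuh's code, nor from this issue), this Python script reproduces what that configuration does to the connector's pretty-printed output: a new record starts at every line beginning with `{`, the record's lines are joined with a space, and each record is parsed, with incomplete ones set aside instead of breaking the batch. The input is constructed.

```python
import json
import re

# Constructed sample of pretty-printed connector output (not a real capture):
# two records; each starts at a line whose first character is "{".
RAW = """{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 1},
  "event": {
    "SeverityName": "High",
    "CommandLine": "\\"C:\\\\tool.exe\\" -boot"
  }
}
{
  "metadata": {"eventType": "AuthActivityAuditEvent", "offset": 2},
  "event": {"Success": false, "UserId": "alice@example.com"}
}
"""

def reassemble(text, start=r"^{", joiner=" "):
    """Mirror multiline_regex with replace="wspace": a record begins at every
    line matching `start`; its lines are joined with a space so the result is
    one line per event, as the JSON decoder expects."""
    records, current = [], []
    for line in text.splitlines():
        if re.match(start, line) and current:
            records.append(joiner.join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append(joiner.join(current))
    return records

def parse_records(text):
    """Parse each reassembled record; keep unparsable ones (e.g. a record cut
    off mid-write) aside instead of silently dropping the whole batch."""
    good, bad = [], []
    for rec in reassemble(text):
        try:
            good.append(json.loads(rec))
        except json.JSONDecodeError:
            bad.append(rec)
    return good, bad
```

Joining on whitespace is safe for valid JSON because string values cannot contain raw line breaks, so the only newlines in the stream are structural.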

@eltonpadilha

Hello everyone, nice content. I'm looking for the same integration, but I'm not able to use the connector. Is there a way to create this integration using, for example, a Python script? Any ideas? My Wazuh runs behind a Kubernetes cluster.

@72nomada 72nomada removed their assignment Mar 16, 2023
@brmb

brmb commented Jun 6, 2023

Hello everyone, any news? I'm also looking for the same integration ;)

@eltonpadilha

Hello guys, I found a "workaround"!
The solution I made is basically to create a Lambda function to connect to the Falcon API and pull the events. The Lambda runs every five minutes using the AWS EventBridge feature, then sends the events to a CloudWatch log group. With that, you can use the Wazuh AWS CloudWatch integration to pull the events into Wazuh; here you just need to create the custom rules to generate the alerts.

@vslknsgr

@eltonpadilha: Please share this Lambda function with me at vslknsgr@yahoo.com

@nednones

@eltonpadilha can you ping me the solution for Crowdstrike too?


10 participants