diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8988f67ee3a..bddf23cda64 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -841,6 +841,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] - Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] - Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] +- Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 {issue}23118[23118] {pull}23875[23875] *Heartbeat* diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml index e70201cb174..de7c32e3d3b 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml @@ -16,11 +16,18 @@ tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: -- script: - lang: javascript - id: crowdstrike_falcon - file: ${path.home}/module/crowdstrike/falcon/config/pipeline.js +- decode_json_fields: + fields: + - message + target: crowdstrike + process_array: true + max_depth: 8 +- drop_fields: + fields: + - message + - host.name + ignore_missing: true - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js deleted file mode 100644 index 46bbf671518..00000000000 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ /dev/null @@ -1,474 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var crowdstrikeFalconProcessor = (function () { - var processor = require("processor"); - - // conversion helpers - function convertUnderscore(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - } - - function convertToMSEpoch(evt, field) { - var timestamp = evt.Get(field); - if (timestamp == 0) { - evt.Delete(field) - return - } - if (timestamp) { - if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS - evt.Put(field, timestamp * 1000); - } - (new processor.Timestamp({ - field: field, - target_field: field, - timezone: "UTC", - layouts: ["UNIX_MS"] - })).Run(evt); - } - } - - function convertProcess(evt) { - var commandLine = evt.Get("crowdstrike.event.CommandLine") - if (commandLine && commandLine.trim() !== "") { - var args = commandLine.split(' ').filter(function (arg) { - return arg !== ""; - }); - var executable = args[0] - - evt.Put("process.command_line", commandLine) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - } - } - - function convertSourceDestination(evt) { - var localAddress = evt.Get("crowdstrike.event.LocalAddress"); - var localPort = evt.Get("crowdstrike.event.LocalPort"); - var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); - var remotePort = evt.Get("crowdstrike.event.RemotePort"); - if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { - evt.Put("network.direction", "ingress") - evt.Put("source.ip", remoteAddress) - evt.Put("source.port", remotePort) - evt.Put("destination.ip", localAddress) - evt.Put("destination.port", localPort) - } else { - evt.Put("network.direction", "egress") - evt.Put("destination.ip", remoteAddress) - evt.Put("destination.port", remotePort) - evt.Put("source.ip", localAddress) - evt.Put("source.port", localPort) - } - evt.AppendTo("related.ip", remoteAddress) - evt.AppendTo("related.ip", localAddress) - } - - function convertEventAction(evt) { - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) - } - - function convertUsername(evt) { - var username = evt.Get("crowdstrike.event.UserName") - if (!username || username === "") { - username = evt.Get("crowdstrike.event.UserId") - } - if (username && username !== "") { - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - evt.AppendTo("related.user", username) - } - } - - // event processors by type - var eventProcessors = { - DetectionSummaryEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "alert", - "event.category": ["malware"], - "event.type": ["info"], - "event.dataset": "crowdstrike.falcon_endpoint", - "agent.type": "falcon", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.LocalIP", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.LocalIP", - to: "related.ip", - type: "ip" - }, { - from: "crowdstrike.event.ProcessId", - to: "process.pid", - type: "long" - }, { - from: "crowdstrike.event.ParentImageFileName", - to: "process.parent.executable" - }, { - from: "crowdstrike.event.ParentCommandLine", - to: "process.parent.command_line" - }, { - from: "crowdstrike.event.PatternDispositionDescription", - to: "event.action", - }, { - from: "crowdstrike.event.FalconHostLink", - to: "event.url", - }, { - from: "crowdstrike.event.Severity", - to: "event.severity", - }, { - from: "crowdstrike.event.DetectDescription", - to: "message", - }, { - from: "crowdstrike.event.FileName", - to: "process.name", - }, { - from: "crowdstrike.event.UserName", - to: "user.name", - }, - { - from: "crowdstrike.event.MachineDomain", - to: "user.domain", - }, - { - from: "crowdstrike.event.SensorId", - to: "agent.id", - }, - { - from: "crowdstrike.event.ComputerName", - to: "host.name", - }, - { - from: "crowdstrike.event.SHA256String", - to: "file.hash.sha256", - }, - { - from: "crowdstrike.event.MD5String", - to: "file.hash.md5", - }, - { - from: "crowdstrike.event.SHA1String", - to: "file.hash.sha1", - }, - { - from: "crowdstrike.event.DetectName", - to: "rule.name", - }, - { - from: "crowdstrike.event.DetectDescription", - to: "rule.description", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() - var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) - evt.Put("threat.tactic.name", tactic) - convertProcess(evt) - }) - .Build(), - - IncidentSummaryEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "alert", - "event.category": ["malware"], - "event.type": ["info"], - "event.action": "incident", - "event.dataset": "crowdstrike.falcon_endpoint", - "agent.type": "falcon", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.FalconHostLink", - to: "event.url", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - convertProcess(evt) - }) - .Build(), - - UserActivityAuditEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["iam"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.OperationName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.UserIp", - to: "related.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - - AuthActivityAuditEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["authentication"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.ServiceName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.UserIp", - to: "related.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - convertUsername(evt) - }) - .Build(), - - FirewallMatchEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["network"], - type: ["start", "connection"], - outcome: ["unknown"], - dataset: "crowdstrike.falcon_endpoint", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.Ipv", - to: "network.type", - }, { - from: "crowdstrike.event.PID", - to: "process.pid", - type: "long" - }, - { - from: "crowdstrike.event.RuleId", - to: "rule.id" - }, - { - from: "crowdstrike.event.RuleName", - to: "rule.name" - }, - { - from: "crowdstrike.event.RuleGroupName", - to: "rule.ruleset" - }, - { - from: "crowdstrike.event.RuleDescription", - to: "rule.description" - }, - { - from: "crowdstrike.event.RuleFamilyID", - to: "rule.category" - }, - { - from: "crowdstrike.event.HostName", - to: "host.name" - }, - { - from: "crowdstrike.event.Ipv", - to: "network.type", - }, - { - from: "crowdstrike.event.EventType", - to: "event.code", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") - convertEventAction(evt) - convertProcess(evt) - convertSourceDestination(evt) - }) - .Build(), - - RemoteResponseSessionStartEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "event", - "event.type": ["start"], - "event.dataset": "crowdstrike.falcon_audit", - message: "Remote response session started", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - - RemoteResponseSessionEndEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "event", - "event.type": ["end"], - "event.dataset": "crowdstrike.falcon_audit", - message: "Remote response session ended", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - } - - // main processor - return new processor.Chain() - .DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }) - .Add(function (evt) { - evt.Delete("message"); - evt.Delete("host.name"); - - convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") - convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") - convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") - convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") - - var outcome = evt.Get("crowdstrike.event.Success") - if (outcome === true) { - evt.Put("event.outcome", "success") - } else if (outcome === false) { - evt.Put("event.outcome", "failure") - } else { - evt.Put("event.outcome", "unknown") - } - - var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] - if (eventProcessor) { - eventProcessor.Run(evt) - } - }) - .Convert({ - fields: [{ - from: "crowdstrike.metadata.eventCreationTime", - to: "@timestamp", - }], - mode: "copy", - ignore_missing: false, - fail_on_error: true - }) - .Convert({ - fields: [ - { - from: "crowdstrike.event.LateralMovement", - type: "long", - }, - { - from: "crowdstrike.event.LocalPort", - type: "long", - }, - { - from: "crowdstrike.event.MatchCount", - type: "long", - }, - { - from: "crowdstrike.event.MatchCountSinceLastReport", - type: "long", - }, - { - from: "crowdstrike.event.PID", - type: "long", - }, - { - from: "crowdstrike.event.RemotePort", - type: "long", - }, - { - from: "source.port", - type: "long", - }, - { - from: "destination.port", - type: "long", - } - ], - ignore_missing: true, - fail_on_error: false - }) - .Build() - .Run -})(); - -function process(evt) { - crowdstrikeFalconProcessor(evt); -} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml new file mode 100644 index 00000000000..c7ba463c7bc --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml @@ -0,0 +1,34 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [authentication] + - append: + field: event.type + value: [change] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - convert: + field: crowdstrike.event.ServiceName + type: string + target_field: message + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + - script: + lang: painless + source: | + def regex = /([a-z0-9])([A-Z])/; + def replacement = "$1_$2"; + def action = ctx?.crowdstrike?.event?.OperationName; + if (action == null || action == "") return; + ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml new file mode 100644 index 00000000000..b721c6df1bf --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml @@ -0,0 +1,163 @@ +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.LocalIP + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" + - convert: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_failure: true + type: long + ignore_missing: true + - convert: + field: crowdstrike.event.ParentImageFileName + target_field: process.parent.executable + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ParentCommandLine + target_field: process.parent.command_line + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.PatternDispositionDescription + target_field: event.action + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FileName + target_field: process.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.MachineDomain + target_field: user.domain + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SensorId + target_field: agent.id + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ComputerName + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SHA256String + target_field: file.hash.sha256 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha256}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) + - convert: + field: crowdstrike.event.MD5String + target_field: file.hash.md5 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.md5}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) + - convert: + field: crowdstrike.event.SHA1String + target_field: file.hash.sha1 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha1}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) + - convert: + field: crowdstrike.event.DetectName + target_field: rule.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: rule.description + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Technique + target_field: threat.technique.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.technique.name + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.Tactic + target_field: threat.tactic.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.tactic.name + ignore_missing: true + ignore_failure: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml new file mode 100644 index 00000000000..5437812dd1c --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml @@ -0,0 +1,137 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [firewall_match_event] + - append: + field: event.type + value: [start, connection] + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: message + value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" + if: ctx?.crowdstrike?.event?.RuleName != null + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.PID" + target_field: "process.pid" + ignore_failure: true + ignore_missing: true + type: "long" + - convert: + field: "crowdstrike.event.RuleId" + target_field: "rule.id" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleName" + target_field: "rule.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleGroupName" + target_field: "rule.ruleset" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleDescription" + target_field: "rule.description" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleFamilyID" + target_field: "rule.category" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.HostName" + target_field: "host.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.EventType" + target_field: "event.code" + type: string + ignore_missing: true + ignore_failure: true + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: source.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: source.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml new file mode 100644 index 00000000000..5877ed4f20d --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml @@ -0,0 +1,29 @@ +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: event.action + value: incident + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - set: + field: message + value: "Incident score {{crowdstrike.event.FineScore}}" + if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml index 3aa632ab715..7e7efe5cd74 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -3,6 +3,313 @@ processors: - set: field: event.ingested value: '{{_ingest.timestamp}}' + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + ctx.crowdstrike.event.ProcessStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + ctx.crowdstrike.event.ProcessEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + ctx.crowdstrike.event.IncidentStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + ctx.crowdstrike.event.IncidentEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + ctx.crowdstrike.event.StartTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + ctx.crowdstrike.event.EndTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + ctx.crowdstrike.event.UTCTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + ctx.crowdstrike.metadata.eventCreationTime != 0 && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + ctx.crowdstrike.event.ProcessStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + ctx.crowdstrike.event.ProcessEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + ctx.crowdstrike.event.IncidentStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + ctx.crowdstrike.event.IncidentEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + ctx.crowdstrike.event.StartTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + ctx.crowdstrike.event.EndTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + ctx.crowdstrike.event.UTCTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + ctx.crowdstrike.metadata.eventCreationTime != 0 && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 + - set: + field: event.outcome + value: success + if: ctx?.crowdstrike?.event?.Success == true + - set: + field: event.outcome + value: failure + if: ctx?.crowdstrike?.event?.Success == false + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - convert: + field: crowdstrike.metadata.eventCreationTime + target_field: "@timestamp" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LateralMovement + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LocalPort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCount + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCountSinceLastReport + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.PID + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.RemotePort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: source.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: destination.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserId + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name == null || ctx?.user?.name == "" + - set: + field: user.email + value: "{{user.name}}" + ignore_empty_value: true + ignore_failure: true + if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 + - script: + lang: painless + source: | + def commandLine = ctx?.crowdstrike?.event?.CommandLine; + if (commandLine != null) { + + commandLine = commandLine.trim(); + + if (commandLine != "") { + def args = Arrays.asList(/ /.split(commandLine)); + args.removeIf(arg -> arg == ""); + + ctx["process.command_line"] = commandLine; + ctx["process.args"] = args; + ctx["process.executable"] = args.get(0); + } + } + - pipeline: + name: '{< IngestPipeline "detection_summary" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" + - pipeline: + name: '{< IngestPipeline "incident_summary" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" + - pipeline: + name: '{< IngestPipeline "user_activity_audit" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" + - pipeline: + name: '{< IngestPipeline "auth_activity_audit" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" + - pipeline: + name: '{< IngestPipeline "firewall_match" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" + - pipeline: + name: '{< IngestPipeline "remote_response_session_start" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" + - pipeline: + name: '{< IngestPipeline "remote_response_session_end" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" - script: lang: painless if: ctx?.crowdstrike?.event != null @@ -12,6 +319,8 @@ processors: - '' - '-' - 'N/A' + - 'NA' + - 0 source: | ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - script: @@ -23,8 +332,33 @@ processors: - '' - '-' - 'N/A' + - 'NA' source: | ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.user?.name != null && ctx?.user?.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + - append: + field: related.hosts + value: "{{host.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.host?.name != null && ctx?.host?.name != "" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml new file mode 100644 index 00000000000..4e3b7b834a9 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml @@ -0,0 +1,25 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [remote_response_session_end_event] + - append: + field: event.type + value: [end, session] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: message + value: Remote response session ended. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml new file mode 100644 index 00000000000..834a3dee73d --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml @@ -0,0 +1,25 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [remote_response_session_start_event] + - append: + field: event.type + value: [start, session] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: message + value: Remote response session started. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml new file mode 100644 index 00000000000..6998062561d --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml @@ -0,0 +1,29 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [iam] + - append: + field: event.type + value: [change] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: event.action + value: user_activity_audit_event + - convert: + field: crowdstrike.event.OperationName + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index 905124a0eab..d4f04b84f11 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -8,4 +8,13 @@ var: default: [forwarded] input: config/falcon.yml -ingest_pipeline: ingest/pipeline.yml + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/auth_activity_audit.yml + - ingest/detection_summary.yml + - ingest/firewall_match.yml + - ingest/incident_summary.yml + - ingest/remote_response_session_end.yml + - ingest/remote_response_session_start.yml + - ingest/user_activity_audit.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index 4d21948cac7..690cb98ed09 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -9,13 +9,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_start_event", + "event.action": [ + "remote_response_session_start_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "start" + "start", + "session" ], "fileset.name": "falcon", "host.name": "hostnameofmachine", @@ -24,8 +30,13 @@ "multiline" ], "log.offset": 0, - "message": "Remote response session started", - "related.user": "first.last@company.com", + "message": "Remote response session started.", + "related.hosts": [ + "hostnameofmachine" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -43,13 +54,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_end_event", + "event.action": [ + "remote_response_session_end_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "end" + "end", + "session" ], "fileset.name": "falcon", "host.name": "hostnameofmachine", @@ -58,8 +75,13 @@ "multiline" ], "log.offset": 457, - "message": "Remote response session ended", - "related.user": "first.last@company.com", + "message": "Remote response session ended.", + "related.hosts": [ + "hostnameofmachine" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -119,8 +141,12 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", - "related.ip": "10.10.0.8", - "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "related.ip": [ + "10.10.0.8" + ], + "related.user": [ + "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + ], "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -158,8 +184,12 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -198,8 +228,12 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.3", - "related.user": "bob@company.com", + "related.ip": [ + "192.168.6.3" + ], + "related.user": [ + "bob@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -247,8 +281,12 @@ ], "log.offset": 3136, "message": "update_group", - "related.ip": "192.168.6.13", - "related.user": "chris@company.com", + "related.ip": [ + "192.168.6.13" + ], + "related.user": [ + "chris@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -293,8 +331,12 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -333,8 +375,12 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -379,8 +425,12 @@ ], "log.offset": 4999, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -419,8 +469,12 @@ ], "log.offset": 5646, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -459,8 +513,12 @@ ], "log.offset": 6134, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -499,8 +557,12 @@ ], "log.offset": 6627, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -556,8 +618,12 @@ ], "log.offset": 7113, "message": "detection_update", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index eab6fb1db0e..0756dfac477 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -73,7 +73,19 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, - "related.ip": "192.168.12.51", + "related.hash": [ + "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "ac4c51eb24aa95b77f705ab159189e24" + ], + "related.hosts": [ + "alice-laptop" + ], + "related.ip": [ + "192.168.12.51" + ], + "related.user": [ + "alice" + ], "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", @@ -159,7 +171,9 @@ ], "log.offset": 2579, "message": "quarantined_file_update", - "related.user": "Crowdstrike", + "related.user": [ + "Crowdstrike" + ], "service.type": "crowdstrike", "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json index becdbecc7c8..dd277a3f2c9 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -33,7 +33,9 @@ "crowdstrike.metadata.version": "1.0", "destination.ip": "10.37.60.194", "destination.port": 445, - "event.action": "firewall_match_event", + "event.action": [ + "firewall_match_event" + ], "event.category": [ "network" ], @@ -41,9 +43,7 @@ "event.dataset": "crowdstrike.falcon_endpoint", "event.kind": "event", "event.module": "crowdstrike", - "event.outcome": [ - "unknown" - ], + "event.outcome": "unknown", "event.type": [ "start", "connection" @@ -59,6 +59,9 @@ "network.direction": "ingress", "network.type": "ipv4", "process.pid": 206158879910, + "related.hosts": [ + "TESTDEVICE01" + ], "related.ip": [ "10.37.60.21", "10.37.60.194" @@ -163,8 +166,12 @@ ], "log.offset": 2041, "message": "Crowdstrike Authentication", - "related.ip": "165.225.220.184", - "related.user": "first.last@company.com", + "related.ip": [ + "165.225.220.184" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "source.ip": "165.225.220.184", "tags": [ @@ -211,7 +218,9 @@ ], "log.offset": 3219, "message": "quarantined_file_update", - "related.user": "Crowdstrike", + "related.user": [ + "Crowdstrike" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -228,13 +237,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 57217, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_start_event", + "event.action": [ + "remote_response_session_start_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "start" + "start", + "session" ], "fileset.name": "falcon", "host.name": "TESTDEVICE01", @@ -243,8 +258,13 @@ "multiline" ], "log.offset": 4017, - "message": "Remote response session started", - "related.user": "first.last@company.com", + "message": "Remote response session started.", + "related.hosts": [ + "TESTDEVICE01" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -273,13 +293,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 57269, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_end_event", + "event.action": [ + "remote_response_session_end_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "end" + "end", + "session" ], "fileset.name": "falcon", "host.name": "TESTDEVICE01", @@ -288,8 +314,13 @@ "multiline" ], "log.offset": 4466, - "message": "Remote response session ended", - "related.user": "first.last@company.com", + "message": "Remote response session ended.", + "related.hosts": [ + "TESTDEVICE01" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -335,7 +366,6 @@ "crowdstrike.event.LocalIP": "10.1.190.117", "crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", - "crowdstrike.event.MachineDomain": "NA", "crowdstrike.event.Objective": "Falcon Detection Method", "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", @@ -402,13 +432,25 @@ "process.args": [ "\"C:\\ProgramData\\file\\path\\filename.exe\"" ], - "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"", "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", "process.name": "filename.exe", "process.parent.command_line": "C:\\Windows\\Explorer.EXE", "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "process.pid": 663790158277, - "related.ip": "10.1.190.117", + "related.hash": [ + "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "0ab1235adca04aef6239f5496ef0a5df" + ], + "related.hosts": [ + "TESTDEVICE01" + ], + "related.ip": [ + "10.1.190.117" + ], + "related.user": [ + "First.last" + ], "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", "rule.name": "NGAV", "service.type": "crowdstrike",