Detection: CrowdStrike Falcon Stream Alerts

Description

This analytic leverages alerts from the CrowdStrike Falcon Event Stream. The search selects DetectionSummaryEvent and IdpDetectionSummaryEvent records and normalizes them into a common set of fields: destination, user, severity, MITRE ATT&CK information, and the CrowdStrike detection ID and Falcon console link. The eval commands map the CrowdStrike severity name to a risk score, derive user and dest from whichever of the endpoint fields (ComputerName, UserName) or Identity Protection fields (SourceEndpointHostName, SourceAccountName) is present, set a title and description that vary by detection type (NGAV, Intel Detection, Identity Protection, or behavioral), look up the ATT&CK technique ID, and build a drilldown search that differs for Custom IOA rule matches. The search is deliberately dynamic because different alert types populate different fields. Setting these fields correctly ensures that the risk events and the analyst queue are populated properly.

`crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
| rename event.* as *
| eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
| eval user=coalesce(lower(SourceAccountName),lower(UserName))
| eval dest=coalesce(ComputerName,SourceEndpointHostName)
| eval mitre_technique = case(!match(DetectName, "(NGAV|Intel Detection)"), Technique)
| join type=left mitre_technique [ | inputlookup append=t mitre_attack_lookup | fields mitre_technique mitre_technique_id ]
| eval annotations.mitre_attack = mitre_technique_id
| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
| rename "metadata.eventType" as eventType
| eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
| eval user_append = if(NOT isnull(user)," by " + user,"")
| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
| eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
| eval description = description + user_append + dest_append
| eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
| rename DetectId as detection_id, FalconHostLink as detection_url
| table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
| `crowdstrike_falcon_stream_alerts_filter`
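The normalisation the search performs, as an added example in Python rather than SPL (it is not part of the Splunk detection or of CrowdStrike's tooling): it applies the same risk_score, user, dest, mitre_technique, title and description logic to constructed Event Stream records, so each branch and the null-propagation behaviour of SPL string concatenation can be checked without a Splunk instance. The sample records, the MITRE_LOOKUP table and the use of SeverityName as the source of the lowercase severity field are assumptions made for this example.

```python
"""Added example: Python re-implementation of the field normalisation in the
SPL above, run over constructed CrowdStrike Event Stream records. Not part of
the Splunk detection; the records, lookup and SeverityName are assumptions."""
import json
import re
from typing import Optional

# Severity name -> risk score, as in the `eval risk_score=case(...)` command.
RISK_SCORE = {"Critical": 500, "High": 250, "Medium": 100, "Low": 25, "Informational": 0}

# Stand-in for mitre_attack_lookup (technique name -> technique ID). Constructed
# for this example; the real lookup ships with Splunk Enterprise Security content.
MITRE_LOOKUP = {"Credential Dumping": "T1003", "PowerShell": "T1059.001"}

SUMMARY_TYPES = ("DetectionSummaryEvent", "IdpDetectionSummaryEvent")


def spl_concat(*parts) -> Optional[str]:
    """Mimic the SPL string `+` operator: if any operand is null (None) the
    whole expression is null. This is why the search guards user and dest
    with isnull() before appending them to the description."""
    if any(p is None for p in parts):
        return None
    return "".join(str(p) for p in parts)


def normalize_dict(rec: dict) -> Optional[dict]:
    """Apply the detection's eval logic to one parsed Event Stream record.
    Returns None when the record is not one of the two summary event types."""
    event_type = rec.get("metadata", {}).get("eventType")
    if event_type not in SUMMARY_TYPES:
        return None
    ev = rec.get("event", {})  # `rename event.* as *`

    # Assumption: the lowercase `severity` field the SPL matches on is aliased
    # by the CrowdStrike TA from SeverityName. case() with no default -> null.
    risk_score = RISK_SCORE.get(ev.get("SeverityName"))

    # user=coalesce(lower(SourceAccountName),lower(UserName)); dest likewise.
    raw_user = ev.get("SourceAccountName") or ev.get("UserName")
    user = raw_user.lower() if raw_user is not None else None
    dest = ev.get("ComputerName") or ev.get("SourceEndpointHostName")

    detect_name, tactic, technique = ev.get("DetectName"), ev.get("Tactic"), ev.get("Technique")

    # case(!match(DetectName, "(NGAV|Intel Detection)"), Technique): NGAV and
    # threat-intel hits carry no real ATT&CK technique, so they get no mapping.
    if detect_name is None or re.search(r"NGAV|Intel Detection", detect_name):
        mitre_technique = None
    else:
        mitre_technique = technique
    mitre_attack = MITRE_LOOKUP.get(mitre_technique) if mitre_technique else None

    # title/description branches. The SPL tests IdP before Intel Detection for
    # description only; the orders differ solely for an IdP event whose
    # DetectName is "Intel Detection", which this single chain treats as Intel.
    if detect_name == "NGAV":
        title = spl_concat("RR - CS - ", tactic, " - ", technique)
        description = spl_concat("CS ", tactic, " - ", technique, ": ", ev.get("FileName"))
    elif detect_name == "Intel Detection":
        title = spl_concat("RR - CS - ", detect_name)
        description = spl_concat("CS ", detect_name, " - ", ev.get("IOCType"), ": ", ev.get("IOCValue"))
    elif event_type == "IdpDetectionSummaryEvent":
        title = "RR - CS - Identity Protection"
        description = spl_concat("CS IdP - ", detect_name)
    else:
        title = spl_concat("RR - CS - ", detect_name, " - ", technique)
        description = spl_concat(ev.get("Objective"), " - ", ev.get("DetectDescription"))

    # user_append/dest_append are isnull()-guarded so a missing user or host
    # does not null out the whole description.
    user_append = spl_concat(" by ", user) if user is not None else ""
    dest_append = spl_concat(" on ", dest) if dest is not None else ""
    description = spl_concat(description, user_append, dest_append)

    return {
        "detection_id": ev.get("DetectId"), "detection_url": ev.get("FalconHostLink"),
        "title": title, "risk_score": risk_score, "description": description,
        "user": user, "dest": dest, "mitre_technique": mitre_technique,
        "annotations.mitre_attack": mitre_attack,
    }


def normalize(raw_json: str) -> Optional[dict]:
    """Same as normalize_dict, for one raw JSON line as the TA ingests it."""
    return normalize_dict(json.loads(raw_json))


# Constructed sample records (not real CrowdStrike data), one per branch.
SAMPLE_EVENTS = [
    json.dumps({"metadata": {"eventType": "DetectionSummaryEvent"},
                "event": {"DetectName": "NGAV", "SeverityName": "High", "Tactic": "Machine Learning",
                          "Technique": "Sensor-based ML", "FileName": "evil.exe", "ComputerName": "WS01",
                          "UserName": "Alice", "DetectId": "ldt:1:1", "FalconHostLink": "https://falcon.example/1"}}),
    json.dumps({"metadata": {"eventType": "DetectionSummaryEvent"},
                "event": {"DetectName": "Suspicious Activity", "SeverityName": "Critical",
                          "Tactic": "Credential Access", "Technique": "Credential Dumping",
                          "Objective": "Gain Access", "DetectDescription": "lsass read",
                          "ComputerName": "DC01", "UserName": "SYSTEM", "DetectId": "ldt:2:2"}}),
    json.dumps({"metadata": {"eventType": "IdpDetectionSummaryEvent"},
                "event": {"DetectName": "Password Spraying", "SeverityName": "Medium",
                          "SourceAccountName": "Bob", "SourceEndpointHostName": "LAPTOP07", "DetectId": "idp:3"}}),
    json.dumps({"metadata": {"eventType": "UserActivityAuditEvent"}, "event": {}}),  # not selected
]


def run(events=SAMPLE_EVENTS) -> list:
    """Normalise every record, dropping the event types the search ignores."""
    return [r for r in (normalize(e) for e in events) if r is not None]


if __name__ == "__main__":
    for row in run():
        print(json.dumps(row))
```

Running the file prints one JSON row per selected record; the UserActivityAuditEvent sample is dropped, mirroring the metadata.eventType filter. The spl_concat helper reproduces Splunk's rule that concatenating a null field yields null, which is the reason the search builds user_append and dest_append behind isnull() checks instead of concatenating user and dest directly; an NGAV event with no FileName still ends up with a null description, which is worth knowing when tuning the risk message.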

Data Source

Name Platform Sourcetype Source
CrowdStrike Falcon Stream Alert N/A 'CrowdStrike:Event:Streams:JSON' 'CrowdStrike:Event:Streams'

Macros Used

Name Value
crowdstrike_stream sourcetype="CrowdStrike:Event:Streams:JSON"
crowdstrike_falcon_stream_alerts_filter search *
crowdstrike_falcon_stream_alerts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK: none mapped at the detection level (the ID, Technique and Tactic columns are empty; the search sets annotations.mitre_attack per event from mitre_attack_lookup)
Kill Chain Phases: none listed
NIST: DE.AE
CIS: CIS 10
Threat Actors: none listed

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To run this search you need to ingest alert data from the CrowdStrike Event Stream, specifically using the CrowdStrike Falcon Event Streams Technical Add-On. The add-on writes these alerts with the CrowdStrike:Event:Streams:JSON sourcetype. The default crowdstrike_stream macro only restricts on that sourcetype, so redefine it to also name the index that holds the data. The detection ships disabled (see Default Configuration) and must be enabled once the macro is set.
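A macros.conf fragment, as an added example that is not shipped with the detection, showing both macros redefined the way the implementation note describes. The index name crowdstrike and the scanner hostname are placeholders; the fields used in the filter (dest, severity) are ones the search's table command leaves in each result.

```ini
# Added example, not part of the Splunk detection content.
# local/macros.conf in the app that owns the CrowdStrike data.

# Restrict the base search to the index that actually holds the sourcetype.
# "crowdstrike" is an assumed index name.
[crowdstrike_stream]
definition = index=crowdstrike sourcetype="CrowdStrike:Event:Streams:JSON"
iseval = 0

# Tuning the filter macro instead of editing the SPL: drop Low and
# Informational hits from a known vulnerability-scanner host (placeholder name).
# The definition must start with "search" because the macro is invoked after a pipe.
[crowdstrike_falcon_stream_alerts_filter]
definition = search NOT (dest="vulnscan01*" severity IN ("Low","Informational"))
iseval = 0
```

Because the filter macro runs after the table command, only the fields listed there (dest, user, severity, DetectName, Tactic, process and so on) are available to it; filtering on a raw CrowdStrike field that was not carried through will silently match nothing.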

Known False Positives

False positives vary with the CrowdStrike policy configuration; monitor the results and use the filter macro to exclude alerts that are not relevant to your environment.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

$description$

Risk Object Risk Object Type Risk Score Threat Objects
user user 81 signature, process, file_hash, hash, file_name, ip
dest system 81 signature, process, file_hash, hash, file_name, ip

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset CrowdStrike:Event:Streams CrowdStrike:Event:Streams:JSON
Integration Passing Dataset CrowdStrike:Event:Streams CrowdStrike:Event:Streams:JSON

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1