| ID | Technique | Tactic |
|---|
Detection: CrowdStrike Falcon Stream Alerts
Description
The following analytic is to leverage alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and Crowdstrike id and links. The evals in the search do multiple things to include align the severity, ensure the user, dest, title, description, MITRE fields are set properly, and the drilldowns are defined based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensure the appropriate risk and analyst queue fields are correctly populated.
Search
1`crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
2
3| rename event.* as *
4
5| eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
6
7| eval user=coalesce(lower(SourceAccountName),lower(UserName))
8
9| eval dest=coalesce(ComputerName,SourceEndpointHostName)
10
11| eval mitre_technique = case(!match(DetectName, "(NGAV
12|Intel Detection)"), Technique)
13
14| join type=left mitre_technique
15 [
16| inputlookup append=t mitre_attack_lookup
17
18| fields mitre_technique mitre_technique_id ]
19
20| eval annotations.mitre_attack = mitre_technique_id
21
22| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
23
24| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
25
26| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
27
28| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
29
30| rename "metadata.eventType" as eventType
31
32| eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
33
34| eval user_append = if(NOT isnull(user)," by " + user,"")
35
36| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
37
38| eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
39
40| eval description = description + user_append + dest_append
41
42| eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
43
44| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
45
46| rename DetectId as detection_id, FalconHostLink as detection_url
47
48| table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
49
50| `crowdstrike_falcon_stream_alerts_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike Falcon Stream Alert | N/A | 'CrowdStrike:Event:Streams:JSON' |
'CrowdStrike:Event:Streams' |
Macros Used
| Name | Value |
|---|---|
| crowdstrike_stream | sourcetype="CrowdStrike:Event:Streams:JSON" |
| crowdstrike_falcon_stream_alerts_filter | search * |
crowdstrike_falcon_stream_alerts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
In order to properly run this search, you need to ingest alerts data from CrowdStrike Event Stream, specifcally using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on will collect alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the crowdstrike_stream macro to point to the proper index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
Known False Positives
False positives may vary based on Crowdstrike configuration; monitor and filter out the alerts that are not relevant to your environment.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
$description$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 81 | signature, process, file_hash, hash, file_name, ip |
| dest | system | 81 | signature, process, file_hash, hash, file_name, ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | CrowdStrike:Event:Streams |
CrowdStrike:Event:Streams:JSON |
| Integration | ✅ Passing | Dataset | CrowdStrike:Event:Streams |
CrowdStrike:Event:Streams:JSON |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1