CrowdStrike Falcon Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

CrowdStrike Falcon is a cloud-native endpoint detection and response (EDR) platform providing AI-powered real-time threat detection, prevention, and response. This technology pack processes CrowdStrike Falcon events, providing normalization and enrichment of detection summaries, EPP/XDR/IDP detections, authentication audit events, firewall matches, remote response sessions, and user activity audit events.

Supported Version(s)

  • CrowdStrike Falcon 7.15.18514.0

Requirements

  • CrowdStrike Falcon 7.15.18514.0 or later.

  • Graylog Enterprise version 6.0.1 or later.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Crowdstrike Falcon Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack's routing will be configured to send messages to this stream and its associated index set. Do not configure any stream rules on this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Crowdstrike Falcon Event Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Logs are collected through Graylog's CrowdStrike input, which pulls events from the CrowdStrike API.

Log Format Example

CrowdStrike Falcon events are delivered in GELF JSON format via the CrowdStrike input.

UserActivityAuditEvent

{"timestamp":1693337449.649,"version":"1.1","host":"customer-id","short_message":"{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}","full_message":"{\"metadata\":{\"customerIDString\":\"customer-id\",\"offset\":2802412,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1688847014000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}}","_event_source_product":"crowdstrike_falcon","_vendor_subtype":"UserActivityAuditEvent","_vendor_version":"1.0","_event_created":"2023-07-08T20:10:14.000Z"}

What is Provided

  • Parsing rules for CrowdStrike Falcon events.

  • GIM categorization for detection, authentication, audit, and firewall events.

  • Alert severity with MITRE ATT&CK technique and tactic extraction.
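The following script is an added example, not code from the content pack or from Graylog. It shows in plain Python what the Log Format Example and the items above describe: unwrap the GELF envelope (short_message carries the bare event, full_message carries metadata plus event), derive the _vendor_subtype, _vendor_version and _event_created fields from the metadata, assign a category by event type, and pull severity and MITRE ATT&CK fields out of a detection. The UserActivityAuditEvent is copied from the page's example; the detection event, its field names (Severity, SeverityName, Tactic, Technique, TechniqueId), the event type names other than UserActivityAuditEvent, and the category labels are constructed assumptions, not the pack's actual mapping.

```python
import json
from datetime import datetime, timezone

# Event type -> category. Only UserActivityAuditEvent appears on the page; the other
# type names and all category labels are illustrative assumptions.
ASSUMED_GIM_CATEGORY = {
    "UserActivityAuditEvent": "audit",
    "AuthActivityAuditEvent": "authentication",
    "DetectionSummaryEvent": "alert",
    "FirewallMatchEvent": "firewall",
}

# The event from the page's UserActivityAuditEvent example.
AUDIT_EVENT = {
    "UserId": "api-client-id",
    "UserIp": "10.1.1.1",
    "OperationName": "reveal_token",
    "ServiceName": "sensor_update_policy",
    "UTCTimestamp": 1688847014,
    "Attributes": {"device_id": "6614e76223cc47699c09b18e84da6425",
                   "message": "", "seedID": "101"},
}

# Constructed detection event; field names are assumptions, not taken from the page.
DETECTION_EVENT = {
    "ComputerName": "WS-0042",
    "UserName": "jdoe",
    "Severity": 4,
    "SeverityName": "High",
    "Tactic": "Execution",
    "Technique": "PowerShell",
    "TechniqueId": "T1059.001",
    "CommandLine": "powershell.exe -nop -w hidden -enc <base64>",
}


def build_gelf(event_type, event, *, customer_id="customer-id", offset=0,
               created_ms=0, version="1.0"):
    """Wrap a Falcon event in the GELF envelope shown in the Log Format Example."""
    compact = {"separators": (",", ":")}
    envelope = {
        "metadata": {"customerIDString": customer_id, "offset": offset,
                     "eventType": event_type, "eventCreationTime": created_ms,
                     "version": version},
        "event": event,
    }
    gelf = {
        "version": "1.1",
        "host": customer_id,
        "timestamp": created_ms / 1000,
        "short_message": json.dumps(event, **compact),
        "full_message": json.dumps(envelope, **compact),
    }
    return json.dumps(gelf, **compact)


def ms_to_iso(ms):
    """Epoch milliseconds -> the _event_created form, e.g. 2023-07-08T20:10:14.000Z."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def extract_attack(event):
    """Severity and ATT&CK fields from a detection event (assumed field names)."""
    return {
        "alert_severity": event.get("SeverityName"),
        "alert_severity_level": event.get("Severity"),
        "mitre_tactic": event.get("Tactic"),
        "mitre_technique": event.get("Technique"),
        "mitre_technique_id": event.get("TechniqueId"),
    }


def parse_falcon_gelf(raw):
    """Normalize one GELF line into the fields the pack adds plus a category."""
    gelf = json.loads(raw)
    if gelf.get("version") != "1.1":
        raise ValueError("not a GELF 1.1 message")
    envelope = json.loads(gelf["full_message"])
    meta, event = envelope["metadata"], envelope["event"]
    # short_message should be a copy of full_message.event; a mismatch means the
    # message was mangled or altered in transit, so refuse rather than guess.
    if json.loads(gelf["short_message"]) != event:
        raise ValueError("short_message disagrees with full_message.event")
    etype = meta["eventType"]
    out = {
        "event_source_product": "crowdstrike_falcon",
        "vendor_subtype": etype,
        "vendor_version": meta.get("version"),
        "event_created": ms_to_iso(int(meta["eventCreationTime"])),
        "gim_category": ASSUMED_GIM_CATEGORY.get(etype),  # None: parsed, uncategorized
        "event": event,
    }
    if etype.endswith("DetectionSummaryEvent"):
        out.update(extract_attack(event))
    return out


def rejects(raw):
    """True if parse_falcon_gelf refuses the message."""
    try:
        parse_falcon_gelf(raw)
    except (ValueError, KeyError):
        return True
    return False


# A copy of the audit message whose short_message was edited after the fact.
TAMPERED = build_gelf("UserActivityAuditEvent", AUDIT_EVENT).replace(
    '\\"UserIp\\":\\"10.1.1.1\\"', '\\"UserIp\\":\\"203.0.113.9\\"', 1)

if __name__ == "__main__":
    audit = build_gelf("UserActivityAuditEvent", AUDIT_EVENT,
                       offset=2802412, created_ms=1688847014000)
    print(json.dumps(parse_falcon_gelf(audit), indent=2))
    print("tampered message rejected:", rejects(TAMPERED))
```

The consistency check is the practitioner's caveat here: an uncategorized event type yields gim_category None rather than an error, matching the page's note that every message is parsed but not every type is categorized, while a short_message that no longer matches the event is treated as untrustworthy.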

GIM Categorization

GIM categorization is provided for the following event types. All messages sent via the CrowdStrike API will be parsed, but not all event types receive categorization.

CrowdStrike Falcon Spotlight

The CrowdStrike Falcon Spotlight offers dashboards with three tabs: Overview, Authentication, and Detections.

Overview

Authentication

Detections