CrowdStrike Logs

Connecting CrowdStrike logs to your Panther Console

Overview

Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator (FDR). To ingest CrowdStrike logs into panther, you must have an active subscription to FDR, and it must be enabled in CrowdStrike.

As of Panther version 1.52, all new CrowdStrike log source configurations will use the Crowdstrike.FDREvent schema.

CrowdStrike logs video walkthrough

Walkthrough video showing how to onboard CrowdStrike logs to Panther

How to onboard CrowdStrike logs to Panther

Prerequisites

  • You must have an active subscription to FDR, and it must be enabled in CrowdStrike.

    • There is no minimum version of FDR required.

Step 1: Create FDR API Keys

  1. In your CrowdStrike Falcon console, navigate to the FDR overview for your instance.

    • This URL should be falcon.<cloud-region>.crowdstrike.com/fdr

    • Click Next.

  2. On the Review page, click Create feed.

Step 2: Create a new CrowdStrike Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select CrowdStrike from the list of available log sources. Click Start Setup.

  4. Fill in the fields below:

    • Name: Enter a descriptive name for the source, e.g. CrowdStrike Falcon.

    • SQS URL: Enter the URL for the CrowdStrike-managed SQS queue, previously copied.

  5. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-built detections

See Panther's built in rules for CrowdStrike in panther-analysis in Github.

Supported log types

Crowdstrike.FDREvent

Crowdstrike.FDREvent contains all event types produced by the FDR. Including all types of events in a single log type helps to:

  • Provide ongoing ingestion flexibility and reduce maintenance efforts.

    • For example, if CrowdStrike adds a new event type, you may not need to rewrite existing detection logic and data queries.

  • Simplify querying of CrowdStrike logs by enriching all Crowdstrike.FDREvent logs with commonly referenced fields, such as event_simpleName.

  • Expedite investigations by leveraging the indicators extracted from each FDR event type and stored inCrowdstrike.FDREvent.

FDR events

The FDR data stream sends the following two types of events:

How fdr_event_type is set

Not all FDR events contain the same fields. To accommodate this, the value of fdr_event_type is assigned dynamically, according to the following rules (ordered by precedence):

  1. If event_simpleName is present, fdr_event_type = event_simpleName

  2. If event_type is present, fdr_event_type = event.event_type

  3. If ExternalApiType is present, fdr_event_type = event.ExternalApiType

    • Crowdstrike.DetectionSummary and Crowdstrike.ActivityAudit log types define this ExternalApiType field.

  4. If the FDR event is a secondary event, fdr_event_type = the event type as described in CrowdStrike's documentation on seeing additional environment information.

    • In this case, the resulting log type is still Crowdstrike.FDREvent.

  5. If none of the above conditions are met, fdr_event_type = unknown

For more information, see CrowdStrike's FDR setup documentation.

schema: Crowdstrike.FDREvent
parser:
    native:
        name: Crowdstrike.FDREvent
description: Contains all Crowdstrike Falcon Data Replicator events
referenceURL: https://falcon.us-2.crowdstrike.com/documentation/9/falcon-data-replicator
fields:
    - name: ContextTimeStamp
      description: m, as seen by the sensor.
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - md5
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - md5
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormats:
        - unix_ms
        - rfc3339
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormats:
        - '%m/%d/%Y %H:%M:%S.%f'
        - unix
      isEventTime: true
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormats:
        - unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: event_simpleName
      description: Event name
      type: string
    - name: fdr_event_type
      description: Crowdstrike Event type (populated by panther)
      type: string
    - name: TargetProcessId_decimal
      description: The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
      type: string
    - name: FileName
      description: The name of the file.
      type: string
    - name: FilePath
      description: The full path of the file, including the file name.
      type: string
    - name: event
      description: The full JSON payload of the event
      type: json

Legacy log types

Existing CrowdStrike log source configurations set up prior to Panther version 1.52 will continue to function using the legacy log types below, until you transition them to Crowdstrike.FDREvent. Please contact your Panther support team if you would like assistance with this transition.

Crowdstrike.AIDMaster

Sensor and Host information provided by Falcon Insight.

Reference: CrowdStrike Documentation on Falcon Data Replicator.

schema: Crowdstrike.AIDMaster
parser:
    native:
        name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
fields:
    - name: Time
      required: true
      description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: AgentLoadFlags
      required: true
      description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
      type: int
    - name: AgentLocalTime
      required: true
      description: The local time for the sensor in epoch format.
      type: timestamp
      timeFormat: unix
    - name: AgentTimeOffset
      required: true
      description: The time since the last reboot in epoch format.
      type: float
    - name: AgentVersion
      required: true
      description: The version of the sensor running on a host.
      type: string
    - name: aid
      required: true
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - md5
        - trace_id
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - md5
        - trace_id
    - name: aip
      required: true
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: BiosManufacturer
      description: The manufacturer of the host's BIOS.
      type: string
    - name: BiosVersion
      description: The version of the host's BIOS.
      type: string
    - name: ChassisType
      description: Type of system chassis, as defined in SMBIOS Standard.
      type: string
    - name: City
      description: The system's city of origin.
      type: string
    - name: Country
      description: The system's country of origin.
      type: string
    - name: Continent
      description: The sensor's continent, as seen from the CrowdStrike cloud.
      type: string
    - name: ComputerName
      description: The name of the host.
      type: string
    - name: ConfigBuild
      description: ConfigBuild field
      type: string
    - name: ConfigIDBuild
      description: Build number used as part of the ConfigID.
      type: string
    - name: event_platform
      description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
      type: string
    - name: FalconGroupingTags
      description: FalconGroupingTags field
      type: string
    - name: FirstSeen
      description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
      type: timestamp
      timeFormat: unix
    - name: MachineDomain
      description: The Windows domain name to which the host is currently joined.
      type: string
    - name: OU
      description: The organizational unit of the host as seen by the sensor (defined by system admin).
      type: string
    - name: PointerSize
      description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
      type: string
    - name: ProductType
      description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
      type: string
    - name: SensorGroupingTags
      description: SensorGroupingTags field
      type: string
    - name: ServicePackMajor
      description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
      type: string
    - name: SiteName
      description: The site name of the domain to which the host is joined (defined by system admin).
      type: string
    - name: SystemManufacturer
      description: The host's system manufacturer.
      type: string
    - name: SystemProductName
      description: The host's product name.
      type: string
    - name: Timezone
      description: The sensor's time zone, as seen from the CrowdStrike cloud.
      type: string
    - name: Version
      description: The host's system version.
      type: string
    - name: HostHiddenStatus
      description: Whether the host is visible or not.
      type: string

Crowdstrike.ActivityAudit

Contains activity audit information.

Reference: CrowdStrike Documentation on Streaming API Event Authentication.

schema: Crowdstrike.ActivityAudit
parser:
    native:
        name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
fields:
    - name: AgentIdString
      description: The Agent ID
      type: string
    - name: cid
      description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
      type: string
      indicators:
        - md5
        - trace_id
    - name: ExternalApiType
      required: true
      description: The external API type
      type: string
    - name: Nonce
      description: The nonce
      type: bigint
    - name: ServiceName
      description: The service name
      type: string
    - name: UserId
      description: User that performed the operation, e.g. person that performed the operation to create a new user account.
      type: string
      indicators:
        - email
    - name: UserIp
      description: IP address of user that performs the operation.
      type: string
      indicators:
        - ip
    - name: CustomerIdString
      description: Unique ID assigned by CS for each customer.
      type: string
    - name: EventType
      required: true
      description: Will be Event_ExternalApiEvent
      type: string
    - name: OperationName
      description: The operation name
      type: string
    - name: UTCTimestamp
      description: The timestamp
      type: timestamp
      timeFormat: unix_ms
    - name: timestamp
      required: true
      description: The timestamp
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: AuditKeyValues
      description: The AuditKeyValues
      type: array
      element:
        type: object
        fields:
            - name: Key
              description: The Key
              type: string
            - name: ValueString
              description: The value as a string
              type: string
    - name: eid
      description: The EID
      type: bigint
    - name: Success
      description: If the operation was successful or not
      type: boolean
    - name: EventUUID
      description: The EventUUID
      type: string

Crowdstrike.AppInfo

Detected Application Information provided by Falcon Discover.

Reference: CrowdStrike Documentation on Falcon Data Replicator AppInfo.

schema: Crowdstrike.AppInfo
parser:
    native:
        name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
fields:
    - name: _time
      required: true
      description: The host's local time in epoch format.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - md5
        - trace_id
    - name: CompanyName
      required: true
      description: The name of the company.
      type: string
    - name: detectioncount
      required: true
      description: The number of detections.
      type: bigint
    - name: FileName
      required: true
      description: The name of the file.
      type: string
    - name: SHA256HashData
      required: true
      description: The file hash bashed on SHA-256.
      type: string
      indicators:
        - sha256
    - name: FileDescription
      description: The description of the file, if any.
      type: string
    - name: FileVersion
      description: The version of the file.
      type: string
    - name: ProductName
      description: The name of the product.
      type: string
    - name: ProductVersion
      description: The version of the product.
      type: string

Crowdstrike.CriticalFile

This event is generated every time a critical file is accessed or modified.

Reference: CrowdStrike Documentation on CriticalFile.

schema: Crowdstrike.CriticalFile
parser:
    native:
        name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - md5
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - md5
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: EffectiveTransmissionClass
      description: Effective transmission class
      type: bigint
    - name: GID
      description: The user Group ID
      type: bigint
    - name: TargetFileName
      description: The file that was accessed
      type: string
    - name: UID
      description: The User ID
      type: bigint
    - name: UnixMode
      description: The unix file permissions
      type: string
    - name: FileIdentifier
      description: The file identifier
      type: string
    - name: USN
      description: The USN
      type: bigint

Crowdstrike.DNSRequest

This event is generated for every attempted DNS name resolution on a host.

Reference: CrowdStrike Documentation on DNSRequest.

schema: Crowdstrike.DNSRequest
parser:
    native:
        name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - md5
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - md5
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: EffectiveTransmissionClass
      description: Effective transmission class
      type: bigint
    - name: DomainName
      description: The domain name requested
      type: string
      indicators:
        - domain
    - name: InterfaceIndex
      description: The network interface index (Windows only)
      type: bigint
    - name: DualRequest
      description: If the event is dual request (Windows only)
      type: bigint
    - name: DnsRequestCount
      description: The number of DNS requests (Windows only)
      type: bigint
    - name: AppIdentifier
      description: The identifier of the app that made the request (Android, iOS)
      type: string
    - name: IpAddress
      description: The device ip address (Android, iOS)
      type: string
      indicators:
        - ip
    - name: RequestType
      description: The DNS request type
      type: string

Crowdstrike.DetectionSummary

Detection Summary events include multiple detections, when multiple malicious behaviors are detected.

Reference: CrowdStrike Documentation on Streaming API Detection Summary.

schema: Crowdstrike.DetectionSummary
parser:
    native:
        name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
fields:
    - name: cid
      description: Customer ID
      type: string
      indicators:
        - md5
        - trace_id
    - name: Technique
      description: The name of the technique associated to the behavior.
      type: string
    - name: ProcessId
      description: Process ID.
      type: bigint
    - name: AgentIdString
      description: Agent Id.
      type: string
    - name: DetectName
      description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
      type: string
    - name: ComputerName
      description: Host name.
      type: string
    - name: ProcessStartTime
      description: Timestamp of when a process started.
      type: timestamp
      timeFormat: unix
    - name: GrandparentCommandLine
      description: Effective transmission class
      type: string
    - name: MACAddress
      description: The MAC Address
      type: string
    - name: CommandLine
      description: The command line execution of the process.
      type: string
    - name: Objective
      description: The name of the objective associated to the behavior.
      type: string
    - name: Nonce
      description: The nonce.
      type: bigint
    - name: SHA256String
      description: SHA256 hash.
      type: string
      indicators:
        - sha256
    - name: ExternalApiType
      required: true
      description: The type of the External API
      type: string
    - name: PatternDispositionValue
      description: The pattern disposition value.