Panther can fetch CrowdStrike events by querying the CrowdStrike Event Streams API. Panther queries for new events every one minute.
CrowdStrike Event Streams only exports non-sensor data, which includes SaaS audit activity and CrowdStrike Detection Summary events. To ingest device telemetry, a CrowdStrike Falcon Data Replicator (FDR) source is required.
The action of Panther querying the Event Streams API for new events itself generates additional Crowdstrike.EventStreams logs. If this creates unwanted noise in your integration, you can configure an ingestion filter to filter out these logs.
How to onboard CrowdStrike Event Streams logs to Panther
Log into the Falcon console using an account with administrator-level permissions.
In the navigation bar, click Support and resources > API clients and keys.
Within the OAuth2 API clients tab, click Create API client.
Fill in the Create API client form:
Client name: Enter a descriptive name.
Description: Enter a useful description.
In the table of scopes, in the Event streams row, select the Read checkbox.
Click Create.
The API client created pop-up modal will display Client ID, Secret, and Base URL values. Copy these values and store them in a secure location, as you will need them in the next step. This is the only time the Secret will be shown.
Click Done.
Step 2: Create a new CrowdStrike Event Streams source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "CrowdStrike Event Streams," then click its tile.
On the Configure page, enter a descriptive Name for the source.
Click Setup.
On the Credentials page, fill in the form:
Client Id: Enter the Client ID you generated in CrowdStrike in the previous step.
Client Secret: Enter the Secret you generated in CrowdStrike in the previous step.
Client Cloud: Select the region shown in the Base URL you generated in CrowdStrike in the previous step.
App Id: Enter a label to identify your connection.
There is a maximum of 20 alphanumeric characters (a-z, A-Z, 0-9).
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Crowdstrike.EventStreams
Crowdstrike.EventStreams logs represent activity observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searches.
schema:Crowdstrike.EventStreamsdescription:Events related to activity that's observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searchesreferenceURL:https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-eventsfields: - name:eventrequired:truedescription:The data for the detection or audit eventtype:objectfields: - name:OperationNamedescription:The operation nametype:string - name:ServiceNamedescription:The service nametype:string - name:UTCTimestampdescription:Time when the operation took place in UNIX EPOCH timetype:timestamptimeFormats: - unix_autoisEventTime:true - name:UserIdtype:stringindicators: - email - name:UserIptype:stringindicators: - ip - name:Successtype:boolean - name:ComputerNamedescription:Host nametype:stringindicators: - hostname - name:DetectDescriptiondescription:| A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularlytype:string - name:Descriptiontype:string - name:DetectIddescription:The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraphtype:string - name:CompositeIdtype:string - name:FalconHostLinkdescription:Link to view detection event in Falcon consoletype:stringindicators: - url - name:IOARuleInstanceIdtype:string - name:IOARuleInstanceVersiontype:string - name:IOARuleNametype:string - name:IOARuleGroupNametype:string - name:FileNametype:string - name:FilePathtype:string - name:ProcessStartTimedescription:Timestamp of when a process started in UNIX EPOCH timetype:timestamptimeFormats: - unix_auto - name:ProcessEndTimedescription:Timestamp of when a process ended in UNIX EPOCH timetype:timestamptimeFormats: - unix_auto - name:ProcessIddescription:Process IDtype:string - name:UserNamedescription:User nametype:stringindicators: - username - name:DetectNamedescription:| NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more informationtype:string - name:Nametype:string - name:CommandLinedescription:The command line used to create this processtype:string - name:MD5Stringdescription:MD5 hashtype:stringindicators: - md5 - name:SHA1Stringtype:stringindicators: - sha1 - name:SHA256Stringdescription:SHA256 hashtype:stringindicators: - sha256 - name:MachineDomaindescription:The Windows Domain Name to which the machine is currently joinedtype:string - name:SensorIddescription:Falcon sensor Agent IDtype:string - name:LocalIPtype:stringindicators: - ip - name:MACAddresstype:stringindicators: - mac - name:Objectivedescription:The name of the objective associated to the behaviortype:string - name:PatternDispositionDescriptiondescription:The description of the pattern associated to the action taken on the behaviortype:string - name:PatternDispositionValuedescription:The numerical ID of the pattern associated to the action taken on the behaviortype:bigint - name:PatternDispositionFlagstype:json - name:DocumentsAccessedtype:arrayelement:type:objectfields: - name:Timestampdescription:Time the document was accessed in UNIX EPOCH timetype:timestamptimeFormats: - unix_auto - name:Filenamedescription:| Name of file accessed. Note: A detect Summary can have 0 or more DocumentsAccessed_FileName entries and there is a timestamp for each DocumentsAccessed_FileName entry.type:string - name:Filepathdescription:| File path, if a document was accessed. Note: A detect Summary can have 0 or more DocumentsAccessed_FilePath entries.type:string - name:Commandstype:arrayelement:type:string - name:ParentProcessIddescription:Parent Process IDtype:string - name:ParentCommandLinetype:string - name:ParentImageFileNametype:string - name:GrandparentCommandLinetype:string - name:GrandparentImageFilenametype:string - name:NetworkAccessestype:arrayelement:type:objectfields: - name:ConnectionDirectiondescription:Whether the connection is inbound (1), outbound (0), or neither (2)type:int - name:LocalAddressdescription:Local IP addresstype:stringindicators: - ip - name:LocalPortdescription:Local port of a network connection, as the normal port number. (i.e. an incoming ssh connection is 22)type:bigint - name:Protocoldescription:RFC-1700 IP protocol identifiertype:string - name:RemoteAddressdescription:Remote IP addresstype:stringindicators: - ip - name:RemotePortdescription:Remote porttype:bigint - name:Severitydescription:0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)type:float - name:SeverityNamedescription:0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)type:string - name:Tacticdescription:The name of the tactic associated to the behaviortype:string - name:Techniquedescription:The name of the technique associated to the behaviortype:string - name:AuditKeyValuestype:arrayelement:type:json - name:IncidentTypetype:string - name:IncidentStartTimetype:timestamptimeFormats: - unix_auto - name:IncidentEndTimetype:timestamptimeFormats: - unix_auto - name:IncidentIdtype:string - name:Statetype:string - name:FineScoretype:float - name:LateralMovementtype:string - name:SessionIdtype:stringindicators: - trace_id - name:HostnameFieldtype:stringindicators: - hostname - name:StartTimestamptype:timestamptimeFormats: - unix_auto - name:EndTimestamptype:timestamptimeFormats: - unix_auto - name:metadatarequired:truedescription:The metadata for this detection or audit eventtype:objectfields: - name:customerIDStringdescription:Unique ID assigned by CS for each customertype:string - name:offsetrequired:truedescription:| Starts at offset=0. Each new event (AuthActivityAuditEvent, DetectionSummaryEvent, UserActivityAuditEvent) would increase the offset counter by one. When reconnecting to Falcon Streaming API, you can specify the offset value to tell the API the starting point where you’d like to receive the events. If omitted, the API would return all previous Detection Summary or Authentication events starting with offset=0
type: bigint - name:versiontype:string - name:eventTypetype:string - name:eventCreationTimerequired:truedescription:Time when this event was generated in UNIX EPOCH timetype:timestamptimeFormats: - unix_autoisEventTime:true
In the slide-out panel, click Start Setup.
Member Cid (Optional): Optionally enter the Customer ID (CID) selector, for cases when the CrowdStrike Client Id and Secret have access to multiple CIDs.
