Panther can fetch CrowdStrike events by querying the CrowdStrike Event Streams API. Panther queries for new events once every minute.
CrowdStrike Event Streams only exports non-sensor data, which includes SaaS audit activity and CrowdStrike Detection Summary events. To ingest device telemetry, a CrowdStrike Falcon Data Replicator (FDR) source is required.
The act of Panther querying the Event Streams API for new events itself generates additional Crowdstrike.EventStreams logs. If these create unwanted noise in your integration, you can configure an ingestion filter to exclude them.
How to onboard CrowdStrike Event Streams logs to Panther
Step 1: Create an API client in CrowdStrike
Log into the Falcon console using an account with administrator-level permissions.
In the navigation bar, click Support and resources > API clients and keys.
Within the OAuth2 API clients tab, click Create API client.
Fill in the Create API client form:
Client name: Enter a descriptive name.
Description: Enter a useful description.
In the table of scopes, in the Event streams row, select the Read checkbox.
Click Create.
The API client created pop-up modal will display Client ID, Secret, and Base URL values. Copy these values and store them in a secure location, as you will need them in the next step. This is the only time the Secret will be shown.
Click Done.
Step 2: Create a new CrowdStrike Event Streams source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "CrowdStrike Event Streams," then click its tile.
On the Configure page, enter a descriptive Name for the source.
Click Setup.
On the Credentials page, fill in the form:
Client Id: Enter the Client ID you generated in CrowdStrike in the previous step.
Client Secret: Enter the Secret you generated in CrowdStrike in the previous step.
Client Cloud: Select the region shown in the Base URL you generated in CrowdStrike in the previous step.
App Id: Enter a label to identify your connection. The label can be at most 20 alphanumeric characters (a-z, A-Z, 0-9).
Click Setup. You will be directed to a success screen.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Crowdstrike.EventStreams
Crowdstrike.EventStreams logs represent activity observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searches.
```yaml
schema: Crowdstrike.EventStreams
description: Events related to activity that's observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searches
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events
fields:
  - name: event
    required: true
    description: The data for the detection or audit event
    type: object
    fields:
      - name: OperationName
        description: The operation name
        type: string
      - name: ServiceName
        description: The service name
        type: string
      - name: UTCTimestamp
        description: Time when the operation took place in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
        isEventTime: true
      - name: UserId
        type: string
        indicators:
          - email
      - name: UserIp
        type: string
        indicators:
          - ip
      - name: Success
        type: boolean
      - name: ComputerName
        description: Host name
        type: string
        indicators:
          - hostname
      - name: DetectDescription
        description: |
          A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly
        type: string
      - name: Description
        type: string
      - name: DetectId
        description: The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph
        type: string
      - name: CompositeId
        type: string
      - name: FalconHostLink
        description: Link to view detection event in Falcon console
        type: string
        indicators:
          - url
      - name: IOARuleInstanceId
        type: string
      - name: IOARuleInstanceVersion
        type: string
      - name: IOARuleName
        type: string
      - name: IOARuleGroupName
        type: string
      - name: FileName
        type: string
      - name: FilePath
        type: string
      - name: ProcessStartTime
        description: Timestamp of when a process started in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
      - name: ProcessEndTime
        description: Timestamp of when a process ended in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
      - name: ProcessId
        description: Process ID
        type: string
      - name: UserName
        description: User name
        type: string
        indicators:
          - username
      - name: DetectName
        description: |
          NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE's ATT&CK. DetectName will be deprecated January 16, 2019 - more information
        type: string
      - name: Name
        type: string
      - name: CommandLine
        description: The command line used to create this process
        type: string
      - name: MD5String
        description: MD5 hash
        type: string
        indicators:
          - md5
      - name: SHA1String
        type: string
        indicators:
          - sha1
      - name: SHA256String
        description: SHA256 hash
        type: string
        indicators:
          - sha256
      - name: MachineDomain
        description: The Windows Domain Name to which the machine is currently joined
        type: string
      - name: SensorId
        description: Falcon sensor Agent ID
        type: string
      - name: LocalIP
        type: string
        indicators:
          - ip
      - name: MACAddress
        type: string
        indicators:
          - mac
      - name: Objective
        description: The name of the objective associated to the behavior
        type: string
      - name: PatternDispositionDescription
        description: The description of the pattern associated to the action taken on the behavior
        type: string
      - name: PatternDispositionValue
        description: The numerical ID of the pattern associated to the action taken on the behavior
        type: bigint
      - name: PatternDispositionFlags
        type: json
      - name: DocumentsAccessed
        type: array
        element:
          type: object
          fields:
            - name: Timestamp
              description: Time the document was accessed in UNIX EPOCH time
              type: timestamp
              timeFormats:
                - unix_auto
            - name: Filename
              description: |
                Name of file accessed. Note: A Detection Summary can have 0 or more DocumentsAccessed_FileName entries and there is a timestamp for each DocumentsAccessed_FileName entry.
              type: string
            - name: Filepath
              description: |
                File path, if a document was accessed. Note: A Detection Summary can have 0 or more DocumentsAccessed_FilePath entries.
              type: string
      - name: Commands
        type: array
        element:
          type: string
      - name: ParentProcessId
        description: Parent Process ID
        type: string
      - name: ParentCommandLine
        type: string
      - name: ParentImageFileName
        type: string
      - name: GrandparentCommandLine
        type: string
      - name: GrandparentImageFilename
        type: string
      - name: NetworkAccesses
        type: array
        element:
          type: object
          fields:
            - name: ConnectionDirection
              description: Whether the connection is inbound (1), outbound (0), or neither (2)
              type: int
            - name: LocalAddress
              description: Local IP address
              type: string
              indicators:
                - ip
            - name: LocalPort
              description: Local port of a network connection, as the normal port number (e.g. an incoming SSH connection is 22)
              type: bigint
            - name: Protocol
              description: RFC-1700 IP protocol identifier
              type: string
            - name: RemoteAddress
              description: Remote IP address
              type: string
              indicators:
                - ip
            - name: RemotePort
              description: Remote port
              type: bigint
      - name: Severity
        description: 0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)
        type: float
      - name: SeverityName
        description: 0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)
        type: string
      - name: Tactic
        description: The name of the tactic associated to the behavior
        type: string
      - name: Technique
        description: The name of the technique associated to the behavior
        type: string
      - name: AuditKeyValues
        type: array
        element:
          type: json
      - name: IncidentType
        type: string
      - name: IncidentStartTime
        type: timestamp
        timeFormats:
          - unix_auto
      - name: IncidentEndTime
        type: timestamp
        timeFormats:
          - unix_auto
      - name: IncidentId
        type: string
      - name: State
        type: string
      - name: FineScore
        type: float
      - name: LateralMovement
        type: string
      - name: SessionId
        type: string
        indicators:
          - trace_id
      - name: HostnameField
        type: string
        indicators:
          - hostname
      - name: StartTimestamp
        type: timestamp
        timeFormats:
          - unix_auto
      - name: EndTimestamp
        type: timestamp
        timeFormats:
          - unix_auto
  - name: metadata
    required: true
    description: The metadata for this detection or audit event
    type: object
    fields:
      - name: customerIDString
        description: Unique ID assigned by CS for each customer
        type: string
      - name: offset
        required: true
        description: |
          Starts at offset=0. Each new event (AuthActivityAuditEvent, DetectionSummaryEvent, UserActivityAuditEvent) would increase the offset counter by one. When reconnecting to Falcon Streaming API, you can specify the offset value to tell the API the starting point where you'd like to receive the events. If omitted, the API would return all previous Detection Summary or Authentication events starting with offset=0
        type: bigint
      - name: version
        type: string
      - name: eventType
        type: string
      - name: eventCreationTime
        required: true
        description: Time when this event was generated in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
        isEventTime: true
```
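The following is an added example, not code from Panther or CrowdStrike. It shows two things the schema above implies for anyone writing detections on this log type: how a consumer uses metadata.offset as a checkpoint so that a reconnect does not replay events into duplicate alerts, and what a Panther-style rule over a DetectionSummaryEvent and an AuthActivityAuditEvent looks like. Every sample record and value is constructed; the `deep_get` helper stands in for Panther's helper of the same name, and treating a PatternDispositionDescription that begins with "Prevention" as "sensor already acted" is an assumption about that field's wording.

```python
# Added example: not Panther's or CrowdStrike's code. Field names follow the
# Crowdstrike.EventStreams schema; all sample values are constructed, and deep_get
# stands in for Panther's helper of the same name (an assumption).

SEVERITY_NAMES = {0: "N/A", 1: "Informational", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}
HIGH_SEVERITY = 4  # event.Severity: 4 (High) and 5 (Critical) per the schema description


def deep_get(record, *keys, default=None):
    """Walk nested dicts, returning default when any key is missing."""
    current = record
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def detection_rule(record):
    """True for High/Critical DetectionSummaryEvents that were only detected.
    A disposition starting with 'Prevention' is assumed to mean the sensor acted."""
    if deep_get(record, "metadata", "eventType") != "DetectionSummaryEvent":
        return False
    sev = deep_get(record, "event", "Severity", default=0)
    disposition = deep_get(record, "event", "PatternDispositionDescription", default="")
    return sev >= HIGH_SEVERITY and not disposition.lower().startswith("prevention")


def auth_failure_rule(record):
    """True for failed Falcon console sign-ins (AuthActivityAuditEvent with Success false)."""
    return (deep_get(record, "metadata", "eventType") == "AuthActivityAuditEvent"
            and deep_get(record, "event", "Success") is False)


def alert_title(record):
    """Title text in the style of a Panther rule's title() function."""
    ev = record.get("event", {})
    if deep_get(record, "metadata", "eventType") == "DetectionSummaryEvent":
        name = SEVERITY_NAMES.get(int(ev.get("Severity", 0)), "N/A")
        return (f"{name} Falcon detection on {ev.get('ComputerName', '<unknown host>')}: "
                f"{ev.get('Tactic', '?')} / {ev.get('Technique', '?')}")
    return (f"Failed Falcon console login for {ev.get('UserId', '<unknown user>')} "
            f"from {ev.get('UserIp', '<unknown ip>')}")


def process_stream(records, checkpoint):
    """Run both rules over records newer than `checkpoint` (the last metadata.offset
    already handled). Records at or below it are replays after a reconnect and are
    skipped, which is what prevents duplicate alerts. Returns (alerts, new checkpoint)."""
    alerts = []
    for record in records:
        offset = deep_get(record, "metadata", "offset")
        if offset is None or offset <= checkpoint:
            continue
        if detection_rule(record) or auth_failure_rule(record):
            alerts.append({"offset": offset, "title": alert_title(record)})
        checkpoint = offset
    return alerts, checkpoint


def _record(offset, event_type, **event):
    """Build a constructed record in the shape of the schema."""
    return {"metadata": {"customerIDString": "0123456789abcdef0123456789abcdef",  # constructed
                         "offset": offset, "eventType": event_type,
                         "eventCreationTime": 1700000000 + offset},
            "event": event}


SAMPLE_STREAM = [  # constructed sample records, offsets 0..3
    _record(0, "DetectionSummaryEvent", Severity=2.0, SeverityName="Low",
            ComputerName="WS-0001", Tactic="Discovery", Technique="System Information Discovery",
            PatternDispositionDescription="Detection, standard detection."),
    _record(1, "AuthActivityAuditEvent", OperationName="userAuthenticate", Success=False,
            UserId="analyst@example.com", UserIp="203.0.113.7"),
    _record(2, "DetectionSummaryEvent", Severity=5.0, SeverityName="Critical",
            ComputerName="SRV-DB-01", Tactic="Credential Access", Technique="OS Credential Dumping",
            PatternDispositionDescription="Detection, standard detection."),
    _record(3, "DetectionSummaryEvent", Severity=4.0, SeverityName="High",
            ComputerName="WS-0002", Tactic="Execution", Technique="PowerShell",
            PatternDispositionDescription="Prevention, process killed."),
]

if __name__ == "__main__":
    found, last_offset = process_stream(SAMPLE_STREAM, -1)  # first run: nothing checkpointed yet
    for alert in found:
        print(alert)
    print("checkpoint:", last_offset)
    # Reconnecting with the stored checkpoint replays nothing and raises no duplicate alerts.
    print("after reconnect:", process_stream(SAMPLE_STREAM, last_offset))
```

Run as-is, the first pass alerts on offsets 1 and 2 (the failed login and the Critical detection that was not prevented) and returns a checkpoint of 3; a second pass with that checkpoint produces no alerts. The same skip-at-or-below-checkpoint logic is what makes the offset semantics in the schema description safe to rely on when a stream reconnects.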
Additional Step 2 details: after you click the CrowdStrike Event Streams tile, a slide-out panel opens; click Start Setup in that panel to proceed to the Configure page. The Credentials page also includes one optional field:
Member Cid (Optional): Enter the Customer ID (CID) selector, for cases when the CrowdStrike Client Id and Secret have access to multiple CIDs.