CrowdStrike Event Streams

Panther supports connecting to CrowdStrike's Event Streams API

Overview

Panther can fetch CrowdStrike events by querying the CrowdStrike Event Streams API. Panther queries for new events every one minute.

CrowdStrike Event Streams only exports non-sensor data, which includes SaaS audit activity and CrowdStrike Detection Summary events. To ingest device telemetry, a CrowdStrike Falcon Data Replicator (FDR) source is required.

The action of Panther querying the Event Streams API for new events itself generates additional Crowdstrike.EventStreams logs. If this creates unwanted noise in your integration, you can configure an ingestion filter to filter out these logs.

How to onboard CrowdStrike Event Streams logs to Panther

Prerequisite

Before you can use this method, you'll need to contact your CrowdStrike support team to enable streaming APIs on your CrowdStrike account.

Step 1: Create CrowdStrike Falcon API client

Log into the Falcon console using an account with administrator-level permissions.
In the navigation bar, click Support and resources > API clients and keys.
Within the OAuth2 API clients tab, click Create API client.
Fill in the Create API client form:
- Client name: Enter a descriptive name.
- Description: Enter a useful description.
- In the table of scopes, in the Event streams row, select the Read checkbox.
Click Create.
The API client created pop-up modal will display Client ID, Secret, and Base URL values. Copy these values and store them in a secure location, as you will need them in the next step. This is the only time the Secret will be shown.
Click Done.

Step 2: Create a new CrowdStrike Event Streams source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "CrowdStrike Event Streams," then click its tile.
In the slide-out panel, click Start Setup.
On the Configure page, enter a descriptive Name for the source.
Click Setup.
On the Credentials page, fill in the form:
- Client Id: Enter the Client ID you generated in CrowdStrike in the previous step.
- Client Secret: Enter the Secret you generated in CrowdStrike in the previous step.
- Client Cloud: Select the region shown in the Base URL you generated in CrowdStrike in the previous step.
- App Id: Enter a label to identify your connection.
  - There is a maximum of 20 alphanumeric characters (a-z, A-Z, 0-9).
- Member Cid (Optional): Optionally enter the Customer ID (CID) selector, for cases when the CrowdStrike Client Id and Secret have access to multiple CIDs.
Click Setup. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Crowdstrike.EventStreams

Crowdstrike.EventStreams logs represent activity observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searches.

schema: Crowdstrike.EventStreams
description: Events related to activity that's observed on your hosts by the Falcon sensor and shown in the Falcon console's Investigate dashboards and searches
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events
fields:
  - name: event
    required: true
    description: The data for the detection or audit event
    type: object
    fields:
      - name: OperationName
        description: The operation name
        type: string
      - name: ServiceName
        description: The service name
        type: string
      - name: UTCTimestamp
        description: Time when the operation took place in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
        isEventTime: true
      - name: UserId
        type: string
        indicators:
          - email
      - name: UserIp
        type: string
        indicators:
          - ip
      - name: Success
        type: boolean
      - name: ComputerName
        description: Host name
        type: string
        indicators:
          - hostname
      - name: DetectDescription
        description: |
          A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly
        type: string
      - name: Description
        type: string
      - name: DetectId
        description: The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph
        type: string
      - name: CompositeId
        type: string
      - name: FalconHostLink
        description: Link to view detection event in Falcon console
        type: string
        indicators:
          - url
      - name: IOARuleInstanceId
        type: string
      - name: IOARuleInstanceVersion
        type: string
      - name: IOARuleName
        type: string
      - name: IOARuleGroupName
        type: string
      - name: FileName
        type: string
      - name: FilePath
        type: string
      - name: ProcessStartTime
        description: Timestamp of when a process started in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
      - name: ProcessEndTime
        description: Timestamp of when a process ended in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
      - name: ProcessId
        description: Process ID
        type: string
      - name: UserName
        description: User name
        type: string
        indicators:
          - username
      - name: DetectName
        description: |
          NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information
        type: string
      - name: Name
        type: string
      - name: CommandLine
        description: The command line used to create this process
        type: string
      - name: MD5String
        description: MD5 hash
        type: string
        indicators:
          - md5
      - name: SHA1String
        type: string
        indicators:
          - sha1
      - name: SHA256String
        description: SHA256 hash
        type: string
        indicators:
          - sha256
      - name: MachineDomain
        description: The Windows Domain Name to which the machine is currently joined
        type: string
      - name: SensorId
        description: Falcon sensor Agent ID
        type: string
      - name: LocalIP
        type: string
        indicators:
          - ip
      - name: MACAddress
        type: string
        indicators:
          - mac
      - name: Objective
        description: The name of the objective associated to the behavior
        type: string
      - name: PatternDispositionDescription
        description: The description of the pattern associated to the action taken on the behavior
        type: string
      - name: PatternDispositionValue
        description: The numerical ID of the pattern associated to the action taken on the behavior
        type: bigint
      - name: PatternDispositionFlags
        type: json
      - name: DocumentsAccessed
        type: array
        element:
          type: object
          fields:
            - name: Timestamp
              description: Time the document was accessed in UNIX EPOCH time
              type: timestamp
              timeFormats:
                - unix_auto
            - name: Filename
              description: |
                Name of file accessed. Note: A detect Summary can have 0 or more DocumentsAccessed_FileName entries and there is a timestamp for each DocumentsAccessed_FileName entry.
              type: string
            - name: Filepath
              description: |
                File path, if a document was accessed. Note: A detect Summary can have 0 or more DocumentsAccessed_FilePath entries.
              type: string
      - name: Commands
        type: array
        element:
          type: string
      - name: ParentProcessId
        description: Parent Process ID
        type: string
      - name: ParentCommandLine
        type: string
      - name: ParentImageFileName
        type: string
      - name: GrandparentCommandLine
        type: string
      - name: GrandparentImageFilename
        type: string
      - name: NetworkAccesses
        type: array
        element:
          type: object
          fields:
            - name: ConnectionDirection
              description: Whether the connection is inbound (1), outbound (0), or neither (2)
              type: int
            - name: LocalAddress
              description: Local IP address
              type: string
              indicators:
                - ip
            - name: LocalPort
              description: Local port of a network connection, as the normal port number. (i.e. an incoming ssh connection is 22)
              type: bigint
            - name: Protocol
              description: RFC-1700 IP protocol identifier
              type: string
            - name: RemoteAddress
              description: Remote IP address
              type: string
              indicators:
                - ip
            - name: RemotePort
              description: Remote port
              type: bigint
      - name: Severity
        description: 0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)
        type: float
      - name: SeverityName
        description: 0 (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical)
        type: string
      - name: Tactic
        description: The name of the tactic associated to the behavior
        type: string
      - name: Technique
        description: The name of the technique associated to the behavior
        type: string
      - name: AuditKeyValues
        type: array
        element:
          type: json
      - name: IncidentType
        type: string
      - name: IncidentStartTime
        type: timestamp
        timeFormats:
          - unix_auto
      - name: IncidentEndTime
        type: timestamp
        timeFormats:
          - unix_auto
      - name: IncidentId
        type: string
      - name: State
        type: string
      - name: FineScore
        type: float
      - name: LateralMovement
        type: string
      - name: SessionId
        type: string
        indicators:
          - trace_id
      - name: HostnameField
        type: string
        indicators:
          - hostname
      - name: StartTimestamp
        type: timestamp
        timeFormats:
          - unix_auto
      - name: EndTimestamp
        type: timestamp
        timeFormats:
          - unix_auto
  - name: metadata
    required: true
    description: The metadata for this detection or audit event
    type: object
    fields:
      - name: customerIDString
        description: Unique ID assigned by CS for each customer
        type: string
      - name: offset
        required: true
        description: |
          Starts at offset=0. Each new event (AuthActivityAuditEvent, DetectionSummaryEvent, UserActivityAuditEvent) would increase the offset counter by one. When reconnecting to Falcon Streaming API, you can specify the offset value to tell the API the starting point where you’d like to receive the events. If omitted, the API would return all previous Detection Summary or Authentication events starting with offset=0
        type: bigint
      - name: version
        type: string
      - name: eventType
        type: string
      - name: eventCreationTime
        required: true
        description: Time when this event was generated in UNIX EPOCH time
        type: timestamp
        timeFormats:
          - unix_auto
        isEventTime: true

PreviousCrowdStrike Falcon Data Replicator NextDocker Logs

Last updated 11 months ago

Was this helpful?