From d61eacf0222b8b649db8f1f63e3397883a433844 Mon Sep 17 00:00:00 2001
From: Navnit Chauhan
Date: Thu, 11 Jun 2026 17:31:17 +0530
Subject: [PATCH 1/4] crowdstrike: add support for Correlation Detection events

---
 packages/crowdstrike/changelog.yml | 8 +
 .../pipeline/test-alert.log-expected.json | 2 +
 .../test-automated-lead.log-expected.json | 1 +
 .../pipeline/test-correlation-detection.log | 2 +
 ...st-correlation-detection.log-expected.json | 241 +++++++++++++++
 .../ingest_pipeline/correlation_detection.yml | 286 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 16 +
 .../data_stream/alert/fields/fields.yml | 62 ++++
 packages/crowdstrike/docs/README.md | 28 ++
 packages/crowdstrike/manifest.yml | 2 +-
 10 files changed, 647 insertions(+), 1 deletion(-)
 create mode 100644 packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log
 create mode 100644 packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json
 create mode 100644 packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml

diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 294cd6fb614..e8916cb55b4 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "3.23.0"
+ changes:
+ - description: Add support for NG-SIEM correlation-detection alerts in the Alert data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/19494
+ - description: Populate `event.duration` ECS field from `event.start` and `event.end` fields in the Alert data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/19494
 - version: "3.22.0"
 changes:
 - description: Add support for Automated Leads events in the Alert, Falcon, and FDR data streams.
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
index 094e362e9f8..6345322d02c 100644
--- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
@@ -470,6 +470,7 @@
 "version": "8.17.0"
 },
 "event": {
+ "duration": -259200000000000,
 "end": "2024-08-16T18:43:44.242Z",
 "id": "ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9",
 "kind": "alert",
@@ -668,6 +669,7 @@
 "version": "8.17.0"
 },
 "event": {
+ "duration": 0,
 "end": "2024-08-19T18:43:44.242Z",
 "id": "ind:4446934rf3fdb64ec3056ddfb96e:87934F-M00B-48CC-0AAC-dfafd3429",
 "kind": "alert",
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-automated-lead.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-automated-lead.log-expected.json
index 5d60c5b8550..d5a64f93ac6 100644
--- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-automated-lead.log-expected.json
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-automated-lead.log-expected.json
@@ -72,6 +72,7 @@
 "category": [
 "threat"
 ],
+ "duration": 93000000000,
 "end": "2026-05-11T05:13:20.000Z",
 "id": "automated-lead:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
 "kind": "alert",
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log
new file mode 100644
index 00000000000..2d78118c484
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log
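Review bot: The first test-alert hunk pins `"duration": -259200000000000` as the expected event.duration, a negative interval of exactly three days, which implies event.start lies after event.end (2024-08-16T18:43:44.242Z) in that sample document. ECS defines event.duration as a length in nanoseconds, so a negative value looks less like an intended result than a sign that the computation in default.yml (not in this chunk) subtracts the two timestamps without checking their order. If the ordering is an artefact of the fixture, the sample should be corrected; if it can occur in real alerts, the processor should leave event.duration unset when end precedes start (optionally recording the fact in error.message), and the expected file regenerated. The test-automated-lead hunk that follows pins a positive value and needs no change.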
@@ -0,0 +1,2 @@ +{"cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","composite_id":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01","correlation_rule_case_template_id":"3f4edfe2e016466b91e9ae0813ccb5f41","correlation_rule_create_case":true,"correlation_rule_execution_id":"019a643539d97c47b027d43d3c0cbecc","correlation_rule_id":"019a06bf00e67be489340eca8c435140","correlation_rule_user_id":"user@example.com","correlation_rule_user_uuid":"89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b","correlation_rule_version_id":"019a640c01667962b764a645e8da1d4e","crawled_timestamp":"2026-05-26T12:14:38.196350129Z","created_timestamp":"2026-05-26T12:14:38.196340969Z","data_domains":["Network"],"detection_id":"019a643539d97c47b027d43d3c0cbecc","display_name":"UC1-InboundThreatDetection(GreyNoiseEnriched)","end_time":"2026-05-26T12:10:17.112Z","enriched_entities":{},"event_ids":"exAMPLEidEMvYiu5RwcppZtQpb_2_0_1779797417","falcon_host_link":"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001","has_truncated_entities":false,"id":"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01","linked_case_ids":["AAAAAAAAAAFt-9l_iefg-exampleCaseId01LNB-6fURYtjTZZxnwlTzsy7TpXEtzEfwHgC8TADgpKgZba19utb1ZLqs7wixNuYGlRGS5rA1XrYo"],"mitre_attack":[],"name":"UC1-InboundThreatDetection(GreyNoiseEnriched)","origin_cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","original_correlation_rules_entities_count":5,"original_indicator_entities_count":1,"pattern_id":400000,"poly_id":"AAAexamplePolyId01Dv6tw1w_eU1ZFa2wZnzQ-9droqwAATiGsJlVWZAiLF2lh-ipnt9szIsU5GAZL9nIJdRo2DfsAUQ==","priority_details":{},"product":"ngsiem","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":30,"severity_name":"Low","show_in_ui":true,"source_hosts":["censys.io"],"source_ips":["198.51.100.10"],"source_products":["FirewallLogs 
PaloAlto"],"source_vendors":["FirewallLogs"],"start_time":"2026-05-26T12:10:17.112Z","status":"new","timestamp":"2026-05-26T12:14:34Z","type":"correlation-detection","updated_timestamp":"2026-05-26T12:14:40.786363829Z","users":[],"vendor_pattern_id":"100012"} +{"cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","comment":"Enrichment\"|EnrichmentAdvanceddescription:logCensys.port=443|data#repo=fusion|Censys.hostname=host-nas-01.example.localenrichmentsearchviewworkflow,andby\"WritedetailseventCensys.iprepo\"|Generatedbelowinmorequerytail(1)Workflow\"CensysWorkflowRunCensys.hostname=host-desktop-01.example.local\"203.0.113.20\"|action.nameatname:Censys.hostname=slack.comCensys.port=80|Censys\"definition_name\"definition_nameprefix=Censys.)|tohttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccaceDetection=parseJson(field=action.input.raw_json,","comments":[{"falcon_user_id":"cs-workflow-executor-example-main-p-20200826","timestamp":"2026-06-02T02:42:46.39293629Z","value":"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|\"definition_name\"=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.ip=\"203.0.113.20\"|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace"},{"falcon_user_id":"cs-workflow-executor-example-main-p-20200826","timestamp":"2026-06-02T02:43:40.620005158Z","value":"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|definition_name=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.hostname=host-nas-01.example.localandCensys.port=443|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetai
lsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace"}],"composite_id":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","correlation_rule_create_case":true,"correlation_rule_execution_id":"019b8635817e7c77948a4d7b8ff24fad","correlation_rule_id":"019b830f23e07c6d8f1809baceb9ccb9","correlation_rule_user_id":"admin@example.org","correlation_rule_user_uuid":"a1b2c3d4-e5f6-4789-90ab-c1d2e3f4a5b6","correlation_rule_version_id":"019b862fbed67b15921a6b79eea654eb","crawled_timestamp":"2026-06-02T02:42:39.854765052Z","created_timestamp":"2026-06-02T02:42:39.85475758Z","data_domains":["Network"],"destination_hosts":["host-nas-01.example.local"],"detection_id":"019b8635817e7c77948a4d7b8ff24fad:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","display_name":"POCdomainparsingforcase","end_time":"2026-06-01T17:22:21.334Z","enriched_entities":{},"event_ids":"exAMPLEk1foCKxiZ0OFPxTT2rp_1_1_1780334541","falcon_host_link":"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001","has_truncated_entities":false,"host_names":["host-desktop-01.example.local"],"id":"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","linked_case_ids":["AAAAAAAAAAGlDA4Qk2AQyH9lgZtRA78B4OF_exampleCaseId02Dsv1ucmvWv-fdtMG-HtzxtqksbDu9BuWC3wrsNFQ1zgv0aXfTdHMlnt2I"],"mitre_attack":[],"name":"POCdomainparsingforcase","origin_cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","original_correlation_rules_entities_count":11,"original_indicator_entities_count":3,"pattern_id":400000,"poly_id":"AAAexamplePolyId01Dv6twg2uHHj3JLnZDIXfJztg-5wAATiEjyzmWTNhOwDjIbiBs5-wkSdF3ktUG0GmNU69XKQrTgw==","priority_details":{},"product":"ngsiem","seconds_to_resolved":0,"seconds_to_triaged":4664,"severity":50,"severity_name":"Medium","show_in_ui":
true,"source_hosts":["slack.com","host-desktop-01.example.local"],"source_ips":["198.51.100.11"],"source_products":["CorelightNdr"],"source_vendors":["Corelight"],"start_time":"2026-06-01T17:22:21.334Z","status":"new","timestamp":"2026-06-02T02:42:32Z","type":"correlation-detection","updated_timestamp":"2026-06-02T04:16:23.064931208Z","user_names":["example-user"],"usernames":["example-user"],"users":[{"aid":"","full_name":"","full_name_is_enriched":false,"idp_id":"","idp_id_is_enriched":false,"sid":"","user_name":"example-user"}],"vendor_pattern_id":"100012"} diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json new file mode 100644 index 00000000000..c2ebbf4cb61 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json 
@@ -0,0 +1,241 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-26T12:14:34.000Z", + "crowdstrike": { + "alert": { + "cid": "a1b2c3d4e5f6478990a1b2c3d4e5f6a70", + "composite_id": "a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01", + "correlation_rule_case_template_id": "3f4edfe2e016466b91e9ae0813ccb5f41", + "correlation_rule_create_case": true, + "correlation_rule_execution_id": "019a643539d97c47b027d43d3c0cbecc", + "correlation_rule_id": "019a06bf00e67be489340eca8c435140", + "correlation_rule_user_id": "user@example.com", + "correlation_rule_user_uuid": "89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b", + "correlation_rule_version_id": "019a640c01667962b764a645e8da1d4e", + "crawled_timestamp": "2026-05-26T12:14:38.196Z", + "created_timestamp": "2026-05-26T12:14:38.196Z", + "data_domains": [ + "Network" + ], + "detection_id": "019a643539d97c47b027d43d3c0cbecc", + "display_name": "UC1-InboundThreatDetection(GreyNoiseEnriched)", + "end_time": "2026-05-26T12:10:17.112Z", + "event_ids": "exAMPLEidEMvYiu5RwcppZtQpb_2_0_1779797417", + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001", + "has_truncated_entities": false, + "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01", + "linked_case_ids": [ + "AAAAAAAAAAFt-9l_iefg-exampleCaseId01LNB-6fURYtjTZZxnwlTzsy7TpXEtzEfwHgC8TADgpKgZba19utb1ZLqs7wixNuYGlRGS5rA1XrYo" + ], + "name": "UC1-InboundThreatDetection(GreyNoiseEnriched)", + "original_correlation_rules_entities_count": 5, + "original_indicator_entities_count": 1, + "pattern_id": "400000", + "poly_id": "AAAexamplePolyId01Dv6tw1w_eU1ZFa2wZnzQ-9droqwAATiGsJlVWZAiLF2lh-ipnt9szIsU5GAZL9nIJdRo2DfsAUQ==", + "product": "ngsiem", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + 
"show_in_ui": true, + "source_hosts": [ + "censys.io" + ], + "source_ips": [ + "198.51.100.10" + ], + "source_products": [ + "FirewallLogs PaloAlto" + ], + "source_vendors": [ + "FirewallLogs" + ], + "start_time": "2026-05-26T12:10:17.112Z", + "status": "new", + "timestamp": "2026-05-26T12:14:34.000Z", + "type": "correlation-detection", + "updated_timestamp": "2026-05-26T12:14:40.786Z", + "vendor_pattern_id": "100012" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "duration": 0, + "end": "2026-05-26T12:10:17.112Z", + "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01", + "kind": "alert", + "original": "{\"cid\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70\",\"composite_id\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01\",\"correlation_rule_case_template_id\":\"3f4edfe2e016466b91e9ae0813ccb5f41\",\"correlation_rule_create_case\":true,\"correlation_rule_execution_id\":\"019a643539d97c47b027d43d3c0cbecc\",\"correlation_rule_id\":\"019a06bf00e67be489340eca8c435140\",\"correlation_rule_user_id\":\"user@example.com\",\"correlation_rule_user_uuid\":\"89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b\",\"correlation_rule_version_id\":\"019a640c01667962b764a645e8da1d4e\",\"crawled_timestamp\":\"2026-05-26T12:14:38.196350129Z\",\"created_timestamp\":\"2026-05-26T12:14:38.196340969Z\",\"data_domains\":[\"Network\"],\"detection_id\":\"019a643539d97c47b027d43d3c0cbecc\",\"display_name\":\"UC1-InboundThreatDetection(GreyNoiseEnriched)\",\"end_time\":\"2026-05-26T12:10:17.112Z\",\"enriched_entities\":{},\"event_ids\":\"exAMPLEidEMvYiu5RwcppZtQpb_2_0_1779797417\",\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001\",\"has_truncated_entities\":false,\"id\":\"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f
6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01\",\"linked_case_ids\":[\"AAAAAAAAAAFt-9l_iefg-exampleCaseId01LNB-6fURYtjTZZxnwlTzsy7TpXEtzEfwHgC8TADgpKgZba19utb1ZLqs7wixNuYGlRGS5rA1XrYo\"],\"mitre_attack\":[],\"name\":\"UC1-InboundThreatDetection(GreyNoiseEnriched)\",\"origin_cid\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70\",\"original_correlation_rules_entities_count\":5,\"original_indicator_entities_count\":1,\"pattern_id\":400000,\"poly_id\":\"AAAexamplePolyId01Dv6tw1w_eU1ZFa2wZnzQ-9droqwAATiGsJlVWZAiLF2lh-ipnt9szIsU5GAZL9nIJdRo2DfsAUQ==\",\"priority_details\":{},\"product\":\"ngsiem\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":0,\"severity\":30,\"severity_name\":\"Low\",\"show_in_ui\":true,\"source_hosts\":[\"censys.io\"],\"source_ips\":[\"198.51.100.10\"],\"source_products\":[\"FirewallLogs PaloAlto\"],\"source_vendors\":[\"FirewallLogs\"],\"start_time\":\"2026-05-26T12:10:17.112Z\",\"status\":\"new\",\"timestamp\":\"2026-05-26T12:14:34Z\",\"type\":\"correlation-detection\",\"updated_timestamp\":\"2026-05-26T12:14:40.786363829Z\",\"users\":[],\"vendor_pattern_id\":\"100012\"}", + "provider": "FirewallLogs PaloAlto", + "severity": 21, + "start": "2026-05-26T12:10:17.112Z", + "type": [ + "indicator" + ], + "url": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001" + }, + "message": "UC1-InboundThreatDetection(GreyNoiseEnriched)", + "related": { + "hosts": [ + "censys.io" + ], + "ip": [ + "198.51.100.10" + ] + }, + "rule": { + "id": "019a06bf00e67be489340eca8c435140", + "name": "UC1-InboundThreatDetection(GreyNoiseEnriched)" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2026-06-02T02:42:32.000Z", + "crowdstrike": { + "alert": { + "cid": "a1b2c3d4e5f6478990a1b2c3d4e5f6a70", + "comment": 
"Enrichment\"|EnrichmentAdvanceddescription:logCensys.port=443|data#repo=fusion|Censys.hostname=host-nas-01.example.localenrichmentsearchviewworkflow,andby\"WritedetailseventCensys.iprepo\"|Generatedbelowinmorequerytail(1)Workflow\"CensysWorkflowRunCensys.hostname=host-desktop-01.example.local\"203.0.113.20\"|action.nameatname:Censys.hostname=slack.comCensys.port=80|Censys\"definition_name\"definition_nameprefix=Censys.)|tohttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccaceDetection=parseJson(field=action.input.raw_json,", + "comments": [ + { + "falcon_user_id": "cs-workflow-executor-example-main-p-20200826", + "timestamp": "2026-06-02T02:42:46.392Z", + "value": "RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|\"definition_name\"=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.ip=\"203.0.113.20\"|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace" + }, + { + "falcon_user_id": "cs-workflow-executor-example-main-p-20200826", + "timestamp": "2026-06-02T02:43:40.620Z", + "value": "RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|definition_name=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.hostname=host-nas-01.example.localandCensys.port=443|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace" + } + ], + "composite_id": "a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02", + 
"correlation_rule_create_case": true, + "correlation_rule_execution_id": "019b8635817e7c77948a4d7b8ff24fad", + "correlation_rule_id": "019b830f23e07c6d8f1809baceb9ccb9", + "correlation_rule_user_id": "admin@example.org", + "correlation_rule_user_uuid": "a1b2c3d4-e5f6-4789-90ab-c1d2e3f4a5b6", + "correlation_rule_version_id": "019b862fbed67b15921a6b79eea654eb", + "crawled_timestamp": "2026-06-02T02:42:39.854Z", + "created_timestamp": "2026-06-02T02:42:39.854Z", + "data_domains": [ + "Network" + ], + "destination_hosts": [ + "host-nas-01.example.local" + ], + "detection_id": "019b8635817e7c77948a4d7b8ff24fad:f1e2d3c4b5a6478990a1b2c3d4e5f6a02", + "display_name": "POCdomainparsingforcase", + "end_time": "2026-06-01T17:22:21.334Z", + "event_ids": "exAMPLEk1foCKxiZ0OFPxTT2rp_1_1_1780334541", + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001", + "has_truncated_entities": false, + "host_names": [ + "host-desktop-01.example.local" + ], + "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02", + "linked_case_ids": [ + "AAAAAAAAAAGlDA4Qk2AQyH9lgZtRA78B4OF_exampleCaseId02Dsv1ucmvWv-fdtMG-HtzxtqksbDu9BuWC3wrsNFQ1zgv0aXfTdHMlnt2I" + ], + "name": "POCdomainparsingforcase", + "original_correlation_rules_entities_count": 11, + "original_indicator_entities_count": 3, + "pattern_id": "400000", + "poly_id": "AAAexamplePolyId01Dv6twg2uHHj3JLnZDIXfJztg-5wAATiEjyzmWTNhOwDjIbiBs5-wkSdF3ktUG0GmNU69XKQrTgw==", + "product": "ngsiem", + "seconds_to_resolved": 0, + "seconds_to_triaged": 4664, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": true, + "source_hosts": [ + "slack.com", + "host-desktop-01.example.local" + ], + "source_ips": [ + "198.51.100.11" + ], + "source_products": [ + "CorelightNdr" + ], + "source_vendors": [ + "Corelight" + ], + "start_time": 
"2026-06-01T17:22:21.334Z", + "status": "new", + "timestamp": "2026-06-02T02:42:32.000Z", + "type": "correlation-detection", + "updated_timestamp": "2026-06-02T04:16:23.064Z", + "user_names": [ + "example-user" + ], + "usernames": [ + "example-user" + ], + "users": [ + { + "full_name_is_enriched": false, + "idp_id_is_enriched": false, + "user_name": "example-user" + } + ], + "vendor_pattern_id": "100012" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "duration": 0, + "end": "2026-06-01T17:22:21.334Z", + "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02", + "kind": "alert", + "original": "{\"cid\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70\",\"comment\":\"Enrichment\\\"|EnrichmentAdvanceddescription:logCensys.port=443|data#repo=fusion|Censys.hostname=host-nas-01.example.localenrichmentsearchviewworkflow,andby\\\"WritedetailseventCensys.iprepo\\\"|Generatedbelowinmorequerytail(1)Workflow\\\"CensysWorkflowRunCensys.hostname=host-desktop-01.example.local\\\"203.0.113.20\\\"|action.nameatname:Censys.hostname=slack.comCensys.port=80|Censys\\\"definition_name\\\"definition_nameprefix=Censys.)|tohttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccaceDetection=parseJson(field=action.input.raw_json,\",\"comments\":[{\"falcon_user_id\":\"cs-workflow-executor-example-main-p-20200826\",\"timestamp\":\"2026-06-02T02:42:46.39293629Z\",\"value\":\"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|\\\"definition_name\\\"=\\\"CensysDetectionEnrichment\\\"|action.name=\\\"Writetologrepo\\\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.ip=\\\"203.0.113.20\\\"|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace\"},{\"falcon_u
ser_id\":\"cs-workflow-executor-example-main-p-20200826\",\"timestamp\":\"2026-06-02T02:43:40.620005158Z\",\"value\":\"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|definition_name=\\\"CensysDetectionEnrichment\\\"|action.name=\\\"Writetologrepo\\\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.hostname=host-nas-01.example.localandCensys.port=443|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace\"}],\"composite_id\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02\",\"correlation_rule_create_case\":true,\"correlation_rule_execution_id\":\"019b8635817e7c77948a4d7b8ff24fad\",\"correlation_rule_id\":\"019b830f23e07c6d8f1809baceb9ccb9\",\"correlation_rule_user_id\":\"admin@example.org\",\"correlation_rule_user_uuid\":\"a1b2c3d4-e5f6-4789-90ab-c1d2e3f4a5b6\",\"correlation_rule_version_id\":\"019b862fbed67b15921a6b79eea654eb\",\"crawled_timestamp\":\"2026-06-02T02:42:39.854765052Z\",\"created_timestamp\":\"2026-06-02T02:42:39.85475758Z\",\"data_domains\":[\"Network\"],\"destination_hosts\":[\"host-nas-01.example.local\"],\"detection_id\":\"019b8635817e7c77948a4d7b8ff24fad:f1e2d3c4b5a6478990a1b2c3d4e5f6a02\",\"display_name\":\"POCdomainparsingforcase\",\"end_time\":\"2026-06-01T17:22:21.334Z\",\"enriched_entities\":{},\"event_ids\":\"exAMPLEk1foCKxiZ0OFPxTT2rp_1_1_1780334541\",\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001\",\"has_truncated_entities\":false,\"host_names\":[\"host-desktop-01.example.local\"],\"id\":\"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02\",\"linked_case_ids\":[\"AAA
AAAAAAAGlDA4Qk2AQyH9lgZtRA78B4OF_exampleCaseId02Dsv1ucmvWv-fdtMG-HtzxtqksbDu9BuWC3wrsNFQ1zgv0aXfTdHMlnt2I\"],\"mitre_attack\":[],\"name\":\"POCdomainparsingforcase\",\"origin_cid\":\"a1b2c3d4e5f6478990a1b2c3d4e5f6a70\",\"original_correlation_rules_entities_count\":11,\"original_indicator_entities_count\":3,\"pattern_id\":400000,\"poly_id\":\"AAAexamplePolyId01Dv6twg2uHHj3JLnZDIXfJztg-5wAATiEjyzmWTNhOwDjIbiBs5-wkSdF3ktUG0GmNU69XKQrTgw==\",\"priority_details\":{},\"product\":\"ngsiem\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":4664,\"severity\":50,\"severity_name\":\"Medium\",\"show_in_ui\":true,\"source_hosts\":[\"slack.com\",\"host-desktop-01.example.local\"],\"source_ips\":[\"198.51.100.11\"],\"source_products\":[\"CorelightNdr\"],\"source_vendors\":[\"Corelight\"],\"start_time\":\"2026-06-01T17:22:21.334Z\",\"status\":\"new\",\"timestamp\":\"2026-06-02T02:42:32Z\",\"type\":\"correlation-detection\",\"updated_timestamp\":\"2026-06-02T04:16:23.064931208Z\",\"user_names\":[\"example-user\"],\"usernames\":[\"example-user\"],\"users\":[{\"aid\":\"\",\"full_name\":\"\",\"full_name_is_enriched\":false,\"idp_id\":\"\",\"idp_id_is_enriched\":false,\"sid\":\"\",\"user_name\":\"example-user\"}],\"vendor_pattern_id\":\"100012\"}", + "provider": "CorelightNdr", + "severity": 47, + "start": "2026-06-01T17:22:21.334Z", + "type": [ + "indicator" + ], + "url": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001" + }, + "host": { + "name": "host-desktop-01.example.local" + }, + "message": "POCdomainparsingforcase", + "related": { + "hosts": [ + "host-desktop-01.example.local", + "slack.com", + "host-nas-01.example.local" + ], + "ip": [ + "198.51.100.11" + ], + "user": [ + "example-user" + ] + }, + "rule": { + "id": "019b830f23e07c6d8f1809baceb9ccb9", + "name": "POCdomainparsingforcase" + }, + "tags": [ + 
"preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "example-user" + } + } + ] +} diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml new file mode 100644 index 00000000000..897f3ca85e2 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml 
@@ -0,0 +1,286 @@ +--- +description: Pipeline for NG-SIEM correlation-detection alerts. +processors: + - append: + field: event.category + tag: append_event_category_threat + value: threat + - append: + field: event.type + tag: append_event_type_indicator + value: indicator + - set: + field: message + tag: set_message_from_display_name + copy_from: crowdstrike.alert.display_name + ignore_empty_value: true + - set: + field: message + tag: set_message_from_name + copy_from: crowdstrike.alert.name + ignore_empty_value: true + if: ctx.message == null || ctx.message == '' + - set: + field: event.url + tag: set_event_url_from_falcon_host_link + copy_from: crowdstrike.alert.falcon_host_link + ignore_empty_value: true + - set: + field: rule.name + tag: set_rule_name_from_display_name + copy_from: crowdstrike.alert.display_name + ignore_empty_value: true + - set: + field: rule.id + tag: set_rule_id_from_correlation_rule_id + copy_from: crowdstrike.alert.correlation_rule_id + ignore_empty_value: true + - script: + lang: painless + tag: set_event_provider_from_first_source_product + if: ctx.crowdstrike?.alert?.source_products instanceof List && !ctx.crowdstrike.alert.source_products.isEmpty() + source: |- + ctx.event = ctx.event ?: [:]; + ctx.event.provider = ctx.crowdstrike.alert.source_products[0]; + - convert: + field: crowdstrike.alert.has_truncated_entities + tag: convert_has_truncated_entities_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_alert_has_truncated_entities + field: crowdstrike.alert.has_truncated_entities + ignore_missing: true + - append: + tag: append_error_message_has_truncated_entities + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - convert: + field: crowdstrike.alert.correlation_rule_create_case + 
tag: convert_correlation_rule_create_case_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_alert_correlation_rule_create_case + field: crowdstrike.alert.correlation_rule_create_case + ignore_missing: true + - append: + tag: append_error_message_correlation_rule_create_case + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - convert: + field: crowdstrike.alert.original_correlation_rules_entities_count + tag: convert_original_correlation_rules_entities_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_alert_original_correlation_rules_entities_count + field: crowdstrike.alert.original_correlation_rules_entities_count + ignore_missing: true + - append: + tag: append_error_message_original_correlation_rules_entities_count + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - convert: + field: crowdstrike.alert.original_indicator_entities_count + tag: convert_original_indicator_entities_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_alert_original_indicator_entities_count + field: crowdstrike.alert.original_indicator_entities_count + ignore_missing: true + - append: + tag: append_error_message_original_indicator_entities_count + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - foreach: + tag: 
foreach_crowdstrike_alert_users_ccacc2db + field: crowdstrike.alert.users + if: ctx.crowdstrike?.alert?.users instanceof List + processor: + convert: + field: _ingest._value.full_name_is_enriched + tag: convert_users_full_name_is_enriched_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.full_name_is_enriched + ignore_missing: true + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - foreach: + tag: foreach_crowdstrike_alert_comments_timestamp + field: crowdstrike.alert.comments + if: ctx.crowdstrike?.alert?.comments instanceof List + processor: + date: + field: _ingest._value.timestamp + tag: date_comments_timestamp + target_field: _ingest._value.timestamp + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - foreach: + tag: foreach_crowdstrike_alert_users_f4c467bd + field: crowdstrike.alert.users + if: ctx.crowdstrike?.alert?.users instanceof List + processor: + convert: + field: _ingest._value.idp_id_is_enriched + tag: convert_users_idp_id_is_enriched_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.idp_id_is_enriched + ignore_missing: true + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - script: + lang: painless + tag: 
set_host_name_from_first_host_name + if: ctx.crowdstrike?.alert?.host_names instanceof List && !ctx.crowdstrike.alert.host_names.isEmpty() + source: |- + ctx.host = ctx.host ?: [:]; + if (ctx.host.name == null || ctx.host.name == '') { + ctx.host.name = ctx.crowdstrike.alert.host_names[0]; + } + - foreach: + field: crowdstrike.alert.host_names + tag: foreach_host_names_related_hosts + if: ctx.crowdstrike?.alert?.host_names instanceof List + processor: + append: + field: related.hosts + tag: append_related_hosts_from_host_names + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.alert.source_hosts + tag: foreach_source_hosts_related_hosts + if: ctx.crowdstrike?.alert?.source_hosts instanceof List + processor: + append: + field: related.hosts + tag: append_related_hosts_from_source_hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.alert.destination_hosts + tag: foreach_destination_hosts_related_hosts + if: ctx.crowdstrike?.alert?.destination_hosts instanceof List + processor: + append: + field: related.hosts + tag: append_related_hosts_from_destination_hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.alert.source_ips + tag: foreach_source_ips_related_ip + if: ctx.crowdstrike?.alert?.source_ips instanceof List + processor: + append: + field: related.ip + tag: append_related_ip_from_source_ips + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.alert.destination_ips + tag: foreach_destination_ips_related_ip + if: ctx.crowdstrike?.alert?.destination_ips instanceof List + processor: + append: + field: related.ip + tag: append_related_ip_from_destination_ips + value: '{{{_ingest._value}}}' + allow_duplicates: false + - script: + lang: painless + tag: set_user_name_from_first_user_name + if: ctx.crowdstrike?.alert?.user_names instanceof List && !ctx.crowdstrike.alert.user_names.isEmpty() + source: 
|- + ctx.user = ctx.user ?: [:]; + if (ctx.user.name == null || ctx.user.name == '') { + ctx.user.name = ctx.crowdstrike.alert.user_names[0]; + } + - foreach: + field: crowdstrike.alert.user_names + tag: foreach_user_names_related_user + if: ctx.crowdstrike?.alert?.user_names instanceof List + processor: + append: + field: related.user + tag: append_related_user_from_user_names + value: '{{{_ingest._value}}}' + allow_duplicates: false + - script: + lang: painless + tag: set_user_from_users_entries + if: ctx.crowdstrike?.alert?.users instanceof List && !ctx.crowdstrike.alert.users.isEmpty() + source: |- + for (def userEntry : ctx.crowdstrike.alert.users) { + if (userEntry.user_name != null && userEntry.user_name != '') { + ctx.user = ctx.user ?: [:]; + if (ctx.user.name == null || ctx.user.name == '') { + ctx.user.name = userEntry.user_name; + } + + ctx.related = ctx.related ?: [:]; + ctx.related.user = ctx.related.user ?: []; + if (!ctx.related.user.contains(userEntry.user_name)) { + ctx.related.user.add(userEntry.user_name); + } + } + + ctx.user = ctx.user ?: [:]; + if (userEntry.sid != null && userEntry.sid != '' && (ctx.user.id == null || ctx.user.id == '')) { + ctx.user.id = userEntry.sid; + } + } + + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + tag: append_tags_9fe66b2c + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + tag: append_preserve_original_event_tag + value: preserve_original_event + allow_duplicates: false 
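Review bot: The foreach processors tagged foreach_source_ips_related_ip and foreach_destination_ips_related_ip append the raw source_ips and destination_ips strings to related.ip without checking that they parse as IP addresses, although related.ip (and, per the fields.yml hunk in this patch, crowdstrike.alert.destination_ips) is mapped as `ip`; one malformed entry would therefore reject the whole document at index time instead of surfacing through error.message the way the boolean and long conversions in this pipeline do. Adding a convert processor with `type: ip` over each list before its foreach (convert handles array fields member by member), with the same on_failure remove-and-append shape the other conversions use, keeps the failure mode consistent, at the cost of dropping the whole list when any member is invalid. Separately, in the set_user_from_users_entries script the unconditional `ctx.user = ctx.user ?: [:];` after the user_name block creates an empty user object for an entry that has neither user_name nor sid; moving it under the sid check avoids that, unless default.yml already strips empty objects after this pipeline returns, which is not visible here.
```yaml
  # … unchanged: event.type/message/rule/provider processors, boolean and long conversions, host/related.hosts processors …
  - convert:
      field: crowdstrike.alert.source_ips
      tag: convert_source_ips_to_ip
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            tag: remove_crowdstrike_alert_source_ips
            field: crowdstrike.alert.source_ips
            ignore_missing: true
        - append:
            tag: append_error_message_source_ips
            field: error.message
            value: |-
              Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
  - convert:
      field: crowdstrike.alert.destination_ips
      tag: convert_destination_ips_to_ip
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            tag: remove_crowdstrike_alert_destination_ips
            field: crowdstrike.alert.destination_ips
            ignore_missing: true
        - append:
            tag: append_error_message_destination_ips
            field: error.message
            value: |-
              Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
  - foreach:
      field: crowdstrike.alert.source_ips
  # … unchanged: related.ip foreach bodies, user scripts, pipeline-level on_failure …
```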
diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 317e584d862..b984e1a754f 100644 --- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -50,6 +50,10 @@ processors: name: '{{ IngestPipeline "automated_lead" }}' tag: pipeline_automated_lead if: ctx.crowdstrike?.alert?.product == 'automated-lead' || ctx.crowdstrike?.alert?.product == 'automated-lead-context' + - pipeline: + name: '{{ IngestPipeline "correlation_detection" }}' + tag: pipeline_correlation_detection + if: ctx.crowdstrike?.alert?.product == 'ngsiem' && ctx.crowdstrike?.alert?.type == 'correlation-detection' - set: field: event.category tag: set_event_category_process @@ -1894,6 +1898,18 @@ processors: tag: set_event_start_from_alert_start_time copy_from: crowdstrike.alert.start_time ignore_empty_value: true + - script: + lang: painless + tag: set_event_duration_from_start_and_end + if: ctx.event?.start != null && ctx.event?.end != null + source: |- + def start = ZonedDateTime.parse(ctx.event.start); + def end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: threat.tactic.name tag: append_threat_tactic_name diff --git a/packages/crowdstrike/data_stream/alert/fields/fields.yml b/packages/crowdstrike/data_stream/alert/fields/fields.yml index e81c86bec22..f05a58eb9d5 100644 --- a/packages/crowdstrike/data_stream/alert/fields/fields.yml +++ b/packages/crowdstrike/data_stream/alert/fields/fields.yml 
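Review bot: The set_event_duration_from_start_and_end script in the second hunk stores a negative event.duration whenever an alert's start_time is later than its end_time; the test-alert.log record removed in the fourth patch of this series (end_time 2024-08-16, start_time 2024-08-19) is exactly such an input, so the pipeline would have produced a negative duration for it, and correcting the fixture does not stop the vendor from sending inverted ranges. Guarding the assignment, `if (!end.isBefore(start)) { ctx.event.duration = ChronoUnit.NANOS.between(start, end); }`, leaves event.duration unset for those documents so sums and percentiles over the field are not pulled negative; whichever policy is chosen, a short comment on the script stating it would help the next reader. Also, this script's on_failure only appends to error.message, whereas the pipeline-level on_failure in correlation_detection.yml additionally sets event.kind to pipeline_error, which is fine if default.yml's trailing processors do that for every error, something this hunk does not show.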
@@ -55,10 +55,33 @@ type: keyword - name: comment type: keyword + - name: comments + type: group + fields: + - name: falcon_user_id + type: keyword + - name: timestamp + type: date + - name: value + type: keyword - name: composite_id type: keyword - name: confidence type: long + - name: correlation_rule_case_template_id + type: keyword + - name: correlation_rule_create_case + type: boolean + - name: correlation_rule_execution_id + type: keyword + - name: correlation_rule_id + type: keyword + - name: correlation_rule_user_id + type: keyword + - name: correlation_rule_user_uuid + type: keyword + - name: correlation_rule_version_id + type: keyword - name: context_timestamp type: date - name: control_graph_id @@ -81,8 +104,14 @@ type: keyword - name: description type: keyword + - name: destination_hosts + type: keyword + - name: destination_ips + type: ip - name: detect_type type: keyword + - name: detection_id + type: keyword - name: event_correlation_id type: keyword - name: detection_context @@ -182,6 +211,8 @@ type: date - name: event_id type: keyword + - name: event_ids + type: keyword - name: executables_written type: group fields: @@ -253,8 +284,12 @@ type: keyword - name: has_script_or_module_ioc type: boolean + - name: has_truncated_entities + type: boolean - name: host_name type: keyword + - name: host_names + type: keyword - name: host_type type: keyword - name: id @@ -293,6 +328,8 @@ type: date - name: indicator_id type: keyword + - name: linked_case_ids + type: keyword - name: ioc_context type: group fields: @@ -388,6 +425,10 @@ type: keyword - name: operating_system type: keyword + - name: original_correlation_rules_entities_count + type: long + - name: original_indicator_entities_count + type: long - name: os_name type: keyword - name: overwatch_note 
@@ -680,10 +721,31 @@ type: date - name: user_id type: keyword + - name: users + type: group + fields: + - name: aid + type: keyword + - name: full_name + type: keyword + - name: full_name_is_enriched + type: boolean + - name: idp_id + type: keyword + - name: idp_id_is_enriched + type: boolean + - name: sid + type: keyword + - name: user_name + type: keyword - name: user_names type: keyword - name: user_name type: keyword + - name: usernames + type: keyword + - name: vendor_pattern_id + type: keyword - name: user_principal type: keyword - name: worker_node_name diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index fa808a0d1dc..83791ec76e5 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -811,18 +811,31 @@ An example event for `alert` looks as following:
 | crowdstrike.alert.cmdline | | keyword |
 | crowdstrike.alert.command_line | | keyword |
 | crowdstrike.alert.comment | | keyword |
+| crowdstrike.alert.comments.falcon_user_id | | keyword |
+| crowdstrike.alert.comments.timestamp | | date |
+| crowdstrike.alert.comments.value | | keyword |
 | crowdstrike.alert.composite_id | | keyword |
 | crowdstrike.alert.confidence | | long |
 | crowdstrike.alert.context_timestamp | | date |
 | crowdstrike.alert.control_graph_id | | keyword |
+| crowdstrike.alert.correlation_rule_case_template_id | | keyword |
+| crowdstrike.alert.correlation_rule_create_case | | boolean |
+| crowdstrike.alert.correlation_rule_execution_id | | keyword |
+| crowdstrike.alert.correlation_rule_id | | keyword |
+| crowdstrike.alert.correlation_rule_user_id | | keyword |
+| crowdstrike.alert.correlation_rule_user_uuid | | keyword |
+| crowdstrike.alert.correlation_rule_version_id | | keyword |
 | crowdstrike.alert.crawl_edge_ids.Sensor | | keyword |
 | crowdstrike.alert.crawl_vertex_ids.Sensor | | keyword |
 | crowdstrike.alert.crawled_timestamp | | date |
 | crowdstrike.alert.created_timestamp | | date |
 | crowdstrike.alert.data_domains | | keyword |
 | crowdstrike.alert.description | | keyword |
+| crowdstrike.alert.destination_hosts | | keyword |
+| crowdstrike.alert.destination_ips | | ip |
 | crowdstrike.alert.detect_type | | keyword |
 | crowdstrike.alert.detection_context | | flattened |
+| crowdstrike.alert.detection_id | | keyword |
 | crowdstrike.alert.device.agent_load_flags | | long |
 | crowdstrike.alert.device.agent_local_time | | date |
 | crowdstrike.alert.device.agent_version | | keyword |
@@ -867,6 +880,7 @@ An example event for `alert` looks as following:
 | crowdstrike.alert.end_time | | date |
 | crowdstrike.alert.event_correlation_id | | keyword |
 | crowdstrike.alert.event_id | | keyword |
+| crowdstrike.alert.event_ids | | keyword |
 | crowdstrike.alert.executables_written.filename | | keyword |
 | crowdstrike.alert.executables_written.filepath | | keyword |
 | crowdstrike.alert.executables_written.timestamp | | date |
@@ -895,7 +909,9 @@ An example event for `alert` looks as following:
 | crowdstrike.alert.grandparent_details.user_id | | keyword |
 | crowdstrike.alert.grandparent_details.user_name | | keyword |
 | crowdstrike.alert.has_script_or_module_ioc | | boolean |
+| crowdstrike.alert.has_truncated_entities | | boolean |
 | crowdstrike.alert.host_name | | keyword |
+| crowdstrike.alert.host_names | | keyword |
 | crowdstrike.alert.host_type | | keyword |
 | crowdstrike.alert.id | | keyword |
 | crowdstrike.alert.idp_policy.enforced_externally | | long |
@@ -930,6 +946,7 @@ An example event for `alert` looks as following:
 | crowdstrike.alert.ldap_search_query_attack | | long |
 | crowdstrike.alert.lead_id | | keyword |
 | crowdstrike.alert.lead_type | | keyword |
+| crowdstrike.alert.linked_case_ids | | keyword |
 | crowdstrike.alert.local_prevalence | | keyword |
 | crowdstrike.alert.local_process_id | | keyword |
 | crowdstrike.alert.location_country_code | | keyword |
@@ -955,6 +972,8 @@ An example event for `alert` looks as following:
 | crowdstrike.alert.network_accesses.remote_port | | long |
 | crowdstrike.alert.objective | | keyword |
 | crowdstrike.alert.operating_system | | keyword |
+| crowdstrike.alert.original_correlation_rules_entities_count | | long |
+| crowdstrike.alert.original_indicator_entities_count | | long |
 | crowdstrike.alert.os_name | | keyword |
 | crowdstrike.alert.overwatch_note | | keyword |
 | crowdstrike.alert.overwatch_note_timestamp | | date |
@@ -1095,6 +1114,15 @@ An example event for `alert` looks as following: | crowdstrike.alert.user_name | | keyword | | crowdstrike.alert.user_names | | keyword | | crowdstrike.alert.user_principal | | keyword | +| crowdstrike.alert.usernames | | keyword | +| crowdstrike.alert.users.aid | | keyword | +| crowdstrike.alert.users.full_name | | keyword | +| crowdstrike.alert.users.full_name_is_enriched | | boolean | +| crowdstrike.alert.users.idp_id | | keyword | +| crowdstrike.alert.users.idp_id_is_enriched | | boolean | +| crowdstrike.alert.users.sid | | keyword | +| crowdstrike.alert.users.user_name | | keyword | +| crowdstrike.alert.vendor_pattern_id | | keyword | | crowdstrike.alert.worker_node_name | | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index bb24ea24f76..2384f798d10 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "3.22.0" +version: "3.23.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.4.0" From 35c30d5c350d4c2adbc6f4be83a0a171a49a52b3 Mon Sep 17 00:00:00 2001 From: Navnit Chauhan Date: Mon, 15 Jun 2026 16:13:01 +0530 Subject: [PATCH 2/4] remove unnecessary null checks in default.yml --- .../alert/elasticsearch/ingest_pipeline/default.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index b984e1a754f..2582a34e0f4 100644 --- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml 
@@ -53,7 +53,7 @@ processors: - pipeline: name: '{{ IngestPipeline "correlation_detection" }}' tag: pipeline_correlation_detection - if: ctx.crowdstrike?.alert?.product == 'ngsiem' && ctx.crowdstrike?.alert?.type == 'correlation-detection' + if: ctx.crowdstrike?.alert?.product == 'ngsiem' && ctx.crowdstrike.alert.type == 'correlation-detection' - set: field: event.category tag: set_event_category_process @@ -1901,7 +1901,7 @@ processors: - script: lang: painless tag: set_event_duration_from_start_and_end - if: ctx.event?.start != null && ctx.event?.end != null + if: ctx.event?.start != null && ctx.event.end != null source: |- def start = ZonedDateTime.parse(ctx.event.start); def end = ZonedDateTime.parse(ctx.event.end); From 2b0fc3de3ef140d1f531d6b16ac145e45a60664c Mon Sep 17 00:00:00 2001 From: Navnit Chauhan Date: Mon, 15 Jun 2026 17:21:32 +0530 Subject: [PATCH 3/4] remove event.category and set event.type: info --- .../test-correlation-detection.log-expected.json | 10 ++-------- .../ingest_pipeline/correlation_detection.yml | 8 ++------ 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json index c2ebbf4cb61..07c1d3a3fb7 100644 --- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json @@ -63,9 +63,6 @@ "version": "8.17.0" }, "event": { - "category": [ - "threat" - ], "duration": 0, "end": "2026-05-26T12:10:17.112Z", "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01", 
@@ -75,7 +72,7 @@ "severity": 21, "start": "2026-05-26T12:10:17.112Z", "type": [ - "indicator" + "info" ], "url": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001" }, @@ -192,9 +189,6 @@ "version": "8.17.0" }, "event": { - "category": [ - "threat" - ], "duration": 0, "end": "2026-06-01T17:22:21.334Z", "id": "ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02", @@ -204,7 +198,7 @@ "severity": 47, "start": "2026-06-01T17:22:21.334Z", "type": [ - "indicator" + "info" ], "url": "https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001" }, diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml index 897f3ca85e2..13c9e8542ae 100644 --- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml @@ -1,14 +1,10 @@ --- description: Pipeline for NG-SIEM correlation-detection alerts. processors: - - append: - field: event.category - tag: append_event_category_threat - value: threat - append: field: event.type - tag: append_event_type_indicator - value: indicator + tag: append_event_type_info + value: info - set: field: message tag: set_message_from_display_name From f38f65a87b601ec9170319e60ceae48b8df96715 Mon Sep 17 00:00:00 2001 
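Review bot: The pipeline's `description:` line, left unchanged in the correlation_detection.yml hunk, does not record why correlation-detection alerts now get `event.type: info` with no `event.category`, which is the question a reader will have given that the first patch assigned `threat` and ECS treats event.type as a refinement of event.category. A sentence appended to the description stating the rationale, along the lines of `description: Pipeline for NG-SIEM correlation-detection alerts. event.category is deliberately left unset and event.type is info because <reason>.`, would make the choice self-documenting; the remainder of the pipeline lies outside this hunk.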
From: Navnit Chauhan Date: Tue, 16 Jun 2026 11:56:14 +0530 Subject: [PATCH 4/4] address PR review feedback for correlation detection --- .../alert/_dev/test/pipeline/test-alert.log | 2 +- .../pipeline/test-alert.log-expected.json | 8 +- ...st-correlation-detection.log-expected.json | 51 ++++++++ .../ingest_pipeline/correlation_detection.yml | 120 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 6 +- 5 files changed, 181 insertions(+), 6 deletions(-) diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log index 5d5ac3066d5..63cacae598e 100644 --- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log 
@@ -1,5 +1,5 @@ {"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4
adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNC
lients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"has_script_or_module_ioc":"true","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"is_synthetic_quarantine_disposition":true,"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","overwatch_note":"Activity Notice: OverWatch has observed 
XYZ","overwatch_note_timestamp":"2025-03-01T15:31:00Z","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b
334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"rule_group_id":"1b27b7f123c44e15a13fe7f44801d123","rule_group_name":"Windows Group","rule_instance_created_by":"myuser@mydomain.com","rule_instance_id":"123","rule_instance_name":"INSTANCE-1","rule_instance_version":"1","scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} 
-{"agent_id":"38293534662e48c99f33c61631b3536d","aggregate_id":"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","cid":"4446934rf3fdb64ec3056ddfb96e","composite_id":"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","confidence":80,"context_timestamp":"2024-08-16T18:43:44.242Z","crawled_timestamp":"2024-08-16T18:49:02.798354466Z","created_timestamp":"2024-08-16T18:45:02.987127397Z","data_domains":["Identity"],"description":"A user denied a policy identity verification request","display_name":"Identity verification 
denied","end_time":"2024-08-16T18:43:44.242Z","falcon_host_link":"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a","id":"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","idp_policy_mfa_factor_type":"32769","idp_policy_mfa_provider":"14","idp_policy_rule_id":"1B82F2DE-2A08-49E0-8F85-AD46996F9A65","idp_policy_rule_name":"admin - RDP Access to TIER-0 Servers","name":"IdpPolicyIdentityVerificationDenied","objective":"Gain Access","pattern_id":51143,"poly_id":"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==","product":"idp","scenario":"suspicious_activity","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":79,"severity_name":"High","show_in_ui":true,"source_account_azure_id":"65ddx-c454-45f9-9034-Fdf34353","source_account_domain":"NET.example.com","source_account_name":"admin.example","source_account_object_sid":"S-14-5424-21-dfaf3-234343-3434-1567733","source_account_sam_account_name":"admin.abcdef","source_account_upn":"admin.abcdef@example.com","source_endpoint_account_object_guid":"E436B3F0-078C-4629-9437-D3E3169147C0","source_endpoint_address_ip4":"81.2.69.144","source_endpoint_host_name":"ABDC454.net.example.com","source_endpoint_ip_address":"81.2.69.144","source_endpoint_sensor_id":"38293534662e48c99f33c61631b3536d","source_products":["Falcon Identity Protection"],"source_vendors":["CrowdStrike"],"start_time":"2024-08-19T18:43:44.242Z","status":"new","tactic":"Credential Access","tactic_id":"TA0006","technique":"Brute 
Force","technique_id":"T1110","tags":["falcon_complete"],"target_account_name":"HFJFJFFFFFFF$","target_endpoint_account_object_guid":"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E","target_endpoint_account_object_sid":"S-1-5-21-746137067-1844237615-1801674531-298236","target_endpoint_host_name":"GH787.net.example.com","target_endpoint_sensor_id":"ac89a368e77a4fa5837b53c7f11fc9e7","timestamp":"2024-08-19T18:44:01.1Z","type":"idp-user-endpoint-app-info","updated_timestamp":"2024-08-19T18:49:02.798344752Z","user_name":"admin.abcdef","activity_browser":"Edge 126.0.0","activity_device":"LAPTOP-AP7299QV","activity_os":"Windows","active_directory_authentication_method":"5","activity_id":"2A8A7C96-0F17-412C-8105-94542784E00D","alert_attributes":"0","location_country_code":"US","location_latitude_as_int":340726,"location_longitude_as_int":-1182610,"model_anomaly_indicators":["ACCOUNT_IMPOSSIBLE_VELOCITY","ENVIRONMENT_UNUSUAL_IP","ENVIRONMENT_UNUSUAL_ISP_DOMAIN","ISP_DATACENTER_CLASSIFICATION"],"ldap_search_query_attack":"16","protocol_anomaly_classification":"1","source_account_object_guid":"9F2CE16C-4A78-42E6-8565-87147707EE79","source_endpoint_account_object_sid":"S-1-5-21-111111111-2222222-1417001333-101158","source_endpoint_ip_reputation":"128","source_ip_isp_classification":"9","source_ip_isp_domain":"sioru.com","target_domain_controller_host_name":"APINTAL19DC01","target_domain_controller_object_guid":"45A24DB7-6CD3-48C5-974F-A97159E7E2B2","target_domain_controller_object_sid":"S-1-5-21-111111111-2222222-1417001333-85512","target_service_access_identifier":"HOST/admin.example.com"} 
+{"agent_id":"38293534662e48c99f33c61631b3536d","aggregate_id":"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","cid":"4446934rf3fdb64ec3056ddfb96e","composite_id":"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","confidence":80,"context_timestamp":"2024-08-16T18:43:44.242Z","crawled_timestamp":"2024-08-16T18:49:02.798354466Z","created_timestamp":"2024-08-16T18:45:02.987127397Z","data_domains":["Identity"],"description":"A user denied a policy identity verification request","display_name":"Identity verification denied","end_time":"2024-08-16T18:43:44.242Z","falcon_host_link":"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a","id":"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","idp_policy_mfa_factor_type":"32769","idp_policy_mfa_provider":"14","idp_policy_rule_id":"1B82F2DE-2A08-49E0-8F85-AD46996F9A65","idp_policy_rule_name":"admin - RDP Access to TIER-0 Servers","name":"IdpPolicyIdentityVerificationDenied","objective":"Gain 
Access","pattern_id":51143,"poly_id":"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==","product":"idp","scenario":"suspicious_activity","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":79,"severity_name":"High","show_in_ui":true,"source_account_azure_id":"65ddx-c454-45f9-9034-Fdf34353","source_account_domain":"NET.example.com","source_account_name":"admin.example","source_account_object_sid":"S-14-5424-21-dfaf3-234343-3434-1567733","source_account_sam_account_name":"admin.abcdef","source_account_upn":"admin.abcdef@example.com","source_endpoint_account_object_guid":"E436B3F0-078C-4629-9437-D3E3169147C0","source_endpoint_address_ip4":"81.2.69.144","source_endpoint_host_name":"ABDC454.net.example.com","source_endpoint_ip_address":"81.2.69.144","source_endpoint_sensor_id":"38293534662e48c99f33c61631b3536d","source_products":["Falcon Identity Protection"],"source_vendors":["CrowdStrike"],"start_time":"2024-08-16T18:43:44.242Z","status":"new","tactic":"Credential Access","tactic_id":"TA0006","technique":"Brute Force","technique_id":"T1110","tags":["falcon_complete"],"target_account_name":"HFJFJFFFFFFF$","target_endpoint_account_object_guid":"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E","target_endpoint_account_object_sid":"S-1-5-21-746137067-1844237615-1801674531-298236","target_endpoint_host_name":"GH787.net.example.com","target_endpoint_sensor_id":"ac89a368e77a4fa5837b53c7f11fc9e7","timestamp":"2024-08-19T18:44:01.1Z","type":"idp-user-endpoint-app-info","updated_timestamp":"2024-08-19T18:49:02.798344752Z","user_name":"admin.abcdef","activity_browser":"Edge 
126.0.0","activity_device":"LAPTOP-AP7299QV","activity_os":"Windows","active_directory_authentication_method":"5","activity_id":"2A8A7C96-0F17-412C-8105-94542784E00D","alert_attributes":"0","location_country_code":"US","location_latitude_as_int":340726,"location_longitude_as_int":-1182610,"model_anomaly_indicators":["ACCOUNT_IMPOSSIBLE_VELOCITY","ENVIRONMENT_UNUSUAL_IP","ENVIRONMENT_UNUSUAL_ISP_DOMAIN","ISP_DATACENTER_CLASSIFICATION"],"ldap_search_query_attack":"16","protocol_anomaly_classification":"1","source_account_object_guid":"9F2CE16C-4A78-42E6-8565-87147707EE79","source_endpoint_account_object_sid":"S-1-5-21-111111111-2222222-1417001333-101158","source_endpoint_ip_reputation":"128","source_ip_isp_classification":"9","source_ip_isp_domain":"sioru.com","target_domain_controller_host_name":"APINTAL19DC01","target_domain_controller_object_guid":"45A24DB7-6CD3-48C5-974F-A97159E7E2B2","target_domain_controller_object_sid":"S-1-5-21-111111111-2222222-1417001333-85512","target_service_access_identifier":"HOST/admin.example.com"} 
{"aggregate_id":"aggind:4444934rf3fdb64ec2059dmmb96e:5876E98M-F91K-48AW-8FFC-1191C663A1E9","agent_id":"58293534772e48c99f33c61631b3536d","cid":"4446934rf3fdb64ec3056ddfb96e","context_timestamp":"2024-08-19T18:43:44.242Z","composite_id":"874594c2ff8c23fdf64ef3086ddfb03e:ind:4441934rf3mmb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","crawled_timestamp":"2024-08-19T18:49:02.798354466Z","created_timestamp":"2024-08-19T18:45:02.987127397Z","data_domains":["Identity"],"description":"Auserdeniedapolicyidentityverificationrequest","display_name":"Identityverificationdenied","end_time":"2024-08-19T18:43:44.242Z","falcon_host_link":"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a","id":"ind:4446934rf3fdb64ec3056ddfb96e:87934F-M00B-48CC-0AAC-dfafd3429","idp_policy_mfa_factor_type":"42669","idp_policy_mfa_provider":"11","idp_policy_rule_id":"123324-343-4dfa9E0-8F85-dfaa3242","idp_policy_rule_name":"admin-RDPAccesstoTIER-0Servers","name":"IdpPolicyIdentityVerificationDenied","objective":"GainAccess","pattern_id":45897,"poly_id":"MJdfafdB3RpTC74xD_bZOwwVt37erewrewdWwicqVJrn1DHb_UVfrn1QTiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==","product":"idp","scenario":"suspicious_activity","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":79,"severity_name":"Medium","show_in_ui":true,"source_account_azure_id":"65ddx-c454-324d-9034-Fdf34353","source_account_domain":"BCD.example.com","source_account_name":"admin.example","source_account_object_sid":"S-14-5424-21-dfaf3-234343-3434-1117733","source_account_sam_account_name":"admin.abcdef","source_account_upn":"admin.abcdef@example.com","source_endpoint_account_object_guid":"FDHJJ343-098C-4629-9437-DD3424GHJ","source_endpoint_address_ip4":"81.2.69.144","source_endpoint_host_name":"ABDC454.net.example.com","source_endpoint_ip_address":"81.2.69.144","source_endpoint_sensor_id":"38
293523261gh48c99ffd234c6190123536e","source_products":["FalconIdentityProtection"],"source_vendors":["CrowdStrike"],"start_time":"2024-08-19T18:43:44.242Z","status":"new","tactic":"CredentialAccess","tactic_id":"TA0006","technique":"BruteForce","technique_id":"T1110","tags":["falcon_complete"],"target_account_name":"HFJFJFFFFFFF$","target_endpoint_account_object_guid":"AAAAAAAA-0000-FFFFF-000000-A302EFCC8M4536","target_endpoint_account_object_sid":"S-1-5-21-HG43242JJ-1844237615-18dfa1674531-298236","target_endpoint_host_name":"GH787.abc.example.com","target_endpoint_sensor_id":"afdsasf3423432nndv3432v","timestamp":"2024-08-19T18:44:01.1Z","type":"idp-user-endpoint-app-info","updated_timestamp":"2024-08-19T18:49:02.798344752Z","user_name":"admin.abcdef","activity_browser":"Edge126.0.0","activity_device":"LAPTOP-ADFVEJM234V","activity_os":"Windows","active_directory_authentication_method":"4","activity_id":"3A7H7C00-FFF2344-23FFFF-9199905-91245754E10099D","alert_attributes":"0","location_country_code":"US","location_latitude_as_int":320316,"location_longitude_as_int":-12729080,"model_anomaly_indicators":["ACCOUNT_IMPOSSIBLE_VELOCITY","ENVIRONMENT_UNUSUAL_IP","ENVIRONMENT_UNUSUAL_ISP_DOMAIN","ISP_DATACENTER_CLASSIFICATION"],"ldap_search_query_attack":"16","protocol_anomaly_classification":"1","source_account_object_guid":"78HF9842-HGG5-324F-9565-GJD47324","source_endpoint_account_object_sid":"S-1-4-21-111111111-2222222-14171121333-1045999","source_endpoint_ip_reputation":"118","source_ip_isp_classification":"8","source_ip_isp_domain":"abc.com","target_domain_controller_host_name":"GHPOTAL12578","target_domain_controller_object_guid":"59B24AA7-4GH8-f7H0-994F-B90159E7M2K1","target_domain_controller_object_sid":"S-2-8-21-333333-2222222-3431-95511","target_service_access_identifier":"HOST/root.demo.com"} 
{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4b
:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T
120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":
"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_p
roducts":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} 
{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c5
4dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Si
te-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"local_process_id":"1707
6","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\
Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} 
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
index 6345322d02c..f3defee8d37 100644 
--- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
@@ -433,7 +433,7 @@ 
"source_vendors": [ 
"CrowdStrike" 
], 
- "start_time": "2024-08-19T18:43:44.242Z", 
+ "start_time": "2024-08-16T18:43:44.242Z", 
"status": "new", 
"tactic": "Credential Access", 
"tactic_id": "TA0006", 
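Review bot: The new `"start_time": "2024-08-16T18:43:44.242Z"` expectation only holds because the preceding fixture hunk (the `.log` file, whose header is outside this chunk) moved the record's `start_time` back to equal its `end_time`, so the suite no longer contains an input where `end_time` precedes `start_time`; the next hunk shows what that case used to produce, `"duration": -259200000000000`. Vendor `start_time` and `end_time` are independent fields, so an out-of-order pair can still arrive from the API, and whatever derives `event.duration` (not in this chunk, presumably a processor in the alert pipeline) would then index a negative duration with nothing to flag it. Rather than making the fixture self-consistent, I'd keep one record with `end_time` earlier than `start_time` and pin the intended behaviour for it here — either `event.duration` omitted or the document tagged — so a regression in that guard is caught by this expected file.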
@@ -470,13 +470,13 @@ "version": "8.17.0" }, "event": { - "duration": -259200000000000, + "duration": 0, "end": "2024-08-16T18:43:44.242Z", "id": "ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9", "kind": "alert", - "original": "{\"agent_id\":\"38293534662e48c99f33c61631b3536d\",\"aggregate_id\":\"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"cid\":\"4446934rf3fdb64ec3056ddfb96e\",\"composite_id\":\"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"confidence\":80,\"context_timestamp\":\"2024-08-16T18:43:44.242Z\",\"crawled_timestamp\":\"2024-08-16T18:49:02.798354466Z\",\"created_timestamp\":\"2024-08-16T18:45:02.987127397Z\",\"data_domains\":[\"Identity\"],\"description\":\"A user denied a policy identity verification request\",\"display_name\":\"Identity verification denied\",\"end_time\":\"2024-08-16T18:43:44.242Z\",\"falcon_host_link\":\"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a\",\"id\":\"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"idp_policy_mfa_factor_type\":\"32769\",\"idp_policy_mfa_provider\":\"14\",\"idp_policy_rule_id\":\"1B82F2DE-2A08-49E0-8F85-AD46996F9A65\",\"idp_policy_rule_name\":\"admin - RDP Access to TIER-0 Servers\",\"name\":\"IdpPolicyIdentityVerificationDenied\",\"objective\":\"Gain 
Access\",\"pattern_id\":51143,\"poly_id\":\"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==\",\"product\":\"idp\",\"scenario\":\"suspicious_activity\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":0,\"severity\":79,\"severity_name\":\"High\",\"show_in_ui\":true,\"source_account_azure_id\":\"65ddx-c454-45f9-9034-Fdf34353\",\"source_account_domain\":\"NET.example.com\",\"source_account_name\":\"admin.example\",\"source_account_object_sid\":\"S-14-5424-21-dfaf3-234343-3434-1567733\",\"source_account_sam_account_name\":\"admin.abcdef\",\"source_account_upn\":\"admin.abcdef@example.com\",\"source_endpoint_account_object_guid\":\"E436B3F0-078C-4629-9437-D3E3169147C0\",\"source_endpoint_address_ip4\":\"81.2.69.144\",\"source_endpoint_host_name\":\"ABDC454.net.example.com\",\"source_endpoint_ip_address\":\"81.2.69.144\",\"source_endpoint_sensor_id\":\"38293534662e48c99f33c61631b3536d\",\"source_products\":[\"Falcon Identity Protection\"],\"source_vendors\":[\"CrowdStrike\"],\"start_time\":\"2024-08-19T18:43:44.242Z\",\"status\":\"new\",\"tactic\":\"Credential Access\",\"tactic_id\":\"TA0006\",\"technique\":\"Brute Force\",\"technique_id\":\"T1110\",\"tags\":[\"falcon_complete\"],\"target_account_name\":\"HFJFJFFFFFFF$\",\"target_endpoint_account_object_guid\":\"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E\",\"target_endpoint_account_object_sid\":\"S-1-5-21-746137067-1844237615-1801674531-298236\",\"target_endpoint_host_name\":\"GH787.net.example.com\",\"target_endpoint_sensor_id\":\"ac89a368e77a4fa5837b53c7f11fc9e7\",\"timestamp\":\"2024-08-19T18:44:01.1Z\",\"type\":\"idp-user-endpoint-app-info\",\"updated_timestamp\":\"2024-08-19T18:49:02.798344752Z\",\"user_name\":\"admin.abcdef\",\"activity_browser\":\"Edge 
126.0.0\",\"activity_device\":\"LAPTOP-AP7299QV\",\"activity_os\":\"Windows\",\"active_directory_authentication_method\":\"5\",\"activity_id\":\"2A8A7C96-0F17-412C-8105-94542784E00D\",\"alert_attributes\":\"0\",\"location_country_code\":\"US\",\"location_latitude_as_int\":340726,\"location_longitude_as_int\":-1182610,\"model_anomaly_indicators\":[\"ACCOUNT_IMPOSSIBLE_VELOCITY\",\"ENVIRONMENT_UNUSUAL_IP\",\"ENVIRONMENT_UNUSUAL_ISP_DOMAIN\",\"ISP_DATACENTER_CLASSIFICATION\"],\"ldap_search_query_attack\":\"16\",\"protocol_anomaly_classification\":\"1\",\"source_account_object_guid\":\"9F2CE16C-4A78-42E6-8565-87147707EE79\",\"source_endpoint_account_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-101158\",\"source_endpoint_ip_reputation\":\"128\",\"source_ip_isp_classification\":\"9\",\"source_ip_isp_domain\":\"sioru.com\",\"target_domain_controller_host_name\":\"APINTAL19DC01\",\"target_domain_controller_object_guid\":\"45A24DB7-6CD3-48C5-974F-A97159E7E2B2\",\"target_domain_controller_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-85512\",\"target_service_access_identifier\":\"HOST/admin.example.com\"}", + "original": "{\"agent_id\":\"38293534662e48c99f33c61631b3536d\",\"aggregate_id\":\"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"cid\":\"4446934rf3fdb64ec3056ddfb96e\",\"composite_id\":\"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"confidence\":80,\"context_timestamp\":\"2024-08-16T18:43:44.242Z\",\"crawled_timestamp\":\"2024-08-16T18:49:02.798354466Z\",\"created_timestamp\":\"2024-08-16T18:45:02.987127397Z\",\"data_domains\":[\"Identity\"],\"description\":\"A user denied a policy identity verification request\",\"display_name\":\"Identity verification 
denied\",\"end_time\":\"2024-08-16T18:43:44.242Z\",\"falcon_host_link\":\"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a\",\"id\":\"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"idp_policy_mfa_factor_type\":\"32769\",\"idp_policy_mfa_provider\":\"14\",\"idp_policy_rule_id\":\"1B82F2DE-2A08-49E0-8F85-AD46996F9A65\",\"idp_policy_rule_name\":\"admin - RDP Access to TIER-0 Servers\",\"name\":\"IdpPolicyIdentityVerificationDenied\",\"objective\":\"Gain Access\",\"pattern_id\":51143,\"poly_id\":\"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==\",\"product\":\"idp\",\"scenario\":\"suspicious_activity\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":0,\"severity\":79,\"severity_name\":\"High\",\"show_in_ui\":true,\"source_account_azure_id\":\"65ddx-c454-45f9-9034-Fdf34353\",\"source_account_domain\":\"NET.example.com\",\"source_account_name\":\"admin.example\",\"source_account_object_sid\":\"S-14-5424-21-dfaf3-234343-3434-1567733\",\"source_account_sam_account_name\":\"admin.abcdef\",\"source_account_upn\":\"admin.abcdef@example.com\",\"source_endpoint_account_object_guid\":\"E436B3F0-078C-4629-9437-D3E3169147C0\",\"source_endpoint_address_ip4\":\"81.2.69.144\",\"source_endpoint_host_name\":\"ABDC454.net.example.com\",\"source_endpoint_ip_address\":\"81.2.69.144\",\"source_endpoint_sensor_id\":\"38293534662e48c99f33c61631b3536d\",\"source_products\":[\"Falcon Identity Protection\"],\"source_vendors\":[\"CrowdStrike\"],\"start_time\":\"2024-08-16T18:43:44.242Z\",\"status\":\"new\",\"tactic\":\"Credential Access\",\"tactic_id\":\"TA0006\",\"technique\":\"Brute 
Force\",\"technique_id\":\"T1110\",\"tags\":[\"falcon_complete\"],\"target_account_name\":\"HFJFJFFFFFFF$\",\"target_endpoint_account_object_guid\":\"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E\",\"target_endpoint_account_object_sid\":\"S-1-5-21-746137067-1844237615-1801674531-298236\",\"target_endpoint_host_name\":\"GH787.net.example.com\",\"target_endpoint_sensor_id\":\"ac89a368e77a4fa5837b53c7f11fc9e7\",\"timestamp\":\"2024-08-19T18:44:01.1Z\",\"type\":\"idp-user-endpoint-app-info\",\"updated_timestamp\":\"2024-08-19T18:49:02.798344752Z\",\"user_name\":\"admin.abcdef\",\"activity_browser\":\"Edge 126.0.0\",\"activity_device\":\"LAPTOP-AP7299QV\",\"activity_os\":\"Windows\",\"active_directory_authentication_method\":\"5\",\"activity_id\":\"2A8A7C96-0F17-412C-8105-94542784E00D\",\"alert_attributes\":\"0\",\"location_country_code\":\"US\",\"location_latitude_as_int\":340726,\"location_longitude_as_int\":-1182610,\"model_anomaly_indicators\":[\"ACCOUNT_IMPOSSIBLE_VELOCITY\",\"ENVIRONMENT_UNUSUAL_IP\",\"ENVIRONMENT_UNUSUAL_ISP_DOMAIN\",\"ISP_DATACENTER_CLASSIFICATION\"],\"ldap_search_query_attack\":\"16\",\"protocol_anomaly_classification\":\"1\",\"source_account_object_guid\":\"9F2CE16C-4A78-42E6-8565-87147707EE79\",\"source_endpoint_account_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-101158\",\"source_endpoint_ip_reputation\":\"128\",\"source_ip_isp_classification\":\"9\",\"source_ip_isp_domain\":\"sioru.com\",\"target_domain_controller_host_name\":\"APINTAL19DC01\",\"target_domain_controller_object_guid\":\"45A24DB7-6CD3-48C5-974F-A97159E7E2B2\",\"target_domain_controller_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-85512\",\"target_service_access_identifier\":\"HOST/admin.example.com\"}", "severity": 73, - "start": "2024-08-19T18:43:44.242Z" + "start": "2024-08-16T18:43:44.242Z" }, "host": { "id": "38293534662e48c99f33c61631b3536d" 
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json index 07c1d3a3fb7..f6c0f7c86c3 100644 --- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log-expected.json @@ -83,12 +83,37 @@ ], "ip": [ "198.51.100.10" + ], + "user": [ + "user@example.com" ] }, "rule": { "id": "019a06bf00e67be489340eca8c435140", "name": "UC1-InboundThreatDetection(GreyNoiseEnriched)" }, + "source": { + "as": { + "number": 64501, + "organization": { + "name": "Documentation ASN" + } + }, + "domain": "censys.io", + "geo": { + "city_name": "Amsterdam", + "continent_name": "Europe", + "country_iso_code": "NL", + "country_name": "Netherlands", + "location": { + "lat": 52.37404, + "lon": 4.88969 + }, + "region_iso_code": "NL-NH", + "region_name": "North Holland" + }, + "ip": "198.51.100.10" + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" @@ -185,6 +210,9 @@ "vendor_pattern_id": "100012" } }, + "destination": { + "domain": "host-nas-01.example.local" + }, "ecs": { "version": "8.17.0" }, @@ -216,6 +244,7 @@ "198.51.100.11" ], "user": [ + "admin@example.org", "example-user" ] }, @@ -223,6 +252,28 @@ "id": "019b830f23e07c6d8f1809baceb9ccb9", "name": "POCdomainparsingforcase" }, + "source": { + "as": { + "number": 64501, + "organization": { + "name": "Documentation ASN" + } + }, + "domain": "slack.com", + "geo": { + "city_name": "Amsterdam", + "continent_name": "Europe", + "country_iso_code": "NL", + "country_name": "Netherlands", + "location": { + "lat": 52.37404, + "lon": 4.88969 + }, + "region_iso_code": "NL-NH", + "region_name": "North Holland" + }, + "ip": "198.51.100.11" + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" 
diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml index 13c9e8542ae..52e1760e937 100644 --- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/correlation_detection.yml 
@@ -192,6 +192,72 @@ processors: tag: append_related_hosts_from_destination_hosts value: '{{{_ingest._value}}}' allow_duplicates: false + - script: + lang: painless + tag: set_source_domain_from_first_source_host + if: ctx.crowdstrike?.alert?.source_hosts instanceof List && !ctx.crowdstrike.alert.source_hosts.isEmpty() + source: |- + ctx.source = ctx.source ?: [:]; + if (ctx.source.domain == null || ctx.source.domain == '') { + ctx.source.domain = ctx.crowdstrike.alert.source_hosts[0]; + } + - script: + lang: painless + tag: set_destination_domain_from_first_destination_host + if: ctx.crowdstrike?.alert?.destination_hosts instanceof List && !ctx.crowdstrike.alert.destination_hosts.isEmpty() + source: |- + ctx.destination = ctx.destination ?: [:]; + if (ctx.destination.domain == null || ctx.destination.domain == '') { + ctx.destination.domain = ctx.crowdstrike.alert.destination_hosts[0]; + } + - foreach: + field: crowdstrike.alert.source_ips + tag: foreach_source_ips_convert_to_ip + if: ctx.crowdstrike?.alert?.source_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_source_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - script: + lang: painless + tag: set_source_ip_from_first_source_ip + if: ctx.crowdstrike?.alert?.source_ips instanceof List && !ctx.crowdstrike.alert.source_ips.isEmpty() + source: |- + ctx.source = ctx.source ?: [:]; + if (ctx.source.ip == null || ctx.source.ip == '') { + ctx.source.ip = ctx.crowdstrike.alert.source_ips[0]; + } + - geoip: + tag: geoip_source_ip_to_source_geo_da2e41b2 + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + tag: geoip_source_ip_to_source_as_28d69883 + database_file: GeoLite2-ASN.mmdb + 
field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + tag: rename_source_as_asn_to_source_as_number_a917047d + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + tag: rename_source_as_organization_name_to_source_as_organization_name_f1362d0b + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - foreach: field: crowdstrike.alert.source_ips tag: foreach_source_ips_related_ip 
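Review bot: `set_source_ip_from_first_source_ip` copies `crowdstrike.alert.source_ips[0]` into `source.ip` without checking that the preceding `convert` succeeded — on a failed conversion the inner on_failure only appends to `error.message` and the original string stays in the list — and the two `geoip` processors that follow carry no `on_failure` or `ignore_failure`, so as far as I can tell a malformed first entry would fail the whole document instead of merely losing enrichment; worth confirming against the pipeline's top-level error handling. The `@@ -202` hunk for `destination_ips`/`destination.ip` has the same shape. Giving the geoip processors the same append-to-`error.message` `on_failure` handler the convert already uses would keep the document and record the problem consistently with the rest of the file. Picking element 0 is also an undocumented choice; a comment such as `# Correlation alerts can carry several source IPs/hosts; ECS source.* takes the first entry, the full lists remain in related.* and crowdstrike.alert.*` above the script would help the next maintainer.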
@@ -202,6 +268,54 @@ processors: tag: append_related_ip_from_source_ips value: '{{{_ingest._value}}}' allow_duplicates: false + - foreach: + field: crowdstrike.alert.destination_ips + tag: foreach_destination_ips_convert_to_ip + if: ctx.crowdstrike?.alert?.destination_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_destination_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - script: + lang: painless + tag: set_destination_ip_from_first_destination_ip + if: ctx.crowdstrike?.alert?.destination_ips instanceof List && !ctx.crowdstrike.alert.destination_ips.isEmpty() + source: |- + ctx.destination = ctx.destination ?: [:]; + if (ctx.destination.ip == null || ctx.destination.ip == '') { + ctx.destination.ip = ctx.crowdstrike.alert.destination_ips[0]; + } + - geoip: + tag: geoip_destination_ip_to_destination_geo_ab5e2968 + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + tag: geoip_destination_ip_to_destination_as_8a007787 + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + tag: rename_destination_as_asn_to_destination_as_number_3b459fcd + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + tag: rename_destination_as_organization_name_to_destination_as_organization_name_814bd459 + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true - foreach: field: crowdstrike.alert.destination_ips tag: foreach_destination_ips_related_ip 
@@ -212,6 +326,12 @@ processors: tag: append_related_ip_from_destination_ips value: '{{{_ingest._value}}}' allow_duplicates: false + - append: + field: related.user + tag: append_related_user_from_correlation_rule_user_id + value: '{{{crowdstrike.alert.correlation_rule_user_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.correlation_rule_user_id != null && ctx.crowdstrike.alert.correlation_rule_user_id != '' - script: lang: painless tag: set_user_name_from_first_user_name diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 2582a34e0f4..0a6c2030688 100644 --- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -1905,9 +1905,13 @@ processors: source: |- def start = ZonedDateTime.parse(ctx.event.start); def end = ZonedDateTime.parse(ctx.event.end); - ctx.event.duration = ChronoUnit.NANOS.between(start, end); + def duration = ChronoUnit.NANOS.between(start, end); + if (duration >= 0) { + ctx.event.duration = duration; + } on_failure: - append: + tag: append_error_message_08a132e3 field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append:
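Review bot: Appending `crowdstrike.alert.correlation_rule_user_id` to `related.user` assumes that value names an entity involved in the detected activity; if, as the field name suggests, it identifies the user who owns or authored the correlation rule, this mixes analyst accounts into `related.user` and distorts any pivot or entity analytics built on that field (the fixture now lists `user@example.com` beside `example-user`). Please confirm the semantics against the vendor schema; if it is the rule owner, `rule.author` is the ECS field for it and the append should go. Either way a one-line comment above the processor stating what the id represents would spare the next reader the same question.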
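Review bot: The new `if (duration >= 0)` guard silently drops `event.duration` when `event.end` precedes `event.start`, and the only fixture that exercised that case (`test-alert.log`, whose start_time 2024-08-19 ran past its end_time 2024-08-16) is rewritten in this same patch to start == end, so the negative branch is no longer covered by any pipeline test. Keep one fixture with end earlier than start and assert that `event.duration` is absent, or the guard can regress unnoticed. A comment such as `# Vendor start/end can be out of order; a negative span is not a valid event.duration, so leave the field unset rather than index a negative value.` above the check would also record why the value is dropped rather than clamped. The script and its enclosing processor start outside the hunk.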