Commit 7cf9641

bpluta-splunk, patel-bhavin, ljstella authored

updated SPL based on new raw events (#3898)

* updated SPL based on new raw events
* updating dataset link and data source file

Co-authored-by: Bhavin Patel <bpatel@splunk.com>
Co-authored-by: Lou Stella <ljstella@gmail.com>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
1 parent d13e377 commit 7cf9641

2 files changed

+18
-17
lines changed

data_sources/crowdstrike_falcon_stream_alert.yml

Lines changed: 1 addition & 1 deletion
@@ -147,7 +147,7 @@ output_fields:
147147
- user
148148
- process
149149
- file_name
150-
- DetectName
150+
- Name
151151
example_log: |
152152
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 12570031, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1748883058001, "version": "1.0"}, "event": {"ProcessStartTime": 1748883033, "ProcessEndTime": 1748883033, "ProcessId": 25482595567828, "ParentProcessId": 25482588177316, "ComputerName": "CROWDFAL1", "UserName": "Administrator", "DetectName": "Suspicious Activity", "DetectDescription": "For evaluation only - benign, no action needed.", "Severity": 2, "SeverityName": "Low", "FileName": "choice.exe", "FilePath": "\\Device\\HarddiskVolume2\\Windows\\System32", "CommandLine": "choice /m crowdstrike_sample_detection", "SHA256String": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5String": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SHA1String": "0000000000000000000000000000000000000000", "MachineDomain": "CROWDFAL1", "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/12e75112bdc44ac7a60b5ad1d2765303/10907785292170?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "SensorId": "12e75112bdc44ac7a60b5ad1d2765303", "DetectId": "ldt:12e75112bdc44ac7a60b5ad1d2765303:10907785292170", "LocalIP": "10.1.17.3", "MACAddress": "00-50-56-aa-64-1f", "Tactic": "Malware", "Technique": "Malicious File", "Objective": "Falcon Detection Method", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, 
"SuspendParent": false}, "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", "ParentCommandLine": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"\"C:\\CS_Script.bat\"\"", "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "GrandparentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "HostGroups": "0ebde3fe33d547fc9bbe24f50be44da8,fd63f5073f644377a8150e9c1e5a86d0", "PatternId": 10197}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.5.0", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
153153
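Review bot: the example_log kept at line 152 still has the old event shape (metadata.eventType DetectionSummaryEvent, a DetectName field, ComputerName), while output_fields on line 150 now advertises Name in place of DetectName, so the data source documents a field its own sample event does not carry. Replace the example with one of the new raw events this commit is written against, so that Name and the other fields listed in output_fields actually appear in the sample.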

detections/endpoint/crowdstrike_falcon_stream_alerts.yml

Lines changed: 17 additions & 16 deletions
@@ -1,38 +1,39 @@
11
name: CrowdStrike Falcon Stream Alerts
22
id: cb6af2b3-29ab-441c-8d8d-679811c8b014
3-
version: 1
4-
date: '2025-05-12'
3+
version: 2
4+
date: '2026-02-06'
55
author: Bryan Pluta, Teoderick Contreras, Splunk
66
status: production
77
type: Anomaly
88
data_source:
99
- CrowdStrike Falcon Stream Alert
1010
description: The following analytic is to leverage alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and Crowdstrike id and links. The evals in the search do multiple things to include align the severity, ensure the user, dest, title, description, MITRE fields are set properly, and the drilldowns are defined based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensure the appropriate risk and analyst queue fields are correctly populated.
1111
search: |
12-
`crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
12+
`crowdstrike_stream` metadata.eventType IN (XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent)
1313
| rename event.* as *
14-
| eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
14+
| eval risk_score=case(Severity<20, 0, Severity<40 AND Severity>=20, 25, Severity<60 AND Severity>=40, 100, Severity<80 AND Severity>=60, 250, Severity>=80, 500)
1515
| eval user=coalesce(lower(SourceAccountName),lower(UserName))
16-
| eval dest=coalesce(ComputerName,SourceEndpointHostName)
17-
| eval mitre_technique = case(!match(DetectName, "(NGAV|Intel Detection)"), Technique)
16+
| eval dest=coalesce(HostNames,SourceEndpointHostName)
17+
| eval mitre_technique = case(!match(Name, "(NGAV
18+
|Intel Detection)"), Technique)
1819
| join type=left mitre_technique
19-
[| inputlookup append=t mitre_attack_lookup
20-
| fields mitre_technique mitre_technique_id ]
20+
[| inputlookup append=t mitre_attack_lookup
21+
| fields mitre_technique mitre_technique_id ]
2122
| eval annotations.mitre_attack = mitre_technique_id
2223
| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
23-
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
24-
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
24+
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.HostNames=" + $HostNames$ +"*"),"")
25+
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $HostNames$ +"*"),"")
2526
| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
2627
| rename "metadata.eventType" as eventType
27-
| eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
28+
| eval title = case(Name=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),Name=="Intel Detection", ("RR - CS - " + Name),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + Name + " - " + Technique) )
2829
| eval user_append = if(NOT isnull(user)," by " + user,"")
2930
| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
30-
| eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
31+
| eval description = case(Name=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + Name),Name=="Intel Detection", ("CS " + Name + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
3132
| eval description = description + user_append + dest_append
32-
| eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
33+
| eval gid=id, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
3334
| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
34-
| rename DetectId as detection_id, FalconHostLink as detection_url
35-
| table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
35+
| rename id as detection_id, FalconHostLink as detection_url
36+
| table _time source detection_id detection_url title risk_score description Severity severity HostNames dest Tactic Technique user UserName Objective Name DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
3637
| `crowdstrike_falcon_stream_alerts_filter`
3738
how_to_implement: In order to properly run this search, you need to ingest alerts data from CrowdStrike Event Stream, specifcally using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on will collect alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the `crowdstrike_stream` macro to point to the proper index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
3839
known_false_positives: False positives may vary based on Crowdstrike configuration; monitor and filter out the alerts that are not relevant to your environment.
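Review bot: the regex on new lines 17 and 18 is split across a line break, `"(NGAV` on one line and `|Intel Detection)"` on the next; because `search: |` is a YAML literal block scalar the newline is preserved inside the quoted pattern, so the first alternative becomes `NGAV` followed by a newline and the `Name=="NGAV"` events are no longer excluded from mitre_technique. Restore it to one line as on the removed line 17: `| eval mitre_technique = case(!match(Name, "(NGAV|Intel Detection)"), Technique)`. Two smaller points: in the new risk_score the `AND Severity>=20` style lower bounds are redundant, since case() returns the first branch whose condition is true, so `case(Severity<20, 0, Severity<40, 25, Severity<60, 100, Severity<80, 250, Severity>=80, 500)` reads the same; and the table on new line 36 still emits the lowercase `severity` field that the removed risk_score consumed but the updated search no longer references.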
@@ -89,6 +90,6 @@ tags:
8990
tests:
9091
- name: True Positive Test
9192
attack_data:
92-
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.log
93+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_2.log
9394
source: CrowdStrike:Event:Streams
9495
sourcetype: CrowdStrike:Event:Streams:JSON
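Review bot: the attack_data entry is swapped for stream_events_2.log while the test name, source and sourcetype are unchanged; since the search this test exercises now filters on XdrDetectionSummaryEvent, IdpDetectionSummaryEvent and EppDetectionSummaryEvent and reads Name, HostNames, id and a numeric Severity, confirm the new log contains events of those types with those fields, otherwise the True Positive Test passes or fails for reasons unrelated to the SPL change. If the earlier DetectionSummaryEvent format is still emitted anywhere, keep stream_events.log as a second attack_data entry rather than replacing it.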
