added "Crowdstrike.EppDetectionSummary"
ben-githubs committed Dec 3, 2024
1 parent f1eee0c commit 914ad2f
Showing 3 changed files with 388 additions and 0 deletions.
1 change: 1 addition & 0 deletions packs/crowdstrike_event_streams.yml
Expand Up @@ -9,6 +9,7 @@ PackDefinition:
- Crowdstrike.AllowlistRemoved
- Crowdstrike.API.Key.Created
- Crowdstrike.API.Key.Deleted
- Crowdstrike.EppDetectionSummary
- Crowdstrike.EphemeralUserAccount
- Crowdstrike.IpAllowlistChanged
- Crowdstrike.NewAdminUserCreated
@@ -0,0 +1,42 @@
from panther_crowdstrike_event_streams_helpers import cs_alert_context


def rule(event):
return event.deep_get("metadata", "eventType") == "EppDetectionSummaryEvent"


def title(event):
alert_title = event.deep_get("event", "Name", default="New CrowdStrike Detection")
alert_desc = event.deep_get("event", "Description")
return f"{alert_title}: {alert_desc}" if alert_desc else alert_title


def dedup(event):
if alert_id := event.deep_get("event", "CompositeId"):
return alert_id
# Else, fall back on title string
return title(event)


def severity(event):
# First, try returning the severity based on the SeverityName
sevname = event.deep_get("event", "SeverityName").upper()
allowed_values = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")
if sevname == "INFORMATIONAL":
sevname = "INFO"
if sevname in allowed_values:
return sevname

# Else, fallback on the numerical value, falling back on MEDIUM if we still don't have a value
sevval = event.deep_get("event", "Severity") // 20
return {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL", 5: "CRITICAL"}.get(
sevval, "MEDIUM"
)


def alert_context(event):
context = cs_alert_context(event)
context.update(
{"FalconLink": event.deep_get("event", "FalconHostLink", default="<NO LINK PROVIDED>")}
)
return context
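Review bot: `severity()` raises instead of falling back when the event lacks the field it is guarding against: `event.deep_get("event", "SeverityName").upper()` calls `.upper()` on `None` when `SeverityName` is absent, so the numeric fallback on the `Severity // 20` line is unreachable in exactly the case it was written for, and that line itself raises `TypeError` if `Severity` is also missing. In a detection-forwarding rule a runtime error means a real CrowdStrike detection produces a rule error rather than an alert, which is a detection gap. I would change the two lookups to `sevname = str(event.deep_get("event", "SeverityName", default="")).upper()` and `sevval = event.deep_get("event", "Severity", default=50) // 20` so an absent name takes the numeric path and an absent number lands on the `MEDIUM` default the comment promises. Separately, `dedup()` falling back to `title()` when `CompositeId` is missing would collapse same-named detections from different hosts into one alert for the 60-minute dedup window; if that field is ever absent, adding a host identifier such as `LocalIP` to the fallback key would keep per-host detections distinct.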
@@ -0,0 +1,345 @@
AnalysisType: rule
Filename: crowdstrike_detection_summary.py
RuleID: "Crowdstrike.EppDetectionSummary"
DisplayName: "Crowdstrike Detection Summary"
Enabled: true
LogTypes:
- Crowdstrike.EventStreams
Severity: Medium
Description: Forwards any alerts generated by CrowdStrike to your Panther destinations.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Followup with the alert according to CrowdStrike's recommendations.
Tests:
- Name: INFO Alert
ExpectedResult: true
Log:
{
"p_event_time": "2024-12-03 19:54:30.000000000",
"p_log_type": "Crowdstrike.EventStreams",
"p_parse_time": "2024-12-03 19:55:53.866056859",
"event": {
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8",
"CompositeId": "DETECTION ID",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4",
"FileName": "msedge.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"GrandparentCommandLine": "C:\\Windows\\Explorer.EXE",
"GrandparentImageFilename": "explorer.exe",
"LocalIP": "10.0.6.37",
"MACAddress": "06-a7-e1-13-09-0d",
"MD5String": "fcde6b30b89cabf7d0460bc5a580cb12",
"Name": "Known Malware",
"Objective": "Follow Through",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",
"ParentImageFileName": "msedge.exe",
"ParentProcessId": "90559720124",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"InddetMask": false,
"Indicator": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false
},
"PatternDispositionValue": 0,
"ProcessEndTime": "1970-01-01 00:00:00.000000000",
"ProcessId": "90597916092",
"ProcessStartTime": "2024-12-03 19:53:19.000000000",
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae",
"Severity": 10,
"SeverityName": "Informational",
"Tactic": "Execution",
"Technique": "User Execution",
"UserName": "Administrator"
},
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "EppDetectionSummaryEvent",
"offset": 1201171,
"version": "1.0"
}
}
- Name: LOW Alert
ExpectedResult: true
Log:
{
"p_event_time": "2024-12-03 19:54:30.000000000",
"p_log_type": "Crowdstrike.EventStreams",
"p_parse_time": "2024-12-03 19:55:53.866056859",
"event": {
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8",
"CompositeId": "DETECTION ID",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4",
"FileName": "msedge.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"GrandparentCommandLine": "C:\\Windows\\Explorer.EXE",
"GrandparentImageFilename": "explorer.exe",
"LocalIP": "10.0.6.37",
"MACAddress": "06-a7-e1-13-09-0d",
"MD5String": "fcde6b30b89cabf7d0460bc5a580cb12",
"Name": "Known Malware",
"Objective": "Follow Through",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",
"ParentImageFileName": "msedge.exe",
"ParentProcessId": "90559720124",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"InddetMask": false,
"Indicator": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false
},
"PatternDispositionValue": 0,
"ProcessEndTime": "1970-01-01 00:00:00.000000000",
"ProcessId": "90597916092",
"ProcessStartTime": "2024-12-03 19:53:19.000000000",
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae",
"Severity": 20,
"SeverityName": "Low",
"Tactic": "Execution",
"Technique": "User Execution",
"UserName": "Administrator"
},
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "EppDetectionSummaryEvent",
"offset": 1201171,
"version": "1.0"
}
}
- Name: MEDIUM Alert
ExpectedResult: true
Log:
{
"p_event_time": "2024-12-03 19:54:30.000000000",
"p_log_type": "Crowdstrike.EventStreams",
"p_parse_time": "2024-12-03 19:55:53.866056859",
"event": {
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8",
"CompositeId": "DETECTION ID",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4",
"FileName": "msedge.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"GrandparentCommandLine": "C:\\Windows\\Explorer.EXE",
"GrandparentImageFilename": "explorer.exe",
"LocalIP": "10.0.6.37",
"MACAddress": "06-a7-e1-13-09-0d",
"MD5String": "fcde6b30b89cabf7d0460bc5a580cb12",
"Name": "Known Malware",
"Objective": "Follow Through",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",
"ParentImageFileName": "msedge.exe",
"ParentProcessId": "90559720124",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"InddetMask": false,
"Indicator": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false
},
"PatternDispositionValue": 0,
"ProcessEndTime": "1970-01-01 00:00:00.000000000",
"ProcessId": "90597916092",
"ProcessStartTime": "2024-12-03 19:53:19.000000000",
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae",
"Severity": 50,
"SeverityName": "Medium",
"Tactic": "Execution",
"Technique": "User Execution",
"UserName": "Administrator"
},
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "EppDetectionSummaryEvent",
"offset": 1201171,
"version": "1.0"
}
}
- Name: HIGH Alert
ExpectedResult: true
Log:
{
"p_event_time": "2024-12-03 19:54:30.000000000",
"p_log_type": "Crowdstrike.EventStreams",
"p_parse_time": "2024-12-03 19:55:53.866056859",
"event": {
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8",
"CompositeId": "DETECTION ID",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4",
"FileName": "msedge.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"GrandparentCommandLine": "C:\\Windows\\Explorer.EXE",
"GrandparentImageFilename": "explorer.exe",
"LocalIP": "10.0.6.37",
"MACAddress": "06-a7-e1-13-09-0d",
"MD5String": "fcde6b30b89cabf7d0460bc5a580cb12",
"Name": "Known Malware",
"Objective": "Follow Through",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",
"ParentImageFileName": "msedge.exe",
"ParentProcessId": "90559720124",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"InddetMask": false,
"Indicator": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false
},
"PatternDispositionValue": 0,
"ProcessEndTime": "1970-01-01 00:00:00.000000000",
"ProcessId": "90597916092",
"ProcessStartTime": "2024-12-03 19:53:19.000000000",
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae",
"Severity": 70,
"SeverityName": "High",
"Tactic": "Execution",
"Technique": "User Execution",
"UserName": "Administrator"
},
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "EppDetectionSummaryEvent",
"offset": 1201171,
"version": "1.0"
}
}
- Name: CRIT Alert
ExpectedResult: true
Log:
{
"p_event_time": "2024-12-03 19:54:30.000000000",
"p_log_type": "Crowdstrike.EventStreams",
"p_parse_time": "2024-12-03 19:55:53.866056859",
"event": {
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8",
"CompositeId": "DETECTION ID",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4",
"FileName": "msedge.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"GrandparentCommandLine": "C:\\Windows\\Explorer.EXE",
"GrandparentImageFilename": "explorer.exe",
"LocalIP": "10.0.6.37",
"MACAddress": "06-a7-e1-13-09-0d",
"MD5String": "fcde6b30b89cabf7d0460bc5a580cb12",
"Name": "Known Malware",
"Objective": "Follow Through",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",
"ParentImageFileName": "msedge.exe",
"ParentProcessId": "90559720124",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"InddetMask": false,
"Indicator": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false
},
"PatternDispositionValue": 0,
"ProcessEndTime": "1970-01-01 00:00:00.000000000",
"ProcessId": "90597916092",
"ProcessStartTime": "2024-12-03 19:53:19.000000000",
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae",
"Severity": 90,
"SeverityName": "Critical",
"Tactic": "Execution",
"Technique": "User Execution",
"UserName": "Administrator"
},
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "EppDetectionSummaryEvent",
"offset": 1201171,
"version": "1.0"
}
}
- Name: Unrelated Event
ExpectedResult: false
Log:
{
"metadata": {
"customerIDString": "CUST_ID",
"eventCreationTime": "2024-12-03 19:54:30.000000000",
"eventType": "AuthActivityAuditEvent",
"offset": 1201171,
"version": "1.0"
}
}
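Review bot: The five positive fixtures all carry both `SeverityName` and `Severity`, so the numeric-fallback branch of `severity()` and the `"New CrowdStrike Detection"` default in `title()` are never exercised by this test set; a fixture with `SeverityName` omitted (or set to a value outside the allowed list) and one with `Name` omitted would pin those paths and would have surfaced the `.upper()`-on-`None` failure. The `Runbook` is also too thin for a rule that forwards every detection: I would replace it with text telling the responder to open the `FalconLink` from the alert context and to read `PatternDispositionDescription` and the `PatternDispositionFlags` (e.g. `KillProcess`, `QuarantineFile`, `ProcessBlocked`) to tell whether the sensor already contained the activity or only detected it, since `"Detection, standard detection."` with all flags false, as in these fixtures, means nothing was blocked. Consider noting in `Description` that the alert severity is taken from the CrowdStrike detection rather than the static `Severity: Medium` shown here, so reviewers are not misled by the metadata.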
