Add system test for CrowdStrike Falcon
Add a system test for CrowdStrike Falcon and fix the issues it detected. These were the errors initially detected. crowdstrike/falcon : [0] field "crowdstrike.event.PatternDispositionFlags.Detect" is undefined [1] field "crowdstrike.event.PatternDispositionFlags.InddetMask" is undefined [2] field "crowdstrike.event.PatternDispositionFlags.Indicator" is undefined [3] field "crowdstrike.event.PatternDispositionFlags.KillParent" is undefined [4] field "crowdstrike.event.PatternDispositionFlags.KillProcess" is undefined [5] field "crowdstrike.event.PatternDispositionFlags.KillSubProcess" is undefined [6] field "crowdstrike.event.PatternDispositionFlags.OperationBlocked" is undefined [7] field "crowdstrike.event.PatternDispositionFlags.PolicyDisabled" is undefined [8] field "crowdstrike.event.PatternDispositionFlags.ProcessBlocked" is undefined [9] field "crowdstrike.event.PatternDispositionFlags.QuarantineFile" is undefined [10] field "crowdstrike.event.PatternDispositionFlags.QuarantineMachine" is undefined [11] field "crowdstrike.event.PatternDispositionFlags.Rooting" is undefined [12] field "crowdstrike.event.PatternDispositionFlags.SensorOnly" is undefined [13] parsing field value failed: field "crowdstrike.event.LocalPort"'s Go type, string, does not match the expected field type: long [14] parsing field value failed: field "crowdstrike.event.PID"'s Go type, string, does not match the expected field type: long [15] parsing field value failed: field "crowdstrike.event.ProcessEndTime"'s Go type, float64, does not match the expected field type: date [16] parsing field value failed: field "crowdstrike.event.RemotePort"'s Go type, string, does not match the expected field type: long [17] parsing field value failed: field "destination.port"'s Go type, string, does not match the expected field type: long [18] parsing field value failed: field "process.pid"'s Go type, string, does not match the expected field type: long [19] parsing field value failed: field "source.port"'s Go type, string, does not match the expected field type: long
1 parent
2ddaeb7
commit e868429
Showing
7 changed files
with
674 additions
and
1 deletion.
@@ -0,0 +1,7 @@ | ||
FROM alpine | ||
|
||
COPY ./falcon-audit-events.log /sample_logs/ | ||
COPY ./falcon-events.log /sample_logs/ | ||
COPY ./falcon-sample.log /sample_logs/ | ||
|
||
ENTRYPOINT [ "/bin/sh" ] |
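Review bot: `FROM alpine` on the first line of the hunk pulls a floating tag, so the base image used by the system test changes whenever the tag moves and the test is not reproducible; pin it, e.g. `FROM alpine:<PINNED_VERSION>` (or a digest). The three `COPY` lines can also be collapsed into one, `COPY ./falcon-audit-events.log ./falcon-events.log ./falcon-sample.log /sample_logs/`, which keeps the image to a single extra layer. The image does nothing beyond holding the fixtures for the `cp` in the compose command, so a minimal, pinned base is all that is needed here.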
@@ -0,0 +1,8 @@ | ||
version: '2.3' | ||
services: | ||
crowdstrike: | ||
tty: true | ||
build: . | ||
volumes: | ||
- ${SERVICE_LOGS_DIR}:/logs | ||
command: -c "cp /sample_logs/*.log /logs/" |
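Review bot: The volume entry `- ${SERVICE_LOGS_DIR}:/logs` expands to `:/logs` when `SERVICE_LOGS_DIR` is not exported, which surfaces as an obscure mount error instead of naming the missing variable. Compose file format 2.1 and later (this file declares `2.3`) supports the `${VAR:?message}` form, so `- ${SERVICE_LOGS_DIR:?SERVICE_LOGS_DIR must be set}:/logs` fails fast with a clear message. If the test harness is guaranteed to set the variable, a one-line comment stating that would make the dependency explicit to whoever runs the compose file by hand.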
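--- a/packages/crowdstrike/_dev/deploy/docker/falcon-audit-events.log
+++ b/packages/crowdstrike/_dev/deploy/docker/falcon-audit-events.log
@@ -0,0 +1,277 @@
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 1045,
+"eventType": "RemoteResponseSessionStartEvent",
+"eventCreationTime": 1582830734000,
+"version": "1.0"
+},
+"event": {
+"SessionId": "6020260b-0398-4d41-999d-5531b55522de",
+"HostnameField": "hostnameofmachine",
+"UserName": "first.last@company.com",
+"StartTimestamp": 1582830734
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 1046,
+"eventType": "RemoteResponseSessionEndEvent",
+"eventCreationTime": 1582830772000,
+"version": "1.0"
+},
+"event": {
+"SessionId": "6020260b-0398-4d41-999d-5531b55522de",
+"HostnameField": "hostnameofmachine",
+"UserName": "first.last@company.com",
+"EndTimestamp": 1582830772
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 0,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581542950710,
+"version": "1.0"
+},
+"event": {
+"UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
+"UserIp": "10.10.0.8",
+"OperationName": "streamStarted",
+"ServiceName": "Crowdstrike Streaming API",
+"Success": true,
+"UTCTimestamp": 1581542950,
+"AuditKeyValues": [
+{
+"Key": "APIClientID",
+"ValueString": "1234567890abcdefghijklmnopqr"
+},
+{
+"Key": "partition",
+"ValueString": "0"
+},
+{
+"Key": "offset",
+"ValueString": "-1"
+},
+{
+"Key": "appId",
+"ValueString": "siem-connector-v2.0.0"
+},
+{
+"Key": "eventType",
+"ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
+}
+]
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 1,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581543577147,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "twoFactorAuthenticate",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581543577147
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 2,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581545677554,
+"version": "1.0"
+},
+"event": {
+"UserId": "bob@company.com",
+"UserIp": "192.168.6.3",
+"OperationName": "twoFactorAuthenticate",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581545677554
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 3,
+"eventType": "UserActivityAuditEvent",
+"eventCreationTime": 1581546248000,
+"version": "1.0"
+},
+"event": {
+"UserId": "chris@company.com",
+"UserIp": "192.168.6.13",
+"OperationName": "update_group",
+"ServiceName": "groups",
+"AuditKeyValues": [
+{
+"Key": "group_id",
+"ValueString": "3c80ce30b9654cb4bd15beec6a517e65"
+},
+{
+"Key": "action_name",
+"ValueString": "add_group_member"
+}
+],
+"UTCTimestamp": 1581546248
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 4,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601312140,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "requestResetPassword",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601312140,
+"AuditKeyValues": [
+{
+"Key": "target_name",
+"ValueString": "alice@company.com"
+}
+]
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 5,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601341730,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "twoFactorAuthenticate",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601341730
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 6,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601520236,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "changePassword",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601520236,
+"AuditKeyValues": [
+{
+"Key": "target_name",
+"ValueString": "first.last@company.com"
+}
+]
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 7,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601572362,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "userAuthenticate",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601572362
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 8,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601814754,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "twoFactorAuthenticate",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601814754
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 9,
+"eventType": "AuthActivityAuditEvent",
+"eventCreationTime": 1581601820289,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "selfAcceptEula",
+"ServiceName": "CrowdStrike Authentication",
+"Success": true,
+"UTCTimestamp": 1581601820289
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 10,
+"eventType": "UserActivityAuditEvent",
+"eventCreationTime": 1581603262000,
+"version": "1.0"
+},
+"event": {
+"UserId": "alice@company.com",
+"UserIp": "192.168.6.8",
+"OperationName": "detection_update",
+"ServiceName": "detections",
+"AuditKeyValues": [
+{
+"Key": "detection_id",
+"ValueString": "ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745"
+},
+{
+"Key": "new_state",
+"ValueString": "in_progress"
+},
+{
+"Key": "assigned_to",
+"ValueString": "First Last"
+},
+{
+"Key": "assigned_to_uid",
+"ValueString": "first.last@company.com"
+}
+],
+"UTCTimestamp": 1581603262
+}
+}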
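Review bot: `UTCTimestamp` is expressed in seconds in some records of this fixture (`1581542950` in the streamStarted event, `1581546248` in update_group, `1581603262` in detection_update) and in milliseconds in the others (`1581543577147`, `1581545677554`, and the later AuthActivityAuditEvents), a 1000x unit difference within a single field. If this mirrors what the Falcon SIEM connector actually emits, the pipeline has to normalise the unit (presumably by magnitude), and the expected-output file for this test should be checked so the seconds-resolution records do not land in 1970; if it is accidental, the fixture should use one unit. `metadata.eventCreationTime` is consistently in milliseconds across every record here and can serve as a cross-check when reviewing the expected output. The expected-output file is not part of this chunk, so this is inferred from the fixture alone.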
@@ -0,0 +1,94 @@ | ||
{ | ||
"metadata": { | ||
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", | ||
"offset": 294564, | ||
"eventType": "DetectionSummaryEvent", | ||
"eventCreationTime": 1582101000000, | ||
"version": "1.0" | ||
}, | ||
"event": { | ||
"ProcessStartTime": 1536846339, | ||
"ProcessEndTime": 0, | ||
"ProcessId": 38684386611, | ||
"ParentProcessId": 38682494050, | ||
"ComputerName": "alice-laptop", | ||
"UserName": "alice", | ||
"DetectName": "Process Terminated", | ||
"DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", | ||
"Severity": 4, | ||
"SeverityName": "High", | ||
"FileName": "explorer.exe", | ||
"FilePath": "\\Device\\HarddiskVolume1\\Windows", | ||
"CommandLine": "C:\\Windows\\Explorer.EXE", | ||
"SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", | ||
"MD5String": "ac4c51eb24aa95b77f705ab159189e24", | ||
"MachineDomain": "CORP-DOMAIN", | ||
"FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", | ||
"SensorId": "7c808b4c8878433287eea53d4a8c3268", | ||
"DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584", | ||
"LocalIP": "192.168.12.51", | ||
"MACAddress": "00-00-00-11-22-33", | ||
"Tactic": "Malware", | ||
"Technique": "Ransomware", | ||
"Objective": "Falcon Detection Method", | ||
"PatternDispositionDescription": "Prevention, process killed.", | ||
"PatternDispositionValue": 16, | ||
"PatternDispositionFlags": { | ||
"Indicator": false, | ||
"Detect": false, | ||
"InddetMask": false, | ||
"SensorOnly": false, | ||
"Rooting": false, | ||
"KillProcess": true, | ||
"KillSubProcess": false, | ||
"QuarantineMachine": false, | ||
"QuarantineFile": false, | ||
"PolicyDisabled": false, | ||
"KillParent": false, | ||
"OperationBlocked": false, | ||
"ProcessBlocked": false | ||
} | ||
} | ||
} | ||
{ | ||
"metadata": { | ||
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", | ||
"offset": 1824, | ||
"eventType": "IncidentSummaryEvent", | ||
"eventCreationTime": 1583295476766, | ||
"version": "1.0" | ||
}, | ||
"event": { | ||
"IncidentStartTime": 1583295228, | ||
"IncidentEndTime": 1583295470, | ||
"FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", | ||
"State": "open", | ||
"FineScore": 1.2 | ||
} | ||
} | ||
{ | ||
"metadata": { | ||
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", | ||
"offset": 22865, | ||
"eventType": "UserActivityAuditEvent", | ||
"eventCreationTime": 1593186952000, | ||
"version": "1.0" | ||
}, | ||
"event": { | ||
"UserId": "Crowdstrike", | ||
"UserIp": "", | ||
"OperationName": "quarantined_file_update", | ||
"ServiceName": "quarantined_files", | ||
"AuditKeyValues": [ | ||
{ | ||
"Key": "quarantined_file_id", | ||
"ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" | ||
}, | ||
{ | ||
"Key": "action_taken", | ||
"ValueString": "quarantined" | ||
} | ||
], | ||
"UTCTimestamp": 1593186952 | ||
} | ||
} |
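Review bot: `"ProcessEndTime": 0` in the DetectionSummaryEvent record is the value the commit message reports as having failed date parsing (float64 vs date); now that the pipeline accepts it, the expected output should be checked so that 0 is treated as "process still running" (field dropped) rather than rendered as `1970-01-01T00:00:00Z`, which would mislead anyone reading the event. Likewise `"UserIp": ""` in the last record should not be copied into an `ip`-typed field such as `source.ip`, where an empty string is a mapping error rather than a value. The `FalconHostLink` in the IncidentSummaryEvent reuses the customer ID as the incident id, which is fine for a fixture but worth a comment in the test config if the expected output asserts on it. The expected-output file is not in this chunk, so these points are inferred from the fixture.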