Add system test for CrowdStrike Falcon
Add a system test for CrowdStrike Falcon and fix the issues it detected.
These were the errors initially detected.

    crowdstrike/falcon :
    [0] field "crowdstrike.event.PatternDispositionFlags.Detect" is undefined
    [1] field "crowdstrike.event.PatternDispositionFlags.InddetMask" is undefined
    [2] field "crowdstrike.event.PatternDispositionFlags.Indicator" is undefined
    [3] field "crowdstrike.event.PatternDispositionFlags.KillParent" is undefined
    [4] field "crowdstrike.event.PatternDispositionFlags.KillProcess" is undefined
    [5] field "crowdstrike.event.PatternDispositionFlags.KillSubProcess" is undefined
    [6] field "crowdstrike.event.PatternDispositionFlags.OperationBlocked" is undefined
    [7] field "crowdstrike.event.PatternDispositionFlags.PolicyDisabled" is undefined
    [8] field "crowdstrike.event.PatternDispositionFlags.ProcessBlocked" is undefined
    [9] field "crowdstrike.event.PatternDispositionFlags.QuarantineFile" is undefined
    [10] field "crowdstrike.event.PatternDispositionFlags.QuarantineMachine" is undefined
    [11] field "crowdstrike.event.PatternDispositionFlags.Rooting" is undefined
    [12] field "crowdstrike.event.PatternDispositionFlags.SensorOnly" is undefined
    [13] parsing field value failed: field "crowdstrike.event.LocalPort"'s Go type, string, does not match the expected field type: long
    [14] parsing field value failed: field "crowdstrike.event.PID"'s Go type, string, does not match the expected field type: long
    [15] parsing field value failed: field "crowdstrike.event.ProcessEndTime"'s Go type, float64, does not match the expected field type: date
    [16] parsing field value failed: field "crowdstrike.event.RemotePort"'s Go type, string, does not match the expected field type: long
    [17] parsing field value failed: field "destination.port"'s Go type, string, does not match the expected field type: long
    [18] parsing field value failed: field "process.pid"'s Go type, string, does not match the expected field type: long
    [19] parsing field value failed: field "source.port"'s Go type, string, does not match the expected field type: long
andrewkroh committed Dec 2, 2020
1 parent 2ddaeb7 commit e868429
Showing 7 changed files with 674 additions and 1 deletion.
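--- a/packages/crowdstrike/_dev/deploy/docker/Dockerfile
+++ b/packages/crowdstrike/_dev/deploy/docker/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine
+
+COPY ./falcon-audit-events.log /sample_logs/
+COPY ./falcon-events.log /sample_logs/
+COPY ./falcon-sample.log /sample_logs/
+
+ENTRYPOINT [ "/bin/sh" ]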
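Review bot: `FROM alpine` on the first line is unpinned, so the system-test image floats with whatever `alpine:latest` resolves to at build time and the test environment is not reproducible; pin it to a tag, `FROM alpine:<pinned-tag>`, or better a digest, so a base-image change cannot silently alter the fixture container. The three COPY lines could also be collapsed to `COPY ./*.log /sample_logs/`, which would keep the Dockerfile in step when another sample file is added. Note that `falcon-sample.log` is copied but is not among the files added in this commit, so it is presumably already present in the build context; worth confirming, since a missing file fails the build only at test time.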
8 changes: 8 additions & 0 deletions packages/crowdstrike/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,8 @@
version: '2.3'
services:
crowdstrike:
tty: true
build: .
volumes:
- ${SERVICE_LOGS_DIR}:/logs
command: -c "cp /sample_logs/*.log /logs/"
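Review bot: The `${SERVICE_LOGS_DIR}:/logs` volume entry has no required-variable marker, so if the variable is unset compose substitutes an empty string and the mount degrades to `:/logs`, which fails with a less obvious error than a missing-variable message would; compose format 2.1+ supports `${SERVICE_LOGS_DIR:?SERVICE_LOGS_DIR must be set}:/logs` for a fail-fast check. This is presumably always set by the test runner, so the change is only defensive. The page shows the file with its indentation flattened, so the nesting of `crowdstrike:` under `services:` is assumed here rather than verified.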
277 changes: 277 additions & 0 deletions packages/crowdstrike/_dev/deploy/docker/falcon-audit-events.log
@@ -0,0 +1,277 @@
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 1045,
"eventType": "RemoteResponseSessionStartEvent",
"eventCreationTime": 1582830734000,
"version": "1.0"
},
"event": {
"SessionId": "6020260b-0398-4d41-999d-5531b55522de",
"HostnameField": "hostnameofmachine",
"UserName": "first.last@company.com",
"StartTimestamp": 1582830734
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 1046,
"eventType": "RemoteResponseSessionEndEvent",
"eventCreationTime": 1582830772000,
"version": "1.0"
},
"event": {
"SessionId": "6020260b-0398-4d41-999d-5531b55522de",
"HostnameField": "hostnameofmachine",
"UserName": "first.last@company.com",
"EndTimestamp": 1582830772
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 0,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581542950710,
"version": "1.0"
},
"event": {
"UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
"UserIp": "10.10.0.8",
"OperationName": "streamStarted",
"ServiceName": "Crowdstrike Streaming API",
"Success": true,
"UTCTimestamp": 1581542950,
"AuditKeyValues": [
{
"Key": "APIClientID",
"ValueString": "1234567890abcdefghijklmnopqr"
},
{
"Key": "partition",
"ValueString": "0"
},
{
"Key": "offset",
"ValueString": "-1"
},
{
"Key": "appId",
"ValueString": "siem-connector-v2.0.0"
},
{
"Key": "eventType",
"ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
}
]
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 1,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581543577147,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "twoFactorAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581543577147
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 2,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581545677554,
"version": "1.0"
},
"event": {
"UserId": "bob@company.com",
"UserIp": "192.168.6.3",
"OperationName": "twoFactorAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581545677554
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 3,
"eventType": "UserActivityAuditEvent",
"eventCreationTime": 1581546248000,
"version": "1.0"
},
"event": {
"UserId": "chris@company.com",
"UserIp": "192.168.6.13",
"OperationName": "update_group",
"ServiceName": "groups",
"AuditKeyValues": [
{
"Key": "group_id",
"ValueString": "3c80ce30b9654cb4bd15beec6a517e65"
},
{
"Key": "action_name",
"ValueString": "add_group_member"
}
],
"UTCTimestamp": 1581546248
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 4,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601312140,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "requestResetPassword",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601312140,
"AuditKeyValues": [
{
"Key": "target_name",
"ValueString": "alice@company.com"
}
]
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 5,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601341730,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "twoFactorAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601341730
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 6,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601520236,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "changePassword",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601520236,
"AuditKeyValues": [
{
"Key": "target_name",
"ValueString": "first.last@company.com"
}
]
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 7,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601572362,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "userAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601572362
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 8,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601814754,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "twoFactorAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601814754
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 9,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": 1581601820289,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "selfAcceptEula",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": 1581601820289
}
}
{
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"offset": 10,
"eventType": "UserActivityAuditEvent",
"eventCreationTime": 1581603262000,
"version": "1.0"
},
"event": {
"UserId": "alice@company.com",
"UserIp": "192.168.6.8",
"OperationName": "detection_update",
"ServiceName": "detections",
"AuditKeyValues": [
{
"Key": "detection_id",
"ValueString": "ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745"
},
{
"Key": "new_state",
"ValueString": "in_progress"
},
{
"Key": "assigned_to",
"ValueString": "First Last"
},
{
"Key": "assigned_to_uid",
"ValueString": "first.last@company.com"
}
],
"UTCTimestamp": 1581603262
}
}
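Review bot: `UTCTimestamp` is not in a single unit across this fixture: the `streamStarted` record carries `"UTCTimestamp": 1581542950` (seconds) while the `twoFactorAuthenticate` records carry values such as `1581543577147` (milliseconds), and the `UserActivityAuditEvent` records are back in seconds. A date processor configured with only `UNIX` or only `UNIX_MS` will mis-date one of the two groups by a factor of a thousand without raising a parse error, which the system test would not catch unless it asserts on `@timestamp`. The ingest pipeline is outside this page, so this may already be handled by a format list or a conditional; if not, the fixture deserves a short note that both units occur in real Falcon streaming output. The same `metadata.eventCreationTime` field is consistently milliseconds, so only the event-level timestamp needs the dual handling.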
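--- a/packages/crowdstrike/_dev/deploy/docker/falcon-events.log
+++ b/packages/crowdstrike/_dev/deploy/docker/falcon-events.log
@@ -0,0 +1,94 @@
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 294564,
+"eventType": "DetectionSummaryEvent",
+"eventCreationTime": 1582101000000,
+"version": "1.0"
+},
+"event": {
+"ProcessStartTime": 1536846339,
+"ProcessEndTime": 0,
+"ProcessId": 38684386611,
+"ParentProcessId": 38682494050,
+"ComputerName": "alice-laptop",
+"UserName": "alice",
+"DetectName": "Process Terminated",
+"DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
+"Severity": 4,
+"SeverityName": "High",
+"FileName": "explorer.exe",
+"FilePath": "\\Device\\HarddiskVolume1\\Windows",
+"CommandLine": "C:\\Windows\\Explorer.EXE",
+"SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
+"MD5String": "ac4c51eb24aa95b77f705ab159189e24",
+"MachineDomain": "CORP-DOMAIN",
+"FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4",
+"SensorId": "7c808b4c8878433287eea53d4a8c3268",
+"DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
+"LocalIP": "192.168.12.51",
+"MACAddress": "00-00-00-11-22-33",
+"Tactic": "Malware",
+"Technique": "Ransomware",
+"Objective": "Falcon Detection Method",
+"PatternDispositionDescription": "Prevention, process killed.",
+"PatternDispositionValue": 16,
+"PatternDispositionFlags": {
+"Indicator": false,
+"Detect": false,
+"InddetMask": false,
+"SensorOnly": false,
+"Rooting": false,
+"KillProcess": true,
+"KillSubProcess": false,
+"QuarantineMachine": false,
+"QuarantineFile": false,
+"PolicyDisabled": false,
+"KillParent": false,
+"OperationBlocked": false,
+"ProcessBlocked": false
+}
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 1824,
+"eventType": "IncidentSummaryEvent",
+"eventCreationTime": 1583295476766,
+"version": "1.0"
+},
+"event": {
+"IncidentStartTime": 1583295228,
+"IncidentEndTime": 1583295470,
+"FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"State": "open",
+"FineScore": 1.2
+}
+}
+{
+"metadata": {
+"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+"offset": 22865,
+"eventType": "UserActivityAuditEvent",
+"eventCreationTime": 1593186952000,
+"version": "1.0"
+},
+"event": {
+"UserId": "Crowdstrike",
+"UserIp": "",
+"OperationName": "quarantined_file_update",
+"ServiceName": "quarantined_files",
+"AuditKeyValues": [
+{
+"Key": "quarantined_file_id",
+"ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
+},
+{
+"Key": "action_taken",
+"ValueString": "quarantined"
+}
+],
+"UTCTimestamp": 1593186952
+}
+}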
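Review bot: The `DetectionSummaryEvent` record carries `"ProcessEndTime": 0`, and the commit description's error [15] shows that field is mapped to `date`; converting 0 literally yields 1970-01-01T00:00:00Z, which reads as a real end time rather than "process still running" and would skew any duration or timeline built from it. The conversion happens in the ingest pipeline, which is outside this page, so this may already be guarded; if not, a condition that skips or removes the field when the value is 0 would keep the sample from asserting a bogus date. The third record has `"UserIp": ""`, which a mapping to the `ip` type rejects unless the empty string is dropped first; the same hedge applies, since the description lists no `UserIp` failure and the test presumably passed after the fixes. Both values are plausible real-world shapes, so they are worth keeping in the fixture rather than editing away.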