[Crowdstrike] Overhaul of Crowdstrike Falcon pipelines and mappings

packages/crowdstrike/_dev/build/docs/README.md

@@ -16,6 +16,21 @@ This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.
 
 Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector.
 
+#### Falcon SIEM Connector configuration file
+
+By default, the configuration file located at `/opt/crowdstrike/etc/cs.falconhoseclient.cf` provides configuration options related to the events collected by Falcon SIEM Connector.
+
+Parts of the configuration file called `EventTypeCollection` and `EventSubTypeCollection` provides a list of event types that the connector should collect.
+
+Current supported event types are:
+- DetectionSummaryEvent
+- IncidentSummaryEvent
+- UserActivityAuditEvent
+- AuthActivityAuditEvent
+- FirewallMatchEvent
+- RemoteResponseSessionStartEvent
+- RemoteResponseSessionEndEvent
+
 {{fields "falcon"}}
 
 {{event "falcon"}}

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Overhaul of the Falcon Datastream, adding plenty of new fields and ECS mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6668
 - version: "1.14.0"
  changes:
  - description: Ensure event.kind is correctly set for pipeline errors.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-auth-activity.log

@@ -0,0 +1,92 @@
+{
+ "metadata": {
+ "customerIDString": "123123abcd",
+ "offset": 6,
+ "eventType": "AuthActivityAuditEvent",
+ "eventCreationTime": 1686845212400,
+ "version": "1.0"
+ },
+ "event": {
+ "UserId": "API:USERID",
+ "UserIp": "175.16.199.1",
+ "OperationName": "streamStopped",
+ "ServiceName": "Crowdstrike Streaming API",
+ "Success": true,
+ "UTCTimestamp": 1686839378,
+ "AuditKeyValues": [
+ {
+ "Key": "eventType",
+ "ValueString": "All event type(s)"
+ },
+ {
+ "Key": "APIClientID",
+ "ValueString": "APIID"
+ },
+ {
+ "Key": "partition",
+ "ValueString": "0"
+ },
+ {
+ "Key": "offset",
+ "ValueString": "2"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "APPIDTEST"
+ }
+ ],
+ "Attributes": {
+ "APIClientID": "APPCLIENTIDTEST",
+ "appId": "APPIDTEST",
+ "eventType": "All event type(s)",
+ "offset": "2",
+ "partition": "0"
+ }
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "123123abcd",
+ "offset": 8,
+ "eventType": "AuthActivityAuditEvent",
+ "eventCreationTime": 1686849556137,
+ "version": "1.0"
+ },
+ "event": {
+ "UserId": "API:USERID",
+ "UserIp": "175.16.199.1",
+ "OperationName": "streamStarted",
+ "ServiceName": "Crowdstrike Streaming API",
+ "Success": true,
+ "UTCTimestamp": 1686849556,
+ "AuditKeyValues": [
+ {
+ "Key": "APIClientID",
+ "ValueString": "APICLIENTID"
+ },
+ {
+ "Key": "partition",
+ "ValueString": "0"
+ },
+ {
+ "Key": "offset",
+ "ValueString": "8"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "APPIDTEST"
+ },
+ {
+ "Key": "eventType",
+ "ValueString": "All event type(s)"
+ }
+ ],
+ "Attributes": {
+ "APIClientID": "APICLIENTID",
+ "appId": "APPIDTEST",
+ "eventType": "All event type(s)",
+ "offset": "8",
+ "partition": "0"
+ }
+ }
+}

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-auth-activity.log-expected.json

@@ -0,0 +1,186 @@
+{
+ "expected": [
+ {
+ "crowdstrike": {
+ "event": {
+ "Attributes": {
+ "APIClientID": "APPCLIENTIDTEST",
+ "appId": "APPIDTEST",
+ "eventType": "All event type(s)",
+ "offset": "2",
+ "partition": "0"
+ },
+ "AuditKeyValues": [
+ {
+ "Key": "eventType",
+ "ValueString": "All event type(s)"
+ },
+ {
+ "Key": "APIClientID",
+ "ValueString": "APIID"
+ },
+ {
+ "Key": "partition",
+ "ValueString": "0"
+ },
+ {
+ "Key": "offset",
+ "ValueString": "2"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "APPIDTEST"
+ }
+ ],
+ "OperationName": "streamStopped",
+ "Success": true
+ },
+ "metadata": {
+ "customerIDString": "123123abcd",
+ "eventType": "AuthActivityAuditEvent",
+ "offset": 6,
+ "version": "1.0"
+ }
+ },
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "action": [
+ "streamStopped"
+ ],
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "original": "{\n \"metadata\": {\n \"customerIDString\": \"123123abcd\",\n \"offset\": 6,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1686845212400,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"API:USERID\",\n \"UserIp\": \"175.16.199.1\",\n \"OperationName\": \"streamStopped\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1686839378,\n \"AuditKeyValues\": [\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"All event type(s)\"\n },\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"APIID\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"2\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"APPIDTEST\"\n }\n ],\n \"Attributes\": {\n \"APIClientID\": \"APPCLIENTIDTEST\",\n \"appId\": \"APPIDTEST\",\n \"eventType\": \"All event type(s)\",\n \"offset\": \"2\",\n \"partition\": \"0\"\n }\n }\n}",
+ "outcome": "success"
+ },
+ "message": "Crowdstrike Streaming API",
+ "observer": {
+ "product": "Falcon",
+ "vendor": "Crowdstrike"
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1"
+ ],
+ "user": [
+ "API:USERID"
+ ]
+ },
+ "source": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "API:USERID"
+ }
+ },
+ {
+ "crowdstrike": {
+ "event": {
+ "Attributes": {
+ "APIClientID": "APICLIENTID",
+ "appId": "APPIDTEST",
+ "eventType": "All event type(s)",
+ "offset": "8",
+ "partition": "0"
+ },
+ "AuditKeyValues": [
+ {
+ "Key": "APIClientID",
+ "ValueString": "APICLIENTID"
+ },
+ {
+ "Key": "partition",
+ "ValueString": "0"
+ },
+ {
+ "Key": "offset",
+ "ValueString": "8"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "APPIDTEST"
+ },
+ {
+ "Key": "eventType",
+ "ValueString": "All event type(s)"
+ }
+ ],
+ "OperationName": "streamStarted",
+ "Success": true
+ },
+ "metadata": {
+ "customerIDString": "123123abcd",
+ "eventType": "AuthActivityAuditEvent",
+ "offset": 8,
+ "version": "1.0"
+ }
+ },
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "action": [
+ "streamStarted"
+ ],
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "original": "{\n \"metadata\": {\n \"customerIDString\": \"123123abcd\",\n \"offset\": 8,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1686849556137,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"API:USERID\",\n \"UserIp\": \"175.16.199.1\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1686849556,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"APICLIENTID\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"8\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"APPIDTEST\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"All event type(s)\"\n }\n ],\n \"Attributes\": {\n \"APIClientID\": \"APICLIENTID\",\n \"appId\": \"APPIDTEST\",\n \"eventType\": \"All event type(s)\",\n \"offset\": \"8\",\n \"partition\": \"0\"\n }\n }\n}",
+ "outcome": "success"
+ },
+ "message": "Crowdstrike Streaming API",
+ "observer": {
+ "product": "Falcon",
+ "vendor": "Crowdstrike"
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1"
+ ],
+ "user": [
+ "API:USERID"
+ ]
+ },
+ "source": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "API:USERID"
+ }
+ }
+ ]
+}