diff --git a/packs/crowdstrike_event_streams.yml b/packs/crowdstrike_event_streams.yml
index 6cf46dbbf..6f42c54e6 100644
--- a/packs/crowdstrike_event_streams.yml
+++ b/packs/crowdstrike_event_streams.yml
@@ -9,6 +9,7 @@ PackDefinition:
 - Crowdstrike.AllowlistRemoved
 - Crowdstrike.API.Key.Created
 - Crowdstrike.API.Key.Deleted
+ - Crowdstrike.EppDetectionSummary
 - Crowdstrike.EphemeralUserAccount
 - Crowdstrike.IpAllowlistChanged
 - Crowdstrike.NewAdminUserCreated
diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py
new file mode 100644
index 000000000..3653fbd0a
--- /dev/null
+++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py
@@ -0,0 +1,47 @@
+from panther_core import PantherEvent
+from panther_crowdstrike_event_streams_helpers import cs_alert_context
+
+
+def rule(event: PantherEvent):
+    return event.deep_get("metadata", "eventType") == "EppDetectionSummaryEvent"
+
+
+def title(event: PantherEvent):
+    alert_title = event.deep_get("event", "Name", default="New CrowdStrike Detection")
+    alert_desc = event.deep_get("event", "Description")
+    return f"{alert_title}: {alert_desc}" if alert_desc else alert_title
+
+
+def dedup(event: PantherEvent):
+    if alert_id := event.deep_get("event", "CompositeId"):
+        return alert_id
+    # Else, fall back on title string
+    return title(event)
+
+
+def severity(event: PantherEvent):
+    # First, try returning the severity based on the SeverityName
+    sevname = event.deep_get("event", "SeverityName").upper()
+    allowed_values = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")
+    if sevname == "INFORMATIONAL":
+        sevname = "INFO"
+    if sevname in allowed_values:
+        return sevname
+
+    # Else, fallback on the numerical value, falling back on MEDIUM if we still don't have a value
+    sevval = event.deep_get("event", "Severity") // 20
+    return {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL", 5: "CRITICAL"}.get(
+        sevval, "DEFAULT"
+    )
+
+
+def reference(event: PantherEvent):
+    return event.deep_get("event", "FalconHostLink", default="")
+
+
+def alert_context(event: PantherEvent):
+    context = cs_alert_context(event)
+    context.update(
+        {"FalconLink": event.deep_get("event", "FalconHostLink", default="")}
+    )
+    return context
diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml
new file mode 100644
index 000000000..2ca9c12fc
--- /dev/null
+++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml
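Review bot: severity() raises on a detection that omits either severity field: deep_get returns None when no default is given (the same hunk passes `default=` elsewhere for exactly this reason), so `.upper()` on a missing SeverityName and `// 20` on a missing Severity both throw, and as I understand Panther's runtime that surfaces as a rule error rather than the passthrough alert this rule exists to produce. Give both lookups a default so the existing "DEFAULT" fallback is actually reachable, e.g. `sevname = str(event.deep_get("event", "SeverityName", default="")).upper()` and `sevval = event.deep_get("event", "Severity", default=-1) // 20`. The comment above the numeric fallback says it falls back on MEDIUM while the code returns "DEFAULT"; rewording it to `# Else, fall back on the numerical value; "DEFAULT" defers to the rule's static Severity` would match the code, assuming that is what the Panther runtime does with "DEFAULT" — confirm. A one-line module docstring stating that this rule forwards every EppDetectionSummaryEvent and derives the alert severity from the detection's own SeverityName/Severity would also help the next reader.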
@@ -0,0 +1,348 @@ +AnalysisType: rule +Filename: crowdstrike_detection_summary.py +RuleID: "Crowdstrike.EppDetectionSummary" +DisplayName: "Crowdstrike Detection Summary" +Enabled: true +LogTypes: + - Crowdstrike.EventStreams +Severity: Medium +Description: Forwards any alerts generated by CrowdStrike to your Panther destinations. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: Followup with the alert according to CrowdStrike's recommendations. +Tags: + - Crowdstrike + - Passthrough +Tests: + - Name: INFO Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 10, + "SeverityName": "Informational", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + 
"version": "1.0" + } + } + - Name: LOW Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + 
"RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 20, + "SeverityName": "Low", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": "1.0" + } + } + - Name: MEDIUM Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 50, + "SeverityName": "Medium", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": 
"1.0" + } + } + - Name: HIGH Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + 
"RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 70, + "SeverityName": "High", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": "1.0" + } + } + - Name: CRIT Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 90, + "SeverityName": "Critical", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": 
"1.0" + } + } + - Name: Unrelated Event + ExpectedResult: false + Log: + { + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "AuthActivityAuditEvent", + "offset": 1201171, + "version": "1.0" + } + }
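Review bot: The five severity-named tests only assert `ExpectedResult: true`, so none of them checks the severity the rule actually maps, and every fixture carries both SeverityName and Severity, which leaves the numeric `// 20` fallback, the "DEFAULT" path and the missing-field cases in severity() unexercised. Add a fixture whose event has only `"Severity": 70` (no SeverityName), one with neither field, and one without CompositeId so the dedup fallback to the title is pinned; if the test harness supports asserting the mapped severity, title and dedup alongside ExpectedResult, use that so the test names mean what they say. The fixtures also differ only in the two severity fields; a short comment on the Tests block noting that would save a reader from diffing five near-identical JSON blobs.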