Collect CrowdStrike IOC logs

Supported in:

Overview

This parser extracts CrowdStrike Falcon Intelligence data from JSON-formatted messages. It transforms various IOC fields into the UDM format, handling different indicator types (domains, IPs, URLs, hashes, etc.) and their associated metadata, including relations, labels, and threat information. The parser also performs data validation and error handling. It prioritizes JSON parsing, falling back to grok matching if necessary, and drops malformed messages.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have access to the CrowdStrike Falcon Intelligence platform with appropriate permissions.

Configure a feed in Google SecOps to ingest the CrowdStrike IOC logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, CrowdStrike IOC Logs).
  4. Select Webhook as the Source type.
  5. Select Crowdstrike IOC as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

Replace the following:

  • ENDPOINT_URL: the feed endpoint URL.
  • API_KEY: the API key to authenticate to Google SecOps.
  • SECRET: the secret key that you generated to authenticate the feed.

Create a CrowdStrike webhook

  1. Sign in to the CrowdStrike Falcon Intelligence console.
  2. Go to the CrowdStrike Store.
  3. Find Webhook.
  4. Activate the Webhook integration.
  5. Click Configure.
  6. Select Add configuration.
  7. Ensure only IOCs are sent to the webhook.
  8. Paste the endpoint URL into the Webhook URL field in the Configure Webhook screen.
  9. Click Save.
  10. CrowdStrike now sends generated events to the specified Google SecOps feed.

UDM Mapping Table

Log Field UDM Mapping Logic
_marker event.idm.entity.entity.labels.value The value of the _marker field is mapped directly.
actors event.idm.entity.entity.group.group_display_name If the first value in actors contains "panda", "bear", "kitten", "chollima", "jackal", or "Spider", it is mapped and the event.idm.entity.entity.location.country_or_region is derived (China, Russia, Iran, North Korea, Activist groups, Criminal groups respectively). Other values in actors are added as labels with key "actor" within event.idm.entity.entity.group.attribute.labels.
actors event.idm.entity.entity.location.country_or_region Derived based on the first value in actors (see above).
deleted event.idm.entity.metadata.threat.action If deleted is "false", the action is "BLOCK". If deleted is "true", the action is "ALLOW".
deleted event.idm.entity.metadata.threat.action_details The value of deleted is mapped directly.
domain_types event.idm.entity.metadata.threat.detection_fields.value All values in domain_types are concatenated with commas and mapped with key "domain_types".
id event.idm.entity.metadata.product_entity_id The value of id is mapped directly.
indicator event.idm.entity.entity.hostname Mapped if type is "domain".
indicator event.idm.entity.entity.file.md5 Mapped if type is "hash_md5" and the value is a valid MD5 hash.
indicator event.idm.entity.entity.file.sha1 Mapped if type is "hash_sha1" and the value is a valid SHA1 hash.
indicator event.idm.entity.entity.file.sha256 Mapped if type is "hash_sha256" and the value is a valid SHA256 hash.
indicator event.idm.entity.entity.ip Mapped if type is "ip_address" and the value is a valid IP address.
indicator event.ioc.ip_and_ports.ip_address Mapped if type is "ip_address" and the value is a valid IP address.
indicator event.idm.entity.entity.url Mapped if type is "url".
indicator event.idm.entity.entity.resource.name Mapped if type is "device_name" or "mutex_name".
indicator event.idm.entity.entity.user.email_addresses Mapped if type is "email_address" and the value is a valid email address.
indicator event.idm.entity.metadata.threat.detection_fields.value Mapped with various keys based on the type field (e.g., "campaign_id", "binary_string", etc.). If the type is not specifically handled, it's mapped with the type as the key.
indicator event.ioc.domain_and_ports.domain Mapped if type is not "ip_address" or "port".
ip_address_types event.idm.entity.metadata.threat.detection_fields.value All values in ip_address_types are concatenated with commas and mapped with key "ip_address_types".
kill_chains event.idm.entity.metadata.threat.category The category is derived based on the values in kill_chains. "reconnaissance", "weaponization", or "actionOnObjectives" result in "NETWORK_MALICIOUS". "delivery" or "exploitation" result in "EXPLOIT". "installation" or "c3" result in "SOFTWARE_MALICIOUS". "c2" results in "NETWORK_COMMAND_AND_CONTROL". Other values result in "UNKNOWN_CATEGORY". Multiple categories can be assigned.
kill_chains event.idm.entity.metadata.threat.category_details The raw values from kill_chains are mapped directly. Multiple values are possible.
labels event.idm.entity.metadata.threat.detection_fields The "name" field within each label is split into label_key and label_value by the "/". If label_key is "Malware" or "ThreatType", label_value is mapped to threat_name. Otherwise, label_key and label_value are mapped as a key-value pair. "created_on" and "last_valid_on" within each label are also mapped as key-value pairs.
labels event.idm.entity.metadata.threat.threat_name Derived from the labels field (see above).
last_updated event.idm.entity.metadata.threat.detection_fields.value The value of last_updated is mapped with key "last_updated".
malicious_confidence event.idm.entity.metadata.threat.confidence If malicious_confidence is "high", the confidence is "HIGH_CONFIDENCE". If it's "low", the confidence is "LOW_CONFIDENCE". If it's "medium", the confidence is "MEDIUM_CONFIDENCE". Otherwise, it's "UNKNOWN_CONFIDENCE".
malicious_confidence event.idm.entity.metadata.threat.confidence_details The value of malicious_confidence is mapped directly.
malicious_confidence event.ioc.confidence_score The value of malicious_confidence is mapped directly.
malware_families event.idm.entity.metadata.threat.threat_name All values in malware_families are concatenated with commas and mapped.
published_date event.idm.entity.metadata.creation_timestamp The value of published_date is converted to a timestamp.
published_date event.idm.entity.metadata.interval.start_time The value of published_date is converted to a timestamp.
published_date event.ioc.active_timerange.start The value of published_date is converted to a timestamp.
relations event.idm.entity.metadata.threat.about The fields within each relation are mapped to the about object based on their type. "created_date", "last_valid_date", and "id" are added as labels.
reports event.idm.entity.metadata.threat.about.labels.value All values in reports are concatenated with commas and mapped with key "report_ids".
threat_types event.idm.entity.metadata.threat.threat_name All values in threat_types are concatenated with commas with the existing threat_name derived from malware_families.
type event.ioc.categorization The value of type is mapped directly.
(Parser Logic) event.idm.entity.metadata.collected_timestamp The value of create_time from the raw log is used.
(Parser Logic) event.idm.entity.metadata.interval.end_time Hardcoded to a far-future timestamp (253402300799).
(Parser Logic) event.idm.entity.metadata.product_name Hardcoded to "Falcon".
(Parser Logic) event.idm.entity.metadata.vendor_name Hardcoded to "CrowdStrike".
(Parser Logic) event.idm.entity.metadata.entity_type Derived based on the type field and the presence of other fields. See parser code for the specific logic.
(Parser Logic) event.ioc.feed_name Hardcoded to "CrowdStrike Falcon Intelligence".
(Parser Logic) event.timestamp The value of create_time from the raw log is used.

Changes

2023-08-23

  • Changed mapping for malicious_confidence field.

2023-05-04

  • Promoted crowdstrike_ioc parser to default.