diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
similarity index 94%
rename from Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml
rename to Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
index 7a748e5..b4d665e 100644
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml
+++ b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
@@ -1,5 +1,4 @@
 fromversion: 6.10.0
-rule_id: 0
 action: ALERTS
 alert_category: User Defined
 alert_description: $alert_description
@@ -73,7 +72,7 @@ description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detecti
 Event
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
-global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0043
+global_rule_id: SOC CrowdStrike Falcon - Endpoint Alerts
 investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
 is being collected
 
@@ -82,16 +81,19 @@ investigation_query_link: '// All (stitched) activity from host - assuming raw t
 | filter agent_hostname = $hostname
 
 | fields * '
+is_enabled: true
 lookup_mapping: []
 mapping_strategy: CUSTOM
-mitre_defs:
- TA0043 - Reconnaissance: []
-name: SOC CrowdStrike Falcon - Endpoint Alerts - Reconnaissance
+mitre_defs: {}
+name: SOC CrowdStrike Falcon - Endpoint Alerts
+rule_id: 0
 search_window: null
 severity: User Defined
+simple_schedule: null
 suppression_duration: null
 suppression_enabled: false
 suppression_fields: null
+timezone: null
 user_defined_category: tactic
 user_defined_severity: severity_name
 xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\
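Review bot: `global_rule_id` changes from the opaque `f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0043` to the human-readable `SOC CrowdStrike Falcon - Endpoint Alerts`, which is the same string as `name`; if the platform matches installed rules on this key during a pack upgrade (the diff does not show how the key is used), a tenant that already has the per-tactic rules will presumably keep them and gain this one rather than have them replaced, so the migration needs to be stated in the pack's release notes or the old id prefix retained. Using the display name as the identifier also means any later rename of the rule silently becomes a new rule. Either keep the id stable and opaque, e.g. `global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_endpoint_alerts` (constructed example), or at least quote the value so it is visibly a string: `global_rule_id: 'SOC CrowdStrike Falcon - Endpoint Alerts'`.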
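Review bot: `mitre_defs: {}` drops the rule-level tactic tag that each per-tactic rule carried (`TA0043 - Reconnaissance: []` here, and the matching entries in the deleted `_ta0001`…`_ta0004` files), so the alert's MITRE context now rests only on the per-alert `mitretacticid`/`mitretacticname` fields filled from the XQL; a comment above the key such as `# mitre_defs left empty on purpose: tactic/technique are set per alert from mitre_tactic_id and mitre_tactic in xql_query` would keep a later maintainer from "fixing" it. `is_enabled: true` is new — none of the deleted files set it — so the consolidated rule starts alerting on every `product = "epp"` detection as soon as the pack is installed, with one `suppression_enabled: false` covering all tactics; confirm that is intended rather than leaving enablement to the tenant. The deleted copies also map `parentprocessid: parent_process_name` and `processid: grandparent_local_process_id`; if the renamed file still carries those lines (the 94% similarity suggests it does), they read like copy-paste mistakes — `parentprocessid` would be expected to take `parent_local_process_id` — and this consolidation is the moment to correct them.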
@@ -103,8 +105,7 @@ xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: S
 \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\
 \ mitre_tactic = tactic,\n mitre_tactic_id \
 \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\
- \ = technique_id\n| filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"\
- Reconnaissance\"\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
+ \ = technique_id\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
 \ objects\n| alter \n hostname = device->hostname,\n domain\
 \ = device->machine_domain,\n local_ip = device->local_ip,\n \
 \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml
deleted file mode 100644
index 2425980..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml
+++ /dev/null
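Review bot: Removing `| filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"Reconnaissance\"` makes this the single handler for every `product = "epp"` detection, including records with an empty tactic that the deleted `_other` rule matched with `mitre_tactic_id = "" and mitre_tactic = ""`, so this one rule now carries a larger alert volume than any rule it replaces; `user_defined_category: tactic` still labels each alert, but per-tactic tuning (suppression, enable/disable) is no longer possible and that trade-off belongs in the rule's `description`. The XQL header comment of the retained file (visible in the deleted siblings) presumably still reads `Version: 1.0`; bump it alongside this behavioural change so deployed copies can be told apart. The `xql_query` scalar continues outside the hunk on both sides.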
@@ -1,125 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_other -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC CrowdStrike Falcon - Endpoint Alerts - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"\" and mitre_tactic = \"\"\n\n\ - | filter product = \"epp\"\n\n// Extract fields from nested objects\n| alter \n\ - \ 
hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml deleted file mode 100644 index 56f1af5..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0001 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0001\" or mitre_tactic = \"\ - Initial Access\"\n\n| filter product = \"epp\"\n\n// 
Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml deleted file mode 100644 index 6cdd492..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0002 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0002\" or mitre_tactic = \"\ - Execution\"\n\n| filter product = \"epp\"\n\n// Extract fields 
from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml deleted file mode 100644 index 4f4f2a2..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0003 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0003\" or mitre_tactic = \"\ - Persistence\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml deleted file mode 100644 index cc89330..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0004 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0004\" or mitre_tactic = \"\ - Privilege Escalation\"\n\n| filter product 
= \"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml deleted file mode 100644 index 27abbf5..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0005 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0005\" or mitre_tactic = \"\ - Defense Evasion\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml deleted file mode 100644 index 6f929db..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0006 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0006 - Credential Access: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Credential Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0006\" or mitre_tactic = \"\ - Credential Access\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml deleted file mode 100644 index 888b0a9..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0007 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0007 - Discovery: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Discovery -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0007\" or mitre_tactic = \"\ - Discovery\"\n\n| filter product = \"epp\"\n\n// Extract fields 
from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml deleted file mode 100644 index d25016d..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0008 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0008 - Lateral Movement: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Lateral Movement -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0008\" or mitre_tactic = \"\ - Lateral Movement\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml deleted file mode 100644 index ed531cd..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0009 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0009\" or mitre_tactic = \"\ - Collection\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml
deleted file mode 100644
index 2e3e26d..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0010 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0010\" or mitre_tactic = \"\ - Exfiltration\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml
deleted file mode 100644
index d8d2eaa..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0011 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0011 - Command and Control: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Command and Control -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0011\" or mitre_tactic = \"\ - Command and Control\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml
deleted file mode 100644
index 41dd474..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0040 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0040\" or mitre_tactic = \"\ - Impact\"\n\n| filter product = \"epp\"\n\n// Extract fields from 
nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml
deleted file mode 100644
index 45a8191..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0042 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0042\" or mitre_tactic = \"\ - Resource Development\"\n\n| filter product 
= \"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/pack_metadata.json b/Packs/soc-crowdstrike-falcon/pack_metadata.json
index cfea8a9..8cd59ed 100644
--- a/Packs/soc-crowdstrike-falcon/pack_metadata.json
+++ b/Packs/soc-crowdstrike-falcon/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-crowdstrike-falcon",
 "description": "This contains the content for XSIAM CrowdStrike Falcon. This includes layouts, playbooks and incident fields",
 "support": "xsoar",
- "currentVersion": "1.0.38",
+ "currentVersion": "1.0.39",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-crowdstrike-falcon/xsoar_config.json b/Packs/soc-crowdstrike-falcon/xsoar_config.json
index 7f513f4..930a29e 100644
--- a/Packs/soc-crowdstrike-falcon/xsoar_config.json
+++ b/Packs/soc-crowdstrike-falcon/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-crowdstrike-falcon.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.38/soc-crowdstrike-falcon-v1.0.38.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.39/soc-crowdstrike-falcon-v1.0.39.zip",
 "system": "yes"
 }
 ],
diff --git a/pack_catalog.json b/pack_catalog.json
index 67c4d73..811268e 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -19,7 +19,7 @@
 {
 "id": "soc-crowdstrike-falcon",
 "display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM",
- "version": "1.0.38",
+ "version": "1.0.39",
 "path": "Packs/soc-crowdstrike-falcon",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-crowdstrike-falcon/xsoar_config.json"