CrowdStrike Falcon Stream Alerts

Name:CrowdStrike Falcon Stream Alerts
id:cb6af2b3-29ab-441c-8d8d-679811c8b014
version:1
date:2025-05-12
author:Bryan Pluta, Teoderick Contreras, Splunk
status:production
type:Anomaly
Description:The following analytic is to leverage alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and Crowdstrike id and links. The evals in the search do multiple things to include align the severity, ensure the user, dest, title, description, MITRE fields are set properly, and the drilldowns are defined based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensure the appropriate risk and analyst queue fields are correctly populated.
Data_source:

• -CrowdStrike Falcon Stream Alert

search:`crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
| rename event.* as *
| eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
| eval user=coalesce(lower(SourceAccountName),lower(UserName))
| eval dest=coalesce(ComputerName,SourceEndpointHostName)
| eval mitre_technique = case(!match(DetectName, "(NGAV|Intel Detection)"), Technique)
| join type=left mitre_technique
[| inputlookup append=t mitre_attack_lookup

| fields mitre_technique mitre_technique_id ]
| eval annotations.mitre_attack = mitre_technique_id
| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
| rename "metadata.eventType" as eventType
| eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
| eval user_append = if(NOT isnull(user)," by " + user,"")
| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
| eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
| eval description = description + user_append + dest_append
| eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
| rename DetectId as detection_id, FalconHostLink as detection_url
| table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
| `crowdstrike_falcon_stream_alerts_filter`


how_to_implement:In order to properly run this search, you need to ingest alerts data from CrowdStrike Event Stream, specifcally using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on will collect alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the `crowdstrike_stream` macro to point to the proper index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
known_false_positives:False positives may vary based on Crowdstrike configuration; monitor and filter out the alerts that are not relevant to your environment.
References:
  -https://www.crowdstrike.com/en-us/resources/guides/crowdstrike-falcon-event-streams-add-on-for-splunk-guide-v3/
  -https://splunkbase.splunk.com/app/5082
drilldown_searches:
 name:'View the detection results for - "$dest$"'
 search:'%original_detection_search% | search dest = "$dest$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$dest$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View other CrowdStrike events for "$user$ on "$dest$"'
 search:'$annotations.drilldown_search$'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Critical Alerts'
  asset_type:Endpoint
  atomic_guid:
  mitre_attack_id:
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint
  manual_test:We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting this detection to manual test since otherwise we fail integration testing. This detection is also based on the mitre_attack_lookup lookup table which is not available in the ESCU app

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.log
  source: CrowdStrike:Event:Streams
  sourcetype: CrowdStrike:Event:Streams:JSON
manual_test:None