CrowdStrike SIEM Connector Grok Rules

October 8, 2019

I couldn’t find a good set of Grok rules for the CrowdStrike SIEM connector so I wrote my own.

You need two rule sets.

Set1:

%{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1.0\|%{WORD:event_type}\|%{GREEDYDATA:event_subtype}\|%{INT:event_tactic}\|externalId=%{HOSTNAME:externalID} cn2Label=%{WORD:cn2Label} cn2=%{WORD:cn2} cn1Label=%{WORD:cn1Label} cn1=%{WORD:cn1} dhost=%{HOSTNAME:dhost} duser=%{DATA:duser} msg=%{GREEDYDATA:msg} fname=%{DATA:fname} filePath=%{GREEDYDATA:filepath} cs5Label=%{DATA:cs5Label} cs5=%{GREEDYDATA:cs5} fileHash=%{DATA:fileHash} dntdom=%{DATA:dntdom} cs6Label=%{DATA: cs6Label} cs6=%{GREEDYDATA:cs6} cn3Label=%{DATA: cs3Label} cn3=%{DATA:cn3} rt=%{DATA:rt} src=%{IP:src} smac=%{MAC:smac} cat=%{GREEDYDATA:cat} act=%{GREEDYDATA:act} reason=%{GREEDYDATA:reason} outcome=%{DATA:outcome} CSMTRPatternDisposition=%{GREEDYDATA:CSMTRPatternDisposition}

Set2:

%{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1.0\|%{DATA:event_type}\|%{DATA:event_subtype}\|%{INT:event_tactic}\|cat=%{GREEDYDATA:cat} destinationTranslatedAddress=%{IP:destinationTranslatedAddress} duser=%{EMAILADDRESS:duser} deviceProcessName=%{GREEDYDATA:deviceProcessName} cn3Label=%{DATA: cs3Label} cn3=%{DATA:cn3} outcome=%{DATA:outcome} deviceCustomDate1Label=%{GREEDYDATA: deviceCustomDate1Label} deviceCustomDate1=%{GREEDYDATA:deviceCustomDate1} rt=%{GREEDYDATA:rt}