CrowdStrike SIEM Connector Grok Rules

I couldn’t find a good set of Grok rules for the CrowdStrike SIEM connector so I wrote my own. You need two rule sets. Set1: %{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1.0\|%{WORD:event_type}\|%{GREEDYDATA:event_subtype}\|%{INT:event_tactic}\|externalId=%{HOSTNAME:externalID} cn2Label=%{WORD:cn2Label} cn2=%{WORD:cn2} cn1Label=%{WORD:cn1Label} cn1=%{WORD:cn1} dhost=%{HOSTNAME:dhost} duser=%{DATA:duser} msg=%{GREEDYDATA:msg} fname=%{DATA:fname} filePath=%{GREEDYDATA:filepath} cs5Label=%{DATA:cs5Label} cs5=%{GREEDYDATA:cs5} fileHash=%{DATA:fileHash} dntdom=%{DATA:dntdom} cs6Label=%{DATA: cs6Label} cs6=%{GREEDYDATA:cs6} cn3Label=%{DATA: cs3Label} cn3=%{DATA:cn3} rt=%{DATA:rt} src=%{IP:src} smac=%{MAC:smac} cat=%{GREEDYDATA:cat} act=%{GREEDYDATA:act} reason=%{GREEDYDATA:reason} outcome=%{DATA:outcome} CSMTRPatternDisposition=%{GREEDYDATA:CSMTRPatternDisposition}... » read more

Graylog 2.4.6 manual index backup and restore

When you do not have enterprise support closing and opening elastic search indexes can break stuff in Graylog 2.4.6. Elastic Search Indexes Close/Open The official documentation for Elasticsearch 2.4.6 closing and opening an index can be found here: curl -XPOST 'localhost:9200/my_index/_close' curl -XPOST 'localhost:9200/my_index/_open' Closing an index To close an index: # curl -XPOST... » read more