Re: Difference between all Crowdstrike available P...

TPankaj · 02-09-2024 04:11 AM

Hi Everyone,

As per Chronicle documenation , we have 4 below pre built parsers. Would you please let me know the difference bewteen them ? I can see two parsers for the same category EDR.

Vendor / Product Category Ingestion label Format Latest Update

CrowdStrike Detection Monitoring	EDR	CS_DETECTS	JSON	2023-07-21 View Change
CrowdStrike Falcon	EDR	CS_EDR	JSON	2023-12-22 View Change
CrowdStrike Falcon Stream	Alerts	CS_STREAM	KV (LEEF)	2022-07-18 View Change
Crowdstrike IOC	IOC	CROWDSTRIKE_IOC	JSON	2023-08-23 View Change

rfhart

Hi TPankaj,
I can help you with your question. There are multiple parsers for the event data produced by Crowdstrike. You're correct in your statement, in that there are 4 Crowdstrike Log Types or Ingestion Labels. Below is a little more information about the different parsers and log types:

Crowdstrike Detection Monitoring

Ingestion Label or Log_type is CS_DETECTS
Utilizes a Cloud to Cloud connection to Crowdstrike using the Detect API.
Ingests the Crowdstrike Detection Summary Events, that you typically find on the Crowdstrike Endpoint Detections Dashboard
Chronicle Documentation on how to export Crowdstrike Detection logs to Chronicle

Crowdstrike Falcon Data Replicator (FDR)

Ingestion Label is CS_EDR
Provides near real time telemetry data, such as files being accessed, registry modifications, etc.
Ingested via a Crowdstrike owned AWS S3 Bucket

Crowdstrike Falcon Stream

Ingestion Label is CS_STREAM
Includes Detections, Events, and Audit data using the Crowdstrike Event Streaming API
Requires the Crowdstrike SIEM Connector service, which is a service and executable maintained by CS, but requires that you stand up a linux system on which to install the service.

Crowdstrike IOCs

Ingestion Label is CROWDSTRIKE_IOC
Ingests the IOCs and IOAs via Crowdstrike Threat Intelligence
Requires the Crowdstrike Chronicle Intel bridge, which is a CS Maintained docker container.
Chronicle Documentation on how to export Crowdstrike IOC logs to Chronicle

All of this said, Google Chronicle recommends that you utilize the Crowdstrike Detection Monitoring (CS_DETECTS) and Crowdstrike Falcon (CS_EDR) log types to ingest Crowdstrike Event data, and the Crowdstrike IOCs (CROWDSTRIKE_IOC) log type to ingest the IOCs and IOAs created by the Crowdstrike Threat Intelligence team.

Below you'll find a rudimentary drawing of what the ingestion looks for each log type or ingestion label.

Starting with the red, Crowdstrike Detection Monitoring. We can see that this is handled by Feed Management and is a direct cloud to cloud connection using the CS Detect API.
Second, the blue, Crowdstrike FDR. This feed is also managed by Feed Management, but is a connection to a S3 or GCS bucket owned and maintained by your organization into which CS copies the event data. This requires a ticket with CS Support to disable and enable.
Third, if we focus on the yellow, Crowdstrike Falcon Stream, the Crowdstrike SIEM Connector service is installed on a linux VM. The service supports CentOS or Ubuntu, and requires at a minimum 2 CPUs, 8GB of RAM and 12GB of disk space. The SIEM Connector connects to the Crowdstrike Streaming Event API and then forwards those events to the Chronicle Forwarder using Syslog, in one of several formats that include JSON or CEF.
Finally the green, Crowdstrike IOCs. In order to ingest the IOCs and IOAs provided by Crowdstrike Threat Intelligence, it is required to use the Crowdstrike Chronicle Intel Bridge which is a docker container maintained by Crowdstrike. The docker container pulls down the IOCs and IOAs and then forwards them to the Chronicle Forwarder using Syslog.

I hope this helps explains the differences and provides you with a better understanding of the 4 Crowdstrike log types.

TPankaj

@rfhart Thank you for the detailed explaination. It is awesome. Would you please also share the documenation links to ingest data from Crowdstrike to Chronicle for Crowdstrike Falcon Data Replicator (FDR) and Crowdstrike Falcon Stream ?

Thank you !!

rfhart

@TPankaj You're welcome. I'm glad you appreicate the information. However, this is the only link that I could find for CS_STREAM. Basically configure the connector service to send it's data via syslog to the IP and port configured in the Chronicle Forwarder configuration. However, make sure to set the logtype to be CS_STREAM in the Chronicle Forwarder config.

Unfortunately, I could not find a public facing document on how to configure Falcon Data Replicator (logtype CS_EDR) to be ingested by Chronicle. Essentially the process is, if you are paying for FDR, you put in a Support request with CS Support to have them provide you access to their S3 bucket where the FDR resides or to have the forward the data to a AWS S3 or GCS bucket that you own. In Chronicle go Settings | Feeds | Add New. Choose Either Amazon S3 or Google Cloud storage depending upon the option you chose above, and then choose Crowdstrike Falcon, which is Falcon Data Replicator (logtype CS_EDR). And then on the next configuration dialog, fill in the details for the bucket, the path, keys o

adam9

You can reference this document on how to set up CrowdStrike FDR with Chronicle: https://cloud.google.com/chronicle/docs/preview/default-parsers/crowdstrike-edr

It's in preview because we will be releasing a new parser along with this document within the next month or so.

rfhart

Thank you @adam9. I appreciate it. 😄

TPankaj

@rfhart @adam9 Thank you for the response. Just one more doubt. Does Crowdstrike Detection Monitoring (Ingestion Label or Log_type is CS_DETECTS) collect logs of CrowdStrike Identity Protection.

rfhart

@TPankaj it does not. CS_DETECTS utilizes the Crowdstrike Detect API, which limits you to only Crowdstrike Detections.

TPankaj

@rfhart do you know which lable will cover identity protection ( CS_Edr, CS_stream or any other). Also while creating API key, I can see Identity protection options in API scope.

rfhart

@TPankaj Unfortunately none of the current Crowdstrike logtypes support the Identity Protection or other Identity related APIs that Crowdstrike has to offer. You do have the option to write a custom ingestion script that pulls this data and sends it to Chronicle SIEM but you would have to write a parser. A better option, if you're current Google Chronicle customer, would be to work with your account team and Support to submit a Feature Request to get this supported by Chronicle SIEM.

adam9

@TPankaj If CrowdStrike FDR is sending Identity Protection events, then Chronicle should be able to ingest them using the CS_EDR log type. In case you run into any parser issues with it, please open a support case and request that your tenant be switched to the new CS_EDR preview parser.

TPankaj

@rfhart Thank you for the response. Surely, will work with the support team however it will take a lot of time to get it enabled.

Meanwhile, Is it possible for you to share the custom ingestion script or steps on how to write it ? We will create custom parser for ingested data.

rfhart

@TPankaj Unfortunately I am not aware of any ingestion script available from Google for CS identity protection. I'm sorry.

TPankaj

@rfhart No worries. Thank you for all the answers. It helped a lot.

TimNemceff

There is a new log type for Crowdstrike Identity Protection Services (CS_IDP) as of last week, but without a default parser:
https://cloud.google.com/chronicle/docs/release-notes#March_14_2024

I have a client that is able to ingest these (unparsed) identity protection events from the new Crowdstrike Alerts API (you need a Crowdstrike account to access these links):
https://falcon.crowdstrike.com/support/news/release-notes-new-falcon-endpoint-detections-experience
https://falcon.crowdstrike.com/documentation/page/adf2fd07/incident-detection-and-alert-monitoring-a...

There is a feature request to support the new CS Alerts API in the future.

TPankaj

@TimNemceff Thank you for the response. Yes, we have placed a feature request for CS IDP however it seems it might take some time. Meanwhile, can we please connect to discuss this ? We really need some assistance to ingest logs in Chronicle. It will be really helpful for us. Thank you so much in advance.

TPankaj

@TimNemceff Hi, Is it possible to connect to understand on to how ingest unparsed logs for CrowdStrike IDP ?

TimNemceff

Unfortunately, I am new to Chronicle, too, and don't know the solution to that yet, either. I will try to share a solution if I find one.

TPankaj

@TimNemceff Thank you !

gkush

CS_EDR is the data coming out of Crowdstrike Falcon Data Replicator; it's a massive firehose of raw telemetry as well as alerts. CS_DETECTS is part of the CS managed service where they are monitoring your endpoints and flagging findings. CS_STREAM is the CS feed that focuses on detections and key events. Crowdstrike IOC is their own Indicator of Compromise (IOC) feed, which they claim to be exposed from across their customer base.

CWNOM

Hi @rfhart @gkush, this thread has been helpful! Am I correct in understanding that the CS_DETECTS feed wouldn't create an Alert 'automatically', i.e. if a CrowdStrike Detection comes in via the feed, SecOps won't automatically create an Alert? Which raises the question, do we need to create a custom rule in order to have all CrowdStrike Detections create an Alert?

gkush

There is a way to make a change to the parser to make alerts show up again as alerts. We turned them off as first-order objects because people were getting swamped with device alerts plus corresponding rule alerts. Often you can write rules referencing a UDM field that evaluates metadata about a device alert while trying to make the result less noisy - only generate an alert if there were three alerting events in an hour, or only if there was an process related event followed by a network-related event within 5 minutes.

rfhart

@CWNOM That's correct. When a detection from CS comes into Secops, there is no associated Alert automatically created, unless the detection matches the behavior described in a Curated Detection or the logic in a Detection Rule that you created. That said I wouldn't create a simple rule that simply triggers when any CS detection is ingested as that would create a lot of noise.

vgera

Just an update, CS_STREAM now supports JSON logs as well, if you have a code that can query the Streaming API you can get the endpoint & identity protections alerts they will now parse.
Additionally Detecttions v1 api that Google uses in 3rd party api feeds is also deprecated (CS_DETECTS), not sure what is Google's plan to support new unified API v2.

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

Difference between all Crowdstrike available Parsers