CrowdStrike

Crowdstrike enables you to collect and normalize Crowdstrike logs and lets you analyze the information through the LP_Crowdstrike dashboard. The dashboard visualizes event type distributions, top host generating detection, real-time response summary, successful and failed user login events, detection techniques and tactics, quarantined files and hosts generating higher severity event detections in your network. You can customize it to perform in-depth analysis by changing the data used in a search.

Release Details

Version: 5.1.0

Release date: April 26, 2024

Supported On: Logpoint v7.4.0 or later for log source template

Release date: CrowdStrike guide

SHA 256: c1ee91ad1dfcca81f57915f6298f15a685743678d729f83fdeaf294b140180a9

Download

Key Information

You must configure the CEF config file in the system where the CrowdStrike Falcon SIEM Connector is running. Go to CEF Sample Configuration for the configuration file.

Enhancement

Description	Issue ID	Reference ID
Added Syslog Collector based CrowdStrike log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template.	KB-23297	-

Past Releases

CrowdStrike v5.0.2

Release Date: December 19, 2023

Supported On: Logpoint v6.7.0 or later

Download: CrowdStrike_5.0.2.pak

SHA 256: e07b314f250cd8d7baa591939a849efa9404e6dbe915237aa21a284fe04792e3

Enhancements

Description

Issue ID

Reference ID

Added a new report package LP_CrowdStrike.

KB-22158

Updated dashboard and search template to accurately populate the searched data.

Renamed the following fields in CrowdStrikeCEFCompiledNormalizer:

Former Field Name	Updated Field Name	Event
pdf_handleoperationdowngraded	handled_operation_downgraded	-
pdf_fsoperationblocked	fsoperation_blocked
pdf_detect	detect
pdf_criticalprocessdisabled	critical_process_disabled
pdf_bootupsafeguardenabled	bootup_saftgarden_enabled
pdf_blockingunsupportedordisabled	blocking_unsupported_or_disabled
parentimagefilename	parent_process
parentcommandline	parent_command
nat_destination_address	source_address
incidentstarttime	start_ts
incidentendtime	end_ts
grandparentimagefilename	grand_parent_process
grandparentcommandline	grand_parent_command
external_id	host_id
event_id	event_type
detectionid	detection_id
destination_host	host
pdf_indicator	indicator
pdf_killprocess	kill_process
pdf_killparent	kill_parent
pdf_killactionfailed	kill_action_failed
pdf_inddetmask	inddet_mask
csmtrpatterndisposition	csmtr_pattern_disposition
pdf_killsubprocess	kill_subprocess
pdf_operationblocked	operation_blocked
pdf_policydisabled	policy_disabled
pdf_processblocked	process_blocked
pdf_quarantinefile	quarentine_file
pdf_quarantinemachine	quarantine_machine
pdf_registryoperationblocked	registry_operation_blocked
pdf_rooting	rooting
pdf_sensoronly	sensor_only
quarantinefilepath	quarantine_path
quarantinefilesha256	hash
severityname	log_level
sha256filehash	hash_sha256
source_hardware_address	hardware_address
target_user	user
windows_destination_domain	domain
action	attack_tag	DetectionSummary
category	attack_category	DetectionSummary
updatestatus	status	UserActivityAudit
appendComment	comment
assigntoname	assigned_to
assigntouserid	assigned_user
remoteresponsesessionstarttimestamp	start_ts	RemoteResponseSessionStart
sessionid	session_id
agentIdString	host_id
remoteresponsesessionstarttimestamp	end_ts
targetname	target	UserLogin
ioctype	ioc_type
iocvalue	ioc_value
associatedfile	associated_file

KB-21709

Added User and Login labels for twoFactorAuthenticate event in CrowdStrikeCEFCompiledNormalizer.

Updated the value of device_category field to EPP. The value is a general device category for tools like EDR and XDR.

KB-22843

CrowdStrike v5.0.0

Release Date: 2022-08-25

Supported On: Logpoint v6.7.0 or later

Download: CrowdStrike_5.0.0.pak

Support

If you have any questions or require assistance, create a support ticket.

Crowdstrike