diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b5a84930f264..b235a4d2d028 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -128,6 +128,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149] - Fix memory leak in tcp and unix input sources. {pull}19459[19459] - Fix bug with empty filter values in system/service {pull}19812[19812] +- Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972] +- Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984] +- Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] +- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] +- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] *Heartbeat* 
@@ -254,6 +259,41 @@ from being added to events by default. {pull}18159[18159] - Add support for array parsing in azure-eventhub input. {pull}18585[18585] from being added to events by default. {pull}18159[18159] - Improved performance of PANW sample dashboards. {issue}19031[19031] {pull}19032[19032] +- Add support for v1 consumer API in Cloud Foundry input, use it by default. {pull}19125[19125] +- Explicitly set ECS version in all Filebeat modules. {pull}19198[19198] +- Add new mode to multiline reader to aggregate constant number of lines {pull}18352[18352] +- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956] +- Add awscloudwatch input. {pull}19025[19025] +- Changed the panw module to pass through (rather than drop) message types other than threat and traffic. {issue}16815[16815] {pull}19375[19375] +- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346] +- Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379] +- Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376] +- Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121] +- Added Microsoft Defender ATP Module. 
{issue}17997[17997] {pull}19197[19197] +- Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713] +- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713] +- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713] +- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs {pull}19713[19713] +- Add experimental dataset bluecoat/director for Bluecoat Director logs {pull}19713[19713] +- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713] +- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713] +- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713] +- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713] +- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713] +- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713] +- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713] +- Add experimental dataset juniper/junos for Juniper Junos OS logs {pull}19713[19713] +- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs {pull}19713[19713] +- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs {pull}19713[19713] +- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs {pull}19713[19713] +- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs {pull}19713[19713] +- Add experimental dataset radware/defensepro for Radware DefensePro logs {pull}19713[19713] +- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713] +- Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713] +- Add experimental dataset zscaler/zia for Zscaler 
Internet Access logs {pull}19713[19713] +- Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add event.ingested for CrowdStrike module {pull}20138[20138] +- Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d1c13e46e1de..7e50b4299bb4 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -6729,7 +6729,7 @@ type: integer *`checkpoint.duration`*:: + -- -Scan duration. +Scan duration. type: keyword @@ -6819,7 +6819,7 @@ type: integer *`checkpoint.next_scheduled_scan_date`*:: + -- -Next scan scheduled time according to time object. +Next scan scheduled time according to time object. type: keyword @@ -10108,7 +10108,7 @@ Meta data fields for each event that include type and timestamp. *`crowdstrike.metadata.eventType`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent +DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword @@ -10288,6 +10288,16 @@ type: keyword Executable path with command line arguments. +type: keyword + +-- + +*`crowdstrike.event.SHA1String`*:: ++ +-- +SHA1 sum of the executable associated with the detection. + + type: keyword -- @@ -10538,6 +10548,16 @@ type: date Fields that were changed in this event. +type: nested + +-- + +*`crowdstrike.event.ExecutablesWritten`*:: ++ +-- +Detected executables written to disk by a process. + + type: nested -- 
@@ -10582,6 +10602,406 @@ type: date -- +*`crowdstrike.event.LateralMovement`*:: ++ +-- +Lateral movement field for incident. + + +type: long + +-- + +*`crowdstrike.event.ParentImageFileName`*:: ++ +-- +Path to the parent process. + + +type: keyword + +-- + +*`crowdstrike.event.ParentCommandLine`*:: ++ +-- +Parent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentImageFileName`*:: ++ +-- +Path to the grandparent process. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentCommandLine`*:: ++ +-- +Grandparent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.IOCType`*:: ++ +-- +CrowdStrike type for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.IOCValue`*:: ++ +-- +CrowdStrike value for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.CustomerId`*:: ++ +-- +Customer identifier. + + +type: keyword + +-- + +*`crowdstrike.event.DeviceId`*:: ++ +-- +Device on which the event occurred. + + +type: keyword + +-- + +*`crowdstrike.event.Ipv`*:: ++ +-- +Protocol for network request. + + +type: keyword + +-- + +*`crowdstrike.event.ConnectionDirection`*:: ++ +-- +Direction for network connection. + + +type: keyword + +-- + +*`crowdstrike.event.EventType`*:: ++ +-- +CrowdStrike provided event type. + + +type: keyword + +-- + +*`crowdstrike.event.HostName`*:: ++ +-- +Host name of the local machine. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPCode`*:: ++ +-- +RFC2780 ICMP Code field. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPType`*:: ++ +-- +RFC2780 ICMP Type field. + + +type: keyword + +-- + +*`crowdstrike.event.ImageFileName`*:: ++ +-- +File name of the associated process for the detection. + + +type: keyword + +-- + +*`crowdstrike.event.PID`*:: ++ +-- +Associated process id for the detection. + + +type: long + +-- + +*`crowdstrike.event.LocalAddress`*:: ++ +-- +IP address of local machine. 
+ + +type: ip + +-- + +*`crowdstrike.event.LocalPort`*:: ++ +-- +Port of local machine. + + +type: long + +-- + +*`crowdstrike.event.RemoteAddress`*:: ++ +-- +IP address of remote machine. + + +type: ip + +-- + +*`crowdstrike.event.RemotePort`*:: ++ +-- +Port of remote machine. + + +type: long + +-- + +*`crowdstrike.event.RuleAction`*:: ++ +-- +Firewall rule action. + + +type: keyword + +-- + +*`crowdstrike.event.RuleDescription`*:: ++ +-- +Firewall rule description. + + +type: keyword + +-- + +*`crowdstrike.event.RuleFamilyID`*:: ++ +-- +Firewall rule family id. + + +type: keyword + +-- + +*`crowdstrike.event.RuleGroupName`*:: ++ +-- +Firewall rule group name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleName`*:: ++ +-- +Firewall rule name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleId`*:: ++ +-- +Firewall rule id. + + +type: keyword + +-- + +*`crowdstrike.event.MatchCount`*:: ++ +-- +Number of firewall rule matches. + + +type: long + +-- + +*`crowdstrike.event.MatchCountSinceLastReport`*:: ++ +-- +Number of firewall rule matches since the last report. + + +type: long + +-- + +*`crowdstrike.event.Timestamp`*:: ++ +-- +Firewall rule triggered timestamp. + + +type: date + +-- + +*`crowdstrike.event.Flags.Audit`*:: ++ +-- +CrowdStrike audit flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Log`*:: ++ +-- +CrowdStrike log flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Monitor`*:: ++ +-- +CrowdStrike monitor flag. + + +type: boolean + +-- + +*`crowdstrike.event.Protocol`*:: ++ +-- +CrowdStrike provided protocol. + + +type: keyword + +-- + +*`crowdstrike.event.NetworkProfile`*:: ++ +-- +CrowdStrike network profile. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyName`*:: ++ +-- +CrowdStrike policy name. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyID`*:: ++ +-- +CrowdStrike policy id. + + +type: keyword + +-- + +*`crowdstrike.event.Status`*:: ++ +-- +CrowdStrike status. 
+ + +type: keyword + +-- + +*`crowdstrike.event.TreeID`*:: ++ +-- +CrowdStrike tree id. + + +type: keyword + +-- + +*`crowdstrike.event.Commands`*:: ++ +-- +Commands run in a remote session. + + +type: keyword + +-- + [[exported-fields-docker-processor]] == Docker fields @@ -17827,7 +18247,7 @@ type: float *`elasticsearch.gc.phase.cpu_time.sys_sec`*:: + -- -CPU time spent inside the kernel. +CPU time spent inside the kernel. type: float @@ -17997,7 +18417,7 @@ Young GC type: long -example: +example: -- @@ -18008,7 +18428,7 @@ example: type: long -example: +example: -- @@ -18080,7 +18500,7 @@ Types type: keyword -example: +example: -- @@ -18124,7 +18544,7 @@ Extra source information type: keyword -example: +example: -- @@ -18168,7 +18588,7 @@ Id type: keyword -example: +example: -- @@ -18452,7 +18872,7 @@ type: keyword *`fortinet.firewall.analyticssubmit`*:: + -- -The flag for analytics submission +The flag for analytics submission type: keyword @@ -19552,7 +19972,7 @@ type: keyword *`fortinet.firewall.ds`*:: + -- -Direction with distribution system +Direction with distribution system type: keyword @@ -19732,7 +20152,7 @@ type: keyword *`fortinet.firewall.eapolcnt`*:: + -- -EAPOL packet count +EAPOL packet count type: integer @@ -19752,7 +20172,7 @@ type: keyword *`fortinet.firewall.encrypt`*:: + -- -Whether the packet is encrypted or not +Whether the packet is encrypted or not type: integer @@ -19832,7 +20252,7 @@ type: keyword *`fortinet.firewall.expiry`*:: + -- -FortiGuard override expiry timestamp +FortiGuard override expiry timestamp type: keyword @@ -21592,7 +22012,7 @@ type: keyword *`fortinet.firewall.shapersentname`*:: + -- -Traffic shaper name for sent traffic +Traffic shaper name for sent traffic type: keyword @@ -22072,7 +22492,7 @@ type: integer *`fortinet.firewall.totalsession`*:: + -- -Total Number of Sessions +Total Number of Sessions type: integer 
@@ -22771,14 +23191,14 @@ type: keyword [float] === authentication_info -Authentication information. +Authentication information. *`googlecloud.audit.authentication_info.principal_email`*:: + -- -The email address of the authenticated user making the request. +The email address of the authenticated user making the request. type: keyword @@ -22788,7 +23208,7 @@ type: keyword *`googlecloud.audit.authentication_info.authority_selector`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. type: keyword @@ -22855,7 +23275,7 @@ type: keyword *`googlecloud.audit.request.name`*:: + -- -Name of the request. +Name of the request. type: keyword @@ -22865,7 +23285,7 @@ type: keyword *`googlecloud.audit.request.resource_name`*:: + -- -Name of the request resource. +Name of the request resource. type: keyword @@ -22882,7 +23302,7 @@ Metadata about the request. *`googlecloud.audit.request_metadata.caller_ip`*:: + -- -The IP address of the caller. +The IP address of the caller. type: ip @@ -22966,7 +23386,7 @@ type: keyword *`googlecloud.audit.response.status`*:: + -- -Status of the response. +Status of the response. type: keyword @@ -23013,14 +23433,14 @@ type: keyword [float] === status -The status of the overall operation. +The status of the overall operation. *`googlecloud.audit.status.code`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +The status code, which should be an enum value of google.rpc.Code. type: integer 
@@ -23030,7 +23450,7 @@ type: integer *`googlecloud.audit.status.message`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type: keyword @@ -25791,7 +26211,7 @@ type: text *`misp.identity.identity_class`*:: + -- -The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov +The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov type: keyword @@ -25801,7 +26221,7 @@ type: keyword *`misp.identity.labels`*:: + -- -The list of roles that this Identity performs. +The list of roles that this Identity performs. type: keyword @@ -25814,7 +26234,7 @@ example: CEO *`misp.identity.sectors`*:: + -- -The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov +The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov type: keyword @@ -26064,7 +26484,7 @@ Fields provide support for specifying information about threat indicators, and r *`misp.threat_indicator.labels`*:: + -- -list of type open-vocab that specifies the type of indicator. +list of type open-vocab that specifies the type of indicator. type: keyword @@ -26213,7 +26633,7 @@ format: string *`misp.threat_indicator.attack_pattern`*:: + -- -The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. +The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. type: keyword 
@@ -26226,7 +26646,7 @@ example: [destination:ip = '91.219.29.188/32'] *`misp.threat_indicator.attack_pattern_kql`*:: + -- -The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. +The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. type: keyword @@ -27041,7 +27461,7 @@ type: long *`mysql.slowlog.sort_range_count`*:: + -- -Number of sorts that were done using ranges. +Number of sorts that were done using ranges. type: long @@ -27141,7 +27561,7 @@ type: long *`mysql.slowlog.read_rnd`*:: + -- -The number of requests to read a row based on a fixed position. +The number of requests to read a row based on a fixed position. type: long diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 0479868ccc01..4e06f515a115 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py 
@@ -224,8 +224,37 @@ def clean_keys(obj): # ECS versions change for any ECS release, large or small ecs_key = ["ecs.version"] # datasets for which @timestamp is removed due to date missing - remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log", - "system.auth", "system.syslog", "cef.log", "activemq.audit", "iptables.log", "cisco.asa", "cisco.ios"} + remove_timestamp = { + "activemq.audit", + "barracuda.waf", + "bluecoat.director", + "cef.log", + "cisco.asa", + "cisco.ios", + "f5.firepass", + "fortinet.clientendpoint", + "haproxy.log", + "icinga.startup", + "imperva.securesphere", + "infoblox.nios", + "iptables.log", + "netscout.sightline", + "rapid7.nexpose", + "redis.log", + "system.auth", + "system.syslog", + "microsoft.defender_atp", + "crowdstrike.falcon_endpoint", + "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", + } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { ('system.syslog', 'tz-offset.log'), @@ -249,6 +278,10 @@ def clean_keys(obj): if obj["event.dataset"] in remove_timestamp: if not (obj['event.dataset'], filename) in remove_timestamp_exception: delete_key(obj, "@timestamp") + # Also remove alternate time field from rsa parsers. + delete_key(obj, "rsa.time.event_time") + # Remove event.ingested from testing, as it will never be the same. + delete_key(obj, "event.ingested") else: # excluded events need to have their filename saved to the expected.json # so that the exception mechanism can be triggered when the json is diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 2b32b5d270d5..6d7daaf1469b 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml 
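Review bot: The expanded `remove_timestamp` set literal is alphabetical up to `system.syslog` but then appends `microsoft.defender_atp`, the two `crowdstrike.*` entries and the `gsuite.*` block out of order, so the next contributor has no obvious place to add a dataset and merge conflicts land on the same trailing lines. Sorting the whole literal (`"crowdstrike.falcon_audit"` and `"crowdstrike.falcon_endpoint"` after `"cisco.ios"`, `"gsuite.*"` after `"fortinet.clientendpoint"`, `"microsoft.defender_atp"` after `"iptables.log"`) keeps the one-entry-per-line layout the hunk introduces useful. A short comment such as `# keep sorted` above the set would make the convention explicit. `clean_keys` starts outside this hunk.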
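Review bot: `delete_key(obj, "event.ingested")` appears to be placed at the indentation of `delete_key(obj, "@timestamp")`, i.e. inside the `in remove_timestamp` / not-in-`remove_timestamp_exception` branch (indentation is collapsed on this page, so this is inferred from the hunk's context lines). If so, the comment's own reasoning that the value "will never be the same" is not honoured for datasets outside `remove_timestamp` or for the `(dataset, filename)` pairs in `remove_timestamp_exception`, which would keep a wall-clock `event.ingested` and fail the expected.json comparison as soon as any such module sets it. Moving that one call up to the same level as the `if obj["event.dataset"] in remove_timestamp:` check (next to the `ecs_key` removal) makes the deletion unconditional, while `delete_key(obj, "rsa.time.event_time")` can stay where it is since it mirrors the `@timestamp` logic. `clean_keys` begins before this hunk.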
@@ -8,7 +8,7 @@ - name: eventType type: keyword description: > - DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date @@ -36,7 +36,7 @@ Event data fields for each event and alert. type: group default_field: false - fields: + fields: - name: ProcessStartTime type: date description: > @@ -102,11 +102,16 @@ description: > Executable path with command line arguments. + - name: SHA1String + type: keyword + description: > + SHA1 sum of the executable associated with the detection. + - name: SHA256String type: keyword description: > SHA256 sum of the executable associated with the detection. - + - name: MD5String type: keyword description: > @@ -227,6 +232,11 @@ description: > Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: > + Detected executables written to disk by a process. + - name: SessionId type: keyword description: 
> @@ -246,3 +256,206 @@ type: date description: > End time for the remote session in UTC UNIX format. + + - name: LateralMovement + type: long + description: > + Lateral movement field for incident. + + - name: ParentImageFileName + type: keyword + description: > + Path to the parent process. + + - name: ParentCommandLine + type: keyword + description: > + Parent process command line arguments. + + - name: GrandparentImageFileName + type: keyword + description: > + Path to the grandparent process. + + - name: GrandparentCommandLine + type: keyword + description: > + Grandparent process command line arguments. + + - name: IOCType + type: keyword + description: > + CrowdStrike type for indicator of compromise. + + - name: IOCValue + type: keyword + description: > + CrowdStrike value for indicator of compromise. + + # FirewallMatchEvent + - name: CustomerId + type: keyword + description: > + Customer identifier. + + - name: DeviceId + type: keyword + description: > + Device on which the event occurred. + + - name: Ipv + type: keyword + description: > + Protocol for network request. + + - name: ConnectionDirection + type: keyword + description: > + Direction for network connection. + + - name: EventType + type: keyword + description: > + CrowdStrike provided event type. + + - name: HostName + type: keyword + description: > + Host name of the local machine. + + - name: ICMPCode + type: keyword + description: > + RFC2780 ICMP Code field. + + - name: ICMPType + type: keyword + description: > + RFC2780 ICMP Type field. + + - name: ImageFileName + type: keyword + description: > + File name of the associated process for the detection. + + - name: PID + type: long + description: > + Associated process id for the detection. + + - name: LocalAddress + type: ip + description: > + IP address of local machine. + + - name: LocalPort + type: long + description: > + Port of local machine. + + - name: RemoteAddress + type: ip + description: > + IP address of remote machine. 
+ + - name: RemotePort + type: long + description: > + Port of remote machine. + + - name: RuleAction + type: keyword + description: > + Firewall rule action. + + - name: RuleDescription + type: keyword + description: > + Firewall rule description. + + - name: RuleFamilyID + type: keyword + description: > + Firewall rule family id. + + - name: RuleGroupName + type: keyword + description: > + Firewall rule group name. + + - name: RuleName + type: keyword + description: > + Firewall rule name. + + - name: RuleId + type: keyword + description: > + Firewall rule id. + + - name: MatchCount + type: long + description: > + Number of firewall rule matches. + + - name: MatchCountSinceLastReport + type: long + description: > + Number of firewall rule matches since the last report. + + - name: Timestamp + type: date + description: > + Firewall rule triggered timestamp. + + # Not entirely sure about the descriptions of the following fields + - name: Flags.Audit + type: boolean + description: > + CrowdStrike audit flag. + + - name: Flags.Log + type: boolean + description: > + CrowdStrike log flag. + + - name: Flags.Monitor + type: boolean + description: > + CrowdStrike monitor flag. + + - name: Protocol + type: keyword + description: > + CrowdStrike provided protocol. + + - name: NetworkProfile + type: keyword + description: > + CrowdStrike network profile. + + - name: PolicyName + type: keyword + description: > + CrowdStrike policy name. + + - name: PolicyID + type: keyword + description: > + CrowdStrike policy id. + + - name: Status + type: keyword + description: > + CrowdStrike status. + + - name: TreeID + type: keyword + description: > + CrowdStrike tree id. + + # RemoteResponseSessionEndEvent + - name: Commands + type: keyword + description: > + Commands run in a remote session. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 6ef77376175d..b12309caef50 100644 
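Review bot: The `ConnectionDirection` description "Direction for network connection." does not say how the raw value is encoded, yet the `pipeline.js` hunk in this same change maps the string `"1"` to `network.direction: inbound` and every other value to `outbound`, so a reader of the generated `fields.asciidoc` cannot tell what the keyword means or verify that mapping; suggest `Direction for network connection; the pipeline treats "1" as inbound and any other value as outbound.`. The YAML comment `# Not entirely sure about the descriptions of the following fields` is committed above `Flags.Audit` through `TreeID`, whose descriptions are placeholders such as "CrowdStrike status." and "CrowdStrike tree id.", but YAML comments are not rendered into the docs, so users see the placeholders as authoritative. Either confirm those descriptions against the vendor's event reference before merging, or carry the uncertainty into the description text itself (for example `CrowdStrike status. Exact semantics not yet confirmed.`) so the generated documentation does not overstate what is known. The same applies to `Ipv` ("Protocol for network request."), which reads as ambiguous between an IP version and a transport protocol given that a separate `Protocol` field exists.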
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js 
@@ -2,186 +2,429 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function() { +var crowdstrikeFalconProcessor = (function () { var processor = require("processor"); - var convertUnderscore = function(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - }; - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }); - - var dropFields = function(evt) { - evt.Delete("message"); - evt.Delete("host.name"); - }; - - var setFields = function (evt) { - evt.Put("agent.name", "falcon"); - }; - - var convertFields = new processor.Convert({ - fields: [ - // DetectionSummaryEvent - { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" }, - { from: "crowdstrike.event.ProcessId", to: "process.pid" }, - // UserActivityAuditEvent and AuthActivityAuditEvent - { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, - ], - mode: "copy", - ignore_missing: true, - ignore_failure: true - }); - - var parseTimestamp = new processor.Timestamp({ - field: "crowdstrike.metadata.eventCreationTime", - target_field: "@timestamp", - timezone: "UTC", - layouts: ["UNIX_MS"], - ignore_missing: false, - }); - - var processEvent = function(evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") + // conversion helpers + function convertUnderscore(text) { + return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + } + + function convertToMSEpoch(evt, field) { + var timestamp = evt.Get(field); + if (timestamp) { + if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } + (new processor.Timestamp({ + field: 
field, + target_field: field, + timezone: "UTC", + layouts: ["UNIX_MS"] + })).Run(evt); } - else if (outcome === false) { - evt.Put("event.outcome", "failure") + } + + function convertProcess(evt) { + var commandLine = evt.Get("crowdstrike.event.CommandLine") + if (commandLine && commandLine.trim() !== "") { + var args = commandLine.split(' ').filter(function (arg) { + return arg !== ""; + }); + var executable = args[0] + + evt.Put("process.command_line", commandLine) + evt.Put("process.args", args) + evt.Put("process.executable", executable) } - else { - evt.Put("event.outcome", "unknown") + } + + function convertSourceDestination(evt) { + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) + } else { + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) } - - switch (eventType) { - case "DetectionSummaryEvent": + evt.AppendTo("related.ip", remoteAddress) + evt.AppendTo("related.ip", localAddress) + } + + function convertEventAction(evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) + } + + function convertUsername(evt) { + var username = evt.Get("crowdstrike.event.UserName") + if (!username || username === "") { + username = evt.Get("crowdstrike.event.UserId") + } + if (username && username !== "") { + evt.Put("user.name", username) + if (username.split('@').length == 2) { + evt.Put("user.email", username) + } + 
evt.AppendTo("related.user", username) + } + } + + // event processors by type + var eventProcessors = { + DetectionSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.LocalIP", + to: "related.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: "crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() var technique = 
evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) + evt.Put("threat.technique.name", technique) evt.Put("threat.tactic.name", tactic) - - evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("event.severity", evt.Get("crowdstrike.event.Severity")) - evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) - evt.Put("process.name", evt.Get("crowdstrike.event.FileName")) - - var command_line = evt.Get("crowdstrike.event.CommandLine") - var args = command_line.split(' ') - var executable = args[0] - - evt.Put("process.command_line", command_line) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - - evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) - evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) - evt.Put("agent.id", evt.Get("crowdstrike.event.SensorId")) - evt.Put("host.name", evt.Get("crowdstrike.event.ComputerName")) - evt.Put("agent.type", "falcon") - evt.Put("file.hash.sha256", evt.Get("crowdstrike.event.SHA256String")) - evt.Put("file.hash.md5", evt.Get("crowdstrike.event.MD5String")) - evt.Put("rule.name", evt.Get("crowdstrike.event.DetectName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.DetectDescription")) - - break; - - case "IncidentSummaryEvent": - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.action", "incident") - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - + convertProcess(evt) + }) + .Build(), + + IncidentSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + 
"event.category": ["malware"], + "event.type": ["info"], + "event.action": "incident", + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - - break; - - case "UserActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.OperationName")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["iam"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "AuthActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.ServiceName")) + convertProcess(evt) + }) + .Build(), + + UserActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + AuthActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", 
+ }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["authentication"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "RemoteResponseSessionStartEvent": - case "RemoteResponseSessionEndEvent": - var username = evt.Get("crowdstrike.event.UserName") - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - - evt.Put("host.name", evt.Get("crowdstrike.event.HostnameField")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - if (eventType == "RemoteResponseSessionStartEvent") { - evt.Put("event.type", ["start"]) - evt.Put("message", "Remote response session started") - } else { - evt.Put("event.type", ["end"]) - evt.Put("message", "Remote response session ended") - } - - break; - - default: - break; - } - } - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(parseTimestamp) - .Add(dropFields) - .Add(convertFields) - .Add(processEvent) - .Build(); - - return { - process: pipeline.Run, - }; + convertUsername(evt) + }) + .Build(), + + FirewallMatchEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", + }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + 
from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + convertEventAction(evt) + convertProcess(evt) + convertSourceDestination(evt) + }) + .Build(), + + RemoteResponseSessionStartEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["start"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session started", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + RemoteResponseSessionEndEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["end"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session ended", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + } + + // main processor + return new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 + }) + .Add(function (evt) { + evt.Delete("message"); + evt.Delete("host.name"); + + convertToMSEpoch(evt, 
"crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + + var outcome = evt.Get("crowdstrike.event.Success") + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") + } else { + evt.Put("event.outcome", "unknown") + } + + var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] + if (eventProcessor) { + eventProcessor.Run(evt) + } + }) + .Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", + ignore_missing: false, + fail_on_error: true + }) + .Build() + .Run })(); function process(evt) { - crowdstrikeFalcon.process(evt); + crowdstrikeFalconProcessor(evt); } diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml new file mode 100644 index 000000000000..3aa632ab7158 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml 
@@ -0,0 +1,31 @@
+description: Ingest pipeline for normalizing CrowdStrike Falcon logs
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - script:
+ lang: painless
+ if: ctx?.crowdstrike?.event != null
+ params:
+ values:
+ - null
+ - ''
+ - '-'
+ - 'N/A'
+ source: |
+ ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ - script:
+ lang: painless
+ if: ctx?.crowdstrike?.metadata != null
+ params:
+ values:
+ - null
+ - ''
+ - '-'
+ - 'N/A'
+ source: |
+ ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
index b3d3edbb6416..88a2f5b177fa 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
@@ -6,3 +6,4 @@ var:
 - /var/log/crowdstrike/falconhoseclient/output
 input: config/falcon.yml
+ingest_pipeline: ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
index d23985338fcd..1a403c955ce4 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
@@ -150,10 +150,10 @@
 ]
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 5,
+ "offset": 5,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601341730,
 "version": "1.0"
@@ -167,10 +167,10 @@
 "UTCTimestamp": 1581601341730
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 6,
+ "offset": 6,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601520236,
 "version": "1.0"
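Review bot: The two `script` processors guard only on `!= null`, so if `crowdstrike.event` or `crowdstrike.metadata` ever arrives as something other than an object (the JS side decodes `message` with `process_array: true`), `entrySet()` throws and the whole document falls through to the pipeline-level `on_failure`, which records `error.message` but skips nothing else gracefully. A type guard such as `if: ctx?.crowdstrike?.event instanceof Map` (and the same for `metadata`) would make the scrub a no-op instead of an indexing error. Both processors also carry identical `params.values` and neither says why `'-'` and `'N/A'` are stripped; a `description:` on each, e.g. `description: Drop null/empty/placeholder values ('', '-', 'N/A') from crowdstrike.event so ECS conversions do not fail on them`, would document that contract for whoever tunes the list later. Note the scrub is one level deep only; nested objects such as `AuditKeyValues` keep their placeholder values, which may be intended but is worth stating.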
@@ -183,17 +183,17 @@
 "Success": true,
 "UTCTimestamp": 1581601520236,
 "AuditKeyValues": [
- {
+ {
 "Key": "target_name",
 "ValueString": "first.last@company.com"
 }
 ]
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 7,
+ "offset": 7,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601572362,
 "version": "1.0"
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
index e54660242473..9a081933be35 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
@@ -1,97 +1,65 @@ [ { - "@timestamp": "2020-02-27T19:12:14.000Z", - "service.type": "crowdstrike", - "input.type": "log", + "crowdstrike.event.HostnameField": "hostnameofmachine", + "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", + "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z", + "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1045, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:14.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", - "crowdstrike.metadata.eventCreationTime": 1582830734000, + "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.HostnameField": "hostnameofmachine", - "crowdstrike.event.UserName": "first.last@company.com", - "crowdstrike.event.StartTimestamp": 1582830734, - "event.module": "crowdstrike", + "event.action": "remote_response_session_start_event", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "remote_response_session_start_event", - "event.type": [ "start" ], + "event.module": "crowdstrike", "event.outcome": "unknown", - "message": "Remote response session started", - "host.name": "hostnameofmachine", - "user.name": "first.last@company.com", - "user.email": "first.last@company.com", - "agent.type": "falcon", + "event.type": [ + "start" + ], "fileset.name": "falcon", - "log.file.path": "falcon-events.log", + "input.type": "log", "log.flags": [ "multiline" ], - "log.offset": 0 + "log.offset": 0, + "message": "Remote response session started", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.metadata.offset": 1046, - 
"crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", - "crowdstrike.metadata.eventCreationTime": 1582830772000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", + "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", + "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", - "crowdstrike.event.EndTimestamp": 1582830772, - "user.name": "first.last@company.com", - "user.email": "first.last@company.com", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "input.type": "log", - "event.module": "crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:52.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 1046, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "remote_response_session_end_event", - "event.type": ["end"], + "event.module": "crowdstrike", "event.outcome": "unknown", - "message": "Remote response session ended", - "host.name": "hostnameofmachine", - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "event.type": [ + "end" ], - "log.offset": 457, - "agent.type": "falcon" - }, - { - "@timestamp": "2020-02-12T21:29:10.710Z", - "message": "Crowdstrike Streaming API", - "source.ip": "10.10.0.8", + "fileset.name": "falcon", "input.type": "log", - "event.module": "crowdstrike", - "event.dataset": "crowdstrike.falcon_audit", - "event.kind": "event", - "event.action": "stream_started", - "event.type": ["change"], - "event.category": ["authentication"], - 
"event.outcome": "success", - "agent.type": "falcon", - "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", - "log.offset": 910, - "log.file.path": "falcon-events.log", "log.flags": [ "multiline" ], + "log.offset": 457, + "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", - "fileset.name": "falcon", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 0, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581542950710, - "crowdstrike.event.UserIp": "10.10.0.8", - "crowdstrike.event.OperationName": "streamStarted", - "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", - "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", 
@@ -114,359 +82,396 @@ "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" } ], - "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - }, - { - "@timestamp": "2020-02-12T21:39:37.147Z", - "log.offset": 2152, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "crowdstrike.event.OperationName": "streamStarted", + "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:29:10.000Z", + "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "crowdstrike.event.UserIp": "10.10.0.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:29:10.710Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 0, + "crowdstrike.metadata.version": "1.0", + "event.action": "stream_started", + "event.category": [ + "authentication" ], - "source.ip": "192.168.6.8", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "input.type": "log", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", - "crowdstrike.metadata.eventCreationTime": 1581543577147, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 910, + "message": "Crowdstrike Streaming API", 
+ "related.ip": "10.10.0.8", + "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "service.type": "crowdstrike", + "source.ip": "10.10.0.8", + "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + }, + { + "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581543577147, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "twoFactorAuthenticate", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication" - }, - { - "@timestamp": "2020-02-12T22:14:37.554Z", - "log.flags": [ - "multiline" + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:39:37.147Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 1, + "crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" ], - "log.offset": 2645, - "log.file.path": "falcon-events.log", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 2, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581545677554, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.UserId": 
"bob@company.com", - "crowdstrike.event.UserIp": "192.168.6.3", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2152, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581545677554, - "user.name": "bob@company.com", - "user.email": "bob@company.com", + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:14:37.554Z", + "crowdstrike.event.UserId": "bob@company.com", + "crowdstrike.event.UserIp": "192.168.6.3", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:14:37.554Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 2, + "crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2645, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.3", + "related.user": "bob@company.com", + "service.type": "crowdstrike", "source.ip": "192.168.6.3", - "input.type": "log", - "agent.type": "falcon" + "user.email": "bob@company.com", + "user.name": "bob@company.com" }, { - "@timestamp": "2020-02-12T22:24:08.000Z", - "input.type": "log", - "crowdstrike.metadata.version": "1.0", - 
"crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 3, - "crowdstrike.metadata.eventType": "UserActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581546248000, - "crowdstrike.event.ServiceName": "groups", "crowdstrike.event.AuditKeyValues": [ { - "ValueString": "3c80ce30b9654cb4bd15beec6a517e65", - "Key": "group_id" + "Key": "group_id", + "ValueString": "3c80ce30b9654cb4bd15beec6a517e65" }, { "Key": "action_name", "ValueString": "add_group_member" } ], - "crowdstrike.event.UTCTimestamp": 1581546248, + "crowdstrike.event.OperationName": "update_group", + "crowdstrike.event.ServiceName": "groups", + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", - "crowdstrike.event.OperationName": "update_group", - "log.offset": 3136, - "log.file.path": "falcon-events.log", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:24:08.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 3, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], - "service.type": "crowdstrike", - "fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "chris@company.com", - "user.email": "chris@company.com", + "log.offset": 3136, "message": "update_group", + "related.ip": "192.168.6.13", + "related.user": "chris@company.com", + "service.type": "crowdstrike", "source.ip": "192.168.6.13", - "event.kind": "event", - "event.action": "user_activity_audit_event", - 
"event.type": ["change"], - "event.outcome": "unknown", - "event.category": ["iam"], - "event.module": "crowdstrike", - "event.dataset": "crowdstrike.falcon_audit" + "user.email": "chris@company.com", + "user.name": "chris@company.com" }, { - "@timestamp": "2020-02-13T13:41:52.140Z", - "source.ip": "192.168.6.8", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 4, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601312140, - "crowdstrike.metadata.version": "1.0", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", "ValueString": "alice@company.com" } ], - "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601312140, - "agent.type": "falcon", - "message": "CrowdStrike Authentication", - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:41:52.140Z", + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:41:52.140Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 4, + "crowdstrike.metadata.version": "1.0", + "event.action": "request_reset_password", + "event.category": [ + "authentication" ], - "log.offset": 3858, - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "request_reset_password", - "event.type": 
["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "fileset.name": "falcon" - }, - { - "@timestamp": "2020-02-13T13:42:21.730Z", - "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.dataset": "crowdstrike.falcon_audit", "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com", "input.type": "log", - "source.ip": "192.168.6.8", + "log.flags": [ + "multiline" + ], + "log.offset": 3858, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601341730, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 5, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:42:21.730Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", - "message": "CrowdStrike Authentication", - "log.offset": 4506, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" - ] - }, - { - "@timestamp": "2020-02-13T13:45:20.236Z", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "log.offset": 5003, - 
"log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" ], - "event.action": "change_password", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "agent.type": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4506, "message": "CrowdStrike Authentication", - "source.ip": "192.168.6.8", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 6, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601520236, - "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", "ValueString": "first.last@company.com" } ], + "crowdstrike.event.OperationName": "changePassword", + "crowdstrike.event.ServiceName": "CrowdStrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "changePassword", - "crowdstrike.event.ServiceName": "CrowdStrike Authentication" - }, - { - "@timestamp": "2020-02-13T13:46:12.362Z", - "log.offset": 5657, - "log.file.path": "falcon-events.log", + "crowdstrike.metadata.customerIDString": 
"8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:45:20.236Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 6, + "crowdstrike.metadata.version": "1.0", + "event.action": "change_password", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], + "log.offset": 4999, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601572362, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 7, + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { + "crowdstrike.event.OperationName": "userAuthenticate", + "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601572362, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "userAuthenticate", - "crowdstrike.event.ServiceName": "CrowdStrike Authentication", - "message": "CrowdStrike Authentication", - "source.ip": "192.168.6.8", - "event.module": "crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:46:12.362Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + 
"crowdstrike.metadata.offset": 7, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_authenticate", + "event.category": [ + "authentication" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "user_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com" + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5646, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:14.754Z", - "input.type": "log", - "crowdstrike.metadata.eventCreationTime": 1581601814754, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 8, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601814754, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "twoFactorAuthenticate", - "agent.type": "falcon", - "source.ip": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:14.754Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 8, + 
"crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "service.type": "crowdstrike", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication", - "log.offset": 6149, - "log.file.path": "falcon-events.log", + "input.type": "log", "log.flags": [ "multiline" - ] + ], + "log.offset": 6134, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:20.289Z", - "agent.type": "falcon", - "event.action": "self_accept_eula", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.module": "crowdstrike", - "event.dataset": "crowdstrike.falcon_audit", - "event.kind": "event", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 9, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601820289, - "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", + "crowdstrike.event.UserId": 
"alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 9, + "crowdstrike.metadata.version": "1.0", + "event.action": "self_accept_eula", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "service.type": "crowdstrike", "input.type": "log", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication", - "log.file.path": "falcon-events.log", "log.flags": [ "multiline" ], - "log.offset": 6642, - "source.ip": "192.168.6.8" + "log.offset": 6627, + "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T14:14:22.000Z", - "agent.type": "falcon", - "message": "detection_update", - "source.ip": "192.168.6.8", - "input.type": "log", - "event.dataset": "crowdstrike.falcon_audit", - "event.kind": "event", - "event.action": "user_activity_audit_event", - "event.type": ["change"], - "event.outcome": "unknown", - "event.category": ["iam"], - "event.module": "crowdstrike", - "fileset.name": "falcon", - "crowdstrike.metadata.eventCreationTime": 1581603262000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 10, - "crowdstrike.metadata.eventType": "UserActivityAuditEvent", - "crowdstrike.event.UTCTimestamp": 1581603262, - "crowdstrike.event.UserId": 
"alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "detection_update", - "crowdstrike.event.ServiceName": "detections", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -485,13 +490,39 @@ "ValueString": "first.last@company.com" } ], - "log.offset": 7128, - "log.file.path": "falcon-events.log", + "crowdstrike.event.OperationName": "detection_update", + "crowdstrike.event.ServiceName": "detections", + "crowdstrike.event.UTCTimestamp": "2020-02-13T14:14:22.000Z", + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T14:14:22.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 10, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], + "log.offset": 7113, + "message": "detection_update", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", - "user.name": "alice@company.com", - "user.email": "alice@company.com" + "source.ip": "192.168.6.8", + "user.email": "alice@company.com", + "user.name": "alice@company.com" } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 7842299bacff..0980bf0fb601 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log 
@@ -66,3 +66,29 @@
 "FineScore": 1.2
 }
 }
+{
+ "metadata": {
+ "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+ "offset": 22865,
+ "eventType": "UserActivityAuditEvent",
+ "eventCreationTime": 1593186952000,
+ "version": "1.0"
+ },
+ "event": {
+ "UserId": "Crowdstrike",
+ "UserIp": "",
+ "OperationName": "quarantined_file_update",
+ "ServiceName": "quarantined_files",
+ "AuditKeyValues": [
+ {
+ "Key": "quarantined_file_id",
+ "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
+ },
+ {
+ "Key": "action_taken",
+ "ValueString": "quarantined"
+ }
+ ],
+ "UTCTimestamp": 1593186952
+ }
+}
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index fddd89e4fea2..5857879f5875
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
@@ -1,113 +1,160 @@ [ { - "@timestamp": "2020-02-19T08:30:00.000Z", - "process.pid": 38684386611, - "process.name": "explorer.exe", - "process.command_line": "C:\\Windows\\Explorer.EXE", - "process.executable": "C:\\Windows\\Explorer.EXE", - "process.args": ["C:\\Windows\\Explorer.EXE"], - "event.dataset": "crowdstrike.falcon_endpoint", - "event.kind": "alert", - "event.action": "Prevention, process killed.", - "event.type": ["info"], - "event.category": ["malware"], - "event.severity": 4, - "event.module": "crowdstrike", - "event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", - "event.outcome": "unknown", - "service.type": "crowdstrike", - "user.name": "alice", - "user.domain": "CORP-DOMAIN", - "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", - "rule.name": "Process Terminated", - "log.flags": [ - "multiline" - ], - "log.offset": 0, - "log.file.path": "falcon-events.log", - "source.ip": "192.168.12.51", - "agent.type": "falcon", - "host.name": "alice-laptop", - "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", - "fileset.name": "falcon", - "input.type": "log", - "file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24", - "file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", - "threat.tactic.name": "malware", - "threat.technique.name": "ransomware", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 294564, - "crowdstrike.metadata.eventType": "DetectionSummaryEvent", - "crowdstrike.metadata.eventCreationTime": 1582101000000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.ParentProcessId": 38682494050, - "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", - "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", - 
"crowdstrike.event.LocalIP": "192.168.12.51", - "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", - "crowdstrike.event.Tactic": "Malware", - "crowdstrike.event.ProcessEndTime": 0, - "crowdstrike.event.Severity": 4, "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", - "crowdstrike.event.Technique": "Ransomware", - "crowdstrike.event.Objective": "Falcon Detection Method", - "crowdstrike.event.ProcessId": 38684386611, + "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584", + "crowdstrike.event.DetectName": "Process Terminated", + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", + "crowdstrike.event.FileName": "explorer.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows", + "crowdstrike.event.LocalIP": "192.168.12.51", + "crowdstrike.event.MACAddress": "00-00-00-11-22-33", + "crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24", + "crowdstrike.event.MachineDomain": "CORP-DOMAIN", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentProcessId": 38682494050, "crowdstrike.event.PatternDispositionDescription": "Prevention, process killed.", - "crowdstrike.event.PatternDispositionFlags.Indicator": false, "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, "crowdstrike.event.PatternDispositionFlags.KillProcess": true, "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, - "crowdstrike.event.PatternDispositionFlags.KillParent": false, 
"crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false, "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": false, - "crowdstrike.event.PatternDispositionFlags.InddetMask": false, - "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, - "crowdstrike.event.PatternDispositionFlags.Rooting": false, - "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, - "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false, - "crowdstrike.event.FileName": "explorer.exe", - "crowdstrike.event.MachineDomain": "CORP-DOMAIN", + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, "crowdstrike.event.PatternDispositionValue": 16, - "crowdstrike.event.ComputerName": "alice-laptop", - "crowdstrike.event.UserName": "alice", - "crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24", - "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584", - "crowdstrike.event.MACAddress": "00-00-00-11-22-33", - "crowdstrike.event.ProcessStartTime": 1536846339, - "crowdstrike.event.DetectName": "Process Terminated", + "crowdstrike.event.ProcessEndTime": 0, + "crowdstrike.event.ProcessId": 38684386611, + "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", + "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", + "crowdstrike.event.Severity": 4, "crowdstrike.event.SeverityName": "High", - "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows" - }, - { - "@timestamp": "2020-03-04T04:17:56.766Z", - "log.offset": 2063, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + 
"crowdstrike.event.Tactic": "Malware", + "crowdstrike.event.Technique": "Ransomware", + "crowdstrike.event.UserName": "alice", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-19T08:30:00.000Z", + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 294564, + "crowdstrike.metadata.version": "1.0", + "event.action": "Prevention, process killed.", + "event.category": [ + "malware" ], - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_endpoint", "event.kind": "alert", - "event.type": ["info"], - "event.category": ["malware"], - "event.action": "incident", - "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "event.module": "crowdstrike", "event.outcome": "unknown", + "event.severity": 4, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", + "file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24", + "file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "fileset.name": "falcon", "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "process.args": [ + "C:\\Windows\\Explorer.EXE" + ], + "process.command_line": "C:\\Windows\\Explorer.EXE", + "process.executable": "C:\\Windows\\Explorer.EXE", + "process.name": "explorer.exe", + "process.pid": 38684386611, + "related.ip": "192.168.12.51", + "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "rule.name": "Process Terminated", + "service.type": "crowdstrike", + "source.ip": "192.168.12.51", + "threat.tactic.name": "malware", + "threat.technique.name": "ransomware", + "user.domain": "CORP-DOMAIN", + 
"user.name": "alice" + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.event.FineScore": 1.2, + "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", + "crowdstrike.event.IncidentStartTime": "2020-03-04T04:13:48.000Z", + "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1824, + "crowdstrike.metadata.eventCreationTime": "2020-03-04T04:17:56.766Z", "crowdstrike.metadata.eventType": "IncidentSummaryEvent", - "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.IncidentStartTime": 1583295228, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.event.State": "open", - "crowdstrike.event.FineScore": 1.2, - "message": "Incident score 1.2", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2063, + "message": "Incident score 1.2", "service.type": "crowdstrike" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + 
"crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 22865, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2579, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "user.name": "Crowdstrike" } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log new file mode 100644 index 000000000000..efd3b565576e --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log 
@@ -0,0 +1,254 @@
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 70689,
+ "eventType": "FirewallMatchEvent",
+ "eventCreationTime": 1595248906000,
+ "version": "1.0"
+ },
+ "event": {
+ "DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5",
+ "CustomerId": "12345a1bc2d34fghi56jk7890lmno12p",
+ "Ipv": "ipv4",
+ "CommandLine": "",
+ "ConnectionDirection": "1",
+ "EventType": "FirewallRuleIP4Matched",
+ "Flags": {
+ "Audit": false,
+ "Log": false,
+ "Monitor": true
+ },
+ "HostName": "TESTDEVICE01",
+ "ICMPCode": "",
+ "ICMPType": "",
+ "ImageFileName": "",
+ "LocalAddress": "10.37.60.194",
+ "LocalPort": "445",
+ "MatchCount": 1,
+ "MatchCountSinceLastReport": 1,
+ "NetworkProfile": "2",
+ "PID": "206158879910",
+ "PolicyName": "PROD-FW-Workstations-General",
+ "PolicyID": "74e7f1552a3a4d90a6d65578642c8584",
+ "Protocol": "6",
+ "RemoteAddress": "10.37.60.21",
+ "RemotePort": "54952",
+ "RuleAction": "2",
+ "RuleDescription": "",
+ "RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa",
+ "RuleGroupName": "SMB Rules",
+ "RuleName": "Inbound SMB Block \u0026 Log Private",
+ "RuleId": "4877172638743447345",
+ "Status": "",
+ "Timestamp": "2020-07-20T12:41:44Z",
+ "TreeID": ""
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 57181,
+ "eventType": "IncidentSummaryEvent",
+ "eventCreationTime": 1595005328414,
+ "version": "1.0"
+ },
+ "event": {
+ "IncidentStartTime": 1595005316,
+ "IncidentEndTime": 1595005316,
+ "FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54",
+ "State": "open",
+ "FineScore": 0.1,
+ "LateralMovement": 0
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 70509,
+ "eventType": "AuthActivityAuditEvent",
+ "eventCreationTime": 1595247970093,
+ "version": "1.0"
+ },
+ "event": {
+ "UserId": "first.last@company.com",
+ "UserIp": "165.225.220.184",
+ "OperationName": "saml2Assert",
+ "ServiceName": "Crowdstrike Authentication",
+ "Success": true,
+ "UTCTimestamp": 1595247970,
+ "AuditKeyValues": [
+ {
+ "Key": "trace_id",
+ "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b"
+ },
+ {
+ "Key": "actor_user",
+ "ValueString": "first.last@company.com"
+ },
+ {
+ "Key": "actor_user_uuid",
+ "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2"
+ },
+ {
+ "Key": "actor_cid",
+ "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d"
+ },
+ {
+ "Key": "target_user",
+ "ValueString": "first.last@company.com"
+ }
+ ]
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 70683,
+ "eventType": "UserActivityAuditEvent",
+ "eventCreationTime": 1595248885000,
+ "version": "1.0"
+ },
+ "event": {
+ "UserId": "Crowdstrike",
+ "UserIp": "",
+ "OperationName": "quarantined_file_update",
+ "ServiceName": "quarantined_files",
+ "AuditKeyValues": [
+ {
+ "Key": "quarantined_file_id",
+ "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21"
+ },
+ {
+ "Key": "action_taken",
+ "ValueString": "quarantined"
+ }
+ ],
+ "UTCTimestamp": 1595248885
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 57217,
+ "eventType": "RemoteResponseSessionStartEvent",
+ "eventCreationTime": 1595006093000,
+ "version": "1.0"
+ },
+ "event": {
+ "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e",
+ "HostnameField": "TESTDEVICE01",
+ "UserName": "first.last@company.com",
+ "StartTimestamp": 1595006093
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 57269,
+ "eventType": "RemoteResponseSessionEndEvent",
+ "eventCreationTime": 1595006899000,
+ "version": "1.0"
+ },
+ "event": {
+ "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e",
+ "HostnameField": "TESTDEVICE01",
+ "UserName": "first.last@company.com",
+ "EndTimestamp": 1595006899,
+ "Commands": [
+ "cd \\Program Files (x86)\\Symantec",
+ "ls .",
+ "cd \\Program Files (x86)",
+ "ls .",
+ "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
+ "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```",
+ "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
+ "restart",
+ "restart -Confirm"
+ ]
+ }
+}
+{
+ "metadata": {
+ "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "offset": 57047,
+ "eventType": "DetectionSummaryEvent",
+ "eventCreationTime": 1595002291000,
+ "version": "1.0"
+ },
+ "event": {
+ "ProcessStartTime": 1595002290,
+ "ProcessEndTime": 1595002290,
+ "ProcessId": 663790158277,
+ "ParentProcessId": 627311656469,
+ "ComputerName": "TESTDEVICE01",
+ "UserName": "First.last",
+ "DetectName": "NGAV",
+ "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
+ "Severity": 2,
+ "SeverityName": "Low",
+ "FileName": "filename.exe",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path",
+ "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
+ "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
+ "MD5String": "0ab1235adca04aef6239f5496ef0a5df",
+ "SHA1String": "0000000000000000000000000000000000000000",
+ "MachineDomain": "NA",
+ "ExecutablesWritten": [
+ {
+ "Timestamp": 1595002290,
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder"
+ },
+ {
+ "Timestamp": 1595002290,
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder"
+ },
+ {
+ "Timestamp": 1595002290,
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder"
+ },
+ {
+ "Timestamp": 1595002290,
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder"
+ }
+ ],
+ "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p",
+ "SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0",
+ "IOCType": "hash_sha256",
+ "IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
+ "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719",
+ "LocalIP": "10.1.190.117",
+ "MACAddress": "54-ad-d4-d2-a8-0b",
+ "Tactic": "Machine Learning",
+ "Technique": "Sensor-based ML",
+ "Objective": "Falcon Detection Method",
+ "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.",
+ "PatternDispositionValue": 2304,
+ "PatternDispositionFlags": {
+ "Indicator": false,
+ "Detect": false,
+ "InddetMask": false,
+ "SensorOnly": false,
+ "Rooting": false,
+ "KillProcess": false,
+ "KillSubProcess": false,
+ "QuarantineMachine": false,
+ "QuarantineFile": false,
+ "PolicyDisabled": true,
+ "KillParent": false,
+ "OperationBlocked": false,
+ "ProcessBlocked": true,
+ "RegistryOperationBlocked": false,
+ "CriticalProcessDisabled": false,
+ "BootupSafeguardEnabled": false,
+ "FsOperationBlocked": false
+ },
+ "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe",
+ "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
+ "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe",
+ "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe"
+ }
+}
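Review bot: The FirewallMatchEvent sample carries `LocalPort`, `RemotePort` and `PID` as JSON strings (`"LocalPort": "445"`, `"PID": "206158879910"`), and the new expected output for this event copies them verbatim into `destination.port`, `source.port` and `process.pid`, which ECS defines as `long`; the same expected event also emits `event.outcome` as an array (`["unknown"]`) while every other event in the fixture emits a scalar. The fixture therefore pins a type mismatch down instead of catching it; the ingest pipeline is not in this chunk, but a `convert` step for the ports and PID plus a scalar `event.outcome` would let the expected file be regenerated cleanly. Separately, the sample mixes clearly synthetic identifiers with a routable public address (`165.225.220.184`) where the existing fixtures stay in private ranges; sanitising it to an RFC 1918 or documentation address keeps the test data free of real network indicators.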
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
new file mode 100644
index 000000000000..1ef7cf3c7951
--- /dev/null
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -0,0 +1,399 @@ +[ + { + "crowdstrike.event.ConnectionDirection": "1", + "crowdstrike.event.CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "crowdstrike.event.EventType": "FirewallRuleIP4Matched", + "crowdstrike.event.Flags.Audit": false, + "crowdstrike.event.Flags.Log": false, + "crowdstrike.event.Flags.Monitor": true, + "crowdstrike.event.HostName": "TESTDEVICE01", + "crowdstrike.event.Ipv": "ipv4", + "crowdstrike.event.LocalAddress": "10.37.60.194", + "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.MatchCount": 1, + "crowdstrike.event.MatchCountSinceLastReport": 1, + "crowdstrike.event.NetworkProfile": "2", + "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", + "crowdstrike.event.Protocol": "6", + "crowdstrike.event.RemoteAddress": "10.37.60.21", + "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RuleAction": "2", + "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "crowdstrike.event.RuleGroupName": "SMB Rules", + "crowdstrike.event.RuleId": "4877172638743447345", + "crowdstrike.event.RuleName": "Inbound SMB Block & Log Private", + "crowdstrike.event.Timestamp": "2020-07-20T12:41:44Z", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:46.000Z", + "crowdstrike.metadata.eventType": "FirewallMatchEvent", + "crowdstrike.metadata.offset": 70689, + "crowdstrike.metadata.version": "1.0", + "destination.ip": "10.37.60.194", + "destination.port": "445", + "event.action": "firewall_match_event", + "event.category": [ + "network" + ], + "event.code": "FirewallRuleIP4Matched", + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": [ + "unknown" + ], + "event.type": [ + 
"start", + "connection" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", + "network.direction": "inbound", + "network.type": "ipv4", + "process.pid": "206158879910", + "related.ip": [ + "10.37.60.21", + "10.37.60.194" + ], + "rule.category": "fec73e96a1bf4481be582c3f89b234fa", + "rule.description": "", + "rule.id": "4877172638743447345", + "rule.name": "Inbound SMB Block & Log Private", + "rule.ruleset": "SMB Rules", + "service.type": "crowdstrike", + "source.ip": "10.37.60.21", + "source.port": "54952" + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "crowdstrike.event.FineScore": 0.1, + "crowdstrike.event.IncidentEndTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.IncidentStartTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.LateralMovement": 0, + "crowdstrike.event.State": "open", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:02:08.414Z", + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 57181, + "crowdstrike.metadata.version": "1.0", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1469, + "message": "Incident score 0.1", + "service.type": "crowdstrike" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": 
"trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ], + "crowdstrike.event.OperationName": "saml2Assert", + "crowdstrike.event.ServiceName": "Crowdstrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:26:10.000Z", + "crowdstrike.event.UserId": "first.last@company.com", + "crowdstrike.event.UserIp": "165.225.220.184", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:26:10.093Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 70509, + "crowdstrike.metadata.version": "1.0", + "event.action": "saml2_assert", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2041, + "message": "Crowdstrike Authentication", + "related.ip": "165.225.220.184", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "source.ip": "165.225.220.184", + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + 
"crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:41:25.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:25.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 70683, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3219, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "user.name": "Crowdstrike" + }, + { + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.StartTimestamp": "2020-07-17T17:14:53.000Z", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:14:53.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 57217, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_start_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "start" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4017, + "message": "Remote response session started", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "user.email": 
"first.last@company.com",
+ "user.name": "first.last@company.com"
+ },
+ {
+ "crowdstrike.event.Commands": [
+ "cd \\Program Files (x86)\\Symantec",
+ "ls .",
+ "cd \\Program Files (x86)",
+ "ls .",
+ "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
+ "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```",
+ "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
+ "restart",
+ "restart -Confirm"
+ ],
+ "crowdstrike.event.EndTimestamp": "2020-07-17T17:28:19.000Z",
+ "crowdstrike.event.HostnameField": "TESTDEVICE01",
+ "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e",
+ "crowdstrike.event.UserName": "first.last@company.com",
+ "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:28:19.000Z",
+ "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent",
+ "crowdstrike.metadata.offset": 57269,
+ "crowdstrike.metadata.version": "1.0",
+ "event.action": "remote_response_session_end_event",
+ "event.dataset": "crowdstrike.falcon_audit",
+ "event.kind": "event",
+ "event.module": "crowdstrike",
+ "event.outcome": "unknown",
+ "event.type": [
+ "end"
+ ],
+ "fileset.name": "falcon",
+ "input.type": "log",
+ "log.flags": [
+ "multiline"
+ ],
+ "log.offset": 4466,
+ "message": "Remote response session ended",
+ "related.user": "first.last@company.com",
+ "service.type": "crowdstrike",
+ "user.email": "first.last@company.com",
+ "user.name": "first.last@company.com"
+ },
+ {
+ "crowdstrike.event.CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
+ "crowdstrike.event.ComputerName": "TESTDEVICE01",
+ "crowdstrike.event.DetectDescription": 
"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
+ "crowdstrike.event.DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719",
+ "crowdstrike.event.DetectName": "NGAV",
+ "crowdstrike.event.ExecutablesWritten": [
+ {
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
+ "Timestamp": 1595002290
+ },
+ {
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
+ "Timestamp": 1595002290
+ },
+ {
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
+ "Timestamp": 1595002290
+ },
+ {
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
+ "Timestamp": 1595002290
+ }
+ ],
+ "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p",
+ "crowdstrike.event.FileName": "filename.exe",
+ "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path",
+ "crowdstrike.event.GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe",
+ "crowdstrike.event.GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe",
+ "crowdstrike.event.IOCType": "hash_sha256",
+ "crowdstrike.event.IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
+ "crowdstrike.event.LocalIP": "10.1.190.117",
+ "crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b",
+ "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df",
+ "crowdstrike.event.MachineDomain": "NA",
+ "crowdstrike.event.Objective": "Falcon Detection Method",
+ "crowdstrike.event.ParentCommandLine": 
"C:\\Windows\\Explorer.EXE",
+ "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe",
+ "crowdstrike.event.ParentProcessId": 627311656469,
+ "crowdstrike.event.PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.",
+ "crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled": false,
+ "crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled": false,
+ "crowdstrike.event.PatternDispositionFlags.Detect": false,
+ "crowdstrike.event.PatternDispositionFlags.FsOperationBlocked": false,
+ "crowdstrike.event.PatternDispositionFlags.InddetMask": false,
+ "crowdstrike.event.PatternDispositionFlags.Indicator": false,
+ "crowdstrike.event.PatternDispositionFlags.KillParent": false,
+ "crowdstrike.event.PatternDispositionFlags.KillProcess": false,
+ "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false,
+ "crowdstrike.event.PatternDispositionFlags.OperationBlocked": false,
+ "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": true,
+ "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": true,
+ "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false,
+ "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false,
+ "crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked": false,
+ "crowdstrike.event.PatternDispositionFlags.Rooting": false,
+ "crowdstrike.event.PatternDispositionFlags.SensorOnly": false,
+ "crowdstrike.event.PatternDispositionValue": 2304,
+ "crowdstrike.event.ProcessEndTime": "2020-07-17T16:11:30.000Z",
+ "crowdstrike.event.ProcessId": 663790158277,
+ "crowdstrike.event.ProcessStartTime": "2020-07-17T16:11:30.000Z",
+ "crowdstrike.event.SHA1String": "0000000000000000000000000000000000000000",
+ "crowdstrike.event.SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
+ "crowdstrike.event.SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0",
+ 
"crowdstrike.event.Severity": 2,
+ "crowdstrike.event.SeverityName": "Low",
+ "crowdstrike.event.Tactic": "Machine Learning",
+ "crowdstrike.event.Technique": "Sensor-based ML",
+ "crowdstrike.event.UserName": "First.last",
+ "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
+ "crowdstrike.metadata.eventCreationTime": "2020-07-17T16:11:31.000Z",
+ "crowdstrike.metadata.eventType": "DetectionSummaryEvent",
+ "crowdstrike.metadata.offset": 57047,
+ "crowdstrike.metadata.version": "1.0",
+ "event.action": "Detection, process would have been blocked if related prevention policy setting was enabled.",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "crowdstrike.falcon_endpoint",
+ "event.kind": "alert",
+ "event.module": "crowdstrike",
+ "event.outcome": "unknown",
+ "event.severity": 2,
+ "event.type": [
+ "info"
+ ],
+ "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p",
+ "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df",
+ "file.hash.sha1": "0000000000000000000000000000000000000000",
+ "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
+ "fileset.name": "falcon",
+ "input.type": "log",
+ "log.flags": [
+ "multiline"
+ ],
+ "log.offset": 5646,
+ "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
+ "process.args": [
+ "\"C:\\ProgramData\\file\\path\\filename.exe\""
+ ],
+ "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
+ "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
+ "process.name": "filename.exe",
+ "process.parent.command_line": "C:\\Windows\\Explorer.EXE",
+ "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe",
+ "process.pid": 663790158277,
+ "related.ip": "10.1.190.117",
+ "rule.description": "This file meets the machine 
learning-based on-sensor AV protection's low confidence threshold for malicious files.",
+ "rule.name": "NGAV",
+ "service.type": "crowdstrike",
+ "source.ip": "10.1.190.117",
+ "threat.tactic.name": "machine learning",
+ "threat.technique.name": "sensor-based ml",
+ "user.domain": "NA",
+ "user.name": "First.last"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go
index e4a1224d75ef..11622ad9ea7f 100644
--- a/x-pack/filebeat/module/crowdstrike/fields.go
+++ b/x-pack/filebeat/module/crowdstrike/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "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" + return "eJy8m19v47gRwN/zKQZ3r72gXWCvRR4KGHayazTJBrG317cDQ40tNhSpI0f2+dsfSEqKbMuWZFObpyCShj8OyfnL/ALvuLsDbvQ2sWTEO94AkCCJd/DT9OOvP90AGJTILN7BGxK7AUjQciNyElrdwb9vAACedFJIhJU2wLWUyEmoNTTkAG5Qkb29AVgJlIm989/9AopleMjhfmiX4x2sjS7y8i8tw7qfBy/OD90c74FJrlUYFphKgEk0BAkjdlt+2wRpwmRIzL1XP6g181Q+KT9tvHACzusGiUHjK4+KjKclHKWMQCguiwT9tD0uiQwtsSy/bWIcKSWMvWKFpN+9+DtYMWmx8fhwms2peoLlLse9p9VA77jbapMcPDszVfczQ3LLr9WiyDJmdvduiL/BgzC4ZVI+MeJp+be54iJBRftvvmKmCV/R5lpZXKC1ThgxQ+deuFdJ+XhSUDrhJDaCdpMiEdVn2sB3i+b4UT2F0yqaGmRuTkuRtasqYXT4oENPyxT9IgOlwpZbQXNeGIMJaAWUIqBKci2U2x7wfTmF78/z//3+tHA7KGN0ex5cr1YWqZVWKMI1mmHA37w8UEX2hibsWjKMv1uPKjX3GgK9Cuh+QkKBJYMsu4Wlm6awUFhMgDT4lRerHRRK/FEgJNW+aZiKM7PjhSWdoZnPFmSEWsfbwNNSckUoGopqRdmgcTswHsGCp5ixI7lHhgr3dm9tpfymHmSiwhdnbFRtQEe1Ri9Gc7TWn/XIJy0PosE62eHcXXKmSsJ7lYzER2gyocJJupZyfrjtrjj8pUiYz1w4wCicYXfQ63PbBcUMKhoDzQuuNXg54VRneUFontmJpb3oMDtplVHk5QiwTdHgPlxt/DsonQ+LS+gkeuHArNVceN1tBaWDtBf8/ni6G8Yx+xAcM7SpHw+lWuAGjaBdvG1fSQTLtRmsperruOt1wET4Z5epehAS4zI4iWE3lyppbOrKRjjvNkRbTuYLozQepZNWh0p/Ii+IvcnrDuBUZxlTyaNQEbV5/8GWO2RPxcNIIIVCYGZdZD0CtsXXyT9ih2pOJtgii6zJxdfJp8+/jgD76fOvI+A+zT7HZn2afR4DlPFUKJzpjImYZtnLqw91Fka5ijRUD75qS49CvUd0ta+PLirZCNweeH+hykE7Dbey2pyIny5jCvnXfNaqsbKOYv2wvVzvj2Pru5qPmjM5f4mHNX8BliTGuZLyhKTa0nVnYzKdBJERT/FkGp1zyTgJHpFxvny9B/JSgTPCtTa7odHMEnnqd0p0rkrwxWjf3v7v3tvERENKdeJA+udeRGjUTNhcW+E+GCU+ngRTRuwdFbzt+hm0Y7b/MnliJS8KlE/bENbgHUz5INm6/axqv+QDo1YnDYRKBGe+dh7YbC+4BR3XHK5Yxt9SpBSDMxVlidZFAxkzOxAWdI7KV4S0WmvHqg1wqW1n6lrXeyMXeBYfRZ0qCKi5G/WTfsWTCjJujee+LOlHAHwQChcuv2pFW0nNBu49L8yDVVA9ShAxvfx9xoT88FQGCovmlNP3Bck+gPko/r4NyeF2uYEcja/qxU12Q+HWFm9ORmfkaDaCR862S6EtaqmaGl1UBeengp43rSWyQwfVtVbBhmrjHOS2NGXagNLUbLVsmQUbxl4Vsms/LafLqh8XySDU8s6obrht8E2t/+DOu9B2pSq0hINrKr4p4Hs+WzQIPGVqjYkD7L3SH6UE+5sRRNgeeVzCFxIPTBqJqoVtGM
TlW4mw7y4gYVUFqPOo+J5iTBtXinRWrYwgjW9jgin7mGDDGx1oLid1v/kliYfnxO5VzaosuvJXJW0/yNrBxzwxLV5+H2r4cSl9fEzKI0d/LeMjIzRMPukNZvvtvg9MqY+KPx2YpVTISrGhLzckCAhtl3nG1hi/iOvLo2X7Jt/r7/SiGqUUetBnuqgI+sUwleQ/SnPrj9F6qq/BN4oOvxwTXabI+bdp3Gsr/u7QItwd8pdwwlFoxBJcZ7nRmbBdgdb82/R0Cns13MaJvoDu55YrOK341f2HmN6v5U5FZy3RxZUxGYJE0Aq2qeCNZKJv53WebyKeU6NJcy39SiqkrTbvYPCPAm2X5Z1qpULZZyZM+CWiliqRe2C8HrLLo8a/UNbc/LnRG5G4QC9cnevOelxgE9fCHoVKUnPnSUPA1LWHpk8vU51ExHl9mH7657/+7iWDEx1ceQ+OuMu0x7H0FrQPxzhecIwm8Mt8Fin4mhzDiGQwj+9qnOsZiMOYdlBXY8iu9igv2sSKTp2ooQzhVuh4+ijj+CEwI2hkGEUhcRLZP1RBBJhCYlml7oExSr9hn6Xxcg+gB5YJuTtxpCPQrLx8EF0G0LF8MbrIYxvAJoy/o+kH7EEzJkhPhJhh3z5A53r44Hiqi2iZ9nO4L61XsNojydxA2JXnfOAshOL4yCy9Yh7PrnTQgXWjhiiHWQLjx+7qxkYuqeyvIBmxXqPB1n+ROMh4njWByzcMyh3YwiCwN11Q6WbrQevu+EpLqbdCrY9vTzf6L5Kt7a2vtLZO8KKqdTPIZU40rCRbd3WCPMmjbr/4czWH1Ov+FE9aCdKHrdlIJFkQ3oemyqtGzj/ycpgOmueQP70YvRJypJyoytHyMEiXfrQUPPK1zz0Nefl9DH0giemBWzg67f2CGBUR79w0GayX3WUtDeJYSiCDZ1zez+f/k6qVtqwKxlRYKRFM4avj7KjV8FcAAAD//42ko/I=" }