
[FEATURE] CrowdStrike log type support #572

Open
sandeshkr419 opened this issue Sep 13, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@sandeshkr419
Contributor

sandeshkr419 commented Sep 13, 2023

Is your feature request related to a problem?
This issue discusses the addition of CrowdStrike log group support in the Security Analytics plugin. CrowdStrike is a product used for security-related use cases. The use case is basically to monitor activities and threats related to CrowdStrike Falcon as the primary objective.

What solution would you like?
Introduce a CrowdStrike log type. The rules are aggregated from the Sigma repo.

Rules to be added in the log type:

Windows:

  1. Uninstall Crowdstrike Falcon Sensor

Linux:

  1. Disabling Security Tools - Builtin
  2. Disabling Security Tools
  3. Security Software Discovery - Linux

MacOS:

  1. Disable Security Tools
  2. Security Software Discovery - MacOs

What alternatives have you considered?
Presently, Sigma only supports the above rules for this. More rules can be added in future iterations / improvements.

Do you have any additional context?
Suggestions are welcome from users for more use-cases.

@sandeshkr419 sandeshkr419 added enhancement New feature or request untriaged labels Sep 13, 2023
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Feb 20, 2024
…s page. (opensearch-project#572)

* Add a details button to open the findings flyout from the correlations page. opensearch-project#564

Signed-off-by: Jovan Cvetkovic <[email protected]>

* Add a details button to open the findings flyout from the correlations page. opensearch-project#564

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Add a details button to open the findings flyout from the correlations page. opensearch-project#564

Signed-off-by: Jovan Cvetkovic <[email protected]>

* fix tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* code review

Signed-off-by: Jovan Cvetkovic <[email protected]>

* code review

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [BUG] Wrong field mappings for the cloud trail logs opensearch-project#573

Signed-off-by: Jovan Cvetkovic <[email protected]>

* code review

Signed-off-by: Jovan Cvetkovic <[email protected]>

---------

Signed-off-by: Jovan Cvetkovic <[email protected]>
@tw-dpd

tw-dpd commented Apr 23, 2024

Why would you wish to have a separate log-type for these rules when they are already present in their respective log-types for each platform (Windows, Linux, macOS)?
All of the rules above exist in the repo at present within their respective log-types, and would be so for uninstall of any protection client (SentinelOne, Cisco Secure Endpoint, etc.).

Is there a logfeed you'd like to process from Crowdstrike itself directly that would necessitate a separate product log-type?
If there is, then a custom log type could already be created by yourself and submitted for inclusion as a pre-packaged log-type?

@github-project-automation github-project-automation bot moved this to Backlog (Feature Requests, Enhancements) in Security Analytics Roadmap Aug 30, 2024