Update Crowdstrike Falcon Content Pack.htm

Content/Content Packs/Crowdstrike Falcon Content Pack.htm

@@ -1,145 +1,97 @@
 <?xml version="1.0" encoding="utf-8"?>
 <html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd">
-    <head>
+    <head><title></title>
     </head>
     <body>
-        <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
-        <p>CrowdStrike Falcon is a cutting-edge endpoint security solution with advanced capabilities. Leveraging artificial intelligence and threat intelligence, Falcon empowers organizations to proactively defend against cyber threats, detect malicious activities in real-time, and respond swiftly to secure their endpoints with unmatched precision and agility.
-
-</p>
+        <p>CrowdStrike Falcon is a cutting-edge endpoint security solution with advanced capabilities. Leveraging Artificial Intelligence (AI)&#160;and threat intelligence, Falcon empowers organizations to proactively defend against cyber threats, detect malicious activities in real-time, and respond swiftly to secure their endpoints with unmatched precision and agility.</p>
         <p>This technology pack will:</p>
         <ul>
             <li>
-                <p> 
-
-Process Crowdstrike Falcon logs, providing normalization and enrichment of those events.
-</p>
+                <p>Process CrowdStrike Falcon logs, providing normalization and enrichment of those events.</p>
             </li>
         </ul>
-        <h2>Supported Version(s)
-</h2>
+        <h2>Supported Version(s)</h2>
         <ul>
             <li>
-                <p>Crowdstrike Falcon  6.54.16812.0
-</p>
+                <p>CrowdStrike Falcon 7.15.18514.0</p>
             </li>
         </ul>
-        <h2>Requirements
-</h2>
+        <h2>Requirements</h2>
         <ul>
             <li>
-                <p>Crowdstrike Falcon version  6.54.16812.0</p>
+                <p>CrowdStrike Falcon version 7.15.18514.0</p>
             </li>
         </ul>
-        <h2>Stream Configuration
-</h2>
-        <p>This technology pack includes one stream:
-</p>
+        <h2>Stream Configuration</h2>
+        <p>This technology pack includes one stream:</p>
         <ul>
             <li>
-                <p>“Illuminate:Crowdstrike Falcon Messages”
-</p>
+                <p>“Illuminate: CrowdStrike Falcon Messages”</p>
             </li>
         </ul>
         <p>
             <section class="infoBox">
-                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.
-</span>
+                <div class="title"><strong>Hint: </strong><span style="font-weight: normal;">If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.</span>
                 </div>
             </section>
         </p>
-        <h2>Index Set Configuration
-</h2>
-        <p>This technology pack includes one index set definition:
-</p>
+        <h2>Index Set Configuration</h2>
+        <p>This technology pack includes one index set definition:</p>
         <ul>
-            <li>
-                <p>“Crowdstrike Falcon Event Log Messages”
-</p>
-            </li>
+            <li>“CrowdStrike Falcon Event Log Messages”</li>
         </ul>
         <p>
             <section class="infoBox">
-                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
-</span>
+                <div class="title"><strong>Hint: </strong><span style="font-weight: normal;">If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.</span>
                 </div>
             </section>
         </p>
         <h2>Log Collection</h2>
         <ul>
-            <li>
-                <p>Sending logs via Graylog’s Crowdstrike Input 
-</p>
-            </li>
+            <li>Sending logs via Graylog’s <MadCap:annotation MadCap:createDate="2024-10-11T08:31:50.5586775-08:00" MadCap:creator="AnnieZempel" MadCap:initials="AN" MadCap:comment="Will add doc link" MadCap:editor="AnnieZempel" MadCap:editDate="2024-10-11T08:31:53.7092038-08:00">CrowdStrike Input</MadCap:annotation></li>
         </ul>
-        <h2>Log Format Example
-</h2>
-        <p><code class="linecode">-	{"timestamp":1693337449.649,"version":"1.1","host":"customer-id","short_message":"{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}","full_message":"{\"metadata\":{\"customerIDString\":\"customer-id\",\"offset\":2802412,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1688847014000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}}","_event_source_product":"crowdstrike_falcon","_vendor_subtype":"UserActivityAuditEvent","_vendor_version":"1.0","_event_created":"2023-07-08T20:10:14.000Z"}
-</code>
+        <h2>Log Format Example</h2>
+        <p><code class="linecode">- {"timestamp":1693337449.649,"version":"1.1","host":"customer-id","short_message":"{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}","full_message":"{\"metadata\":{\"customerIDString\":\"customer-id\",\"offset\":2802412,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1688847014000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"api-client-id\",\"UserIp\":\"10.1.1.1\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"UTCTimestamp\":1688847014,\"Attributes\":{\"device_id\":\"6614e76223cc47699c09b18e84da6425\",\"message\":\"\",\"seedID\":\"101\"}}}","_event_source_product":"crowdstrike_falcon","_vendor_subtype":"UserActivityAuditEvent","_vendor_version":"1.0","_event_created":"2023-07-08T20:10:14.000Z"}</code>
         </p>
         <h2>What is Provided</h2>
         <ul>
-            <li>
-                <p>We provide parsing rules to normalize and enrich Crowdstrike Falcon log messages
-.</p>
-            </li>
-            <li>
-                <p><b>All messages sent via the Crowdstrike API to the Graylog Crowdstrike Input will be parsed, but not all will receive categorization or normalization.
-</b>
-                </p>
-            </li>
-            <li>
-                <p>	We provide Categorization for the following log types:
-</p>
-                <ul>
-                    <li>
-                        <p><code class="linecode">DetectionSummaryEvent
-</code>
-                        </p>
-                    </li>
-                    <li>
-                        <p><![CDATA[	]]><code class="linecode">UserActivityAuditEvent</code></p>
-                    </li>
-                </ul>
+            <li>We provide categorization for the following log types:<ul><li><code class="linecode">DetectionSummaryEvent</code></li><li><code class="linecode">EppDetectionSummaryEvent</code></li><li><code class="linecode">XdrDetectionSummaryEvent</code></li><li><code class="linecode">AuthActivityAuditEvent</code></li></ul></li>
+            <li><b>All messages sent via the CrowdStrike API to the Graylog CrowdStrike input will be parsed but not all will receive categorization or normalization.</b>
             </li>
+            <li>We provide parsing rules to normalize and enrich CrowdStrike Falcon log messages.</li>
         </ul>
         <h2>Input Configuration</h2>
         <ol>
-            <li>
-                <p>In order to successfully connect your Crowdstrike Falcon device to the Graylog Crowdstrike input, you will need your CrowdStrike client ID and your Client Secret. 
-</p>
-            </li>
-            <li>
-                <p>Then, once connected, your Crowdstrike logs should successfully be coming into your Graylog instance.
-</p>
-            </li>
+            <li>To successfully connect your CrowdStrike Falcon device <MadCap:annotation MadCap:createDate="2024-10-11T08:32:24.0749168-08:00" MadCap:creator="AnnieZempel" MadCap:initials="AN" MadCap:comment="Add doc link here" MadCap:editor="AnnieZempel" MadCap:editDate="2024-10-11T08:32:26.9638593-08:00">to the Graylog CrowdStrike input</MadCap:annotation>, you will need your CrowdStrike client ID and your Client Secret.</li>
+            <li>Once connected, your CrowdStrike logs should successfully be coming into your Graylog instance.</li>
         </ol>
         <p>
-            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_1.png" />
+            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_1.png" alt="CrowdStrike Image 1" />
         </p>
-        <h2>Events Processed by This Technology Pack
-</h2>
-        <p>The Crowdstrike Falcon content pack supports parsing for all fields and GIM categorization for the <code class="linecode">CustomerIOCEvent</code>, <code class="linecode">DetectionSummaryEvent</code>, and <code class="linecode">UserActivityAuditEvent </code>events. 
-</p>
-        <h2>Crowdstrike Spotlight Content Pack
-</h2>
+        <h2>Events Processed by This Technology Pack</h2>
+        <p>The CrowdStrike Falcon content pack supports parsing for all fields and GIM categorization for the <code class="linecode">CustomerIOCEvent</code>, <code class="linecode">DetectionSummaryEvent</code>, and <code class="linecode">UserActivityAuditEvent</code> events.</p>
+        <h2>CrowdStrike Spotlight Content Pack</h2>
+        <p>CrowdStrike Falcon: Overview Tab</p>
         <p>
-            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_2.png" />
+            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_2.png" alt="CrowdStrike Spotlight" />
         </p>
-        <p>Crowdstrike Falcon: Overview Tab</p>
-        <p>Crowdstrike Falcon: Authentication Tab</p>
+        <p>CrowdStrike Falcon: Authentication Tab</p>
         <p>
-            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_3.png" />
+            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_3.png" alt="CrowdStrike Image 3">
+            </img>
         </p>
         <p>
             <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_4.png" />
         </p>
-        <p>Crowdstrike Falcon: Alert Tab</p>
+        <p>CrowdStrike Falcon: Alert Tab</p>
         <p>
-            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_5.png" />
+            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_5.png" alt="CrowdStrike Image 5">
+            </img>
         </p>
         <p>
-            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_6.png" />
+            <img src="../Resources/Images/Crowdstrike Content Pack/Crowdstrike_6.png" alt="CrowdStrike Image 6">
+            </img>
         </p>
+        <!--?xml version="1.0" encoding="utf-8"?-->
     </body>
 </html>