
CrowdStrike Falcon - Raptor release (#34805)
* configuration changes

* rn

* deprecation

* readme deprecation

* resolve-identity-detection

* test

* fix conflict

* cs-falcon-search-detection

* unit test

* !cs-falcon-resolve-detection

* cs-falcon-list-detection-summaries

* fix the filter

* fix

* fix tests

* fixes

* fix

* add CrowdStrike.Detections.behaviors.behavior_id

* fix outputs of list-detection-summaries

* finally outputs for cs-falcon-list-detection-summaries

* test

* fetch

* mirroring

* existing fetch

* new fetch

* add tests

* revert unnecessary changes in the mapper

* fix the query

* fix

* fix tests

* last mapper

* fix mapper

* mirroring of new type

* fixes from cr

* fix

* remove the raptor from the tests

* fix tests

* fixes

* fix old mapper

* legacy

* RN

* rn

* metadata

* pre commit

* build fixes

* build fixes #2

* Apply suggestions from code review

Shirley fixes

Co-authored-by: ShirleyDenkberg <[email protected]>

* More from Shirley

Co-authored-by: ShirleyDenkberg <[email protected]>

* cr

* cr

* format

* adding testing the parameters

* Bump pack from version CommonTypes to 3.5.8.

* fix test

* cr

* logs

* fix a mistake

* pre commit

* RN

* fix rn

* fix rn

* fix validate errors

* fix test playbook

* pre commit

* format

* RN

* change output

* fix test playbook

---------

Co-authored-by: ShirleyDenkberg <[email protected]>
Co-authored-by: Content Bot <[email protected]>
3 people authored and maimorag committed Jul 16, 2024
1 parent ade0d7f commit 46d0463
Showing 33 changed files with 3,781 additions and 1,143 deletions.
Expand Up @@ -3,7 +3,8 @@
"associatedTypes": [
"Tripwire File Change",
"Carbon Black EDR",
"Symantec DLP Endpoint Incident"
"Symantec DLP Endpoint Incident",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"breachScript": "",
"caseInsensitive": true,
Expand Up @@ -9,7 +9,8 @@
"IAM - Rehire User",
"Vectra Account",
"CrowdStrike Falcon IDP Detection",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"caseInsensitive": true,
"cliName": "displayname",
Expand Up @@ -39,7 +39,8 @@
"Graph Security Alert",
"CrowdStrike Falcon IDP Detection",
"Cyberint Incident",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"breachScript": "",
"caseInsensitive": true,
Expand Up @@ -30,7 +30,8 @@
"FireEye NX IPS Event",
"Microsoft Sentinel Incident",
"CrowdStrike Falcon IDP Detection",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"associatedToAll": false,
"unmapped": false,
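--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_5_8.md
@@ -0,0 +1,15 @@
+
+#### Incident Fields
+
+##### Display Name
+
+Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
+##### Last Update Time
+
+Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
+##### Vendor Product
+
+Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
+##### Device Id
+
+Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.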
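--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
-"currentVersion": "3.5.7",
+"currentVersion": "3.5.8",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",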
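--- a/Packs/CrowdStrikeFalcon/.pack-ignore
+++ b/Packs/CrowdStrikeFalcon/.pack-ignore
@@ -22,6 +22,7 @@ IOA
 enrichments
 cspm
 ioarules
+checkbox
 
 [file:classifier-CrowdStrike_Falcon_Incident_Classifier.json]
 ignore=BA101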
Expand Up @@ -11,7 +11,8 @@
"IDP detection": "CrowdStrike Falcon IDP Detection",
"iom_configurations": "CrowdStrike Falcon IOM Event",
"ioa_events": "CrowdStrike Falcon IOA Event",
"MOBILE detection": "CrowdStrike Falcon Mobile Detection"
"MOBILE detection": "CrowdStrike Falcon Mobile Detection",
"On-Demand Scans detection": "CrowdStrike Falcon On-Demand Scans Detection"
},
"transformer": {
"complex": null,
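Review bot: The new classifier key `"On-Demand Scans detection"` follows a different casing pattern from its siblings `"IDP detection"` and `"MOBILE detection"`, so it reads as a possible typo rather than a deliberate choice. These keys are presumably matched against the type string the integration emits, which is outside this section, so confirm the producer uses exactly this value; otherwise such alerts would silently fall through to the default incident type and the new mapper entry would never apply. If the casing is intentional, a short README note listing the expected classifier values would make the contract explicit.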
Expand Up @@ -199,6 +199,9 @@
"Display Name": {
"simple": "display_name"
},
"Description": {
"simple": "description"
},
"End Time": {
"simple": "end_time"
},
Expand Down Expand Up @@ -242,7 +245,7 @@
"simple": "product"
},
"name": {
"simple": "id"
"simple": "composite_id"
},
"occurred": {
"simple": "created_timestamp"
Expand All @@ -267,32 +270,148 @@
}
}
},
"CrowdStrike Falcon On-Demand Scans Detection": {
"dontMapEventToLabels": false,
"internalMapping": {
"Alert ID": {
"simple": "composite_id"
},
"Behaviour Objective": {
"simple": "objective"
},
"Behaviour Tactic": {
"simple": "tactic"
},
"CrowdStrike Falcon Platform Name": {
"simple": "device.platform_name"
},
"CrowdStrike Falcon Product Type Description": {
"simple": "device.product_type_desc"
},
"CrowdStrike Falcon System Manufacturer": {
"simple": "device.system_manufacturer"
},
"CrowdStrike Falcon System Product Name": {
"simple": "device.system_product_name"
},
"CrowdStrike Falcon Scan Name": {
"simple": "name"
},
"CrowdStrike Falcon Scan Id": {
"simple": "scan_id"
},
"CrowdStrike Falcon Pattern ID":{
"simple": "pattern_id"
},
"Tactic ID": {
"simple": "tactic_id"
},
"Technique": {
"simple": "technique"
},
"Technique ID": {
"simple": "technique_id"
},
"Device External IP": {
"simple": "device.external_ip"
},
"Device Local IP": {
"simple": "device.local_ip"
},
"MAC Address": {
"simple": "device.mac_address"
},
"OS": {
"simple": "device.os_version"
},
"Device Name": {
"simple": "device.hostname"
},
"Cloud Instance ID": {
"simple": "device.instance_id"
},
"Agent Version": {
"simple": "device.agent_version"
},
"Cloud Service": {
"simple": "service_provider"
},
"Cloud Account ID": {
"simple": "service_provider_account_id"
},
"Last Update Time": {
"simple": "timestamp"
},
"Display Name":{
"simple": "display_name"
},
"Device Id": {
"simple": "device.device_id"
},
"Event ID": {
"simple": "event_id"
},
"File Name": {
"simple": "filename"
},
"File Path": {
"simple": "filepath"
},
"Vendor Product": {
"simple": "product"
},
"severity": {
"simple": "severity"
},
"SHA256": {
"simple": "sha256"
},
"CrowdStrike Falcon Detection Type": {
"simple": "type"
},
"State": {
"simple": "status"
},
"dbotMirrorDirection": {
"simple": "mirror_direction"
},
"dbotMirrorId": {
"simple": "composite_id"
},
"dbotMirrorInstance": {
"simple": "mirror_instance"
},
"IncomingMirrorError": {
"simple": "in_mirror_error"
}
}
},
"CrowdStrike Falcon Detection": {
"dontMapEventToLabels": true,
"internalMapping": {
"Account Name": {
"simple": "behaviors.user_name"
},
"Alert ID": {
"simple": "detection_id"
"simple": "composite_id"
},
"Assigned User": {
"simple": "assigned_to_uid"
},
"Behaviour Objective": {
"simple": "behaviors.objective"
"simple": "objective"
},
"Behaviour Scenario": {
"simple": "behaviors.scenario"
"simple": "scenario"
},
"Behaviour Tactic": {
"simple": "behaviors.tactic"
"simple": "tactic"
},
"Technique": {
"simple": "behaviors.technique"
"simple": "technique"
},
"CMD line": {
"simple": "behaviors.cmdline"
"simple": "cmdline"
},
"Cloud Instance ID": {
"simple": "device.instance_id"
Expand All @@ -301,10 +420,10 @@
"simple": "device.service_provider"
},
"Description": {
"simple": "behaviors.description"
"simple": "description"
},
"Detected User": {
"simple": "behaviors.user_name"
"simple": "user_name"
},
"Device External IP": {
"simple": "device.external_ip"
Expand All @@ -322,45 +441,45 @@
"simple": "device.agent_version"
},
"File MD5": {
"simple": "behaviors.md5"
"simple": "md5"
},
"MD5": {
"complex": null,
"simple": "behaviors.md5"
"simple": "md5"
},
"SHA256": {
"complex": null,
"simple": "behaviors.sha256"
"simple": "sha256"
},
"File Name": {
"simple": "behaviors.filename"
"simple": "filename"
},
"File Paths": {
"simple": "behaviors.filepath"
"simple": "filepath"
},
"File SHA256": {
"simple": "behaviors.sha256"
"simple": "sha256"
},
"Hostnames": {
"simple": "device.hostname"
},
"Last Update Time": {
"simple": "last_behavior"
"simple": "timestamp"
},
"MAC Address": {
"simple": "device.mac_address"
},
"Event Names": {
"simple": "behaviors.display_name"
"simple": "display_name"
},
"Event Descriptions": {
"simple": "behaviors.description"
"simple": "description"
},
"OS": {
"simple": "device.os_version"
},
"Parent CMD line": {
"simple": "behaviors.parent_details.parent_cmdline"
"simple": "parent_details.cmdline"
},
"Start Time": {
"simple": "first_behavior"
Expand All @@ -369,33 +488,34 @@
"simple": "status"
},
"name": {
"complex": {
"accessor": "display_name",
"filters": [],
"root": "behaviors.[0]",
"transformers": [
{
"args": {
"prefix": {
"value": {
"simple": "Falcon Detection - "
}
},
"suffix": {
"value": {
"simple": " - Detection ID: "
}
}
},
"operator": "concat"
"complex": {
"filters": [],
"root": "display_name",
"transformers": [
{
"args": {
"prefix": {
"isContext": false,
"value": {
"simple": "Falcon Detection - "
}
},
"suffix": {
"isContext": false,
"value": {
"simple": " - Detection ID: "
}
}
},
"operator": "concat"
},
{
"args": {
"prefix": {},
"suffix": {
"isContext": true,
"value": {
"simple": "detection_id"
"simple": "composite_id"
}
}
},
Expand All @@ -408,7 +528,7 @@
"simple": "mirror_direction"
},
"dbotMirrorId": {
"simple": "detection_id"
"simple": "composite_id"
},
"dbotMirrorInstance": {
"simple": "mirror_instance"
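Review bot: The new `CrowdStrike Falcon On-Demand Scans Detection` mapping (hunk @@ -267,32 +270,148 @@) defines no `name` and no `occurred` entry, whereas the preceding mapping in the @@ -242,7 +245,7 @@ hunk sets `"name": {"simple": "composite_id"}` and `"occurred": {"simple": "created_timestamp"}`; unless the integration's fetch fills both directly, incidents of this type get a generic name and the fetch time as occurrence time, which skews timeline-based triage, so consider adding `"occurred": {"simple": "timestamp"}` and a `name` entry alongside the other keys. In the same block `"CrowdStrike Falcon Pattern ID":{` and `"Display Name":{` drop the space after the colon that every other key in the file uses. In the `CrowdStrike Falcon Detection` block, `"Start Time"` still maps `first_behavior` while its siblings moved from `behaviors.*` to flat fields (`timestamp`, `composite_id`); confirm the new alert payload still carries `first_behavior`, otherwise map it to the flat equivalent.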
