CrowdStrike Falcon - Raptor release #34805

Merged
merged 87 commits into from
Jul 11, 2024
Changes from 85 commits
accd1b5
configuration changes
RosenbergYehuda Jun 9, 2024
5d30e11
rn
RosenbergYehuda Jun 9, 2024
ba1e232
deprecation
RosenbergYehuda Jun 10, 2024
0447dd9
readme deprecation
RosenbergYehuda Jun 10, 2024
aa017ff
resolve-identity-detection
RosenbergYehuda Jun 10, 2024
1a8b23d
test
RosenbergYehuda Jun 10, 2024
7520e35
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 10, 2024
5675e36
fix conflict
RosenbergYehuda Jun 10, 2024
b4efe1e
cs-falcon-search-detection
RosenbergYehuda Jun 16, 2024
3a97c14
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 16, 2024
a94484f
unit test
RosenbergYehuda Jun 16, 2024
d852e21
!cs-falcon-resolve-detection
RosenbergYehuda Jun 16, 2024
45481d0
cs-falcon-list-detection-summaries
RosenbergYehuda Jun 18, 2024
fb1af8b
fix the filter
RosenbergYehuda Jun 19, 2024
8e52c1a
fix
RosenbergYehuda Jun 19, 2024
e2e2273
fix tests
RosenbergYehuda Jun 20, 2024
e4f0f10
fixes
RosenbergYehuda Jun 20, 2024
1758e32
fix
RosenbergYehuda Jun 20, 2024
30365fb
add CrowdStrike.Detections.behaviors.behavior_id
RosenbergYehuda Jun 22, 2024
7a256da
fix outputs of list-detection-summaries
RosenbergYehuda Jun 22, 2024
eda32f1
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 22, 2024
20c776a
finally outputs for cs-falcon-list-detection-summaries
RosenbergYehuda Jun 23, 2024
86c1bc7
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 23, 2024
e93c508
test
RosenbergYehuda Jun 23, 2024
fa1118d
fetch
RosenbergYehuda Jun 24, 2024
758d33e
mirroring
RosenbergYehuda Jun 24, 2024
d9ce66e
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 26, 2024
ea3f287
existing fetch
RosenbergYehuda Jun 27, 2024
8a2d434
new fetch
RosenbergYehuda Jun 27, 2024
4dec9d2
add tests
RosenbergYehuda Jun 27, 2024
fc282cc
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jun 28, 2024
2787993
revert unnecessary changes in the mapper
RosenbergYehuda Jul 1, 2024
a9f773e
fix the query
RosenbergYehuda Jul 1, 2024
2530096
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 1, 2024
23035a8
fix
RosenbergYehuda Jul 1, 2024
962bceb
fix tests
RosenbergYehuda Jul 1, 2024
210aad9
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 7, 2024
35d7d80
last mapper
RosenbergYehuda Jul 7, 2024
b3a3025
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 7, 2024
3f9abc3
fix mapper
RosenbergYehuda Jul 7, 2024
4f94799
mirroring of new type
RosenbergYehuda Jul 8, 2024
509d4e4
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 8, 2024
9b4b1a5
fixes from cr
RosenbergYehuda Jul 8, 2024
4b7b7cf
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 8, 2024
30f49af
fix
RosenbergYehuda Jul 8, 2024
948659f
remove the raptor from the tests
RosenbergYehuda Jul 8, 2024
44195a2
fix tests
RosenbergYehuda Jul 8, 2024
abd70fa
fixes
RosenbergYehuda Jul 8, 2024
4a80dcd
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 8, 2024
66c347d
fix old mapper
RosenbergYehuda Jul 8, 2024
b0c6780
legacy
RosenbergYehuda Jul 8, 2024
efaa0a1
RN
RosenbergYehuda Jul 8, 2024
cb2152e
rn
RosenbergYehuda Jul 8, 2024
319e6de
metadata
RosenbergYehuda Jul 9, 2024
eecabca
pre commit
RosenbergYehuda Jul 9, 2024
13c4685
build fixes
RosenbergYehuda Jul 9, 2024
996460c
build fixes #2
RosenbergYehuda Jul 9, 2024
cf90121
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 9, 2024
e0df48b
Apply suggestions from code review
RosenbergYehuda Jul 9, 2024
07bfeb9
More from Shirley
RosenbergYehuda Jul 9, 2024
2184ab0
cr
RosenbergYehuda Jul 10, 2024
dbaf0be
Merge branch 'YR-CrowdStrike-Falcon-Raptor/CIAC-9887' of https://gith…
RosenbergYehuda Jul 10, 2024
e09fce0
cr
RosenbergYehuda Jul 10, 2024
c77c0e2
format
RosenbergYehuda Jul 10, 2024
eadff64
adding testing the parameters
RosenbergYehuda Jul 10, 2024
dbcddf7
Merged master into current branch.
Jul 10, 2024
dbfa58a
Bump pack from version CommonTypes to 3.5.8.
Jul 10, 2024
e067253
fix test
RosenbergYehuda Jul 10, 2024
5b55631
cr
RosenbergYehuda Jul 10, 2024
6bea61d
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 10, 2024
9b2d15d
logs
RosenbergYehuda Jul 10, 2024
f6add2d
fix a mistake
RosenbergYehuda Jul 10, 2024
3f5c2e0
pre commit
RosenbergYehuda Jul 10, 2024
1cd7138
RN
RosenbergYehuda Jul 10, 2024
3775d38
fix rn
RosenbergYehuda Jul 10, 2024
08ce4ec
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 10, 2024
5e539f8
fix rn
RosenbergYehuda Jul 10, 2024
7a33286
fix validate errors
RosenbergYehuda Jul 10, 2024
250b6ba
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 10, 2024
b350618
fix test playbook
RosenbergYehuda Jul 11, 2024
f1dd3fc
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 11, 2024
9d1cf27
pre commit
RosenbergYehuda Jul 11, 2024
15249b5
format
RosenbergYehuda Jul 11, 2024
2a4a962
RN
RosenbergYehuda Jul 11, 2024
c54ee77
Merge remote-tracking branch 'origin' into YR-CrowdStrike-Falcon-Rapt…
RosenbergYehuda Jul 11, 2024
6ce4786
change output
RosenbergYehuda Jul 11, 2024
63803c1
fix test playbook
RosenbergYehuda Jul 11, 2024
@@ -3,7 +3,8 @@
"associatedTypes": [
"Tripwire File Change",
"Carbon Black EDR",
"Symantec DLP Endpoint Incident"
"Symantec DLP Endpoint Incident",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"breachScript": "",
"caseInsensitive": true,
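Review bot: the new associated type string "CrowdStrike Falcon On-Demand Scans Detection" (here and in the three associatedTypes hunks that follow) is matched against the incident type's name character for character, including the capitalised "On-Demand Scans"; the incident type definition itself is not in this view, so please confirm the name is identical to it and to the classifier target value further down ("On-Demand Scans detection": "CrowdStrike Falcon On-Demand Scans Detection"), otherwise the field will silently not render on the new type.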
@@ -9,7 +9,8 @@
"IAM - Rehire User",
"Vectra Account",
"CrowdStrike Falcon IDP Detection",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"caseInsensitive": true,
"cliName": "displayname",
@@ -39,7 +39,8 @@
"Graph Security Alert",
"CrowdStrike Falcon IDP Detection",
"Cyberint Incident",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"breachScript": "",
"caseInsensitive": true,
@@ -30,7 +30,8 @@
"FireEye NX IPS Event",
"Microsoft Sentinel Incident",
"CrowdStrike Falcon IDP Detection",
"CrowdStrike Falcon Mobile Detection"
"CrowdStrike Falcon Mobile Detection",
"CrowdStrike Falcon On-Demand Scans Detection"
],
"associatedToAll": false,
"unmapped": false,
15 changes: 15 additions & 0 deletions Packs/CommonTypes/ReleaseNotes/3_5_8.md
@@ -0,0 +1,15 @@

#### Incident Fields

##### Display Name

Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
##### Last Update Time

Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
##### Vendor Product

Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
##### Device Id

Added the `CrowdStrike Falcon On-Demand Scans Detection` incident type as an associated type.
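Review bot: the blank-line layout inside this release note is inconsistent: "##### Display Name" is separated from its sentence by an empty line, but "##### Last Update Time", "##### Vendor Product" and "##### Device Id" each follow the previous sentence with no separating line, which renders the sections unevenly; add a blank line before every "#####" heading. The four fields listed do match the four associatedTypes hunks above.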
2 changes: 1 addition & 1 deletion Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Common Types",
"description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
"support": "xsoar",
"currentVersion": "3.5.7",
"currentVersion": "3.5.8",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
1 change: 1 addition & 0 deletions Packs/CrowdStrikeFalcon/.pack-ignore
@@ -22,6 +22,7 @@ IOA
enrichments
cspm
ioarules
checkbox

[file:classifier-CrowdStrike_Falcon_Incident_Classifier.json]
ignore=BA101
@@ -11,7 +11,8 @@
"IDP detection": "CrowdStrike Falcon IDP Detection",
"iom_configurations": "CrowdStrike Falcon IOM Event",
"ioa_events": "CrowdStrike Falcon IOA Event",
"MOBILE detection": "CrowdStrike Falcon Mobile Detection"
"MOBILE detection": "CrowdStrike Falcon Mobile Detection",
"On-Demand Scans detection": "CrowdStrike Falcon On-Demand Scans Detection"
},
"transformer": {
"complex": null,
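Review bot: the new classifier key "On-Demand Scans detection" is compared literally against whatever the integration writes into the classification field, and the neighbouring keys use differing capitalisation ("IDP detection", "MOBILE detection"), so the exact string the fetch code emits for on-demand scan alerts needs to be checked against this key; a mismatch falls through to the default incident type with no error. A unit test that runs a sample on-demand scan alert through this classifier would lock the value in.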
@@ -199,6 +199,9 @@
"Display Name": {
"simple": "display_name"
},
"Description": {
"simple": "description"
},
"End Time": {
"simple": "end_time"
},
@@ -242,7 +245,7 @@
"simple": "product"
},
"name": {
"simple": "id"
"simple": "composite_id"
Contributor:

Is it true for all the CS types?

Contributor:

Joining this question - is that the new ID for each fetched event/incident?

Contributor Author:

We had 3 detection types to fetch:
Endpoint Detection and IDP Detection had changed to use "composite_id", and I changed the mapper.

Mobile Detection did not change to composite_id, so I did not modify its mapper.

},
"occurred": {
"simple": "created_timestamp"
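Review bot: the type name enclosing this block is collapsed out of the diff, so the hunk alone does not show which Falcon type has its "name" switched from "id" to "composite_id"; the reply above says Endpoint and IDP detections moved to composite_id while Mobile did not, so please confirm this is the IDP block and that the Mobile mapping is untouched, and add a mapper test on a sample IDP alert that asserts the mapped name, so a later mix-up between the two blocks is caught.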
@@ -267,32 +270,148 @@
}
}
},
"CrowdStrike Falcon On-Demand Scans Detection": {
"dontMapEventToLabels": false,
"internalMapping": {
"Alert ID": {
"simple": "composite_id"
},
"Behaviour Objective": {
"simple": "objective"
},
"Behaviour Tactic": {
"simple": "tactic"
},
"CrowdStrike Falcon Platform Name": {
"simple": "device.platform_name"
},
"CrowdStrike Falcon Product Type Description": {
"simple": "device.product_type_desc"
},
"CrowdStrike Falcon System Manufacturer": {
"simple": "device.system_manufacturer"
},
"CrowdStrike Falcon System Product Name": {
"simple": "device.system_product_name"
},
"CrowdStrike Falcon Scan Name": {
"simple": "name"
},
"CrowdStrike Falcon Scan Id": {
"simple": "scan_id"
},
"CrowdStrike Falcon Pattern ID":{
"simple": "pattern_id"
},
"Tactic ID": {
"simple": "tactic_id"
},
"Technique": {
"simple": "technique"
},
"Technique ID": {
"simple": "technique_id"
},
"Device External IP": {
"simple": "device.external_ip"
},
"Device Local IP": {
"simple": "device.local_ip"
},
"MAC Address": {
"simple": "device.mac_address"
},
"OS": {
"simple": "device.os_version"
},
"Device Name": {
"simple": "device.hostname"
},
"Cloud Instance ID": {
"simple": "device.instance_id"
},
"Agent Version": {
"simple": "device.agent_version"
},
"Cloud Service": {
"simple": "service_provider"
},
"Cloud Account ID": {
"simple": "service_provider_account_id"
},
"Last Update Time": {
"simple": "timestamp"
},
"Display Name":{
"simple": "display_name"
},
"Device Id": {
"simple": "device.device_id"
},
"Event ID": {
"simple": "event_id"
},
"File Name": {
"simple": "filename"
},
"File Path": {
"simple": "filepath"
},
"Vendor Product": {
"simple": "product"
},
"severity": {
"simple": "severity"
},
"SHA256": {
"simple": "sha256"
},
"CrowdStrike Falcon Detection Type": {
"simple": "type"
},
"State": {
"simple": "status"
},
"dbotMirrorDirection": {
"simple": "mirror_direction"
},
"dbotMirrorId": {
"simple": "composite_id"
},
"dbotMirrorInstance": {
"simple": "mirror_instance"
},
"IncomingMirrorError": {
"simple": "in_mirror_error"
}
}
},
"CrowdStrike Falcon Detection": {
"dontMapEventToLabels": true,
"internalMapping": {
"Account Name": {
"simple": "behaviors.user_name"
},
"Alert ID": {
"simple": "detection_id"
"simple": "composite_id"
},
"Assigned User": {
"simple": "assigned_to_uid"
},
"Behaviour Objective": {
"simple": "behaviors.objective"
"simple": "objective"
},
"Behaviour Scenario": {
"simple": "behaviors.scenario"
"simple": "scenario"
},
"Behaviour Tactic": {
"simple": "behaviors.tactic"
"simple": "tactic"
},
"Technique": {
"simple": "behaviors.technique"
"simple": "technique"
},
"CMD line": {
"simple": "behaviors.cmdline"
"simple": "cmdline"
},
"Cloud Instance ID": {
"simple": "device.instance_id"
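Review bot: "severity" is mapped straight from the alert's "severity" with no transformer. Falcon reports alert severity as a numeric score (values such as 10/30/50/70/90), whereas the incident severity field expects the 0-4 scale, so unless the integration rewrites severity before the mapper runs, every on-demand scan incident lands with an out-of-range or wrong severity and is mis-prioritised in triage; either normalise it in the fetch code before mapping or add a transformer here. Two more points in the same block: "dontMapEventToLabels" is false here while the "CrowdStrike Falcon Detection" mapping directly below sets it true, so raw alert JSON will be copied into labels for this type only; and "Cloud Service"/"Cloud Account ID" read top-level "service_provider"/"service_provider_account_id" while the Detection mapping reads "device.service_provider", so confirm the path for this payload. Style: "CrowdStrike Falcon Pattern ID":{ and "Display Name":{ lack the space before the brace that every other key has.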
@@ -301,10 +420,10 @@
"simple": "device.service_provider"
},
"Description": {
"simple": "behaviors.description"
"simple": "description"
},
"Detected User": {
"simple": "behaviors.user_name"
"simple": "user_name"
},
"Device External IP": {
"simple": "device.external_ip"
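Review bot: "Detected User" moves from "behaviors.user_name" to "user_name" here, but "Account Name" in the same mapping still reads "behaviors.user_name" (unchanged context at the top of the previous hunk); with the flattened alert payload the rest of this change assumes, Account Name will come through empty. Either move it to "user_name" as well or state why it stays on the behaviors array.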
@@ -322,45 +441,45 @@
"simple": "device.agent_version"
},
"File MD5": {
"simple": "behaviors.md5"
"simple": "md5"
},
"MD5": {
"complex": null,
"simple": "behaviors.md5"
"simple": "md5"
},
"SHA256": {
"complex": null,
"simple": "behaviors.sha256"
"simple": "sha256"
},
"File Name": {
"simple": "behaviors.filename"
"simple": "filename"
},
"File Paths": {
"simple": "behaviors.filepath"
"simple": "filepath"
},
"File SHA256": {
"simple": "behaviors.sha256"
"simple": "sha256"
},
"Hostnames": {
"simple": "device.hostname"
},
"Last Update Time": {
"simple": "last_behavior"
"simple": "timestamp"
},
"MAC Address": {
"simple": "device.mac_address"
},
"Event Names": {
"simple": "behaviors.display_name"
"simple": "display_name"
},
"Event Descriptions": {
"simple": "behaviors.description"
"simple": "description"
},
"OS": {
"simple": "device.os_version"
},
"Parent CMD line": {
"simple": "behaviors.parent_details.parent_cmdline"
"simple": "parent_details.cmdline"
},
"Start Time": {
"simple": "first_behavior"
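Review bot: "Last Update Time" moves from "last_behavior" to "timestamp", yet "Start Time" two lines below is left on "first_behavior"; if the new alert payload dropped last_behavior it has most likely dropped first_behavior too, which would leave Start Time empty on every incident. Confirm against a real alert and, if the field is gone, map Start Time to the creation timestamp this mapper already uses for "occurred" ("created_timestamp"). The "Parent CMD line" path also changes shape (parent_details.parent_cmdline to parent_details.cmdline), so a fixture with a parent process should be part of the tests.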
@@ -369,33 +488,34 @@
"simple": "status"
},
"name": {
"complex": {
"accessor": "display_name",
"filters": [],
"root": "behaviors.[0]",
"transformers": [
{
"args": {
"prefix": {
"value": {
"simple": "Falcon Detection - "
}
},
"suffix": {
"value": {
"simple": " - Detection ID: "
}
}
},
"operator": "concat"
"complex": {
"filters": [],
"root": "display_name",
"transformers": [
{
"args": {
"prefix": {
"isContext": false,
"value": {
"simple": "Falcon Detection - "
}
},
"suffix": {
"isContext": false,
"value": {
"simple": " - Detection ID: "
}
}
},
"operator": "concat"
},
{
"args": {
"prefix": {},
"suffix": {
"isContext": true,
"value": {
"simple": "detection_id"
"simple": "composite_id"
}
}
},
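Review bot: the suffix now appends "composite_id" while the literal label before it still reads " - Detection ID: ", and the root moves from "behaviors.[0]" with accessor "display_name" to a top-level "display_name"; both are consistent with the flattened payload, but the name of every fetched detection changes format with this upgrade, which deserves a line in the pack's release notes so that playbooks or searches keyed on the old "Falcon Detection - <name> - Detection ID: <detection_id>" pattern get adjusted.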
@@ -408,7 +528,7 @@
"simple": "mirror_direction"
},
"dbotMirrorId": {
"simple": "detection_id"
"simple": "composite_id"
},
"dbotMirrorInstance": {
"simple": "mirror_instance"
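Review bot: switching "dbotMirrorId" from "detection_id" to "composite_id" changes the key used to match incoming mirror updates, so incidents opened before this release (whose dbotMirrorId holds a detection_id) will stop receiving mirrored status changes unless the integration's get-remote-data path also accepts the old id format; confirm that case is covered by a test or state the upgrade caveat explicitly in the release notes.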