elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[CrowdStrike FDR] Process fields #4132

Closed jamiehynds closed 2 years ago

jamiehynds commented 2 years ago

process.name is not currently exported by the CrowdStrike FDR. Based on a sample event where the process.executable path points to SoundVolumeView.exe, process.name should be set to SoundVolumeView.exe.

$ csvtojson --delimiter=',' CrowdStrike\ FDR\ Process\ Fields.csv | jq '[.[]|select(.process.executable|endswith("SoundVolumeView.exe"))][-1]'
{
  "@timestamp": "Aug 16, 2022 @ 09:01:09.410",
  "process": {
    "command_line": "\"C:\\Program Files\\nirsoft\\SoundVolumeView.exe\" /SetDefault \"Teradici Virtual Audio Driver\\device\\speakers\" all",
    "args": "C:\\Program Files\\nirsoft\\SoundVolumeView.exe, /SetDefault, Teradici Virtual Audio Driver\\device\\speakers, all",
    "args_count": "4",
    "entity_id": "434985669758362104",
    "executable": "\\Device\\HarddiskVolume3\\Program Files\\NirSoft\\SoundVolumeView.exe",
    "exit_code": "-",
    "hash": {
      "md5": "e570911fc2ab74ecf0dc59f324318f6e",
      "sha256": "f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2"
    },
    "parent": {
      "entity_id": "434985540832797032",
      "name": "EmUser.exe"
    },
    "pid": "6,108",
    "start": "Aug 16, 2022 @ 09:01:08.576",
    "thread": {
      "id": "-"
    },
    "title": "-"
  },
  "event": {
    "original": "{\"ProcessCreateFlags\":\"1024\",\"IntegrityLevel\":\"8192\",\"ParentProcessId\":\"434985540832797032\",\"SourceProcessId\":\"434985540832797032\",\"aip\":\"212.30.19.58\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"UserSid\":\"S-1-5-21-4084637156-299436391-3671333128-115430\",\"event_platform\":\"Win\",\"TokenType\":\"2\",\"ProcessEndTime\":\"\",\"ParentBaseFileName\":\"EmUser.exe\",\"ImageSubsystem\":\"2\",\"id\":\"9686a6b3-1d39-11ed-9370-0660bfa16adf\",\"EffectiveTransmissionClass\":\"3\",\"SessionId\":\"1\",\"Tags\":\"25, 27, 862, 874, 924, 12094627905582, 12094627906234\",\"timestamp\":\"1660636869410\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"6108\",\"ConfigStateHash\":\"518095218\",\"MD5HashData\":\"e570911fc2ab74ecf0dc59f324318f6e\",\"SHA256HashData\":\"f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2\",\"ProcessSxsFlags\":\"64\",\"AuthenticationId\":\"29530993\",\"ConfigBuild\":\"1007.3.0015103.1\",\"CommandLine\":\"\\\"C:\\\\Program Files\\\\nirsoft\\\\SoundVolumeView.exe\\\" /SetDefault \\\"Teradici Virtual Audio Driver\\\\device\\\\speakers\\\" all\",\"ParentAuthenticationId\":\"29530993\",\"TargetProcessId\":\"434985669758362104\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\NirSoft\\\\SoundVolumeView.exe\",\"SourceThreadId\":\"434985668331321297\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2V19\",\"ProcessStartTime\":\"1660636868.576\",\"ProcessParameterFlags\":\"24577\",\"aid\":\"50deaa55144543089a1f463b568cdc53\",\"cid\":\"1301ac65ae144fbb9689a8472f828c2e\"}"
  }
}

Feedback from @leehinman: We will need to parse the ImageFileName field from CrowdStrike and split it on path separators; it will need to work for both Unix- and Windows-style paths.

elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)