Open sandeshkr419 opened 10 months ago
Why would you wish to have a separate log-type for these rules when they are already present in their respective log-types for each platform (Windows, Linux, macOS)? All of the rules above exist in the repo at present within their respective log-types, and would do so for the uninstall of any protection client (SentinelOne, Cisco Secure Endpoint, etc.).
Is there a log feed you'd like to process from CrowdStrike itself directly that would necessitate a separate product log-type? If there is, then a custom log type could already be created by yourself and submitted for inclusion as a pre-packaged log-type.
Is your feature request related to a problem?
This issue discusses the addition of `crowdstrike` log group support in the Security Analytics plugin. CrowdStrike is a product used for security-related use cases. The use case is basically to monitor activities and threats related to CrowdStrike Falcon as the primary objective.

What solution would you like?
Introduce a `crowdstrike` log type. The rules are aggregated from the Sigma repo. Rules to be added in the log type:
Windows:
Linux:
MacOS:

What alternatives have you considered?
Presently, Sigma only supports the above rules for this. More rules can be added in future iterations / improvements.

Do you have any additional context?
Suggestions are welcome from users for more use cases.
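As an added example (not code from this issue, the Sigma project, or the Security Analytics plugin), the block below shows what one of the Windows rules under discussion looks like in Sigma's shape and what a log type contributes to it: a field mapping from raw index fields to the Sigma field names the rule expects, followed by evaluation of a `contains|all` selection over constructed process-creation events. The rule strings, the raw field names in `ASSUMED_FIELD_MAPPING`, and the sample events are assumptions made for illustration; the real Sigma rule and the plugin's own mappings may differ.

```python
"""
Added example: a minimal evaluator for a Sigma-style process_creation rule
over constructed endpoint events. Not code from the issue, Sigma, or the
Security Analytics plugin. The rule text, field mapping and events are
illustrative assumptions.
"""
from __future__ import annotations

from typing import Any

# Illustrative rule in Sigma's shape, written as a dict so no YAML parser is
# needed. Its selection is modelled on the kind of Windows process_creation
# rule that detects a silent Falcon sensor uninstall; exact strings are assumed.
FALCON_UNINSTALL_RULE = {
    "title": "Uninstall CrowdStrike Falcon Sensor (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "CommandLine|contains|all": ["\\WindowsSensor.exe", " /uninstall", " /quiet"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Hypothetical field mapping of the kind a log type carries: raw index field
# name -> Sigma field name. The raw names are assumed, not a real schema.
ASSUMED_FIELD_MAPPING = {
    "process.executable": "Image",
    "process.command_line": "CommandLine",
    "process.parent.executable": "ParentImage",
}


def normalize(raw_event: dict[str, Any], mapping: dict[str, str]) -> dict[str, Any]:
    """Rename raw fields to the Sigma names the rule expects; drop unmapped ones."""
    return {sigma: raw_event[raw] for raw, sigma in mapping.items() if raw in raw_event}


def _entry_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one selection entry such as 'CommandLine|contains|all'."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    value = str(event[field]).lower()  # Sigma string matching is case-insensitive
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "contains" in modifiers:
        hits = [w in value for w in wanted]
    elif "startswith" in modifiers:
        hits = [value.startswith(w) for w in wanted]
    elif "endswith" in modifiers:
        hits = [value.endswith(w) for w in wanted]
    else:
        hits = [value == w for w in wanted]
    # A list of values is OR'd by default; the 'all' modifier turns it into AND.
    return all(hits) if "all" in modifiers else any(hits)


def rule_matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Support only the single 'condition: <selection-name>' form used above."""
    detection = rule["detection"]
    condition = detection["condition"]
    if condition not in detection:
        raise ValueError(f"unsupported condition: {condition!r}")
    # Entries inside one selection map are AND'd together.
    return all(_entry_matches(event, k, v) for k, v in detection[condition].items())


def run_rule(rule: dict[str, Any], raw_events: list[dict[str, Any]], mapping: dict[str, str]) -> list[int]:
    """Return the indexes of raw events the rule fires on after field mapping."""
    return [i for i, raw in enumerate(raw_events) if rule_matches(rule, normalize(raw, mapping))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: silent uninstall launched through cmd.exe -> should fire
        "process.executable": "C:\\Windows\\System32\\cmd.exe",
        "process.command_line": 'cmd.exe /c "C:\\Program Files\\CrowdStrike\\WindowsSensor.exe" /uninstall /quiet',
        "process.parent.executable": "C:\\Windows\\explorer.exe",
    },
    {   # 1: same sensor binary, but a silent install/upgrade -> no match
        "process.executable": "C:\\Program Files\\CrowdStrike\\WindowsSensor.exe",
        "process.command_line": '"C:\\Program Files\\CrowdStrike\\WindowsSensor.exe" /install /quiet',
        "process.parent.executable": "C:\\Windows\\System32\\services.exe",
    },
    {   # 2: interactive uninstall without /quiet -> the 'all' modifier is not satisfied
        "process.executable": "C:\\Program Files\\CrowdStrike\\WindowsSensor.exe",
        "process.command_line": '"C:\\Program Files\\CrowdStrike\\WindowsSensor.exe" /uninstall',
        "process.parent.executable": "C:\\Windows\\explorer.exe",
    },
    {   # 3: bare binary name run from its own directory: no backslash precedes
        #    WindowsSensor.exe, so this rule as written misses it
        "process.executable": "C:\\Program Files\\CrowdStrike\\WindowsSensor.exe",
        "process.command_line": "WindowsSensor.exe /uninstall /quiet",
        "process.parent.executable": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for i in run_rule(FALCON_UNINSTALL_RULE, SAMPLE_EVENTS, ASSUMED_FIELD_MAPPING):
        print(f"event {i} matched: {FALCON_UNINSTALL_RULE['title']}")
```

Only event 0 fires. Events 1 and 2 show why the `all` modifier matters (an install or an interactive uninstall is not the silent-removal pattern), and event 3 is the caveat a practitioner should keep in mind: a `contains` string anchored on a path separator misses a bare executable name, so the value of a log type lies as much in consistent field mapping and well-chosen selection strings as in where the rule is filed.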