opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] CrowdStrike log type support #572

Open sandeshkr419 opened 10 months ago

sandeshkr419 commented 10 months ago

Is your feature request related to a problem? This issue discusses the addition of CrowdStrike log group support in the Security Analytics plugin. CrowdStrike is a product used for security-related use cases. The use case is basically to monitor activities and threats related to CrowdStrike Falcon as the primary objective.

What solution would you like? Introduce a CrowdStrike log type. The rules are aggregated from the Sigma repo.

Rules to be added in the log type:

Windows:

  1. Uninstall Crowdstrike Falcon Sensor

Linux:

  1. Disabling Security Tools - Builtin
  2. Disabling Security Tools
  3. Security Software Discovery - Linux

MacOS:

  1. Disable Security Tools
  2. Security Software Discovery - MacOs

What alternatives have you considered? Presently, Sigma only supports the above rules for this. More rules can be added in future iterations / improvements.

Do you have any additional context? Suggestions are welcome from users for more use-cases.
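As an added illustration (not code from this issue or from the Security Analytics project) of what grouping the per-platform rules listed above under one log type amounts to in practice, the following Python evaluator applies two Sigma-shaped rules to constructed process-creation events and reports which events fire. The rule field patterns (the `WindowsSensor.exe /uninstall /quiet` command line, the `systemctl ... falcon-sensor` service commands) and the sample events are assumptions made for the example, not copies of the upstream Sigma rule text; the Linux rule is entirely hypothetical and exists to show the `and not filter` condition form.

```python
"""Minimal evaluator for Sigma-style detections over process-creation events.

Added example, not project code. Rule patterns and sample events below are
constructed for illustration (assumptions), not copies of upstream Sigma rules.
"""
from typing import Any

# ASSUMPTION: modelled on the shape of Sigma process_creation rules; the
# string patterns are illustrative, not the upstream rule text.
FALCON_UNINSTALL_WINDOWS = {
    "title": "Uninstall Crowdstrike Falcon Sensor",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "CommandLine|contains|all": ["\\WindowsSensor.exe", " /uninstall", " /quiet"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Hypothetical Linux counterpart (constructed): stopping or disabling the
# sensor service via systemctl, with a filter so restarts are not flagged.
FALCON_STOP_LINUX = {
    "title": "Stop or Disable Falcon Sensor Service",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "/systemctl", "CommandLine|contains": "falcon-sensor"},
        "action": {"CommandLine|contains": [" stop ", " disable ", " mask "]},
        "filter_restart": {"CommandLine|contains": " restart "},
        "condition": "selection and action and not filter_restart",
    },
    "level": "high",
}

RULES = [FALCON_UNINSTALL_WINDOWS, FALCON_STOP_LINUX]

# Constructed sample events; the "product" key stands in for the log source.
SAMPLE_EVENTS = [
    {"product": "windows", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"product": "windows", "Image": "C:\\ProgramData\\Package Cache\\WindowsSensor.exe",
     "CommandLine": "\"C:\\ProgramData\\Package Cache\\WindowsSensor.exe\" /uninstall /quiet"},
    {"product": "windows", "Image": "C:\\ProgramData\\Package Cache\\WindowsSensor.exe",
     "CommandLine": "\"C:\\ProgramData\\Package Cache\\WindowsSensor.exe\" /install /quiet"},
    {"product": "linux", "Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop falcon-sensor"},
    {"product": "linux", "Image": "/usr/bin/systemctl", "CommandLine": "systemctl restart falcon-sensor"},
    {"product": "linux", "Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop sshd"},
]


def _match_field(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Match one 'Field|modifier|...' entry. Sigma string matching is case-insensitive."""
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    haystack = str(value).lower()
    patterns = [str(p).lower() for p in (expected if isinstance(expected, list) else [expected])]
    if "contains" in modifiers:
        hits = [p in haystack for p in patterns]
    elif "startswith" in modifiers:
        hits = [haystack.startswith(p) for p in patterns]
    elif "endswith" in modifiers:
        hits = [haystack.endswith(p) for p in patterns]
    else:
        hits = [haystack == p for p in patterns]
    # 'all' requires every listed value to match; otherwise any one suffices.
    return all(hits) if "all" in modifiers else any(hits)


def _match_block(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """All field entries inside one named detection block are AND-ed."""
    return all(_match_field(event, k, v) for k, v in block.items())


def evaluate(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate a rule's condition against one event.

    Supports the flat 'a and b and not c or d' form (no parentheses, no
    'x of' aggregation), which covers most process_creation rules.
    """
    detection = rule["detection"]
    blocks = {k: v for k, v in detection.items() if k != "condition"}
    for conjunction in detection["condition"].split(" or "):
        ok = True
        for term in (t.strip() for t in conjunction.split(" and ")):
            negate = term.startswith("not ")
            name = term[4:].strip() if negate else term
            if name not in blocks:
                raise KeyError(f"condition references unknown block {name!r}")
            ok = ok and (_match_block(event, blocks[name]) != negate)
        if ok:
            return True
    return False


def run_rules(rules: list[dict[str, Any]], events: list[dict[str, Any]]) -> list[tuple[str, int]]:
    """Return (rule title, event index) for each hit, only applying rules whose logsource product matches."""
    matches = []
    for idx, event in enumerate(events):
        for rule in rules:
            if rule["logsource"].get("product") != event.get("product"):
                continue
            if evaluate(rule, event):
                matches.append((rule["title"], idx))
    return matches


if __name__ == "__main__":
    for title, idx in run_rules(RULES, SAMPLE_EVENTS):
        print(f"{title}: event {idx} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The `logsource.product` check is the part that matters for the discussion in this issue: each rule is only ever applied to events from its own platform, so bundling Windows, Linux and macOS rules under one product-named log type is a grouping decision, not a change to what any individual rule matches.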

tw-dpd commented 3 months ago

Why would you wish to have a separate log-type for these rules when they are already present in their respective log-types for each platform (Windows, Linux, macOS)? All of the rules above exist in the repo at present within their respective log-types, and would do so for the uninstall of any protection client (SentinelOne, Cisco Secure Endpoint, etc.).

Is there a log feed you'd like to process from CrowdStrike itself directly that would necessitate a separate product log-type? If there is, then a custom log type could already be created by you and submitted for inclusion as a pre-packaged log-type?