Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Getting started with adding a new security data source in your Elastic SIEM - Ingest Pipeline
PUT _ingest/pipeline/crowdstrike_falcon
{
"processors":
[
{
"set": {
"field": "event.action",
"value": "{{crowdstrike.event.PatternDispositionDescription}}",
"if": "ctx.crowdstrike?.event?.PatternDispositionDescription != null"
}
},
{
"set": {
"field": "event.severity",
"value": "{{crowdstrike.event.Severity}}",
"if": "ctx.crowdstrike?.event?.Severity != null"
}
},
{
"set": {
"field": "event.url",
"value": "{{crowdstrike.event.FalconHostLink}}",
"if": "ctx.crowdstrike?.event?.FalconHostLink != null"
}
},
{
"set": {
"field": "file.hash.md5",
"value": "{{crowdstrike.event.MD5String}}",
"if": "ctx.crowdstrike?.event?.MD5String != null"
}
},
{
"set": {
"field": "file.hash.sha256",
"value": "{{crowdstrike.event.SHA256String}}",
"if": "ctx.crowdstrike?.event?.SHA256String != null"
}
},
{
"set": {
"field": "host.name",
"value": "{{crowdstrike.event.ComputerName}}",
"if": "ctx.crowdstrike?.event?.ComputerName != null"
}
},
{
"set": {
"field": "message",
"value": "{{crowdstrike.event.DetectDescription}}",
"if": "ctx.crowdstrike?.event?.DetectDescription != null"
}
},
{
"set": {
"field": "process.command_line",
"value": "{{crowdstrike.event.CommandLine}}",
"if": "ctx.crowdstrike?.event?.CommandLine != null"
}
},
{
"set": {
"field": "process.name",
"value": "{{crowdstrike.event.FileName}}",
"if": "ctx.crowdstrike?.event?.FileName != null"
}
},
{
"set": {
"field": "rule.name",
"value": "{{crowdstrike.event.DetectName}}",
"if": "ctx.crowdstrike?.event?.DetectName != null"
}
},
{
"set": {
"field": "threat.tactic.name",
"value": "{{crowdstrike.event.Tactic}}",
"if": "ctx.crowdstrike?.event?.Tactic != null"
}
},
{
"set": {
"field": "threat.technique.name",
"value": "{{crowdstrike.event.Technique}}",
"if": "ctx.crowdstrike?.event?.Technique != null"
}
},
{
"set": {
"field": "user.domain",
"value": "{{crowdstrike.event.MachineDomain}}",
"if": "ctx.crowdstrike?.event?.MachineDomain != null"
}
},
{
"set": {
"field": "user.name",
"value": "{{crowdstrike.event.UserName}}",
"if": "ctx.crowdstrike?.event?.UserName != null"
}
},
{
"set": {
"field": "agent.id",
"value": "{{crowdstrike.event.SensorId}}",
"if": "ctx.crowdstrike?.event?.SensorId != null"
}
},
{
"date": {
"field": "crowdstrike.metadata.eventCreationTime",
"target_field": "@timestamp",
"formats": [
"UNIX_MS"
],
"timezone": "UTC",
"ignore_failure": true
}
},
{
"set": {
"field": "event.kind",
"value": "alert"
}
},
{
"set": {
"field": "event.type",
"value": [ "info" ]
}
},
{
"set": {
"field": "event.category",
"value": [ "malware" ]
}
},
{
"drop": {
"if": "ctx.crowdstrike.metadata.eventType != 'DetectionSummaryEvent'"
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment