{
  "name": "crowdstrike",
  "title": "CrowdStrike",
  "version": "3.13.1",
  "release": "ga",
  "description": "Collect logs from Crowdstrike with Elastic Agent.",
  "type": "integration",
  "download": "/epr/crowdstrike/crowdstrike-3.13.1.zip",
  "path": "/package/crowdstrike/3.13.1",
  "icons": [
    {
      "src": "/img/logo-integrations-crowdstrike.svg",
      "path": "/package/crowdstrike/3.13.1/img/logo-integrations-crowdstrike.svg",
      "title": "CrowdStrike",
      "size": "216x216",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr"
  ],
  "signature_path": "/epr/crowdstrike/crowdstrike-3.13.1.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/crowdstrike/3.13.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/siem-alerts-cs.jpg",
      "path": "/package/crowdstrike/3.13.1/img/siem-alerts-cs.jpg",
      "title": "CrowdStrike SIEM Alerts",
      "size": "3360x1776",
      "type": "image/jpg"
    },
    {
      "src": "/img/siem-events-cs.jpg",
      "path": "/package/crowdstrike/3.13.1/img/siem-events-cs.jpg",
      "title": "CrowdStrike SIEM Events",
      "size": "3360x1776",
      "type": "image/jpg"
    },
    {
      "src": "/img/crowdstrike-fdr-dashboard.png",
      "path": "/package/crowdstrike/3.13.1/img/crowdstrike-fdr-dashboard.png",
      "title": "CrowdStrike FDR Overview",
      "size": "1535x626",
      "type": "image/png"
    },
    {
      "src": "/img/cs-falcon1.png",
      "path": "/package/crowdstrike/3.13.1/img/cs-falcon1.png",
      "title": "CrowdStrike Falcon Overview",
      "size": "1535x626",
      "type": "image/png"
    },
    {
      "src": "/img/cs-overview1.png",
      "path": "/package/crowdstrike/3.13.1/img/cs-overview1.png",
      "title": "CrowdStrike Overview",
      "size": "1535x626",
      "type": "image/png"
    },
    {
      "src": "/img/crowdstrike-alert-dashboard.png",
      "path": "/package/crowdstrike/3.13.1/img/crowdstrike-alert-dashboard.png",
      "title": "CrowdStrike Alert",
      "size": "1535x626",
      "type": "image/png"
    },
    {
      "src": "/img/crowdstrike-host-dashboard.png",
      "path": "/package/crowdstrike/3.13.1/img/crowdstrike-host-dashboard.png",
      "title": "CrowdStrike Host",
      "size": "1535x626",
      "type": "image/png"
    },
    {
      "src": "/img/crowdstrike-vulnerability-dashboard.png",
      "path": "/package/crowdstrike/3.13.1/img/crowdstrike-vulnerability-dashboard.png",
      "title": "CrowdStrike Vulnerability",
      "size": "1535x626",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/crowdstrike/3.13.1/LICENSE.txt",
    "/package/crowdstrike/3.13.1/changelog.yml",
    "/package/crowdstrike/3.13.1/manifest.yml",
    "/package/crowdstrike/3.13.1/validation.yml",
    "/package/crowdstrike/3.13.1/docs/README.md",
    "/package/crowdstrike/3.13.1/img/crowdstrike-alert-dashboard.png",
    "/package/crowdstrike/3.13.1/img/crowdstrike-elastic-data-flow.drawio.svg",
    "/package/crowdstrike/3.13.1/img/crowdstrike-fdr-dashboard.png",
    "/package/crowdstrike/3.13.1/img/crowdstrike-host-dashboard.png",
    "/package/crowdstrike/3.13.1/img/crowdstrike-vulnerability-dashboard.png",
    "/package/crowdstrike/3.13.1/img/cs-falcon1.png",
    "/package/crowdstrike/3.13.1/img/cs-overview1.png",
    "/package/crowdstrike/3.13.1/img/logo-integrations-crowdstrike.svg",
    "/package/crowdstrike/3.13.1/img/siem-alerts-cs.jpg",
    "/package/crowdstrike/3.13.1/img/siem-events-cs.jpg",
    "/package/crowdstrike/3.13.1/kibana/tags.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/manifest.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/sample_event.json",
    "/package/crowdstrike/3.13.1/data_stream/falcon/manifest.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/sample_event.json",
    "/package/crowdstrike/3.13.1/data_stream/fdr/manifest.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/sample_event.json",
    "/package/crowdstrike/3.13.1/data_stream/host/manifest.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/sample_event.json",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/manifest.yml",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/sample_event.json",
    "/package/crowdstrike/3.13.1/elasticsearch/ingest_pipeline/aidmaster_lookup_namespaced.yml",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c.json",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5.json",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750.json",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c.json",
    "/package/crowdstrike/3.13.1/kibana/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750.json",
    "/package/crowdstrike/3.13.1/kibana/search/crowdstrike-56381e0f-4f72-4fc7-810c-5ba5b2c47b8c.json",
    "/package/crowdstrike/3.13.1/kibana/search/crowdstrike-9b99d190-8214-11ee-bae0-937af575b750.json",
    "/package/crowdstrike/3.13.1/kibana/search/crowdstrike-a9e7ff80-8212-11ee-bae0-937af575b750.json",
    "/package/crowdstrike/3.13.1/data_stream/alert/fields/base-fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/fields/beats.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/fields/ecs.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/fields/fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/fields/agent.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/fields/base-fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/fields/beats.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/fields/ecs.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/fields/fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/fields/base-fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/fields/ecs.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/fields/fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/fields/base-fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/fields/beats.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/fields/ecs.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/fields/fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/fields/base-fields.yml",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/fields/beats.yml",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/fields/fields.yml",
    "/package/crowdstrike/3.13.1/elasticsearch/transform/latest_aidmaster/manifest.yml",
    "/package/crowdstrike/3.13.1/elasticsearch/transform/latest_aidmaster/transform.yml",
    "/package/crowdstrike/3.13.1/data_stream/alert/agent/stream/cel.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/agent/stream/log.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/falcon/agent/stream/streaming.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml",
    "/package/crowdstrike/3.13.1/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/agent/stream/aws-s3.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/fdr/agent/stream/stream.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/categorize.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_ioa.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_iom.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/epp_detection_summary.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/fim_rule_matched.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/inbound_network.yml",
    "/package/crowdstrike/3.13.1/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml",
    "/package/crowdstrike/3.13.1/data_stream/host/agent/stream/cel.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/host/elasticsearch/ingest_pipeline/default.yml",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/agent/stream/cel.yml.hbs",
    "/package/crowdstrike/3.13.1/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml",
    "/package/crowdstrike/3.13.1/elasticsearch/transform/latest_aidmaster/fields/ecs.yml",
    "/package/crowdstrike/3.13.1/elasticsearch/transform/latest_aidmaster/fields/fields.yml"
  ],
  "policy_templates": [
    {
      "name": "crowdstrike",
      "title": "CrowdStrike",
      "description": "Collect events and data from CrowdStrike Falcon",
      "inputs": [
        {
          "type": "logfile",
          "title": "Collect Falcon events and FDR logs through file system",
          "description": "Collect Falcon events from the SIEM Connector and Falcon Data Replicator (FDR) logs through the file system."
        },
        {
          "type": "aws-s3",
          "title": "Collect Falcon Data Replicator logs using AWS S3 and SQS",
          "description": "Collect Falcon Data Replicator (FDR) logs using AWS S3 and SQS notifications."
        },
        {
          "type": "streaming",
          "vars": [
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_headers",
              "type": "yaml",
              "title": "Proxy headers",
              "description": "This specifies the headers to be sent to the proxy server.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "title": "Collect Falcon events using Event Streams API",
          "description": "Collect CrowdStrike Falcon events using the Event Streams API."
        },
        {
          "type": "cel",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID for the CrowdStrike API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret for the CrowdStrike API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://api.crowdstrike.com"
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "Token URL",
              "description": "CrowdStrike API token URL.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.crowdstrike.com/oauth2/token"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_headers",
              "type": "yaml",
              "title": "Proxy headers",
              "description": "This specifies the headers to be sent to the proxy server.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect data using the CrowdStrike REST API",
          "description": "Collect CrowdStrike Falcon data (alerts, hosts, vulnerabilities) using the REST API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "crowdstrike.alert",
      "title": "Collect alerts from CrowdStrike.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Alert logs from CrowdStrike. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the CrowdStrike API. By default, differential data is pulled once per day. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the CrowdStrike API. It must be between 1 - 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "query",
              "type": "text",
              "title": "FQL Query",
              "description": "This is an additional FQL query that can be included in requests to the API. You should not include any reference to the `timestamp` property. See the [FalconPy documentation](https://www.falconpy.io/Usage/Falcon-Query-Language.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve crowdstrike.alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Alerts",
          "description": "Collect unified alerts from CrowdStrike Falcon.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "crowdstrike",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "crowdstrike.falcon",
      "title": "CrowdStrike Falcon events",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "description": "Location of the files where event outputs are written. The contents of these files should be in a valid JSON format.",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "/var/log/crowdstrike/falconhoseclient/output*"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-falcon"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Falcon events",
          "description": "Collect CrowdStrike Falcon events through Falcon SIEM Connector.",
          "enabled": false,
          "ingestion_method": "File"
        },
        {
          "input": "streaming",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://api.crowdstrike.com"
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "Token URL",
              "description": "CrowdStrike API token URL.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.crowdstrike.com/oauth2/token"
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID for the CrowdStrike API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret for the CrowdStrike API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "app_id",
              "type": "text",
              "title": "App ID",
              "description": "This field specifies the `appId` parameter sent to the CrowdStrike API. See the CrowdStrike documentation for details.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-falcon"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "streaming.yml.hbs",
          "title": "Falcon events",
          "description": "Collect CrowdStrike Falcon events using Event Streams API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "crowdstrike",
      "path": "falcon"
    },
    {
      "type": "logs",
      "dataset": "crowdstrike.fdr",
      "title": "Falcon Data Replicator",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "access_key_id",
              "type": "text",
              "title": "Access Key ID",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "secret_access_key",
              "type": "password",
              "title": "Secret Access Key",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "session_token",
              "type": "password",
              "title": "Session Token",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "enrich_metadata",
              "type": "bool",
              "title": "Enrich Host and User Metadata",
              "description": "Uses data in aidmaster and userinfo to add host and user information to events. The aidmaster blob must contain the string \"aidmaster\" in its path and the userinfo blob path must contain \"userinfo\", and the FDR Notification Parsing Script must sort events so that aidmaster and userinfo events appear first in the stream.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": true
            },
            {
              "name": "keep_metadata",
              "type": "bool",
              "title": "Keep Original Host and User Metadata",
              "description": "Keep the aidmaster and userinfo documents after they have been used for event enrichment.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "metadata_ttl",
              "type": "text",
              "title": "Metadata TTL",
              "description": "The period of time that metadata is considered valid for. Valid time units are h, m, s, ms, us/µs and ns.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "168h"
            },
            {
              "name": "metadata_cache_capacity",
              "type": "text",
              "title": "Metadata cache capacity",
              "description": "The maximum number of metadata objects to cache. Operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. Values at or below zero indicate no limit. \nWARNING: This setting needs to be set only if the number of metadata elements is known beforehand, otherwise it might lead to enrichment data loss. If you are not sure, leave it untouched.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 0
            },
            {
              "name": "metadata_cache_write_interval",
              "type": "text",
              "title": "Metadata cache write interval",
              "description": "The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 0
            },
            {
              "name": "long_fields",
              "type": "select",
              "title": "Long Fields",
              "description": "Choose to `Index` or `Delete` long fields. Fields longer than 1024 bytes (except `event.original`) will be kept (indexed) or deleted based on this option.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "index_long_fields"
            },
            {
              "name": "long_fields_max_length",
              "type": "integer",
              "title": "Maximum Length of Fields",
              "description": "The maximum length of fields (in bytes) to consider them as too long. By default, fields larger than `1024` bytes are considered too long. This option in addition to `Long Fields` option helps users configure how integration should handle long fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1024
            },
            {
              "name": "enable_deduplication",
              "type": "bool",
              "title": "Enable Data Deduplication",
              "description": "If data deduplication is enabled, it ensures that no duplicate events are indexed. This is achieved by generating an `_id` value based on the content of each event using the [fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html). If the option is disabled, every received event will be indexed with a unique `_id` generated by Elasticsearch (overriding the AWS-S3 input's [_id-Based Deduplication](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-aws-s3#_document_id_generation) feature).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "enable_geoip_observer_ip",
              "type": "bool",
              "title": "Enable GeoIP enrichment for observer.ip",
              "description": "If enabled, the `observer.ip` field will be enriched with geolocation data using the [GeoIP processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/geoip-processor.html).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": true
            },
            {
              "name": "enable_geoip_source_ip",
              "type": "bool",
              "title": "Enable GeoIP enrichment for source.ip",
              "description": "If enabled, the `source.ip` field will be enriched with geolocation data using the [GeoIP processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/geoip-processor.html).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": true
            },
            {
              "name": "enable_geoip_destination_ip",
              "type": "bool",
              "title": "Enable GeoIP enrichment for destination.ip",
              "description": "If enabled, the `destination.ip` field will be enriched with geolocation data using the [GeoIP processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/geoip-processor.html).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": true
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "shared_credential_file",
              "type": "text",
              "title": "Shared Credential File",
              "description": "Directory of the shared credentials file",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "credential_profile_name",
              "type": "text",
              "title": "Credential Profile Name",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "role_arn",
              "type": "text",
              "title": "Role ARN",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "endpoint",
              "type": "text",
              "title": "Endpoint",
              "description": "URL of the entry point for an AWS web service",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": ""
            },
            {
              "name": "default_region",
              "type": "text",
              "title": "Default AWS Region",
              "description": "Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": ""
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "API Timeout",
              "description": "The maximum duration that an AWS API call can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "fips_enabled",
              "type": "bool",
              "title": "Enable S3 FIPS",
              "description": "Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-fdr"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0; this parameter is ignored if present. Use `Number of Workers` instead. The maximum number of SQS messages that can be in flight at any time.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 5
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "Number of Workers",
              "description": "Number of workers that will process the S3 or SQS objects listed.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 5
            },
            {
              "name": "prune_fields",
              "type": "bool",
              "title": "Prune Fields",
              "description": "Prune fields deletes fields that are less likely to be useful. This includes `agent.ephemeral_id`, `ecs.version`, `event.timezone` and `log.offset`.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": true
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "Falcon Data Replicator logs",
          "description": "Collect Falcon Data Replicator logs using AWS S3 and AWS SQS.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        },
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": false,
              "show_user": true,
              "default": [
                "/var/log/falcon_data_replicator.log"
              ]
            },
            {
              "name": "enrich_host_metadata",
              "type": "bool",
              "title": "Enrich Host and User Metadata",
              "description": "Uses data in aidmaster and userinfo to add host and user information to events. The aidmaster and userinfo files must be included in the paths configuration; the host information file path must include the string \"aidmaster\" and the user information file path must include \"userinfo\"; and their file paths must sort before the FDR log file paths.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": true
            },
            {
              "name": "keep_metadata",
              "type": "bool",
              "title": "Keep Original Host and User Metadata",
              "description": "Keep the aidmaster and userinfo documents after they have been used for event enrichment.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "metadata_ttl",
              "type": "text",
              "title": "Metadata TTL",
              "description": "The period of time that host metadata is considered valid for. Valid time units are h, m, s, ms, us/µs and ns.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "168h"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-fdr"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "prune_fields",
              "type": "bool",
              "title": "Prune Fields",
              "description": "Prune fields deletes fields that are less likely to be useful. This includes `agent.ephemeral_id`, `ecs.version`, `event.timezone` and `log.offset`.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": true
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Falcon Data Replicator logs",
          "description": "Collect Falcon Data Replicator logs through file system.",
          "enabled": false,
          "ingestion_method": "File"
        }
      ],
      "package": "crowdstrike",
      "elasticsearch": {
        "index_template.settings": {
          "index": {
            "mapping": {
              "total_fields": {
                "limit": 2000
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "fdr"
    },
    {
      "type": "logs",
      "dataset": "crowdstrike.host",
      "title": "Collect host inventory from CrowdStrike.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Host logs from CrowdStrike. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the CrowdStrike API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the CrowdStrike API. For Commercial CIDs, it must be between 1 - 10000. For GovCloud CIDs, it must be between 1 - 5000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 5000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "query",
              "type": "text",
              "title": "FQL Query",
              "description": "This is an additional FQL query that can be included in requests to the API. You should not include any reference to the `modified_timestamp` property. See the [FalconPy documentation](https://www.falconpy.io/Usage/Falcon-Query-Language.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "select_fields",
              "type": "text",
              "title": "Fields",
              "description": "The fields to return, comma delimited if specifying more than one field. For example, hostname,device_id would return device records only containing the hostname and device_id. This only applies to the combined devices endpoint.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "gov_cloud",
              "type": "bool",
              "title": "GovCloud",
              "description": "GovCloud CIDs must enable this. When enabled, the integration will use CrowdStrike’s GovCloud-supported devices endpoint (`/devices/entities/devices/v2`) instead of the standard combined endpoint (`/devices/combined/devices/v1`).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-host"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve crowdstrike.host fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Hosts",
          "description": "Collect host and device inventory from CrowdStrike Falcon.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "crowdstrike",
      "path": "host"
    },
    {
      "type": "logs",
      "dataset": "crowdstrike.vulnerability",
      "title": "Collect vulnerability data from CrowdStrike.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the vulnerability logs from CrowdStrike. Defaults to 90 days (2160h) before end. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "2160h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the CrowdStrike spotlight vulnerabilities API. CrowdStrike recommends pulling differential data once-per-day. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the CrowdStrike spotlight vulnerabilities API. It must be between 1 - 5000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 5000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "query",
              "type": "text",
              "title": "FQL Query",
              "description": "This is an additional FQL query that can be included in requests to the API. You should not include any reference to the `modified_timestamp` property. See the [FalconPy documentation](https://www.falconpy.io/Usage/Falcon-Query-Language.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "facet",
              "type": "text",
              "title": "Facet",
              "description": "Select various details blocks to be returned for each vulnerability entity. Supported values are host_info, remediation, cve, evaluation_logic.",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "host_info",
                "remediation",
                "cve",
                "evaluation_logic"
              ]
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "crowdstrike-vulnerability"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve crowdstrike.vulnerability fields that were mapped to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Vulnerabilities",
          "description": "Collect vulnerability data from CrowdStrike Falcon Spotlight.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "crowdstrike",
      "path": "vulnerability"
    }
  ]
}
