CrowdStrike External Alerts

Generates a detection alert for each CrowdStrike alert written to the configured indices. Enabling this rule allows you to immediately begin investigating CrowdStrike alerts in the app.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/07/31"
integration = ["crowdstrike"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for CrowdStrike alert promotion"
updated_date = "2025/09/02"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each CrowdStrike alert written to the configured indices. Enabling this rule allows you
to immediately begin investigating CrowdStrike alerts in the app.
"""
from = "now-2m"
index = ["logs-crowdstrike.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "CrowdStrike External Alerts"
note = """## Triage and analysis

### Investigating CrowdStrike External Alerts

CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.

### Possible investigation steps

- Review the associated process, file path, and command line to determine whether the activity is legitimate or suspicious.
- Investigate the user account and host involved in the alert to validate whether the activity was authorized.
- Cross-reference the alert with CrowdStrike Falcon console for additional context, including process tree, behavioral tags, and threat intelligence matches.
- Check for any related alerts from the same host, user, or file hash to identify whether this is part of a larger attack chain.
- Consult the CrowdStrike investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts involving known and trusted software tools (e.g., remote administration tools) may be false positives. Confirm intent before excluding.
- Security assessments or penetration testing activities might mimic real threats. Validate the activity with responsible teams.
- Scheduled jobs, IT scripts, or automation tools may trigger alerts if they behave similarly to malicious code.
- Review alerts based on detection confidence levels and behavioral scoring to filter out low-confidence or known-benign triggers.

### Response and remediation

- Isolate affected endpoints to prevent lateral movement if malicious behavior is confirmed.
- Quarantine any identified malicious files and block related hashes or domains.
- Investigate how the threat entered the environment and close any exploited vulnerabilities.
- Reset credentials for compromised user accounts or escalate to incident response.
- Review CrowdStrike Falcon policies and detections to fine-tune future alerting and response coverage.
- Document the findings and update detection logic or exceptions accordingly.
"""
references = ["https://docs.elastic.co/en/integrations/crowdstrike"]
risk_score = 47
rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58"
rule_name_override = "crowdstrike.alert.name"
setup = """## Setup

### CrowdStrike Alert Integration
This rule is designed to capture alert events generated by the CrowdStrike integration and promote them as Elastic detection alerts.

To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:crowdstrike.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Crowdstrike", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: crowdstrike.alert
'''

[[rule.risk_score_mapping]]
field = "crowdstrike.alert.incident.score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
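The rule above does three things that are easy to misread in TOML form: it selects documents with the query `event.kind: alert and data_stream.dataset: crowdstrike.alert`, it derives the promoted alert's severity from `event.severity` through the four `severity_mapping` entries (any other value keeps the rule default of `medium`), and it copies `crowdstrike.alert.incident.score` into the risk score when that field is present (otherwise the default of 47 applies). The setup notes also warn about duplicate alerts when the generic External Alerts rule is enabled at the same time. The following Python simulator is an added example, not Elastic's or Kibana's code: it replays those mappings over a few constructed sample documents and shows the duplicate-count effect of the dataset exception the setup section recommends. The query of the generic External Alerts rule is not on the page, so the stand-in below assumes it matches every `event.kind: alert` document; the handling of out-of-range or non-numeric risk scores (fall back to the default) is likewise this simulator's own choice.

```python
# Added example (not Elastic's or Kibana's code): simulate how the
# "CrowdStrike External Alerts" promotion rule selects documents and
# derives name, severity and risk score, then show the duplicate-alert
# caveat from the rule's setup notes.

# Settings copied from the rule TOML above.
RULE_NAME = "CrowdStrike External Alerts"
RULE_DATASET = "crowdstrike.alert"                      # from the query
RULE_NAME_OVERRIDE = "crowdstrike.alert.name"           # rule_name_override
RISK_SCORE_FIELD = "crowdstrike.alert.incident.score"   # risk_score_mapping
DEFAULT_SEVERITY = "medium"                             # severity
DEFAULT_RISK_SCORE = 47                                 # risk_score
SEVERITY_MAPPING = {"21": "low", "47": "medium", "73": "high", "99": "critical"}


def get_field(doc, path):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_crowdstrike_rule(doc):
    """Equivalent of: event.kind: alert and data_stream.dataset: crowdstrike.alert"""
    return (get_field(doc, "event.kind") == "alert"
            and get_field(doc, "data_stream.dataset") == RULE_DATASET)


def map_severity(doc):
    """Apply the four severity_mapping entries; unmapped or missing values keep the default."""
    value = get_field(doc, "event.severity")
    if value is None:
        return DEFAULT_SEVERITY
    return SEVERITY_MAPPING.get(str(value), DEFAULT_SEVERITY)


def map_risk_score(doc):
    """risk_score_mapping with value = "" copies the field's own numeric value.
    Assumption of this simulator: missing, non-numeric or out-of-range (not 0-100)
    values fall back to the rule's default risk score."""
    value = get_field(doc, RISK_SCORE_FIELD)
    try:
        score = float(value)
    except (TypeError, ValueError):
        return DEFAULT_RISK_SCORE
    if not 0 <= score <= 100:
        return DEFAULT_RISK_SCORE
    return int(score)


def promote(doc):
    """Return the promoted alert's key fields, or None if the rule does not match."""
    if not matches_crowdstrike_rule(doc):
        return None
    return {
        "name": get_field(doc, RULE_NAME_OVERRIDE) or RULE_NAME,
        "severity": map_severity(doc),
        "risk_score": map_risk_score(doc),
        # timestamp_override = "event.ingested", falling back to @timestamp
        "timestamp": get_field(doc, "event.ingested") or get_field(doc, "@timestamp"),
    }


def matches_external_alerts_rule(doc, excluded_datasets=()):
    """Assumed stand-in for the generic External Alerts promotion rule (its query is
    not shown on the page): match every event.kind: alert document, minus any dataset
    listed in a rule exception."""
    return (get_field(doc, "event.kind") == "alert"
            and get_field(doc, "data_stream.dataset") not in excluded_datasets)


def count_alerts_per_doc(docs, external_rule_exceptions=()):
    """Detection alerts each document produces with both promotion rules enabled."""
    return [int(matches_crowdstrike_rule(d))
            + int(matches_external_alerts_rule(d, external_rule_exceptions))
            for d in docs]


# Constructed sample documents (not real CrowdStrike data).
SAMPLE_DOCS = [
    {   # mapped severity (73 -> high) and an incident score present
        "@timestamp": "2025-09-02T10:00:00Z",
        "event": {"kind": "alert", "severity": 73, "ingested": "2025-09-02T10:00:05Z"},
        "data_stream": {"dataset": "crowdstrike.alert"},
        "crowdstrike": {"alert": {"name": "Suspicious Process Execution",
                                  "incident": {"score": 85}}},
    },
    {   # severity 50 is not one of the four mapped values; no incident score
        "@timestamp": "2025-09-02T10:01:00Z",
        "event": {"kind": "alert", "severity": 50},
        "data_stream": {"dataset": "crowdstrike.alert"},
        "crowdstrike": {"alert": {"name": "Custom IOA"}},
    },
    {   # an alert from a different dataset: ignored by this rule
        "@timestamp": "2025-09-02T10:02:00Z",
        "event": {"kind": "alert", "severity": 73},
        "data_stream": {"dataset": "other.alerts"},
    },
]

if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        print(promote(d))
    print("both rules, no exception:", count_alerts_per_doc(SAMPLE_DOCS))
    print("with dataset exception:  ",
          count_alerts_per_doc(SAMPLE_DOCS, ("crowdstrike.alert",)))
```

Running it shows the first two CrowdStrike documents each producing two alerts when both rules are on, and one each once the External Alerts rule carries an exception for `data_stream.dataset:crowdstrike.alert`; the third document is untouched by the exception because it belongs to another dataset.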

Triage and analysis

Investigating CrowdStrike External Alerts

CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.

Possible investigation steps

  • Review the associated process, file path, and command line to determine whether the activity is legitimate or suspicious.
  • Investigate the user account and host involved in the alert to validate whether the activity was authorized.
  • Cross-reference the alert with CrowdStrike Falcon console for additional context, including process tree, behavioral tags, and threat intelligence matches.
  • Check for any related alerts from the same host, user, or file hash to identify whether this is part of a larger attack chain.
  • Consult the CrowdStrike investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

False positive analysis

  • Alerts involving known and trusted software tools (e.g., remote administration tools) may be false positives. Confirm intent before excluding.
  • Security assessments or penetration testing activities might mimic real threats. Validate the activity with responsible teams.
  • Scheduled jobs, IT scripts, or automation tools may trigger alerts if they behave similarly to malicious code.
  • Review alerts based on detection confidence levels and behavioral scoring to filter out low-confidence or known-benign triggers.

Response and remediation

  • Isolate affected endpoints to prevent lateral movement if malicious behavior is confirmed.
  • Quarantine any identified malicious files and block related hashes or domains.
  • Investigate how the threat entered the environment and close any exploited vulnerabilities.
  • Reset credentials for compromised user accounts or escalate to incident response.
  • Review CrowdStrike Falcon policies and detections to fine-tune future alerting and response coverage.
  • Document the findings and update detection logic or exceptions accordingly.
