CrowdStrike 数据来源配置
与 CrowdStrike Falcon 的集成配置
CrowdStrike Falcon 数据复制器(FDR)依托 CrowdStrike 安全云平台及业界领先的人工智能(AI)技术,实现端点、云工作负载与身份数据的交付和数据增强,助力您的团队提炼切实可行的见解信息,提升安全运营中心(SOC)的运营效能。Amazon CloudWatch Logs 支持将这类数据收集到 CloudWatch Logs 中。
Amazon S3 与 Amazon SQS 设置说明
将 CrowdStrike FDR 配置为向 Amazon S3 存储桶推送日志,需执行多个操作步骤,核心为搭建 Amazon S3 存储桶、配置 Amazon SQS 队列、创建 IAM 角色,再完成 Amazon 遥测管道配置。
-
确保在您的 CrowdStrike Falcon 环境中启用 CrowdStrike FDR。该功能的启用通常需要特定授权许可,必要时可联系 CrowdStrike 支持团队协助操作。
-
用于存储 CrowdStrike 日志的 Amazon S3 存储桶,需部署在 FDR 功能已启用的同一 Amazon 区域。
-
为该 Amazon S3 存储桶配置事件通知,需专门针对“对象创建”事件进行设置。这些通知需发送到 Amazon SQS 队列。
-
Amazon SQS 队列必须与您的 Amazon S3 存储桶位于同一 Amazon 区域。此队列将在新的日志文件添加到 Amazon S3 存储桶时收到通知。
配置 CloudWatch 管道
将管道配置为从 CrowdStrike FDR 读取数据时,需选择 CrowdStrike 作为数据来源。填写必填信息并创建管道后,所选的 CloudWatch Logs 日志组中将显示数据。
支持的开放式网络安全架构框架事件类
本次集成支持 OCSF 架构 v1.5.0 版本,同时支持可映射到“检测调查发现”(2004)和“进程活动”(1007)的 CrowdStrike FDR 操作。
检测调查发现
“检测调查发现”事件包含以下操作:
-
CloudAssociateTreeIdWithRoot
-
CustomIOADomainNameDetectionInfoEvent
-
TemplateDetectAnalysis
进程活动
“进程活动”事件包含以下操作:
-
ActiveDirectoryIncomingPsExecExecution2
-
AndroidIntentSentIPC
-
AssociateTreeIdWithRoot
-
AutoRunProcessInfo
-
BamRegAppRunTime
-
BlockThreadFailed
-
BrowserInjectedThread
-
CidMigrationConfirmation
-
CodeSigningAltered
-
CommandHistory
-
CreateProcessArgs
-
CreateThreadNoStartImage
-
CriticalEnvironmentVariableChanged
-
CsUmProcessCrashAuxiliaryEvent
-
CsUmProcessCrashSummaryEvent
-
CustomIOABasicProcessDetectionInfoEvent
-
DebuggableFlagTurnedOn
-
DebuggedState
-
DllInjection
-
DocumentProgramInjectedThread
-
EarlyExploitPivotDetect
-
EndOfProcess
-
EnvironmentVariablesChanged
-
FalconProcessHandleOpDetectInfo
-
FlashThreadCreateProcess
-
IdpWatchdogRemediationActionTaken
-
InjectedThread
-
InjectedThreadFromUnsignedModule
-
IPCDetectInfo
-
JavaInjectedThread
-
KillProcessError
-
LsassHandleFromUnsignedModule
-
MacKnowledgeActivityEnd
-
MacKnowledgeActivityStart
-
NamespaceChanged
-
PcaAppLaunchEntry
-
PcaGeneralDbEntry
-
PrivilegedProcessHandle
-
PrivilegedProcessHandleFromUnsignedModule
-
ProcessActivitySummary
-
ProcessBlocked
-
ProcessControl
-
ProcessDataUsage
-
ProcessExecOnPackedExecutable
-
ProcessHandleOpDetectInfo
-
ProcessHandleOpDowngraded
-
ProcessInjection
-
ProcessPatternTelemetry
-
ProcessRollup
-
ProcessRollup2
-
ProcessRollup2Stats
-
ProcessSelfDeleted
-
ProcessSessionCreated
-
ProcessSubstituteUser
-
ProcessTokenStolen
-
ProcessTrace
-
ProcessTreeCompositionPatternTelemetry
-
PtTelemetry
-
PtyCreated
-
QueueApcEtw
-
ReflectiveDllOpenProcess
-
RegisterRawInputDevicesEtw
-
RemediationActionKillProcess
-
RemediationMonitorKillProcess
-
RuntimeEnvironmentVariable
-
ScriptControlDotNetMetadata
-
ScriptControlErrorEvent
-
ServiceStarted
-
SessionPatternTelemetry
-
SetThreadCtxEtw
-
SetWindowsHook
-
SetWindowsHookExEtw
-
SetWinEventHookEtw
-
ShellCommandLineInfo
-
SruApplicationTimelineProvider
-
SudoCommandAttempt
-
SuspectCreateThreadStack
-
SuspendProcessError
-
SuspiciousPrivilegedProcessHandle
-
SuspiciousUserFontLoad
-
SuspiciousUserRemoteAPCAttempt
-
SyntheticPR2Stats
-
SyntheticProcessRollup2
-
SyntheticProcessTrace
-
SystemTokenStolen
-
TerminateProcess
-
ThreadBlocked
-
UACAxisElevation
-
UACCOMElevation
-
UACExeElevation
-
UACMSIElevation
-
UmppcBypassSuspected
-
UnexpectedEnvironmentVariable
-
UserAssistAppLaunchInfo
-
UserSetProcessBreakOnTermination
-
WmiCreateProcess
-
WmiFilterConsumerBindingEtw