...

Use this collector to get intelligence about attacks from CrowdStrike. It should be used together with the CrowdStrike Falcon Data Replicator SQS collector, which replicates endpoint logs to Devo. In addition to these collectors, custom data can be sent from CrowdStrike Falcon to Devo using a webhook and Devo’s HTTP endpoint.

An analyst wants to create an alert that triggers when there is a brute force attack on Active Directory. Using this collector, the “Password brute force attack (Active Directory)” event in CrowdStrike will trigger the alert so the analyst can determine if the attack was successful using a separate log of successful logins. The analyst will disable compromised accounts, preventing the brute force attacker from exfiltrating data.

An analyst wants to create an alert that will trigger when an endpoint is infected by a rootkit. Using this collector, the “Attempt to tamper with Falcon sensor” event in CrowdStrike will trigger an alert indicating use of Windows Remote Management to prevent CrowdStrike from sensing subsequent actions. The analyst will isolate the endpoint to prevent it from collecting users' passwords.
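As an added illustration of the two alert use cases above (example code, not part of the Devo or CrowdStrike documentation), the correlation below runs over constructed sample records: it pairs each "Password brute force attack (Active Directory)" detection with a successful login for the same account shortly afterwards, and lists hosts with a "Attempt to tamper with Falcon sensor" detection for isolation. The field names ts, name, user, host and src are assumptions, not the real detection_summary schema.

```python
from datetime import datetime, timedelta

BRUTE_FORCE_EVENT = "Password brute force attack (Active Directory)"
SENSOR_TAMPER_EVENT = "Attempt to tamper with Falcon sensor"

# Constructed sample CrowdStrike detection events (field names are assumed, not the real schema).
DETECTIONS = [
    {"ts": "2024-05-01T10:00:00", "name": BRUTE_FORCE_EVENT, "user": "jdoe", "host": "WS-01"},
    {"ts": "2024-05-01T10:05:00", "name": SENSOR_TAMPER_EVENT, "user": "svc-backup", "host": "WS-02"},
    {"ts": "2024-05-01T11:00:00", "name": BRUTE_FORCE_EVENT, "user": "asmith", "host": "WS-03"},
]

# Constructed sample successful-login records from a separate log source.
LOGINS = [
    {"ts": "2024-05-01T10:12:00", "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:30:00", "user": "asmith", "src": "10.0.0.9"},  # before the attack, not a hit
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def brute_force_followed_by_login(detections, logins, window=timedelta(minutes=30)):
    """Return accounts that logged in successfully within `window` after a brute-force detection.

    A hit means the attack may have succeeded and the account is a candidate for disabling.
    """
    hits = []
    for det in detections:
        if det["name"] != BRUTE_FORCE_EVENT:
            continue
        start = parse_ts(det["ts"])
        for login in logins:
            if login["user"] != det["user"]:
                continue
            login_ts = parse_ts(login["ts"])
            if start <= login_ts <= start + window:
                minutes = int((login_ts - start).total_seconds() // 60)
                hits.append({"user": det["user"], "host": det["host"],
                             "login_src": login["src"], "minutes_after": minutes})
    return hits


def hosts_to_isolate(detections):
    """Return the distinct hosts with a sensor-tamper detection, in first-seen order."""
    seen = []
    for det in detections:
        if det["name"] == SENSOR_TAMPER_EVENT and det["host"] not in seen:
            seen.append(det["host"])
    return seen
```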

Example tables

Table | Description
edr.crowdstrike.falconstreaming.* | Data from different CrowdStrike APIs
edr.crowdstrike.falconstreaming.detection_summary | Threat intelligence relating to processes and users.
edr.crowdstrike.falconstreaming.alert | Threat intelligence relating to files.

Devo Collector Features

Feature | Details
Allow parallel downloading (multipod) | Not allowed
Running environments | Collector Server, On Premise
Populated Devo events | Table
Flattening pre-processing | No
Allowed source events obfuscation | No

...