
Purpose

An analyst wants to detect malicious behavior on endpoints. Using the CrowdStrike Falcon Data Replicator SQS collector to send endpoint logs to Devo, the analyst can find unauthorized endpoint configuration changes. As a result, the analyst can revoke access to the affected endpoint, preventing an infection from proceeding to lateral movement and exfiltration.

Example tables

Table | Description
--- | ---
edr.crowdstrike.cannon | CrowdStrike Endpoint Detection
edr.crowdstrike.cannon.* | The fourth-level tag is determined by the event_simpleName field of the log.
domains.all | DNS logs, including edr.crowdstrike.cannon.dnsrequest
network.dns | DNS logs, including edr.crowdstrike.cannon.dnsrequest
edr.all.processes | Processes running on endpoints, including edr.crowdstrike.cannon.processrollup2
edr.all.netconns | Network connections made by endpoints, including edr.crowdstrike.cannon.networkconnectip4
edr.all.threats | Threats detected on endpoints, including edr.crowdstrike.cannon

Authorize It

Obtain credentials from CrowdStrike.


Run It

In the Cloud Collector App, create an SQS Collector instance using the following parameter template, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_fdr_large": {}
      },
      "credentials": {
        "aws_access_key_id": "<KEY_ID>",
        "aws_secret_access_key": "<SECRET>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>",
      "sqs_visibility_timeout": 1800
    }
  }
}

Secure It

Devo Exchange provides pre-built alerts:

Devo provides this activeboard:

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using this query:

from edr.crowdstrike.cannon
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of collector_id. The aid (CrowdStrike Agent ID) field can also be tracked, but be aware that inactivity of individual agents is very common.
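The following is an added illustration of the inactivity logic the alert above implements, written in Python rather than Devo's own alert engine; it is not Devo or CrowdStrike code. It assumes each event carries an eventdate, a hostchain of the form "collector-NNNNN" (so the collector_id is the token after "collector-", mirroring split(hostchain,"-",1)), and an aid field. The events, the 20-minute silence threshold and the clock value are constructed sample data. Running it side by side on collector_id and on aid shows why tracking aid produces far more inactivity hits than tracking collector_id.

```python
"""Inactivity check per collector_id and per aid, modelled on the Devo query above.

Added example, not Devo's or CrowdStrike's code. Assumptions: hostchain looks like
"collector-NNNNN", eventdate is an ISO-8601 UTC timestamp, and aid is the agent ID.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real FDR data).
SAMPLE_EVENTS = [
    {"eventdate": "2025-01-28T16:00:00Z", "hostchain": "collector-10001", "aid": "aid-a"},
    {"eventdate": "2025-01-28T16:30:00Z", "hostchain": "collector-10001", "aid": "aid-b"},
    {"eventdate": "2025-01-28T16:05:00Z", "hostchain": "collector-10002", "aid": "aid-c"},
    # No "collector-" token: the query's where clause drops this one.
    {"eventdate": "2025-01-28T16:10:00Z", "hostchain": "relay-999", "aid": "aid-d"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def collector_id(hostchain):
    """Stand-in for `where toktains(hostchain,"collector-") select split(hostchain,"-",1)`.

    Returns the collector_id, or None when the event would not pass the where clause.
    """
    if "collector-" not in hostchain:
        return None
    return hostchain.split("-", 1)[1]


def last_seen(events, key):
    """Map each tracked value (collector_id or aid) to the latest eventdate observed."""
    seen = {}
    for ev in events:
        k = collector_id(ev["hostchain"]) if key == "collector_id" else ev.get(key)
        if k is None:
            continue
        ts = parse_ts(ev["eventdate"])
        if k not in seen or ts > seen[k]:
            seen[k] = ts
    return seen


def inactive(events, key, now, max_silence):
    """Return the sorted tracked values that have been silent longer than max_silence."""
    return sorted(k for k, ts in last_seen(events, key).items() if now - ts > max_silence)


def report(events, now_iso, max_minutes):
    """Evaluate the alert at `now_iso`: (silent collectors, silent agents)."""
    now = parse_ts(now_iso)
    window = timedelta(minutes=max_minutes)
    return inactive(events, "collector_id", now, window), inactive(events, "aid", now, window)


if __name__ == "__main__":
    collectors, agents = report(SAMPLE_EVENTS, "2025-01-28T16:35:00Z", 20)
    print("silent collectors:", collectors)
    print("silent agents:", agents)
```

With the constructed data, only collector 10002 is flagged at 16:35, whereas three of the four agents are, which is the practical reason to key the alert on collector_id and treat per-agent silence as informational.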

Filtering

To discard all events with a particular event_simpleName before they are ingested, use the collector's built-in field mapping and add a line filter rule. For example, to drop ImageHash events:

      "services": {
        "aws_sqs_fdr_large": {
          "line_filter_rules": [
            [{"source": "record", "key": "event", "type": "match", "value": "ImageHash"}]
          ]
        }
      }

Filtered events are dropped before ingestion and are permanently removed; they cannot be recovered later.
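Because a line filter discards data irreversibly, it is worth being sure what a rule will match before enabling it. The block below is an added Python illustration, not the Devo collector's own implementation, that applies the rule shape shown above to a handful of constructed FDR lines and then derives the fourth-level Devo tag from event_simpleName as described in the table. It assumes semantics the page does not spell out: a "match" rule with source "record" compares the named key (with "event" mapping to event_simpleName) for equality against value, every rule inside one inner list must match for that group to apply, and a record is dropped when any group applies. The SHA256HashData value is a placeholder.

```python
"""Dry-run of an FDR line filter rule plus fourth-level tag routing.

Added example, not Devo's collector code. Rule semantics are assumed (see lead-in).
"""
import json

# The same rule as in the page's "line_filter_rules" configuration fragment.
LINE_FILTER_RULES = [
    [{"source": "record", "key": "event", "type": "match", "value": "ImageHash"}],
]

# Constructed sample FDR lines, one JSON object per line; not real telemetry.
SAMPLE_LINES = """
{"event_simpleName": "ProcessRollup2", "aid": "aid-a", "ImageFileName": "cmd.exe"}
{"event_simpleName": "ImageHash", "aid": "aid-a", "SHA256HashData": "<placeholder-sha256>"}
{"event_simpleName": "DnsRequest", "aid": "aid-b", "DomainName": "example.com"}
{"event_simpleName": "NetworkConnectIP4", "aid": "aid-b", "RemoteAddressIP4": "192.0.2.10"}
""".strip().splitlines()

BASE_TAG = "edr.crowdstrike.cannon"


def rule_matches(rule, record):
    """Assumed semantics of one rule: key "event" means event_simpleName, "match" is equality."""
    if rule["source"] != "record":
        return False
    key = "event_simpleName" if rule["key"] == "event" else rule["key"]
    if rule["type"] == "match":
        return record.get(key) == rule["value"]
    raise ValueError(f"unsupported rule type {rule['type']!r}")


def should_drop(record, rule_groups):
    """Drop when any group applies; a group applies when all of its rules match (assumed)."""
    return any(all(rule_matches(r, record) for r in group) for group in rule_groups)


def devo_tag(record):
    """Fourth-level tag is event_simpleName in lower case, e.g. ...cannon.processrollup2."""
    name = record.get("event_simpleName")
    return f"{BASE_TAG}.{name.lower()}" if name else BASE_TAG


def route(lines, rule_groups=LINE_FILTER_RULES):
    """Parse each line, drop filtered records, and bucket the rest by Devo tag.

    Returns ({tag: [records]}, number_dropped).
    """
    kept, dropped = {}, 0
    for line in lines:
        record = json.loads(line)
        if should_drop(record, rule_groups):
            dropped += 1
            continue
        kept.setdefault(devo_tag(record), []).append(record)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = route(SAMPLE_LINES)
    print(f"dropped {dropped} record(s) by line filter")
    for tag, records in sorted(kept.items()):
        print(tag, len(records))
```

Running this against a sample of your own queue output before changing the collector configuration shows exactly which records the rule would remove and under which tags the survivors would land; under the assumed semantics the ImageHash record is the only one dropped here.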
