Corelight-sensor updates from CrowdStrike #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: James Lagermann <james.lagermann@corelight.com>
jlagermann
requested review from
sskcl,
jspackets,
niralishah-crest and
jayeshprajapaticrest
|
@niralishah-crest and @jayeshprajapaticrest |
jlagermann
commented
Apr 22, 2025
Comment on lines
524
to
+527
| // Log Fields | ||
| | case { | ||
| Vendor.level=* | ||
| | level = /::(?<log.level>.*)/; | ||
| * | ||
| | log.level := Vendor.severity.name; | ||
| Vendor.level=* | level = /::(?<log.level>.*)/; | ||
| * | log.level := Vendor.severity.name; |
There was a problem hiding this comment.
from CRWD
- should be here
Vendor.level? - here, I think you should extract the
log.levelfrom theVendor.levelnotlevelfield
Comment on lines
548
to
+551
| | source.bytes := coalesce([Vendor.orig_bytes, Vendor.orig_ip_bytes]) | ||
| | source.domain := rename(Vendor.domainname) | ||
| | lower(source.domain, as="source.domain") | ||
| | source.ip := rename(Vendor.id.orig_h) | ||
| | source.ip := rename(Vendor.client_src) | ||
| | source.ip := rename(Vendor.src) | ||
| | source.ip := rename(Vendor.dns_client) | ||
| | source.ip := rename(Vendor.client_addr) | ||
| | source.ip := rename(Vendor.data_channel.orig_h) | ||
| | source.mac := rename(Vendor.orig_l2_addr) | ||
| | source.mac := rename(Vendor.mac) | ||
| | source.port := rename(Vendor.host_p) | ||
| | source.port := rename(Vendor.id.orig_p) | ||
| | source.packets := rename(Vendor.orig_pkts) | ||
| | source.domain := lower(Vendor.domainname) | ||
| | source.ip := Vendor.id.orig_h | ||
| | source.ip := Vendor.client_src |
There was a problem hiding this comment.
from CRWD
- I wonder, if we should wrap it into case stmt to avoid overwrites in case single event can contain more than one such field?
Comment on lines
564
to
565
| | case { | ||
| // tx_hosts is an array by default containing multiple source IP's. Because of this, we'll map the all elements to related.ip. |
There was a problem hiding this comment.
from CRWD
- our CPS standard does not support related.* fields.
https://library.humio.com/logscale-parsing-standard/pasta-ecs.html
This section should be removed and mapped to other ecs fields.
Comment on lines
615
to
617
| | case { | ||
| // rx_hosts is an array by default containing multiple destination IP's. Because of this, we'll map the all elements to related.ip. | ||
| Vendor.rx_hosts[0] = * |
There was a problem hiding this comment.
from CRWD
- as previously stated our CPS standard does not support related.* fields. This should be removed or changed.
| | source.port := rename(Vendor.data_channel.orig_p); | ||
| !Vendor.data_channel.orig_p | source.port := Vendor.id.orig_p; | ||
| Vendor.id.orig_p = Vendor.data_channel.orig_p | source.port := Vendor.id.orig_p; | ||
| Vendor.id.orig_p != Vendor.data_channel.orig_p | source.port := Vendor.data_channel.orig_p; | ||
| *; | ||
| } | ||
|
|
There was a problem hiding this comment.
line 586-588
from CRWD
- can we support ipv6?
Comment on lines
+441
to
442
| // Event Categorization | ||
| | case { |
There was a problem hiding this comment.
from CRWD
- his is perfect examples to use a match()
Comment on lines
+467
to
+469
| _path = "http*" | ||
| | array:append("event.category[]", values=["network", "web"]) | ||
| | array:append("event.type[]", values=["connection", "protocol", "info"]); |
There was a problem hiding this comment.
from CRWD
- can be here set
accessfor event.type?
Comment on lines
+471
to
+487
| _path = "intel" | ||
| | event.kind := "alert" | ||
| | array:append("event.category[]", values=["threat", "network"]) | ||
| | array:append("event.type[]", values=["indicator"]) | ||
| | rule.name := "intel"; | ||
|
|
||
| _path = "suricata_corelight" | ||
| | event.kind := "alert" | ||
| | array:append("event.category[]", values=["threat", "network"]) | ||
| | array:append("event.type[]", values=["indicator"]) | ||
| | rule.name := Vendor.alert.signature; | ||
|
|
||
| _path = "notice" | ||
| | event.kind := "alert" | ||
| | array:append("event.category[]", values=["threat", "network"]) | ||
| | array:append("event.type[]", values=["indicator"]) | ||
| | rule.name := Vendor.msg; |
There was a problem hiding this comment.
from CRWD
- can you define type which corresponds to
networkcategory?
Comment on lines
+489
to
+491
| _path = "mysql" | ||
| | array:append("event.category[]", values=["network", "database"]) | ||
| | array:append("event.type[]", values=["connection", "protocol"]); |
There was a problem hiding this comment.
from CRWD
- can be here set
accesstype corresponding todatabasecategory?
Comment on lines
+509
to
+511
| _path = "smb_files" | ||
| | array:append("event.category[]", values=["network", "file"]) | ||
| | array:append("event.type[]", values=["connection", "protocol"]); |
There was a problem hiding this comment.
from CRWD
- can you define type which corresponds to
filecategory?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.