CrowdStrike FDR events: reduce event size
Disclaimer
By using SPL2 templates for data processing (the “templates”), you understand and agree that templates are provided “as is”. Splunk disclaims any and all warranties, express or implied, including without limitation the implied warranties of merchantability, fitness for a particular purpose and warranties arising out of course of dealing or usage of trade or by statute or in law. Splunk specifically does not warrant that templates will meet your requirements, the operation or output of templates will be error-free, accurate, reliable, complete or uninterrupted.
Use case
Takes CrowdStrike FDR event data and removes fields from events that are not used for CIM mappings and security detections, removes null fields, drops events that carry no analytic value, and removes events whose RemoteAddressIP4 and LocalAddressIP4 are the same.
Template details
Compatibility
This template is compatible with Splunk Add-on for CrowdStrike FDR v2.0.0 and higher.
Template description
This is a sample pipeline that reduces the size of CrowdStrike FDR events and extracts a few recommended event fields while preserving compatibility with the Splunk Common Information Model (CIM) and Security Detections. This pipeline takes data that has the source type “crowdstrike:events:sensor” and then does the following:
- keeps only the fields listed in the function retains_only_escu_cim_fields and removes the rest
- drops events based on event_simpleName
- removes null fields in event
- drops events where RemoteAddressIP4 and LocalAddressIP4 are the same
Supported sourcetypes
This template supports the following sourcetype:
crowdstrike:events:sensor
which means that this pipeline processes only events with that sourcetype.
Events not matching the above sourcetype are passed through the pipeline unchanged, and their sourcetype is not modified.
Template outline
The template consists of one custom function followed by a pipeline that uses this function.
Functions
The following table shows all functions, including possible configuration options.

Function | Description
---|---
drop_events_by_simple_name | Drops events based on event_simpleName.
simple_names_to_drop (configuration option) | The event_simpleName values that should be dropped.
remove_null_fields | Removes null fields from the event, if there are any, and keeps all other fields unchanged.
drop_events_remote_local_ip_same | Removes events where RemoteAddressIP4 and LocalAddressIP4 are the same.
retains_only_escu_cim_fields | Removes all fields that are not used in CIM or ESCU detections.
process_crowdstrike_event | Calls drop_events_by_simple_name, drop_events_remote_local_ip_same and remove_null_fields.
Pipeline
The pipeline outline has the following stages:
- branches based on whether the event is valid JSON
- if the JSON is valid, the event goes to the function process_crowdstrike_event
- if the JSON is invalid, the event is ingested directly without any adjustments
Configuration options
You can customize the index field based on your environment configuration. Additional configuration can be done using SPL2. By default, the function retains_only_escu_cim_fields is disabled; to enable it and achieve maximum reduction, uncomment its call in the function process_crowdstrike_event.
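The stages described above and the retains_only_escu_cim_fields toggle can be modelled outside Splunk to reason about what the template keeps and discards before it is deployed. The following Python is an added example written for this page; it is not the template's SPL2 and not Splunk or CrowdStrike code. The drop list (SIMPLE_NAMES_TO_DROP), the field allowlist (ESCU_CIM_FIELDS) and the sample records are constructed assumptions, because the page does not list the template's actual values; the real lists live in the template's SPL2 functions simple_names_to_drop and retains_only_escu_cim_fields.

```python
import json
from typing import Optional

SOURCETYPE = "crowdstrike:events:sensor"

# Constructed for this example: the template's real drop list and field allowlist
# live in its SPL2 functions simple_names_to_drop and retains_only_escu_cim_fields.
SIMPLE_NAMES_TO_DROP = {"ExampleNoisyEvent", "AnotherNoisyEvent"}  # hypothetical
ESCU_CIM_FIELDS = {  # hypothetical allowlist, not the template's list
    "event_simpleName", "timestamp", "aid", "ComputerName", "UserName",
    "CommandLine", "ImageFileName", "ParentBaseFileName", "SHA256HashData",
    "LocalAddressIP4", "LocalPort", "RemoteAddressIP4", "RemotePort",
}


def drop_events_by_simple_name(event: dict, names=SIMPLE_NAMES_TO_DROP) -> Optional[dict]:
    """Stage 1: drop the whole event when its event_simpleName is on the drop list."""
    return None if event.get("event_simpleName") in names else event


def drop_events_remote_local_ip_same(event: dict) -> Optional[dict]:
    """Stage 2: drop records whose RemoteAddressIP4 equals LocalAddressIP4.
    Both fields must be present; two missing values do not count as 'the same'."""
    remote, local = event.get("RemoteAddressIP4"), event.get("LocalAddressIP4")
    if remote is not None and local is not None and remote == local:
        return None
    return event


def remove_null_fields(event: dict) -> dict:
    """Stage 3: strip fields that carry no value (JSON null or empty string)."""
    return {k: v for k, v in event.items() if v is not None and v != ""}


def retains_only_escu_cim_fields(event: dict, keep=ESCU_CIM_FIELDS) -> dict:
    """Optional stage: keep only allowlisted fields (disabled by default in the template)."""
    return {k: v for k, v in event.items() if k in keep}


def process_crowdstrike_event(event: dict, reduce_fields: bool = False) -> Optional[dict]:
    """Apply the stages in the documented order; None means the event was dropped."""
    for stage in (drop_events_by_simple_name, drop_events_remote_local_ip_same):
        event = stage(event)
        if event is None:
            return None
    event = remove_null_fields(event)
    if reduce_fields:  # plays the role of uncommenting the call in the template
        event = retains_only_escu_cim_fields(event)
    return event


def run_pipeline(raw: str, sourcetype: str = SOURCETYPE, reduce_fields: bool = False) -> Optional[str]:
    """Pipeline branch: other sourcetypes and invalid JSON pass through untouched;
    valid JSON objects are processed and re-serialised; dropped events return None."""
    if sourcetype != SOURCETYPE:
        return raw
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return raw
    if not isinstance(event, dict):
        return raw
    processed = process_crowdstrike_event(event, reduce_fields)
    return None if processed is None else json.dumps(processed, separators=(",", ":"))


# Constructed sample records (not real FDR output): a process event with null/empty and
# non-allowlisted fields, a same-IP network event, a drop-listed event, and broken JSON.
SAMPLE_RAW = [
    r'{"event_simpleName":"ProcessRollup2","aid":"0123456789abcdef","ComputerName":"WS01",'
    r'"CommandLine":"cmd.exe /c whoami","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",'
    r'"ParentBaseFileName":null,"SHA1HashData":"","ConfigBuild":"1007.3.0016606.1","timestamp":"1700000000000"}',
    r'{"event_simpleName":"NetworkConnectIP4","aid":"0123456789abcdef","LocalAddressIP4":"10.0.0.5",'
    r'"RemoteAddressIP4":"10.0.0.5","RemotePort":"445"}',
    r'{"event_simpleName":"ExampleNoisyEvent","aid":"0123456789abcdef"}',
    r'not json at all',
]


def reduction_summary(raws, reduce_fields: bool = False) -> dict:
    """Events and bytes in versus out across a batch, so the saving can be measured."""
    outputs = [run_pipeline(r, reduce_fields=reduce_fields) for r in raws]
    kept = [o for o in outputs if o is not None]
    return {"events_in": len(raws), "events_out": len(kept),
            "bytes_in": sum(len(r) for r in raws), "bytes_out": sum(len(o) for o in kept)}


if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(run_pipeline(raw, reduce_fields=True))
    print(reduction_summary(SAMPLE_RAW, reduce_fields=True))
```

Run it once with reduce_fields off to see the template's default behaviour and once with it on to see the maximum reduction. Before enabling the allowlist in production, compare reduction_summary on a batch of your own exported FDR records: every field the allowlist drops is unavailable to later searches, so the allowlist has to be checked against the detections you actually run, not only against the size saving.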