Crowdstrike
Use the IBM Security QRadar Custom Properties for Crowdstrike Content Extension to closely monitor your Crowdstrike deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Crowdstrike Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Crowdstrike Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Action | Yes | 1 | objective=(.*?)\t |
Action Result | No | 1 | outcome=(.*?)\t |
Alert Severity | No | 1 | sev=(.*?)\t |
Connection Direction | No | 1 | connDir=(.*?)\t |
Detection Engine | No | 1 | scanResultEngine=(.*?)\t |
Disposition | No | 1 | patternDisposition=(.*?)\t |
DNS Request Domain | No | 1 | dnsRequestdomain=(.*?)\t |
DNS Request Type | No | 1 | requestType=(.*?)\t |
Domain | No | 1 | domain=(.*?)(?:\t|$|\|) |
File Directory | Yes | 1 | docAccessedFilePath=(.*?)(?:\t|$) exeWrittenFilePath=(.*?)(?:\t|$|\|) filePath=(.*?)\t |
File Extension | Yes | 1 | fileName=.*?\.(.*?)\t exeWrittenFileName=.*?\.(.*?)(?:\t|$|\|) docAccessedFileName=.*?\.(.*?)(?:\t|$|\|) |
Filename | Yes | 1 | exeWrittenFileName=(.*?)(?:\t|$|\|) fileName=(.*?)\t docAccessedFileName=(.*?)(?:\t|$|\|) |
MD5 Hash | Yes | 1 | md5=(.*?)\t |
Message | No | 1 | description=(.*?)\t |
Process CommandLine | Yes | 1 | commandLine=(.*?)\t |
Resource | Yes | 1 | resource=(.*?)(?:\t|$|\|) |
Service Name | Yes | 1 | serviceName=(.*?)\t |
SHA256 Hash | Yes | 1 | sha256=(.*?)\t |
Tactic | No | 1 | tactic=(.*?)(?:\t|$|\|) |
Technique | No | 1 | technique=(.*?)(?:\t|$|\|) |
Threat Name | Yes | 1 | scanResultName=(.*?)\t |
TLS or SSL protocol level | No | 1 | proto=(.*?)\t |
URL | Yes | 1 | url=(.*?)(?:\t|$|\|) |
UrlHost | Yes | 1 | url=(?:(?:http|ftp|tcp|ssl|https|tunnel):\/\/)(.*?)(?=\s|\\|\"|\/|\:) |
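The following Python script is an added example, not code shipped with the content extension or with QRadar. It applies a subset of the expressions from the table above to a constructed, tab-delimited CrowdStrike-style event so you can see which value each property yields. Where the table lists more than one expression for a property (File Directory, Filename), the script tries them in the listed order and keeps the first match; that ordering is an assumption made here for illustration. The sample events, the hash values and the file path are constructed placeholders. The second event also shows the difference between expressions that end in `\t` and those that end in `(?:\t|$|\|)`: the former need a tab after the value, so they miss a field that closes the line.

```python
import re

# Expressions copied from the content extension table above. Every expression
# returns its value from capture group 1, as the table states. For properties
# with more than one expression, this example tries them in order and keeps
# the first match (an assumption for illustration; QRadar selects expressions
# per log source type and event).
CUSTOM_PROPERTIES = {
    "Action": [r"objective=(.*?)\t"],
    "Disposition": [r"patternDisposition=(.*?)\t"],
    "Domain": [r"domain=(.*?)(?:\t|$|\|)"],
    "File Directory": [
        r"docAccessedFilePath=(.*?)(?:\t|$)",
        r"exeWrittenFilePath=(.*?)(?:\t|$|\|)",
        r"filePath=(.*?)\t",
    ],
    "Filename": [
        r"exeWrittenFileName=(.*?)(?:\t|$|\|)",
        r"fileName=(.*?)\t",
        r"docAccessedFileName=(.*?)(?:\t|$|\|)",
    ],
    "Process CommandLine": [r"commandLine=(.*?)\t"],
    "SHA256 Hash": [r"sha256=(.*?)\t"],
    "Tactic": [r"tactic=(.*?)(?:\t|$|\|)"],
    "Technique": [r"technique=(.*?)(?:\t|$|\|)"],
    "UrlHost": [r"url=(?:(?:http|ftp|tcp|ssl|https|tunnel):\/\/)(.*?)(?=\s|\\|\"|\/|\:)"],
}


def extract(event, name):
    """Return the value of custom property `name` for one event, or None."""
    for pattern in CUSTOM_PROPERTIES[name]:
        match = re.search(pattern, event)
        if match:
            return match.group(1)
    return None


def extract_all(event):
    """Evaluate every property in the table subset against one event."""
    return {name: extract(event, name) for name in CUSTOM_PROPERTIES}


# Constructed CrowdStrike-style event: tab-separated key=value fields.
# Hash and path values are placeholders, not real indicators.
SAMPLE_EVENT = "\t".join([
    "objective=Falcon Detection Method",
    "patternDisposition=Detection, process blocked from execution.",
    "tactic=Execution",
    "technique=PowerShell",
    r"filePath=\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0",
    "fileName=powershell.exe",
    "commandLine=powershell.exe -NoProfile -File script.ps1",
    "sha256=" + "a" * 64,
    "url=https://example.com/path/index.html",
    "domain=example.com",
])

# Constructed event where the sha256 field is the last one on the line.
SAMPLE_EVENT_SHA_LAST = "\t".join([
    "objective=Falcon Detection Method",
    "sha256=" + "b" * 64,
])


if __name__ == "__main__":
    for name, value in extract_all(SAMPLE_EVENT).items():
        print(f"{name}: {value!r}")
    # sha256=(.*?)\t needs a tab after the hash, so a trailing field is missed...
    print("trailing sha256:", extract(SAMPLE_EVENT_SHA_LAST, "SHA256 Hash"))
    # ...and is found again once the line carries a terminating tab.
    print("padded sha256:", extract(SAMPLE_EVENT_SHA_LAST + "\t", "SHA256 Hash"))
```

When checking a property that returns nothing in the Log Activity tab, compare where the field sits in the raw payload with the terminator its expression requires: the `\t`-terminated expressions (MD5 Hash, SHA256 Hash, Process CommandLine, and others in the table) only match when another field follows, while those ending in `(?:\t|$|\|)` also match at end of line.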