Crowdstrike

Use the IBM® QRadar® Custom Properties for Crowdstrike Content Extension to closely monitor your Crowdstrike deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Crowdstrike Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Crowdstrike Content Extension 1.0.0.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Crowdstrike Content Extension 1.0.0
Name Optimized Capture Group Regex
Action Yes 1 objective=(.*?)\t
Action Result No 1 outcome=(.*?)\t
Alert Severity No 1 sev=(.*?)\t
Connection Direction No 1 connDir=(.*?)\t
Detection Engine No 1 scanResultEngine=(.*?)\t
Disposition No 1 patternDisposition=(.*?)\t
DNS Request Domain No 1 dnsRequestdomain=(.*?)\t
DNS Request Type No 1 requestType=(.*?)\t
Domain No 1 domain=(.*?)(?:\t|$|\|)
File Directory Yes 1 docAccessedFilePath=(.*?)(?:\t|$)

exeWrittenFilePath=(.*?)(?:\t|$|\|)

filePath=(.*?)\t
File Extension Yes 1 fileName=.*?\.(.*?)\t

exeWrittenFileName=.*?\.(.*?)(?:\t|$|\|)

docAccessedFileName=.*?\.(.*?)(?:\t|$|\|)
Filename Yes 1 exeWrittenFileName=(.*?)(?:\t|$|\|)

fileName=(.*?)\t

docAccessedFileName=(.*?)(?:\t|$|\|)
MD5 Hash Yes 1 md5=(.*?)\t
Message No 1 description=(.*?)\t
Process CommandLine Yes 1 commandLine=(.*?)\t
Resource Yes 1 resource=(.*?)(?:\t|$|\|)
Service Name Yes 1 serviceName=(.*?)\t
SHA256 Hash Yes 1 sha256=(.*?)\t
Tactic No 1 tactic=(.*?)(?:\t|$|\|)
Technique No 1 technique=(.*?)(?:\t|$|\|)
Threat Name Yes 1 scanResultName=(.*?)\t
TLS or SSL protocol level No 1 proto=(.*?)\t
URL Yes 1 url=(.*?)(?:\t|$|\|)
UrlHost Yes 1 url=(?:(?:http|ftp|tcp|ssl|https|tunnel):\/\/)(.*?)(?=\s|\\|\"|\/|\:)