tools/config/crowdstrike.yml

title: Splunk used in Falcon Portal
order: 20
backends:
  - crowdstrike
logsources:
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      EventID: 1
  process_creation_1:
    category: process_creation
    product: windows

fieldmappings:
  EventID: EventID
  CommandLine: Commandline
  Command_Line: Commandline
  cmdline: Commandline
  Image: ImageFileName
  TargetFilename: TargetFilename
  image: ImageFileName
  image_path: ImageFileName
  OriginalFileName: ImageFileName
  sha1: SHA1HashData
  user: UserName
  TaskName: TaskName
  ParentImage: ParentBaseFileName
  parent_image: ParentBaseFileName
  ServiceName: ServiceName
docs: better title in crowdstrike config 2021-06-10 17:07:01 +02:00			`title: Splunk used in Falcon Portal`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`order: 20`
			`backends:`
			`- crowdstrike`
			`logsources:`
			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`EventID: 1`
			`process_creation_1:`
			`category: process_creation`
			`product: windows`

			`fieldmappings:`
			`EventID: EventID`
			`CommandLine: Commandline`
			`Command_Line: Commandline`
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support 2021-09-13 14:17:33 -05:00			`cmdline: Commandline`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`Image: ImageFileName`
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support 2021-09-13 14:17:33 -05:00			`TargetFilename: TargetFilename`
			`image: ImageFileName`
			`image_path: ImageFileName`
			`OriginalFileName: ImageFileName`
			`sha1: SHA1HashData`
			`user: UserName`
			`TaskName: TaskName`
			`ParentImage: ParentBaseFileName`
			`parent_image: ParentBaseFileName`
			`ServiceName: ServiceName`