Security Monitoring with CrowdStrike Falcon Events

Gain insights and visibility into CrowdStrike Falcon events

TL;DR

With the Panther log puller for CrowdStrike, teams can ingest CrowdStrike Falcon data, apply Python-based real-time detections, and search through historical data with SQL. Common security use cases for CrowdStrike and Panther include:

  • Monitoring DNS requests from endpoints
  • Searching IOCs across normalized CrowdStrike Falcon logs
  • Analyzing launched processes and network connections to correlate malware communications
  • And more!

In this spotlight, we’ll highlight how you can leverage Panther to get additional value from CrowdStrike Falcon events and add an extra layer of analysis, real-time alerting, and investigation capabilities with long-term storage. 

Using The Falcon Data Replicator

To get started, use Panther to collect CrowdStrike endpoint events by integrating with the CrowdStrike Falcon Data Replicator (FDR). For those that might not know, the raw event data generated by CrowdStrike is ingested into CrowdStrike ThreatGraph and used to detect sophisticated attacker behaviors by watching processes, network connections, and more. 

The CrowdStrike FDR allows teams to push raw event data from CrowdStrike’s Platform to an Amazon S3 bucket. This way, your data can be ingested, transformed, analyzed, and stored alongside the rest of your security telemetry.

How It Works

Panther extends CrowdStrike’s capabilities by ingesting and normalizing the data to make it easily searchable in order to investigate and understand the full scope of an incident. CrowdStrike stores the endpoint data temporarily, which can make it difficult to identify why an alert might have been triggered. This lack of visibility leads to gaps in the narrative and vulnerabilities in your environment. Panther enables you to utilize your aggregated CrowdStrike data and provides an additional layer of detection with real-time alerting. 

Panther normalizes and stores CrowdStrike logs into a highly-scalable security data lake for long-term retention, making it possible to run analytics over large amounts of FDR data. This gives teams full end-to-end context of their environments, as well as the ability to run forensics, triage alerts, and identify suspicious activity to quickly detect, investigate, and respond to potential breaches. 

When an alert is generated from the FDR data (or other logs), Panther will dispatch a notification to security teams to triage the alert in systems like PagerDuty, Slack, Jira, or Microsoft Teams. Simultaneously, the normalized FDR data will get pushed to a data lake, organized by event type (network connection, DNS query, process information, etc).

If you’re interested in learning more about how Panther extends your data lake, read what Snowflake CISO, Omer Singer, says about Snowflake & Panther, or check out the on-demand webinar “Replacing legacy SIEM with Panther & Snowflake.” (I don’t think you’ll regret it).

Detect and Investigate

With Panther, teams can onboard CrowdStrike Falcon, analyze with Python, and query with SQL, allowing teams to better:

  • Collect & normalize CrowdStrike Falcon data making it clean and easy to enable threat hunting 
  • Detect advanced threats and gain visibility across multiple environments 
  • Analyze & correlate other log sources with Falcon data to find patterns and identify suspicious behaviors
  • Investigate across all centralized security logs to correlate and baseline behaviors of an attackers activity to detect anomalous threats
  • Monitor in real-time using Python-based detections

For example, CrowdStrike collects NetworkListen events such as:

{
	"event_simpleName": "NetworkListenIP4",
	"name": "NetworkListenIP4MacV5",
	"aip": "205.71.189.87",
 	"aid": "919264958fc641d1ba0650e30300be14",
	"event_platform": "Mac",
	"timestamp": "2020-11-30 18:48:59.738",
	"LocalAddressIP4": "127.0.0.1",
	"RemoteAddressIP4": "0.0.0.0",
	"ConnectionFlags": 0,
	"Protocol": 6,
	"LocalPort": 22,
	"RemotePort": 0,
	"ConnectionDirection": 2,
	"p_any_ip_addresses": [
		"0.0.0.0",
		"127.0.0.1",
		"205.71.189.87"
	]
}Code language: JSON / JSON with Comments (json)

To add a detection, for example, for Mac’s listening on local port 22, the following Python rule could be used:

Resulting in the following alert:

These Python-based detections enable advanced analysis of events and add an extra layer of real-time security monitoring. But Panther can also be used to explore data to understand existing patterns in your fleet by using SQL. 

To keep with the previous example, the query below will show all port 22 listeners that may have started in the past:

And because Panther has all of the CrowdStrike Falcon data in a single place, you can join other tables to understand the process which opened this network listener:

Teams love Panther because of the flexibility and customization possible with Python and SQL.

Getting Started

Get started building a modern detection and response program without the pains and limitations of SIEMs. Panther, a cloud-native security analytics platform, ships with pre-built integrations, such as CrowdStrike, to make it easy to quickly analyze your data, triage alerts, and remediate incidents using the tools and data you have.

To learn more about using Panther together with Crowdstrike, contact us for a demo of Panther Enterprise!

Table of Contents

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo