From 603304977e8c167d10e5809ea5424b420af1800e Mon Sep 17 00:00:00 2001 From: Taylor Date: Fri, 10 May 2024 10:20:42 -0500 Subject: [PATCH] chore: Update crowdstrike integration schema and provision logic --- .../crowdstrike/schema/provision.py | 9 +- .../SOCFORTRESS_docker-compose.yml | 8 + .../data/SOCFORTRESS/cs.falconhoseclient.cfg | 1280 +++++++++++++++++ frontend/src/api/integrations.ts | 6 + .../CustomerIntegrationActions.vue | 37 +- 5 files changed, 1335 insertions(+), 5 deletions(-) create mode 100644 backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml create mode 100644 backend/data/SOCFORTRESS/cs.falconhoseclient.cfg diff --git a/backend/app/integrations/crowdstrike/schema/provision.py b/backend/app/integrations/crowdstrike/schema/provision.py index 1e4ed659..a5b26c4e 100644 --- a/backend/app/integrations/crowdstrike/schema/provision.py +++ b/backend/app/integrations/crowdstrike/schema/provision.py @@ -1,5 +1,6 @@ from typing import Any from typing import Dict +from typing import Optional from pydantic import BaseModel from pydantic import Field @@ -17,13 +18,13 @@ class ProvisionCrowdstrikeRequest(BaseModel): description="The integration name.", examples=["Crowdstrike"], ) - hot_data_retention: int = Field( - ..., + hot_data_retention: Optional[int] = Field( + 30, example=30, description="Number of days to retain hot data", ) - index_replicas: int = Field( - ..., + index_replicas: Optional[int] = Field( + 0, example=1, description="Number of replicas for the customer's Graylog instance", ) diff --git a/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml b/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml new file mode 100644 index 00000000..5e0e09fa --- /dev/null +++ b/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml 
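Review bot: Changing `hot_data_retention` and `index_replicas` to `Optional[int]` does more than make the fields omittable — it also accepts an explicit `null` in the request body, which validates to `None` and then reaches whatever provisioning code expects an integer day count or replica count. If the intent is only "omit → use the default", keep the annotation as `int` and bound the values, `hot_data_retention: int = Field(30, ge=1, ...)` and `index_replicas: int = Field(0, ge=0, ...)`, which also rejects negative numbers that the downstream index configuration is unlikely to accept; the `Optional` import added in the first hunk then becomes unused. The `name` field just above uses `examples=[...]` while these two use `example=`, so the model now mixes both keyword styles and would be cleaner on one. `ProvisionCrowdstrikeRequest` begins before this hunk and continues past it.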
@@ -0,0 +1,8 @@
+version: "3.8"
+
+services:
+ crowdstrike-connector-SOCFORTRESS:
+ image: ghcr.io/socfortress/crowdstrike-connector
+ volumes:
+ - /opt/CoPilot/data/data/SOCFORTRESS/cs.falconhoseclient.cfg:/opt/crowdstrike/etc/cs.falconhoseclient.cfg
+ restart: unless-stopped
diff --git a/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg b/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg
new file mode 100644
index 00000000..69f71d08
--- /dev/null
+++ b/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg
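Review bot: The `image:` line pins nothing — `ghcr.io/socfortress/crowdstrike-connector` without a tag resolves to `latest`, so each `docker compose up` on a customer host may pull a different connector build; pin it, e.g. `image: ghcr.io/socfortress/crowdstrike-connector:<PINNED_TAG_OR_DIGEST>`. The bind mount under `volumes:` ships the `cs.falconhoseclient.cfg` added in the same commit into the container, and that file carries a populated `client_id`/`client_secret` pair and an internal syslog `host`, which means API credentials now sit in git history and should be rotated and rendered per customer at provision time rather than committed. Since that config points the connector's writable state (`output_path`, `offset_path`) at `/var/log/crowdstrike/...`, the config mount itself can be read-only: append `:ro` to the bind-mount line. The doubled `data/data` in the host path may be the intended deployment layout, but it differs from the repo path `backend/data/SOCFORTRESS/`, so worth confirming.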
@@ -0,0 +1,1280 @@ +[Settings] +version = 3 +api_url = https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2 +request_token_url = https://api.laggar.gcw.crowdstrike.com/oauth2/token +app_id = SIEM-Connector-v2.0.0 + +enable_correlation_id = false +format_floats_as_scientific = true + +# API Client ID +client_id = 59b2a0df58364db2a5772b1d6f3dd60b +# API Client Secret +client_secret = fVR354s9rhb8a2UDdCmpGO0ikEBnxvSLcT176Ylj + +# Amount of time (in seconds) we will wait for a connect to complete. +connection_timeout = 10 +# Amount of time to wait (in seconds) for a server's response headers after fully writing the request. +read_timeout = 30 + +# Specify partition number 0 to n or 'all' (without quote) for all partitions +partition = all + +http_proxy = + +# Output formats +# Supported formats are +# 1.syslog: will output syslog format with flat key=value pairs uses the mapping configuration below. +; Use syslog format if CEF/LEEF output is required. +# 2.json: will output raw json format received from FalconHose API (default) +output_format = syslog + +# Will be true regardless if Syslog is not enabled +# If path does not exist or user has no permission, log file will be used +output_to_file = false +output_path = /var/log/crowdstrike/falconhoseclient/output + +# Offset file full filepath and filename +offset_path = /var/log/crowdstrike/falconhoseclient/stream_offsets + +[Output_File_Rotation] +# If the output is writing to a file, then the settings below will govern output file rotation +# +# If true, then the rotation rules will apply. If not, the client will continue to write to the same file. 
+rotate_file = true +# Maximum individual output file size in MB +max_size = 500 +# Number of backups of the output file to be stored +max_backups = 10 +# Maximum age of backup output files before it is deleted in DAYS +max_age = 30 + +[Logging] +verbose_log = true +# Maximum individual log file size in MB +max_size = 500 +# Number of backups to be stored +max_backups = 10 +# Maximum age of backup files before it is deleted in DAYS +max_age = 30 + +[Syslog] +send_to_syslog_server = true +host = ashgrl02.socfortress.local +port = 5556 +protocol = tcp + +# CEF/LEEF Headers, header_prefix will be appended before any other header information +# Within each mapping section, we can add __header.{n} (note double underscore) where n is consecutive integer +# starting with 0 which will be added sequentially. +# Value of headers can be: +# 1. As specified: enclose by single-quote +# 2. Field value: just specify which field name +header_delim = | +header_prefix = CEF:0|CrowdStrike|FalconHost|1.0| + +# Character Escaping Setting +# Syntax Guidelines: +# - Enclose characters with double-quote i.e. "|" +# - From and To characters are delimited by colon +# - Character(s) that needs to be escaped is placed on the left side of a colon (:) and character to replace with is on the right i.e. "from":"to" +# - Multiple character escape setting is delimited by a common i.e. 
"from1":"to1","from2":"to2" and so on +# - header_prefix setting (above) will not be escaped +escape_header = "|":"\|","\\":"\\\\" +escape_ext = "\\":"\\\\","=":"\=","\n":"\\n","\r":"\\r" + +# Delimiter separating key and value, example: if the delimiter is '='(equal): filename=abc.txt +key_val_delim = = + +# Delimiter separating 2 key-value pairs , example: if the delimiter is ','(comma): filename=abc.txt,domain=www.google.com +# Note: For space just leave it empty +field_delim = + +val_enclosure = + +# These fields will be converted to time format, field name should be the key on the mapping section (RFC3339) +time_fields = deviceCustomDate1 +time_format = MMM dd yyyy HH:mm:ss + +# This will be use for filtering +event_type_field = metadata.eventType +event_subtype_field = event.subType + +# Max length of syslog line in bytes +max_length = 2048 + +# Send retry interval in seconds (applicable only for TCP) +retry_interval_secs = 10 + +# Static order fields +keys_ordered = true + +[EventTypeCollection] +DetectionSummaryEvent = true +AuthActivityAuditEvent = true +UserActivityAuditEvent = true +HashSpreadingEvent = true +RemoteResponseSessionStartEvent = true +RemoteResponseSessionEndEvent = true +FirewallMatchEvent = true +CSPMSearchStreamingEvent = true +CSPMIOAStreamingEvent = true +IncidentSummaryEvent = true +CustomerIOCEvent = true +IdentityProtectionEvent = true +ReconNotificationSummaryEvent = true +ScheduledReportNotificationEvent = true +MobileDetectionSummaryEvent = true +XdrDetectionSummaryEvent = true +IdpDetectionSummaryEvent = true + +# ---------------------------------------------------------------------------------------------------------------- +# Below configurations only applies if syslog is ENABLED (under Syslog: enabled=true +# ---------------------------------------------------------------------------------------------------------------- + +[EventSubTypeCollection] +# Format: _ = true/false +DetectionSummaryEvent_DnsRequests = true 
+DetectionSummaryEvent_NetworkAccesses = true +DetectionSummaryEvent_DocumentsAccessed = true +DetectionSummaryEvent_ScanResults = true +DetectionSummaryEvent_ExecutablesWritten = true +DetectionSummaryEvent_QuarantineFiles = true +HashSpreadingEvent_Sensors = true +RemoteResponseSessionEndEvent_Commands = true +MobileDetectionSummaryEvent_MobileAppsDetails = true +MobileDetectionSummaryEvent_MobileNetworkConnections = true +MobileDetectionSummaryEvent_MobileDnsRequests = true +MobileDetectionSummaryEvent_MountedVolumes = true +MobileDetectionSummaryEvent_Trampolines = true +MobileDetectionSummaryEvent_LoadedObjects = true +MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered = true +MobileDetectionSummaryEvent_RootAccessIndicators = true +MobileDetectionSummaryEvent_Certificates = true +MobileDetectionSummaryEvent_EnvironmentVariables = true +MobileDetectionSummaryEvent_SystemProperties = true + + +# FIELD MAPPINGS +# Section name format: OR _ +# Reserved keys: +# __header.{n} where n is integer starting with 0 +# +# There are 2 possible values for the mapping +# 1. Literals which will be used as-is (for labelling) should be enclosed by single quotes +# 2. 
Value based on incoming event +# +# If field mapping is not specified, then field will not appear in the results +# DetectName has been deprecated because CrowdStrike now supports MITRE framework + +[DetectionSummaryEvent] +__header.0 = metadata.eventType +__header.1 = metadata.eventType +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +cn1Label = 'ParentProcessId' +cn1 = event.ParentProcessId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +fname = event.FileName +filePath = event.FilePath +cs5Label = 'CommandLine' +cs5 = event.CommandLine +fileHash = event.MD5String +dntdom = event.MachineDomain +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + + +[DetectionSummaryEvent_DnsRequests] +__header.0 = 'DNS Request In A Detection Summary Event' +__header.1 = 'DNS Request In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +dntdom = event.MachineDomain +cs5Label = 'CommandLine' +cs5 = event.CommandLine +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'DNS Request Time' +deviceCustomDate1 = event.DnsRequests.LoadTime +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + + +[DetectionSummaryEvent_NetworkAccesses] +__header.0 = 'Network Access In A Detection 
Summary Event' +__header.1 = 'Network Access In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +cs5Label = 'CommandLine' +cs5 = event.CommandLine +dntdom = event.MachineDomain +src = event.NetworkAccesses.LocalAddress +c6a2 = event.NetworkAccesses.LocalAddress +dst = event.NetworkAccesses.RemoteAddress +c6a3 = event.NetworkAccesses.RemoteAddress +spt = event.NetworkAccesses.LocalPort +dpt = event.NetworkAccesses.RemotePort +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'Network Access Timestamp' +deviceCustomDate1 = event.NetworkAccesses.AccessTimestamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + + +[DetectionSummaryEvent_DocumentsAccessed] +__header.0 = 'Document Access In A Detection Summary Event' +__header.1 = 'Document Access In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +dntdom = event.MachineDomain +cs2Label = 'AccessedDocFileName' +cs2 = event.DocumentsAccessed.FileName +cs3Label = 'AccessedDocFilePath' +cs3 = event.DocumentsAccessed.FilePath +cs5Label = 'CommandLine' +cs5 = event.CommandLine +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'Document Accessed Timestamp' +deviceCustomDate1 = event.DocumentsAccessed.Timestamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective 
= event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + +[DetectionSummaryEvent_ScanResults] +__header.0 = 'AV Scan Results In A Detection Summary Event' +__header.1 = 'AV Scan Results In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +fileHash = event.MD5String +dntdom = event.MachineDomain +cs2Label = 'ScanResultEngine' +cs2 = event.ScanResults.Engine +cs1Label = 'ScanResultName' +cs1 = event.ScanResults.ResultName +cs4Label = 'ScanResultVersion' +cs4 = event.ScanResults.Version +cs5Label = 'CommandLine' +cs5 = event.CommandLine +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + +[DetectionSummaryEvent_ExecutablesWritten] +__header.0 = 'Executable Written In A Detection Summary Event' +__header.1 = 'Executable Written In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +dntdom = event.MachineDomain +cs2Label = 'WrittenExeFileName' +cs2 = event.ExecutablesWritten.FileName +cs3Label = 'WrittenExeFilePath' +cs3 = event.ExecutablesWritten.FilePath +cs5Label = 'CommandLine' +cs5 = event.CommandLine +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ExeWrittenTimestamp' +deviceCustomDate1 = event.ExecutablesWritten.Timestamp +rt = metadata.eventCreationTime 
+tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + +[DetectionSummaryEvent_QuarantineFiles] +__header.0 = 'Quarantined Files In A Detection Summary Event' +__header.1 = 'Quarantined Files In A Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +cn2Label = 'ProcessId' +cn2 = event.ProcessId +dhost = event.ComputerName +duser = event.UserName +fname = event.FileName +filePath = event.FilePath +dntdom = event.MachineDomain +cs2Label = 'QuarantineFileSHA256' +cs2 = event.QuarantineFiles.SHA256HashData +cs3Label = 'QuarantineFilePath' +cs3 = event.QuarantineFiles.ImageFileName +cs5Label = 'CommandLine' +cs5 = event.CommandLine +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ExeWrittenTimestamp' +deviceCustomDate1 = event.ExecutablesWritten.Timestamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective +patternDisposition = event.PatternDispositionDescription +outcome = event.PatternDispositionValue + +[UserActivityAuditEvent] +__header.0 = metadata.eventType +__header.1 = event.OperationName +__header.2 = '1' + +cat = metadata.eventType +destinationTranslatedAddress = event.UserIp +duser = event.UserId +deviceProcessName = event.ServiceName +cn3Label = 'Offset' +cn3 = metadata.offset +outcome = event.Success +rt = metadata.eventCreationTime + +[AuthActivityAuditEvent] +__header.0 = event.OperationName +__header.1 = event.OperationName +__header.2 = '1' + +cat = metadata.eventType +destinationTranslatedAddress = event.UserIp +duser = event.UserId +deviceProcessName = event.ServiceName +cn3Label = 'Offset' +cn3 = metadata.offset +outcome = event.Success +deviceCustomDate1Label = 'Timestamp' +deviceCustomDate1 = event.UTCTimestamp +rt = 
metadata.eventCreationTime + +[HashSpreadingEvent] +__header.0 = 'Hash Spreading Summary' +__header.1 = 'Hash Spreading Event-Summary' +__header.2 = '5' + +cat = event.ExecutionType +deviceCustomDate1Label = 'DocAccessTimestamp' +deviceCustomDate1 = event.AlertTime +fname=event.FileName +fileHash=event.SHA256String +deviceCustomDate2Label = 'HashSpreadingEventTime' +deviceCustomDate2 = metadata.eventCreationTime + +[HashSpreadingEvent_Sensors] +__header.0 = 'Hash Spreading Sensor' +__header.1 = 'Hash Spreading Event-Sensor Details' +__header.2 = '5' + +cat = event.ExecutionType +deviceCustomDate1Label = 'DocAccessTimestamp' +deviceCustomDate1 = event.AlertTime +fname = event.Sensors.Filename +fileHash=event.SHA256String +dhost = event.Sensors.HostnameField +deviceCustomDate2Label = 'HashSpreadingSensorEventTime' +deviceCustomDate2 = event.Sensors.LastWriteTime + +[RemoteResponseSessionStartEvent] +__header.0 = metadata.eventType +__header.1 = 'Remote Response Session Start event' +__header.2 = '1' + +cat = metadata.eventType +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime +dhost = event.HostnameField +duser = event.UserName +sessionStartTimestampLabel = 'RemoteResponseSessionStartTimestamp' +sessionStartTimestamp = event.StartTimestamp + +[RemoteResponseSessionEndEvent] +__header.0 = metadata.eventType +__header.1 = 'Remote Response Session End event' +__header.2 = '1' + +cat = metadata.eventType +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime +dhost = event.HostnameField +duser = event.UserName +sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp' +sessionEndTimestamp = event.EndTimestamp + +[RemoteResponseSessionEndEvent_Commands] +__header.0 = metadata.eventType +__header.1 = 'Remote Response Session End event' +__header.2 = '1' + +cat = metadata.eventType +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime +dhost = event.HostnameField +duser = event.UserName 
+sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp' +sessionEndTimestamp = event.EndTimestamp +cmdLabel = 'Command' +cmd = event.Commands + + +[FirewallMatchEvent] +__header.0 = metadata.eventType +__header.1 = 'Firewall Match event' +__header.2 = '1' + +cat = metadata.eventType +deviceId = event.DeviceId +ipVLabel = 'IpV' +ipV = event.IpV +cmdLineLabel = 'Command Line' +cmdLine = event.CommandLine +connectionDirectionLabel = 'Connection Direction' +connectionDirection = event.ConnectionDirection +eventType = event.EventType +flags = event.Flags +hostName = event.HostName +icmpCodeLabel = 'ICMP Code' +icmpCode = event.ICMPCode +icmpTypeLabel = 'ICMP Type' +icmpType = event.ICMPType +imageFileNameLabel = 'Image File Name' +imageFileName = event.ImageFileName +localAddressLabel = 'Local Address' +localAddress = event.LocalAddress +localPortLabel = 'Local Port' +localPort = event.LocalPort +matchCountLabel = 'Match Count' +matchCount = event.MatchCount +matchCountSinceLastReportLabel = 'Match Count Since Last Report' +matchCount = event.MatchCountSinceLastReport +networkProfileLabel = 'Network Profile' +networkProfile = event.NetworkProfile +PolicyNameLabel = 'Policy Name' +networkProfile = event.PolicyName +protocolLabel = 'Protocol' +protocol = event.Protocol +remoteAddressLabel = 'Remote Address' +remoteAddress = event.RemoteAddress +remotePortLabel = 'Remote Port' +remotePort = event.RemotePort +ruleActionLabel = 'Rule Action' +ruleAction = event.RuleAction +ruleDescriptionLabel = 'Rule Description' +ruleDescription = event.RuleDescription +ruleGroupNameLabel = 'Rule Group Name' +ruleGroupName = event.RuleGroupName +ruleNameLabel = 'Rule Name' +ruleName = event.RuleName +statusLabel = 'Status' +status = event.Status +cn3Label = 'Offset' +cn3 = metadata.offset +rt = metadata.eventCreationTime + + +[CSPMSearchStreamingEvent] +__header.0 = metadata.eventType +__header.1 = 'CSPM Search Streaming event' +__header.2 = '1' + +cat = metadata.eventType 
+accountIdLabel = 'AccountId' +accountId = event.AccountId +regionLabel = 'Region' +region = event.Region +resourceIdLabel = 'ResourceId' +resourceId = event.ResourceId +resourceIdTypeLabel = 'ResourceIdType' +resourceIdType = event.ResourceIdType +resourceNameLabel = 'ResourceName' +resourceName = event.ResourceName +resourceCreateTimeLabel = 'ResourceCreateTime' +resourceCreateTime = event.ResourceCreateTime +policyStatementLabel = 'PolicyStatement' +policyStatement = event.PolicyStatement +severityNameLabel = 'SeverityName' +severityName = event.SeverityName +cloudPlatformLabel = 'CloudPlatform' +cloudPlatform = event.CloudPlatform +cloudServiceLabel = 'CloudService' +cloudService = event.CloudService +dispositionLabel = 'Disposition' +disposition = event.Disposition +resourceUrlLabel = 'ResourceUrl' +resourceUrl = event.ResourceUrl +findingLabel = 'Finding' +finding = event.Finding +resourceAttributesLabel = 'ResourceAttributes' +resourceAttributes = event.ResourceAttributes +tagsLabel = 'Tags' +tags = event.Tags +timestampLabel = 'Timestamp' +timestamp = event.Timestamp + +[CSPMIOAStreamingEvent] +__header.0 = metadata.eventType +__header.1 = 'CSPM IOA Streaming event' +__header.2 = '1' + +cat = metadata.eventType +accountIdLabel = 'AccountId' +accountId = event.AccountId +policyStatementLabel = 'PolicyStatement' +policyStatement = event.PolicyStatement +cloudProviderLabel = 'CloudProvider' +cloudProvider = event.CloudProvider +cloudServiceLabel = 'CloudService' +cloudService = event.CloudService +severityNameLabel = 'SeverityName' +severityName = event.SeverityName +eventActionLabel = 'EventAction' +eventAction = event.EventAction +eventSourceLabel = 'EventSource' +eventSource = event.EventSource +eventCreatedTimeLabel = 'EventCreatedTimestamp' +eventCreatedTime = event.EventCreatedTimestamp +userIdLabel = 'UserId' +userId = event.UserId +userNameLabel = 'UserName' +userName = event.UserName +userSourceIpLabel = 'UserSourceIp' +userSourceIp = 
event.UserSourceIp +tacticLabel = 'Tactic' +tactic = event.Tactic +techniqueLabel = 'Technique' +technique = event.Technique + +[CustomerIOCEvent] +__header.0 = 'Indicator of Compromise' +cat = metadata.eventType +devTimeFormat='yyyy-MM-dd HH:mm:ss' +devTime = metadata.eventCreationTime +commandLine = event.CommandLine +resource = event.ComputerName +fileName = event.FileName +filePath = event.FilePath +dnsRequestDomain = event.DomainName +dstIPv4 = event.IPv4 +dstIPv6 = event.IPv6 +md5 = event.MD5String +sha1 = event.SHA1String +sha256 = event.SHA256String + +[IncidentSummaryEvent] +__header.0 = metadata.eventType +__header.1 = metadata.eventType +__header.2 = '5' +cat = metadata.eventType +cs1Label = 'FalconHostLink' +cs1 = event.FalconHostLink +cs2Label = 'State' +cs2 = event.State +cn3Label = 'FineScore' +cn3 = event.FineScore +deviceCustomDate1Label = 'IncidentStartTime' +deviceCustomDate1 = event.IncidentStartTime +deviceCustomDate2Label = 'IncidentEndTime' +deviceCustomDate2 = event.IncidentEndTime +deviceCustomDate2 = event.IncidentEndTime + +[IdentityProtectionEvent] +__header.0 = event.Category +__header.1 = event.Severity + +cat = event.Category +cs1Label = 'incidentType' +cs1 = event.IncidentType +severityNameLabel = 'severityName' +severityName = event.SeverityName +msg = event.IncidentDescription +deviceCustomDate1Label = 'startTime' +deviceCustomDate1 = event.StartTime +deviceCustomDate2Label = 'endTime' +deviceCustomDate2 = event.EndTime +cs2Label = 'identityProtectionIncidentId' +cs2 = event.IdentityProtectionIncidentId +duser = event.UserName +dhost = event.EndpointName +cs3Label = 'endpointIp' +cs3 = event.EndpointIp +cn1Label = 'numberOfCompromisedEntities' +cn1 = event.NumberOfCompromisedEntities +cn2Label = 'numbersOfAlerts' +cn2 = event.NumbersOfAlerts +cs4Label = 'falconHostLink' +cs4 = event.FalconHostLink +stateLabel = 'state' +state = event.State + +[ReconNotificationSummaryEvent] +__header.0 = metadata.eventType +__header.1 = 'Recon 
Notification Summary Event' +__header.2 = '1' + +cat = metadata.eventType +notificationIdLabel = 'NotificationId' +notificationId = event.NotificationId +highlightsLabel = 'MatchHighlights' +highlights = event.Highlights +matchedTimestampLabel = 'MatchTimestamp' +matchedTimestamp = event.MatchedTimestamp +ruleIdLabel = 'MonitoringRuleId' +ruleId = event.RuleId +ruleNameLabel = 'MonitoringRuleName' +ruleName = event.RuleName +ruleTopicLabel = 'MonitoringRuleTopic' +ruleTopic = event.RuleTopic +rulePriorityLabel = 'MonitoringRulePriority' +rulePriority = event.RulePriority +itemIdLabel = 'RawIntelligenceItemId' +itemId = event.ItemId +itemTypeLabel = 'RawIntelligenceItemType' +itemType = event.ItemType +itemPostedTimestampLabel = 'RawIntelligenceItemPostedTimestamp' +itemPostedTimestamp = event.ItemPostedTimestamp + +[ScheduledReportNotificationEvent] +__header.0 = metadata.eventType +__header.1 = 'Scheduled Report Notification Event' +__header.2 = '1' + +cat = metadata.eventType +userUUIDLabel = 'UserUUID' +userUUID = event.UserUUID +userIDLabel = 'UserID' +userID = event.UserID +executionIDLabel = 'ExecutionID' +executionID = event.ExecutionID +reportIDLabel = 'ReportID' +reportID = event.ReportID +reportNameLabel = 'ReportName' +reportName = event.ReportName +reportTypeLabel = 'ReportType' +reportType = event.ReportType +reportFileReferenceLabel = 'ReportFileReference' +reportFileReference = event.ReportFileReference +statusLabel = 'Status' +status = event.Status +statusMessageLabel = 'StatusMessage' +statusMessage = event.StatusMessage +executionMetadataLabel = 'ExecutionMetadata' +executionMetadata = event.ExecutionMetadata + +[MobileDetectionSummaryEvent] +__header.0 = metadata.eventType +__header.1 = metadata.eventType +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cn1Label = 'SELinuxEnforcementPolicy' +cn1 = 
event.SELinuxEnforcementPolicy +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_MobileAppsDetails] +__header.0 = 'Mobile Application Details In A Mobile Detection Summary Event' +__header.1 = 'Mobile Application Details In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'AppIdentifier' +cs1 = event.MobileAppsDetails.AppIdentifier +cs2Label = 'AppInstallerInformation' +cs2 = event.MobileAppsDetails.AppInstallerInformation +fname = event.MobileAppsDetails.ImageFileName +fileHash = event.MobileAppsDetails.SHA256HashData +cs3Label = 'DexFileHashes' +cs3 = event.MobileAppsDetails.DexFileHashes +cs4Label = 'AndroidAppVersionName' +cs4 = event.MobileAppsDetails.AndroidAppVersionName +cn1Label = 'HarmfulAppCategory' +cn1 = event.MobileAppsDetails.HarmfulAppCategory +cs5Label = 'AndroidComponentName' +cs5 = event.MobileAppsDetails.AndroidComponentName +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_MobileNetworkConnections] +__header.0 = 'Network Connection In A Mobile Detection Summary Event' +__header.1 = 'Network Connection In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription 
+dvcpid = event.ProcessId +cs1Label = 'Protocol' +cs1 = event.MobileNetworkConnections.Protocol +cn1Label = 'ConnectionFlags' +cn1 = event.MobileNetworkConnections.ConnectionFlags +src = event.MobileNetworkConnections.LocalAddress +c6a2 = event.MobileNetworkConnections.LocalAddress +dst = event.MobileNetworkConnections.RemoteAddress +c6a3 = event.MobileNetworkConnections.RemoteAddress +spt = event.MobileNetworkConnections.LocalPort +dpt = event.MobileNetworkConnections.RemotePort +deviceDirection = MobileNetworkConnections.ConnectionDirection +request = event.MobileNetworkConnections.Url +cs2Label = 'AppIdentifier' +cs2 = event.MobileNetworkConnections.AppIdentifier +cs3Label = 'IsAndroidAppContainerized' +cs3 = event.MobileNetworkConnections.IsAndroidAppContainerized +cn2Label = 'ContextProcessId' +cn2 = event.MobileNetworkConnections.ContextProcessId +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'Network Connection Timestamp' +deviceCustomDate1 = event.MobileNetworkConnections.AccessTimestamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_MobileDnsRequests] +__header.0 = 'Dns Request In A Mobile Detection Summary Event' +__header.1 = 'Dns Request In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +destinationDnsDomain = event.MobileDnsRequests.DomainName +cs1Label = 'RequestType' +cs1 = event.MobileDnsRequests.RequestType +cs2Label = 'AppIdentifier' +cs2 = event.MobileDnsRequests.AppIdentifier +dst = event.MobileDnsRequests.IpAddress +c6a3 = event.MobileDnsRequests.IpAddress +cn1Label = 'ContextProcessId' +cn1 = event.MobileDnsRequests.ContextProcessId +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink 
+cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'DNS Request Timestamp' +deviceCustomDate1 = event.MobileDnsRequests.AccessTimestamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_MountedVolumes] +__header.0 = 'Mounted Volume In A Mobile Detection Summary Event' +__header.1 = 'Mounted Volume In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'Type' +cs1 = event.MountedVolumes.Type +cs2Label = 'MountPoint' +cs2 = event.MountedVolumes.MountPoint +cs3Label = 'MountFlags' +cs3 = event.MountedVolumes.MountFlags +cs4Label = 'RealDeviceName' +cs4 = event.MountedVolumes.RealDeviceName +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_Trampolines] +__header.0 = 'Trampoline In A Mobile Detection Summary Event' +__header.1 = 'Trampoline In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'FunctionName' +cs1 = event.Trampolines.FunctionName +cs2Label = 'ExecutableBytes' +cs2 = event.Trampolines.ExecutableBytes +fname = event.Trampolines.ImageFileName +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = 
event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_LoadedObjects] +__header.0 = 'Loaded Object In A Mobile Detection Summary Event' +__header.1 = 'Loaded Object In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +fname = event.LoadedObjects.FileName +fileHash = event.LoadedObjects.SHA256HashData +cs1Label = 'CodeSigningFlags' +cs1 = event.LoadedObjects.CodeSigningFlags +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered] +__header.0 = 'ObjectiveC Runtime Altered In A Mobile Detection Summary Event' +__header.1 = 'ObjectiveC Runtime Altered In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'MethodSignature' +cs1 = event.ObjectiveCRuntimesAltered.MethodSignature +fname = event.ObjectiveCRuntimesAltered.ImageFileName +cs2Label = 'ExpectedImageFileName' +cs2 = event.ObjectiveCRuntimesAltered.ExpectedImageFileName +cs3Label = 'SuspectAddress' +cs3 = event.ObjectiveCRuntimesAltered.SuspectAddress +cs4Label = 'ExpectedAddress' +cs4 = event.ObjectiveCRuntimesAltered.ExpectedAddress +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + 
+[MobileDetectionSummaryEvent_RootAccessIndicators] +__header.0 = 'Root Access Indicators In A Mobile Detection Summary Event' +__header.1 = 'Root Access Indicators In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'LogcatMessage' +cs1 = event.RootAccessIndicators.LogcatMessage +cs2Label = 'AndroidStackTrace' +cs2 = event.RootAccessIndicators.AndroidStackTrace +cs3Label = 'HookedFunctionName' +cs3 = event.RootAccessIndicators.HookedFunctionName +cs4Label = 'AndroidInitServiceName' +cs4 = event.RootAccessIndicators.AndroidInitServiceName +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_Certificates] +__header.0 = 'Certificate In A Mobile Detection Summary Event' +__header.1 = 'Certificate In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'CertificateName' +cs1 = event.Certificates.Name +cs2Label = 'CertificateIssuer' +cs2 = event.Certificates.Issuer +cs3Label = 'CertificateFingerPrint' +cs3 = event.Certificates.FingerPrint +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_EnvironmentVariables] +__header.0 = 'Environment Variable In A 
Mobile Detection Summary Event' +__header.1 = 'Environment Variable In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'EnvironmentVariableName' +cs1 = event.EnvironmentVariables.Name +cs2Label = 'EnvironmentVariableValue' +cs2 = event.EnvironmentVariables.Value +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[MobileDetectionSummaryEvent_SystemProperties] +__header.0 = 'System Property In A Mobile Detection Summary Event' +__header.1 = 'System Property In A Mobile Detection Summary Event' +__header.2 = event.Severity + +cat = event.Tactic +externalId = event.SensorId +dhost = event.ComputerName +duser = event.UserName +msg = event.DetectDescription +dvcpid = event.ProcessId +cs1Label = 'SystemPropertyName' +cs1 = event.SystemProperties.Name +cs2Label = 'SystemPropertyValue' +cs2 = event.SystemProperties.Value +cs6Label = 'FalconHostLink' +cs6 = event.FalconHostLink +cn3Label = 'Offset' +cn3 = metadata.offset +deviceCustomDate1Label = 'ContextTimeStamp' +deviceCustomDate1 = event.ContextTimeStamp +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique +objective = event.Objective + +[XdrDetectionSummaryEvent] +__header.0 = metadata.eventType +__header.1 = 'XDR Detection Summary Event' +__header.2 = event.Severity + +cat = metadata.eventType +msg = event.Description +rt = metadata.eventCreationTime +tactics = event.Tactics +techniques = event.Techniques +xdrTypeLabel = 'XdrType' +xdrType = event.XdrType +authorLabel = 'Author' +author = event.Author + +scheduledSearchExecutionIdLabel = 
'ScheduledSearchExecutionId' +scheduledSearchExecutionId = event.ScheduledSearchExecutionId +scheduledSearchIdLabel = 'ScheduledSearchId' +scheduledSearchId = event.ScheduledSearchId +scheduledSearchUserIdLabel = 'ScheduledSearchUserId' +scheduledSearchUserId = event.ScheduledSearchUserId +scheduledSearchUserUUIDLabel = 'ScheduledSearchUserUUID' +scheduledSearchUserUUID = event.ScheduledSearchUserUUID + +sourceProductsLabel = 'SourceProducts' +sourceProducts = event.SourceProducts +sourceVendorsLabel = 'SourceVendors' +sourceVendors = event.SourceVendors +dataDomainsLabel = 'DataDomains' +dataDomains = event.DataDomains +ipv4AddressesLabel = 'IPv4Addresses' +ipv4Addresses = event.IPv4Addresses +ipv6AddressesLabel = 'IPv6Addresses' +ipv6Addresses = event.IPv6Addresses +hostNamesLabel = 'HostNames' +hostNames = event.HostNames +domainNamesLabel = 'DomainNames' +domainNames = event.DomainNames +emailAddressesLabel = 'EmailAddresses' +emailAddresses = event.EmailAddresses +sha256HashesLabel = 'SHA256Hashes' +sha256Hashes = event.SHA256Hashes +md5HashesLabel = 'MD5Hashes' +md5Hashes = event.MD5Hashes +usersLabel = 'Users' +users = event.Users + +cn3Label = 'Offset' +cn3 = metadata.offset + + + +[IdpDetectionSummaryEvent] +__header.0 = metadata.eventType +__header.1 = 'Identity Protection Detection Summary Event' +__header.2 = event.Severity + +cat = metadata.eventType +msg = event.DetectDescription +rt = metadata.eventCreationTime +tactic = event.Tactic +technique = event.Technique + +targetServiceAccessIdentifierLabel = 'TargetServiceAccessIdentifier' +targetServiceAccessIdentifier = event.TargetServiceAccessIdentifier +targetEndpointSensorIdLabel = 'TargetEndpointSensorId' +targetEndpointSensorId = event.TargetEndpointSensorId +targetEndpointHostNameLabel = 'TargetEndpointHostName' +targetEndpointHostName = event.TargetEndpointHostName +targetEndpointAccountObjectSidLabel = 'TargetEndpointAccountObjectSid' +targetEndpointAccountObjectSid = 
event.TargetEndpointAccountObjectSid +targetEndpointAccountObjectGuidLabel = 'TargetEndpointAccountObjectGuid' +targetEndpointAccountObjectGuid = event.TargetEndpointAccountObjectGuid +targetAccountUpnLabel = 'TargetAccountUpn' +targetAccountUpn = event.TargetAccountUpn +targetAccountObjectSidLabel = 'TargetAccountObjectSid' +targetAccountObjectSid = event.TargetAccountObjectSid +targetAccountNameLabel = 'TargetAccountName' +targetAccountName = event.TargetAccountName +targetAccountDomainLabel = 'TargetAccountDomain' +targetAccountDomain = event.TargetAccountDomain +suspiciousMachineAccountAlterationTypeLabel = 'SuspiciousMachineAccountAlterationType' +suspiciousMachineAccountAlterationType = event.SuspiciousMachineAccountAlterationType +startTimeLabel = 'StartTime' +startTime = event.StartTime +ssoApplicationIdentifierLabel = 'SsoApplicationIdentifier' +ssoApplicationIdentifier = event.SsoApplicationIdentifier +sourceEndpointSensorIdLabel = 'SourceEndpointSensorId' +sourceEndpointSensorId = event.SourceEndpointSensorId +sourceEndpointIpReputationLabel = 'SourceEndpointIpReputation' +sourceEndpointIpReputation = event.SourceEndpointIpReputation +sourceEndpointIpAddressLabel = 'SourceEndpointIpAddress' +sourceEndpointIpAddress = event.SourceEndpointIpAddress +sourceEndpointHostNameLabel = 'SourceEndpointHostName' +sourceEndpointHostName = event.SourceEndpointHostName +sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectGuid' +sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectGuid +sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectSid' +sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectSid +sourceAccountUpnLabel = 'SourceAccountUpn' +sourceAccountUpn = event.SourceAccountUpn +sourceAccountObjectSidLabel = 'SourceAccountObjectSid' +sourceAccountObjectSid = event.SourceAccountObjectSid +sourceAccountNameLabel = 'SourceAccountName' +sourceAccountName = event.SourceAccountName +sourceAccountDomainLabel = 
'SourceAccountDomain' +sourceAccountDomain = event.SourceAccountDomain +severityNameLabel = 'SeverityName' +severityName = event.SeverityName +rpcOpClassificationLabel = 'RpcOpClassification' +rpcOpClassification = event.RpcOpClassification +protocolAnomalyClassificationLabel = 'ProtocolAnomalyClassification' +protocolAnomalyClassification = event.ProtocolAnomalyClassification +previousPrivilegesLabel = 'PreviousPrivileges' +previousPrivileges = event.PreviousPrivileges +precedingActivityTimeStampLabel = 'PrecedingActivityTimeStamp' +precedingActivityTimeStamp = event.PrecedingActivityTimeStamp +patternIdLabel = 'PatternId' +patternId = event.PatternId +objectiveLabel = 'Objective' +objective = event.Objective +mostRecentActivityTimeStampLabel = 'MostRecentActivityTimeStamp' +mostRecentActivityTimeStamp = event.MostRecentActivityTimeStamp +locationCountryCodeLabel = 'LocationCountryCode' +locationCountryCode = event.LocationCountryCode +ldapSearchQueryAttackLabel = 'LdapSearchQueryAttack' +ldapSearchQueryAttack = event.LdapSearchQueryAttack +idpPolicyRuleTriggerLabel = 'IdpPolicyRuleTrigger' +idpPolicyRuleTrigger = event.IdpPolicyRuleTrigger +idpPolicyRuleNameLabel = 'IdpPolicyRuleName' +idpPolicyRuleName = event.IdpPolicyRuleName +idpPolicyRuleActionLabel = 'IdpPolicyRuleAction' +idpPolicyRuleAction = event.IdpPolicyRuleAction +falconHostLinkLabel = 'FalconHostLink' +falconHostLink = event.FalconHostLink +endTimeLabel = 'EndTime' +endTime = event.EndTime +detectNameLabel = 'DetectName' +detectName = event.DetectName +detectIdLabel = 'DetectId' +detectId = event.DetectId +contextTimeStampLabel = 'ContextTimeStamp' +contextTimeStamp = event.ContextTimeStamp +attemptOutcomeLabel = 'AttemptOutcome' +attemptOutcome = event.AttemptOutcome +anomalousTicketContentClassificationLabel = 'AnomalousTicketContentClassification' +anomalousTicketContentClassification = event.AnomalousTicketContentClassification +additionalSsoApplicationIdentifierLabel = 
'AdditionalSsoApplicationIdentifier' +additionalSsoApplicationIdentifier = event.AdditionalSsoApplicationIdentifier +additionalLocationCountryCodeLabel = 'AdditionalLocationCountryCode' +additionalLocationCountryCode = event.AdditionalLocationCountryCode +additionalEndpointSensorIdLabel = 'AdditionalEndpointSensorId' +additionalEndpointSensorId = event.AdditionalEndpointSensorId +additionalEndpointIpAddressLabel = 'AdditionalEndpointIpAddress' +additionalEndpointIpAddress = event.AdditionalEndpointIpAddress +additionalEndpointHostNameLabel = 'AdditionalEndpointHostName' +additionalEndpointHostName = event.AdditionalEndpointHostName +additionalEndpointAccountObjectSidLabel = 'AdditionalEndpointAccountObjectSid' +additionalEndpointAccountObjectSid = event.AdditionalEndpointAccountObjectSid +additionalEndpointAccountObjectGuidLabel = 'AdditionalEndpointAccountObjectGuid' +additionalEndpointAccountObjectGuid = event.AdditionalEndpointAccountObjectGuid +additionalActivityIdLabel = 'AdditionalActivityId' +additionalActivityId = event.AdditionalActivityId +additionalAccountUpnLabel = 'AdditionalAccountUpn' +additionalAccountUpn = event.AdditionalAccountUpn +additionalAccountObjectSidLabel = 'AdditionalAccountObjectSid' +additionalAccountObjectSid = event.AdditionalAccountObjectSid +additionalAccountNameLabel = 'AdditionalAccountName' +additionalAccountName = event.AdditionalAccountName +additionalAccountDomainLabel = 'AdditionalAccountDomain' +additionalAccountDomain = event.AdditionalAccountDomain +addedPrivilegeLabel = 'AddedPrivilege' +addedPrivilege = event.AddedPrivilege +activityIdLabel = 'ActivityId' +activityId = event.ActivityId +accountCreationTimeStampLabel = 'AccountCreationTimeStamp' +accountCreationTimeStamp = event.AccountCreationTimeStamp + +cn3Label = 'Offset' +cn3 = metadata.offset diff --git a/frontend/src/api/integrations.ts b/frontend/src/api/integrations.ts index 18a419c9..19ac966a 100644 --- a/frontend/src/api/integrations.ts 
+++ b/frontend/src/api/integrations.ts @@ -54,6 +54,12 @@ export default { integration_name: integrationName }) }, + crowdstrikeProvision(customerCode: string, integrationName: string) { + return HttpClient.post(`/crowdstrike/provision`, { + customer_code: customerCode, + integration_name: integrationName + }) + }, office365Provision(customerCode: string, integrationName: string) { return HttpClient.post(`/office365/provision`, { customer_code: customerCode, diff --git a/frontend/src/components/customers/integrations/CustomerIntegrationActions.vue b/frontend/src/components/customers/integrations/CustomerIntegrationActions.vue index 648e039e..3ae6adfc 100644 --- a/frontend/src/components/customers/integrations/CustomerIntegrationActions.vue +++ b/frontend/src/components/customers/integrations/CustomerIntegrationActions.vue @@ -24,6 +24,18 @@ Deploy + + + Deploy + + loadingMimecastProvision.value || loadingOffice365Provision.value || loadingDelete.value) +const loading = computed(() => loadingMimecastProvision.value || loadingCrowdstrikeProvision.value || loadingOffice365Provision.value || loadingDelete.value) const serviceName = computed(() => integration.integration_service_name) const customerCode = computed(() => integration.customer_code) const isOffice365 = computed(() => serviceName.value === "Office365") const isMimecast = computed(() => serviceName.value === "Mimecast") +const isCrowdstrike = computed(() => serviceName.value === "Crowdstrike") watch(loading, val => { if (val) { 
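Review bot: The new `crowdstrikeProvision` method is a line-for-line copy of the neighbouring `office365Provision` with only the path changed, so the service name now lives in three places (method name, URL, and the caller's `serviceName`). A single helper such as `provision(service: string, customerCode: string, integrationName: string)` that builds `` `/${service}/provision` `` and posts `{ customer_code, integration_name }` would keep the per-service wrappers to one line each and make it obvious when a new integration forgets a field. The template literal `` `/crowdstrike/provision` `` has no interpolation, so a plain string would also do if the helper is not adopted.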
@@ -127,6 +141,27 @@ function mimecastProvision() { }) } +function crowdstrikeProvision() { + loadingCrowdstrikeProvision.value = true + + Api.integrations + .crowdstrikeProvision(customerCode.value, serviceName.value) + .then(res => { + if (res.data.success) { + emit("deployed") + message.success(res.data?.message || "Customer integration successfully deployed.") + } else { + message.warning(res.data?.message || "An error occurred. Please try again later.") + } + }) + .catch(err => { + message.error(err.response?.data?.message || "An error occurred. Please try again later.") + }) + .finally(() => { + loadingCrowdstrikeProvision.value = false + }) +} + function handleDelete() { dialog.warning({ title: "Confirm",
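Review bot: `if (res.data.success)` dereferences `res.data` unconditionally while the lines right after it guard the same object with `res.data?.message`; a 2xx response with an empty body would throw a TypeError inside `.then`, which then lands in `.catch` and is shown as the generic error text with no hint of the real cause. Use one convention, e.g. `if (res.data?.success) {`, so the warning branch with the server-supplied message is reached instead. The body is otherwise identical to `mimecastProvision` (named in the hunk header) apart from the API call and the loading ref, so a shared helper that takes the promise and the ref would stop the three provisioning paths from drifting in their error handling; the hunk is self-contained.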