

Enrichment Rules for CrowdStrike

Download the enrichment rules below and save them to a configuration file that can be imported into Log Stream.

"""EventEnrichers""" = [
    {
        """Name""" = """crowdstrike-src_host-2"""
        """DisplayName""" = """CrowdStrike asset ID to Source Host Lookup"""
        """Description""" = """CrowdStrike host by aid"""
        """Condition""" = """exists(aid) && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """src_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """vendor"""
            """UniversalFieldValues""" = [
                """CrowdStrike"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-src_host-1"""
        """DisplayName""" = """CrowdStrike Network Connection Assets In"""
        """Description""" = """CrowdStrike Network Connection Asset information"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && direction='1' && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """src_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """activity_type"""
            """UniversalFieldValues""" = [
                """dns-traffic""",
                """network-close""",
                """network-session""",
                """network-start""",
                """network-traffic"""
            ]
            """Outcome""" = [
                """fail""",
                """success"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-dest_host-3"""
        """DisplayName""" = """CrowdStrike Network Connection Assets Out"""
        """Description""" = """CrowdStrike Network Connection Asset information"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && direction='0' && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """dest_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """activity_type"""
            """UniversalFieldValues""" = [
                """dns-traffic""",
                """network-close""",
                """network-session""",
                """network-start""",
                """network-traffic"""
            ]
            """Outcome""" = [
                """fail""",
                """success"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-user"""
        """DisplayName""" = """CrowdStrike asset ID to User Lookup"""
        """Description""" = """CrowdStrike User by asset ID"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && !exists(user) && exists(aid)"""
        """Map""" = [
            {
                """Field""" = """user"""
                """Value""" = """ToLower(GetDynamicContextAttribute('aid', 'user'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """vendor"""
            """UniversalFieldValues""" = [
                """CrowdStrike"""
            ]
        }
    }
]