


Enrichment Rules for CrowdStrike

Copy the enrichment rules below into a configuration file, then import that file into Log Stream.

"""EventEnrichers""" = [
    {
        """Name""" = """crowdstrike-src_host-2"""
        """DisplayName""" = """CrowdStrike asset ID to Source Host Lookup"""
        """Description""" = """CrowdStrike host by aid"""
        """Condition""" = """exists(aid) && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """src_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """vendor"""
            """UniversalFieldValues""" = [
                """CrowdStrike"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-src_host-1"""
        """DisplayName""" = """CrowdStrike Network Connection Assets In"""
        """Description""" = """CrowdStrike Network Connection Asset information"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && direction='1' && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """src_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """activity_type"""
            """UniversalFieldValues""" = [
                """dns-traffic""",
                """network-close""",
                """network-session""",
                """network-start""",
                """network-traffic"""
            ]
            """Outcome""" = [
                """fail""",
                """success"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-dest_host-3"""
        """DisplayName""" = """CrowdStrike Network Connection Assets Out"""
        """Description""" = """CrowdStrike Network Connection Asset information"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && direction='0' && HasContextKey('CrowdStrike Devices', aid)"""
        """Map""" = [
            {
                """Field""" = """dest_host"""
                """Value""" = """toLower(GetContextAttribute('CrowdStrike Devices', aid, 'hostname'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """activity_type"""
            """UniversalFieldValues""" = [
                """dns-traffic""",
                """network-close""",
                """network-session""",
                """network-start""",
                """network-traffic"""
            ]
            """Outcome""" = [
                """fail""",
                """success"""
            ]
        }
    }
    {
        """Name""" = """crowdstrike-user"""
        """DisplayName""" = """CrowdStrike asset ID to User Lookup"""
        """Description""" = """CrowdStrike User by asset ID"""
        """Condition""" = """InList(toLower(vendor), 'crowdstrike') && !exists(user) && exists(aid)"""
        """Map""" = [
            {
                """Field""" = """user"""
                """Value""" = """ToLower(GetDynamicContextAttribute('aid', 'user'))"""
            }
        ]
        """Filter""" = {
            """UniversalFieldName""" = """vendor"""
            """UniversalFieldValues""" = [
                """CrowdStrike"""
            ]
        }
    }
]