Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Rules: CS EventStream Audit Events #1307

Merged
merged 18 commits into from
Aug 16, 2024
Merged

New Rules: CS EventStream Audit Events #1307

merged 18 commits into from
Aug 16, 2024

Conversation

ben-githubs
Copy link
Contributor

Background

The Crowdstrike Eventstreams log source includes several audit events which provide security value. These detections provide some baseline coverage against these logs.

Changes

  • multiple new detections, covering user management and IP allowlist activity

Testing

  • Added multiple unit tests for each detection

@ben-githubs ben-githubs requested a review from a team as a code owner July 26, 2024 20:40
@github-actions GitHub Actions
Copy link

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@ben-githubs
Copy link
Contributor Author

Would love some eyes on the IP allowlisting rules. I'm concerned they may be too noisy!

arielkr256
arielkr256 reviewed Aug 5, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great start! Left a few comments.

TODO: update pack

rules/crowdstrike_rules/event_stream_rules/crowdstrike_admin_role_assigned.py Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_user_created.yml Outdated Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_password_change.yml Outdated Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_single_ip_allowlisted.py Outdated Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_single_ip_allowlisted.py Outdated Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_single_ip_allowlisted.yml Show resolved Hide resolved
rules/crowdstrike_rules/event_stream_rules/crowdstrike_user_deleted.yml Outdated Show resolved Hide resolved
arielkr256
arielkr256 approved these changes Aug 16, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

@arielkr256 arielkr256 enabled auto-merge August 16, 2024 17:24
@arielkr256 arielkr256 merged commit 98c4c4a into release Aug 16, 2024
6 checks passed
@arielkr256 arielkr256 deleted the ben/new/cs_eventstreams_audit_rules branch August 16, 2024 17:25
@arielkr256 arielkr256 added the enhancement New feature or request label Sep 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ben-githubs @arielkr256