crowdstrike: add support for cspm events in FDR data stream

Author: navnit-elastic

packages/crowdstrike/_dev/benchmark/rally/fdr-benchmark/config.yml

@@ -28,6 +28,8 @@ fields:
       - ActiveDirectoryInteractiveDomain
       - Event_EppDetectionSummaryEvent
       - userinfo
+      - cspm_ioa
+      - cspm_iom
   - name: event_platform
     enum:
       - Win
@@ -180,3 +182,69 @@ fields:
       - Interactive
       - Network
       - Terminal Server
+
+# cspm
+  - name: policy_severity
+    range:
+      min: 0
+      max: 4
+  - name: Severity
+    range:
+      min: 0
+      max: 4
+  - name: cloud_region
+    enum:
+      - us-west-1
+      - us-west-2
+      - us-east-1
+      - us-east-2
+      - eu-central-1
+      - ap-south-1
+      - ap-northeast-1
+      - ap-southeast-1
+      - sa-east-1
+      - ca-central-1
+  - name: cloud_provider
+    enum:
+      - aws
+      - azure
+      - gcp
+  - name: event_created
+    period: -24h
+  - name: vertex_type
+    value: ioa
+  - name: user_identity_user_name
+    cardinality: 10000
+  - name: disposition
+    value: Failed
+  - name: account
+    range:
+      min: 100000000000
+      max: 999999999999
+    cardinality: 10
+  - name: mitre_attack_technique
+    enum:
+      - Account Manipulation
+      - Cloud Infrastructure Discovery
+      - Cloud Instance Metadata API
+      - Cloud Service Dashboard
+      - Cloud Storage Object Discovery
+      - Data from Cloud Storage
+      - Data Destruction
+      - Phishing
+      - Resource Hijacking
+      - Valid Accounts
+  - name: mitre_attack_tactic
+    enum:
+      - Reconnaissance
+      - Resource Development
+      - Initial Access
+      - Execution
+      - Persistence
+      - Privilege Escalation
+      - Defense Evasion
+      - Credential Access
+      - Discovery
+      - Lateral Movement
+  - name: ResourceId
+    cardinality: 10000

packages/crowdstrike/_dev/benchmark/rally/fdr-benchmark/fields.yml

@@ -560,3 +560,89 @@
   type: keyword
 - name: DownloadServer
   type: keyword
+- name: mitre_attack_technique
+  type: keyword
+- name: cloud_service_friendly
+  type: keyword
+- name: policy_severity
+  type: integer
+- name: event_type
+  type: keyword
+- name: event_name
+  type: keyword
+- name: mitre_attack_tactic
+  type: keyword
+- name: event_source
+  type: keyword
+- name: account
+  type: integer
+- name: cloud_region
+  type: keyword
+- name: event_category
+  type: keyword
+- name: cloud_provider
+  type: keyword
+- name: attack_types
+  type: keyword
+- name: event_created
+  type: date
+- name: user_identity_principal_id
+  type: keyword
+- name: policy_id
+  type: integer
+- name: request_id
+  type: keyword
+- name: vertex_type
+  type: keyword
+- name: cid
+  type: keyword
+- name: vertex_id
+  type: keyword
+- name: user_identity_user_name
+  type: keyword
+- name: policy_description
+  type: text
+- name: user_identity_arn
+  type: keyword
+- name: source_ip_address
+  type: ip
+- name: user_identity_account_id
+  type: integer
+- name: user_identity_mfa_authenticated
+  type: boolean
+- name: user_agent
+  type: keyword
+- name: cloudplatform
+  type: integer
+- name: service
+  type: keyword
+- name: event_id
+  type: keyword
+- name: read_only
+  type: boolean
+- name: policy_statement
+  type: text
+- name: management_event
+  type: boolean
+- name: user_identity_access_key_id
+  type: keyword
+- name: internal_only
+  type: boolean
+- name: cloud_asset_type
+  type: integer
+- name: mitre_attack_tactics_url
+  type: keyword
+- name: resource_url
+  type: keyword
+- name: finding
+  type: text
+- name: disposition
+  type: keyword
+- name: pci_benchmark_ids
+  type: keyword
+- name: ResourceId
+  type: keyword
+- name: ResourceIdType
+  type: keyword
+- name: ResourceCreateTime
+  type: date

packages/crowdstrike/_dev/benchmark/rally/fdr-benchmark/template.ndjson

@@ -24,9 +24,9 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
 
 - `vulnerability` dataset: It retrieves all the vulnerabilities in your environment, providing information such as severity, status, confidence levels, remediation guidance, and affected hosts, as detected by the CrowdStrike Falcon platform, via the Falcon Spotlight Vulnerability API - `/spotlight/combined/vulnerabilities/v1`.
 
-3. **Falcon Data Replicator**: This Collect events in near real time from your endpoints and cloud workloads, identities and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
+3. **Falcon Data Replicator**: This collects events in near real-time from your endpoints, cloud workloads, identities, and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
 
-- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR).
+- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). In addition to the existing log types, the integration now includes support for parsing Cloud Security Posture Management (CSPM) Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events.
 
 4. **CrowdStrike Event Stream**: This streams security logs from CrowdStrike Event Stream, including authentication activity, cloud security posture management (CSPM), firewall logs, user activity, and XDR data. It captures real-time security events like user logins, cloud environment changes, network traffic, and advanced threat detections. The streaming integration provides continuous monitoring and analysis for proactive threat detection. It enhances visibility into user behavior, network security, and overall system health. This setup enables faster response capabilities to emerging security incidents. It includes the following datasets for receiving logs:
 

packages/crowdstrike/_dev/build/docs/README.md

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.7.0"
+  changes:
+    - description: Add support for CSPM IOA and IOM events in the FDR data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15783
 - version: "2.6.0"
   changes:
     - description: Add a fallback parsing command_line to populate the process name in the FDR data stream.

packages/crowdstrike/changelog.yml

@@ -0,0 +1 @@
+{"mitre_attack_technique":"Data Destruction","response_elements":"{\"requestId\":\"8db1ca21-4d8b-4c08-b7bc-a63186cd7740\",\"instancesSet\":{\"items\":[{\"currentState\":{\"code\":32,\"name\":\"shutting-down\"},\"previousState\":{\"code\":16,\"name\":\"running\"},\"instanceId\":\"i-0e244c4469aea5be0\"}]}}","cloud_service_friendly":"EC2","aws_account_id":"144492464627","policy_severity":1,"event_type":"AwsApiCall","event_name":"TerminateInstances","mitre_attack_tactic":"Impact","event_source":"ec2.amazonaws.com","account":"144492464627","cloud_region":"us-east-2","event_category":"Management","cloud_provider":"aws","attack_types":["Destruction"],"event_created":"2025-10-02T19:51:16Z","user_identity_principal_id":"AIDASDJDMBHZXZ7A56T2M","event-type":"cspm_policy_249","policy_id":249,"request_id":"8db1ca21-4d8b-4c08-b7bc-a63186cd7740","vertex_type":"ioa","cid":"bdc3e3474d8848f1b8dcf41d41669a14","request_parameters":"{\"instancesSet\":{\"items\":[{\"instanceId\":\"i-0e244c4469aea5be0\"}]},\"force\":false,\"skipOsShutdown\":false}","vertex_id":"249:c7c1f904-44bb-4690-9816-c510246c3b6a:ioa","user_identity_user_name":"buildkite","policy_description":"An IAM user was detected to have manually deleted an EC2 instance. This may indicate malicious activity in that it was not auto-scaling or some other automation that deleted the instance.","user_identity_arn":"arn:aws:iam::144492464627:user/services/buildkite","source_ip_address":"89.160.20.112","user_identity_account_id":"144492464627","user_identity_mfa_authenticated":"false","user_agent":"APN/1.0 HashiCorp/1.0 Terraform/1.12.1 (+https://www.terraform.io) terraform-provider-aws/4.61.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.232 (go1.19.7; linux; amd64)","cloudplatform":1,"service":"EC2","event_id":"c7c1f904-44bb-4690-9816-c510246c3b6a","read_only":false,"policy_statement":"EC2 instance manually deleted by IAM user","management_event":true,"user_identity_access_key_id":"AKIASDJDMBHZ3YGQZQ4Q"}

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-ioa.log

@@ -0,0 +1,154 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-10-02T19:51:16.000Z",
+            "cloud": {
+                "account": {
+                    "id": "144492464627"
+                },
+                "provider": "aws",
+                "region": "us-east-2",
+                "service": {
+                    "name": "EC2"
+                }
+            },
+            "crowdstrike": {
+                "EventType": "AwsApiCall",
+                "SeverityName": "high",
+                "attack_types": [
+                    "Destruction"
+                ],
+                "aws_account_id": "144492464627",
+                "cid": "bdc3e3474d8848f1b8dcf41d41669a14",
+                "cloudplatform": "1",
+                "event-type": "cspm_policy_249",
+                "event_category": "Management",
+                "management_event": true,
+                "policy_severity": 1,
+                "read_only": false,
+                "request": {
+                    "id": "8db1ca21-4d8b-4c08-b7bc-a63186cd7740",
+                    "parameters": {
+                        "force": false,
+                        "instancesSet": {
+                            "items": [
+                                {
+                                    "instanceId": "i-0e244c4469aea5be0"
+                                }
+                            ]
+                        },
+                        "skipOsShutdown": false
+                    }
+                },
+                "response_elements": {
+                    "instancesSet": {
+                        "items": [
+                            {
+                                "currentState": {
+                                    "code": 32,
+                                    "name": "shutting-down"
+                                },
+                                "instanceId": "i-0e244c4469aea5be0",
+                                "previousState": {
+                                    "code": 16,
+                                    "name": "running"
+                                }
+                            }
+                        ]
+                    },
+                    "requestId": "8db1ca21-4d8b-4c08-b7bc-a63186cd7740"
+                },
+                "service": "EC2",
+                "user_identity_access_key_id": "AKIASDJDMBHZ3YGQZQ4Q",
+                "user_identity_account_id": "144492464627",
+                "user_identity_arn": "arn:aws:iam::144492464627:user/services/buildkite",
+                "user_identity_mfa_authenticated": false,
+                "vertex_id": "249:c7c1f904-44bb-4690-9816-c510246c3b6a:ioa",
+                "vertex_type": "ioa"
+            },
+            "event": {
+                "action": "TerminateInstances",
+                "category": [
+                    "configuration"
+                ],
+                "created": "2025-10-02T19:51:16.000Z",
+                "id": "c7c1f904-44bb-4690-9816-c510246c3b6a",
+                "kind": "alert",
+                "original": "{\"mitre_attack_technique\":\"Data Destruction\",\"response_elements\":\"{\\\"requestId\\\":\\\"8db1ca21-4d8b-4c08-b7bc-a63186cd7740\\\",\\\"instancesSet\\\":{\\\"items\\\":[{\\\"currentState\\\":{\\\"code\\\":32,\\\"name\\\":\\\"shutting-down\\\"},\\\"previousState\\\":{\\\"code\\\":16,\\\"name\\\":\\\"running\\\"},\\\"instanceId\\\":\\\"i-0e244c4469aea5be0\\\"}]}}\",\"cloud_service_friendly\":\"EC2\",\"aws_account_id\":\"144492464627\",\"policy_severity\":1,\"event_type\":\"AwsApiCall\",\"event_name\":\"TerminateInstances\",\"mitre_attack_tactic\":\"Impact\",\"event_source\":\"ec2.amazonaws.com\",\"account\":\"144492464627\",\"cloud_region\":\"us-east-2\",\"event_category\":\"Management\",\"cloud_provider\":\"aws\",\"attack_types\":[\"Destruction\"],\"event_created\":\"2025-10-02T19:51:16Z\",\"user_identity_principal_id\":\"AIDASDJDMBHZXZ7A56T2M\",\"event-type\":\"cspm_policy_249\",\"policy_id\":249,\"request_id\":\"8db1ca21-4d8b-4c08-b7bc-a63186cd7740\",\"vertex_type\":\"ioa\",\"cid\":\"bdc3e3474d8848f1b8dcf41d41669a14\",\"request_parameters\":\"{\\\"instancesSet\\\":{\\\"items\\\":[{\\\"instanceId\\\":\\\"i-0e244c4469aea5be0\\\"}]},\\\"force\\\":false,\\\"skipOsShutdown\\\":false}\",\"vertex_id\":\"249:c7c1f904-44bb-4690-9816-c510246c3b6a:ioa\",\"user_identity_user_name\":\"buildkite\",\"policy_description\":\"An IAM user was detected to have manually deleted an EC2 instance. This may indicate malicious activity in that it was not auto-scaling or some other automation that deleted the instance.\",\"user_identity_arn\":\"arn:aws:iam::144492464627:user/services/buildkite\",\"source_ip_address\":\"89.160.20.112\",\"user_identity_account_id\":\"144492464627\",\"user_identity_mfa_authenticated\":\"false\",\"user_agent\":\"APN/1.0 HashiCorp/1.0 Terraform/1.12.1 (+https://www.terraform.io) terraform-provider-aws/4.61.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.232 (go1.19.7; linux; amd64)\",\"cloudplatform\":1,\"service\":\"EC2\",\"event_id\":\"c7c1f904-44bb-4690-9816-c510246c3b6a\",\"read_only\":false,\"policy_statement\":\"EC2 instance manually deleted by IAM user\",\"management_event\":true,\"user_identity_access_key_id\":\"AKIASDJDMBHZ3YGQZQ4Q\"}",
+                "severity": 73,
+                "type": [
+                    "info",
+                    "change"
+                ]
+            },
+            "message": "EC2 instance manually deleted by IAM user",
+            "related": {
+                "ip": [
+                    "89.160.20.112"
+                ],
+                "user": [
+                    "buildkite",
+                    "AIDASDJDMBHZXZ7A56T2M"
+                ]
+            },
+            "rule": {
+                "description": "An IAM user was detected to have manually deleted an EC2 instance. This may indicate malicious activity in that it was not auto-scaling or some other automation that deleted the instance.",
+                "id": "249",
+                "name": "EC2 instance manually deleted by IAM user"
+            },
+            "source": {
+                "address": "89.160.20.112",
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "domain": "ec2.amazonaws.com",
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.112"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "threat": {
+                "tactic": {
+                    "name": [
+                        "Impact"
+                    ]
+                },
+                "technique": {
+                    "name": [
+                        "Data Destruction"
+                    ]
+                }
+            },
+            "user": {
+                "id": "AIDASDJDMBHZXZ7A56T2M",
+                "name": "buildkite"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "aws-sdk-go",
+                "original": "APN/1.0 HashiCorp/1.0 Terraform/1.12.1 (+https://www.terraform.io) terraform-provider-aws/4.61.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.232 (go1.19.7; linux; amd64)",
+                "os": {
+                    "name": "Linux"
+                },
+                "version": "1.44.232"
+            }
+        }
+    ]
+}

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-ioa.log-expected.json

@@ -0,0 +1 @@
+{"event_simpleName":"CloudSecurityIOMEvaluation","cid":"bdc3e3474d8848f1b8dcf41d41669a14","crn":"aws|144492464627|global|AWS::Account|144492464627","created":"2025-10-13T03:59:08.974734575Z","firstDetected":"2025-10-08T13:03:26.203492662Z","lastDetected":"2025-10-13T03:59:08.974734575Z","revision":7,"ruleId":"abc16f84-2de2-4f2e-9f9c-d510f47b75fb","ruleName":"[Custom Test] EBS volume encryption is not enabled by default in all regions","legacyPolicyId":100056,"severity":"informational","status":"Unresolved","findings":[{"name":"Encryption Enabled","value":"False"},{"name":"Region","value":"[\"ca-central-1\",\"sa-east-1\",\"eu-central-1\",\"eu-west-1\",\"us-east-1\",\"us-east-2\",\"us-west-2\",\"ap-northeast-2\",\"ap-southeast-1\",\"ap-south-1\",\"us-west-1\",\"eu-west-3\",\"ap-northeast-3\",\"ap-southeast-2\",\"ap-northeast-1\",\"eu-west-2\",\"eu-north-1\"]"}],"url":"https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Volumes:","resource":{"accountId":"144492464627","cloudProvider":"aws","region":"global","captured":"2025-10-13T03:59:08.167485551Z","resourceId":"144492464627","resourceType":"AWS::Account","legacyResourceId":"144492464627","legacyResourceTypeId":116},"compliance":{"frameworks":["Amazon","CIS"],"versions":["11.2024","v1.0.0"],"benchmarkNames":["AWS Well-Architected Framework (Section 2 - Security) 11.2024","AWS Foundational Security Best Practices v1.0.0"],"sections":["SEC 8. How do you protect your data at rest?","EC2"],"requirements":["SEC08-BP03","EC2.7"]},"threat":{"framework":"MITRE ATT\u0026CK","technique":{"id":"T1530","name":"Data from Cloud Storage","reference":"https://attack.mitre.org/techniques/T1530/"},"tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009/"}}}