elastic · tonymeehan · Mar 31, 2020 · Feb 21, 2020 · Feb 21, 2020 · Feb 21, 2020
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
diff --git a/filebeat/docs/images/siem-alerts-cs.jpg b/filebeat/docs/images/siem-alerts-cs.jpg
diff --git a/filebeat/docs/images/siem-events-cs.jpg b/filebeat/docs/images/siem-events-cs.jpg
diff --git a/filebeat/docs/modules/crowdstrike.asciidoc b/filebeat/docs/modules/crowdstrike.asciidoc
@@ -0,0 +1,92 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-crowdstrike]]
+[role="xpack"]
+
+:modulename: crowdstrike
+:has-dashboards: true
+
+== Crowdstrike module
+
+This is the filebeat module for the Crowdstrike Falcon using the Falcon https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem[SIEM Connector]. This module collects this data, converts it to ECS, and ingests it to view in the SIEM. By default, the Falcon SIEM connector outputs JSON formated Falcon Streaming API event data in JSON format.
+
+This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+This input supports Crowdstrike Falcon SIEM-Connector-v2.0.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Dashboards
+
+The best way to view Crowdstrike events and alert data is in the SIEM. 
+
+[role="screenshot"]
+image::./images/siem-alerts-cs.jpg[]
+
+[float]
+For alerts, go to Detections -> External alerts.
+
+[role="screenshot"]
+image::./images/siem-events-cs.jpg[]
+
+[float]
+And for all over event Crowdstrike Falcon event types, go to Host -> Events.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: falcon_endpoint
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `falcon_endpoint` fileset settings
+
+The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+
+["source","yaml",subs="attributes"]
+-----
+var:
+  - name: paths
+    default:
+      - /var/log/crowdstrike/falconhoseclient/output
+-----
+
+include::../include/var-paths.asciidoc[]
+
+:fileset_ex: falcon_audit
+
+[float]
+==== `falcon_audit` fileset settings
+
+The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, and UserActivityAuditEvent events.
+
+["source","yaml",subs="attributes"]
+-----
+var:
+  - name: paths
+    default:
+      - /var/log/crowdstrike/falconhoseclient/output
+-----
+
+include::../include/var-paths.asciidoc[]
+
+
+:has-dashboards!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-crowdstrike,exported fields>> section.
+
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc
@@ -11,6 +11,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-cef>>
   * <<filebeat-module-cisco>>
   * <<filebeat-module-coredns>>
+  * <<filebeat-module-crowdstrike>>
   * <<filebeat-module-elasticsearch>>
   * <<filebeat-module-envoyproxy>>
   * <<filebeat-module-googlecloud>>
@@ -54,6 +55,7 @@ include::modules/azure.asciidoc[]
 include::modules/cef.asciidoc[]
 include::modules/cisco.asciidoc[]
 include::modules/coredns.asciidoc[]
+include::modules/crowdstrike.asciidoc[]
 include::modules/elasticsearch.asciidoc[]
 include::modules/envoyproxy.asciidoc[]
 include::modules/googlecloud.asciidoc[]

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -333,6 +333,23 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#----------------------------- Crowdstrike Module -----------------------------
+- module: crowdstrike
+
+  falcon_endpoint:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  falcon_audit:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #---------------------------- Elasticsearch Module ----------------------------
 - module: elasticsearch
   # Server log

diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
diff --git a/x-pack/filebeat/module/crowdstrike/_meta/config.yml b/x-pack/filebeat/module/crowdstrike/_meta/config.yml
@@ -0,0 +1,15 @@
+- module: crowdstrike
+
+  falcon_endpoint:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  falcon_audit:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
diff --git a/x-pack/filebeat/module/crowdstrike/_meta/docs.asciidoc b/x-pack/filebeat/module/crowdstrike/_meta/docs.asciidoc
@@ -0,0 +1,79 @@
+[role="xpack"]
+
+:modulename: crowdstrike
+:has-dashboards: true
+
+== Crowdstrike module
+
+This is the filebeat module for the Crowdstrike Falcon using the Falcon https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem[SIEM Connector]. This module collects this data, converts it to ECS, and ingests it to view in the SIEM. By default, the Falcon SIEM connector outputs JSON formated Falcon Streaming API event data in JSON format.
+
+This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.
-This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.
-This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+This input supports Crowdstrike Falcon SIEM-Connector-v2.0.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Dashboards
+
+The best way to view Crowdstrike events and alert data is in the SIEM. 
+
+[role="screenshot"]
+image::./images/siem-alerts-cs.jpg[]
+
+[float]
+For alerts, go to Detections -> External alerts.
+
+[role="screenshot"]
+image::./images/siem-events-cs.jpg[]
+
+[float]
+And for all over event Crowdstrike Falcon event types, go to Host -> Events.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: falcon_endpoint
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `falcon_endpoint` fileset settings
+
+The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+
+["source","yaml",subs="attributes"]
+-----
+var:
+  - name: paths
+    default:
+      - /var/log/crowdstrike/falconhoseclient/output
+-----
+
+include::../include/var-paths.asciidoc[]
+
+:fileset_ex: falcon_audit
+
+[float]
+==== `falcon_audit` fileset settings
+
+The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, and UserActivityAuditEvent events.
+
+["source","yaml",subs="attributes"]
+-----
+var:
+  - name: paths
+    default:
+      - /var/log/crowdstrike/falconhoseclient/output
+-----
+
+include::../include/var-paths.asciidoc[]
+
+
+:has-dashboards!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/crowdstrike/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/_meta/fields.yml
@@ -0,0 +1,42 @@
+- key: crowdstrike
+  title: "Crowdstrike"
+  release: beta
+  description: >
+    Module for collecting Crowdstrike events.
+  fields:
+    - name: crowdstrike
+      type: group
+      description: >
+        Fields for Crowdstrike Falcon event and alert data.
+      fields:
+        - name: metadata
+          title: Metadata fields
+          description: >
+            Meta data fields for each event that include type and timestamp.
+          type: group
+          default_field: false
+          fields:
+            - name: eventType
+              type: text
+              description: >
+                DetectionSummaryEvent or IncidentSummaryEvent
+
+            - name: eventCreationTime
+              type: date
+              description: >
+                The time this event occurred on the endpoint in UTC UNIX_MS format.
+
+            - name: offset
+              type: integer
+              description: >
+                Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
+
+            - name: customerIDString
+              type: text
+              description: >
+                Customer identifier
+
+            - name: version
+              type: text
+              description: >
+                Schema version
diff --git a/x-pack/filebeat/module/crowdstrike/_meta/images/siem-alerts-cs.jpg b/x-pack/filebeat/module/crowdstrike/_meta/images/siem-alerts-cs.jpg
diff --git a/x-pack/filebeat/module/crowdstrike/_meta/images/siem-events-cs.jpg b/x-pack/filebeat/module/crowdstrike/_meta/images/siem-events-cs.jpg
diff --git a/x-pack/filebeat/module/crowdstrike/falcon_audit/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon_audit/_meta/fields.yml
@@ -0,0 +1,61 @@
+- name: event
+  title: Event fields
+  description: >
+    Event data fields for each event and alert.
+  type: group
+  default_field: false
+  fields: 
+    - name: UserId
+      type: text
+      description: >
+        Email address or user ID associated with the event.
+
+    - name: UserIp
+      type: text
+      description: >
+        IP address associated with the user.
+
+    - name: OperationName
+      type: text
+      description: >
+        Event subtype.
+
+    - name: ServiceName
+      type: text
+      description: >
+        Service associated with this event.
+
+    - name: Success
+      type: boolean
+      description: >
+        Indicator of whether or not this event was successful.
+
+    - name: UTCTimestamp
+      type: date
+      description: >
+        Timestamp associated with this event in UTC UNIX format.
+
+    - name: AuditKeyValues
+      type: nested
+      description: >
+        Fields that were changed in this event.
+
+    - name: SessionId
+      type: text
+      description: >
+        Session ID of the remote response session.
+
+    - name: HostnameField
+      type: text
+      description: >
+        Host name of the machine for the remote session.
+
+    - name: StartTimestamp
+      type: date
+      description: >
+        Start time for the remote session in UTC UNIX format.
+
+    - name: EndTimestamp
+      type: date
+      description: >
+        End time for the remote session in UTC UNIX format.
diff --git a/x-pack/filebeat/module/crowdstrike/falcon_audit/config/falcon_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon_audit/config/falcon_audit.yml
@@ -0,0 +1,19 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+# Crowdstrike Falcon SIEM connector logs are multiline JSON by default
+multiline.pattern: '^{'
+multiline.negate: true
+multiline.match: after
+multiline.max_lines: 5000
+multiline.timeout: 10
+
+processors:
+- script:
+    lang: javascript
+    id: crowdstrike_falcon_audit
+    file: ${path.home}/module/crowdstrike/falcon_audit/config/pipeline.js