diff --git a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.xif b/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.xif
deleted file mode 100644
index fb35d4cb..00000000
--- a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.xif
+++ /dev/null
@@ -1,78 +0,0 @@
-// SOC CrowdStrike Falcon Modeling Rules
-// Dataset: crowdstrike_falcon_event_raw
-// Version: 1.2
-//
-// Changes from v1.1:
-// FIXED: fromversion corrected to 6.10.0 (was incorrectly set to 8.3.1 -- caused 101704 upload rejection)
-// FIXED: local_process_id declared in schema.json (was used in XIF but missing from schema)
-// ADDED: xdm.event.id = composite_id (confirmed valid per XDM docs example)
-// ADDED: xdm.source.host.device_id = device->device_id (confirmed valid per XDM field structure docs)
-// ADDED: xdm.source.agent.identifier = agent_id (deferred -- verify with XQL probe before deploy)
-// ADDED: xdm.observer.unique_identifier = agent_id (deferred -- verify with XQL probe before deploy)
-// DEFERRED: xdm.target.ipv4/port via arrayindex -- needs XQL probe to confirm arrayindex works in XIF context
-//
-// Changes from v1.0 (shipped in 1.0.14):
-// xdm.event.original_event_type = scenario (was incident_type)
-// scenario is the CrowdStrike classification string (known_malware, credential_theft, etc.)
-//
-// XDM fields requested but NOT available in crowdstrike_falcon_event_raw EPP events:
-// xdm.target.ipv6, xdm.source.ipv6 -- no IPv6 in CrowdStrike EPP device object
-// xdm.source.port -- local port not emitted in EPP detections
-// xdm.source.asn.* -- requires network telemetry
-// xdm.source.location.* -- requires external geo enrichment
-// xdm.intermediate.is_nat/is_proxy -- network flow concept; not in EPP events
-// xdm.event.is_completed/duration -- not emitted by EPP
-// xdm.target/source.sent_bytes/packets -- flow data; not in EPP detections
-// xdm.source.user_agent -- HTTP context; not in EPP events
-// xdm.source.process.container_id -- not in EPP detections
-// xdm.source.host.device_category/model/manufacturer -- not in CS device object
-// xdm.target.* -- EPP events are source-centric; no target host/agent
-// xdm.source.interface -- not in EPP events
-
-[MODEL:dataset="crowdstrike_falcon_event_raw"]
-filter product = "epp"
-| alter
- // -- Alert / Event Identity --------------------------------------------
- xdm.alert.severity = concat(to_string(severity), " - ", severity_name),
- xdm.event.id = composite_id,
- xdm.event.original_event_type = scenario,
- xdm.event.description = description,
- xdm.event.type = incident_type,
-
- // -- Source Host -------------------------------------------------------
- xdm.source.host.hostname = device -> hostname,
- xdm.source.host.fqdn = device -> machine_domain,
- xdm.source.host.os_family = device -> os_version,
- xdm.source.host.device_id = device -> device_id,
- xdm.source.ipv4 = device -> local_ip,
-
- // -- Source Agent -----------------------------------------------------
- xdm.source.agent.identifier = agent_id,
-
- // -- Source User -------------------------------------------------------
- xdm.source.user.username = user_name,
- xdm.source.user.domain = device -> machine_domain,
- xdm.source.user.groups = device -> groups[],
-
- // -- Source Process 
----------------------------------------------------
- xdm.source.process.pid = to_integer(local_process_id),
- xdm.source.process.name = parent_details -> filename,
- xdm.source.process.command_line = parent_details -> cmdline,
- xdm.source.process.executable.path = parent_details -> filepath,
- xdm.source.process.executable.sha256 = parent_details -> sha256;
-
-// ===========================================================================
-// DEFERRED -- verify with XQL probe before promoting to alter block
-//
-// xdm.observer.unique_identifier = agent_id
-// dataset = crowdstrike_falcon_event_raw | filter product = "epp"
-// | alter xdm.observer.unique_identifier = agent_id | fields xdm.observer.unique_identifier | limit 5
-//
-// xdm.target.ipv4 = arrayindex(network_accesses,0)->remote_address
-// dataset = crowdstrike_falcon_event_raw | filter product = "epp"
-// | alter t = arrayindex(network_accesses,0)->remote_address | fields t | limit 5
-// Note: if arrayindex fails in XIF context, try: network_accesses[0]->remote_address
-//
-// xdm.target.port = to_integer(arrayindex(network_accesses,0)->remote_port)
-// Only run after target.ipv4 probe succeeds.
-// ===========================================================================
diff --git a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.yml b/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.yml
deleted file mode 100644
index fbd310a2..00000000
--- a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-fromversion: 6.10.0
-id: SOC_CrowdStrikeFalcon_ModelingRule
-name: SOC CrowdStrike Falcon Modeling Rule
-rules: "// SOC CrowdStrike Falcon Modeling Rules\n// Dataset: crowdstrike_falcon_event_raw\n// Version: 1.2\n//\n// Changes from v1.1:\n// FIXED: fromversion corrected to 6.10.0 (was incorrectly set to 8.3.1 — caused 101704 upload rejection)\n// FIXED: local_process_id declared in schema.json (was used in XIF but missing from schema)\n// ADDED: xdm.event.id = composite_id (confirmed valid per XDM docs example)\n// ADDED: xdm.source.host.device_id = device->device_id (confirmed valid per XDM field structure docs)\n// ADDED: xdm.source.agent.identifier = agent_id (deferred — verify with XQL probe before deploy)\n// ADDED: xdm.observer.unique_identifier = agent_id (deferred — verify with XQL probe before deploy)\n// DEFERRED: xdm.target.ipv4/port via arrayindex — needs XQL probe to confirm arrayindex works in XIF context\n//\n// Changes from v1.0 (shipped in 1.0.14):\n// xdm.event.original_event_type = scenario (was incident_type)\n// scenario is the CrowdStrike classification string (known_malware, credential_theft, etc.)\n//\n// XDM fields requested but NOT available in crowdstrike_falcon_event_raw EPP events:\n// xdm.target.ipv6, xdm.source.ipv6 — no IPv6 in CrowdStrike EPP device object\n// xdm.source.port — local port not emitted in EPP detections\n// xdm.source.asn.* — requires network telemetry\n// xdm.source.location.* — requires external geo enrichment\n// xdm.intermediate.is_nat/is_proxy — network flow concept; not in EPP events\n// xdm.event.is_completed/duration — not emitted by EPP\n// xdm.target/source.sent_bytes/packets — flow data; not in EPP detections\n// xdm.source.user_agent — HTTP context; not in EPP events\n// xdm.source.process.container_id — not in EPP detections\n// xdm.source.host.device_category/model/manufacturer — not in CS device object\n// xdm.target.* — EPP events are source-centric; no target host/agent\n// 
xdm.source.interface — not in EPP events\n\n[MODEL:dataset=\"crowdstrike_falcon_event_raw\"]\nfilter product = \"epp\"\n| alter\n // ── Alert / Event Identity ────────────────────────────────────────────\n xdm.alert.severity = concat(to_string(severity), \" - \", severity_name),\n xdm.event.id = composite_id,\n xdm.event.original_event_type = scenario,\n xdm.event.description = description,\n xdm.event.type = incident_type,\n\n // ── Source Host ───────────────────────────────────────────────────────\n xdm.source.host.hostname = device -> hostname,\n xdm.source.host.fqdn = device -> machine_domain,\n xdm.source.host.os_family = device -> os_version,\n xdm.source.host.device_id = device -> device_id,\n xdm.source.ipv4 = device -> local_ip,\n\n // ── Source Agent ─────────────────────────────────────────────────────\n xdm.source.agent.identifier = agent_id,\n\n // ── Source User ───────────────────────────────────────────────────────\n xdm.source.user.username = user_name,\n xdm.source.user.domain = device -> machine_domain,\n xdm.source.user.groups = device -> groups[],\n\n // ── Source Process ────────────────────────────────────────────────────\n xdm.source.process.pid = to_integer(local_process_id),\n xdm.source.process.name = parent_details -> filename,\n xdm.source.process.command_line = parent_details -> cmdline,\n xdm.source.process.executable.path = parent_details -> filepath,\n xdm.source.process.executable.sha256 = parent_details -> sha256;\n\n// ═══════════════════════════════════════════════════════════════════════════\n// DEFERRED — verify with XQL probe before promoting to alter block\n//\n// xdm.observer.unique_identifier = agent_id\n// dataset = crowdstrike_falcon_event_raw | filter product = \"epp\"\n// | alter xdm.observer.unique_identifier = agent_id | fields xdm.observer.unique_identifier | limit 5\n//\n// xdm.target.ipv4 = arrayindex(network_accesses,0)->remote_address\n// dataset = crowdstrike_falcon_event_raw | filter product = \"epp\"\n// | 
alter t = arrayindex(network_accesses,0)->remote_address | fields t | limit 5\n// Note: if arrayindex fails in XIF context, try: network_accesses[0]->remote_address\n//\n// xdm.target.port = to_integer(arrayindex(network_accesses,0)->remote_port)\n// Only run after target.ipv4 probe succeeds.\n// ═══════════════════════════════════════════════════════════════════════════\n"
-schema: "{\n \"crowdstrike_falcon_event_raw\": {\n \"product\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"severity\": {\n \"type\": \"int\",\n \"is_array\": false\n },\n \"severity_name\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"incident_type\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"description\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"local_process_id\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"parent_process_id\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"composite_id\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"agent_id\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"device\": {\n \"type\": \"json\",\n \"is_array\": false\n },\n \"user_name\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"parent_details\": {\n \"type\": \"json\",\n \"is_array\": false\n },\n \"scenario\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"user_principal\": {\n \"type\": \"string\",\n \"is_array\": false\n },\n \"pattern_disposition_details\": {\n \"type\": \"json\",\n \"is_array\": false\n },\n \"network_accesses\": {\n \"type\": \"json\",\n \"is_array\": true\n },\n \"dns_requests\": {\n \"type\": \"json\",\n \"is_array\": true\n },\n \"files_written\": {\n \"type\": \"json\",\n \"is_array\": true\n }\n }\n}\n"
diff --git a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules_schema.json b/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules_schema.json
deleted file mode 100644
index c896bd8a..00000000
--- a/Packs/soc-crowdstrike-falcon/new-ModelingRules/SOCCrowdStrikeFalconModelingRules/SOCCrowdStrikeFalconModelingRules_schema.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "crowdstrike_falcon_event_raw": {
- "product": {
- "type": "string",
- "is_array": false
- },
- "severity": {
- "type": "int",
- "is_array": false
- },
- "severity_name": {
- "type": "string",
- "is_array": false
- },
- "incident_type": {
- "type": "string",
- "is_array": false
- },
- "description": {
- "type": "string",
- "is_array": false
- },
- "local_process_id": {
- "type": "string",
- "is_array": false
- },
- "parent_process_id": {
- "type": "string",
- "is_array": false
- },
- "composite_id": {
- "type": "string",
- "is_array": false
- },
- "agent_id": {
- "type": "string",
- "is_array": false
- },
- "device": {
- "type": "json",
- "is_array": false
- },
- "user_name": {
- "type": "string",
- "is_array": false
- },
- "parent_details": {
- "type": "json",
- "is_array": false
- },
- "scenario": {
- "type": "string",
- "is_array": false
- },
- "user_principal": {
- "type": "string",
- "is_array": false
- },
- "pattern_disposition_details": {
- "type": "json",
- "is_array": false
- },
- "network_accesses": {
- "type": "json",
- "is_array": true
- },
- "dns_requests": {
- "type": "json",
- "is_array": true
- },
- "files_written": {
- "type": "json",
- "is_array": true
- }
- }
-}