Custom CrowdStrike AV Event
AV Scan Results In A Detection Summary
Regex
.*\W+dhost=(\S+).duser=(\S+).fname=(\S+)\W+filePath=(.*)\W+fileHash=(\S+)\W+dntdom=(\S+).*\W+cs1=(.*)\W+cs4Label.*cs5=(.*)\W+cs6Label=.*technique=(.*)\W+objective=(.*)\W+patternDisposition=(.*)\W+outcome=(\S+)
Original Log from CrowdStrike
CEF:0|CrowdStrike|FalconHost|1.0|AV Scan Results In A Detection Summary Event|AV Scan Results In A Detection Summary Event|2| cat=Machine Learning externalId=f68babc717194c41484e1fcac574b92f cn2Label=ProcessId cn2=938414133373 dhost=PC1 duser=User$ fname=GoogleUpdate.exe filePath=\Device\HarddiskVolume3\Program Files (x86)\Google\Update fileHash=9883ea0b5b8ae254e1bd6777abcab22a dntdom=umairworld.com cs2Label=ScanResultEngine cs2=Microsoft cs1Label=ScanResultName cs1=Trojan:Win32/Occamy.C cs4Label=ScanResultVersion cs4=1.1.15900.4 cs5Label=CommandLine cs5="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/f68babc717194c41484e1fcac574b92f/167530043711?_cid=e47f8d6fccd8408665f27776814b0545 cn3Label=Offset cn3=2164 rt=1559539292000 technique=Cloud-based ML objective=Falcon Detection Method patternDisposition=Detection, standard detection. outcome=0
Detection
Group | Position | Match |
Group 1. | 233-245 | PC1 |
Group 2. | 252-265 | Username$ |
Group 3. | 272-288 | GoogleUpdate.exe |
Group 4. | 298-360 | \Device\HarddiskVolume3\Program Files (x86)\Google\Update |
Group 5. | 370-402 | 9883ea0b5b8ae254e1bd6777abcab22a |
Group 6. | 410-414 | umairworld.com |
Group 7. | 483-504 | Trojan:Win32/Occamy.C |
Group 8. | 573-661 | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler |
Group 9. | 885-899 | Cloud-based ML |
Group 10. | 910-933 | Falcon Detection Method |
Group 11. | 953-983 | Detection, standard detection. |
Group 12. | 992-993 | 0 |
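As an added example (not code from the original page), the regex above with its dropped `*` quantifiers restored is applied to the log line in Python, next to a parser that splits the CEF extension on `key=` boundaries so it does not depend on the field order. The names `parse_av_event`, `parse_cef`, `KEY_BOUNDARY` and `FIELDS` are chosen here, and `\W+` is used between every key where the page uses a bare `.`.

```python
import re
# The page's regex with the dropped "*" quantifiers restored (\W+ between every key);
# each greedy (.*) absorbs a value that contains spaces and stops at the next key.
AV_EVENT_RE = re.compile(
    r".*\W+dhost=(\S+)\W+duser=(\S+)\W+fname=(\S+)\W+filePath=(.*)\W+fileHash=(\S+)"
    r"\W+dntdom=(\S+).*\W+cs1=(.*)\W+cs4Label.*cs5=(.*)\W+cs6Label=.*technique=(.*)"
    r"\W+objective=(.*)\W+patternDisposition=(.*)\W+outcome=(\S+)"
)
FIELDS = ("dhost", "duser", "fname", "filePath", "fileHash", "dntdom",
          "cs1", "cs5", "technique", "objective", "patternDisposition", "outcome")
# Extension keys start after whitespace as "key="; splitting only there keeps spaces
# and the unescaped "=" inside values (the cs5 command line, the cs6 URL) intact.
KEY_BOUNDARY = re.compile(r"\s+(?=\w+=)")

# The log line from the page (straight quotes in cs5), embedded here as test input.
SAMPLE = (
    "CEF:0|CrowdStrike|FalconHost|1.0|AV Scan Results In A Detection Summary Event|"
    "AV Scan Results In A Detection Summary Event|2| cat=Machine Learning "
    "externalId=f68babc717194c41484e1fcac574b92f cn2Label=ProcessId cn2=938414133373 "
    "dhost=PC1 duser=User$ fname=GoogleUpdate.exe "
    r"filePath=\Device\HarddiskVolume3\Program Files (x86)\Google\Update "
    "fileHash=9883ea0b5b8ae254e1bd6777abcab22a dntdom=umairworld.com "
    "cs2Label=ScanResultEngine cs2=Microsoft cs1Label=ScanResultName "
    "cs1=Trojan:Win32/Occamy.C cs4Label=ScanResultVersion cs4=1.1.15900.4 "
    r'cs5Label=CommandLine cs5="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"'
    " /ua /installsource scheduler cs6Label=FalconHostLink "
    "cs6=https://falcon.crowdstrike.com/activity/detections/detail/"
    "f68babc717194c41484e1fcac574b92f/167530043711?_cid=e47f8d6fccd8408665f27776814b0545 "
    "cn3Label=Offset cn3=2164 rt=1559539292000 technique=Cloud-based ML "
    "objective=Falcon Detection Method patternDisposition=Detection, standard detection. "
    "outcome=0"
)

def parse_av_event(line):
    """Positional parse with the page's regex; None if the keys come in another order."""
    m = AV_EVENT_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def parse_cef(line):
    """Order-independent parse: the 7 CEF header fields plus every extension key."""
    parts = line.split("|", 7)  # header fields are pipe-separated; extension is last
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(("version", "vendor", "product", "device_version",
                       "signature_id", "name", "severity"), parts[:7]))
    extension = {}
    for token in KEY_BOUNDARY.split(parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = value
    return header, extension
```

The positional regex returns None as soon as a field is missing or reordered, while the key-boundary parser still yields every key, so it is the safer base for a parser that must keep working across event formatting changes.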