From 44838eef7b60180a8599a43d7165e24852c35270 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 6 Dec 2024 18:50:11 +0530 Subject: [PATCH 01/11] created new doc- Crowdstrike Falcon FileVantage (Apps) --- blog-service/2024-12-11-apps.md | 14 ++ cid-redirects.json | 1 + .../product-list/product-list-a-l.md | 2 +- .../crowdstrike-falcon-filevantage.md | 175 ++++++++++++++++++ docs/integrations/saas-cloud/index.md | 6 + sidebars.ts | 1 + 6 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 blog-service/2024-12-11-apps.md create mode 100644 docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md diff --git a/blog-service/2024-12-11-apps.md b/blog-service/2024-12-11-apps.md new file mode 100644 index 0000000000..2058827e08 --- /dev/null +++ b/blog-service/2024-12-11-apps.md @@ -0,0 +1,14 @@ +--- +title: Crowdstrike Falcon FileVantage (Apps) +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - crowdstrike-falcon-filevantage + - apps +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +We're excited to introduce the new Crowdstrike Falcon FileVantage app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Crowdstrike FileVantage source that collects FileVantage logs from CrowdStrike. It enables the detection of unauthorized or high-risk file changes, policy violations, and suspicious activities that may indicate potential threats or compliance breaches. [Learn more](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/). diff --git a/cid-redirects.json b/cid-redirects.json index 8e755c1315..8c2974456a 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -2085,6 +2085,7 @@ "/cid/4019": "/docs/send-data/installed-collectors/sources/script-action", "/cid/4412": "/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory", "/cid/44122": "/docs/integrations/saas-cloud/crowdstrike-spotlight", + "/cid/44123": "/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage", "/cid/4020": "/docs/search/logreduce", "/cid/4021": "/docs/search/search-query-language/search-operators/accum", "/cid/40001": "/docs/search/search-query-language/search-operators/as", diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index e6569dc858..cee515bb7e 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -168,7 +168,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Couchbase](https://www.couchbase.com/) | Apps:
- [Couchbase](/docs/integrations/databases/couchbase/)
- [Couchbase - OpenTelemetry](/docs/integrations/databases/opentelemetry/couchbase-opentelemetry/) | | Thumbnail icon | [Cribl](https://cribl.io/) | Automation integration: [Cribl](/docs/platform-services/automation-service/app-central/integrations/cribl/)
Partner integration: [Cribl](https://docs.cribl.io/stream/destinations-sumo-logic/) | | Thumbnail icon | [Criminal IP](https://www.criminalip.io/) | Automation integration: [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip) | -| Thumbnail icon | [CrowdStrike](https://www.crowdstrike.com/) | Apps:
- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/)
- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)
- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight)
Automation integrations:
- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/)
- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/)
- [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/)
- [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/)
Cloud SIEM integrations:
- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md)
- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md)
Collectors:
- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/)
- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)
- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/)
- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)
- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/) | +| Thumbnail icon | [CrowdStrike](https://www.crowdstrike.com/) | Apps:
- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/)
- [Crowdstrike Falcon FileVantage](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/)
- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)
- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight)
Automation integrations:
- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/)
- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/)
- [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/)
- [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/)
Cloud SIEM integrations:
- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md)
- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md)
Collectors:
- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/)
- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)
- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/)
- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)
- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/) | | Thumbnail icon | [Cuckoo](https://cuckoo.readthedocs.io/en/latest/#) | Automation integration: [Cuckoo](/docs/platform-services/automation-service/app-central/integrations/cuckoo/) | | Thumbnail icon | [CyberArk](https://www.cyberark.com/) | Automation integrations:
- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/)
- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam)
Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md)
Collector: [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/) | | cyberint | [CyberInt](https://cyberint.com/) | Automation integration: [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) | diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md new file mode 100644 index 0000000000..05257eefc1 --- /dev/null +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md 
@@ -0,0 +1,175 @@ +--- +id: crowdstrike-falcon-filevantage +title: Crowdstrike Falcon FileVantage +sidebar_label: Crowdstrike Falcon FileVantage +description: Analyze CrowdStrike Falcon FileVantage data to identify unauthorized file changes, policy violations, and unusual activity indicating potential threats or compliance breaches. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic app for CrowdStrike Falcon FileVantage enables security analysts to monitor and analyze file integrity across your environment. Leveraging the CrowdStrike Falcon FileVantage data helps detect unauthorized or high-risk file changes, policy violations, and suspicious activity that may indicate potential threats or compliance breaches. + +Key features of the CrowdStrike Falcon FileVantage app include: + +- **File integrity monitoring**. Obtain a comprehensive overview of file changes, organized by severity and type, including write, delete, rename, and permission changes. Additionally, you can gain insights into file changes based on the operating system version and view detailed information, such as rule violations and suppressed changes. +- **Host based monitoring**. Monitor the hosts, users, and processes involved in the file modifications to identify anomalies. +- **Policy violation detection**. Identify high-risk file activities and policy violations, focusing on severity, suspicious file creations, and deletions. Analyzing trends over time helps detect spikes in malicious activity. + +Use cases for the CrowdStrike Falcon FileVantage app include: + +- **Security monitoring**. Detect unauthorized or unusual file activities in real time, such as critical file deletions or configuration changes. +- **Compliance**: Monitor adherence to file integrity policies and flag violations that might impact compliance with regulatory requirements. +- **Threat investigation**. 
Investigate suspicious file modifications to uncover potential breaches or insider threats. +- **Host Activity Analysis**. Analyze file changes at the host level to identify risky behaviors or compromised endpoints. + +The Sumo Logic app for Crowdstrike Falcon FileVantage is an essential tool for security teams. It provides the visibility and intelligence needed to detect and respond to file-related threats, ensuring data integrity and compliance across the organization. + +:::info +This app includes [built-in monitors](#crowdstrike-fdr-host-inventory-alerts). For details on creating custom monitors, refer to [Create monitors for CrowdStrike FDR Host Inventory app](#create-monitors-for-crowdstrike-fdr-host-inventory-app). +::: + +## Log types + +This App uses Sumo Logic’s [CrowdStrike FileVantage Source](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to collect the FileVantage logs from CrowdStrike. + +### Sample log message + +
+Event Log + +```json +{ + "id": "d456mnopq4567rstuvwx8901yzab5678fghij", + "cid": "e567rstuvwx8901yzab5678fghijklmopqrs", + "aid": "f678yzab5678fghijklmnoqrstuvwxyza345", + "platform_name": "Windows", + "ingestion_timestamp": "2024-11-27T10:05:50Z", + "entity_type": "FOLDER", + "entity_path": "D:\\Projects\\NewProject\\", + "is_from_different_mount_namespace": false, + "action_type": "CREATE", + "action_timestamp": "2024-11-27T10:05:50Z", + "severity": "HIGH", + "process_id": "3344556677889", + "process_image_file_name": "D:\\Tools\\project_tool.exe", + "user_id": "1100", + "user_name": "projectadmin", + "command_line": "project_tool.exe --new D:\\Projects\\NewProject\\", + "diff": {}, + "host": { + "name": "devserver01.example.com", + "os_version": "Windows 10", + "local_ip": "192.168.5.50", + "external_ip": "198.51.100.14", + "agent_version": "8.29.17000.0", + "containment_status": "normal", + "groups": [ + { + "name": "Development" + } + ] + }, + "policy": { + "name": "Project Folder Policy", + "rule_group": { + "name": "Project Folder Monitoring", + "rule": { + "base_path": "D:\\Projects\\" + } + } + }, + "is_suppressed": true, + "real_user_id": "1100", + "parent_process_image_file_name": "explorer.exe", + "grandparent_process_image_file_name": "cmd.exe", + "tags": [ + { + "name": "NewProject" + } + ], + "prevalence": { + "key": "14:14:FOLDER:CREATE:D:\\Projects\\NewProject\\::project_tool.exe:projectadmin", + "current": "RARE", + "reported": "RARE", + "computed_timestamp": "2024-11-27T10:06:50Z" + } +} +``` +
+ +### Sample queries + +```sql title="File Changes" +_sourceCategory="Labs/CrowdStrikeFalconFileVantage" entity_type file +| json "id", "is_suppressed", "severity", "entity_type", "action_type", "host.os_version", "platform_name", "host.name", "user_name", "policy.rule_group.name", "policy.rule_group.rule.base_path", "process_id", "process_image_file_name", "host.external_ip", "action_timestamp", "entity_path", "policy.name" as id, is_suppressed, severity, entity_type, action_type, os_version, platform_name, host_name, user_name, rule_group_name, rule_base_path, process_id, process_image_file_name, ip, action_timestamp, entity_path, policy_name nodrop + +| where action_type matches "{{action_type}}" and entity_type matches"{{entity_type}}" and entity_path matches"{{entity_path}}" and host_name matches"{{host_name}}" and user_name matches"{{user_name}}"and os_version matches"{{os_version}}" and rule_group_name matches"{{rule_group_name}}" and policy_name matches"{{policy_name}}" and severity matches"{{severity}}" + +| where toLowerCase(entity_type) matches "*file*" +| count by id, action_type +| count as frequency by action_type +| sort by frequency, action_type +``` + +## Set up collection + +Follow the instructions provided to set up [Cloud-to-Cloud Integration for Crowdstrike Falcon FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Crowdstrike Falcon FileVantage app is properly integrated and configured to collect and analyze your Crowdstrike Falcon FileVantage data. 
+ +## Installing the Crowdstrike Falcon FileVantage app + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing Crowdstrike Falcon FileVantage dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Crowdstrike Falcon FileVantage - Overview** dashboard provides a comprehensive overview of file and directory activity, helping security analysts monitor file integrity and identify potential risks. It provides a total count of the file changes, categorizing them by severity—**Critical**, **High**, **Medium**, and **Low**—to prioritize investigations. Suppressed changes, which are ignored due to predefined policies, are also highlighted. + +Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. + +The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
Crowdstrike Falcon FileVantage Overview + + +### Security + +The **CrowdStrike Falcon FileVantage - Security** dashboard is tailored for security analysts to monitor high-risk file actions and potential policy violations. It categorizes file activities based on severity (**CRITICAL**, **HIGH**, **LOW**, **MEDIUM**) and action types, such as file creation, deletion, renaming, and attribute changes. This categorization helps analysts prioritize their responses to significant security events. + +The dashboard tracks high-risk actions over time, enabling security teams to identify patterns or spikes in suspicious activity. There is also a dedicated section for policy violations, which lists instances where file changes conflict with cnfigured security policies. This section includes details such as affected files, associated rules, and timestamps. + +Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. + +While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
Crowdstrike Falcon FileVantage Security + +## Create monitors for Crowdstrike Falcon FileVantage app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Crowdstrike Falcon FileVantage monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Crowdstrike Falcon FileVantage - Changes from Embargoed Geo Locations` | This alert identifies file activity originating from locations considered restricted or embargoed by the organization. It helps detect potentially unauthorized access or data exfiltration attempts from high-risk geographic areas. | Critical | Count > 0 | +| `Crowdstrike Falcon FileVantage - Suppressed Changes` | This alert captures file changes that have been intentionally excluded or suppressed due to pre-defined policies or filters. It provides visibility into the suppressed events for auditing or validation purposes. | Critical | Count > 0| +| `Crowdstrike Falcon FileVantage - Critical Changes` | This alert tracks high-severity file modifications, deletions, or access attempts flagged as critical by CrowdStrike Falcon FileVantage. These changes could indicate potential security incidents, such as unauthorized access or malicious activity. | Critical | Count > 0| + +## Upgrade/Downgrade the Crowdstrike Falcon FileVantage app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Crowdstrike Falcon FileVantage app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index 99031e8479..56de80f7b5 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -99,6 +99,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Analyze logs, events, and trends from your websites and apps on the Cloudflare network.

+
+
+ icon

CrowdStrike Falcon FileVantage

+

Monitor and analyze file integrity.

+
+
icon

CrowdStrike FDR Host Inventory

diff --git a/sidebars.ts b/sidebars.ts index 217745ea65..debd447602 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2456,6 +2456,7 @@ integrations: [ 'integrations/saas-cloud/cisco-umbrella', 'integrations/saas-cloud/citrix-cloud', 'integrations/saas-cloud/cloudflare', + 'integrations/saas-cloud/crowdstrike-falcon-filevantage', 'integrations/saas-cloud/crowdstrike-fdr-host-inventory', 'integrations/saas-cloud/crowdstrike-spotlight', 'integrations/saas-cloud/datadog', From e81b7ea8874f00dd668dc92b3d905d0196e895fe Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 6 Dec 2024 19:04:53 +0530 Subject: [PATCH 02/11] Corrected spelling errors --- blog-service/2024-12-11-apps.md | 4 +-- .../product-list/product-list-a-l.md | 2 +- .../crowdstrike-falcon-filevantage.md | 34 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/blog-service/2024-12-11-apps.md b/blog-service/2024-12-11-apps.md index 2058827e08..466ff62a21 100644 --- a/blog-service/2024-12-11-apps.md +++ b/blog-service/2024-12-11-apps.md @@ -1,5 +1,5 @@ --- -title: Crowdstrike Falcon FileVantage (Apps) +title: CrowdStrike Falcon FileVantage (Apps) image: https://help.sumologic.com/img/sumo-square.png keywords: - crowdstrike-falcon-filevantage 
@@ -11,4 +11,4 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -We're excited to introduce the new Crowdstrike Falcon FileVantage app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Crowdstrike FileVantage source that collects FileVantage logs from CrowdStrike. It enables the detection of unauthorized or high-risk file changes, policy violations, and suspicious activities that may indicate potential threats or compliance breaches. [Learn more](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/). +We're excited to introduce the new CrowdStrike Falcon FileVantage app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud CrowdStrike FileVantage source that collects FileVantage logs from CrowdStrike. It enables the detection of unauthorized or high-risk file changes, policy violations, and suspicious activities that may indicate potential threats or compliance breaches. [Learn more](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/). diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index cee515bb7e..10e625dd91 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -168,7 +168,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Couchbase](https://www.couchbase.com/) | Apps:
- [Couchbase](/docs/integrations/databases/couchbase/)
- [Couchbase - OpenTelemetry](/docs/integrations/databases/opentelemetry/couchbase-opentelemetry/) | | Thumbnail icon | [Cribl](https://cribl.io/) | Automation integration: [Cribl](/docs/platform-services/automation-service/app-central/integrations/cribl/)
Partner integration: [Cribl](https://docs.cribl.io/stream/destinations-sumo-logic/) | | Thumbnail icon | [Criminal IP](https://www.criminalip.io/) | Automation integration: [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip) | -| Thumbnail icon | [CrowdStrike](https://www.crowdstrike.com/) | Apps:
- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/)
- [Crowdstrike Falcon FileVantage](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/)
- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)
- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight)
Automation integrations:
- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/)
- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/)
- [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/)
- [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/)
Cloud SIEM integrations:
- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md)
- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md)
Collectors:
- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/)
- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)
- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/)
- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)
- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/) | +| Thumbnail icon | [CrowdStrike](https://www.crowdstrike.com/) | Apps:
- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/)
- [CrowdStrike Falcon FileVantage](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/)
- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)
- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight)
Automation integrations:
- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/)
- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/)
- [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/)
- [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/)
Cloud SIEM integrations:
- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md)
- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md)
Collectors:
- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/)
- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)
- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/)
- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)
- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/) | | Thumbnail icon | [Cuckoo](https://cuckoo.readthedocs.io/en/latest/#) | Automation integration: [Cuckoo](/docs/platform-services/automation-service/app-central/integrations/cuckoo/) | | Thumbnail icon | [CyberArk](https://www.cyberark.com/) | Automation integrations:
- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/)
- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam)
Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md)
Collector: [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/) | | cyberint | [CyberInt](https://cyberint.com/) | Automation integration: [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) | diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 05257eefc1..ad4501741f 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md @@ -1,7 +1,7 @@ --- id: crowdstrike-falcon-filevantage -title: Crowdstrike Falcon FileVantage -sidebar_label: Crowdstrike Falcon FileVantage +title: CrowdStrike Falcon FileVantage +sidebar_label: CrowdStrike Falcon FileVantage description: Analyze CrowdStrike Falcon FileVantage data to identify unauthorized file changes, policy violations, and unusual activity indicating potential threats or compliance breaches. --- 
@@ -24,10 +24,10 @@ Use cases for the CrowdStrike Falcon FileVantage app include: - **Threat investigation**. Investigate suspicious file modifications to uncover potential breaches or insider threats. - **Host Activity Analysis**. Analyze file changes at the host level to identify risky behaviors or compromised endpoints. -The Sumo Logic app for Crowdstrike Falcon FileVantage is an essential tool for security teams. It provides the visibility and intelligence needed to detect and respond to file-related threats, ensuring data integrity and compliance across the organization. +The Sumo Logic app for CrowdStrike Falcon FileVantage is an essential tool for security teams. It provides the visibility and intelligence needed to detect and respond to file-related threats, ensuring data integrity and compliance across the organization. :::info -This app includes [built-in monitors](#crowdstrike-fdr-host-inventory-alerts). For details on creating custom monitors, refer to [Create monitors for CrowdStrike FDR Host Inventory app](#create-monitors-for-crowdstrike-fdr-host-inventory-app). +This app includes [built-in monitors](#crowdstrike-falcon-filevantage-monitors). For details on creating custom monitors, refer to [Create monitors for CrowdStrike Falcon FileVantage app](#create-monitors-for-crowdstrike-falcon-filevantage-app). ::: ## Log types 
@@ -115,15 +115,15 @@ _sourceCategory="Labs/CrowdStrikeFalconFileVantage" entity_type file ## Set up collection -Follow the instructions provided to set up [Cloud-to-Cloud Integration for Crowdstrike Falcon FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Crowdstrike Falcon FileVantage app is properly integrated and configured to collect and analyze your Crowdstrike Falcon FileVantage data. +Follow the instructions provided to set up [Cloud-to-Cloud Integration for CrowdStrike Falcon FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your CrowdStrike Falcon FileVantage app is properly integrated and configured to collect and analyze your CrowdStrike Falcon FileVantage data. -## Installing the Crowdstrike Falcon FileVantage app +## Installing the CrowdStrike Falcon FileVantage app import AppInstall2 from '../../reuse/apps/app-install-v2.md'; -## Viewing Crowdstrike Falcon FileVantage dashboards +## Viewing CrowdStrike Falcon FileVantage dashboards import ViewDashboards from '../../reuse/apps/view-dashboards.md'; 
@@ -131,11 +131,11 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Overview -The **Crowdstrike Falcon FileVantage - Overview** dashboard provides a comprehensive overview of file and directory activity, helping security analysts monitor file integrity and identify potential risks. It provides a total count of the file changes, categorizing them by severity—**Critical**, **High**, **Medium**, and **Low**—to prioritize investigations. Suppressed changes, which are ignored due to predefined policies, are also highlighted. +The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehensive overview of file and directory activity, helping security analysts monitor file integrity and identify potential risks. It provides a total count of the file changes, categorizing them by severity—**Critical**, **High**, **Medium**, and **Low**—to prioritize investigations. Suppressed changes, which are ignored due to predefined policies, are also highlighted. Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. -The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
Crowdstrike Falcon FileVantage Overview +The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview ### Security @@ -146,29 +146,29 @@ The dashboard tracks high-risk actions over time, enabling security teams to ide Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. -While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
Crowdstrike Falcon FileVantage Security +While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security -## Create monitors for Crowdstrike Falcon FileVantage app +## Create monitors for CrowdStrike Falcon FileVantage app import CreateMonitors from '../../reuse/apps/create-monitors.md'; -### Crowdstrike Falcon FileVantage monitors +### CrowdStrike Falcon FileVantage monitors | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |:--|:--|:--|:--| -| `Crowdstrike Falcon FileVantage - Changes from Embargoed Geo Locations` | This alert identifies file activity originating from locations considered restricted or embargoed by the organization. It helps detect potentially unauthorized access or data exfiltration attempts from high-risk geographic areas. | Critical | Count > 0 | -| `Crowdstrike Falcon FileVantage - Suppressed Changes` | This alert captures file changes that have been intentionally excluded or suppressed due to pre-defined policies or filters. It provides visibility into the suppressed events for auditing or validation purposes. | Critical | Count > 0| -| `Crowdstrike Falcon FileVantage - Critical Changes` | This alert tracks high-severity file modifications, deletions, or access attempts flagged as critical by CrowdStrike Falcon FileVantage. These changes could indicate potential security incidents, such as unauthorized access or malicious activity. | Critical | Count > 0| +| `CrowdStrike Falcon FileVantage - Changes from Embargoed Geo Locations` | This alert identifies file activity originating from locations considered restricted or embargoed by the organization. It helps detect potentially unauthorized access or data exfiltration attempts from high-risk geographic areas. | Critical | Count > 0 | +| `CrowdStrike Falcon FileVantage - Suppressed Changes` | This alert captures file changes that have been intentionally excluded or suppressed due to pre-defined policies or filters. It provides visibility into the suppressed events for auditing or validation purposes. 
| Critical | Count > 0| +| `CrowdStrike Falcon FileVantage - Critical Changes` | This alert tracks high-severity file modifications, deletions, or access attempts flagged as critical by CrowdStrike Falcon FileVantage. These changes could indicate potential security incidents, such as unauthorized access or malicious activity. | Critical | Count > 0| -## Upgrade/Downgrade the Crowdstrike Falcon FileVantage app (Optional) +## Upgrade/Downgrade the CrowdStrike Falcon FileVantage app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; -## Uninstalling the Crowdstrike Falcon FileVantage app (Optional) +## Uninstalling the CrowdStrike Falcon FileVantage app (Optional) import AppUninstall from '../../reuse/apps/app-uninstall.md'; From de0e342b7550f14196ed903e78692d58cd722eb7 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Fri, 6 Dec 2024 09:03:24 -0600 Subject: [PATCH 03/11] Fix spelling error --- docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index ad4501741f..9ea7296071 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md 
@@ -142,7 +142,7 @@ The dashboard also shows the monitoring rules that triggered the most changes, a The **CrowdStrike Falcon FileVantage - Security** dashboard is tailored for security analysts to monitor high-risk file actions and potential policy violations. It categorizes file activities based on severity (**CRITICAL**, **HIGH**, **LOW**, **MEDIUM**) and action types, such as file creation, deletion, renaming, and attribute changes. This categorization helps analysts prioritize their responses to significant security events. -The dashboard tracks high-risk actions over time, enabling security teams to identify patterns or spikes in suspicious activity. There is also a dedicated section for policy violations, which lists instances where file changes conflict with cnfigured security policies. This section includes details such as affected files, associated rules, and timestamps. +The dashboard tracks high-risk actions over time, enabling security teams to identify patterns or spikes in suspicious activity. There is also a dedicated section for policy violations, which lists instances where file changes conflict with configured security policies. This section includes details such as affected files, associated rules, and timestamps. Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. From 5676d73c2b7ddebc330be039575c1b490b2fc8ed Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 9 Dec 2024 09:17:01 +0530 Subject: [PATCH 04/11] Update docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 9ea7296071..fd39ba8b1a 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md @@ -32,7 +32,7 @@ This app includes [built-in monitors](#crowdstrike-falcon-filevantage-monitors). ## Log types -This App uses Sumo Logic’s [CrowdStrike FileVantage Source](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to collect the FileVantage logs from CrowdStrike. +This App uses Sumo Logic’s [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to collect the FileVantage logs from CrowdStrike. ### Sample log message From 9091f1999ddbdd2c89d39eeae83496973beb7f2a Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 9 Dec 2024 09:17:36 +0530 Subject: [PATCH 05/11] Update docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index fd39ba8b1a..6500638e08 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md 
@@ -135,7 +135,7 @@ The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehen Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. -The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview +The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview ### Security From 624c837f42400c988410a703f92016aa831ec034 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 9 Dec 2024 09:17:54 +0530 Subject: [PATCH 06/11] Update docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 6500638e08..13a535e618 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md @@ -146,7 +146,7 @@ The dashboard tracks high-risk actions over time, enabling security teams to ide Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. -While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security +While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security ## Create monitors for CrowdStrike Falcon FileVantage app From dd791e1e92834edc8e7878ddc9f1e45854e3ffad Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Mon, 9 Dec 2024 14:16:10 +0530 Subject: [PATCH 07/11] Update crowdstrike-falcon-filevantage.md --- .../saas-cloud/crowdstrike-falcon-filevantage.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 13a535e618..56558c49fa 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md 
@@ -24,15 +24,15 @@ Use cases for the CrowdStrike Falcon FileVantage app include: - **Threat investigation**. Investigate suspicious file modifications to uncover potential breaches or insider threats. - **Host Activity Analysis**. Analyze file changes at the host level to identify risky behaviors or compromised endpoints. -The Sumo Logic app for CrowdStrike Falcon FileVantage is an essential tool for security teams. It provides the visibility and intelligence needed to detect and respond to file-related threats, ensuring data integrity and compliance across the organization. +The Sumo Logic app for CrowdStrike Falcon FileVantage is an essential tool for security teams. It provides the visibility and intelligence needed to detect and respond to file-related threats, ensuring data integrity, and compliance across the organization. :::info -This app includes [built-in monitors](#crowdstrike-falcon-filevantage-monitors). For details on creating custom monitors, refer to [Create monitors for CrowdStrike Falcon FileVantage app](#create-monitors-for-crowdstrike-falcon-filevantage-app). +This app includes [built-in monitors](#crowdstrike-falcon-filevantage-monitors). For details on creating custom monitors, refer to the [Create monitors for CrowdStrike Falcon FileVantage app](#create-monitors-for-crowdstrike-falcon-filevantage-app). ::: ## Log types -This App uses Sumo Logic’s [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to collect the FileVantage logs from CrowdStrike. +This app uses Sumo Logic’s [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/) to collect the FileVantage logs from CrowdStrike platform. ### Sample log message 
@@ -131,16 +131,15 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Overview -The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehensive overview of file and directory activity, helping security analysts monitor file integrity and identify potential risks. It provides a total count of the file changes, categorizing them by severity—**Critical**, **High**, **Medium**, and **Low**—to prioritize investigations. Suppressed changes, which are ignored due to predefined policies, are also highlighted. +The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehensive overview of file and directory activity, helping security analysts monitor file integrity, and identify potential risks. It provides a total count of the file changes, categorizing them by severity: **Critical**, **High**, **Medium**, and **Low**, to prioritize investigations. Suppressed changes, which are ignored due to predefined policies are also highlighted. -Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. +Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, and/or **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview - ### Security -The **CrowdStrike Falcon FileVantage - Security** dashboard is tailored for security analysts to monitor high-risk file actions and potential policy violations. It categorizes file activities based on severity (**CRITICAL**, **HIGH**, **LOW**, **MEDIUM**) and action types, such as file creation, deletion, renaming, and attribute changes. This categorization helps analysts prioritize their responses to significant security events. +The **CrowdStrike Falcon FileVantage - Security** dashboard is tailored for security analysts to monitor high-risk file actions and potential policy violations. It categorizes file activities based on severity (**CRITICAL**, **HIGH**, **LOW**, and **MEDIUM**) and action types, such as file creation, deletion, renaming, and attribute changes. This categorization helps analysts prioritize their responses to significant security events. The dashboard tracks high-risk actions over time, enabling security teams to identify patterns or spikes in suspicious activity. There is also a dedicated section for policy violations, which lists instances where file changes conflict with configured security policies. This section includes details such as affected files, associated rules, and timestamps. From 087b3f1d70cbc5f06de52a6123562940610bc9e0 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Mon, 9 Dec 2024 14:18:41 +0530 Subject: [PATCH 08/11] Update 2024-12-11-apps.md --- blog-service/2024-12-11-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-service/2024-12-11-apps.md b/blog-service/2024-12-11-apps.md index 466ff62a21..abaad49c38 100644 --- a/blog-service/2024-12-11-apps.md +++ b/blog-service/2024-12-11-apps.md 
@@ -11,4 +11,4 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -We're excited to introduce the new CrowdStrike Falcon FileVantage app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud CrowdStrike FileVantage source that collects FileVantage logs from CrowdStrike. It enables the detection of unauthorized or high-risk file changes, policy violations, and suspicious activities that may indicate potential threats or compliance breaches. [Learn more](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/). +We're excited to introduce the new CrowdStrike Falcon FileVantage app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud CrowdStrike FileVantage source that collects FileVantage logs from the CrowdStrike platform. This app helps you detect unauthorized or high-risk file changes, policy violations, and suspicious activities that may indicate potential threats or compliance breaches. [Learn more](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/). From 9159e1df77045a8d900305b62ca300969c6c9fe4 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 9 Dec 2024 14:43:12 +0530 Subject: [PATCH 09/11] Updated the dashboard images --- .../integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 56558c49fa..6c5ae5c4a4 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md 
@@ -135,7 +135,7 @@ The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehen Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, and/or **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. -The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview +The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview ### Security @@ -145,7 +145,7 @@ The dashboard tracks high-risk actions over time, enabling security teams to ide Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. -While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security +While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security ## Create monitors for CrowdStrike Falcon FileVantage app From 4a8548f721c01b9de718b3df1e3768aeb54c0351 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 9 Dec 2024 15:48:24 +0530 Subject: [PATCH 10/11] Updated the images --- .../integrations/saas-cloud/crowdstrike-falcon-filevantage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md index 6c5ae5c4a4..b36f852326 100644 --- a/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md +++ b/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage.md @@ -135,7 +135,7 @@ The **CrowdStrike Falcon FileVantage - Overview** dashboard provides a comprehen Key metrics include file change types (**WRITE**, **RENAME**, **READ** **PERMISSION**, **OTHERS**, and/or **DELETE**), displayed in an easy-to-read pie chart for quick analysis. The dashboard tracks changes by operating system, identifies top hosts and users making changes, and highlights threats or anomalies. -The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview +The dashboard also shows the monitoring rules that triggered the most changes, assisting in policy refinement. A detailed table of recent file activities, including timestamps, hostnames, file paths, severities, and associated policies, is provided. Overall, the dashboard strengthens the detection and response to unauthorized or suspicious file activities.
CrowdStrike Falcon FileVantage Overview ### Security @@ -145,7 +145,7 @@ The dashboard tracks high-risk actions over time, enabling security teams to ide Additionally, security analysts can review file deletions with specific details, including file paths, user names, and originating countries. The severity trends are visually represented, providing a clear overview of security incidents over time and helping teams identify escalation points. -While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security +While the dashboard provides placeholders for tracking malicious file changes and directory changes, data in these sections requires specific configuration based on the environment. Finally, the **Host-Based Change Monitoring** table offers detailed insights into the hosts and host groups involved in file changes, assisting in pinpointing areas that need further investigation. Overall, this dashboard is a vital tool for ensuring file integrity and effectively mitigating risks.
CrowdStrike Falcon FileVantage Security ## Create monitors for CrowdStrike Falcon FileVantage app From 4ddc28c9ff9fd0b9840ac0f655ea75c3968436bd Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 9 Dec 2024 14:06:57 -0600 Subject: [PATCH 11/11] Change release note date to Dec 9 2024 --- blog-service/{2024-12-11-apps.md => 2024-12-09-apps.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-service/{2024-12-11-apps.md => 2024-12-09-apps.md} (100%) diff --git a/blog-service/2024-12-11-apps.md b/blog-service/2024-12-09-apps.md similarity index 100% rename from blog-service/2024-12-11-apps.md rename to blog-service/2024-12-09-apps.md
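Review bot: In the `@@ -131,11 +131,11 @@` hunk the change-type list reads `**READ** **PERMISSION**`, two separately bolded words with no separator, so a reader cannot tell whether a comma is missing between READ and PERMISSION or whether this is one change type that should be `**READ PERMISSION**`; the later `@@ -131,16 +131,15 @@` rewrite carries it forward unchanged. Please confirm which is meant and fix it, since the list is what the dashboard's pie chart legend is documented against.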
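Review bot: In the monitors table of the `@@ -146,29 +146,29 @@` hunk, `Suppressed Changes` gets trigger type Critical with alert condition `Count > 0`, yet its own description says these are changes "intentionally excluded or suppressed due to pre-defined policies" kept "for auditing or validation purposes"; a Critical alert on intentionally ignored events will fire continuously in any tenant that uses suppression rules. Consider Warning, or state why Critical is appropriate. The `Changes from Embargoed Geo Locations` row says the locations are those "considered restricted or embargoed by the organization" but nothing on the page says where that list is configured; one sentence pointing to that setting would help. Minor: the last column mixes `Count > 0 |` and `Count > 0|`.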
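Review bot: Two rewordings in the `@@ -24,15 +24,15 @@` hunk introduce errors: "ensuring data integrity, and compliance across the organization" adds a comma before "and" in a two-item list, and "to collect the FileVantage logs from CrowdStrike platform" drops the article (the release-note hunk `@@ -11,4 +11,4 @@` uses "from the CrowdStrike platform", which is the form to keep). Suggest "ensuring data integrity and compliance across the organization" and "from the CrowdStrike platform".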
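Review bot: In the `@@ -131,16 +131,15 @@` hunk, "Suppressed changes, which are ignored due to predefined policies are also highlighted." loses the comma that closes the non-restrictive clause; it should read "Suppressed changes, which are ignored due to predefined policies, are also highlighted." Replacing the em-dashes with "by severity: **Critical**, **High**, **Medium**, and **Low**, to prioritize investigations" leaves a stray comma before "to prioritize"; either keep a parenthetical form or drop that comma. "and/or **DELETE**" is odd for a list of categories in a pie chart; plain "and" reads better. The hunk also deletes the blank line between the Overview image and `### Security`; keep the blank line so the heading is not attached to the preceding image block in MDX.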