What Changed
Two new ASIM AlertEvent parsers are added for CrowdStrike Falcon:
- ASimAlertEventCrowdStrikeFalcon - the union/umbrella parser (source-agnostic entry point)
- vimAlertEventCrowdStrikeFalcon - the filtering parser supporting time-range, IP, hostname, username, tactic/technique, severity, and alert verdict parameters
Both normalise data from the CrowdStrikeDetections custom table (populated by the CrowdStrike Falcon CCF connector) into the ASIM AlertEvent schema v0.1.
The umbrella parsers ASimAlertEvent (v0.1.4 to v0.1.5) and imAlertEvent (v0.1.4 to v0.1.5) are updated to fan out to the new CrowdStrike sub-parsers via _ASim_AlertEvent_CrowdStrikeFalcon and _Im_AlertEvent_CrowdStrikeFalcon respectively.
A CI custom table definition (CrowdStrikeDetections.json) and sample ingested logs (CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv) are added to support KQL validation.
Parser Impact
Schema: ASIM AlertEvent
Source table: CrowdStrikeDetections (CCF-ingested custom table)
Field mappings of note:
| ASIM Field | Source Field / Logic |
|---|---|
| AlertId / EventOriginalUid | Id |
| AlertStatus | Status mapped: new/in_progress to Active, else Closed |
| DetectionMethod | Derived: User Defined Blocked List, Threat Intelligence, Antivirus, or EDR based on Objective + EventOriginalSubType + rule name patterns |
| EventSeverity | SeverityName normalised: High/Critical to High; Medium to Medium; Low to Low; else Informational |
| AttackTactics / AttackTechniques | Extracted from TacticId/Technique/TechniqueId fields; MITRE technique rendered as Technique Name (TID) |
| IndicatorType | Mapped from IocContext[0].ioc_type: ipv4/ipv6 to Ip, domain to Host, hash_sha256 to File |
| ThreatName | IocContext[0].ioc_value |
| Username | coalesce(UserPrincipal, UserName) - UPN preferred |
| DvcId / DvcIdType | Device.device_id / Other |
| DvcDomainType | FQDN when Device.hostinfo.domain is populated |
When pack=true, the following raw fields are packed into AdditionalFields: Device, GlobalPrevalence, GrandparentDetails, LocalPrevalence, ParentDetails, PatternDispositionDetails, Objective.
No prior ASIM normalisation existed for CrowdStrike Falcon AlertEvent data. Environments with the CrowdStrike Falcon CCF connector deployed had a blind spot in any source-agnostic detection or hunting query using imAlertEvent or ASimAlertEvent - this parser closes that gap.
Several IndicatorType mappings (User, Process, Registry, URL, Cloud Resource, Application, Email, Mailbox, Logon Session) are commented out pending future implementation; detections referencing those indicator categories will return empty IndicatorType for CrowdStrike sources until those mappings are added.
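The status, severity, indicator-type, username and device mappings from the table above, reproduced as an added KQL example over constructed rows so a reviewer can see the expected normalised output; this is not the parser's own code, and the column types and nested JSON shapes of CrowdStrikeDetections are assumed:

```kql
// Constructed rows shaped like CrowdStrikeDetections (column types are an assumption).
let SampleDetections = datatable(Id:string, Status:string, SeverityName:string,
                                 UserPrincipal:string, UserName:string,
                                 Device:dynamic, IocContext:dynamic)
[
  "ldt:a1:1", "new",         "Critical", "alice@contoso.example", "alice",
      dynamic({"device_id":"dev-0001","hostinfo":{"domain":"contoso.example"}}),
      dynamic([{"ioc_type":"hash_sha256","ioc_value":"<sha256-placeholder>"}]),
  "ldt:b2:2", "in_progress", "Medium",   "",                      "bob",
      dynamic({"device_id":"dev-0002","hostinfo":{}}),
      dynamic([{"ioc_type":"domain","ioc_value":"malicious.example"}]),
  "ldt:c3:3", "closed",      "Low",      "carol@contoso.example", "carol",
      dynamic({"device_id":"dev-0003"}),
      dynamic([{"ioc_type":"ipv4","ioc_value":"203.0.113.5"}])
];
SampleDetections
| extend IocType = tostring(IocContext[0].ioc_type)
| extend
    AlertId          = Id,
    EventOriginalUid = Id,
    // new / in_progress are open alerts; anything else is treated as closed
    AlertStatus      = iff(Status in ("new", "in_progress"), "Active", "Closed"),
    // Critical collapses into High; unknown severities fall back to Informational
    EventSeverity    = case(SeverityName in ("High", "Critical"), "High",
                            SeverityName == "Medium", "Medium",
                            SeverityName == "Low", "Low",
                            "Informational"),
    // only the first IOC is considered; unmapped ioc_type values yield empty
    IndicatorType    = case(IocType in ("ipv4", "ipv6"), "Ip",
                            IocType == "domain", "Host",
                            IocType == "hash_sha256", "File",
                            ""),
    ThreatName       = tostring(IocContext[0].ioc_value),
    // coalesce() skips empty strings, so the UPN wins when present
    Username         = coalesce(UserPrincipal, UserName),
    DvcId            = tostring(Device.device_id),
    DvcIdType        = "Other",
    DvcDomainType    = iff(isnotempty(tostring(Device.hostinfo.domain)), "FQDN", "")
| project AlertId, AlertStatus, EventSeverity, IndicatorType, ThreatName,
          Username, DvcId, DvcIdType, DvcDomainType
```

Expected rows: the first alert becomes Active/High/File with Username alice@contoso.example and DvcDomainType FQDN, the second Active/Medium/Host with Username bob, and the third Closed/Low/Ip with an empty DvcDomainType.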
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md
Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml
Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv