Replies: 2 comments 5 replies
-
|
Hi! That's great👍LogScale was on my (quite long) todo list, I'm happy that it's done now 😉 My suggestion would be to merge the pipeline with the already existing CrowdStrike processing pipeline project. The pipeline you've created is much more complete than the existing one. As you already suggested to host it in SigmaHQ, I propose to Fork your project into the organization. I can then also setup the PyPI release actions in it. What do you think about renaming it then into pySigma-backend-crowdstrike? I think this name is not only shorter but also more appropriate, e.g. because the CrowdStrike data model is not specific to LogScale. Customers can also "buy" the logs via Falcon Data Replicator and ingest it into arbitrary platforms like Splunk and others. I also have the idea to implement a backend for creation of custom IOA rules from specific rule types like process creations, which would be also independent from LogScale. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @thomaspatzke, All good suggestions! Hopefully this is what you had in mind: https://github.com/moullos/pySigma-backend-crowdstrike It probably makes sense to replicate some of the functionality of the "falcon" pipeline to the "FDR" pipeline but I am not sure when I will get around to it. Let me know if this makes sense and I can open a pull request. |
Beta Was this translation helpful? Give feedback.
-
|
When I find some time I will then create the fork in SigmaHQ, give you admin permissions to it and prepare all the release stuff. Don't hurry with the pipelines, perhaps I can also support here. |
Beta Was this translation helpful? Give feedback.
-
|
Forked! |
Beta Was this translation helpful? Give feedback.
-
|
Just seen, it's a fork from the CrowdStrike pipeline projects 😉I think then it's better to merge your additions back to the original project, rename it and giving you the permissions on this. Then the whole CI setup is already in place and users from the pipeline project get redirected to the new one. I will take care of this! |
Beta Was this translation helpful? Give feedback.
-
|
Ok, here's the repo with the merged changes. I've sent you an invite for repo access. Next steps would be consolidating the two pipelines, as there's lots of overlap between them. This will likely result in moving content that is valid for FDR into the FDR pipeline and everything that is specific to the Falcon platform into this pipeline. This would ensure consistency between both and enable FDR users to utilize your great work. Because the changes are really big, this would get the 2.0 release under the new project name. |
Beta Was this translation helpful? Give feedback.
-
|
Great! I will start working on porting the new Falcon features to the FDR pipeline under a new branch. |
Beta Was this translation helpful? Give feedback.
-
Hi everyone,
As CrowdStrike is gradually moving away from Splunk and now uses LogScale, I have created a pySigma backend and pipeline for LogScale and the CrowdStrike Falcon agent. This converts rules into the LogScale Query Language for telemetry collected through the CrowdStrike Falcon agent:
https://github.com/moullos/pySigma-backend-crowdstrikelogscale
I haven't published to PyPI yet and ideally I would like this to be part of the SigmaHQ repo.
Any feedback is welcome!
Beta Was this translation helpful? Give feedback.
All reactions