CrowdStrike

Communication and Collaboration

CrowdStrike - Cybersecurity platform for endpoint protection and threat intelligence.

Detection Rules for CrowdStrike
These detection rules will focus on various aspects of Microsoft Teams such as chat activity, file sharing, meetings, and other collaboration features.

Provider: CrowdStrike

Detection Rule MITRE Tactic MITRE Technique Criticality
Malware Detected on Endpoint Defense Evasion T1036.004 - Masquerading Critical
Investigation Actions (APIs) Query CrowdStrike API for malware details
Use VirusTotal API to analyze file hash
Incident Creation Criteria Create incident if malware is confirmed and on multiple endpoints.
Privilege Escalation Attempt Privilege Escalation T1068 - Exploitation for Privilege Escalation High
Investigation Actions (APIs) Review logs for privilege escalation events
Use Threat Intelligence API for suspicious IP checks
Incident Creation Criteria Create incident if escalated privileges are used in high-risk actions.
Suspicious PowerShell Command Execution T1059.001 - PowerShell High
Investigation Actions (APIs) Check command details via CrowdStrike API
Use PowerShell logging for script analysis
Incident Creation Criteria Create incident if PowerShell is used to modify sensitive files or configurations.
Unusual Network Connection Command and Control T1071 - Application Layer Protocol Medium
Investigation Actions (APIs) Investigate IP addresses via Threat Intelligence API
Check connection patterns with CrowdStrike API
Incident Creation Criteria Create incident if connection patterns are repeated across endpoints.
Ransomware Encryption Activity Impact T1486 - Data Encrypted for Impact Web Protocols Critical
Investigation Actions (APIs) Monitor file encryption behavior via CrowdStrike API
Use VirusTotal to assess suspicious processes
Incident Creation Criteria Immediate incident if encryption is confirmed and targeting critical files.
Credential Dumping Credential Access T1003 - OS Credential Dumping High
Investigation Actions (APIs) Query CrowdStrike for credential access attempts
Verify with endpoint monitoring tools
Incident Creation Criteria Create incident if successful credential access is confirmed.
Remote Code Execution Lateral Movement T1210 - Exploitation of Remote Services Critical
Investigation Actions (APIs) Use CrowdStrike API to verify execution source
Check network logs for lateral movement attempts
Incident Creation Criteria Immediate incident if remote code execution targets multiple hosts.
Endpoint Persistence via Registry Keys Persistence T1547.001 - Registry Run Keys/Startup Folder Medium
Investigation Actions (APIs) Review registry changes using Endpoint Monitoring API
Monitor subsequent logon activities
Incident Creation Criteria Incident if persistence is tied to known malicious executables.
Suspicious File Modification Defense Evasion T1070.004 - Indicator Removal on Host Medium
Investigation Actions (APIs) Query file history and integrity checks
Use file scanning API (e.g., VirusTotal) to confirm safety
Incident Creation Criteria Create incident if file tampering is detected repeatedly on critical files.
Exfiltration of Sensitive Data Exfiltration T1048 - Exfiltration Over Alternative Protocol High
Investigation Actions (APIs) Monitor network traffic for data exfiltration patterns
Use DNS/IP reputation checks
Incident Creation Criteria Create incident if sensitive data exfiltration is confirmed.

APIs and Their Scopes

Detection / Hunting Rule Required API Scopes Required Description
MFA Failure GET /users/{userId}/login_history user:read:admin Retrieves user login history to identify MFA failures.
New Device Login GET /users/{userId}/login_history user:read:admin Accesses login history to check for new device logins.
Unusual Geolocation Access GET /users/{userId}/login_history user:read:admin Retrieves geolocation data for user logins.
Meeting Bombing Attempts GET /report/meetings meeting:read:admin Accesses meeting report data to analyze participant activity.
Suspicious Meeting Links GET /meetings/{meetingId} meeting:read:admin Retrieves meeting details, including chat logs and invites.
Data Leakage (Screen/File Sharing) GET /report/meetings meeting:read:admin Retrieves meeting reports to check for screen/file sharing activities.
High Number of Participants GET /report/meetings meeting:read:admin Accesses meeting participant lists to analyze spikes in attendance.
API Key Misuse GET /users/{userId}/api_keys user:read:admin Retrieves API key usage details for the user.
Admin Account Changes GET /users/{userId}/activity_logs user:read:admin Accesses admin activity logs for changes made by privileged accounts.
Configuration Drift GET /accounts/{accountId}/settings account:read:admin Retrieves current security settings for the account.
Recording Retrieval GET /meetings/{meetingId}/recordings recording:read:admin Accesses recordings for specific meetings.
Unusual Meeting Time Activity GET /report/meetings meeting:read:admin Retrieves meeting logs to identify unusual activity patterns.
Anomalous File Transfer GET /report/meetings meeting:read:admin Accesses meeting reports to check for file transfers.
External Participant Spike GET /report/meetings meeting:read:admin Retrieves meeting reports to analyze external participant logs.
Suspicious Admin API Calls GET /users/{userId}/activity_logs user:read:admin Accesses logs of admin API calls to track unusual activities.

Reports and Widgets for CISO

Report Name Widgets Description
Endpoint Threat Overview Threat Heatmap: Visualizes high-severity threats by location and endpoint Provides a detailed view of user login attempts, geolocation, and new devices accessing Zoom. Highlights potential brute-force attacks or unauthorized access attempts.
Top Threats: Lists the most frequent threats by severity and endpoint
Malware & Ransomware Activity Recent Malware Detections: Shows recent malware alerts with threat level Assists in monitoring malware and ransomware patterns, identifying trends, and assessing mitigation effectiveness.

Ransomware Attempt Count: Tracks ransomware attempt trends

Threat Detection Timeline: Timeline of ransomware and malware activity
Privilege Escalation Attempts Privilege Escalation Incidents: Lists recent privilege escalation attempts Helps assess potential insider threats and evaluate defenses against unauthorized access.

Successful Privilege Escalations: Shows successful attempts by endpoint

Escalation Source Heatmap: Visual distribution of attempted privilege escalations by endpoint
Lateral Movement & Network Activity Suspicious Network Connections: Visual representation of unusual IP connections Monitors for potential lateral movement and suspicious network activity, offering insights into network-based threats.

Lateral Movement Incidents: Lists lateral movement detections

Network Anomaly Trend: Tracks unusual network patterns over time
Credential Access Monitoring Credential Dump Attempts: Logs recent attempts for credential access Ensures visibility over credential dumping attempts and access to sensitive account information, protecting against unauthorized access.

Password Hashing Alerts: Detects use of password hash dumping tools

High-Risk Credential Usage: Lists usage of compromised credentials
Data Exfiltration Reports Data Transfer Anomalies: Monitors large, unusual data transfers Detects and analyzes potential data exfiltration patterns, helping prevent sensitive data leaks.

Suspicious Destination IPs: Lists destinations flagged as high risk

Data Exfiltration Timeline: Visual timeline of potential data exfiltration attempts
Persistence & Evasion Activity Persistence Mechanisms Detected: Lists persistence actions like registry alterations Monitors attempts to establish persistence and evade defenses, assisting in identifying stealthy or advanced persistent threats.

File Deletion and Modification Events: Tracks key file changes

Evasion Attempts Heatmap: Displays frequency of evasion attempts by endpoint
Incident Response Summary Total Incidents by Severity: Shows a breakdown of incidents by criticality Summarizes incident response metrics, enabling the CISO to assess response effectiveness and resource allocation for cybersecurity incidents.

Resolution Time Analysis: Average time taken to close incidents

Top Incident Categories: Lists top incident types by frequency