How to Create Custom Rules with CrowdStrike
Introduction
This document and video will illustrate the power and flexibility of Custom IOA’s (Indicators of Attack). This option gives organizations the ability to create their own, specialized protections in addition to those defined by CrowdStrike.
Video
What are Custom IOA’s?
CrowdStrike uses the detailed event data collected by the Falcon agent to develop rules or indicators that identify and prevent fileless attacks that leverage bad behaviors. Over time, CrowdStrike tunes and expands those built in indicators to offer immediate protection against the latest attacks.
In addition to the included global IOAs, there is also an option to create custom rules in the Falcon Platform. This gives customers the ability to create behavioral detections based on what they know about their specific applications and environment.
How is a Custom IOA created?
Custom IOA rule groups can be found in the Configuration app.
We will first be prompted to create a rule group for a defined platform. Once the rule group is defined, we will have the option to add a new rule.
For each new rule, we will be prompted to specify the “rule type” including options like process creation, file creation, network connection and domain name. Depending on the rule type, the options for “action to take” will vary. In this example, we have defined a “process creation” rule with the action “block execution” at an “informational” severity level with the corresponding rule name and description.
Finally, we define the details of the rule using regex syntax. In this case, we want to define the parent image filename as cmd.exe and the image filename as calc.exe. This will prevent any execution of calc.exe from the command line.
After saving the rule, we then want to enable it and enter a comment for the audit log if needed.
How are custom detections reflected in the UI?
This event is an example of a detection based on a custom rule. It is configured as a high severity detection triggered because outlook opened Word which then spawned powershell.
Directly from the details pane, we can click on the custom rule responsible for this detection to see the details of the configuration.
Is it possible to search for detections triggered by a specific rule?
In the IOA rule group, we can see the detect rule for Outlook, as well as any other rules defined for that group. For each one, we can choose to “view detections” to see if a given rule has been triggered in our environment. In this example, we will investigate the domain name rule configured for prevention.
For this rule, there is one alert. The green shield confirms that the process was prevented as a result of the custom rule.
Closing
Custom Indicators of Attack are available to enable companies to create organization specific rules in addition to the protections provided by CrowdStrike. These additional detections and preventions can be defined based on specific tools and expected behaviors to further enhance the value of the Falcon platform for your organization.
