Detection rules › Panther
Crowdstrike IP Allowlist Changed
Updates were made to Falcon console's allowlist. This could indicate a bad actor permitting access from another machine, or could be attackers preventing legitimate actors from accessing the console.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1556.009 Modify Authentication Process: Conditional Access Policies |
| Credential Access | T1556.009 Modify Authentication Process: Conditional Access Policies |
Rule body yaml
AnalysisType: rule
Filename: crowdstrike_ip_allowlist_changed.py
RuleID: "Crowdstrike.IpAllowlistChanged"
DisplayName: "Crowdstrike IP Allowlist Changed"
Enabled: true
LogTypes:
- Crowdstrike.EventStreams
Severity: Info
CreateAlert: false
Reports:
MITRE ATT&CK:
- TA0003:T1556.009 # Persistsnce: Modify Authentication Process: Conditional Access Policies
- TA0005:T1556.009 # Defense Evasion: Modify Authentication Process: Conditional Access Policies
- TA0006:T1556.009 # Credential Access: Modify Authentication Process: Conditional Access Policies
Description: Updates were made to Falcon console's allowlist. This could indicate a bad actor permitting access from another machine, or could be attackers preventing legitimate actors from accessing the console.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Validate this action was authorized.
Tests:
- Name: A Single IP In Created Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1]"
},
{
"Key": "contexts",
"ValueString": "[API]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Multiple Single IPs In Created Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1 2.2.2.2 3.3.3.3/32]"
},
{
"Key": "contexts",
"ValueString": "[API UI OTHER]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Single IP Added to existing Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "old_group_name",
"ValueString": "my_allowlist"
},
{
"Key": "old_cidrs",
"ValueString": "[1.2.3.4/8]"
},
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "my_allowlist"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.2.3.4/8 32.32.32.32]"
},
{
"Key": "contexts",
"ValueString": "[API]"
},
{
"Key": "active",
"ValueString": "false"
},
{
"Key": "old_allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "old_description",
"ValueString": ""
},
{
"Key": "old_contexts",
"ValueString": "[API]"
},
{
"Key": "old_active",
"ValueString": "false"
}
],
"OperationName": "UpdateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 19:47:16.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-26 19:47:16.428000000",
"eventType": "AuthActivityAuditEvent",
"offset": 366148,
"version": "1.0"
}
}
- Name: CIDR Removed from existing Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "old_group_name",
"ValueString": "my_allowlist"
},
{
"Key": "old_cidrs",
"ValueString": "[1.2.3.4/8 8.8.8.8/12]"
},
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "my_allowlist"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.2.3.4/8]"
},
{
"Key": "contexts",
"ValueString": "[API]"
},
{
"Key": "active",
"ValueString": "false"
},
{
"Key": "old_allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "old_description",
"ValueString": ""
},
{
"Key": "old_contexts",
"ValueString": "[API]"
},
{
"Key": "old_active",
"ValueString": "false"
}
],
"OperationName": "UpdateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 19:47:16.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-26 19:47:16.428000000",
"eventType": "AuthActivityAuditEvent",
"offset": 366148,
"version": "1.0"
}
}
- Name: Only CIDR Ranges In Created Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1/12 2.2.2.2/8 3.3.3.3/4]"
},
{
"Key": "contexts",
"ValueString": "[API UI OTHER]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Unrelated Event
ExpectedResult: false
Log:
{
"metadata": {
"customerIDString": "fake_customer_id",
"offset": 341329,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": "2024-07-22 15:50:16.923000000",
"version": "1.0"
},
"event": {
"UserId": "sharkey@hobbiton.co",
"UserIp": "192.0.2.100",
"OperationName": "deleteUser",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": "2024-07-22 15:50:16.923000000",
"AuditKeyValues": [
{
"Key": "target_name",
"ValueString": "frodo.baggins@hobbiton.co"
}
]
}
}
Detection logic
Condition
event.OperationName in ["CreateAllowlistGroup", "UpdateAllowlistGroup"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.OperationName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
UserId | event.UserId |