
Crowdstrike User Deleted

Severity
high
Log types
Crowdstrike.EventStreams
Source
github.com/panther-labs/panther-analysis

Someone has deleted multiple users.

MITRE ATT&CK coverage

Tactic: Stealth
Techniques: T1070 Indicator Removal

Rule body (yaml)

AnalysisType: rule
Filename: crowdstrike_user_deleted.py
RuleID: "Crowdstrike.UserDeleted"
DisplayName: "Crowdstrike User Deleted"
Enabled: true
LogTypes:
  - Crowdstrike.EventStreams
Severity: High
Reports:
  MITRE ATT&CK:
    - TA0005:T1070 # Indicator Removal
Description: Someone has deleted multiple users.
DedupPeriodMinutes: 60
Threshold: 3
Runbook: Validate this action was authorized.
Tests:
  - Name: Successful User Deletion
    ExpectedResult: true
    Log:
      {
        "metadata": {
          "customerIDString": "fake_customer_id",
          "offset": 341329,
          "eventType": "AuthActivityAuditEvent",
          "eventCreationTime": "2024-07-22 15:50:16.923000000",
          "version": "1.0"
        },
        "event": {
          "UserId": "sharkey@hobbiton.co",
          "UserIp": "192.0.2.100",
          "OperationName": "deleteUser",
          "ServiceName": "CrowdStrike Authentication",
          "Success": true,
          "UTCTimestamp": "2024-07-22 15:50:16.923000000",
          "AuditKeyValues": [
            {
              "Key": "target_name",
              "ValueString": "frodo.baggins@hobbiton.co"
            }
          ]
        }
      }
  - Name: Unsuccessful User Deletion Attempt
    ExpectedResult: false
    Log:
      {
        "metadata": {
          "customerIDString": "fake_customer_id",
          "offset": 341329,
          "eventType": "AuthActivityAuditEvent",
          "eventCreationTime": "2024-07-22 15:50:16.923000000",
          "version": "1.0"
        },
        "event": {
          "UserId": "sharkey@hobbiton.co",
          "UserIp": "192.0.2.100",
          "OperationName": "deleteUser",
          "ServiceName": "CrowdStrike Authentication",
          "Success": false,
          "UTCTimestamp": "2024-07-22 15:50:16.923000000",
          "AuditKeyValues": [
            {
              "Key": "target_name",
              "ValueString": "frodo.baggins@hobbiton.co"
            }
          ]
        }
      }
  - Name: Unrelated Event
    ExpectedResult: false
    Log:
      {
        "event": {
          "AuditKeyValues": [
            {
              "Key": "target_uuid",
              "ValueString": "e70e5306-4a83-4a9f-9b59-a78c304c438b"
            },
            {
              "Key": "target_cid",
              "ValueString": "fake_customer_id"
            },
            {
              "Key": "actor_cid",
              "ValueString": "fake_customer_id"
            },
            {
              "Key": "trace_id",
              "ValueString": "652fc606f369ef3105925197b34f2c54"
            },
            {
              "Key": "target_name",
              "ValueString": "peregrin.took@hobbiton.co"
            },
            {
              "Key": "action_target_name",
              "ValueString": "peregrin.took@hobbiton.co"
            }
          ],
          "OperationName": "userAuthenticate",
          "ServiceName": "CrowdStrike Authentication",
          "Success": true,
          "UTCTimestamp": "2024-07-22 15:50:16.923000000",
          "UserId": "peregrin.took@hobbiton.co",
          "UserIp": "1.1.1.1"
        },
        "metadata": {
          "customerIDString": "fake_customer_id",
          "eventCreationTime": "2024-07-22 15:50:16.923000000",
          "eventType": "AuthActivityAuditEvent",
          "offset": 341329,
          "version": "1.0"
        }
      }

Detection logic

Condition

event.OperationName eq "deleteUser"
event.Success is_not_null
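The catalog page lists the condition and the Threshold/DedupPeriodMinutes values but does not reproduce crowdstrike_user_deleted.py itself. The block below is an added example, not the project's file: a Panther-style rule(), title() and dedup() for the deleteUser audit event, plus a small offline simulation of how Threshold: 3 within DedupPeriodMinutes: 60 turns single matches into one alert. Events are plain dicts (Panther passes a PantherEvent; its .get() behaves the same for the lookups used here, and the real file may use deep_get instead). One deliberate choice is labelled in the code: the condition above only says Success is_not_null, but the rule's own tests expect Success: false not to fire, so the example requires Success to be exactly true. The sample event stream is constructed from the page's three test logs plus extra deletions.

```python
"""Added example, not the rule's crowdstrike_user_deleted.py (the catalog page
does not reproduce that file): a Panther-style rule()/title()/dedup() for the
CrowdStrike deleteUser audit event, plus an offline simulation of how
Threshold: 3 within DedupPeriodMinutes: 60 turns single matches into one alert.
Events are plain dicts here; Panther passes a PantherEvent whose .get() behaves
the same for these lookups (assumption: the real file may use deep_get)."""
from datetime import datetime, timedelta

THRESHOLD = 3                          # Threshold: 3 from the rule body
DEDUP_PERIOD = timedelta(minutes=60)   # DedupPeriodMinutes: 60
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def _event(log):
    return log.get("event") or {}


def rule(log):
    """One successful deleteUser audit event matches.

    The catalog condition only says Success is_not_null, but the rule's own
    tests expect Success: false not to fire, so this example requires
    Success to be exactly True (an assumption drawn from those tests)."""
    ev = _event(log)
    return ev.get("OperationName") == "deleteUser" and ev.get("Success") is True


def target_name(log):
    """Deleted account, read from the target_name entry of AuditKeyValues."""
    for kv in _event(log).get("AuditKeyValues") or []:
        if kv.get("Key") == "target_name":
            return kv.get("ValueString", "<unknown>")
    return "<unknown>"


def title(log):
    ev = _event(log)
    return (f"CrowdStrike user [{target_name(log)}] deleted by "
            f"[{ev.get('UserId', '<unknown>')}] from [{ev.get('UserIp', '<unknown>')}]")


def dedup(log):
    """Group by the acting user, so the threshold counts one actor's deletions."""
    return _event(log).get("UserId", "<unknown>")


def _ts(log):
    raw = _event(log).get("UTCTimestamp", "")
    try:
        # CrowdStrike writes 9 fractional digits; %f accepts at most 6, so trim.
        return datetime.strptime(raw[:26], TS_FORMAT)
    except ValueError:
        return datetime.min


def alerts_for(logs):
    """Simplified model of Panther's threshold/dedup: a fixed 60-minute window
    per dedup key starting at its first match; an alert is emitted when the
    count within that window reaches THRESHOLD."""
    windows = {}   # dedup key -> (window start, matches so far)
    alerts = []
    for log in sorted(logs, key=_ts):
        if not rule(log):
            continue
        key, t = dedup(log), _ts(log)
        start, count = windows.get(key, (None, 0))
        if start is None or t - start > DEDUP_PERIOD:
            start, count = t, 0
        count += 1
        windows[key] = (start, count)
        if count == THRESHOLD:
            alerts.append((key, title(log)))
    return alerts


def _mk(actor, target, success, ts, op="deleteUser"):
    """Constructed Crowdstrike.EventStreams audit event in the shape of the page's tests."""
    return {
        "metadata": {"customerIDString": "fake_customer_id", "eventType": "AuthActivityAuditEvent",
                     "eventCreationTime": ts, "version": "1.0"},
        "event": {"UserId": actor, "UserIp": "192.0.2.100", "OperationName": op,
                  "ServiceName": "CrowdStrike Authentication", "Success": success,
                  "UTCTimestamp": ts,
                  "AuditKeyValues": [{"Key": "target_name", "ValueString": target}]},
    }


# Constructed sample stream: the page's three test cases plus extra deletions.
SUCCESS_LOG = _mk("sharkey@hobbiton.co", "frodo.baggins@hobbiton.co", True, "2024-07-22 15:50:16.923000000")
FAILED_LOG = _mk("sharkey@hobbiton.co", "frodo.baggins@hobbiton.co", False, "2024-07-22 15:50:20.000000000")
UNRELATED_LOG = _mk("peregrin.took@hobbiton.co", "peregrin.took@hobbiton.co", True,
                    "2024-07-22 15:50:16.923000000", op="userAuthenticate")
SAMPLE_LOGS = [
    SUCCESS_LOG, FAILED_LOG, UNRELATED_LOG,
    _mk("sharkey@hobbiton.co", "samwise.gamgee@hobbiton.co", True, "2024-07-22 15:51:00.000000000"),
    _mk("sharkey@hobbiton.co", "meriadoc.brandybuck@hobbiton.co", True, "2024-07-22 15:52:30.500000000"),
    _mk("saruman@hobbiton.co", "gandalf@hobbiton.co", True, "2024-07-22 15:53:00.000000000"),   # single deletion: below threshold
    _mk("sharkey@hobbiton.co", "bilbo.baggins@hobbiton.co", True, "2024-07-22 18:10:00.000000000"),  # outside the 60-minute window
]

if __name__ == "__main__":
    for key, msg in alerts_for(SAMPLE_LOGS):
        print(key, "->", msg)
```

Running the block prints one alert for sharkey@hobbiton.co: the failed attempt is skipped, the third successful deletion inside the hour trips the threshold, the other actor's single deletion stays below it, and the deletion two hours later starts a fresh window. Keying the dedup on the acting UserId is what makes "multiple users deleted by someone" the unit that alerts, rather than one alert per target account.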

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.

Field                 Kind         Values
event.OperationName   eq           deleteUser
event.Success         is_not_null  (no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field   Source
UserId  event.UserId