
Falcon_Detection_Event

ID: 100126

Description:

A CrowdStrike Falcon detection (a DetectionSummaryEvent from the Falcon event stream), treated as an endpoint security alert.

Multiple such events are aggregated into one or more Security Incidents (identified elsewhere).

Repository: Fluency

Group: CrowdStrike

Type: event

Default Status:

Enabled

Tags:

Detection, Falcon, CrowdStrike

Selector:

Query: (empty)

Filters:

Field MUST hit:
  @event_type          @falcon
  @falcon.eventType    DetectionSummaryEvent

Field MUST NOT hit:
  (empty)

Behavior Rule:

Key                          Type    Behavior Category
@falcon.event.ComputerName   asset   security alert

Risks:

Risk                    Base Score   Dimension
ALERT_END_POINT         800          alert
ALERT_HIGH_CONFIDENCE   2000         alert

Attributes:

Alias                    Key
LocalIP                  @falcon.event.LocalIP
ComputerName             @falcon.event.ComputerName
DetectID                 @falcon.event.DetectId
DetectName               @falcon.event.DetectName
DetectDescription        @falcon.event.DetectDescription
FalconHostLink           @falcon.event.FalconHostLink
CommandLine              @falcon.event.CommandLine
FileName                 @falcon.event.FileName
FilePath                 @falcon.event.FilePath
SHA256                   @falcon.event.SHA256String
MachineDomain            @falcon.event.MachineDomain
DispositionDescription   @falcon.event.PatternDispositionDescription
SensorID                 @falcon.event.SensorId
SeverityName             @falcon.event.SeverityName
Severity                 @falcon.event.Severity
EventType                @falcon.eventType

Correlation Rules:

First Occurrence:

Name         Window    Field                    Risk added on first occurrence
NewEventID   10 days   @falcon.event.DetectId   ML_NEW_ALERT
NewAgent     10 days   @falcon.event.SensorId   ML_NEW_ASSET
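To make the selector, attribute mapping, risk scoring and first-occurrence correlation above concrete, here is an added example (not Fluency's or CrowdStrike's code) that re-implements the rule's logic over a handful of constructed records. The field keys, scores and 10-day windows are copied from the tables above; the nested record layout (`event_type` at top level, the Falcon stream event under `falcon`), the dotted-path lookup, the in-memory first-seen store and its refresh-on-every-sighting semantics are assumptions made here for illustration, as are the hostnames, DetectIds and SensorIds in the sample.

```python
# Added example, not Fluency's or CrowdStrike's code: a minimal re-implementation
# of what rule 100126 does to one Falcon record, run over constructed sample
# records. Field keys, scores and windows are copied from the page; the nested
# record layout, the dotted-path lookup and the in-memory first-occurrence store
# are assumptions made here for illustration.
from datetime import datetime, timedelta, timezone

# Selector: every MUST-hit filter has to match; the MUST-NOT table is empty on the page.
MUST_HIT = {"@event_type": "@falcon", "@falcon.eventType": "DetectionSummaryEvent"}
MUST_NOT_HIT = {}

# Attributes: alias -> key, as listed on the page.
ATTRIBUTES = {
    "LocalIP": "@falcon.event.LocalIP", "ComputerName": "@falcon.event.ComputerName",
    "DetectID": "@falcon.event.DetectId", "DetectName": "@falcon.event.DetectName",
    "DetectDescription": "@falcon.event.DetectDescription",
    "FalconHostLink": "@falcon.event.FalconHostLink",
    "CommandLine": "@falcon.event.CommandLine", "FileName": "@falcon.event.FileName",
    "FilePath": "@falcon.event.FilePath", "SHA256": "@falcon.event.SHA256String",
    "MachineDomain": "@falcon.event.MachineDomain",
    "DispositionDescription": "@falcon.event.PatternDispositionDescription",
    "SensorID": "@falcon.event.SensorId", "SeverityName": "@falcon.event.SeverityName",
    "Severity": "@falcon.event.Severity", "EventType": "@falcon.eventType",
}

# Risks: base scores from the page; every selected record carries both.
RISKS = {"ALERT_END_POINT": 800, "ALERT_HIGH_CONFIDENCE": 2000}

# First Occurrence: (name, window, key, risk added when the key's value is new).
FIRST_OCCURRENCE = [
    ("NewEventID", timedelta(days=10), "@falcon.event.DetectId", "ML_NEW_ALERT"),
    ("NewAgent", timedelta(days=10), "@falcon.event.SensorId", "ML_NEW_ASSET"),
]

def lookup(record, key):
    """Resolve an '@a.b.c' key against a nested dict (assumed record layout)."""
    node = record
    for part in key.lstrip("@").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def selected(record):
    """True when all MUST-hit filters match and no MUST-NOT filter matches."""
    return (all(lookup(record, k) == v for k, v in MUST_HIT.items())
            and not any(lookup(record, k) == v for k, v in MUST_NOT_HIT.items()))

class FirstOccurrence:
    """In-memory first-seen store (assumed semantics: a value is new when it was not
    seen within the window; every sighting refreshes its timestamp)."""
    def __init__(self):
        self.last_seen = {}  # (rule name, value) -> datetime of last sighting

    def check(self, record, now):
        risks = []
        for name, window, key, risk in FIRST_OCCURRENCE:
            value = lookup(record, key)
            if value is None:
                continue  # key absent: nothing to correlate on
            last = self.last_seen.get((name, value))
            if last is None or now - last > window:
                risks.append(risk)
            self.last_seen[(name, value)] = now
        return risks

def process(record, tracker, now):
    """Apply rule 100126 to one record; None when the selector does not match."""
    if not selected(record):
        return None
    return {
        "asset": lookup(record, "@falcon.event.ComputerName"),  # behavior key, type asset
        "attributes": {alias: lookup(record, key) for alias, key in ATTRIBUTES.items()},
        "base_score": sum(RISKS.values()),
        "risks": sorted(RISKS) + tracker.check(record, now),
    }

def detection(host, detect_id, sensor_id):
    """Constructed DetectionSummaryEvent, not real telemetry."""
    return {"event_type": "@falcon", "falcon": {"eventType": "DetectionSummaryEvent",
            "event": {"ComputerName": host, "DetectId": detect_id, "SensorId": sensor_id,
                      "LocalIP": "10.0.0.42", "Severity": 4, "SeverityName": "High"}}}

T0 = datetime(2020, 11, 25, 9, 20, tzinfo=timezone.utc)
SAMPLE = [  # (record, arrival time), constructed for this example
    (detection("WS-0042", "ldt:aaaa:1", "aaaa"), T0),
    ({"event_type": "@falcon", "falcon": {"eventType": "UserActivityAuditEvent",
      "event": {"UserId": "analyst@example.com"}}}, T0 + timedelta(hours=1)),  # not selected
    (detection("WS-0042", "ldt:aaaa:1", "aaaa"), T0 + timedelta(days=2)),   # repeat inside window
    (detection("WS-0077", "ldt:bbbb:7", "bbbb"), T0 + timedelta(days=3)),   # new detect, new sensor
    (detection("WS-0042", "ldt:aaaa:1", "aaaa"), T0 + timedelta(days=13)),  # window expired
]

def run_sample():
    """Feed SAMPLE through one shared tracker and return the per-record results."""
    tracker = FirstOccurrence()
    return [process(record, tracker, at) for record, at in SAMPLE]
```

Running `run_sample()` shows the behaviour the tables describe: the audit event never passes the selector; the first detection on WS-0042 carries both base risks (2800 points) plus ML_NEW_ALERT and ML_NEW_ASSET; its repeat two days later carries only the base risks; the detection on WS-0077 is new on both keys; and the WS-0042 repeat thirteen days after the first sighting, eleven days after the last one, is treated as new again because the 10-day window has lapsed. Whether the real store refreshes on every sighting or only on the first is not stated on the page, which is why that choice is marked as an assumption.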

History:

User Date
ke*y@fluencysecurity.com 2020 Nov 25 09:20:40 EST
ke*y@fluencysecurity.com 2020 Nov 25 09:24:24 EST
ku*n@fluencysecurity.com 2020 Nov 25 11:37:18 EST
ke*y@fluencysecurity.com 2020 Nov 30 17:54:30 EST
ke*y@fluencysecurity.com 2020 Dec 21 09:16:43 EST
ho*d@fluencysecurity.com 2021 Apr 22 08:52:38 EDT
ke*y@fluencysecurity.com 2021 Aug 25 08:08:57 EDT
ho*d@fluencysecurity.com 2021 Aug 31 16:30:22 EDT
ho*d@fluencysecurity.com 2021 Sep 30 12:11:11 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)