Falcon_Detection_Event

ID: 100424

Description:

CrowdStrike Falcon Detection Event - KLK

Repository:

Group: CrowdStrikeES
Type: event

Default Status:

Enabled

Tags:

Detection, Falcon, CrowdStrike

Selector:

Query:

Filters:

| Field | MUST hit |
| :--- | :--- |
| event.module | crowdstrike |
| crowdstrike.metadata.eventType | DetectionSummaryEvent |

| Field | MUST NOT hit |
| :--- | :--- |
| (none) | |

Behavior Rule:

| Key | Type | Behavior | Category |
| :--- | :--- | :--- | :--- |
| crowdstrike.event.ComputerName | asset | security | alert |

Risks:

| Risk | Base Score | Dimension |
| :--- | :--- | :--- |
| ALERT_END_POINT | 800 | alert |
| ALERT_HIGH_CONFIDENCE | 2000 | alert |

Attributes:

| Alias | Key |
| :--- | :--- |
| LocalIP | crowdstrike.event.LocalIP |
| ComputerName | crowdstrike.event.ComputerName |
| DetectID | crowdstrike.event.DetectId |
| DetectName | crowdstrike.event.DetectName |
| DetectDescription | crowdstrike.event.DetectDescription |
| FalconHostLink | crowdstrike.event.FalconHostLink |
| CommandLine | crowdstrike.event.CommandLine |
| FileName | crowdstrike.event.FileName |
| FilePath | crowdstrike.event.FilePath |
| SHA256 | crowdstrike.event.SHA256String |
| MachineDomain | crowdstrike.event.MachineDomain |
| DispositionDescription | crowdstrike.event.PatternDispositionDescription |
| SensorID | crowdstrike.event.SensorId |
| SeverityName | crowdstrike.event.SeverityName |
| Severity | crowdstrike.event.Severity |
| EventType | crowdstrike.metadata.eventType |

Correlation Rules:

First Occurrence:

| Name | Window | Fields | Risks |
| :--- | :--- | :--- | :--- |
| NewEventID | 10 days | crowdstrike.event.DetectId | ML_NEW_ALERT |
| NewAgent | 10 days | crowdstrike.event.SensorId | ML_NEW_ASSET |

History:

| User | Date |
| :--- | :--- |
| — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)