Falcon_Incident

ID: 100127

Description:

CrowdStrike Falcon grouped one or more security events into a security incident. The incident report can be viewed by following the FalconHostLink in the details.

Repository: Fluency
Group: CrowdStrike
Type: event

Default Status:

Enabled

Tags:

Incident Falcon CrowdStrike

Selector:

Query:

Filters:

Field               MUST hit
@event_type         @falcon
@falcon.eventType   IncidentSummaryEvent

Field               MUST NOT hit
(none)

Behavior Rule:

Key Type Behavior Category
@falcon.event.HostID asset security alert

Risks:

Risks                   Base Score   Dimension
ALERT_END_POINT         800          alert
ALERT_HIGH_CONFIDENCE   2000         alert

Attributes:

Alias               Key
FalconHostLink      @falcon.event.FalconHostLink
EventType           @falcon.eventType
LateralMovement     @falcon.event.LateralMovement
IncidentStartTime   @falcon.event.IncidentStartTime
IncidentEndTime     @falcon.event.IncidentEndTime
State               @falcon.event.State

Correlation Rules:

First Occurrence:

Name          Window    Fields
NewIncident   10 days   @falcon.event.FalconHostLink
              Risks:    ML_NEW_ALERT

History:

User                       Date
ke*y@fluencysecurity.com 2020 Nov 25 09:24:33 EST
ke*y@fluencysecurity.com 2020 Nov 30 17:49:14 EST
ke*y@fluencysecurity.com 2020 Nov 30 17:54:42 EST
ke*y@fluencysecurity.com 2020 Dec 21 09:16:55 EST
ho*d@fluencysecurity.com 2021 Apr 22 08:52:46 EDT
ke*y@fluencysecurity.com 2021 Aug 25 08:09:51 EDT
ho*d@fluencysecurity.com 2021 Aug 31 16:03:14 EDT
ho*d@fluencysecurity.com 2021 Aug 31 16:04:49 EDT
ho*d@fluencysecurity.com 2021 Sep 30 12:14:01 EDT

This page was automatically created/formatted on Wed, 2021 Oct 13 18:38:25 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)