Creates an incident when a single user triggers a large number of Critical or High severity CrowdStrike Falcon sensor detections within 1 hour. The rule queries the CrowdStrikeFalconEventStream table, filters for DetectionSummaryEvent records whose Severity is Critical or High, and alerts when the number of detections for a single DstUserName exceeds the configured threshold of 15. Review DstHostName, SrcIpAddr, FileName, FileHash, and Message on the matching records for investigation context.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | CrowdStrike Falcon Endpoint Protection |
| ID | 4465ebde-b381-45f7-ad08-7d818070a11c |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Impact, DefenseEvasion |
| Techniques | T1489, T1562 |
| Required Connectors | CefAma |
| Source | View on GitHub |
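The following KQL is an added reconstruction of the detection logic described above, written for this page; it is not the solution's own query from the Sentinel repository. The table name, the DetectionSummaryEvent filter, the Severity values, the DstUserName grouping and the threshold of 15 come from the description; the EventType column name, the TimeGenerated lookback and the entity mapping line are assumptions that should be checked against the deployed parser's schema before use.

```kql
// Added reconstruction of the rule logic, not the solution's own query.
// Assumed: the Falcon event type lives in a column named EventType, and the
// rule runs on a 1h schedule with a 1h lookback.
let threshold = 15;
let lookback = 1h;
CrowdStrikeFalconEventStream
| where TimeGenerated > ago(lookback)
| where EventType == "DetectionSummaryEvent"      // assumed column name
| where Severity in~ ("Critical", "High")          // case-insensitive match on the page's two values
| where isnotempty(DstUserName)                     // detections with no user cannot be attributed to one
| summarize
    DetectionCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Hosts = make_set(DstHostName, 50),
    SourceIPs = make_set(SrcIpAddr, 50),
    Files = make_set(FileName, 50),
    Hashes = make_set(FileHash, 50),
    SampleMessages = make_set(Message, 10)
  by DstUserName
| where DetectionCount > threshold
| extend AccountCustomEntity = DstUserName          // assumed entity mapping for the incident
| order by DetectionCount desc
```

Run it ad hoc in the Logs blade with a longer lookback (for example `let lookback = 7d;` combined with `bin(TimeGenerated, 1h)` in the summarize) to see how often a user would have crossed the threshold before enabling the rule; the `isnotempty(DstUserName)` filter is a deliberate choice so that unattributed detections do not aggregate under an empty key and fire a misleading incident.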