Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | CrowdStrike Falcon Endpoint Protection |
| ID | f7d298b2-726c-42a5-bbac-0d7f9950f527 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Execution, Impact |
| Techniques | T1204.002, T1499 |
| Required Connectors | CefAma |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CommonSecurityLog | DeviceProduct == "FalconHost", DeviceVendor == "CrowdStrike" | ✓ | ✓ | ✓ |