Critical Severity Detection

Back


Id	f7d298b2-726c-42a5-bbac-0d7f9950f527
Rulename	Critical Severity Detection
Description	Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity
Severity	High
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
Version	1.0.4
Arm template	f7d298b2-726c-42a5-bbac-0d7f9950f527.json

KQL

let timeframe = 1h;
CrowdStrikeFalconEventStream
| where TimeGenerated > ago(timeframe)
| where EventType == "DetectionSummaryEvent"
| where Severity == "Critical"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
| extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"

YAML

description: |
    'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity'
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: FileHashAlgo
    identifier: Algorithm
  - columnName: FileHashCustomEntity
    identifier: Value
  entityType: FileHash
query: |
  let timeframe = 1h;
  CrowdStrikeFalconEventStream
  | where TimeGenerated > ago(timeframe)
  | where EventType == "DetectionSummaryEvent"
  | where Severity == "Critical"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
  | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"  
tactics: []
severity: High
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
relevantTechniques: []
id: f7d298b2-726c-42a5-bbac-0d7f9950f527
name: Critical Severity Detection
kind: Scheduled
triggerOperator: gt
version: 1.0.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma

ARM