Critical Severity Detection
| Id | f7d298b2-726c-42a5-bbac-0d7f9950f527 |
| Rulename | Critical Severity Detection |
| Description | Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result. |
| Severity | High |
| Tactics | Execution Impact |
| Techniques | T1204.002 T1499 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml |
| Version | 1.0.5 |
| Arm template | f7d298b2-726c-42a5-bbac-0d7f9950f527.json |
// Scheduled detection: emits one row per distinct critical CrowdStrike Falcon
// detection observed in the lookback window; any row raises an incident
// (trigger threshold 0, operator gt).
let timeframe = 1h; // lookback; equal to the rule's queryPeriod/queryFrequency (1h), so runs do not overlap and events that are ingested late may fall outside the window
CrowdStrikeFalconEventStream
| where TimeGenerated > ago(timeframe)
| where EventType == "DetectionSummaryEvent" // sensor detection summaries only, not audit/other stream events
| where Severity == "Critical"
// Collapse repeated identical detections (same host/IP/user/file/hash/message)
// into one row carrying first/last seen and a count
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
// Entity columns consumed by the rule's entityMappings. FileHashAlgo is fixed
// to "MD5" — NOTE(review): confirm that FileHash in this stream really is an
// MD5 digest; if the connector populates it with a SHA256 value the FileHash
// entity will be labelled with the wrong algorithm
| extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"
| project StartTimeUtc, EndTimeUtc, Total, DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message, timestamp, AccountCustomEntity, HostCustomEntity, IPCustomEntity, FileHashCustomEntity, FileHashAlgo
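# Microsoft Sentinel scheduled analytic rule (Azure-Sentinel CrowdStrike Falcon
# solution). Indentation restored so the document parses as YAML; all values
# are as published.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  # The query hard-codes FileHashAlgo = "MD5". Confirm that FileHash in
  # CrowdStrikeFalconEventStream carries an MD5 digest in your deployment;
  # otherwise the FileHash entity is labelled with the wrong algorithm.
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: FileHashAlgo
      - identifier: Value
        columnName: FileHashCustomEntity
tactics:
  - Execution
  - Impact
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    connectorId: CefAma
alertDetailsOverride:
  alertDisplayNameFormat: CrowdStrike critical detection on {{DstHostName}}
  alertDescriptionFormat: CrowdStrike reported {{Total}} critical detection(s) on {{DstHostName}} for {{DstUserName}}.
id: f7d298b2-726c-42a5-bbac-0d7f9950f527
severity: High
status: Available
# Surfaced on the alert for triage; column names refer to the query output.
customDetails:
  DetectionMessage: Message
  DetectionTechnique: Technique
  DetectionHost: DstHostName
  DetectionUser: DstUserName
  DetectionFileName: FileName
  DetectionActivity: Activity
  DetectionSourceIp: SrcIpAddr
  DetectionFilePath: FilePath
  DetectionCount: Total
query: |
  let timeframe = 1h;
  CrowdStrikeFalconEventStream
  | where TimeGenerated > ago(timeframe)
  | where EventType == "DetectionSummaryEvent"
  | where Severity == "Critical"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
  | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"
  | project StartTimeUtc, EndTimeUtc, Total, DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message, timestamp, AccountCustomEntity, HostCustomEntity, IPCustomEntity, FileHashCustomEntity, FileHashAlgo
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
kind: Scheduled
# queryPeriod equals queryFrequency, so consecutive runs do not overlap; the
# query's own `timeframe` must stay in step with queryPeriod if either is
# widened to tolerate ingestion delay.
queryPeriod: 1h
version: 1.0.5
name: Critical Severity Detection
queryFrequency: 1h
# Any non-empty result set raises an incident (count > 0).
triggerThreshold: 0
relevantTechniques:
  - T1204.002
  - T1499
description: |
  'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result.'
triggerOperator: gt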