Critical Severity Detection
| Id | f7d298b2-726c-42a5-bbac-0d7f9950f527 |
| Rulename | Critical Severity Detection |
| Description | Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result. |
| Severity | High |
| Tactics | Execution, Impact |
| Techniques | T1204.002, T1499 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml |
| Version | 1.0.5 |
| Arm template | f7d298b2-726c-42a5-bbac-0d7f9950f527.json |
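// Critical Severity Detection: surfaces CrowdStrike Falcon DetectionSummaryEvent
// records with Critical severity and groups them per host / user / file context
// so that one incident is raised per distinct detection.
// timeframe matches the rule's 1h queryPeriod/queryFrequency; events that arrive
// later than that (ingestion lag) fall outside the window and are not seen.
let timeframe = 1h;
CrowdStrikeFalconEventStream
| where TimeGenerated > ago(timeframe)
| where EventType == "DetectionSummaryEvent"
// NOTE(review): == is case-sensitive; confirm the parser emits exactly "Critical".
| where Severity == "Critical"
// Message is part of the group key, so detections that differ only in their
// message text become separate rows (and separate incidents).
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count()
    by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
// Derive the hash algorithm from the hash length instead of assuming MD5, so the
// FileHash entity carries the right Algorithm whatever the sensor emitted.
// A 32-character hash still maps to MD5, as before; unrecognised lengths are
// labelled "Unknown" rather than mis-attributed.
| extend FileHashAlgo = case(strlen(FileHash) == 32, "MD5",
                             strlen(FileHash) == 40, "SHA1",
                             strlen(FileHash) == 64, "SHA256",
                             "Unknown")
// Entity columns consumed by the rule's entityMappings; timestamp is kept for
// backward compatibility with consumers expecting the legacy column.
| extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName,
         IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash
| project StartTimeUtc, EndTimeUtc, Total, DstHostName, SrcIpAddr, DstUserName, Activity, Technique,
          FileName, FilePath, FileHash, Message, timestamp, AccountCustomEntity, HostCustomEntity,
          IPCustomEntity, FileHashCustomEntity, FileHashAlgo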
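# Sentinel scheduled analytic rule: raises one incident per distinct critical
# CrowdStrike Falcon detection context seen in the last hour.
# Indentation restored to valid YAML; key order kept as in the original.
entityMappings:
  - fieldMappings:
      - columnName: AccountCustomEntity
        identifier: FullName
    entityType: Account
  - fieldMappings:
      - columnName: HostCustomEntity
        identifier: FullName
    entityType: Host
  - fieldMappings:
      - columnName: IPCustomEntity
        identifier: Address
    entityType: IP
  - fieldMappings:
      # Algorithm is derived in the query from the hash length rather than
      # hard-coded, so the FileHash entity is labelled correctly.
      - columnName: FileHashAlgo
        identifier: Algorithm
      - columnName: FileHashCustomEntity
        identifier: Value
    entityType: FileHash
triggerOperator: gt
tactics:
  - Execution
  - Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
alertDetailsOverride:
  alertDescriptionFormat: CrowdStrike reported {{Total}} critical detection(s) on {{DstHostName}} for {{DstUserName}}.
  alertDisplayNameFormat: CrowdStrike critical detection on {{DstHostName}}
version: 1.0.5
query: |
  // timeframe matches queryPeriod/queryFrequency (1h); events ingested later
  // than that fall outside the window and are not seen.
  let timeframe = 1h;
  CrowdStrikeFalconEventStream
  | where TimeGenerated > ago(timeframe)
  | where EventType == "DetectionSummaryEvent"
  // NOTE(review): == is case-sensitive; confirm the parser emits exactly "Critical".
  | where Severity == "Critical"
  // Message is part of the group key, so detections that differ only in their
  // message text become separate rows (and separate incidents).
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count()
      by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
  // Derive the hash algorithm from the hash length instead of assuming MD5, so
  // the FileHash entity carries the right Algorithm whatever the sensor emitted.
  // A 32-character hash still maps to MD5, as before; unrecognised lengths are
  // labelled "Unknown" rather than mis-attributed.
  | extend FileHashAlgo = case(strlen(FileHash) == 32, "MD5",
                               strlen(FileHash) == 40, "SHA1",
                               strlen(FileHash) == 64, "SHA256",
                               "Unknown")
  // Entity columns consumed by entityMappings below; timestamp is kept for
  // backward compatibility with consumers expecting the legacy column.
  | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName,
           IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash
  | project StartTimeUtc, EndTimeUtc, Total, DstHostName, SrcIpAddr, DstUserName, Activity, Technique,
            FileName, FilePath, FileHash, Message, timestamp, AccountCustomEntity, HostCustomEntity,
            IPCustomEntity, FileHashCustomEntity, FileHashAlgo
# threshold 0 with operator gt: any matching row raises the alert.
triggerThreshold: 0
relevantTechniques:
  - T1204.002
  - T1499
queryPeriod: 1h
status: Available
severity: High
kind: Scheduled
# Query columns surfaced on the alert as custom details for triage.
customDetails:
  DetectionFilePath: FilePath
  DetectionFileName: FileName
  DetectionHost: DstHostName
  DetectionActivity: Activity
  DetectionMessage: Message
  DetectionCount: Total
  DetectionTechnique: Technique
  DetectionSourceIp: SrcIpAddr
  DetectionUser: DstUserName
name: Critical Severity Detection
queryFrequency: 1h
id: f7d298b2-726c-42a5-bbac-0d7f9950f527
description: |
  'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result.'
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    connectorId: CefAma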