Critical Severity Detection

let timeframe = 1h;
CrowdStrikeFalconEventStream
| where TimeGenerated > ago(timeframe)
| where EventType == "DetectionSummaryEvent"
| where Severity == "Critical"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
| extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
queryPeriod: 1h
description: |
    'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity'
triggerThreshold: 0
name: Critical Severity Detection
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: FileHashAlgo
  - identifier: Value
    columnName: FileHashCustomEntity
kind: Scheduled
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
queryFrequency: 1h
tactics: []
id: f7d298b2-726c-42a5-bbac-0d7f9950f527
status: Available
version: 1.0.4
query: |
  let timeframe = 1h;
  CrowdStrikeFalconEventStream
  | where TimeGenerated > ago(timeframe)
  | where EventType == "DetectionSummaryEvent"
  | where Severity == "Critical"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
  | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"  
severity: High
relevantTechniques: []