diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml index 81a6610d7b0..433f063bd93 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml @@ -1,5 +1,5 @@ id: 4465ebde-b381-45f7-ad08-7d818070a11c -name: Critical or High Severity Detections by User +name: Common Event Format (CEF) via AMA - Critical or High Severity Detections by User description: | 'Creates an incident when a large number of Critical or High severity CrowdStrike Falcon sensor detections is triggered by a single user within 1 hour. The rule uses the CrowdStrikeFalconEventStream table, filters for DetectionSummaryEvent records with Severity set to Critical or High, and alerts when detections for a single DstUserName exceed the configured threshold of 15. Review DstHostName, SrcIpAddr, FileName, FileHash, and Message for investigation context.' severity: High @@ -59,5 +59,5 @@ customDetails: FileName: FileName FileHash: FileHash Total: Total -version: 1.0.5 +version: 1.0.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml index 7fd5badee37..8a7958d6ef3 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml 
@@ -1,5 +1,5 @@ id: f7d298b2-726c-42a5-bbac-0d7f9950f527 -name: Critical Severity Detection +name: Common Event Format (CEF) via AMA - Critical Severity Detection description: | 'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result.' severity: High @@ -59,5 +59,5 @@ customDetails: DetectionHost: DstHostName DetectionUser: DstUserName DetectionSourceIp: SrcIpAddr -version: 1.0.5 +version: 1.0.6 kind: Scheduled
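Review bot: In the first hunk of CriticalOrHighSeverityDetectionsByUser.yaml the `name` gains the "Common Event Format (CEF) via AMA - " prefix, but the unchanged `description` lines still introduce the rule only through the CrowdStrikeFalconEventStream table and say nothing about the CEF via AMA ingestion path the new name advertises; consider adding that to the description so name and description agree, and confirm that `requiredDataConnectors` (not visible in this hunk) references the connector the new name describes. The `id` 4465ebde-b381-45f7-ad08-7d818070a11c is unchanged, so for existing deployments this is a display-name change only, which the 1.0.5 to 1.0.6 patch bump reflects correctly.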
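Review bot: The second hunk of CriticalOrHighSeverityDetectionsByUser.yaml still carries the `\ No newline at end of file` marker after `kind: Scheduled`, so the file continues to lack a trailing newline; since the `version` line directly above is already being touched, add the newline in this change so the file ends like CriticalSeverityDetection.yaml, whose final hunk has no such marker.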
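Review bot: In the first hunk of CriticalSeverityDetection.yaml the same rename applies as in the first file, and the same mismatch follows: the `description` still describes the rule purely in terms of CrowdStrikeFalconEventStream and DetectionSummaryEvent records, with no mention of CEF via AMA, so the two renames should be accompanied by a matching description update (or the prefix dropped) for both rules rather than leaving the new names to imply a data path the descriptions do not state; `requiredDataConnectors` for this rule is likewise outside the hunk and should be checked for consistency with the new name.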