From 577613a654b8aa2439806c40b3cbfc376e46d10d Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Thu, 11 Jun 2026 18:54:57 +0530
Subject: [PATCH] Add CEF via AMA prefix to rules and bump versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update two CrowdStrike Falcon analytic rule YAMLs to prepend "Common Event Format (CEF) via AMA -" to the rule names (CriticalOrHighSeverityDetectionsByUser and CriticalSeverityDetection) and increment the version from 1.0.5 to 1.0.6. No functional logic changes — this clarifies the ingestion/source in the rule titles.
---
 .../CriticalOrHighSeverityDetectionsByUser.yaml | 4 ++--
 .../Analytic Rules/CriticalSeverityDetection.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml
index 81a6610d7b0..433f063bd93 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml
@@ -1,5 +1,5 @@
 id: 4465ebde-b381-45f7-ad08-7d818070a11c
-name: Critical or High Severity Detections by User
+name: Common Event Format (CEF) via AMA - Critical or High Severity Detections by User
 description: |
 'Creates an incident when a large number of Critical or High severity CrowdStrike Falcon sensor detections is triggered by a single user within 1 hour. The rule uses the CrowdStrikeFalconEventStream table, filters for DetectionSummaryEvent records with Severity set to Critical or High, and alerts when detections for a single DstUserName exceed the configured threshold of 15. Review DstHostName, SrcIpAddr, FileName, FileHash, and Message for investigation context.'
 severity: High
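Review bot: The new `name` line now names the ingestion path ("Common Event Format (CEF) via AMA"), but the `description` context line two lines below still introduces the data source only as "the CrowdStrikeFalconEventStream table", so the title and the description give a reader two different pictures of where the events come from. If CrowdStrikeFalconEventStream is the solution's parser over the CEF-via-AMA-fed table (I cannot confirm that from this hunk), the description should say so, e.g. `The rule uses the CrowdStrikeFalconEventStream parser over events ingested by the Common Event Format (CEF) via AMA connector, ...`, so that an analyst triaging an incident can tell which connector must be healthy for this rule to fire. The rule's `requiredDataConnectors` block is outside the hunk; if it still references a different connector than the one the title now advertises, it should be brought into line in the same change. The same title/description mismatch applies to the first hunk of CriticalSeverityDetection.yaml.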
@@ -59,5 +59,5 @@ customDetails:
 FileName: FileName
 FileHash: FileHash
 Total: Total
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
index 7fd5badee37..8a7958d6ef3 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
@@ -1,5 +1,5 @@
 id: f7d298b2-726c-42a5-bbac-0d7f9950f527
-name: Critical Severity Detection
+name: Common Event Format (CEF) via AMA - Critical Severity Detection
 description: |
 'Creates an incident when a CrowdStrike Falcon sensor detection is triggered with Critical severity. The rule queries CrowdStrikeFalconEventStream for DetectionSummaryEvent records where Severity is Critical, summarizes detections by host, source IP, user, activity, technique, file details, hash, and message, and raises an incident for each matching result.'
 severity: High
@@ -59,5 +59,5 @@ customDetails:
 DetectionHost: DstHostName
 DetectionUser: DstUserName
 DetectionSourceIp: SrcIpAddr
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled