@@ -1,5 +1,4 @@
fromversion: 6.10.0
rule_id: 0
action: ALERTS
alert_category: User Defined
alert_description: $alert_description
Expand Down Expand Up @@ -73,7 +72,7 @@ description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detecti
Event
drilldown_query_timeframe: ALERT
execution_mode: REAL_TIME
global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0043
global_rule_id: SOC CrowdStrike Falcon - Endpoint Alerts
investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
is being collected

Expand All @@ -82,16 +81,19 @@ investigation_query_link: '// All (stitched) activity from host - assuming raw t
| filter agent_hostname = $hostname

| fields * '
is_enabled: true
lookup_mapping: []
mapping_strategy: CUSTOM
mitre_defs:
TA0043 - Reconnaissance: []
name: SOC CrowdStrike Falcon - Endpoint Alerts - Reconnaissance
mitre_defs: {}
name: SOC CrowdStrike Falcon - Endpoint Alerts
rule_id: 0
search_window: null
severity: User Defined
simple_schedule: null
suppression_duration: null
suppression_enabled: false
suppression_fields: null
timezone: null
user_defined_category: tactic
user_defined_severity: severity_name
xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\
Expand All @@ -103,8 +105,7 @@ xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: S
\ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\
\ mitre_tactic = tactic,\n mitre_tactic_id \
\ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\
\ = technique_id\n| filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"\
Reconnaissance\"\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
\ = technique_id\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
\ objects\n| alter \n hostname = device->hostname,\n domain\
\ = device->machine_domain,\n local_ip = device->local_ip,\n \
\ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\
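Review bot: With the `filter mitre_tactic_id = "TA0043" or mitre_tactic = "Reconnaissance"` line dropped from `xql_query` and `mitre_defs:` collapsed to `{}`, the alert's ATT&CK category is now supplied entirely at runtime by `user_defined_category: tactic`, and the only normalization still visible in the query is `tactic = if(tactic = "Malware", "Execution", tactic)`. That rewrite suggests Falcon emits tactic names outside the ATT&CK taxonomy; any other such value would now surface as an alert category with no static `mitre_defs` fallback, and likewise `severity: User Defined` with `user_defined_severity: severity_name` depends on Falcon's severity strings matching what XSIAM accepts. I would state this in the `Description:` header of `xql_query` along the lines of `// MITRE tactic/category and severity are taken from the Falcon detection at runtime; non-ATT&CK tactic names other than "Malware" are passed through unmodified`, so an analyst tuning the rule knows where to add further `if()` rewrites. The new `global_rule_id: SOC CrowdStrike Falcon - Endpoint Alerts` also replaces a UUID-style identifier with a free-text name; if the platform keys rule versions on that field this is presumably intentional, but worth confirming. The `xql_query` string continues past the end of this hunk.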

This file was deleted.

This file was deleted.
