From 559c523b70c9a2742420a455e3d72220fffae431 Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Fri, 6 Feb 2026 08:40:05 -0600
Subject: [PATCH 1/2] upodated SPL based on new raw events

---
 .../crowdstrike_falcon_stream_alerts.yml | 31 ++++++++++---------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
index c4764d3e33..ca126e1bf4 100644
--- a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
+++ b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
@@ -1,7 +1,7 @@
 name: CrowdStrike Falcon Stream Alerts
 id: cb6af2b3-29ab-441c-8d8d-679811c8b014
-version: 1
-date: '2025-05-12'
+version: 2
+date: '2026-02-06'
 author: Bryan Pluta, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -9,30 +9,31 @@ data_source:
 - CrowdStrike Falcon Stream Alert
 description: The following analytic is to leverage alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and Crowdstrike id and links. The evals in the search do multiple things to include align the severity, ensure the user, dest, title, description, MITRE fields are set properly, and the drilldowns are defined based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensure the appropriate risk and analyst queue fields are correctly populated.
 search: |
-  `crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
+  `crowdstrike_stream` metadata.eventType IN (XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent)
   | rename event.* as *
-  | eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
+  | eval risk_score=case(Severity<20, 0, Severity<40 AND Severity>=20, 25, Severity<60 AND Severity>=40, 100, Severity<80 AND Severity>=60, 250, Severity>=80, 500)
   | eval user=coalesce(lower(SourceAccountName),lower(UserName))
-  | eval dest=coalesce(ComputerName,SourceEndpointHostName)
-  | eval mitre_technique = case(!match(DetectName, "(NGAV|Intel Detection)"), Technique)
+  | eval dest=coalesce(HostNames,SourceEndpointHostName)
+  | eval mitre_technique = case(!match(Name, "(NGAV
+  |Intel Detection)"), Technique)
   | join type=left mitre_technique
-  [| inputlookup append=t mitre_attack_lookup
-  | fields mitre_technique mitre_technique_id ]
+  [| inputlookup append=t mitre_attack_lookup
+  | fields mitre_technique mitre_technique_id ]
   | eval annotations.mitre_attack = mitre_technique_id
   | eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
-  | eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
-  | eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
+  | eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.HostNames=" + $HostNames$ +"*"),"")
+  | eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $HostNames$ +"*"),"")
   | eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
   | rename "metadata.eventType" as eventType
-  | eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
+  | eval title = case(Name=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),Name=="Intel Detection", ("RR - CS - " + Name),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + Name + " - " + Technique) )
   | eval user_append = if(NOT isnull(user)," by " + user,"")
   | eval dest_append = if(NOT isnull(dest)," on " + dest,"")
-  | eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
+  | eval description = case(Name=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + Name),Name=="Intel Detection", ("CS " + Name + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
   | eval description = description + user_append + dest_append
-  | eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
+  | eval gid=id, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
   | eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
-  | rename DetectId as detection_id, FalconHostLink as detection_url
-  | table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
+  | rename id as detection_id, FalconHostLink as detection_url
+  | table _time source detection_id detection_url title risk_score description Severity severity HostNames dest Tactic Technique user UserName Objective Name DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
   | `crowdstrike_falcon_stream_alerts_filter`
 how_to_implement: In order to properly run this search, you need to ingest alerts data from CrowdStrike Event Stream, specifcally using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on will collect alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the `crowdstrike_stream` macro to point to the proper index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
 known_false_positives: False positives may vary based on Crowdstrike configuration; monitor and filter out the alerts that are not relevant to your environment.

From b0f5c7020c0ff88064541243437f8f8d50143903 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 9 Feb 2026 13:02:35 +0530
Subject: [PATCH 2/2] updating dataset link and data source file

---
 data_sources/crowdstrike_falcon_stream_alert.yml | 2 +-
 detections/endpoint/crowdstrike_falcon_stream_alerts.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data_sources/crowdstrike_falcon_stream_alert.yml b/data_sources/crowdstrike_falcon_stream_alert.yml
index 94bff160b2..9e15c4f910 100644
--- a/data_sources/crowdstrike_falcon_stream_alert.yml
+++ b/data_sources/crowdstrike_falcon_stream_alert.yml
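Review bot: The new `mitre_technique` eval in the `search: |` block is split across two added lines — one ends with `"(NGAV` and the next begins `|Intel Detection)"), Technique)` — and the hunk's +31 line count together with the 16-insertion diffstat only add up if that second `+` really is a separate line. Inside a YAML literal block that puts a newline inside the regex string (or, if the continuation is indented less than the block, terminates the scalar and breaks the YAML), so `Name=="NGAV"` alerts no longer match the exclusion and fall through to `Technique`, exactly the case the `case(!match(...))` was written to exclude; it should be the single line `| eval mitre_technique = case(!match(Name, "(NGAV|Intel Detection)"), Technique)`. The description context line still says the search aggregates `DetectionSummaryEvent` and `IdpDetectionSummaryEvent`, while the filter now selects `XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent`, so it should be updated in the same change. If `HostNames` can be multivalued (the plural suggests it), `coalesce(HostNames, ...)` and the string concatenation in `drilldown_dest` will only behave as intended for single-host alerts — worth confirming against a sample event.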
@@ -147,7 +147,7 @@ output_fields: - user - process - file_name -- DetectName +- Name example_log: | {"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 12570031, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1748883058001, "version": "1.0"}, "event": {"ProcessStartTime": 1748883033, "ProcessEndTime": 1748883033, "ProcessId": 25482595567828, "ParentProcessId": 25482588177316, "ComputerName": "CROWDFAL1", "UserName": "Administrator", "DetectName": "Suspicious Activity", "DetectDescription": "For evaluation only - benign, no action needed.", "Severity": 2, "SeverityName": "Low", "FileName": "choice.exe", "FilePath": "\\Device\\HarddiskVolume2\\Windows\\System32", "CommandLine": "choice /m crowdstrike_sample_detection", "SHA256String": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5String": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SHA1String": "0000000000000000000000000000000000000000", "MachineDomain": "CROWDFAL1", "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/12e75112bdc44ac7a60b5ad1d2765303/10907785292170?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "SensorId": "12e75112bdc44ac7a60b5ad1d2765303", "DetectId": "ldt:12e75112bdc44ac7a60b5ad1d2765303:10907785292170", "LocalIP": "10.1.17.3", "MACAddress": "00-50-56-aa-64-1f", "Tactic": "Malware", "Technique": "Malicious File", "Objective": "Falcon Detection Method", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": 
false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, "SuspendParent": false}, "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", "ParentCommandLine": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"\"C:\\CS_Script.bat\"\"", "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "GrandparentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "HostGroups": "0ebde3fe33d547fc9bbe24f50be44da8,fd63f5073f644377a8150e9c1e5a86d0", "PatternId": 10197}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.5.0", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}} diff --git a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml index ca126e1bf4..1e8eda68fc 100644 --- a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml +++ b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml @@ -90,6 +90,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_2.log source: CrowdStrike:Event:Streams sourcetype: CrowdStrike:Event:Streams:JSON
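Review bot: In `data_sources/crowdstrike_falcon_stream_alert.yml` the `output_fields` entry is renamed to `Name`, but the `example_log` directly below it is still a `DetectionSummaryEvent` carrying `DetectName`, `DetectId` and `ComputerName` — fields the companion search no longer reads now that it selects `XdrDetectionSummaryEvent`, `IdpDetectionSummaryEvent` and `EppDetectionSummaryEvent` and maps `Name`, `id` and `HostNames`. Anyone using the example to validate the field mapping will find none of the renamed output fields in it. Replace the example with one of the new raw events (an Xdr/Epp detection showing `Name`, `id`, `HostNames` and the numeric `Severity` the new `risk_score` thresholds expect), or add such an event as a second example next to the existing one.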