Skip to content

upodated SPL based on new raw events #3898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
patel-bhavin merged 4 commits into from
Feb 10, 2026
+18 −17
Merged

upodated SPL based on new raw events #3898

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
559c523
upodated SPL based on new raw events
bpluta-splunk Feb 6, 2026
b0f5c70
updating dataset link and data source file
patel-bhavin Feb 9, 2026
e01aa73
Merge branch 'develop' into cs_update
ljstella Feb 9, 2026
cc95645
Merge branch 'develop' into cs_update
patel-bhavin Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion data_sources/crowdstrike_falcon_stream_alert.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ output_fields:
- user
- process
- file_name
- DetectName
- Name
example_log: |
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 12570031, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1748883058001, "version": "1.0"}, "event": {"ProcessStartTime": 1748883033, "ProcessEndTime": 1748883033, "ProcessId": 25482595567828, "ParentProcessId": 25482588177316, "ComputerName": "CROWDFAL1", "UserName": "Administrator", "DetectName": "Suspicious Activity", "DetectDescription": "For evaluation only - benign, no action needed.", "Severity": 2, "SeverityName": "Low", "FileName": "choice.exe", "FilePath": "\\Device\\HarddiskVolume2\\Windows\\System32", "CommandLine": "choice /m crowdstrike_sample_detection", "SHA256String": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5String": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SHA1String": "0000000000000000000000000000000000000000", "MachineDomain": "CROWDFAL1", "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/12e75112bdc44ac7a60b5ad1d2765303/10907785292170?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "SensorId": "12e75112bdc44ac7a60b5ad1d2765303", "DetectId": "ldt:12e75112bdc44ac7a60b5ad1d2765303:10907785292170", "LocalIP": "10.1.17.3", "MACAddress": "00-50-56-aa-64-1f", "Tactic": "Malware", "Technique": "Malicious File", "Objective": "Falcon Detection Method", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, "SuspendParent": false}, "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", "ParentCommandLine": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"\"C:\\CS_Script.bat\"\"", "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "GrandparentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "HostGroups": "0ebde3fe33d547fc9bbe24f50be44da8,fd63f5073f644377a8150e9c1e5a86d0", "PatternId": 10197}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.5.0", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}

33 changes: 17 additions & 16 deletions detections/endpoint/crowdstrike_falcon_stream_alerts.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,38 +1,39 @@
name: CrowdStrike Falcon Stream Alerts
id: cb6af2b3-29ab-441c-8d8d-679811c8b014
version: 1
date: '2025-05-12'
version: 2
date: '2026-02-06'
author: Bryan Pluta, Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
- CrowdStrike Falcon Stream Alert
description: The following analytic is to leverage alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and Crowdstrike id and links. The evals in the search do multiple things to include align the severity, ensure the user, dest, title, description, MITRE fields are set properly, and the drilldowns are defined based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensure the appropriate risk and analyst queue fields are correctly populated.
search: |
`crowdstrike_stream` metadata.eventType IN (DetectionSummaryEvent,IdpDetectionSummaryEvent)
`crowdstrike_stream` metadata.eventType IN (XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent)
| rename event.* as *
| eval risk_score=case(severity="Critical", 500, severity="High", 250, severity="Medium", 100, severity="Low", 25, severity="Informational", 0)
| eval risk_score=case(Severity<20, 0, Severity<40 AND Severity>=20, 25, Severity<60 AND Severity>=40, 100, Severity<80 AND Severity>=60, 250, Severity>=80, 500)
| eval user=coalesce(lower(SourceAccountName),lower(UserName))
| eval dest=coalesce(ComputerName,SourceEndpointHostName)
| eval mitre_technique = case(!match(DetectName, "(NGAV|Intel Detection)"), Technique)
| eval dest=coalesce(HostNames,SourceEndpointHostName)
| eval mitre_technique = case(!match(Name, "(NGAV
|Intel Detection)"), Technique)
| join type=left mitre_technique
[| inputlookup append=t mitre_attack_lookup
| fields mitre_technique mitre_technique_id ]
[| inputlookup append=t mitre_attack_lookup
| fields mitre_technique mitre_technique_id ]
| eval annotations.mitre_attack = mitre_technique_id
| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.ComputerName=" + $ComputerName$ +"*"),"")
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $ComputerName$ +"*"),"")
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.HostNames=" + $HostNames$ +"*"),"")
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $HostNames$ +"*"),"")
| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
| rename "metadata.eventType" as eventType
| eval title = case(DetectName=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),DetectName=="Intel Detection", ("RR - CS - " + DetectName),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + DetectName + " - " + Technique) )
| eval title = case(Name=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),Name=="Intel Detection", ("RR - CS - " + Name),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + Name + " - " + Technique) )
| eval user_append = if(NOT isnull(user)," by " + user,"")
| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
| eval description = case(DetectName=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + DetectName),DetectName=="Intel Detection", ("CS " + DetectName + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
| eval description = case(Name=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + Name),Name=="Intel Detection", ("CS " + Name + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
| eval description = description + user_append + dest_append
| eval gid=DetectId, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
| eval gid=id, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
| rename DetectId as detection_id, FalconHostLink as detection_url
| table _time source detection_id detection_url title risk_score description Severity severity ComputerName dest Tactic Technique user UserName Objective DetectName DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
| rename id as detection_id, FalconHostLink as detection_url
| table _time source detection_id detection_url title risk_score description Severity severity HostNames dest Tactic Technique user UserName Objective Name DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
| `crowdstrike_falcon_stream_alerts_filter`
how_to_implement: In order to properly run this search, you need to ingest alerts data from CrowdStrike Event Stream, specifcally using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on will collect alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the `crowdstrike_stream` macro to point to the proper index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
known_false_positives: False positives may vary based on Crowdstrike configuration; monitor and filter out the alerts that are not relevant to your environment.
Expand Down Expand Up @@ -89,6 +90,6 @@ tags:
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_2.log
source: CrowdStrike:Event:Streams
sourcetype: CrowdStrike:Event:Streams:JSON