What Changed
Updated two CrowdStrike Falcon detection rules and the workbook following Content Doctor recommendations to improve the content score. Changes include enhanced descriptions, MITRE ATT&CK mappings, query optimization, and alert customization features.
Detection Logic
Critical or High Severity Detections by User (v1.0.4 → v1.0.5)
- Primary data source: CrowdStrikeFalconEventStream
- Core logic: filters DetectionSummaryEvent records with Critical/High severity, groups by DstUserName, and alerts when the detections for one user exceed a threshold of 15 within 1 hour
- Entity types: Account, Host, IP, FileHash
- Added alertDetailsOverride with dynamic display names and customDetails for enriched context
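To show how the pieces listed above fit together, here is an added illustration in the Sentinel scheduled-rule YAML format; it is not the repository's rule file. EventType and ComputerName are assumed CrowdStrikeFalconEventStream column names, the id is a placeholder, and the IP and FileHash entity mappings are left out for brevity.

```yaml
# Illustrative rule, not the solution's own YAML. DstUserName and Severity
# come from the rule description; EventType and ComputerName are assumptions.
id: 00000000-0000-0000-0000-000000000000   # placeholder, not the real rule id
name: Critical or High Severity Detections by User
severity: High
queryFrequency: 1h                          # run hourly
queryPeriod: 1h                             # over the last hour of data
triggerOperator: gt
triggerThreshold: 0                         # the KQL applies the real threshold
tactics:
  - Impact
  - DefenseEvasion
relevantTechniques:
  - T1489
  - T1562
query: |
  let threshold = 15;                         // "exceed 15" means strictly greater
  CrowdStrikeFalconEventStream
  | where EventType == "DetectionSummaryEvent"
  | where Severity in ("Critical", "High")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
              DetectionCount = count(),
              HostName = take_any(ComputerName)   // one host for entity mapping
      by DstUserName
  | where DetectionCount > threshold
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: DstUserName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
alertDetailsOverride:                       # dynamic title/description per alert
  alertDisplayNameFormat: "{{DetectionCount}} Critical/High Falcon detections for {{DstUserName}}"
  alertDescriptionFormat: "User {{DstUserName}} triggered {{DetectionCount}} Critical/High detections between {{StartTime}} and {{EndTime}}."
customDetails:                              # surfaced in the incident for triage
  DetectionCount: DetectionCount
  FirstSeen: StartTime
  LastSeen: EndTime
version: 1.0.5
kind: Scheduled
```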
Critical Severity Detection (v1.0.4 → v1.0.5)
- Primary data source: CrowdStrikeFalconEventStream
- Core logic: queries DetectionSummaryEvent records where Severity is Critical, summarizes by host/user/file details
- Entity types: Account, Host, IP, FileHash
- Added alertDetailsOverride and comprehensive customDetails including detection count, technique, activity, and file information
MITRE Mapping
Added tactics and techniques to both rules:
- Critical or High Severity rule: Impact, Defense Evasion (T1489 Service Stop, T1562 Impair Defenses)
- Critical Severity rule: Execution, Impact (T1204.002 Malicious File, T1499 Endpoint Denial of Service)
Workbook Enhancements
- Added introduction section with usage guidance
- Improved visualizations with proper naming conventions
- Added noDataMessage handling for better user experience
- Enhanced export capabilities with showExportToExcel options
Affected Files
Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml
Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml
Solutions/CrowdStrike Falcon Endpoint Protection/Workbooks/CrowdStrikeFalconEndpointProtection.json
(packaging artefacts: 3.3.5.zip, createUiDefinition.json, mainTemplate.json)