
Falcon macos

The CrowdStrike Falcon Endpoint Protection App provides visibility into the security posture of your endpoints as analyzed by the CrowdStrike Falcon Endpoint Protection platform. The app allows you to analyze indicators of compromise (IOCs) by affected users, tactic, technique, and objective, and to identify hosts on your network with the highest malware detections. The dashboards in this app help identify threats and incidents, from which you can drill down to investigate further. The CrowdStrike Falcon Endpoint Protection Platform is a cloud-native framework that protects endpoints to stop breaches and improve performance with the robust power of the cloud combined with an intelligent, lightweight endpoint agent.

This version of the CrowdStrike Falcon Endpoint Protection App and its collection process has been tested with SIEM Connector Version 2.1.0+001-siem-release-2.1.0.

The CrowdStrike Falcon Endpoint Protection App uses the following log types:

For more information on events, please refer to the CrowdStrike Falcon Endpoint Protection Streaming API Event Dictionary.

Sample Logs

Sample log fragment (only the fields present on this page are shown):

    "PatternDispositionDescription": "Prevention, process killed.",
    "Objective": "Falcon Detection Method",
    "CommandLine": "C:\\Windows\\Explorer.EXE",
    "FilePath": "\\Device\\HarddiskVolume1\\Windows",
    "DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
    "customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

Sample Query

This query selects DetectionSummaryEvent records from the CrowdStrike source category, extracts the event type, customer ID and creation time from the metadata block, converts the epoch-millisecond creation time into a readable timestamp, and keeps only detection summary events:

    _sourceCategory=*Crowdstrike* DetectionSummaryEvent
    | json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
    | formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
    | where event_type = "DetectionSummaryEvent"
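To check the query's parsing logic outside Sumo Logic, here is an added Python example (not part of the app or of CrowdStrike's own code) that applies the same steps to a constructed sample stream: pull the metadata fields the query names, convert eventCreationTime from epoch milliseconds (UTC is assumed, since the query gives no timezone), and keep only DetectionSummaryEvent records. The sample events, the UserActivityAuditEvent line and the malformed line are all constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample stream (not real CrowdStrike output): one DetectionSummaryEvent
# using the field values shown on this page, one other event type, one malformed line.
SAMPLE_EVENTS = [
    json.dumps({
        "metadata": {"eventType": "DetectionSummaryEvent",
                     "customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                     "eventCreationTime": 1700000000123},
        "event": {"PatternDispositionDescription": "Prevention, process killed.",
                  "Objective": "Falcon Detection Method",
                  "DetectDescription": "Terminated a process related to the deletion of "
                                       "backups, which is often indicative of ransomware activity."},
    }),
    json.dumps({
        "metadata": {"eventType": "UserActivityAuditEvent",
                     "customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                     "eventCreationTime": 1700000001000},
        "event": {},
    }),
    "not valid json",
]

def format_millis(ms):
    """Mirror formatDate(fromMillis(ms), "MM/dd/yyyy HH:mm:ss:SSS"). UTC is assumed
    (the query names no timezone); integer math avoids float rounding of the millis."""
    secs, millis = divmod(int(ms), 1000)
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
    return f"{stamp}:{millis:03d}"

def extract_detections(raw_lines):
    """Apply the query's steps: parse JSON, take the metadata fields the query names,
    format the timestamp, keep only DetectionSummaryEvent. Unusable lines are skipped."""
    rows = []
    for line in raw_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        meta = (rec.get("metadata") or {}) if isinstance(rec, dict) else {}
        if meta.get("eventType") != "DetectionSummaryEvent" or "eventCreationTime" not in meta:
            continue
        ev = rec.get("event") or {}
        rows.append({"event_type": meta["eventType"],
                     "customer_id": meta.get("customerIDString"),
                     "event_time": format_millis(meta["eventCreationTime"]),
                     "disposition": ev.get("PatternDispositionDescription"),
                     "description": ev.get("DetectDescription")})
    return rows
```

Running extract_detections(SAMPLE_EVENTS) yields a single row, the detection, with event_time rendered as 11/14/2023 22:13:20:123; the audit event and the malformed line are dropped, which is the behaviour the where clause and the json operator give in Sumo Logic.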