I’m looking at Crowdstrike events and trying to get an overview of all the detections by first getting a count of unique severity, tactic, technique, description, product event type combinations.
events:
  $e.metadata.log_type = "CS_ALERTS"
  $e_product_evtype = $e.metadata.product_event_type
  $e_desc = $e.metadata.description
  $e_tactic = $e.security_result.attack_details.tactics.name
  $e_technique = $e.security_result.attack_details.techniques.name
  $e_severity = $e.security_result.severity
match:
  $e_severity, $e_tactic, $e_technique, $e_desc, $e_product_evtype
outcome:
  $event_count = count_distinct($e.metadata.id)
order:
  $event_count desc

However, I noticed that there are several severities with the value “UNKNOWN_SEVERITY”.

Doing a UDM search for this severity value gives results, but the UDM field looks like it has the proper values:

Based on Severity | Google Security Operations | Google Cloud Documentation, UNKNOWN_SEVERITY is “The default severity level.”, but this does not tell me much. I assume this is the value populated when there is no actual severity value in the logs, but this is not the case based on the CS_ALERTS example.
Am I missing something fundamental here? Any feedback would be appreciated!
