Skip to main content
Question

triggers when a Crowdstrike Detect event

  • October 3, 2025
  • 6 replies
  • 70 views
S

 Meta:

    description = "Use case triggers when a Crowdstrike Detect event is generated"

 

  match:

    $log_id over 5m

 

  outcome:

 

    // Risk Score Weighting - Based on Detection Severity Output

 

    $risk_score = max(if($sec_event.security_result[0].severity = "INFORMATIONAL", 10, 0)) +

                    max(if($sec_event.security_result[0].severity = "MEDIUM", 50)) +

                    max(if($sec_event.security_result[0].severity = "HIGH", 70)) +

                    max(if($sec_event.security_result[0].severity = "CRITICAL", 100))

 

 

    $commandline = array_distinct($sec_event.principal.process.command_line)

    $log_type = array_distinct($sec_event.metadata.log_type)

    $hostname = array_distinct($sec_event.principal.asset.hostname)  

    $signature = array_distinct($sec_event.metadata.description)

    $url_back_to_product = array_distinct($sec_event.metadata.url_back_to_product)

    $src_user = array_distinct($sec_event.principal.user.userid)

    $target_user_sid = array_distinct($sec_event.target.user.windows_sid)

    $asset_id = array_distinct($sec_event.principal.asset.asset_id)

    $process_file_full_path = array_distinct($sec_event.principal.process.file.full_path)

    $principal_file_md5 = array_distinct($sec_event.principal.process.file.md5)

    $principal_file_sha1 = array_distinct($sec_event.principal.process.file.sha1)

    $principal_file_sha256 = array_distinct($sec_event.principal.process.file.sha256)

 

    $target_file_full_path = array_distinct($sec_event.target.file.full_path)

   

  condition:

    #sec_event >= 1

}



Could ypu please suggest me and optimise the query i tried in multiple ways in optimizing Sha files and the conditional values to triggers, but looking more optimized consistent way of results.



TIA.


 

ThankYou

6 replies

vaskenh
Staff
Forum|alt.badge.img+13
  • vaskenh
  • Staff
  • October 3, 2025

Hi ​@spanuganti .  Have you considered refactoring the way that you calculate the risk score?  In your current setup you are using a series of if statements, which you can refactor into an outcome block.  You can use this same strategy for other similar logical expressions.

 

I removed the code snippet which was malformed from my post.

S
  • spanugantiBronze 1
  • Author
  • October 3, 2025
Showing this error?

 

ThankYou
S
  • spanugantiBronze 1
  • Author
  • October 3, 2025

@jstoner Could you please help/suggest ?

ThankYou
S
  • spanugantiBronze 1
  • Author
  • October 3, 2025

@vaskenh  rule itself is showing an error. 

ThankYou
S
  • spanugantiBronze 1
  • Author
  • October 6, 2025

    description = "Detects CrowdStrike EDR events potentially related to T1078 (Valid Accounts) during Reconnaissance/Initial Access."

    yara_version = "YL2.0"

    rule_version = "1.10"

    rule_type = "ENDPOINT_DETECTION"

    priority = "Medium"

    severity = "Medium"

    kill_chain = "Reconnaissance"

    mitre_tactic = "TA0001"

    mitre_technique = "T1078"

    tactic_name = "Initial Access"

 

  events:

    // Event A: Crowdstrike EDR Detect event

    $a.metadata.log_type = "CS_EDR"

    // Use an aggregation ID for the match section

    $a.metadata.product_log_id = $log_id

 

    // Exclusion: Filter out known benign process paths efficiently

    not $a.target.file.full_path = "/opt/dynatrace/oneagent/agent/lib64/oneagentinstallaction"

   

  match:

    // Match events sharing the same CrowdStrike log ID within a 5-minute window.

    $log_id over 5m

 

  outcome:

    // **Risk Score Calculation (Corrected Syntax):**

    // We use math_max (or max, depending on the platform's exact function name) on each conditional check.

    // This ensures we get the highest risk score across all grouped events ($a) by summing the max possible score from each severity bucket.

    // Only one bucket will typically be non-zero.

    $risk_score =

        max(if($a.security_result[0].severity = "CRITICAL", 100, 0)) +

        max(if($a.security_result[0].severity = "HIGH", 70, 0)) +

        max(if($a.security_result[0].severity = "MEDIUM", 50, 0)) +

        max(if($a.security_result[0].severity = "INFORMATIONAL", 10, 0))


 

    // **Aggregation Variables:**

    // Use collect_set, which is the standard aggregation function for unique values.

    $commandline = collect_set($a.principal.process.command_line)

    $log_type = collect_set($a.metadata.log_type)

    $hostname = collect_set($a.principal.asset.hostname)

    $signature = collect_set($a.metadata.description)

    $url_back_to_product = collect_set($a.metadata.url_back_to_product)

    $src_user = collect_set($a.principal.user.userid)

    $target_user_sid = collect_set($a.target.user.windows_sid)

    $asset_id = collect_set($a.principal.asset.asset_id)

    $process_file_full_path = collect_set($a.principal.process.file.full_path)

    $principal_file_md5 = collect_set($a.principal.process.file.md5)

    $principal_file_sha1 = collect_set($a.principal.process.file.sha1)

    $principal_file_sha256 = collect_set($a.principal.process.file.sha256)

    $target_file_full_path = collect_set($a.target.file.full_path)

   

  condition:

    // The most concise way to ensure at least one event matches.

    $a

}




where Im I missign gettig this logic error-- 

  • parsing: error with token: "("variable name must be prefixed by '$'line: 47 column: 31-32 Looking for suggestions. I ahve been trying since a week
ThankYou
S
  • spanugantiBronze 1
  • Author
  • October 6, 2025

 description = "Detects CrowdStrike EDR events potentially related to T1078 (Valid Accounts) during Reconnaissance/Initial Access."

    yara_version = "YL2.0"

    rule_version = "1.10"

    rule_type = "ENDPOINT_DETECTION"

    priority = "Medium"

    severity = "Medium"

    kill_chain = "Reconnaissance"

    mitre_tactic = "TA0001"

    mitre_technique = "T1078"

    tactic_name = "Initial Access"

 

  events:

    // Event A: Crowdstrike EDR Detect event

    $a.metadata.log_type = "CS_EDR"

    // Use an aggregation ID for the match section

    $a.metadata.product_log_id = $log_id

 

    // Exclusion: Filter out known benign process paths efficiently

    not $a.target.file.full_path =/cmd\.exe/ nocase

 

// Exclude common Edge and WebView processes launching themselves

    not $a.principal.process.file.full_path = /msedgewebview2\.exe/ nocase

// Exclude Docker processes (if they are known to be benign in our own environment)

    not $a.principal.process.file.full_path = /docker\.exe/ nocase

 

    // Exclude Microsoft URLs/IPs related to common telemetry or updates (st01.dsx.microsoft.com)

    // detection is on a network connection (target.url)

    not $a.target.url = /st0(1|2)\.dsx\.microsoft\.com/ nocase

 

  match:

    // Match events sharing the same CrowdStrike log ID within a 5-minute window.

    $log_id over 5m

 

  outcome:

    // **Risk Score Calculation (Corrected Syntax):**

    // We use math_max (or max, depending on the platform's exact function name) on each conditional check.

    // This ensures we get the highest risk score across all grouped events ($a) by summing the max possible score from each severity bucket.

    // Only one bucket will typically be non-zero.

    $risk_score =

        max(if($a.security_result[0].severity = "CRITICAL", 100, 0)) +

        max(if($a.security_result[0].severity = "HIGH", 70, 0)) +

        max(if($a.security_result[0].severity = "MEDIUM", 50, 0)) +

        max(if($a.security_result[0].severity = "INFORMATIONAL", 10, 0))


 

    // **Aggregation Variables:**

    // Use collect_set, which is the standard aggregation function for unique values.

    $commandline = array_distinct($a.principal.process.command_line)

    $log_type = array_distinct($a.metadata.log_type)

    $hostname = array_distinct($a.principal.asset.hostname)

    $signature = array_distinct($a.metadata.description)

    $url_back_to_product = array_distinct($a.metadata.url_back_to_product)

    $src_user = array_distinct($a.principal.user.userid)

    $target_user_sid = array_distinct($a.target.user.windows_sid)

    $asset_id = array_distinct($a.principal.asset.asset_id)

    $process_file_full_path = array_distinct($a.principal.process.file.full_path)

    $principal_file_md5 = array_distinct($a.principal.process.file.md5)

    $principal_file_sha1 = array_distinct($a.principal.process.file.sha1)

    $principal_file_sha256 = array_distinct($a.principal.process.file.sha256)

    $target_file_full_path = array_distinct($a.target.file.full_path)

   

  condition:

    // To ensure at least one event matches.

    $a

}



this is working, but getting 10,000 detections is this to be expected or need to be more optimized to avoid false positives or noise?

 

ThankYou
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.