
CrowdStrike Falcon Stream Alerts

The following analytic leverages alerts from the CrowdStrike Falcon Event Stream. It aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from the stream, providing details such as destination, user, severity, MITRE information, and the CrowdStrike detection id and links. The evals in the search align the severity, ensure the user, dest, title, description and MITRE fields are set properly, and define the drilldowns based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensures the appropriate risk and analyst queue fields are correctly populated.

Detection Query

`crowdstrike_stream` metadata.eventType IN (XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent)
| rename event.* as *
| eval risk_score=case(Severity<20, 0, Severity<40 AND Severity>=20, 25, Severity<60 AND Severity>=40, 100, Severity<80 AND Severity>=60, 250, Severity>=80, 500)
| eval user=coalesce(lower(SourceAccountName),lower(UserName))
| eval dest=coalesce(HostNames,SourceEndpointHostName)
| eval mitre_technique = case(!match(Name, "(NGAV|Intel Detection)"), Technique)
| join type=left mitre_technique
 [| inputlookup append=t mitre_attack_lookup
  | fields mitre_technique mitre_technique_id ]
| eval annotations.mitre_attack = mitre_technique_id
| eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
| eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.HostNames=" + $HostNames$ +"*"),"")
| eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $HostNames$ +"*"),"")
| eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
| rename "metadata.eventType" as eventType
| eval title = case(Name=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),Name=="Intel Detection", ("RR - CS - " + Name),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + Name + " - " + Technique) )
| eval user_append = if(NOT isnull(user)," by " + user,"")
| eval dest_append = if(NOT isnull(dest)," on " + dest,"")
| eval description = case(Name=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + Name),Name=="Intel Detection", ("CS " + Name + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
| eval description = description + user_append + dest_append
| eval gid=id, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
| eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
| rename id as detection_id, FalconHostLink as detection_url
| table _time source detection_id detection_url title risk_score description Severity severity HostNames dest Tactic Technique user UserName Objective Name DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
| `crowdstrike_falcon_stream_alerts_filter`
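The field normalization the search performs, re-implemented as an added Python example (not Splunk's or CrowdStrike's code) so the case() branches and the null handling of eval string concatenation can be checked against sample events offline. Severity thresholds and field names are taken from the SPL above; the events are constructed, not real Falcon telemetry.

```python
# Added example (not the detection's own code): Python mirror of the SPL evals above.
# Field names and thresholds come from the search; the sample events are constructed.

def risk_score(severity):
    """Mirror the SPL case(): <20 -> 0, <40 -> 25, <60 -> 100, <80 -> 250, else 500."""
    if severity is None:          # no case() branch matches in SPL -> null
        return None
    for bound, score in ((20, 0), (40, 25), (60, 100), (80, 250)):
        if severity < bound:
            return score
    return 500

def cat(*parts):
    """Splunk eval string concatenation: any null operand makes the whole result null."""
    return None if any(p is None for p in parts) else "".join(str(p) for p in parts)

def normalize(ev):
    """Derive user, dest, risk_score, title, description and mitre_technique as the search does."""
    e, etype = ev.get("event", {}), ev.get("metadata", {}).get("eventType")
    name, tac, tech = e.get("Name"), e.get("Tactic"), e.get("Technique")
    raw_user = e.get("SourceAccountName") or e.get("UserName")     # coalesce(lower(), lower())
    user = raw_user.lower() if raw_user else None
    dest = e.get("HostNames") or e.get("SourceEndpointHostName")
    # title/description branches in the search's order (NGAV, Intel Detection, IdP, default)
    if name == "NGAV":
        title = cat("RR - CS - ", tac, " - ", tech)
        desc = cat("CS ", tac, " - ", tech, ": ", e.get("FileName"))
    elif name == "Intel Detection":
        title = cat("RR - CS - ", name)
        desc = cat("CS ", name, " - ", e.get("IOCType"), ": ", e.get("IOCValue"))
    elif etype == "IdpDetectionSummaryEvent":
        title, desc = "RR - CS - Identity Protection", cat("CS IdP - ", name)
    else:
        title = cat("RR - CS - ", name, " - ", tech)
        desc = cat(e.get("Objective"), " - ", e.get("DetectDescription"))
    desc = cat(desc, f" by {user}" if user else "", f" on {dest}" if dest else "")
    mitre = tech if name is not None and name not in ("NGAV", "Intel Detection") else None
    return {"risk_score": risk_score(e.get("Severity")), "user": user, "dest": dest,
            "title": title, "description": desc, "mitre_technique": mitre}

SAMPLE_EVENTS = [  # constructed: one NGAV alert, one IdP alert, one alert with no Technique field
    {"metadata": {"eventType": "EppDetectionSummaryEvent"}, "event": {"Name": "NGAV", "Severity": 70,
     "Tactic": "Malware", "Technique": "Malicious File", "FileName": "dropper.exe", "UserName": "JDOE", "HostNames": "WS-01"}},
    {"metadata": {"eventType": "IdpDetectionSummaryEvent"}, "event": {"Name": "Password Spraying",
     "Severity": 90, "SourceAccountName": "Admin", "SourceEndpointHostName": "DC-01"}},
    {"metadata": {"eventType": "EppDetectionSummaryEvent"}, "event": {"Name": "Suspicious Activity",
     "Severity": 10, "Objective": "Follow Through", "DetectDescription": "Unexpected child process", "HostNames": "WS-02"}},
]
```

Running `normalize` over the third sample shows the caveat the search inherits from eval: when Technique is absent, the default-branch title becomes null, while description still populates from Objective and DetectDescription.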

Author

Bryan Pluta, Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

CrowdStrike Falcon Stream Alert

Tags

Critical Alerts
Raw Content
name: CrowdStrike Falcon Stream Alerts
id: cb6af2b3-29ab-441c-8d8d-679811c8b014
version: 4
date: '2026-03-10'
author: Bryan Pluta, Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
    - CrowdStrike Falcon Stream Alert
description: The following analytic leverages alerts from the CrowdStrike Falcon Event Stream. It aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from the stream, providing details such as destination, user, severity, MITRE information, and the CrowdStrike detection id and links. The evals in the search align the severity, ensure the user, dest, title, description and MITRE fields are set properly, and define the drilldowns based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. Having all these fields properly set ensures the appropriate risk and analyst queue fields are correctly populated.
search: |
    `crowdstrike_stream` metadata.eventType IN (XdrDetectionSummaryEvent,IdpDetectionSummaryEvent,EppDetectionSummaryEvent)
    | rename event.* as *
    | eval risk_score=case(Severity<20, 0, Severity<40 AND Severity>=20, 25, Severity<60 AND Severity>=40, 100, Severity<80 AND Severity>=60, 250, Severity>=80, 500)
    | eval user=coalesce(lower(SourceAccountName),lower(UserName))
    | eval dest=coalesce(HostNames,SourceEndpointHostName)
    | eval mitre_technique = case(!match(Name, "(NGAV|Intel Detection)"), Technique)
    | join type=left mitre_technique
     [| inputlookup append=t mitre_attack_lookup
      | fields mitre_technique mitre_technique_id ]
    | eval annotations.mitre_attack = mitre_technique_id
    | eval drilldown_user = if(NOT isnull(user), if(NOT isnull(SourceAccountName),("event.SourceAccountName=" + $SourceAccountName$),"event.UserName=" + $UserName$ ),"")
    | eval drilldown_dest = if(NOT isnull(dest), if(NOT isnull(SourceEndpointHostName),("event.SourceEndpointHostName=" + $SourceEndpointHostName$ +"*"),"event.HostNames=" + $HostNames$ +"*"),"")
    | eval drilldown_dest2 = if( NOT isnull(dest) AND NOT isnull(IOARuleInstanceID) AND Tactic=="Custom Intelligence", if(NOT isnull(SourceEndpointHostName),("dest=" + $SourceEndpointHostName$ +"*"),"dest=" + $HostNames$ +"*"),"")
    | eval annotations.drilldown_search = if(isnull(IOARuleInstanceID) AND Tactic!="Custom Intelligence", "`crowdstrike_stream` metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest, "`crowdstrike_stream` ((metadata.eventType=" + $metadata.eventType$ + " " + drilldown_user + " " + drilldown_dest + ") OR (event_simpleName IN (CustomIOABasicProcessDetectionInfoEvent,CustomIOADomainNameDetectionInfoEvent,CustomIOAFileWrittenDetectionInfoEvent,CustomIOANetworkConnectionDetectionInfoEvent) TemplateInstanceId=" + IOARuleInstanceID + " " + drilldown_dest2 + "))")
    | rename "metadata.eventType" as eventType
    | eval title = case(Name=="NGAV", ("RR - CS - " + Tactic + " - " + Technique),Name=="Intel Detection", ("RR - CS - " + Name),eventType=="IdpDetectionSummaryEvent", ("RR - CS - Identity Protection"),1==1, ("RR - CS - " + Name + " - " + Technique) )
    | eval user_append = if(NOT isnull(user)," by " + user,"")
    | eval dest_append = if(NOT isnull(dest)," on " + dest,"")
    | eval description = case(Name=="NGAV", ("CS " + Tactic + " - " + Technique + ": " + FileName),eventType=="IdpDetectionSummaryEvent", ("CS IdP" + " - " + Name),Name=="Intel Detection", ("CS " + Name + " - " + IOCType + ": " + IOCValue),1==1, (Objective + " - " + DetectDescription) )
    | eval description = description + user_append + dest_append
    | eval gid=id, display_id=FalconHostLink, file_hash=SHA256String, hash=MD5String, signature=IOCValue, ip='NetworkAccesses{}.RemoteAddress', process=CommandLine, pid=ProcessId
    | eval file_name = if(isnull('ExecutablesWritten{}.FileName'), FileName, 'ExecutablesWritten{}.FileName')
    | rename id as detection_id, FalconHostLink as detection_url
    | table _time source detection_id detection_url title risk_score description Severity severity HostNames dest Tactic Technique user UserName Objective Name DetectDescription gid, display_id, mitre_technique annotations.mitre_attack annotations.drilldown_search file_hash hash signature ip process pid file_name
    | `crowdstrike_falcon_stream_alerts_filter`
how_to_implement: In order to properly run this search, you need to ingest alert data from the CrowdStrike Event Stream, specifically using the CrowdStrike Falcon Event Streams Technical Add-On. This add-on collects alerts using the CrowdStrike:Event:Streams:JSON sourcetype. You will need to define the `crowdstrike_stream` macro to point to the index that contains the CrowdStrike:Event:Streams:JSON sourcetype.
known_false_positives: False positives may vary based on CrowdStrike configuration; monitor and filter out the alerts that are not relevant to your environment.
references:
    - https://www.crowdstrike.com/en-us/resources/guides/crowdstrike-falcon-event-streams-add-on-for-splunk-guide-v3/
    - https://splunkbase.splunk.com/app/5082
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View other CrowdStrike events for "$user$" on "$dest$"
      search: '$annotations.drilldown_search$'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $description$
    risk_objects:
        - field: dest
          type: system
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: file_name
          type: file_name
        - field: process
          type: process_name
        - field: ip
          type: ip_address
        - field: file_hash
          type: file_hash
        - field: hash
          type: file_hash
        - field: signature
          type: file_hash
tags:
    analytic_story:
        - Critical Alerts
    asset_type: Endpoint
    atomic_guid: []
    mitre_attack_id: []
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting this detection to manual test since otherwise we fail integration testing. This detection is also based on the mitre_attack_lookup lookup table which is not available in the ESCU app
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_2.log
          source: CrowdStrike:Event:Streams
          sourcetype: CrowdStrike:Event:Streams:JSON