From 634e1db7d42c48a8d5d0c46b0ee85000ae58d3b9 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Tue, 16 Jun 2026 13:15:38 +0200
Subject: [PATCH 1/2] CrowdStrike Falcon ASIM AlertEvent Parser

---
 .../ARM/ASimAlertEvent/ASimAlertEvent.json | 2 +-
 .../ASimAlertEventCrowdStrikeFalcon.json | 36 ++
 .../ASimAlertEventCrowdStrikeFalcon/README.md | 21 ++
 .../ARM/FullDeploymentAlertEvent.json | 40 +++
 .../ARM/imAlertEvent/imAlertEvent.json | 2 +-
 .../vimAlertEventCrowdStrikeFalcon/README.md | 21 ++
 .../vimAlertEventCrowdStrikeFalcon.json | 36 ++
 .../CHANGELOG/ASimAlertEvent.md | 4 +
 .../ASimAlertEventCrowdStrikeFalcon.md | 5 +
 .../ASimAlertEvent/CHANGELOG/imAlertEvent.md | 4 +
 .../vimAlertEventCrowdStrikeFalcon.md | 5 +
 .../Parsers/ASimAlertEvent.yaml | 8 +-
 .../ASimAlertEventCrowdStrikeFalcon.yaml | 247 ++++++++++++++
 .../ASimAlertEvent/Parsers/imAlertEvent.yaml | 8 +-
 .../vimAlertEventCrowdStrikeFalcon.yaml | 310 ++++++++++++++++++
 ...dStrike_Falcon_AlertEvent_IngestedLogs.csv | 26 ++
 16 files changed, 767 insertions(+), 8 deletions(-)
 create mode 100644 Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json
 create mode 100644 Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md
 create mode 100644 Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md
 create mode 100644 Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
 create mode 100644 Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md
 create mode 100644 Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md
 create mode 100644 Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml
 create mode 100644 Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml
 create mode 100644 Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
index fb469969b89..cf2978d3c8a 100644
--- a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
@@ -27,7 +27,7 @@ "displayName": "Alert Event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAlertEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR 
(disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),\n ASimAlertEventCrowdStrikeFalcon (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json new file mode 100644 index 00000000000..17d85628783 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAlertEventCrowdStrikeFalcon')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for CrowdStrike Falcon", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventCrowdStrikeFalcon", + "query": "let parser = (\n disabled: bool=false,\n pack: bool=false\n){\n CrowdStrikeDetections\n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = CreatedTimestamp,\n EventType = \"Alert\",\n EventProduct = \"Falcon\",\n EventVendor = \"CrowdStrike\",\n EventSchema = \"AlertEvent\",\n EventSchemaVersion = \"0.1\",\n DvcIpAddr = tostring(Device.local_ip),\n DvcHostname = tostring(Device.hostname),\n DvcDomain = tostring(Device.hostinfo.domain),\n DvcDomainType = iif(isnotempty(Device.hostinfo.domain), \"FQDN\", \"\"),\n DvcId = tostring(Device.device_id),\n DvcIdType = iff(isnotempty(Device.device_id), \"Other\", \"\"),\n EventProductVersion = tostring(Device.agent_version),\n DvcOs = tostring(Device.platform_name),\n DvcOsVersion = extract(@\"([\\d\\.]+)\", 1, tostring(Device.os_version))\n | project-rename\n EventStartTime = CreatedTimestamp,\n EventOriginalUid = Id,\n EventMessage = Description,\n EventOriginalSeverity = 
SeverityName,\n EventOriginalSubType = Scenario,\n EventOriginalType = DetectionType,\n EventReportUrl = FalconHostLink,\n DvcOriginalAction = PatternDispositionDescription\n | extend\n AlertId = EventOriginalUid,\n EventUid = _ItemId,\n AlertDescription = EventMessage,\n AlertStatus = iif(\n Status in (\"new\", \"in_progress\"), \"Active\",\n \"Closed\"\n ),\n DetectionMethod = case(\n Objective == \"Falcon Detection Method\" and (\n Name contains_cs \"Policy\"\n or Name contains_cs \"CustomTemplate\"\n or Name has_cs \"CustomerIOC\"\n ), \"User Defined Blocked List\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType == \"intel_detection\", \"Threat Intelligence\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType in (\"NGAV\", \"known_malware\", \"\"), \"Antivirus\",\n \"EDR\"\n ),\n EventSeverity = case(\n EventOriginalSeverity in (\"High\", \"Critical\"), \"High\",\n EventOriginalSeverity == \"Medium\", \"Medium\",\n EventOriginalSeverity == \"Low\", \"Low\",\n \"Informational\"\n ),\n EventSubType = iif(EventOriginalSubType == \"suspicious_activity\", \"Suspicious Activity\", \"Threat\"),\n Rule = Name,\n RuleNumber = toint(MitreAttack[0].pattern_id),\n RuleName = Name,\n RuleDescription = EventMessage,\n ThreatName = tostring(IocContext[0].ioc_value),\n IndicatorType = case(\n IocContext[0].ioc_type in (\"ipv4\", \"ipv6\"), \"Ip\",\n // IocContext[0].ioc_type == \"\", \"User\",\n // IocContext[0].ioc_type == \"\", \"Process\",\n // IocContext[0].ioc_type == \"\", \"Registry\",\n // IocContext[0].ioc_type == \"\", \"Url\",\n IocContext[0].ioc_type == \"domain\", \"Host\",\n // IocContext[0].ioc_type == \"\", \"Cloud Resource\",\n // IocContext[0].ioc_type == \"\", \"Application\",\n IocContext[0].ioc_type in (\"hash_sha256\"), \"File\",\n // IocContext[0].ioc_type == \"\", \"Email\",\n // IocContext[0].ioc_type == \"\", \"Mailbox\",\n // IocContext[0].ioc_type == \"\", \"Logon Session\",\n \"\"\n ),\n AttackTactics = 
iif(TacticId startswith_cs \"TA\", Tactic, \"\"),\n AttackTechniques = iif(TechniqueId startswith_cs \"T\", strcat(Technique, \" (\", TechniqueId, \")\"), \"\"),\n ThreatOriginalRiskLevel = tostring(Severity),\n ThreatOriginalConfidence = tostring(Confidence),\n UserIdType = case(\n isnotempty(UserId) and UserId startswith_cs \"S-\", \"SID\",\n isnotempty(UserId), \"Other\",\n \"\"\n ),\n Username = coalesce(UserPrincipal, UserName),\n FileName = Filename,\n FilePath = Filepath,\n FileSHA1 = Sha1,\n FileSHA256 = Sha256\n | project-rename\n AlertName = Name,\n AlertOriginalStatus = Status,\n ThreatRiskLevel = Severity,\n ThreatConfidence = Confidence,\n ProcessCommandLine = Cmdline,\n ProcessName = Filename\n | extend\n UsernameType = case(\n Username contains \"@\", \"UPN\",\n isnotempty(Username), \"Simple\",\n \"\"\n ),\n User = Username,\n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n AdditionalFields = iif(\n pack, bag_pack(\n \"Device\", Device,\n \"GlobalPrevalence\", GlobalPrevalence,\n \"GrandparentDetails\", GrandparentDetails,\n \"LocalPrevalence\", LocalPrevalence,\n \"ParentDetails\", ParentDetails,\n \"PatternDispositionDetails\", PatternDispositionDetails,\n \"Objective\", Objective\n ),\n dynamic(null)\n )\n | project\n TimeGenerated\n , Type\n , AdditionalFields\n , AlertDescription\n , AlertId\n , AlertName\n , AlertOriginalStatus\n , AlertStatus\n // , AlertVerdict\n // , AttackRemediationSteps\n , AttackTactics\n , AttackTechniques\n , DetectionMethod\n // , DvcAction\n // , DvcDescription\n , DvcDomain\n , DvcDomainType\n // , DvcFQDN\n , DvcHostname\n , DvcId\n , DvcIdType\n // , DvcInterface\n , DvcIpAddr\n // , DvcMacAddr\n , DvcOriginalAction\n , DvcOs\n , DvcOsVersion\n // , DvcScope\n // , DvcScopeId\n // , DvcZone\n // , EmailMessageId\n // , EmailSubject\n , EventCount\n , EventEndTime\n , EventMessage\n , EventOriginalSeverity\n , EventOriginalSubType\n , EventOriginalType\n , EventOriginalUid\n // , EventOwner\n , EventProduct\n , 
EventProductVersion\n , EventReportUrl\n //, EventResult\n , EventSchema\n , EventSchemaVersion\n , EventSeverity\n , EventStartTime\n , EventSubType\n , EventType\n , EventUid\n , EventVendor\n //, FileMD5\n , FileName\n , FilePath\n , FileSHA1\n , FileSHA256\n //, FileSize\n , Hostname\n //, IndicatorAssociation\n , IndicatorType\n , IpAddr\n //, OriginalUserType\n , ProcessCommandLine\n //, ProcessFileCompany\n , ProcessId\n , ProcessName\n // , RegistryKey\n // , RegistryValue\n // , RegistryValueData\n // , RegistryValueType\n , Rule\n , RuleDescription\n , RuleName\n , RuleNumber\n //, ThreatCategory\n , ThreatConfidence\n // , ThreatFirstReportedTime\n // , ThreatId\n // , ThreatIsActive\n // , ThreatLastReportedTime\n , ThreatName\n // , ThreatOriginalCategory\n , ThreatOriginalConfidence\n , ThreatOriginalRiskLevel\n , ThreatRiskLevel\n // , Url\n , User\n , UserId\n , UserIdType\n , Username\n , UsernameType\n // , UserScope\n // , UserScopeId\n // , UserSessionId\n // , UserType\n};\nparser(\n pack=pack,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False,pack:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md new file mode 100644 index 00000000000..7908bc5a975 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md 
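Review bot: `DvcDomainType` in the query string is set to "FQDN" whenever `Device.hostinfo.domain` is non-empty, so a short NetBIOS-style domain name would be labelled FQDN; ASIM's other DomainType value is "Windows", and `DvcDomainType = case(tostring(Device.hostinfo.domain) contains ".", "FQDN", isnotempty(Device.hostinfo.domain), "Windows", "")` tells the two apart. The same query mixes `iif` (`DvcDomainType`) with `iff` (`DvcIdType`), carries commented-out placeholder arms such as `// IocContext[0].ioc_type == "", "User"` inside the `IndicatorType` case, and ends with a long run of commented-out column names in the final `project`; since all of that ships inside the deployed saved-search function, the placeholders are better removed or resolved before release. `AlertStatus` maps every source status other than the case-sensitive "new"/"in_progress" to "Closed", so an unexpected or differently cased status is silently reported as closed — a comment listing the CrowdStrike status values this mapping assumes would make that visible to whoever maintains it. The YAML parser this JSON is generated from (ASimAlertEventCrowdStrikeFalcon.yaml in the diffstat) is outside this chunk and must carry the same changes.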
@@ -0,0 +1,21 @@
+# CrowdStrike Falcon ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for CrowdStrike Falcon.
+
+This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+For the changelog, see:
+- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json)
diff --git a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
index 116a6320df8..0e49a03e95a 100644
--- a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
@@ -78,6 +78,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAlertEventCrowdStrikeFalcon",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
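Review bot: The new `linkedASimAlertEventCrowdStrikeFalcon` entry fetches its parser template from the `master` ref of raw.githubusercontent.com at deployment time, so the function body that lands in the workspace is whatever that path holds when the full deployment runs, and `templateLink.contentVersion` only has to match the linked template's declared version, not its content. This follows the neighbouring entries in the file, so it is a repository-wide convention rather than something this commit introduces; the `linkedvimAlertEventCrowdStrikeFalcon` hunk that follows has the same shape. The version match is the only consistency check this mechanism gives (both sides are `1.0.0.0` here), so a later bump of either parser template's `contentVersion` has to be mirrored in these entries or the linked deployment is presumably rejected.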
@@ -198,6 +218,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAlertEventCrowdStrikeFalcon",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
index f27cd3a9228..49ea065a2a6 100644
--- a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
@@ -27,7 +27,7 @@ "displayName": "Alert Event ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAlertEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventBitdefenderGravityZone (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),\n vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, 
alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventBitdefenderGravityZone (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),\n vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),\n vimAlertEventCrowdStrikeFalcon (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, 
alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False" } diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md new file mode 100644 index 00000000000..8aa906f8192 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md 
@@ -0,0 +1,21 @@
+# CrowdStrike Falcon ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for CrowdStrike Falcon.
+
+This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+For the changelog, see:
+- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventCrowdStrikeFalcon%2FvimAlertEventCrowdStrikeFalcon.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventCrowdStrikeFalcon%2FvimAlertEventCrowdStrikeFalcon.json)
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
new file mode 100644
index 00000000000..3e10b50a1d7
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAlertEventCrowdStrikeFalcon')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for CrowdStrike Falcon", + "category": "ASIM", + "FunctionAlias": "vimAlertEventCrowdStrikeFalcon", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false\n){\n CrowdStrikeDetections\n | where not(disabled)\n | where (isnull(starttime) or CreatedTimestamp >= starttime)\n and (isnull(endtime) or CreatedTimestamp <= endtime)\n | where ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Device.local_ip, ipaddr_has_any_prefix))\n | where ((array_length(hostname_has_any) == 0) or Device.hostname has_any (hostname_has_any))\n // The tactics & techniques also include CrowdStrike pseudo-values (CS-prefixed), these 
are filtered out later\n | where ((array_length(attacktactics_has_any) == 0) or Tactic has_any (attacktactics_has_any) or TacticId has_any (attacktactics_has_any))\n | where ((array_length(attacktechniques_has_any) == 0) or Technique has_any (attacktechniques_has_any) or TechniqueId has_any (attacktechniques_has_any))\n | where (array_length(threatcategory_has_any) == 0) //Parser does not support ThreatCategory\n | where (array_length(alertverdict_has_any) == 0) //Parser does not support AlertVerdict\n | extend\n EventCount = int(1),\n EventEndTime = CreatedTimestamp,\n EventType = \"Alert\",\n EventProduct = \"Falcon\",\n EventVendor = \"CrowdStrike\",\n EventSchema = \"AlertEvent\",\n EventSchemaVersion = \"0.1\",\n DvcIpAddr = tostring(Device.local_ip),\n DvcHostname = tostring(Device.hostname),\n DvcDomain = tostring(Device.hostinfo.domain),\n DvcDomainType = iif(isnotempty(Device.hostinfo.domain), \"FQDN\", \"\"),\n DvcId = tostring(Device.device_id),\n DvcIdType = iff(isnotempty(Device.device_id), \"Other\", \"\"),\n EventProductVersion = tostring(Device.agent_version),\n DvcOs = tostring(Device.platform_name),\n DvcOsVersion = extract(@\"([\\d\\.]+)\", 1, tostring(Device.os_version))\n | project-rename\n EventStartTime = CreatedTimestamp,\n EventOriginalUid = Id,\n EventMessage = Description,\n EventOriginalSeverity = SeverityName,\n EventOriginalSubType = Scenario,\n EventOriginalType = DetectionType,\n EventReportUrl = FalconHostLink,\n DvcOriginalAction = PatternDispositionDescription\n | extend\n AlertId = EventOriginalUid,\n EventUid = _ItemId,\n AlertDescription = EventMessage,\n AlertStatus = iif(\n Status in (\"new\", \"in_progress\"), \"Active\",\n \"Closed\"\n ),\n DetectionMethod = case(\n Objective == \"Falcon Detection Method\" and (\n Name contains_cs \"Policy\"\n or Name contains_cs \"CustomTemplate\"\n or Name has_cs \"CustomerIOC\"\n ), \"User Defined Blocked List\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType == 
\"intel_detection\", \"Threat Intelligence\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType in (\"NGAV\", \"known_malware\", \"\"), \"Antivirus\",\n \"EDR\"\n ),\n EventSeverity = case(\n EventOriginalSeverity in (\"High\", \"Critical\"), \"High\",\n EventOriginalSeverity == \"Medium\", \"Medium\",\n EventOriginalSeverity == \"Low\", \"Low\",\n \"Informational\"\n ),\n EventSubType = iif(EventOriginalSubType == \"suspicious_activity\", \"Suspicious Activity\", \"Threat\"),\n Rule = Name,\n RuleNumber = toint(MitreAttack[0].pattern_id),\n RuleName = Name,\n RuleDescription = EventMessage,\n ThreatName = tostring(IocContext[0].ioc_value),\n IndicatorType = case(\n IocContext[0].ioc_type in (\"ipv4\", \"ipv6\"), \"Ip\",\n // IocContext[0].ioc_type == \"\", \"User\",\n // IocContext[0].ioc_type == \"\", \"Process\",\n // IocContext[0].ioc_type == \"\", \"Registry\",\n // IocContext[0].ioc_type == \"\", \"Url\",\n IocContext[0].ioc_type == \"domain\", \"Host\",\n // IocContext[0].ioc_type == \"\", \"Cloud Resource\",\n // IocContext[0].ioc_type == \"\", \"Application\",\n IocContext[0].ioc_type in (\"hash_sha256\"), \"File\",\n // IocContext[0].ioc_type == \"\", \"Email\",\n // IocContext[0].ioc_type == \"\", \"Mailbox\",\n // IocContext[0].ioc_type == \"\", \"Logon Session\",\n \"\"\n ),\n AttackTactics = iif(TacticId startswith_cs \"TA\", Tactic, \"\"),\n AttackTechniques = iif(TechniqueId startswith_cs \"T\", strcat(Technique, \" (\", TechniqueId, \")\"), \"\"),\n ThreatOriginalRiskLevel = tostring(Severity),\n ThreatOriginalConfidence = tostring(Confidence),\n UserIdType = case(\n isnotempty(UserId) and UserId startswith_cs \"S-\", \"SID\",\n isnotempty(UserId), \"Other\",\n \"\"\n ),\n Username = coalesce(UserPrincipal, UserName),\n FileName = Filename,\n FilePath = Filepath,\n FileSHA1 = Sha1,\n FileSHA256 = Sha256\n | where ((array_length(username_has_any) == 0) or Username has_any (username_has_any))\n | where 
((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any))\n | where ((array_length(attacktechniques_has_any) == 0) or AttackTechniques has_any (attacktechniques_has_any))\n | where ((array_length(eventseverity_has_any) == 0) or EventSeverity has_any (eventseverity_has_any))\n | project-rename\n AlertName = Name,\n AlertOriginalStatus = Status,\n ThreatRiskLevel = Severity,\n ThreatConfidence = Confidence,\n ProcessCommandLine = Cmdline,\n ProcessName = Filename\n | extend\n UsernameType = case(\n Username contains \"@\", \"UPN\",\n isnotempty(Username), \"Simple\",\n \"\"\n ),\n User = Username,\n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n AdditionalFields = iif(\n pack, bag_pack(\n \"Device\", Device,\n \"GlobalPrevalence\", GlobalPrevalence,\n \"GrandparentDetails\", GrandparentDetails,\n \"LocalPrevalence\", LocalPrevalence,\n \"ParentDetails\", ParentDetails,\n \"PatternDispositionDetails\", PatternDispositionDetails,\n \"Objective\", Objective\n ),\n dynamic(null)\n )\n | project\n TimeGenerated\n , Type\n , AdditionalFields\n , AlertDescription\n , AlertId\n , AlertName\n , AlertOriginalStatus\n , AlertStatus\n // , AlertVerdict\n // , AttackRemediationSteps\n , AttackTactics\n , AttackTechniques\n , DetectionMethod\n // , DvcAction\n // , DvcDescription\n , DvcDomain\n , DvcDomainType\n // , DvcFQDN\n , DvcHostname\n , DvcId\n , DvcIdType\n // , DvcInterface\n , DvcIpAddr\n // , DvcMacAddr\n , DvcOriginalAction\n , DvcOs\n , DvcOsVersion\n // , DvcScope\n // , DvcScopeId\n // , DvcZone\n // , EmailMessageId\n // , EmailSubject\n , EventCount\n , EventEndTime\n , EventMessage\n , EventOriginalSeverity\n , EventOriginalSubType\n , EventOriginalType\n , EventOriginalUid\n // , EventOwner\n , EventProduct\n , EventProductVersion\n , EventReportUrl\n //, EventResult\n , EventSchema\n , EventSchemaVersion\n , EventSeverity\n , EventStartTime\n , EventSubType\n , EventType\n , EventUid\n , EventVendor\n //, FileMD5\n , 
FileName\n , FilePath\n , FileSHA1\n , FileSHA256\n //, FileSize\n , Hostname\n //, IndicatorAssociation\n , IndicatorType\n , IpAddr\n //, OriginalUserType\n , ProcessCommandLine\n //, ProcessFileCompany\n , ProcessId\n , ProcessName\n // , RegistryKey\n // , RegistryValue\n // , RegistryValueData\n // , RegistryValueType\n , Rule\n , RuleDescription\n , RuleName\n , RuleNumber\n //, ThreatCategory\n , ThreatConfidence\n // , ThreatFirstReportedTime\n // , ThreatId\n // , ThreatIsActive\n // , ThreatLastReportedTime\n , ThreatName\n // , ThreatOriginalCategory\n , ThreatOriginalConfidence\n , ThreatOriginalRiskLevel\n , ThreatRiskLevel\n // , Url\n , User\n , UserId\n , UserIdType\n , Username\n , UsernameType\n // , UserScope\n // , UserScopeId\n // , UserSessionId\n // , UserType\n};\nparser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n pack=pack,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md index ea83ef1b344..397deedf1d0 100644 --- a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md 
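Review bot: Filtering by tactic ID is dead code after the second AttackTactics filter in the embedded query: the pre-filter accepts rows where `TacticId has_any (attacktactics_has_any)`, but AttackTactics is then set to the tactic name only, so the later `AttackTactics has_any (attacktactics_has_any)` drops every row that matched on the ID alone (a caller passing TA0002 gets nothing back). Keep the CS-pseudo-value exclusion but let IDs through, e.g. `| where ((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any) or (isnotempty(AttackTactics) and TacticId has_any (attacktactics_has_any)))`. Techniques are less exposed because AttackTechniques embeds TechniqueId, though has_any term matching on dotted sub-technique IDs is worth a test against the sample data. The identical query is in vimAlertEventCrowdStrikeFalcon.yaml, which needs the same change; since this ARM template appears to be generated from that YAML, fixing the YAML and regenerating is the safer path.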
+++ b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md @@ -1,5 +1,9 @@ # Changelog for ASimAlertEvent.yaml +## Version 0.1.4 + +- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488) + ## Version 0.1.3 - (2026-06-04) Palo Alto XDR - AlertEvent ASIM Parser - [PR #14401](https://github.com/Azure/Azure-Sentinel/pull/14401) diff --git a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md new file mode 100644 index 00000000000..795236415de --- /dev/null +++ b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md @@ -0,0 +1,5 @@ +# Changelog for ASimAlertEventCrowdStrikeFalcon.yaml + +## Version 0.1.0 + +- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488) diff --git a/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md b/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md index 638cc76d24a..5ab1e6e7785 100644 --- a/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md +++ b/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md @@ -1,5 +1,9 @@ # Changelog for imAlertEvent.yaml +## Version 0.1.4 + +- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488) + ## Version 0.1.3 - (2026-06-04) Palo Alto XDR - AlertEvent ASIM Parser - [PR #14401](https://github.com/Azure/Azure-Sentinel/pull/14401) diff --git a/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md b/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md new file mode 100644 index 00000000000..7f4b3cf431c --- /dev/null +++ b/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md 
@@ -0,0 +1,5 @@ +# Changelog for vimAlertEventCrowdStrikeFalcon.yaml + +## Version 0.1.0 + +- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488) diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml index 025da4f35e0..20d1946bbf0 100644 --- a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml @@ -1,7 +1,7 @@ Parser: Title: Alert Event ASIM parser - Version: '0.1.3' - LastUpdated: Jun 03, 2026 + Version: '0.1.4' + LastUpdated: Jun 16, 2026 Product: Name: Source agnostic Normalization: @@ -23,6 +23,7 @@ Parsers: - _ASim_AlertEvent_SentinelOneSingularity - _ASim_AlertEvent_CiscoSecureEndpoint - _ASim_AlertEvent_PaloAltoXDR + - _ASim_AlertEvent_CrowdStrikeFalcon ParserParams: - Name: pack Type: bool @@ -37,6 +38,7 @@ ParserQuery: | ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))), ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))), ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack), - ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack) + ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack), + ASimAlertEventCrowdStrikeFalcon (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack) }; parser (pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml new file mode 100644 index 00000000000..39160118b34 
--- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml 
@@ -0,0 +1,247 @@ +Parser: + Title: Alert Event ASIM parser for CrowdStrike Falcon + Version: "0.1.0" + LastUpdated: Jun 16, 2026 +Product: + Name: CrowdStrike Falcon +Normalization: + Schema: AlertEvent + Version: "0.1" +References: + - Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema. +ParserName: ASimAlertEventCrowdStrikeFalcon +EquivalentBuiltInParser: _ASim_AlertEvent_CrowdStrikeFalcon +ParserParams: + - Name: disabled + Type: bool + Default: false + - Name: pack + Type: bool + Default: false +ParserQuery: | + let parser = ( + disabled: bool=false, + pack: bool=false + ){ + CrowdStrikeDetections + | where not(disabled) + | extend + EventCount = int(1), + EventEndTime = CreatedTimestamp, + EventType = "Alert", + EventProduct = "Falcon", + EventVendor = "CrowdStrike", + EventSchema = "AlertEvent", + EventSchemaVersion = "0.1", + DvcIpAddr = tostring(Device.local_ip), + DvcHostname = tostring(Device.hostname), + DvcDomain = tostring(Device.hostinfo.domain), + DvcDomainType = iif(isnotempty(Device.hostinfo.domain), "FQDN", ""), + DvcId = tostring(Device.device_id), + DvcIdType = iff(isnotempty(Device.device_id), "Other", ""), + EventProductVersion = tostring(Device.agent_version), + DvcOs = tostring(Device.platform_name), + DvcOsVersion = extract(@"([\d\.]+)", 1, tostring(Device.os_version)) + | project-rename + EventStartTime = CreatedTimestamp, + EventOriginalUid = Id, + EventMessage = Description, + EventOriginalSeverity = SeverityName, + EventOriginalSubType = Scenario, + EventOriginalType = DetectionType, + EventReportUrl = FalconHostLink, + DvcOriginalAction = PatternDispositionDescription + | extend + AlertId = EventOriginalUid, + EventUid = _ItemId, + AlertDescription = EventMessage, + AlertStatus = iif( + Status in ("new", "in_progress"), 
"Active", + "Closed" + ), + DetectionMethod = case( + Objective == "Falcon Detection Method" and ( + Name contains_cs "Policy" + or Name contains_cs "CustomTemplate" + or Name has_cs "CustomerIOC" + ), "User Defined Blocked List", + Objective == "Falcon Detection Method" and EventOriginalSubType == "intel_detection", "Threat Intelligence", + Objective == "Falcon Detection Method" and EventOriginalSubType in ("NGAV", "known_malware", ""), "Antivirus", + "EDR" + ), + EventSeverity = case( + EventOriginalSeverity in ("High", "Critical"), "High", + EventOriginalSeverity == "Medium", "Medium", + EventOriginalSeverity == "Low", "Low", + "Informational" + ), + EventSubType = iif(EventOriginalSubType == "suspicious_activity", "Suspicious Activity", "Threat"), + Rule = Name, + RuleNumber = toint(MitreAttack[0].pattern_id), + RuleName = Name, + RuleDescription = EventMessage, + ThreatName = tostring(IocContext[0].ioc_value), + IndicatorType = case( + IocContext[0].ioc_type in ("ipv4", "ipv6"), "Ip", + // IocContext[0].ioc_type == "", "User", + // IocContext[0].ioc_type == "", "Process", + // IocContext[0].ioc_type == "", "Registry", + // IocContext[0].ioc_type == "", "Url", + IocContext[0].ioc_type == "domain", "Host", + // IocContext[0].ioc_type == "", "Cloud Resource", + // IocContext[0].ioc_type == "", "Application", + IocContext[0].ioc_type in ("hash_sha256"), "File", + // IocContext[0].ioc_type == "", "Email", + // IocContext[0].ioc_type == "", "Mailbox", + // IocContext[0].ioc_type == "", "Logon Session", + "" + ), + AttackTactics = iif(TacticId startswith_cs "TA", Tactic, ""), + AttackTechniques = iif(TechniqueId startswith_cs "T", strcat(Technique, " (", TechniqueId, ")"), ""), + ThreatOriginalRiskLevel = tostring(Severity), + ThreatOriginalConfidence = tostring(Confidence), + UserIdType = case( + isnotempty(UserId) and UserId startswith_cs "S-", "SID", + isnotempty(UserId), "Other", + "" + ), + Username = coalesce(UserPrincipal, UserName), + FileName = Filename, + 
FilePath = Filepath, + FileSHA1 = Sha1, + FileSHA256 = Sha256 + | project-rename + AlertName = Name, + AlertOriginalStatus = Status, + ThreatRiskLevel = Severity, + ThreatConfidence = Confidence, + ProcessCommandLine = Cmdline, + ProcessName = Filename + | extend + UsernameType = case( + Username contains "@", "UPN", + isnotempty(Username), "Simple", + "" + ), + User = Username, + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + AdditionalFields = iif( + pack, bag_pack( + "Device", Device, + "GlobalPrevalence", GlobalPrevalence, + "GrandparentDetails", GrandparentDetails, + "LocalPrevalence", LocalPrevalence, + "ParentDetails", ParentDetails, + "PatternDispositionDetails", PatternDispositionDetails, + "Objective", Objective + ), + dynamic(null) + ) + | project + TimeGenerated + , Type + , AdditionalFields + , AlertDescription + , AlertId + , AlertName + , AlertOriginalStatus + , AlertStatus + // , AlertVerdict + // , AttackRemediationSteps + , AttackTactics + , AttackTechniques + , DetectionMethod + // , DvcAction + // , DvcDescription + , DvcDomain + , DvcDomainType + // , DvcFQDN + , DvcHostname + , DvcId + , DvcIdType + // , DvcInterface + , DvcIpAddr + // , DvcMacAddr + , DvcOriginalAction + , DvcOs + , DvcOsVersion + // , DvcScope + // , DvcScopeId + // , DvcZone + // , EmailMessageId + // , EmailSubject + , EventCount + , EventEndTime + , EventMessage + , EventOriginalSeverity + , EventOriginalSubType + , EventOriginalType + , EventOriginalUid + // , EventOwner + , EventProduct + , EventProductVersion + , EventReportUrl + //, EventResult + , EventSchema + , EventSchemaVersion + , EventSeverity + , EventStartTime + , EventSubType + , EventType + , EventUid + , EventVendor + //, FileMD5 + , FileName + , FilePath + , FileSHA1 + , FileSHA256 + //, FileSize + , Hostname + //, IndicatorAssociation + , IndicatorType + , IpAddr + //, OriginalUserType + , ProcessCommandLine + //, ProcessFileCompany + , ProcessId + , ProcessName + // , RegistryKey + // , RegistryValue + 
// , RegistryValueData + // , RegistryValueType + , Rule + , RuleDescription + , RuleName + , RuleNumber + //, ThreatCategory + , ThreatConfidence + // , ThreatFirstReportedTime + // , ThreatId + // , ThreatIsActive + // , ThreatLastReportedTime + , ThreatName + // , ThreatOriginalCategory + , ThreatOriginalConfidence + , ThreatOriginalRiskLevel + , ThreatRiskLevel + // , Url + , User + , UserId + , UserIdType + , Username + , UsernameType + // , UserScope + // , UserScopeId + // , UserSessionId + // , UserType + }; + parser( + pack=pack, + disabled=disabled + ) \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml index 67b66f60b4d..488308f2846 100644 --- a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml +++ b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml @@ -1,7 +1,7 @@ Parser: Title: Alert Event ASIM filtering parser - Version: '0.1.3' - LastUpdated: Jun 03, 2026 + Version: '0.1.4' + LastUpdated: Jun 16, 2026 Product: Name: Source agnostic Normalization: @@ -23,6 +23,7 @@ Parsers: - _Im_AlertEvent_SentinelOneSingularity - _Im_AlertEvent_CiscoSecureEndpoint - _Im_AlertEvent_PaloAltoXDR + - _Im_AlertEvent_CrowdStrikeFalcon ParserParams: - Name: starttime Type: datetime 
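Review bot: AlertStatus collapses every status other than new and in_progress to "Closed", so a detection that has been re-opened (Falcon exposes a reopened status alongside closed, true_positive, false_positive and ignored, if I remember the API correctly) would be normalized as Closed while it is actively being worked, which matters for any analytic keyed on active alerts. Suggest `Status in ("new", "in_progress", "reopened"), "Active",` plus a short comment above the iif listing the source statuses treated as terminal, so the mapping can be checked against the connector's enumeration. The same mapping is in vimAlertEventCrowdStrikeFalcon.yaml and in the ARM template vimAlertEventCrowdStrikeFalcon.json. Separately, the IndicatorType case and the final project list carry a dozen commented-out template rows; trimming them, or moving the list of unmapped schema fields into the Description, would make the shipped parser easier to read.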
@@ -79,6 +80,7 @@ ParserQuery: | vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))), vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))), vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack), - vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, 
eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack) + vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack), + vimAlertEventCrowdStrikeFalcon (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack) }; parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml new file mode 100644 index 00000000000..8faffb615b8 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml 
@@ -0,0 +1,310 @@ +Parser: + Title: Alert Event ASIM parser for CrowdStrike Falcon + Version: "0.1.0" + LastUpdated: Jun 16, 2026 +Product: + Name: CrowdStrike Falcon +Normalization: + Schema: AlertEvent + Version: "0.1" +References: + - Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema. +ParserName: vimAlertEventCrowdStrikeFalcon +EquivalentBuiltInParser: _Im_AlertEvent_CrowdStrikeFalcon +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false + - Name: pack + Type: bool + Default: false +ParserQuery: | + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false, + pack: bool=false + ){ + CrowdStrikeDetections + | where not(disabled) + | where (isnull(starttime) or 
CreatedTimestamp >= starttime) + and (isnull(endtime) or CreatedTimestamp <= endtime) + | where ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Device.local_ip, ipaddr_has_any_prefix)) + | where ((array_length(hostname_has_any) == 0) or Device.hostname has_any (hostname_has_any)) + // The tactics & techniques also include CrowdStrike pseudo-values (CS-prefixed), these are filtered out later + | where ((array_length(attacktactics_has_any) == 0) or Tactic has_any (attacktactics_has_any) or TacticId has_any (attacktactics_has_any)) + | where ((array_length(attacktechniques_has_any) == 0) or Technique has_any (attacktechniques_has_any) or TechniqueId has_any (attacktechniques_has_any)) + | where (array_length(threatcategory_has_any) == 0) //Parser does not support ThreatCategory + | where (array_length(alertverdict_has_any) == 0) //Parser does not support AlertVerdict + | extend + EventCount = int(1), + EventEndTime = CreatedTimestamp, + EventType = "Alert", + EventProduct = "Falcon", + EventVendor = "CrowdStrike", + EventSchema = "AlertEvent", + EventSchemaVersion = "0.1", + DvcIpAddr = tostring(Device.local_ip), + DvcHostname = tostring(Device.hostname), + DvcDomain = tostring(Device.hostinfo.domain), + DvcDomainType = iif(isnotempty(Device.hostinfo.domain), "FQDN", ""), + DvcId = tostring(Device.device_id), + DvcIdType = iff(isnotempty(Device.device_id), "Other", ""), + EventProductVersion = tostring(Device.agent_version), + DvcOs = tostring(Device.platform_name), + DvcOsVersion = extract(@"([\d\.]+)", 1, tostring(Device.os_version)) + | project-rename + EventStartTime = CreatedTimestamp, + EventOriginalUid = Id, + EventMessage = Description, + EventOriginalSeverity = SeverityName, + EventOriginalSubType = Scenario, + EventOriginalType = DetectionType, + EventReportUrl = FalconHostLink, + DvcOriginalAction = PatternDispositionDescription + | extend + AlertId = EventOriginalUid, + EventUid = _ItemId, + AlertDescription = EventMessage, + AlertStatus 
= iif( + Status in ("new", "in_progress"), "Active", + "Closed" + ), + DetectionMethod = case( + Objective == "Falcon Detection Method" and ( + Name contains_cs "Policy" + or Name contains_cs "CustomTemplate" + or Name has_cs "CustomerIOC" + ), "User Defined Blocked List", + Objective == "Falcon Detection Method" and EventOriginalSubType == "intel_detection", "Threat Intelligence", + Objective == "Falcon Detection Method" and EventOriginalSubType in ("NGAV", "known_malware", ""), "Antivirus", + "EDR" + ), + EventSeverity = case( + EventOriginalSeverity in ("High", "Critical"), "High", + EventOriginalSeverity == "Medium", "Medium", + EventOriginalSeverity == "Low", "Low", + "Informational" + ), + EventSubType = iif(EventOriginalSubType == "suspicious_activity", "Suspicious Activity", "Threat"), + Rule = Name, + RuleNumber = toint(MitreAttack[0].pattern_id), + RuleName = Name, + RuleDescription = EventMessage, + ThreatName = tostring(IocContext[0].ioc_value), + IndicatorType = case( + IocContext[0].ioc_type in ("ipv4", "ipv6"), "Ip", + // IocContext[0].ioc_type == "", "User", + // IocContext[0].ioc_type == "", "Process", + // IocContext[0].ioc_type == "", "Registry", + // IocContext[0].ioc_type == "", "Url", + IocContext[0].ioc_type == "domain", "Host", + // IocContext[0].ioc_type == "", "Cloud Resource", + // IocContext[0].ioc_type == "", "Application", + IocContext[0].ioc_type in ("hash_sha256"), "File", + // IocContext[0].ioc_type == "", "Email", + // IocContext[0].ioc_type == "", "Mailbox", + // IocContext[0].ioc_type == "", "Logon Session", + "" + ), + AttackTactics = iif(TacticId startswith_cs "TA", Tactic, ""), + AttackTechniques = iif(TechniqueId startswith_cs "T", strcat(Technique, " (", TechniqueId, ")"), ""), + ThreatOriginalRiskLevel = tostring(Severity), + ThreatOriginalConfidence = tostring(Confidence), + UserIdType = case( + isnotempty(UserId) and UserId startswith_cs "S-", "SID", + isnotempty(UserId), "Other", + "" + ), + Username = 
coalesce(UserPrincipal, UserName), + FileName = Filename, + FilePath = Filepath, + FileSHA1 = Sha1, + FileSHA256 = Sha256 + | where ((array_length(username_has_any) == 0) or Username has_any (username_has_any)) + | where ((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any)) + | where ((array_length(attacktechniques_has_any) == 0) or AttackTechniques has_any (attacktechniques_has_any)) + | where ((array_length(eventseverity_has_any) == 0) or EventSeverity has_any (eventseverity_has_any)) + | project-rename + AlertName = Name, + AlertOriginalStatus = Status, + ThreatRiskLevel = Severity, + ThreatConfidence = Confidence, + ProcessCommandLine = Cmdline, + ProcessName = Filename + | extend + UsernameType = case( + Username contains "@", "UPN", + isnotempty(Username), "Simple", + "" + ), + User = Username, + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + AdditionalFields = iif( + pack, bag_pack( + "Device", Device, + "GlobalPrevalence", GlobalPrevalence, + "GrandparentDetails", GrandparentDetails, + "LocalPrevalence", LocalPrevalence, + "ParentDetails", ParentDetails, + "PatternDispositionDetails", PatternDispositionDetails, + "Objective", Objective + ), + dynamic(null) + ) + | project + TimeGenerated + , Type + , AdditionalFields + , AlertDescription + , AlertId + , AlertName + , AlertOriginalStatus + , AlertStatus + // , AlertVerdict + // , AttackRemediationSteps + , AttackTactics + , AttackTechniques + , DetectionMethod + // , DvcAction + // , DvcDescription + , DvcDomain + , DvcDomainType + // , DvcFQDN + , DvcHostname + , DvcId + , DvcIdType + // , DvcInterface + , DvcIpAddr + // , DvcMacAddr + , DvcOriginalAction + , DvcOs + , DvcOsVersion + // , DvcScope + // , DvcScopeId + // , DvcZone + // , EmailMessageId + // , EmailSubject + , EventCount + , EventEndTime + , EventMessage + , EventOriginalSeverity + , EventOriginalSubType + , EventOriginalType + , EventOriginalUid + // , EventOwner + , EventProduct + , 
EventProductVersion + , EventReportUrl + //, EventResult + , EventSchema + , EventSchemaVersion + , EventSeverity + , EventStartTime + , EventSubType + , EventType + , EventUid + , EventVendor + //, FileMD5 + , FileName + , FilePath + , FileSHA1 + , FileSHA256 + //, FileSize + , Hostname + //, IndicatorAssociation + , IndicatorType + , IpAddr + //, OriginalUserType + , ProcessCommandLine + //, ProcessFileCompany + , ProcessId + , ProcessName + // , RegistryKey + // , RegistryValue + // , RegistryValueData + // , RegistryValueType + , Rule + , RuleDescription + , RuleName + , RuleNumber + //, ThreatCategory + , ThreatConfidence + // , ThreatFirstReportedTime + // , ThreatId + // , ThreatIsActive + // , ThreatLastReportedTime + , ThreatName + // , ThreatOriginalCategory + , ThreatOriginalConfidence + , ThreatOriginalRiskLevel + , ThreatRiskLevel + // , Url + , User + , UserId + , UserIdType + , Username + , UsernameType + // , UserScope + // , UserScopeId + // , UserSessionId + // , UserType + }; + parser( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + pack=pack, + disabled=disabled + ) \ No newline at end of file diff --git a/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv b/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv new file mode 100644 index 00000000000..89ff42e9153 --- /dev/null +++ b/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv 
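Review bot: The ipaddr_has_any_prefix pre-filter passes `Device.local_ip` straight into has_any_ipv4_prefix, whose first argument is a string, while the rest of the query consistently wraps the same property in tostring() (DvcIpAddr = tostring(Device.local_ip)); I'd write `has_any_ipv4_prefix(tostring(Device.local_ip), ipaddr_has_any_prefix)` rather than rely on implicit dynamic-to-string coercion. Note also that the prefix filter only inspects local_ip, whereas the sample data carries Device.external_ip as well; if callers expect the filter to match either address, that should either be stated in the Description or the external address added to the predicate.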
@@ -0,0 +1,26 @@
+TenantId,"TimeGenerated [UTC]",AdversaryIds,Behaviors,BehaviorsProcessed,"CreatedTimestamp [UTC]",DateUpdated,DetectionId,"FirstBehavior [UTC]",HostInfo,"LastBehavior [UTC]",MaxConfidence,MaxSeverity,MaxSeverityDisplayName,OverwatchNotes,AgentScanId,"UpdatedTimestamp [UTC]",EmailSent,SecondsToResolved,SecondsToTriaged,ShowInUi,Status,AllegedFiletype,ChildProcessIds,CloudIndicator,Cmdline,DetectionContext,Device,FalconHostLink,Filename,Filepath,GlobalPrevalence,GrandparentDetails,Incident,IndicatorId,IocContext,LocalPrevalence,LocalProcessId,LogonDomain,Md5,NetworkAccesses,OsName,ParentDetails,ParentProcessId,PatternDisposition,PatternDispositionDescription,PatternDispositionDetails,ProcessEndTime,ProcessId,ProcessStartTime,Quarantined,QuarantinedFiles,ScanId,Sha256,Sha1,TemplateInstanceId,TemplateInterfaceId,TemplateInterfaceName,TreeId,TreeRoot,TriggeringProcessGraphId,DetectionType,UserId,UserName,UserPrincipal,AssignedToName,AssignedToUid,AssignedToUuid,Cid,CompositeId,Confidence,"CrawledTimestamp [UTC]",Description,"EndTime [UTC]",Entities,EntityValues,Id,MitreAttack,Name,References,SourceEventModel,Tactics,TacticIds,Techniques,TechniqueIds,XdrDetectionId,AddedPrivileges,AggregateId,Objective,PolyId,PreviousPrivileges,Privileges,Scenario,Severity,SeverityName,SourceAccountDomain,SourceAccountName,SourceAccountObjectGuid,SourceAccountObjectSid,SourceAccountSamAccountName,SourceAccountUpn,Tactic,Technique,TacticId,TechniqueId,TemplateInstanceIdText,TemplateInterfaceIdText,SourceSystem,Type
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 08:18:17.083",,,,"11/06/2026, 08:02:23.353",,,,,,,,,,,"11/06/2026, 08:06:23.099",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=1444332",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T18:08:53.2310000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""430277e91d0e4b79a254d543df474365"",""external_ip"":""10.171.6.227"",""first_seen"":""2025-10-06T09:08:40.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406174"",""last_seen"":""2026-06-11T07:31:11.0000000Z"",""local_ip"":""10.202.40.30"",""mac_address"":""af-e7-0f-73-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T07:31:51.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""14896"",""md5"":""663fb758a12bf5e237401dc65d9055f0"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:9880320112261"",""process_id"":""9880320112261"",""sha256"":""3bca0a9b2188105643f058c39f0999a92d686f650544124853606d61f77bd883"",""timestamp"":""2026-06-04T17:09:01.6690000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240","[]",common,17308,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe\"" 
"",""filename"":""Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""local_process_id"":""42868"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:10256759665133"",""process_id"":""10256759665133"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-11T08:03:25.0000000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",10256759665133,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781164862,10256761721621,1781164851,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,725852539520,10256761721621,"pid:430277e91d0e4b79a254d543df474365:10256761721621"
,ldt,"S-1-5-21-000000000-1431365391-3430335985-68688","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240",100,"11/06/2026, 08:06:23.099","A process triggered an informational severity custom rule.",,,,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:430277e91d0e4b79a254d543df474365:725852539520","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGEc0LYh5j54NNFOq9qo--zQAATiFO_PUGAywAH8r4VX51QR3kmB5cVD_90YOOY7bbWbP8JA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 08:18:17.083",,,,"11/06/2026, 08:02:23.389",,,,,,,,,,,"11/06/2026, 08:06:23.099",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=1444332",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T18:08:53.2310000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""430277e91d0e4b79a254d543df474365"",""external_ip"":""10.171.6.227"",""first_seen"":""2025-10-06T09:08:40.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406174"",""last_seen"":""2026-06-11T07:31:11.0000000Z"",""local_ip"":""10.202.40.30"",""mac_address"":""af-e7-0f-73-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T07:31:51.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""14896"",""md5"":""663fb758a12bf5e237401dc65d9055f0"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:9880320112261"",""process_id"":""9880320112261"",""sha256"":""3bca0a9b2188105643f058c39f0999a92d686f650544124853606d61f77bd883"",""timestamp"":""2026-06-04T17:09:01.6690000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264","[]",common,17308,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe\"" 
"",""filename"":""Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""local_process_id"":""42868"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:10256759665133"",""process_id"":""10256759665133"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-11T08:03:25.0000000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",10256759665133,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781164862,10256761721621,1781164851,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,725852539520,10256761721621,"pid:430277e91d0e4b79a254d543df474365:10256761721621"
,ldt,"S-1-5-21-000000000-1431365391-3430335985-68688","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264",100,"11/06/2026, 08:06:23.099","A process triggered an informational severity custom rule.",,,,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:430277e91d0e4b79a254d543df474365:725852539520","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGVrneEfMDMf0CvZynZoO2_AAATiFNitjbHowOE4gG2uPz8K_2ZXqzgYrLb7UKkWQAn5E9dA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 10:48:17.234",,,,"11/06/2026, 10:44:53.907",,,,,,,,,,,"11/06/2026, 
10:44:58.158",true,4,0,true,closed,exe,"[""pid:af77fe7408fd42e5958e8578628dc531:25233157765596"",""pid:af77fe7408fd42e5958e8578628dc531:25233135042951"",""pid:af77fe7408fd42e5958e8578628dc531:25233122170361"",""pid:af77fe7408fd42e5958e8578628dc531:25233123111633"",""pid:af77fe7408fd42e5958e8578628dc531:25233164902524"",""pid:af77fe7408fd42e5958e8578628dc531:25233166787791"",""pid:af77fe7408fd42e5958e8578628dc531:25233180002745"",""pid:af77fe7408fd42e5958e8578628dc531:25233191341566"",""pid:af77fe7408fd42e5958e8578628dc531:25233162917029"",""pid:af77fe7408fd42e5958e8578628dc531:25233204789905"",""pid:af77fe7408fd42e5958e8578628dc531:25233208033264"",""pid:af77fe7408fd42e5958e8578628dc531:25233169213078"",""pid:af77fe7408fd42e5958e8578628dc531:25233170007683"",""pid:af77fe7408fd42e5958e8578628dc531:25236770413747"",""pid:af77fe7408fd42e5958e8578628dc531:25237274828029"",""pid:af77fe7408fd42e5958e8578628dc531:25238611790782"",""pid:af77fe7408fd42e5958e8578628dc531:25239518737581"",""pid:af77fe7408fd42e5958e8578628dc531:25239829024560"",""pid:af77fe7408fd42e5958e8578628dc531:25240090663930"",""pid:af77fe7408fd42e5958e8578628dc531:25240085632967"",""pid:af77fe7408fd42e5958e8578628dc531:25240090112771"",""pid:af77fe7408fd42e5958e8578628dc531:25240981272318"",""pid:af77fe7408fd42e5958e8578628dc531:25241276230919"",""pid:af77fe7408fd42e5958e8578628dc531:25241493298365"",""pid:af77fe7408fd42e5958e8578628dc531:25242034978753"",""pid:af77fe7408fd42e5958e8578628dc531:25242058170705"",""pid:af77fe7408fd42e5958e8578628dc531:25242060059071"",""pid:af77fe7408fd42e5958e8578628dc531:25242826620001"",""pid:af77fe7408fd42e5958e8578628dc531:25242811152656"",""pid:af77fe7408fd42e5958e8578628dc531:25242802913452"",""pid:af77fe7408fd42e5958e8578628dc531:25242613113705"",""pid:af77fe7408fd42e5958e8578628dc531:25242789931150"",""pid:af77fe7408fd42e5958e8578628dc531:25242995594822"",""pid:af77fe7408fd42e5958e8578628dc531:25243010571254"",""pid:af77fe7408fd42e5958e8578628dc531:25243016528285""
,""pid:af77fe7408fd42e5958e8578628dc531:25242948618249"",""pid:af77fe7408fd42e5958e8578628dc531:25242982535787"",""pid:af77fe7408fd42e5958e8578628dc531:25243092994131"",""pid:af77fe7408fd42e5958e8578628dc531:25243130940362"",""pid:af77fe7408fd42e5958e8578628dc531:25243207726365"",""pid:af77fe7408fd42e5958e8578628dc531:25243203414811"",""pid:af77fe7408fd42e5958e8578628dc531:25243200530031"",""pid:af77fe7408fd42e5958e8578628dc531:25243209559602"",""pid:af77fe7408fd42e5958e8578628dc531:25243304024583"",""pid:af77fe7408fd42e5958e8578628dc531:25243326385084"",""pid:af77fe7408fd42e5958e8578628dc531:25243306370857"",""pid:af77fe7408fd42e5958e8578628dc531:25243343585541"",""pid:af77fe7408fd42e5958e8578628dc531:25243356132821"",""pid:af77fe7408fd42e5958e8578628dc531:25243328595010"",""pid:af77fe7408fd42e5958e8578628dc531:25243677094635""]",,"""C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-09T10:37:16.7560000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""af77fe7408fd42e5958e8578628dc531"",""external_ip"":""10.0.166.142"",""first_seen"":""2022-12-07T19:30:38.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-403115"",""last_seen"":""2026-06-11T10:31:01.0000000Z"",""local_ip"":""192.168.68.69"",""mac_address"":""af-90-0f-8e-50-08"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T10:31:46.0000000Z"",""os_version"":""Windows 
11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","MsSense.exe","\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",common,"{""cmdline"":""wininit.exe"",""filename"":""wininit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe"",""local_process_id"":""1176"",""md5"":""2cdb35ab7fce9327d8b8ad6a533df34d"",""process_graph_id"":""pid:af77fe7408fd42e5958e8578628dc531:25232941233373"",""process_id"":""25232941233373"",""sha256"":""1f592106643009e028cc583322d91e6895d16e12690178ba0690452516c7b911"",""timestamp"":""2026-06-09T16:37:23.3890000Z"",""user_graph_id"":""uid:af77fe7408fd42e5958e8578628dc531:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-403115$""}",,"ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840","[{""ioc_description"":""\\Device\\HarddiskVolume3\\$WINDOWS.~BT\\Work\\12\\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.26100.1_none_a518656df7c165fb\\SenseAP.exe"",""ioc_source"":""file_write"",""ioc_type"":""hash_sha256"",""ioc_value"":""80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28"",""sha256"":""80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28"",""type"":""module""}]",common,6936,CONTOSO,e01ffaf5cd82220a0fee64ca3dcd5c1d,"[{""access_timestamp"":""1781023049"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50968"",""protocol"":""TCP"",""remote_address"":""10.179.176.23"",""remote_port"":""135""},{""access_time
stamp"":""1781023051"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50996"",""protocol"":""TCP"",""remote_address"":""72.153.100.13"",""remote_port"":""443""},{""access_timestamp"":""1781023085"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""51091"",""protocol"":""TCP"",""remote_address"":""10.179.176.23"",""remote_port"":""49669""},{""access_timestamp"":""1781023182"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53066"",""protocol"":""TCP"",""remote_address"":""13.89.178.26"",""remote_port"":""443""},{""access_timestamp"":""1781023183"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53069"",""protocol"":""TCP"",""remote_address"":""10.179.176.24"",""remote_port"":""49668""},{""access_timestamp"":""1781023183"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53068"",""protocol"":""TCP"",""remote_address"":""10.179.176.24"",""remote_port"":""135""},{""access_timestamp"":""1781023305"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53349"",""protocol"":""TCP"",""remote_address"":""52.168.117.171"",""remote_port"":""443""},{""access_timestamp"":""1781023327"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""57645"",""protocol"":""TCP"",""remote_address"":""104.208.16.92"",""remote_port"":""443""},{""access_timestamp"":""1781023447"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""55477"",""protocol"":""TCP"",""remote_address"":""52.168.112.66"",""remote_port"":""4
43""},{""access_timestamp"":""1781023546"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50274"",""protocol"":""TCP"",""remote_address"":""52.182.143.210"",""remote_port"":""443""}]",,"{""cmdline"":""C:\\WINDOWS\\system32\\services.exe"",""filename"":""services.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\services.exe"",""local_process_id"":""1252"",""md5"":""9231a3bd3ea5897debe82603f180b862"",""process_graph_id"":""pid:af77fe7408fd42e5958e8578628dc531:25232942625894"",""process_id"":""25232942625894"",""sha256"":""f58b4b4f816d81eb1d1f6b4931e7620f24bb0ad96d576535769fdb56ede8aec2"",""timestamp"":""2026-06-09T16:37:23.3890000Z"",""user_graph_id"":""uid:af77fe7408fd42e5958e8578628dc531:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-403115$""}",25232942625894,0,"Detection, standard detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",,25233068064868,1781023040,,,,80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28,0000000000000000000000000000000000000000,,,,936303458859,25233068064868,"pid:af77fe7408fd42e5958e8578628dc531:25233068064868",ldt,"S-1-5-18","host-403115$","host-403115$@CONTO
SO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840",70,"11/06/2026, 10:44:53.907","A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.",,,,"ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840","[{""pattern_id"":5733,""tactic_id"":""CSTA0004"",""technique_id"":""CST0007"",""tactic"":""Machine Learning"",""technique"":""Sensor-based ML""}]","OnWrite-MLSensor-High",,,,,,,,,"aggind:af77fe7408fd42e5958e8578628dc531:936303458859","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGiOlF-659zFJNQ1wbU_h8mgAATiEVIZyG_M33YiGhbqYd6-tthS4rJerFs-zelmbFhEvGiA==",,,NGAV,70,High,,,,,,,"Machine Learning","Sensor-based ML",CSTA0004,CST0007,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:32:17.684",,,,,,,,,,,"09/06/2026, 15:36:17.231",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=69024",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" "",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program 
Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992","[]",common,18456,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""local_process_id"":""27500"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247671128454"",""process_id"":""9247671128454"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:31:09.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247671128454,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019072,9247672693201,1781019071,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601298876249,9247672693201,"pid:f083f1b0ac7049588ff82226dba61f46:9247672693201",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992",100,"09/06/2026, 15:36:17.231","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601298876249","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGc6rwqj7AuTmPpUe8GnH7IwAATiEh6u_2L5S6RWrSclAtTPV3EHTEI0Q9v90U1sE7Y9qDDg==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:32:17.763",,,,,,,,,,,"09/06/2026, 15:36:17.140",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=69024",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760","[]",common,18456,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""local_process_id"":""27500"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247671128454"",""process_id"":""9247671128454"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:31:09.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247671128454,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019072,9247672693201,1781019071,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601298876249,9247672693201,"pid:f083f1b0ac7049588ff82226dba61f46:9247672693201",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760",100,"09/06/2026, 15:36:17.140","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601298876249","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG1_pykO7zrKsYR2TSM6NnPQAATiEgzASg3cpZO0DX98gjaUEWC3n9E8Ekroo2DuTKSPT6IQ==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:39:50.131",,,,,,,,,,,"09/06/2026, 15:43:50.125",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=658282",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456","[]",common,27780,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""local_process_id"":""24712"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247766896478"",""process_id"":""9247766896478"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:38:45.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247766896478,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019527,9247767553876,1781019526,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601299857219,9247767553876,"pid:f083f1b0ac7049588ff82226dba61f46:9247767553876",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456",100,"09/06/2026, 15:43:50.125","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601299857219","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGZ-4JDmAOZQwBqQJh_XA9vwAATiFD5ZxOTt26PjFcXgdR6fe3C48BpaUVu9DTYYOI2QY0vA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:39:50.191",,,,,,,,,,,"09/06/2026, 15:43:50.107",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=658282",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968","[]",common,27780,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""local_process_id"":""24712"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247766896478"",""process_id"":""9247766896478"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:38:45.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247766896478,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019527,9247767553876,1781019526,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601299857219,9247767553876,"pid:f083f1b0ac7049588ff82226dba61f46:9247767553876",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968",100,"09/06/2026, 15:43:50.107","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601299857219","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGYRWkvtl1pSwTfBOelddPPwAATiGBBCglOJN2tcXWfwqqDdMl80kLaZ9_PqQSVOL_mrmP5w==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:03:17.396",,,,"10/06/2026, 15:00:07.593",,,,,,,,,,,"10/06/2026, 15:00:11.930",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=330176",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T14:44:53.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T14:45:06.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344","[]",common,30024,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""local_process_id"":""29792"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12949582599611"",""process_id"":""12949582599611"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T14:58:58.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12949582599611,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781103542,12949591128326,1781103540,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434521101653,12949591128326,"pid:9c6da4284205479fa6a544050e7f1ee4:12949591128326",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344",100,"10/06/2026, 15:00:07.593","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434521101653","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG_SXD5QYCsvUgJbW0WcfXBAAATiFtcKhJ6ZoBs5z7le2uHYomuPleGSoBhQXHF3Nwjtf8MA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:03:17.396",,,,"10/06/2026, 15:00:07.598",,,,,,,,,,,"10/06/2026, 15:00:11.840",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=330176",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T14:44:53.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T14:45:06.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576","[]",common,30024,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""local_process_id"":""29792"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12949582599611"",""process_id"":""12949582599611"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T14:58:58.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12949582599611,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781103542,12949591128326,1781103540,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434521101653,12949591128326,"pid:9c6da4284205479fa6a544050e7f1ee4:12949591128326",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576",100,"10/06/2026, 15:00:07.598","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434521101653","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGKDFvJm15O_C7b7uURvuFTQAATiFjLD0AS-oA8chrBw7-zvgKsOvP3LSfevPQfeJ6QMU6tw==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:03:17.126",,,,"09/06/2026, 15:56:41.900",,,,,,,,,,,"09/06/2026, 16:00:41.530",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=265276",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:55:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:56:22.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" "",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program 
Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592","[]",common,38464,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""local_process_id"":""6228"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9248788220352"",""process_id"":""9248788220352"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:55:35.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9248788220352,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781020537,9248788647272,1781020536,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601300898780,9248788647272,"pid:f083f1b0ac7049588ff82226dba61f46:9248788647272",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592",100,"09/06/2026, 16:00:41.530","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601300898780","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG3z1r5nKdJpL6PBr7EieztQAATiHrYqKhyOTYhIhBJ7i2_rTvkmV84SeahE-DWv3CdZQgPA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:03:17.126",,,,"09/06/2026, 15:56:41.908",,,,,,,,,,,"09/06/2026, 16:00:41.536",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=265276",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:55:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:56:22.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104","[]",common,38464,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""local_process_id"":""6228"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9248788220352"",""process_id"":""9248788220352"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:55:35.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9248788220352,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781020537,9248788647272,1781020536,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601300898780,9248788647272,"pid:f083f1b0ac7049588ff82226dba61f46:9248788647272",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104",100,"09/06/2026, 16:00:41.536","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601300898780","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGB3wVzty9WXOXlL2IyaPK7wAATiGvSDbjsGcT6x2TOW5n4jv4PqBaItXOuyabemvKCc5amA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections 
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:18:17.659",,,,"10/06/2026, 15:07:44.606",,,,,,,,,,,"10/06/2026, 15:11:44.525",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=395712",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T15:11:30.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T15:11:37.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704","[]",common,34128,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""local_process_id"":""16676"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12950145987754"",""process_id"":""12950145987754"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T15:06:38.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12950145987754,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781104000,12950148427636,1781104000,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434522171600,12950148427636,"pid:9c6da4284205479fa6a544050e7f1ee4:12950148427636",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704",100,"10/06/2026, 15:11:44.525","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434522171600","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGlMN0YBtu7FAmpJabsBwGuwAATiFFM_-BzVLMX0hJoNNscLp49as-j-IrsNzBTJjKFNlQpQ==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:18:17.659",,,,"10/06/2026, 15:07:44.616",,,,,,,,,,,"10/06/2026, 15:11:44.533",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent 
--ipc_wnd=395712",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T15:11:30.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T15:11:37.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192","[]",common,34128,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""local_process_id"":""16676"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12950145987754"",""process_id"":""12950145987754"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T15:06:38.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12950145987754,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781104000,12950148427636,1781104000,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434522171600,12950148427636,"pid:9c6da4284205479fa6a544050e7f1ee4:12950148427636",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192",100,"10/06/2026, 15:11:44.533","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434522171600","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG-9oJKgqdEO5qqULDGmSYwwAATiEA_n-72_Y3MDgiyG0L7JrbN2VZjwg37zlEcmOdnj4YAg==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:04.813",,,,,,,,,,,"09/06/2026, 16:28:05.983",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain 
Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" 
"",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896",80,"09/06/2026, 16:28:05.983","A suspicious process may have 
accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGj4A_mfJO_pWaYnYIE5w2yQAATiEkK9KGLsl1_mNaHyJHywh4COA2wcwYdGbWF6uhZ2wTdQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:04.827",,,,,,,,,,,"09/06/2026, 16:28:05.931",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain 
Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" 
"",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920",60,"09/06/2026, 16:28:05.931","Process accessed NTDS.dit in a 
Volume Shadow Snapshot and subsequently wrote a file that may contain the NTDS database.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920","[{""pattern_id"":287,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsCopyFromVss,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGp45z-JbcFpo7YtXjM-c7_gAATiFM-2grSRDvDuKPQ81EZfVYNgHpT-WDaCQsHI13KhiGXQ==",,,"credential_theft",60,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:32.931",,,,,,,,,,,"09/06/2026, 16:28:34.748",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain 
Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984",80,"09/06/2026, 16:28:34.748","Process accessed credential-containing NTDS.dit in a Volume Shadow Snapshot",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984","[{""pattern_id"":67,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsFileAccessedViaVss,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG5kDVCaRBmUQGdAdIodExYAAATiHcEzR4U2SLb593Lacm4Sb_WaOeIQUrQZQzjzb0KDzofQ==",,,"credential_theft",100,Critical,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 
16:33:16.996",,,,"09/06/2026, 16:24:38.638",,,,,,,,,,,"09/06/2026, 16:28:38.675",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920",80,"09/06/2026, 16:28:38.675","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGaOJPfjuIMyIjwiOpj3dN2wAATiHSGYOdvBwHBhDctKKOFWhCF3-2alSaHgj5DVU_fT_qEA==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:38.640",,,,,,,,,,,"09/06/2026, 16:28:38.676",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain 
Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456",80,"09/06/2026, 16:28:38.676","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGuvb4qh1ihLxX8pln2J_llwAATiH0LkL91XxdIbb7eC3eG4H6sc_DAgx4RjSKiZB79AZ8bw==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:16.051",,,,,,,,,,,"09/06/2026, 16:47:27.595",true,643,641,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain 
Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448",60,"09/06/2026, 16:37:16.228","Process accessed NTDS.dit in a Volume Shadow Snapshot and subsequently wrote a file that may contain the NTDS database.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448","[{""pattern_id"":287,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsCopyFromVss,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG7Z8McykKRcr0DpGTubudAAAATiHU2me8uvlM3aSRli-_pR1UWc-_zkLFRzeMIWeibi5LzQ==",,,"credential_theft",60,High,,,,,,,"Credential Access","OS Credential 
Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:16.055",,,,,,,,,,,"09/06/2026, 16:47:27.628",true,643,641,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424",80,"09/06/2026, 16:37:16.226","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGcve01n3NPEgK6Rynz59MbwAATiHonCaalOLkgY8D-1-8_3BDyroi4PczMI427EuICJXwbQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:18.950",,,,,,,,,,,"09/06/2026, 16:47:27.524",true,640,638,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain 
Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832",80,"09/06/2026, 16:37:18.841","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG5oeW_AJoaZ7rKRd0RD-QEwAATiE0WSbZ5Xr_iozIB5uTlUfD9VRmnuO1UQP4oY2TXoQgoQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:18.972",,,,,,,,,,,"09/06/2026, 16:47:27.669",true,640,638,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain 
Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880",80,"09/06/2026, 16:37:19.022","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG2NS-7D9iXXrd9oiCzGqp8AAATiFKXiMsUJUF5cpPT49uM2b28uajU1phnuPT7VRmf0_NUQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 20:03:16.769",,,,"09/06/2026, 19:59:14.332",,,,,,,,,,,"09/06/2026, 19:59:17.264",true,2,0,true,closed,exe,"[""pid:89a41ef152b24cdfa7a803fff0eab68c:23758189741944"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758193940407"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758200575452"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758242801321"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758257943177"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762397262465"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762623726895"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782675554226"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782854866792"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782967620435"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23783064978333"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23783077236115"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23786744901801"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23786760958186"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23787550708231"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23847356997520"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23849722536386"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23849798190025"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23853944352223"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23873812906746"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23875844366540"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23898283561357"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23
898327191224"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23898544793244"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899123749521"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899148559611"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899382792878"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899637692004"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900010596594"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900053091817"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900440922135"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900618471530"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900695862526"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23901119262291"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758178051634"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900461226474"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762373514102"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762850302267"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762693036531"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758317082341"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23873735797394"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758246166380"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758184030438"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762777114609"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758324773740"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762760772451"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762737186402"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900504564528"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899308005988"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23919814630705""]",,"C:\WINDOWS\Explorer.EXE",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T10:17:54.6200000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""89a41ef152b24cdfa7a803fff0eab68c"",""external_ip"":""10.0.64.93"",""first_seen"":""2022-04-06T22:47:20.0000000Z"",""group
s"":[""78d26f89268b40288c2483eb1e7b242a"",""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Desktops"",""Desktops\\EndUserDevices"",""Desktops\\EndUserDevices\\Workstations"",""Desktops\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-402220"",""last_seen"":""2026-06-09T19:46:32.0000000Z"",""local_ip"":""10.200.2.11"",""mac_address"":""af-ef-0f-7b-50-9c"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T19:47:02.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Desktops"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC"",""tags"":[""FalconGroupingTags/Pilot-Hosts""]}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","explorer.exe","\Device\HarddiskVolume3\Windows\explorer.exe",common,"{""cmdline"":""winlogon.exe"",""filename"":""winlogon.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\winlogon.exe"",""local_process_id"":""1120"",""md5"":""72ff34390699af1e7c16b4f436c22994"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23755474475149"",""process_id"":""23755474475149"",""sha256"":""4d00732ae68a01660af9adcc145e747731f1fcd113d3850f153059d621054945"",""timestamp"":""2026-05-28T17:49:12.1700000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-402220$""}",,"ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888","[{""ioc_description"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""ioc_source"":""file_write"",""ioc_type"":""hash_sha256
"",""ioc_value"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""md5"":""8fc8fcebec5d02ae5b06668122b38dc7"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""type"":""module""}]",common,13756,CONTOSO,8fc8fcebec5d02ae5b06668122b38dc7,"[{""access_timestamp"":""1780689752"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""49996"",""protocol"":""TCP"",""remote_address"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp"":""1780689752"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""49997"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""},{""access_timestamp"":""1780689754"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""50003"",""protocol"":""TCP"",""remote_address"":""52.96.121.50"",""remote_port"":""443""},{""access_timestamp"":""1780689754"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""50001"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52907"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52905"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52906"",""protocol"":""TCP"",""remote_addres
s"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp"":""1780862792"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59391"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780862792"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59392"",""protocol"":""TCP"",""remote_address"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp"":""1780862793"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59393"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""}]",,"{""cmdline"":""C:\\Windows\\system32\\userinit.exe"",""filename"":""userinit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe"",""local_process_id"":""556"",""md5"":""f6adda386f70bfc095dcd12fb9ce174e"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758042279610"",""process_id"":""23758042279610"",""sha256"":""c389ea869e8e0708e4566c703e9b3212eb8e94ef03477da94ae4b1ec57ea6879"",""timestamp"":""2026-05-28T18:55:05.0000000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",23758042279610,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",,23758051604473,1779994505,,,,dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc,0000000000000000000000000000000000000000,,,,1142461939506,23758051604473,"pid:89a41ef152b24cdfa7a803fff0eab68c:23758051604473",ldt,"S-1-5-21-000000000-1431365391-3430335985-31583","contoso.user","contoso.user@CONTOSO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888",30,"09/06/2026, 19:59:14.332","A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.",,,,"ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888","[{""pattern_id"":5743,""tactic_id"":""CSTA0004"",""technique_id"":""CST0008"",""tactic"":""Machine Learning"",""technique"":""Cloud-based ML""}]","OnWrite-PrewittSensorDetect-Low",,,,,,,,,"aggind:89a41ef152b24cdfa7a803fff0eab68c:1142461939506","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGQzGKlGtyTvPxAS74jEnw2AAATiE06uGX-eYSAN8JzF9sUIZwCBHuznDoFouUWduFf5K_Aw==",,,NGAV,30,Low,,,,,,,"Machine Learning","Cloud-based 
ML",CSTA0004,CST0008,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 20:03:16.769",,,,"09/06/2026, 19:59:16.585",,,,,,,,,,,"09/06/2026, 20:01:33.608",true,0,0,true,new,exe,,,"""C:\LocalData\SyncHost.exe"" ",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T10:17:54.6200000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""89a41ef152b24cdfa7a803fff0eab68c"",""external_ip"":""10.206.64.93"",""first_seen"":""2022-04-06T22:47:20.0000000Z"",""groups"":[""78d26f89268b40288c2483eb1e7b242a"",""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Desktops"",""Desktops\\EndUserDevices"",""Desktops\\EndUserDevices\\Workstations"",""Desktops\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-402220"",""last_seen"":""2026-06-09T19:46:32.0000000Z"",""local_ip"":""10.200.2.11"",""mac_address"":""af-ef-0f-7b-50-9c"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T19:47:02.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Desktops"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC"",""tags"":[""FalconGroupingTags/Pilot-Hosts""]}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","SyncHost.exe","\Device\HarddiskVolume3\LocalData\SyncHost.exe",low,"{""cmdline"":""C:\\Windows\\system32\\userinit.exe"",""filename"":""userinit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe"",""local_process_id"":""556"",""md5"":""f6adda386f70bfc095dcd12fb9ce174e"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758042279610"",""process_id"":""23758042279610"",""sha256"":""c389ea869e8e0708e4566c703e9b3212eb8e94ef03477da94ae4b1ec57ea6879"",""timestamp"":""2026-05-28T18:55:05.0000000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",,"ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936","[{""ioc_description"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""ioc_source"":""library_load"",""ioc_type"":""hash_sha256"",""ioc_value"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""md5"":""8fc8fcebec5d02ae5b06668122b38dc7"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""type"":""module""}]",low,51076,CONTOSO,8fc8fcebec5d02ae5b06668122b38dc7,,,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13756"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758051604473"",""process_id"":""23758051604473"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-04T16:17:59.3630000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-
000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",23758051604473,2048,"Prevention, process was blocked from execution.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":true,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781035093,24068787437407,1781035093,,"[{""filename"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""id"":""89a41ef152b24cdfa7a803fff0eab68c_dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""state"":""quarantined""}]",,dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc,0000000000000000000000000000000000000000,,,,1142461939506,23758051604473,"pid:89a41ef152b24cdfa7a803fff0eab68c:24068787437407",ldt,"S-1-5-21-000000000-1431365391-3430335985-31583","contoso.user","contoso.user@CONTOSO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936",30,"09/06/2026, 19:59:16.585","This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious 
files.",,,,"ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936","[{""pattern_id"":5700,""tactic_id"":""CSTA0004"",""technique_id"":""CST0007"",""tactic"":""Machine Learning"",""technique"":""Sensor-based ML""}]","MLSensor-Low",,,,,,,,,"aggind:89a41ef152b24cdfa7a803fff0eab68c:1142461939506","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGaa1CGy-SvMitNZiwJBRBuQAATiGXQXajUnYl5gJB6USFDkpwZQ1KOYHShewg6MqEbcS3Bg==",,,NGAV,30,Low,,,,,,,"Machine Learning","Sensor-based ML",CSTA0004,CST0007,,,,CrowdStrikeDetections +"3187578c-499a-423e-9c9d-af9a55e1b4db","14/06/2026, 22:18:17.727",,,,"14/06/2026, 22:08:19.867",,,,,,,,,,,"14/06/2026, 22:12:19.819",true,0,7,true,"in_progress",exe,,,"""C:\Program Files\Git\mingw64\bin\curl.exe"" -sL https://raw.githubusercontent.com/org/repo/main/install.ps1 -o C:/Users/CONTOS~1/AppData/Local/Temp/1/install.ps1",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-14T13:51:17.9950000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""b30c6fd50d674d7aa0320c9177391112"",""external_ip"":""10.10.76.6"",""first_seen"":""2025-05-20T20:22:28.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406336"",""last_seen"":""2026-06-14T21:46:27.0000000Z"",""local_ip"":""172.18.112.1"",""mac_address"":""af-5d-0f-15-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-14T22:09:25.0000000Z"",""os_version"":""Windows 
11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""contained"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","curl.exe","\Device\HarddiskVolume3\Program Files\Git\mingw64\bin\curl.exe",common,"{""cmdline"":""\""C:\\Program Files\\Git\\bin\\..\\usr\\bin\\bash.exe\"" --init-file \""c:\\Program Files\\Microsoft VS Code\\0958016b2a\\resources\\app/out/vs/workbench/contrib/terminal/common/scripts/shellIntegration-bash.sh\"""",""filename"":""bash.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Git\\usr\\bin\\bash.exe"",""local_process_id"":""3816"",""md5"":""3844251db42236ae73c8f4ac65183daa"",""process_graph_id"":""pid:b30c6fd50d674d7aa0320c9177391112:33865939130608"",""process_id"":""33865939130608"",""sha256"":""92cff5f145d42f85b55aa3be8d3ad9827844a21ec4fbeaa1ddfe1dd4d76c6474"",""timestamp"":""2026-06-14T22:10:37.0000000Z"",""user_graph_id"":""uid:b30c6fd50d674d7aa0320c9177391112:S-1-5-21-000000000-1431365391-3430335985-79117"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-79117"",""user_name"":""contoso.user""}",,"ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920","[{""ioc_description"":""\\Device\\HarddiskVolume3\\Program Files\\Git\\mingw64\\bin\\curl.exe"",""ioc_source"":""library_load"",""ioc_type"":""hash_sha256"",""ioc_value"":""ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac"",""md5"":""79419f51b3d67a793306b57b12cf52ae"",""sha256"":""ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac"",""type"":""module""}]",common,18140,CONTOSO,79419f51b3d67a793306b57b12cf52ae,,,"{""cmdline"":""\""C:\\Program 
Files\\Git\\bin\\..\\usr\\bin\\bash.exe\"" --init-file \""c:\\Program Files\\Microsoft VS Code\\0958016b2a\\resources\\app/out/vs/workbench/contrib/terminal/common/scripts/shellIntegration-bash.sh\"""",""filename"":""bash.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Git\\usr\\bin\\bash.exe"",""local_process_id"":""14960"",""md5"":""3844251db42236ae73c8f4ac65183daa"",""process_graph_id"":""pid:b30c6fd50d674d7aa0320c9177391112:33866050338150"",""process_id"":""33866050338150"",""sha256"":""92cff5f145d42f85b55aa3be8d3ad9827844a21ec4fbeaa1ddfe1dd4d76c6474"",""timestamp"":""2026-06-14T22:07:17.0000000Z"",""user_graph_id"":""uid:b30c6fd50d674d7aa0320c9177391112:S-1-5-21-000000000-1431365391-3430335985-79117"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-79117"",""user_name"":""contoso.user""}",33866050338150,2048,"Prevention, process was blocked from execution.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":true,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781474837,33866052384653,1781474836,,,,ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac,0000000000000000000000000000000000000000,,,,545461656229,33866052384653,"pid:b30c6fd50d674d7aa0320c9177391112:33866052384653",ldt,"S-1-5-21-000000000-1431365391-3430335985-79117","
contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920",80,"14/06/2026, 22:12:19.819","A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line.",,,,"ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920","[{""pattern_id"":10166,""tactic_id"":""TA0002"",""technique_id"":""T1059.001"",""tactic"":""Execution"",""technique"":""PowerShell""}]",PShellDownloadRun,,,,,,,,,"aggind:b30c6fd50d674d7aa0320c9177391112:545461656229","Follow Through","AACNRXn2HKRAUJk3MJwFIbPGLqcHKD33O3-dk1QSobFDpwAATiH-i9ohRw4qJLIDo3wHX0AAtU8er3XMrHMhihW6jYKv4g==",,,"attacker_methodology",70,High,,,,,,,Execution,PowerShell,TA0002,"T1059.001",,,,CrowdStrikeDetections
From 1ca5ce211d3c77d6c2683f2bf4f403937409ef64 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Wed, 17 Jun 2026 16:00:13 +0200
Subject: [PATCH 2/2] Add custom table definition
---
.../CustomTables/CrowdStrikeDetections.json | 445 ++++++++++++++++++
1 file changed, 445 insertions(+)
create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json b/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
new file mode 100644
index 00000000000..5ad6d7045f4
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
@@ -0,0 +1,445 @@
+{
+ "Name": "CrowdStrikeDetections",
+ "Properties": [
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "AdversaryIds",
+ "type": "Object"
+ },
+ {
+ "name": "Behaviors",
+ "type": "Object"
+ },
+ {
+ "name": "BehaviorsProcessed",
+ "type": "Object"
+ },
+ {
+ "name": "CreatedTimestamp",
+ "type": "DateTime"
+ },
+ {
+ "name": "DateUpdated",
+ "type": "String"
+ },
+ {
+ "name": "DetectionId",
+ "type": "String"
+ },
+ {
+ "name": "FirstBehavior",
+ "type": "DateTime"
+ },
+ {
+ "name": "HostInfo",
+ "type": "Object"
+ },
+ {
+ "name": "LastBehavior",
+ "type": "DateTime"
+ },
+ {
+ "name": "MaxConfidence",
+ "type": "Int32"
+ },
+ {
+ "name": "MaxSeverity",
+ "type": "Int32"
+ },
+ {
+ "name": "MaxSeverityDisplayName",
+ "type": "String"
+ },
+ {
+ "name": "OverwatchNotes",
+ "type": "String"
+ },
+ {
+ "name": "AgentScanId",
+ "type": "String"
+ },
+ {
+ "name": "UpdatedTimestamp",
+ "type": "DateTime"
+ },
+ {
+ "name": "EmailSent",
+ "type": "SByte"
+ },
+ {
+ "name": "SecondsToResolved",
+ "type": "Int32"
+ },
+ {
+ "name": "SecondsToTriaged",
+ "type": "Int32"
+ },
+ {
+ "name": "ShowInUi",
+ "type": "SByte"
+ },
+ {
+ "name": "Status",
+ "type": "String"
+ },
+ {
+ "name": "AllegedFiletype",
+ "type": "String"
+ },
+ {
+ "name": "ChildProcessIds",
+ "type": "Object"
+ },
+ {
+ "name": "CloudIndicator",
+ "type": "SByte"
+ },
+ {
+ "name": "Cmdline",
+ "type": "String"
+ },
+ {
+ "name": "DetectionContext",
+ "type": "Object"
+ },
+ {
+ "name": "Device",
+ "type": "Object"
+ },
+ {
+ "name": "FalconHostLink",
+ "type": "String"
+ },
+ {
+ "name": "Filename",
+ "type": "String"
+ },
+ {
+ "name": "Filepath",
+ "type": "String"
+ },
+ {
+ "name": "GlobalPrevalence",
+ "type": "String"
+ },
+ {
+ "name": "GrandparentDetails",
+ "type": "Object"
+ },
+ {
+ "name": "Incident",
+ "type": "Object"
+ },
+ {
+ "name": "IndicatorId",
+ "type": "String"
+ },
+ {
+ "name": 
"IocContext",
+ "type": "Object"
+ },
+ {
+ "name": "LocalPrevalence",
+ "type": "String"
+ },
+ {
+ "name": "LocalProcessId",
+ "type": "String"
+ },
+ {
+ "name": "LogonDomain",
+ "type": "String"
+ },
+ {
+ "name": "Md5",
+ "type": "String"
+ },
+ {
+ "name": "NetworkAccesses",
+ "type": "Object"
+ },
+ {
+ "name": "OsName",
+ "type": "String"
+ },
+ {
+ "name": "ParentDetails",
+ "type": "Object"
+ },
+ {
+ "name": "ParentProcessId",
+ "type": "String"
+ },
+ {
+ "name": "PatternDisposition",
+ "type": "Int32"
+ },
+ {
+ "name": "PatternDispositionDescription",
+ "type": "String"
+ },
+ {
+ "name": "PatternDispositionDetails",
+ "type": "Object"
+ },
+ {
+ "name": "ProcessEndTime",
+ "type": "String"
+ },
+ {
+ "name": "ProcessId",
+ "type": "String"
+ },
+ {
+ "name": "ProcessStartTime",
+ "type": "String"
+ },
+ {
+ "name": "Quarantined",
+ "type": "SByte"
+ },
+ {
+ "name": "QuarantinedFiles",
+ "type": "Object"
+ },
+ {
+ "name": "ScanId",
+ "type": "String"
+ },
+ {
+ "name": "Sha256",
+ "type": "String"
+ },
+ {
+ "name": "Sha1",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInstanceId",
+ "type": "Int32"
+ },
+ {
+ "name": "TemplateInterfaceId",
+ "type": "Int32"
+ },
+ {
+ "name": "TemplateInterfaceName",
+ "type": "String"
+ },
+ {
+ "name": "TreeId",
+ "type": "String"
+ },
+ {
+ "name": "TreeRoot",
+ "type": "String"
+ },
+ {
+ "name": "TriggeringProcessGraphId",
+ "type": "String"
+ },
+ {
+ "name": "DetectionType",
+ "type": "String"
+ },
+ {
+ "name": "UserId",
+ "type": "String"
+ },
+ {
+ "name": "UserName",
+ "type": "String"
+ },
+ {
+ "name": "UserPrincipal",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToName",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToUid",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToUuid",
+ "type": "String"
+ },
+ {
+ "name": "Cid",
+ "type": "String"
+ },
+ {
+ "name": "CompositeId",
+ "type": "String"
+ },
+ {
+ "name": "Confidence",
+ "type": "Int32"
+ },
+ {
+ "name": "CrawledTimestamp",
+ "type": 
"DateTime"
+ },
+ {
+ "name": "Description",
+ "type": "String"
+ },
+ {
+ "name": "EndTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Entities",
+ "type": "Object"
+ },
+ {
+ "name": "EntityValues",
+ "type": "Object"
+ },
+ {
+ "name": "Id",
+ "type": "String"
+ },
+ {
+ "name": "MitreAttack",
+ "type": "Object"
+ },
+ {
+ "name": "Name",
+ "type": "String"
+ },
+ {
+ "name": "References",
+ "type": "Object"
+ },
+ {
+ "name": "SourceEventModel",
+ "type": "String"
+ },
+ {
+ "name": "Tactics",
+ "type": "Object"
+ },
+ {
+ "name": "TacticIds",
+ "type": "Object"
+ },
+ {
+ "name": "Techniques",
+ "type": "Object"
+ },
+ {
+ "name": "TechniqueIds",
+ "type": "Object"
+ },
+ {
+ "name": "XdrDetectionId",
+ "type": "String"
+ },
+ {
+ "name": "AddedPrivileges",
+ "type": "Object"
+ },
+ {
+ "name": "AggregateId",
+ "type": "String"
+ },
+ {
+ "name": "Objective",
+ "type": "String"
+ },
+ {
+ "name": "PolyId",
+ "type": "String"
+ },
+ {
+ "name": "PreviousPrivileges",
+ "type": "String"
+ },
+ {
+ "name": "Privileges",
+ "type": "String"
+ },
+ {
+ "name": "Scenario",
+ "type": "String"
+ },
+ {
+ "name": "Severity",
+ "type": "Int32"
+ },
+ {
+ "name": "SeverityName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountDomain",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountObjectGuid",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountObjectSid",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountSamAccountName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountUpn",
+ "type": "String"
+ },
+ {
+ "name": "Tactic",
+ "type": "String"
+ },
+ {
+ "name": "Technique",
+ "type": "String"
+ },
+ {
+ "name": "TacticId",
+ "type": "String"
+ },
+ {
+ "name": "TechniqueId",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInstanceIdText",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInterfaceIdText",
+ "type": "String"
+ },
+ {
+ "name": "SourceSystem",
+ "type": "String"
+ },
+ {
+ "name": "Type",
+ 
"type": "String"
+ },
+ {
+ "name": "_ItemId",
+ "type": "String"
+ }
+ ]
+}
\ No newline at end of file
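Review bot: `ProcessStartTime` and `ProcessEndTime` are declared `"type": "String"` here, while the sample rows added in the first patch carry epoch-seconds integers in those columns (e.g. `1779994505`, `1781035093`), and `EmailSent`/`ShowInUi` are declared `SByte` while the same rows hold `true`. This file is what the KQL validation tests resolve `CrowdStrikeDetections` against, so a column type that differs from the ingested table lets a parser's `tolong()`/`todatetime()`/bool handling pass validation and then misbehave at query time, or the reverse; it is worth confirming each disputed type against the live table (`CrowdStrikeDetections | getschema`) and against how the other definitions in this folder represent bool columns, which I have not checked. Whether the schema was exported from a live workspace or typed by hand cannot be told from the file, and JSON has no comment syntax, so a one-line statement of its provenance in the CHANGELOG entry would help the next maintainer. The file also ends without a trailing newline.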