
Enriched Process Tree Association Events

The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information.

Tags: EDR, detection, FDR, intermediate
By CrowdStrike (cql-hub.com). 1 min read.

Query

#event_simpleName=AssociateTreeIdWithRoot
| PatternId =~ match(file="falcon/investigate/detect_patterns.csv", column=PatternId, strict=false)
| select([@timestamp, aid, ComputerName, PatternId, name, scenario, scenarioFriendly, description, severity, show_in_ui, killchain_stage, tactic, technique, objective, pattern_updated])

Explanation

Imported from cql-hub.com.

Pipe by pipe: the first line, #event_simpleName=AssociateTreeIdWithRoot, keeps only the process-tree association events. The second line looks up each event's PatternId in the PatternId column of the lookup file falcon/investigate/detect_patterns.csv and copies that row's remaining columns (name, scenario, scenarioFriendly, description, severity, show_in_ui, killchain_stage, tactic, technique, objective, pattern_updated) onto the event. Because strict=false is set, an event whose PatternId has no row in the file is kept rather than dropped; its enrichment fields are simply empty. The third line, select([...]), trims the output to the timestamp, agent id (aid), host name, PatternId and the enrichment columns.

A quick sanity check when reading the results: if every row comes back with empty name and severity fields, the lookup file is missing from the repository or its PatternId column does not contain the values seen in the events. Running the same query with strict=true temporarily shows only the events that actually matched a row.
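The following Python is an added example, not code from cql-hub.com or from CrowdStrike. It reproduces the query's enrichment logic over constructed data: a small in-memory stand-in for the detect_patterns.csv lookup file (its real contents are not on the page; the column layout is assumed from the fields the query selects) and four constructed events. It shows the filter on #event_simpleName, the PatternId lookup, the strict=false behaviour for an unmatched PatternId, and the final field selection.

```python
import csv
import io

# Constructed stand-in for falcon/investigate/detect_patterns.csv (assumed column
# layout; the values are invented for the example, not real Falcon pattern rows).
DETECT_PATTERNS_CSV = """PatternId,name,scenario,scenarioFriendly,description,severity,show_in_ui,killchain_stage,tactic,technique,objective,pattern_updated
101,CredentialDumpLsass,credential_theft,Credential Theft,A process read LSASS memory,High,true,Exploitation,Credential Access,OS Credential Dumping,Gain Access,2024-01-15
202,SuspiciousPowerShell,malicious_script,Malicious Script,Encoded PowerShell command line,Medium,true,Execution,Execution,PowerShell,Run Code,2024-02-01
"""

# Constructed sample events; not real Falcon Data Replicator telemetry.
SAMPLE_EVENTS = [
    {"#event_simpleName": "AssociateTreeIdWithRoot", "@timestamp": 1700000000000,
     "aid": "aid-001", "ComputerName": "WS-01", "PatternId": "101"},
    {"#event_simpleName": "AssociateTreeIdWithRoot", "@timestamp": 1700000001000,
     "aid": "aid-002", "ComputerName": "WS-02", "PatternId": "999"},   # no CSV row
    {"#event_simpleName": "ProcessRollup2", "@timestamp": 1700000002000,
     "aid": "aid-003", "ComputerName": "WS-03", "PatternId": "202"},   # wrong event type
    {"#event_simpleName": "AssociateTreeIdWithRoot", "@timestamp": 1700000003000,
     "aid": "aid-004", "ComputerName": "WS-04", "PatternId": "202"},
]

# Field list from the query's select([...]) pipe, in output order.
SELECTED_FIELDS = ["@timestamp", "aid", "ComputerName", "PatternId", "name", "scenario",
                   "scenarioFriendly", "description", "severity", "show_in_ui",
                   "killchain_stage", "tactic", "technique", "objective", "pattern_updated"]


def load_lookup(csv_text, column):
    """Index the CSV rows by the lookup column, like match(file=..., column=...)."""
    return {row[column]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, lookup, key="PatternId", strict=False):
    """Apply the three pipes: event-type filter, CSV match, field selection.

    strict=False keeps events with no matching row (their enrichment fields stay
    empty); strict=True drops them, mirroring the LogScale match() parameter.
    """
    out = []
    for ev in events:
        if ev.get("#event_simpleName") != "AssociateTreeIdWithRoot":
            continue                                   # pipe 1: event filter
        merged = dict(ev)
        row = lookup.get(ev.get(key))
        if row is None:
            if strict:
                continue                               # pipe 2, strict=true: drop
        else:
            for col, val in row.items():
                if col != key:                         # keep the event's own key value
                    merged[col] = val                  # pipe 2: copy CSV columns
        out.append({f: merged.get(f, "") for f in SELECTED_FIELDS})  # pipe 3: select
    return out


def run_example(strict=False):
    """Run the constructed events through the constructed lookup."""
    return enrich(SAMPLE_EVENTS, load_lookup(DETECT_PATTERNS_CSV, "PatternId"), strict=strict)


if __name__ == "__main__":
    for record in run_example():
        print(record["ComputerName"], record["PatternId"], record["name"] or "<no match>",
              record["severity"] or "<no match>")
```

With strict=False the run yields three records: WS-01 enriched with the CredentialDumpLsass row, WS-02 kept with empty enrichment fields because PatternId 999 has no row, and WS-04 enriched with the SuspiciousPowerShell row; the ProcessRollup2 event never passes the first pipe. Switching to strict=True drops WS-02, which is the quick way to confirm that the lookup file is actually matching.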

Variables to adjust

Review and adjust the values to suit your environment.