List all Identity Protection Detections
List of all IDP detections.
Identity monitoring
FDR | Intermediate | by CrowdStrike (cql-hub.com) | 1 min read
Query
// Identity Protection detection summary events from the detections repository
#repo=detections ExternalApiType=Event_IdpDetectionSummaryEvent
// Shorten endpoint and account field names for readability
| rename([[TargetEndpointHostName, TargetEndpoint], [SourceEndpointHostName, SourceEndpoint], [TargetAccountName, TargetAccount], [SourceAccountName, SourceAccount]])
// Turn the Falcon console URL into a clickable markdown link
| format("[FalconHostLink](%s)", field=[FalconHostLink], as="FalconHostLink")
// Combine MITRE tactic and technique into one field
| format(format="%s > %s", field=[Tactic, Technique], as=MITRE)
// Per target account: severity-weighted score, unique and total detection counts, MITRE/source lists, and the link of the most recent detection
| groupBy([TargetAccount], function=([sum(Severity, as=Weight), count(DetectName, distinct=true, as=UniqueDetections), count(DetectName, as=TotalDetections), collect([MITRE, SourceEndpoint]), selectFromMax(field="@timestamp", include=[FalconHostLink])]))
| rename(field="FalconHostLink", as="Most Recent Detection")
// Highest-weighted accounts first, capped at 200 rows
| sort(Weight, order=desc, limit=200)
Explanation
Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values to match your environment.