Azure · Alekhya0824 · May 14, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
@@ -1,7 +1,10 @@
 id: 4465ebde-b381-45f7-ad08-7d818070a11c
 name: Critical or High Severity Detections by User
 description: |
-  'Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user'
+  'Creates an incident when a large number of Critical or High severity CrowdStrike Falcon sensor detections is
+  triggered by a single user within 1 hour. The rule uses the CrowdStrikeFalconEventStream table, filters for DetectionSummaryEvent
+  records with Severity set to Critical or High, and alerts when detections for a single DstUserName exceed the configured
+  threshold of 15. Review DstHostName, SrcIpAddr, FileName, FileHash, and Message for investigation context.'
 severity: High
 status: Available
 requiredDataConnectors:
@@ -12,42 +15,45 @@ queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
-tactics: []
-relevantTechniques: []
+tactics: 
+- Impact
+- DefenseEvasion
+relevantTechniques:
+- T1562
+- T1489
 query: |
   let timeframe = 1h;
   let threshold = 15; // update threshold value based on organization's preference
-  let NoteableEvents = CrowdStrikeFalconEventStream
+  let NotableEvents = CrowdStrikeFalconEventStream
   | where TimeGenerated > ago(timeframe)
   | where EventType == "DetectionSummaryEvent"
   | where Severity in ("Critical", "High")
-  | summarize Total = count() by DstUserName
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstUserName, DstHostName, SrcIpAddr, FileName, FileHash, Message
   | where Total > threshold;
-  CrowdStrikeFalconEventStream
-  | where TimeGenerated > ago(timeframe)
-  | where EventType == "DetectionSummaryEvent"
-  | where Severity in ("Critical", "High")
-  | join kind=inner (NoteableEvents) on DstUserName
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, FileName, FileHash, Message
+  NotableEvents
   | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"
+  | project timestamp, StartTimeUtc, EndTimeUtc, DstUserName, DstHostName, SrcIpAddr, FileName, FileHash, FileHashAlgo, Message, Total, AccountCustomEntity, HostCustomEntity, IPCustomEntity, FileHashCustomEntity
 entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: IPCustomEntity
-  - entityType: FileHash
-    fieldMappings:
-      - identifier: Algorithm
-        columnName: FileHashAlgo
-      - identifier: Value
-        columnName: FileHashCustomEntity
-version: 1.0.4
+- entityType: Account
+  fieldMappings:
+  - identifier: FullName
+    columnName: AccountCustomEntity
+- entityType: Host
+  fieldMappings:
+  - identifier: FullName
+    columnName: HostCustomEntity
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: IPCustomEntity
+- entityType: FileHash
+  fieldMappings:
+  - identifier: Algorithm
+    columnName: FileHashAlgo
+  - identifier: Value
+    columnName: FileHashCustomEntity
+alertDetailsOverride:
+  alertDisplayNameFormat: 'CrowdStrike critical/high detections by user: {{DstUserName}}'
+  alertDescriptionFormat: User {{DstUserName}} generated {{Total}} critical/high detections from host {{DstHostName}}.
+version: 1.0.5
 kind: Scheduled
@@ -12,8 +12,10 @@ queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
-tactics: []
-relevantTechniques: []
+tactics:
+- Execution
+relevantTechniques:
+- T1204.002
 query: |
   let timeframe = 1h;
   CrowdStrikeFalconEventStream
@@ -22,24 +24,38 @@ query: |
   | where Severity == "Critical"
   | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message
   | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash, FileHashAlgo = "MD5"
+  | project StartTimeUtc, EndTimeUtc, Total, DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message, timestamp, AccountCustomEntity, HostCustomEntity, IPCustomEntity, FileHashCustomEntity, FileHashAlgo
 entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: IPCustomEntity
-  - entityType: FileHash
-    fieldMappings:
-      - identifier: Algorithm
-        columnName: FileHashAlgo
-      - identifier: Value
-        columnName: FileHashCustomEntity
-version: 1.0.4
-kind: Scheduled
+- entityType: Account
+  fieldMappings:
+  - identifier: FullName
+    columnName: AccountCustomEntity
+- entityType: Host
+  fieldMappings:
+  - identifier: FullName
+    columnName: HostCustomEntity
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: IPCustomEntity
+- entityType: FileHash
+  fieldMappings:
+  - identifier: Algorithm
+    columnName: FileHashAlgo
+  - identifier: Value
+    columnName: FileHashCustomEntity
+alertDetailsOverride:
+  alertDisplayNameFormat: CrowdStrike critical detection on {{DstHostName}}
+  alertDescriptionFormat: 'CrowdStrike reported {{Total}} critical detection(s) on {{DstHostName}} for {{DstUserName}}.'
+customDetails:
+  DetectionCount: Total
+  DetectionMessage: Message
+  DetectionTechnique: Technique
+  DetectionActivity: Activity
+  DetectionFileName: FileName
+  DetectionFilePath: FilePath
+  DetectionHost: DstHostName
+  DetectionUser: DstUserName
+  DetectionSourceIp: SrcIpAddr
+version: 1.0.5
+kind: Scheduled
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -183,7 +183,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user"
+                  "text": "Creates an incident when a large number of Critical or High severity CrowdStrike Falcon sensor detections is\ntriggered by a single user within 1 hour. The rule uses the CrowdStrikeFalconEventStream table, filters for DetectionSummaryEvent\nrecords with Severity set to Critical or High, and alerts when detections for a single DstUserName exceed the configured\nthreshold of 15. Review DstHostName, SrcIpAddr, FileName, FileHash, and Message for investigation context."
                 }
               }
             ]