IBM QRadar

  • 1.  Rule finetuning

    Posted Mon December 07, 2020 11:18 AM

    Hello Everyone,

    Looking for some help in fine-tuning QR rules to trigger offenses for the event stream received from the CrowdStrike App with critical/high/medium detections.

    Any help in this regard is highly appreciated, as my team is new to QR technology.

    Thanks.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Rule finetuning

    Posted Tue December 15, 2020 01:37 PM

    Hi,

    Provided you are using the latest DSM for CrowdStrike, your events should get normalized successfully. Based on that, you can easily identify the events in Log Activity that you want your QR rules to trigger on. The easiest way is to test on the specific QID you are looking for and create an offense. Combine that with more specific tests for user, IP and network objects. Store the objects you test on in your rule in refsets. Using the Case Manager app for fine-tuning your rule helps a lot.

    BR Karl





  • 3.  RE: Rule finetuning

    Posted Wed December 16, 2020 02:56 AM

    Hi Karl, thanks for the response. Much appreciated.


    Sure, using the CrowdStrike (CS) App, I managed to get the event stream coming in. I also created a custom rule to trigger an offense for every detection received from CS.


    It looks like the rule works fine; however, I can see that events associated with the "Custom Rule Engine-8" log source type are also part of the offense, along with the "CrowdStrike Detection" log source. This keeps me thinking: what is the other log source about, as most of them are in the "Stored" category? I am also worried that it may eat up our EPS.


    Any advice here? Thanks.



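Three AQL queries for the Log Activity tab that follow Karl's advice (find the normalized CrowdStrike events and their QIDs, then combine the QID/severity test with a reference-set test) and that answer the follow-up question by breaking an offense's events down by log source type so the share of Custom Rule Engine events is visible. This is an added example, not code from the thread or from IBM; the log source type name 'CrowdStrike Falcon', the reference set 'CS_Watched_Hosts', the severity thresholds and the offense id 1234 are placeholders you must replace with your own values.

```sql
-- Added example, not from the thread. AQL for the Log Activity advanced search box.
-- Placeholders: log source type 'CrowdStrike Falcon', reference set 'CS_Watched_Hosts',
-- offense id 1234 and the severity thresholds (QRadar severity is a 0-10 scale).

-- 1) Which CrowdStrike events and QIDs arrive, and how often: pick the QIDs the
--    rule should test on from this list rather than matching on the whole log source.
SELECT QIDNAME(qid) AS event_name,
       qid,
       severity,
       COUNT(*) AS cnt
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'CrowdStrike Falcon'
  AND severity >= 5
GROUP BY qid, severity
ORDER BY cnt DESC
LAST 7 DAYS

-- 2) The same filter combined with a reference-set test on the source IP; this is the
--    shape of the rule test "source IP is contained in the reference set CS_Watched_Hosts".
SELECT starttime, QIDNAME(qid) AS event_name, severity, sourceip, username
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'CrowdStrike Falcon'
  AND severity >= 7
  AND REFERENCESETCONTAINS('CS_Watched_Hosts', sourceip)
ORDER BY starttime DESC
LAST 24 HOURS

-- 3) Events attached to one offense, grouped by log source type and log source name,
--    so 'Custom Rule Engine' rows can be compared with 'CrowdStrike Detection' rows.
SELECT LOGSOURCETYPENAME(devicetype) AS ls_type,
       LOGSOURCENAME(logsourceid) AS ls_name,
       QIDNAME(qid) AS event_name,
       COUNT(*) AS cnt
FROM events
WHERE INOFFENSE(1234)
GROUP BY devicetype, logsourceid, qid
ORDER BY cnt DESC
LAST 7 DAYS
```

Run each statement on its own; the Log Activity search box accepts one AQL statement at a time.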