mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-11-02 12:53:15 +00:00
24 lines
887 B
XML
24 lines
887 B
XML
<group name="crowdstrike,siemconnector">
|
|
<rule id="200850" level="5">
|
|
<field name="metadata.customerIDString">\.+</field>
|
|
<options>no_full_log</options>
|
|
<description>CrowdStrike Alert - $(event.OperationName)</description>
|
|
</rule>
|
|
<rule id="200851" level="1">
|
|
<if_sid>200850</if_sid>
|
|
<field name="event.OperationName">streamStopped</field>
|
|
<description>CrowdStrike Alert - Ignore Stream Stopped</description>
|
|
</rule>
|
|
<rule id="200852" level="1">
|
|
<if_sid>200850</if_sid>
|
|
<field name="event.OperationName">streamStarted</field>
|
|
<description>CrowdStrike Alert - Ignore Stream Started</description>
|
|
</rule>
|
|
<rule id="200853" level="8">
|
|
<if_sid>200850</if_sid>
|
|
<field name="event.Severity">\.+</field>
|
|
<options>no_full_log</options>
|
|
<description>CrowdStrike Alert - $(event.DetectDescription)</description>
|
|
</rule>
|
|
</group>
|