Vendor: CrowdStrike Product: Falcon Rules Models MITRE TTPs Event Types Parsers 777 186 121 26 26 Use-Case Event Types/Parsers MITRE TTP Content Abnormal Authentication & Access app-activity ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 app-activity-failed ↳crowdstrike-config-change app-login ↳s-crowdstrike-app-login-5 ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳leef-crowdstrike-app-login authentication-failed ↳crowdstrike-auth-failed-1 ↳crowdstrike-auth-failed-2 batch-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 computer-logon ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created dlp-alert ↳crowdstrike-win-task-created dlp-email-alert-out-failed ↳crowdstrike-logon ↳crowdstrike-logon-2 failed-app-login ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 file-alert ↳crowdstrike-network-connection file-delete ↳crowdstrike-file-read-2 ↳crowdstrike-file-read-3 ↳s-crowdstrike-app-ransomware ↳crowdstrike-file-read ↳crowdstrike-file-operations-1 file-download ↳crowdstrike-file-alert file-read ↳crowdstrike-file-download ↳crowdstrike-file-download-1 file-write ↳crowdstrike-file-delete-1 ↳crowdstrike-file-operations-1 local-logon ↳falcon-dns-request ↳crowdstrike-logon ↳crowdstrike-logon-2 network-connection-failed ↳crowdstrike-process-network network-connection-successful ↳crowdstrike-usb-connect ↳crowdstrike-usb-insert process-alert ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login-3 ↳s-crowdstrike-app-login-2 ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳s-crowdstrike-app-login-10 ↳leef-crowdstrike-app-login process-created ↳crowdstrike-file-write-9 ↳crowdstrike-modify-binary ↳crowdstrike-file-write-4 ↳crowdstrike-file-write-10 ↳crowdstrike-file-write-3 ↳crowdstrike-file-write-11 ↳crowdstrike-file-write-2 ↳crowdstrike-file-write-12 ↳crowdstrike-file-write-1 ↳crowdstrike-file-write-13 ↳crowdstrike-file-write-14 ↳crowdstrike-file-write-8 ↳crowdstrike-file-write-7 ↳crowdstrike-file-write-6 ↳crowdstrike-file-write ↳crowdstrike-file-write-5 ↳crowdstrike-file-operations-1 process-network ↳crowdstrike-usb-alert remote-access ↳crowdstrike-logon ↳crowdstrike-logon-2 ↳crowdstrike-host-info ↳crowdstrike-user-identity remote-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 security-alert ↳crowdstrike-file-process-alert-2 ↳s-crowdstrike-process-alert ↳q-crowdstrike-process-alert-1 service-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 usb-activity ↳crowdstrike-security-alert-2 ↳s-crowdstrike-app-dll-alert ↳crowdstrike-security-alert-6 ↳leef-crowdstrike-dnsrequests ↳crowdstrike-security-alert-4 ↳crowdstrike-security-alert-5 ↳leef-crowdstrike-networkaccesses ↳leef-crowdstrike-documentsaccessed ↳cef-crowdstrike-alert ↳leef-crowdstrike-executableswritten ↳crowdstrike-security-alert ↳leef-crowdstrike-detectionsummaryevent ↳s-crowdstrike-security-alert ↳leef-crowdstrike-alert usb-insert ↳crowdstrike-usb-disconnect T1021 - Remote ServicesT1078 - Valid AccountsT1078.003 - Valid Accounts: Local AccountsT1133 - External Remote Services 72 Rules31 Models Account Manipulation app-activity ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 app-activity-failed ↳crowdstrike-config-change app-login ↳s-crowdstrike-app-login-5 ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳leef-crowdstrike-app-login authentication-failed ↳crowdstrike-auth-failed-1 ↳crowdstrike-auth-failed-2 batch-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 computer-logon ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created dlp-alert ↳crowdstrike-win-task-created dlp-email-alert-out-failed ↳crowdstrike-logon ↳crowdstrike-logon-2 failed-app-login ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 file-alert ↳crowdstrike-network-connection file-delete ↳crowdstrike-file-read-2 ↳crowdstrike-file-read-3 ↳s-crowdstrike-app-ransomware ↳crowdstrike-file-read ↳crowdstrike-file-operations-1 file-download ↳crowdstrike-file-alert file-read ↳crowdstrike-file-download ↳crowdstrike-file-download-1 file-write ↳crowdstrike-file-delete-1 ↳crowdstrike-file-operations-1 local-logon ↳falcon-dns-request ↳crowdstrike-logon ↳crowdstrike-logon-2 network-connection-failed ↳crowdstrike-process-network network-connection-successful ↳crowdstrike-usb-connect ↳crowdstrike-usb-insert process-alert ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login-3 ↳s-crowdstrike-app-login-2 ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳s-crowdstrike-app-login-10 ↳leef-crowdstrike-app-login process-created ↳crowdstrike-file-write-9 ↳crowdstrike-modify-binary ↳crowdstrike-file-write-4 ↳crowdstrike-file-write-10 ↳crowdstrike-file-write-3 ↳crowdstrike-file-write-11 ↳crowdstrike-file-write-2 ↳crowdstrike-file-write-12 ↳crowdstrike-file-write-1 ↳crowdstrike-file-write-13 ↳crowdstrike-file-write-14 ↳crowdstrike-file-write-8 ↳crowdstrike-file-write-7 ↳crowdstrike-file-write-6 ↳crowdstrike-file-write ↳crowdstrike-file-write-5 ↳crowdstrike-file-operations-1 process-network ↳crowdstrike-usb-alert remote-access ↳crowdstrike-logon ↳crowdstrike-logon-2 ↳crowdstrike-host-info ↳crowdstrike-user-identity remote-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 security-alert ↳crowdstrike-file-process-alert-2 ↳s-crowdstrike-process-alert ↳q-crowdstrike-process-alert-1 service-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 usb-activity ↳crowdstrike-security-alert-2 ↳s-crowdstrike-app-dll-alert ↳crowdstrike-security-alert-6 ↳leef-crowdstrike-dnsrequests ↳crowdstrike-security-alert-4 ↳crowdstrike-security-alert-5 ↳leef-crowdstrike-networkaccesses ↳leef-crowdstrike-documentsaccessed ↳cef-crowdstrike-alert ↳leef-crowdstrike-executableswritten ↳crowdstrike-security-alert ↳leef-crowdstrike-detectionsummaryevent ↳s-crowdstrike-security-alert ↳leef-crowdstrike-alert usb-insert ↳crowdstrike-usb-disconnect T1003 - OS Credential DumpingT1047 - Windows Management InstrumentationT1078 - Valid AccountsT1098 - Account ManipulationT1098.002 - Account Manipulation: Exchange Email Delegate PermissionsT1136 - Create AccountT1136.001 - Create Account: Create: Local AccountT1175 - T1175T1531 - Account Access Removal 22 Rules9 Models Next Page -->> ATT&CK Matrix for Enterprise Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact External Remote ServicesValid AccountsExploit Public Fasing ApplicationPhishing Windows Management InstrumentationCommand and Scripting InterperterScheduled Task/JobScriptingSystem ServicesExploitation for Client ExecutionUser ExecutionScheduled Task/Job: Scheduled TaskCommand and Scripting Interperter: PowerShellScheduled Task/Job: At (Windows) Pre-OS BootCreate AccountCreate or Modify System ProcessExternal Remote ServicesValid AccountsHijack Execution FlowServer Software Component: Web ShellAccount ManipulationBITS JobsCreate or Modify System Process: Windows ServiceScheduled Task/JobServer Software ComponentEvent Triggered ExecutionTraffic SignalingBoot or Logon Autostart ExecutionCreate Account: Create: Local AccountAccount Manipulation: Exchange Email Delegate Permissions Access Token Manipulation: Token Impersonation/TheftCreate or Modify System ProcessValid AccountsAccess Token ManipulationExploitation for Privilege EscalationHijack Execution FlowProcess InjectionScheduled Task/JobAbuse Elevation Control MechanismEvent Triggered ExecutionBoot or Logon Autostart ExecutionProcess Injection: Dynamic-link Library InjectionAbuse Elevation Control Mechanism: Bypass User Account Control Hide ArtifactsIndirect Command ExecutionImpair DefensesIndicator Removal on Host: Clear Windows Event LogsTraffic SignalingTrusted Developer Utilities Proxy ExecutionMasquerading: Match Legitimate Name or LocationMasquerading: Rename System UtilitiesFile and Directory Permissions Modification: Windows File and Directory Permissions ModificationObfuscated Files or Information: Compile After DeliveryObfuscated Files or Information: Indicator Removal from ToolsHijack Execution Flow: DLL Side-LoadingIndicator Removal on Host: File DeletionMasqueradingValid AccountsModify RegistryBITS JobsUse Alternate Authentication MaterialHide Artifacts: NTFS File AttributesUse Alternate Authentication Material: Pass the HashIndicator Removal on HostPre-OS BootFile and Directory Permissions ModificationXSL Script ProcessingDeobfuscate/Decode Files or InformationAbuse Elevation Control MechanismImpair Defenses: Disable or Modify System FirewallObfuscated Files or InformationSigned Binary Proxy Execution: Compiled HTML FileAccess Token ManipulationExploitation for Defense EvasionHijack Execution FlowProcess InjectionValid Accounts: Local AccountsSigned Binary Proxy Execution: MsiexecSigned Binary Proxy ExecutionSigned Binary Proxy Execution: Regsvcs/RegasmSigned Binary Proxy Execution: CMSTPSigned Binary Proxy Execution: Control PanelSigned Binary Proxy Execution: InstallUtilSigned Binary Proxy Execution: Regsvr32Trusted Developer Utilities Proxy Execution: MSBuildSigned Binary Proxy Execution: Rundll32 OS Credential DumpingInput CaptureUnsecured CredentialsMan-in-the-MiddleSteal or Forge Kerberos TicketsSteal or Forge Kerberos Tickets: KerberoastingNetwork Sniffing Network Service ScanningAccount DiscoveryDomain Trust DiscoveryAccount Discovery: Local AccountAccount Discovery: Domain AccountFile and Directory DiscoveryNetwork SniffingSystem Information DiscoveryNetwork Share DiscoveryQuery RegistryProcess DiscoverySystem Owner/User DiscoverySystem Network Configuration Discovery Exploitation of Remote ServicesRemote ServicesRemote Services: SMB/Windows Admin SharesUse Alternate Authentication MaterialRemote Services: Remote Desktop Protocol Email CollectionInput CaptureAudio CaptureArchive Collected DataMan-in-the-MiddleEmail Collection: Email Forwarding Rule Non-Standard PortData EncodingData Encoding: Standard EncodingRemote Access SoftwareDynamic ResolutionTraffic SignalingIngress Tool TransferDynamic Resolution: Domain Generation AlgorithmsProxy: Multi-hop ProxyProxy: External ProxyApplication Layer ProtocolProxy Exfiltration Over Alternative ProtocolExfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolExfiltration Over Physical Medium: Exfiltration over USBExfiltration Over Physical MediumAutomated Exfiltration Account Access RemovalResource HijackingData Encrypted for ImpactInhibit System Recovery