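---
# Sigma converter configuration for CrowdStrike Falcon. The Falcon portal's
# event search uses Splunk-style query syntax, hence the title.
title: Splunk used in Falcon Portal
# Ordering when several configurations are combined (lower is presumably
# applied first — TODO confirm against the converter's config-merge order).
order: 20
# Backends this configuration is valid for.
backends:
  - crowdstrike
# Sigma logsource definitions this configuration recognises. A rule whose
# logsource matches an entry has that entry's `conditions` added to the
# generated query.
logsources:
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      # Sysmon Event ID 1 = process creation. Every rule that targets the
      # sysmon service is narrowed to this event, so Sysmon rules for other
      # telemetry (network connections, registry, image loads, ...) will not
      # match Falcon data through this mapping as-is — review coverage before
      # relying on them.
      EventID: 1
  process_creation_1:
    category: process_creation
    product: windows
# Sigma field name (key) -> Falcon event field name (value).
# NOTE(review): Sigma fields not listed here (e.g. ParentImage,
# ParentCommandLine) presumably pass through unmapped and will not match
# Falcon's schema — verify the generated query before deploying a rule.
fieldmappings:
  EventID: EventID
  CommandLine: Commandline
  Command_Line: Commandline  # alternate spelling used by some rules
  # NOTE(review): Falcon's ImageFileName is usually a device path
  # (\Device\HarddiskVolumeN\...) rather than a drive-letter path; rules that
  # anchor on a "C:\..." prefix in Image may silently never match — confirm.
  Image: ImageFileName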