Vendor: CrowdStrike

April 15, 2026 · View on GitHub

Product: Falcon

RulesModelsMITRE ATT&CK® TTPsActivity TypesParsers
67818416833109
Use-CaseActivity Types/ParsersMITRE ATT&CK® TTPContent
Abnormal Authentication & Accessaccount-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted

account-switch
crowdstrike-falcon-json-user-switch-sudocommandattempt
crowdstrike-falcon-json-user-switch-sudocommandattempt
crowdstrike-falcon-json-user-switch-sudocommandattempt
crowdstrike-falcon-json-user-switch-sudocommandattempt

app-activity
crowdstrike-falcon-cef-file-success-info
crowdstrike-falcon-json-file-write-success-written
crowdstrike-falcon-sk4-file-write-success-written
crowdstrike-falcon-cef-file-write-success-written
crowdstrike-falcon-cef-file-write-success-fsvolumemounted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-cef-app-activity-deleteuser
crowdstrike-falcon-cef-app-activity-createuser
crowdstrike-falcon-cef-app-activity-grantuserroles
crowdstrike-falcon-cef-app-activity-revokeuserroles
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-sk4-app-activity-success-resetapiclientsecret
crowdstrike-falcon-json-app-activity-success-scriptcontrolscantelemetry
crowdstrike-falcon-json-app-activity-eambypassevent
crowdstrike-falcon-json-app-activity-idpentityriskscorechange
crowdstrike-falcon-json-app-activity-success-falcon_device
crowdstrike-falcon-sk4-app-activity-success-authactivityauditevent
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-cef-endpoint-notification-discovererdevicetype
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-cef-app-activity-useractivityauditevent-1
crowdstrike-falcon-cef-app-activity-useractivityauditevent

app-login
crowdstrike-falcon-json-app-login-streamstarted-1
crowdstrike-falcon-cef-app-login-accepteula
crowdstrike-falcon-json-app-login-createapi
crowdstrike-falcon-leef-app-login-falconhost
crowdstrike-falcon-json-app-login-twofactorauth
crowdstrike-falcon-json-app-login-streamstarted
crowdstrike-falcon-cef-app-login-authactivity
crowdstrike-falcon-json-app-login-apiactivityauditevent
crowdstrike-falcon-cef-app-login-success-assert-1
crowdstrike-falcon-json-app-login-success-assert
crowdstrike-falcon-json-app-login-userauth
crowdstrike-falcon-json-app-login-fdritemsexplorer
crowdstrike-falcon-cef-app-login-success-startevent
crowdstrike-falcon-json-app-login-sso
crowdstrike-falcon-sk4-app-login-authentication
crowdstrike-falcon-json-app-login-authentication

audit-log-clear
crowdstrike-falcon-kv-log-clear-eventlogcleared

authentication-failed
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1
crowdstrike-falcon-sk4-endpoint-login-userloginfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1
crowdstrike-falcon-sk4-endpoint-login-userloginfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1
crowdstrike-falcon-sk4-endpoint-login-userloginfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail
crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1
crowdstrike-falcon-sk4-endpoint-login-userloginfail

authentication-successful
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin

failed-app-login
crowdstrike-falcon-json-app-login-sso
crowdstrike-falcon-json-app-login-streamstarted-1
crowdstrike-falcon-cef-app-login-accepteula
crowdstrike-falcon-json-app-login-createapi
crowdstrike-falcon-leef-app-login-falconhost
crowdstrike-falcon-json-app-login-twofactorauth
crowdstrike-falcon-json-app-login-streamstarted
crowdstrike-falcon-cef-app-login-authactivity
crowdstrike-falcon-json-app-login-apiactivityauditevent
crowdstrike-falcon-json-app-login-success-assert
crowdstrike-falcon-json-app-login-userauth

local-logon
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin

remote-access
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin

remote-logon
crowdstrike-falcon-json-app-login-sso
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin

workstation-unlocked
crowdstrike-falcon-mix-endpoint-login-success-userlogon
crowdstrike-falcon-json-endpoint-login-userlogin
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 44 Rules
  • 18 Models
Account Manipulationaccount-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted

app-activity
crowdstrike-falcon-cef-file-success-info
crowdstrike-falcon-json-file-write-success-written
crowdstrike-falcon-sk4-file-write-success-written
crowdstrike-falcon-cef-file-write-success-written
crowdstrike-falcon-cef-file-write-success-fsvolumemounted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-json-file-delete-success-deleted
crowdstrike-falcon-cef-app-activity-deleteuser
crowdstrike-falcon-cef-app-activity-createuser
crowdstrike-falcon-cef-app-activity-grantuserroles
crowdstrike-falcon-cef-app-activity-revokeuserroles
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-sk4-app-activity-success-resetapiclientsecret
crowdstrike-falcon-json-app-activity-success-scriptcontrolscantelemetry
crowdstrike-falcon-json-app-activity-eambypassevent
crowdstrike-falcon-json-app-activity-idpentityriskscorechange
crowdstrike-falcon-json-app-activity-success-falcon_device
crowdstrike-falcon-sk4-app-activity-success-authactivityauditevent
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-json-process-create-success-installedapplication
crowdstrike-falcon-json-process-create-success-configstateupdate
crowdstrike-falcon-json-process-create-success-currentsystemtags
crowdstrike-falcon-json-process-create-success-deliverlocalfxtocloud
crowdstrike-falcon-json-process-create-success-agentconnect
crowdstrike-falcon-json-app-activity-scriptcontrolscaninfo
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-sk4-endpoint-notification-timestamp
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-json-service-stop-success-hostedservicestopped
crowdstrike-falcon-cef-endpoint-notification-discovererdevicetype
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-cef-app-activity-useractivityauditevent-1
crowdstrike-falcon-cef-app-activity-useractivityauditevent

process-created
crowdstrike-falcon-json-process-create-processrollup2stats
crowdstrike-falcon-json-process-create-syntheticprocessrollup2
crowdstrike-falcon-json-process-create-success-processroll
crowdstrike-falcon-json-process-create-success-syntheticprocessroll
crowdstrike-falcon-json-process-create-success-processrollup
crowdstrike-falcon-json-process-create-success-processroll
crowdstrike-falcon-json-process-create-success-syntheticprocessroll
crowdstrike-falcon-json-process-create-success-processrollup
crowdstrike-falcon-json-process-create-success-processroll
crowdstrike-falcon-json-process-create-success-syntheticprocessroll
crowdstrike-falcon-json-process-create-success-processrollup
crowdstrike-falcon-json-process-create-success-processroll
crowdstrike-falcon-json-process-create-success-syntheticprocessroll
crowdstrike-falcon-json-process-create-success-processrollup
crowdstrike-falcon-json-process-create-success-servicestarted
crowdstrike-falcon-json-process-create-success-servicestarted
crowdstrike-falcon-json-process-create-success-servicestarted
crowdstrike-falcon-json-process-create-success-servicestarted
crowdstrike-falcon-json-process-create-processrollup2stats
crowdstrike-falcon-json-process-create-syntheticprocessrollup2
crowdstrike-falcon-json-process-create-processrollup2stats
crowdstrike-falcon-json-process-create-syntheticprocessrollup2
crowdstrike-falcon-json-process-create-processrollup2stats
crowdstrike-falcon-json-process-create-syntheticprocessrollup2
crowdstrike-falcon-json-process-create-processrollup2stats
crowdstrike-falcon-json-process-create-syntheticprocessrollup2
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
crowdstrike-falcon-sk4-app-activity-eventsimplename-1
crowdstrike-falcon-sk4-app-activity-eventsimplename
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021 - Remote Services
T1021.003 - T1021.003
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218 - Signed Binary Proxy Execution
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559 - Inter-Process Communication
T1559.002 - T1559.002
  • 18 Rules
  • 8 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

Replication Through Removable Media

Phishing

Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Software Deployment Tools

Scheduled Task/Job: At (Windows)

Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Hijack Execution Flow: DLL Side-Loading

Indicator Removal on Host: File Deletion

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Valid Accounts: Local Accounts

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

OS Credential Dumping

Unsecured Credentials

Forced Authentication

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Software Deployment Tools

Replication Through Removable Media

Screen Capture

Email Collection

Audio Capture

Archive Collected Data

Email Collection: Email Forwarding Rule

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Exfiltration Over C2 Channel

Exfiltration Over Physical Medium

Account Access Removal

Data Destruction

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery