[edr.crowdstrike.falconstreaming.agents] [edr.crowdstrike.falconstreaming.auth_activity] [edr.crowdstrike.falconstreaming.behaviors] [edr.crowdstrike.falconstreaming.customer_ioc] [edr.crowdstrike.falconstreaming.detection_summary] Anchor |
---|
| edr.crowdstrike.falconstreaming.agents |
---|
| edr.crowdstrike.falconstreaming.agents |
---|
| edr.crowdstrike.falconstreaming.agents Field | Type | Extra Field |
---|
eventdate | timestamp
| - | hostname | str
| - | device_id | str
| - | cid | str
| - | agent_load_flags | str
| - | agent_local_time | timestamp
| - | agent_version | str
| - | bios_manufacturer | str
| - | bios_version | str
| - | build_number | str
| - | config_id_base | str
| - | config_id_build | str
| - | config_id_platform | str
| - | cpu_signature | str
| - | external_ip | ip4
| - | mac_address | str
| - | hostname2 | str
| - | first_seen | timestamp
| - | last_seen | timestamp
| - | local_ip | ip4
| - | major_version | str
| - | minor_version | str
| - | os_version | str
| - | os_build | str
| - | platform_id | str
| - | platform_name | str
| - | policies | str
| - | reduced_functionality_mode | str
| - | device_policies__prevention__policy_type | str
| - | device_policies__prevention__policy_id | str
| - | device_policies__prevention__applied | bool
| - | device_policies__prevention__settings_hash | str
| - | device_policies__prevention__assigned_date | str
| - | device_policies__prevention__applied_date | str
| - | device_policies__prevention__rule_groups | str
| - | device_policies__sensor_update__policy_type | str
| - | device_policies__sensor_update__policy_id | str
| - | device_policies__sensor_update__applied | bool
| - | device_policies__sensor_update__settings_hash | str
| - | device_policies__sensor_update__assigned_date | str
| - | device_policies__sensor_update__applied_date | str
| - | device_policies__sensor_update__uninstall_protection | str
| - | device_policies__device_control__policy_type | str
| - | device_policies__device_control__policy_id | str
| - | device_policies__device_control__applied | bool
| - | device_policies__device_control__assigned_date | str
| - | device_policies__device_control__applied_date | str
| - | device_policies__global_config__policy_type | str
| - | device_policies__global_config__policy_id | str
| - | device_policies__global_config__applied | bool
| - | device_policies__global_config__settings_hash | str
| - | device_policies__global_config__assigned_date | str
| - | device_policies__global_config__applied_date | str
| - | device_policies__remote_response__policy_type | str
| - | device_policies__remote_response__policy_id | str
| - | device_policies__remote_response__applied | bool
| - | device_policies__remote_response__settings_hash | str
| - | device_policies__remote_response__assigned_date | str
| - | device_policies__remote_response__applied_date | str
| - | device_policies__firewall__policy_type | str
| - | device_policies__firewall__policy_id | str
| - | device_policies__firewall__applied | bool
| - | device_policies__firewall__assigned_date | str
| - | device_policies__firewall__applied_date | str
| - | device_policies__firewall__rule_set_id | str
| - | groups | str
| - | group_hash | str
| - | product_type | str
| - | product_type_desc | str
| - | provision_status | str
| - | serial_number | str
| - | service_pack_major | str
| - | service_pack_minor | str
| - | pointer_size | str
| - | status | str
| - | system_manufacturer | str
| - | system_product_name | str
| - | tags | str
| - | modified_timestamp | timestamp
| - | slow_changing_modified_timestamp | timestamp
| - | meta__version | str
| - | instance_id | str
| - | service_provider | str
| - | service_provider_account_id | str
| - | machine_domain | str
| - | ou | str
| - | site_name | str
| - | zone_group | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.auth_activity |
---|
| edr.crowdstrike.falconstreaming.auth_activity |
---|
| edr.crowdstrike.falconstreaming.auth_activity Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | target_name | str
| - | target_user_uuid | str
| - | target_cid | str
| - | roles | str
| - | scope | str
| - | actor_user | str
| - | actor_user_uuid | str
| - | actor_cid | str
| - | subscriptions | str
| - | APIClientID | str
| - | appId | str
| - | eventType2 | str
| - | partition | str
| - | offset2 | str
| - | id | str
| - | name | str
| - | trace_id | str
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.behaviors |
---|
| edr.crowdstrike.falconstreaming.behaviors |
---|
| edr.crowdstrike.falconstreaming.behaviors Field | Type | Extra Label |
---|
eventdate | timestamp
| - | hostname | str
| - | behavior_id | str
| - | detection_ids | str
| - | cid | str
| - | aid | str
| - | pattern_id | int4
| - | template_instance_id | int4
| - | timestamp | timestamp
| - | cmdline | str
| - | filepath | str
| - | domain | str
| - | pattern_disposition | int4
| - | pattern_disposition_details__indicator | bool
| - | pattern_disposition_details__detect | bool
| - | pattern_disposition_details__inddet_mask | bool
| - | pattern_disposition_details__sensor_only | bool
| - | pattern_disposition_details__rooting | bool
| - | pattern_disposition_details__kill_process | bool
| - | pattern_disposition_details__kill_subprocess | bool
| - | pattern_disposition_details__quarantine_machine | bool
| - | pattern_disposition_details__quarantine_file | bool
| - | pattern_disposition_details__policy_disabled | bool
| - | pattern_disposition_details__kill_parent | bool
| - | pattern_disposition_details__operation_blocked | bool
| - | pattern_disposition_details__process_blocked | bool
| - | pattern_disposition_details__registry_operation_blocked | bool
| - | pattern_disposition_details__critical_process_disabled | bool
| - | pattern_disposition_details__bootup_safeguard_enabled | bool
| - | pattern_disposition_details__fs_operation_blocked | bool
| - | pattern_disposition_details__handle_operation_downgraded | bool
| - | pattern_disposition_details__kill_action_failed | bool
| - | pattern_disposition_details__blocking_unsupported_or_disabled | bool
| - | pattern_disposition_details__suspend_process | bool
| - | pattern_disposition_details__suspend_parent | bool
| - | sha256 | str
| - | user_name | str
| - | tactic | str
| - | tactic_id | str
| - | technique | str
| - | technique_id | str
| - | objective | str
| - | compound_tto | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.customer_ioc |
---|
| edr.crowdstrike.falconstreaming.customer_ioc |
---|
| edr.crowdstrike.falconstreaming.customer_ioc Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | AgentIdString | str
| - | DeviceId | str
| - | ComputerName | str
| - | ProcessId | str
| - | ParentProcessId | str
| - | ProcessStartTime | timestamp
| - | FileName | str
| - | FilePath | str
| - | CommandLine | str
| - | MD5String | str
| - | SHA256String | str
| - | DomainName | str
| - | IPv4 | str
| - | IPv6 | str
| - | jsonEvent | json
| - | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.detection_summary |
---|
| edr.crowdstrike.falconstreaming.detection_summary |
---|
| edr.crowdstrike.falconstreaming.detection_summary Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ProcessStartTime | int8
| - | ProcessEndTime | int8
| - | ProcessId | int8
| - | ParentProcessId | int8
| - | ComputerName | str
| - | UserName | str
| - | DetectName | str
| - | DetectDescription | str
| - | Severity | int8
| - | SeverityName | str
| - | FileName | str
| - | FilePath | str
| - | CommandLine | str
| - | SHA256String | str
| - | MD5String | str
| - | SHA1String | str
| - | MachineDomain | str
| - | ExecutablesWritten | json
| - | FalconHostLink | str
| - | SensorId | str
| - | IOCType | str
| - | IOCValue | str
| - | DetectId | str
| - | new_state | str
| - | quarantined_file_id | str
| - | action_taken | str
| - | LocalIP | str
| - | MACAddress | str
| - | Tactic | str
| - | Technique | str
| - | Objective | str
| - | UserId | str
| - | UserIp | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | int8
| - | ScanResults_Engine_str | str
| - | ScanResults_ResultName_str | str
| - | ScanResults_Version_str | str
| - | ScanResults_Detected_str | str
| - | PatternDispositionDescription | str
| - | PatternDispositionValue | int8
| - | PatternDispositionFlags_Indicator | bool
| - | PatternDispositionFlags_Detect | bool
| - | PatternDispositionFlags_InddetMask | bool
| - | PatternDispositionFlags_SensorOnly | bool
| - | PatternDispositionFlags_Rooting | bool
| - | PatternDispositionFlags_KillProcess | bool
| - | PatternDispositionFlags_KillSubProcess | bool
| - | PatternDispositionFlags_QuarantineMachine | bool
| - | PatternDispositionFlags_QuarantineFile | bool
| - | PatternDispositionFlags_PolicyDisabled | bool
| - | PatternDispositionFlags_KillParent | bool
| - | PatternDispositionFlags_OperationBlocked | bool
| - | PatternDispositionFlags_ProcessBlocked | bool
| - | PatternDispositionFlags_SuspendParent | bool
| - | PatternDispositionFlags_KillActionFailed | bool
| - | PatternDispositionFlags_HandleOperationDowngraded | bool
| - | PatternDispositionFlags_SuspendProcess | bool
| - | PatternDispositionFlags_CriticalProcessDisabled | bool
| - | PatternDispositionFlags_BootupSafeguardEnabled | bool
| - | PatternDispositionFlags_RegistryOperationBlocked | bool
| - | PatternDispositionFlags_BlockingUnsupportedOrDisabled | bool
| - | PatternDispositionFlags_FsOperationBlocked | bool
| - | ParentImageFileName | str
| - | ParentCommandLine | str
| - | GrandparentImageFileName | str
| - | GrandparentCommandLine | str
| - | QuarantineFiles_ImageFileName_str | str
| - | QuarantineFiles_SHA256HashData_str | str
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
[edr.crowdstrike.falconstreaming.external_api] [edr.crowdstrike.falconstreaming.firewall_match] [edr.crowdstrike.falconstreaming.identity_protection] [edr.crowdstrike.falconstreaming.idp_detection_summary] [edr.crowdstrike.falconstreaming.incidents] Anchor |
---|
| edr.crowdstrike.falconstreaming.external_api |
---|
| edr.crowdstrike.falconstreaming.external_api |
---|
| edr.crowdstrike.falconstreaming.external_api Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ProcessStartTime | int8
| - | ProcessEndTime | int8
| - | ProcessId | int8
| - | ParentProcessId | int8
| - | ComputerName | str
| - | UserName | str
| - | DetectName | str
| - | DetectDescription | str
| - | Severity | int8
| - | SeverityName | str
| - | FileName | str
| - | FilePath | str
| - | CommandLine | str
| - | SHA256String | str
| - | MD5String | str
| - | SHA1String | str
| - | MachineDomain | str
| - | ExecutablesWritten | json
| - | FalconHostLink | str
| - | SensorId | str
| - | IOCType | str
| - | IOCValue | str
| - | DetectId | str
| - | new_state | str
| - | quarantined_file_id | str
| - | action_taken | str
| - | LocalIP | str
| - | MACAddress | str
| - | Tactic | str
| - | Technique | str
| - | Objective | str
| - | UserId | str
| - | UserIp | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | int8
| - | ScanResults_Engine_str | str
| - | ScanResults_ResultName_str | str
| - | ScanResults_Version_str | str
| - | ScanResults_Detected_str | str
| - | PatternDispositionDescription | str
| - | PatternDispositionValue | int8
| - | PatternDispositionFlags_Indicator | bool
| - | PatternDispositionFlags_Detect | bool
| - | PatternDispositionFlags_InddetMask | bool
| - | PatternDispositionFlags_SensorOnly | bool
| - | PatternDispositionFlags_Rooting | bool
| - | PatternDispositionFlags_KillProcess | bool
| - | PatternDispositionFlags_KillSubProcess | bool
| - | PatternDispositionFlags_QuarantineMachine | bool
| - | PatternDispositionFlags_QuarantineFile | bool
| - | PatternDispositionFlags_PolicyDisabled | bool
| - | PatternDispositionFlags_KillParent | bool
| - | PatternDispositionFlags_OperationBlocked | bool
| - | PatternDispositionFlags_ProcessBlocked | bool
| - | PatternDispositionFlags_SuspendParent | bool
| - | PatternDispositionFlags_KillActionFailed | bool
| - | PatternDispositionFlags_HandleOperationDowngraded | bool
| - | PatternDispositionFlags_SuspendProcess | bool
| - | PatternDispositionFlags_CriticalProcessDisabled | bool
| - | PatternDispositionFlags_BootupSafeguardEnabled | bool
| - | PatternDispositionFlags_RegistryOperationBlocked | bool
| - | PatternDispositionFlags_BlockingUnsupportedOrDisabled | bool
| - | PatternDispositionFlags_FsOperationBlocked | bool
| - | ParentImageFileName | str
| - | ParentCommandLine | str
| - | GrandparentImageFileName | str
| - | GrandparentCommandLine | str
| - | QuarantineFiles_ImageFileName_str | str
| - | QuarantineFiles_SHA256HashData_str | str
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.firewall_match |
---|
| edr.crowdstrike.falconstreaming.firewall_match |
---|
| edr.crowdstrike.falconstreaming.firewall_match Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | deviceId | str
| - | customerId | str
| - | ipv | str
| - | commandLine | str
| - | connectionDirection | str
| - | evEventType | str
| - | flag_audit | bool
| - | flag_log | bool
| - | flag_monitor | bool
| - | hostName | str
| - | icmpCode | str
| - | icmpType | str
| - | imageFileName | str
| - | localAddress | ip4
| - | localPort | str
| - | matchCount | int4
| - | matchCountSinceLastReport | int4
| - | networkProfile | str
| - | pid | str
| - | policyName | str
| - | policyID | str
| - | protocol | str
| - | remoteAddress | ip4
| - | remotePort | str
| - | ruleAction | str
| - | ruleDescription | str
| - | ruleFamilyID | str
| - | ruleGroupName | str
| - | ruleName | str
| - | ruleId | str
| - | status | str
| - | timestamp | timestamp
| - | treeID | str
| - | platform | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.identity_protection |
---|
| edr.crowdstrike.falconstreaming.identity_protection |
---|
| edr.crowdstrike.falconstreaming.identity_protection Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int4
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | incidentType | str
| - | incidentDescription | str
| - | severity | int4
| - | severityName | str
| - | startTime | timestamp
| - | endTime | timestamp
| - | identityProtectionIncidentId | str
| - | userName | str
| - | endpointName | str
| - | endpointIp | str
| - | category | str
| - | numbersOfAlerts | int4
| - | numberOfCompromisedEntities | int4
| - | state | str
| - | falconHostLink | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.idp_detection_summary |
---|
| edr.crowdstrike.falconstreaming.idp_detection_summary |
---|
| edr.crowdstrike.falconstreaming.idp_detection_summary Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int4
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | contextTimeStamp | int8
| - | detectId | str
| - | detectName | str
| - | detectDescription | str
| - | falconHostLink | str
| - | startTime | int8
| - | endTime | int8
| - | severity | int4
| - | tactic | str
| - | technique | str
| - | objective | str
| - | sourceAccountDomain | str
| - | sourceAccountName | str
| - | sourceAccountObjectSid | str
| - | sourceEndpointAccountObjectGuid | str
| - | sourceEndpointAccountObjectSid | str
| - | sourceEndpointHostName | str
| - | sourceEndpointIpAddress | ip4
| - | sourceEndpointSensorId | str
| - | activityId | str
| - | patternId | int4
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.incidents |
---|
| edr.crowdstrike.falconstreaming.incidents |
---|
| edr.crowdstrike.falconstreaming.incidents Field | Type | Extra Field |
---|
eventdate | timestamp
| - | hostname | str
| - | incident_id | str
| - | incident_type | int4
| - | cid | str
| - | host_ids | str
| - | hosts | str
| - | created | timestamp
| - | start | timestamp
| - | end | timestamp
| - | state | str
| - | status | int4
| - | tactics | str
| - | techniques | str
| - | objectives | str
| - | fine_score | int4
| - | lmra_host_ids | str
| - | lm_types | int4
| - | tags | str
| - | modified_timestamp | str
| - | users | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
[edr.crowdstrike.falconstreaming.incident_summary] [edr.crowdstrike.falconstreaming.mobile_detection_summary] [edr.crowdstrike.falconstreaming.other] [edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.remote_response_session] Anchor |
---|
| edr.crowdstrike.falconstreaming.incident_summary |
---|
| edr.crowdstrike.falconstreaming.incident_summary |
---|
| edr.crowdstrike.falconstreaming.incident_summary Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | State | str
| - | IncidentID | str
| - | IncidentStartTime | timestamp
| - | IncidentEndTime | timestamp
| - | FineScore | float8
| - | FalconHostLink | str
| - | jsonEvent | json
| - | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.mobile_detection_summary |
---|
| edr.crowdstrike.falconstreaming.mobile_detection_summary |
---|
| edr.crowdstrike.falconstreaming.mobile_detection_summary Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int4
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | sensorId | str
| - | mobileDetectionId | int4
| - | computerName | str
| - | userName | str
| - | contextTimeStamp | timestamp
| - | detectId | str
| - | detectName | str
| - | detectDescription | str
| - | tactic | str
| - | tacticId | str
| - | technique | str
| - | techniqueId | str
| - | objective | str
| - | severity | int4
| - | falconHostLink | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.other |
---|
| edr.crowdstrike.falconstreaming.other |
---|
| edr.crowdstrike.falconstreaming.other Field | Type | Extra Field |
---|
eventdate | timestamp
| - | eventType | str
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int4
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | notificationId | str
| - | highlights_str | str
| - | matchedTimestamp | timestamp
| - | ruleId | str
| - | ruleName | str
| - | ruleTopic | str
| - | rulePriority | str
| - | itemId | str
| - | itemType | str
| - | itemPostedTimestamp | timestamp
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.remote_response_session |
---|
| edr.crowdstrike.falconstreaming.remote_response_session |
---|
| edr.crowdstrike.falconstreaming.remote_response_session Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | SessionId | str
| - | UserName | str
| - | HostnameField | str
| - | StartTimestamp | timestamp
| - | EndTimestamp | timestamp
| - | Commands | json
| - | jsonEvent | json
| - | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
[edr.crowdstrike.falconstreaming.scheduled_report_notification] [edr.crowdstrike.falconstreaming.user_activity_groups] [edr.crowdstrike.falconstreaming.user_activity_quarantined_files] [edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy] [edr.crowdstrike.falconstreaming.user_activity_other] Anchor |
---|
| edr.crowdstrike.falconstreaming.scheduled_report_notification |
---|
| edr.crowdstrike.falconstreaming.scheduled_report_notification |
---|
| edr.crowdstrike.falconstreaming.scheduled_report_notification Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | userUUID | str
| - | userID | str
| - | executionID | str
| - | reportID | str
| - | reportName | str
| - | reportType | str
| - | reportFileReference | str
| - | status | int4
| - | statusMessage | str
| - | executionStart | timestamp
| - | executionDuration | int4
| - | reportFileName | str
| - | resultCount | int4
| - | resultID | str
| - | searchWindowStart | timestamp
| - | searchWindowEnd | timestamp
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_groups |
---|
| edr.crowdstrike.falconstreaming.user_activity_groups |
---|
| edr.crowdstrike.falconstreaming.user_activity_groups Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | group_id | str
| - | group_name | str
| - | group_description | str
| - | group_assignment_rule | str
| - | old_group_assignment_rule | str
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_quarantined_files |
---|
| edr.crowdstrike.falconstreaming.user_activity_quarantined_files |
---|
| edr.crowdstrike.falconstreaming.user_activity_quarantined_files Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | quarantined_file_id | str
| - | action_taken | str
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy |
---|
| edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy |
---|
| edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | quarantined_file_id | str
| - | action_taken | str
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_other |
---|
| edr.crowdstrike.falconstreaming.user_activity_other |
---|
| edr.crowdstrike.falconstreaming.user_activity_other Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | UserId | str
| - | UserIp | ip4
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
[edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.user_activity_devices] [edr.crowdstrike.falconstreaming.user_activity_prevention_policy] [edr.crowdstrike.falconstreaming.user_activity_ip_whitelist] [edr.crowdstrike.falconstreaming.vulnerabilities] Anchor |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary |
---|
| edr.crowdstrike.falconstreaming.recon_notification_summary Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int4
| - | eventType | str
| - | eventCreationTime | timestamp
| - | version | str
| - | notificationId | str
| - | highlights_str | str
| - | matchedTimestamp | timestamp
| - | ruleId | str
| - | ruleName | str
| - | ruleTopic | str
| - | rulePriority | str
| - | itemId | str
| - | itemType | str
| - | itemPostedTimestamp | timestamp
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_devices |
---|
| edr.crowdstrike.falconstreaming.user_activity_devices |
---|
| edr.crowdstrike.falconstreaming.user_activity_devices Field | Type | Extra Field |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | SensorId | str
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_prevention_policy |
---|
| edr.crowdstrike.falconstreaming.user_activity_prevention_policy |
---|
| edr.crowdstrike.falconstreaming.user_activity_prevention_policy Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | policy_id | str
| - | devices_affected | str
| - | policy_priority | str
| - | old_policy_priority | str
| - | policy_name | str
| - | policy_description | str
| - | policy_platform | str
| - | policy_type | str
| - | policy_assignment_rule | str
| - | policy_enabled | str
| - | policy_settings_AdwareExecution | str
| - | old_policy_settings_AdwareExecution | str
| - | policy_settings_ApplicationExploitationActivity | str
| - | old_policy_settings_ApplicationExploitationActivity | str
| - | policy_settings_BackupDeletion | str
| - | old_policy_settings_BackupDeletion | str
| - | policy_settings_ChopperWebshell | str
| - | old_policy_settings_ChopperWebshell | str
| - | policy_settings_Cryptowall | str
| - | old_policy_settings_Cryptowall | str
| - | policy_settings_CustomBlacklisting | str
| - | old_policy_settings_CustomBlacklisting | str
| - | policy_settings_DriveByDownload | str
| - | old_policy_settings_DriveByDownload | str
| - | policy_settings_FileAnalysis | str
| - | old_policy_settings_FileAnalysis | str
| - | policy_settings_FileAttributeAnalysis | str
| - | old_policy_settings_FileAttributeAnalysis | str
| - | policy_settings_FileEncryption | str
| - | old_policy_settings_FileEncryption | str
| - | policy_settings_ForceASLR | str
| - | old_policy_settings_ForceASLR | str
| - | policy_settings_ForceDEP | str
| - | old_policy_settings_ForceDEP | str
| - | policy_settings_HeapSprayPreallocation | str
| - | old_policy_settings_HeapSprayPreallocation | str
| - | policy_settings_Locky | str
| - | old_policy_settings_Locky | str
| - | policy_settings_WindowsLogonBypassStickyKeys | str
| - | old_policy_settings_WindowsLogonBypassStickyKeys | str
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.user_activity_ip_whitelist |
---|
| edr.crowdstrike.falconstreaming.user_activity_ip_whitelist |
---|
| edr.crowdstrike.falconstreaming.user_activity_ip_whitelist Field | Type | Extra Label |
---|
eventdate | timestamp
| - | customerIDString | str
| - | offset | int8
| - | eventCreationTime | timestamp
| - | version | str
| - | eventType | str
| - | ServiceName | str
| - | OperationName | str
| - | UTCTimestamp | timestamp
| - | Success | bool
| - | UserId | str
| - | UserIp | ip4
| - | APIClientID | str
| - | AuditKeyValues | json
| - | jsonEvent | json
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Anchor |
---|
| edr.crowdstrike.falconstreaming.vulnerabilities |
---|
| edr.crowdstrike.falconstreaming.vulnerabilities |
---|
| edr.crowdstrike.falconstreaming.vulnerabilities Field | Type | Extra Label |
---|
eventdate | timestamp
| - | hostname | str
| - | id | str
| - | cid | str
| - | aid | str
| - | created_timestamp | timestamp
| - | closed_timestamp | timestamp
| - | updated_timestamp | timestamp
| - | status | str
| - | cve__id | str
| - | cve__base_score | float8
| - | cve__severity | str
| - | cve__exploit_status | int4
| - | app__product_name_version | str
| - | apps | str
| - | host_info__hostname | str
| - | host_info__local_ip | ip4
| - | host_info__machine_domain | str
| - | host_info__os_version | str
| - | host_info__ou | str
| - | host_info__site_name | str
| - | host_info__system_manufacturer | str
| - | host_info__groups | str
| - | host_info__tags | str
| - | host_info__platform | str
| - | remediation__ids | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
[edr.crowdstrike.falcon] [edr.crowdstrike.cannon] [edr.crowdstrike.cannon.associateindicator] [edr.crowdstrike.cannon.associatetreeidwithroot] [edr.crowdstrike.cannon.asepvalueupdate] [edr.crowdstrike.cannon.neighborlistip4] Anchor |
---|
| edr.crowdstrike.falcon |
---|
| edr.crowdstrike.falcon |
---|
| edr.crowdstrike.falcon Field | Type | Extra Field |
---|
eventdate | timestamp
| - | metadata_customerIDString | str
| - | metadata_offset | int4
| - | metadata_eventType | str
| - | metadata_eventCreationTime | int8
| - | metadata_version | str
| - | event_ProcessStartTime | int4
| - | event_ProcessEndTime | int4
| - | event_ProcessId | int8
| - | event_ParentProcessId | int8
| - | event_ComputerName | str
| - | event_UserName | str
| - | event_DetectName | str
| - | event_DetectDescription | str
| - | event_Severity | int4
| - | event_SeverityName | str
| - | event_FileName | str
| - | event_FilePath | str
| - | event_CommandLine | str
| - | event_SHA256String | str
| - | event_MD5String | str
| - | event_SHA1String | str
| - | event_MachineDomain | str
| - | event_ExecutablesWritten | str
| - | event_FalconHostLink | str
| - | event_SensorId | str
| - | event_IOCType | str
| - | event_IOCValue | str
| - | event_DetectId | str
| - | event_new_state | str
| - | event_quarantined_file_id | str
| - | event_action_taken | str
| - | event_target_name | str
| - | event_LocalIP | str
| - | event_MACAddress | str
| - | event_Tactic | str
| - | event_Technique | str
| - | event_Objective | str
| - | event_group_id | str
| - | event_group_name | str
| - | event_old_group_name | str
| - | event_group_description | str
| - | event_old_group_description | str
| - | event_group_assignment_rule | str
| - | event_old_group_assignment_rule | str
| - | event_policy_id | str
| - | event_policy_name | str
| - | event_old_policy_name | str
| - | event_policy_description | str
| - | event_policy_type | str
| - | event_policy_enabled | bool
| - | event_policy_platform | str
| - | event_policy_assignment_rule | str
| - | event_policy_settings_ReleaseID | str
| - | event_old_policy_settings_ReleaseID | str
| - | event_policy_settings_UninstallProtection | str
| - | event_UserId | str
| - | event_UserIp | str
| - | event_OperationName | str
| - | event_ServiceName | str
| - | event_Success | bool
| - | event_UTCTimestamp | int8
| - | event_UTCTimestamp_formatted | timestamp
| - | event_ScanResults_Engine_str | str
| - | event_ScanResults_ResultName_str | str
| - | event_ScanResults_Version_str | str
| - | event_ScanResults_Detected_str | str
| - | event_PatternDispositionDescription | str
| - | event_PatternDispositionValue | int4
| - | event_PatternDispositionFlags_Indicator | bool
| - | event_PatternDispositionFlags_Detect | bool
| - | event_PatternDispositionFlags_InddetMask | bool
| - | event_PatternDispositionFlags_SensorOnly | bool
| - | event_PatternDispositionFlags_Rooting | bool
| - | event_PatternDispositionFlags_KillProcess | bool
| - | event_PatternDispositionFlags_KillSubProcess | bool
| - | event_PatternDispositionFlags_QuarantineMachine | bool
| - | event_PatternDispositionFlags_QuarantineFile | bool
| - | event_PatternDispositionFlags_PolicyDisabled | bool
| - | event_PatternDispositionFlags_KillParent | bool
| - | event_PatternDispositionFlags_OperationBlocked | bool
| - | event_PatternDispositionFlags_ProcessBlocked | bool
| - | event_ParentImageFileName | str
| - | event_ParentCommandLine | str
| - | event_GrandparentImageFileName | str
| - | event_GrandparentCommandLine | str
| - | event_QuarantineFiles_ImageFileName_str | str
| - | event_QuarantineFiles_SHA256HashData_str | str
| - | message | str
| - | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| - |
edr.crowdstrike.cannon

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | str | - |
| cid | str | - |
| event_platform | str | - |
| event_type | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| AuthenticationId | str | - |
| CommandLine | str | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| EffectiveTransmissionClass | str | - |
| Entitlements | str | - |
| FullFilePath | str | - |
| FilePath | str | - |
| FileName | str | - |
| ImageFileName | str | - |
| ImageSubsystem | str | - |
| IntegrityLevel | str | - |
| MD5HashData | str | - |
| ParentAuthenticationId | str | - |
| ParentProcessId | str | - |
| ProcessCreateFlags | str | - |
| ProcessEndTime | str | - |
| ProcessParameterFlags | str | - |
| ProcessStartTime | str | - |
| ProcessSxsFlags | str | - |
| RawProcessId | str | - |
| SHA1HashData | str | - |
| SHA256HashData | str | - |
| SourceProcessId | str | - |
| SourceThreadId | str | - |
| TargetFileName | str | - |
| TargetProcessId | str | - |
| SessionProcessId | str | - |
| TokenType | str | - |
| UserSid | str | - |
| ComputerName | str | - |
| ClientComputerName | str | - |
| FirstIP4Record | str | - |
| PhysicalAddress | str | - |
| ContextProcessId | str | - |
| LocalAddressIP4 | ip4 | - |
| LocalPort | str | - |
| Protocol | str | - |
| RemoteAddressIP4 | ip4 | - |
| RemotePort | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| tagGroup | str | - |
| rawMessage | str | - |
edr.crowdstrike.cannon.associateindicator

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| event_simpleName | str | - |
| ContextTimeStamp | str | - |
| ConfigStateHash | str | - |
| aip | ip4 | - |
| SessionProcessId | str | - |
| ConfigBuild | str | - |
| PatternDisposition | str | - |
| event_platform | str | - |
| TargetProcessId | str | - |
| PatternId | str | - |
| Entitlements | str | - |
| name | str | - |
| id | str | - |
| EffectiveTransmissionClass | str | - |
| aid | str | - |
| timestamp | str | - |
| cid | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.crowdstrike.cannon.associatetreeidwithroot

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| event_simpleName | str | - |
| ContextTimeStamp | str | - |
| ConfigStateHash | str | - |
| aip | ip4 | - |
| SessionProcessId | str | - |
| ConfigBuild | str | - |
| PatternDisposition | str | - |
| event_platform | str | - |
| TargetProcessId | str | - |
| TreeId | str | - |
| PatternId | str | - |
| Entitlements | str | - |
| name | str | - |
| TreeRoot | str | - |
| id | str | - |
| EffectiveTransmissionClass | str | - |
| aid | str | - |
| timestamp | str | - |
| cid | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.crowdstrike.cannon.asepvalueupdate

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | ip4 | - |
| cid | str | - |
| event_platform | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| AsepClass | str | - |
| AsepFlags | str | - |
| AsepIndex | str | - |
| AsepValueType | str | - |
| AuthenticationId | str | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| ContextProcessId | str | - |
| ContextThreadId | str | - |
| ContextTimeStamp | str | - |
| Data1 | str | - |
| EffectiveTransmissionClass | str | - |
| RegStringValue | str | - |
| Entitlements | str | - |
| RegNumericValue | str | - |
| RegObjectName | str | - |
| RegOperationType | str | - |
| RegType | str | - |
| RegValueName | str | - |
| TokenType | str | - |
| RegBinaryValue | str | - |
| TargetFileName | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |
[edr.crowdstrike.cannon.channelversionrequired] [edr.crowdstrike.cannon.detectionexcluded] [edr.crowdstrike.cannon.dnsrequest] [edr.crowdstrike.cannon.endofprocess]
edr.crowdstrike.cannon.channelversionrequired

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | ip4 | - |
| cid | str | - |
| event_platform | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| ChannelId | str | - |
| ChannelVersion | str | - |
| ChannelVersionRequired | str | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| EffectiveTransmissionClass | str | - |
| Entitlements | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |
edr.crowdstrike.cannon.detectionexcluded

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| event_simpleName | str | - |
| ContextTimeStamp | str | - |
| ConfigStateHash | str | - |
| aip | ip4 | - |
| SessionProcessId | str | - |
| BoundingLimitCount | str | - |
| ConfigBuild | str | - |
| event_platform | str | - |
| CommandLine | str | - |
| TargetProcessId | str | - |
| PatternId | str | - |
| ImageFileName | str | - |
| ExclusionType | str | - |
| Entitlements | str | - |
| name | str | - |
| ExclusionSource | str | - |
| id | str | - |
| EffectiveTransmissionClass | str | - |
| aid | str | - |
| timestamp | str | - |
| cid | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.crowdstrike.cannon.dnsrequest

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | ip4 | - |
| cid | str | - |
| event_platform | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| ContextProcessId | str | - |
| ContextThreadId | str | - |
| ContextTimeStamp | str | - |
| DomainName | str | - |
| Entitlements | str | - |
| RequestType | str | - |
| DnsResponseType | str | - |
| IP4Records | str | - |
| FirstIP4Record | str | - |
| CNAMERecords | str | - |
| IP6Records | str | - |
| FirstIP6Record | str | - |
| QueryStatus | str | - |
| DualRequest | str | - |
| RespondingDnsServer | str | - |
| DnsRequestCount | str | - |
| InterfaceIndex | str | - |
| EffectiveTransmissionClass | str | - |
| BoundingLimitCount | str | - |
| BoundingLimitDuration | str | - |
| TreeId | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |
edr.crowdstrike.cannon.endofprocess

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | ip4 | - |
| cid | str | - |
| event_platform | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| ActivePrivilegeEscalationCount | str | - |
| AsepWrittenCount | str | - |
| BinaryExecutableWrittenCount | str | - |
| CLICreationCount | str | - |
| ConHostId | str | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| ContextProcessId | str | - |
| ContextThreadId | str | - |
| ContextTimeStamp | str | - |
| CycleTime | str | - |
| DirectoryCreatedCount | str | - |
| DirectoryEnumeratedCount | str | - |
| DnsRequestCount | str | - |
| EffectiveTransmissionClass | str | - |
| Entitlements | str | - |
| ExeAndServiceCount | str | - |
| ExecutableDeletedCount | str | - |
| ExitCode | str | - |
| FileDeletedCount | str | - |
| InjectedDllCount | str | - |
| InjectedThreadCount | str | - |
| KernelTime | str | - |
| MaxThreadCount | str | - |
| NamedObjectCount | str | - |
| NetworkBindCount | str | - |
| NetworkCapableAsepWriteCount | str | - |
| NetworkCloseCount | str | - |
| NetworkConnectCount | str | - |
| NetworkConnectCountUdp | str | - |
| NetworkListenCount | str | - |
| NetworkRecvAcceptCount | str | - |
| NewExecutableWrittenCount | str | - |
| PrivilegedProcessHandleCount | str | - |
| RawProcessId | str | - |
| RegKeySecurityDecreasedCount | str | - |
| RunDllInvocationCount | str | - |
| ScriptEngineInvocationCount | str | - |
| ServiceEventCount | str | - |
| SHA256HashData | str | - |
| SnapshotFileOpenCount | str | - |
| SuspectStackCount | str | - |
| SuspiciousCredentialModuleLoadCount | str | - |
| SuspiciousDnsRequestCount | str | - |
| SuspiciousRawDiskReadCount | str | - |
| TargetProcessId | str | - |
| UnsignedModuleLoadCount | str | - |
| UserMemoryAllocateExecutableCount | str | - |
| UserMemoryAllocateExecutableRemoteCount | str | - |
| UserMemoryProtectExecutableCount | str | - |
| UserMemoryProtectExecutableRemoteCount | str | - |
| UserSid | str | - |
| UserTime | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |
edr.crowdstrike.cannon.neighborlistip4

| Field | Type | Extra Field |
|---|---|---|
| eventdate | timestamp | - |
| aid | str | - |
| aip | ip4 | - |
| cid | str | - |
| event_platform | str | - |
| event_simpleName | str | - |
| id | str | - |
| name | str | - |
| timestamp | timestamp | - |
| ConfigBuild | str | - |
| ConfigStateHash | str | - |
| EffectiveTransmissionClass | str | - |
| Entitlements | str | - |
| InterfaceIndex | str | - |
| NeighborList | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |
|