
Tables 1-5

[edr.crowdstrike.falconstreaming.agents] [edr.crowdstrike.falconstreaming.auth_activity] [edr.crowdstrike.falconstreaming.behaviors] [edr.crowdstrike.falconstreaming.customer_ioc] [edr.crowdstrike.falconstreaming.detection_summary]

Anchor
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

device_id

str

-

cid

str

-

agent_load_flags

str

-

agent_local_time

timestamp

-

agent_version

str

-

bios_manufacturer

str

-

bios_version

str

-

build_number

str

-

config_id_base

str

-

config_id_build

str

-

config_id_platform

str

-

cpu_signature

str

-

external_ip

ip4

-

mac_address

str

-

hostname2

str

-

first_seen

timestamp

-

last_seen

timestamp

-

local_ip

ip4

-

major_version

str

-

minor_version

str

-

os_version

str

-

os_build

str

-

platform_id

str

-

platform_name

str

-

policies

str

-

reduced_functionality_mode

str

-

device_policies__prevention__policy_type

str

-

device_policies__prevention__policy_id

str

-

device_policies__prevention__applied

bool

-

device_policies__prevention__settings_hash

str

-

device_policies__prevention__assigned_date

str

-

device_policies__prevention__applied_date

str

-

device_policies__prevention__rule_groups

str

-

device_policies__sensor_update__policy_type

str

-

device_policies__sensor_update__policy_id

str

-

device_policies__sensor_update__applied

bool

-

device_policies__sensor_update__settings_hash

str

-

device_policies__sensor_update__assigned_date

str

-

device_policies__sensor_update__applied_date

str

-

device_policies__sensor_update__uninstall_protection

str

-

device_policies__device_control__policy_type

str

-

device_policies__device_control__policy_id

str

-

device_policies__device_control__applied

bool

-

device_policies__device_control__assigned_date

str

-

device_policies__device_control__applied_date

str

-

device_policies__global_config__policy_type

str

-

device_policies__global_config__policy_id

str

-

device_policies__global_config__applied

bool

-

device_policies__global_config__settings_hash

str

-

device_policies__global_config__assigned_date

str

-

device_policies__global_config__applied_date

str

-

device_policies__remote_response__policy_type

str

-

device_policies__remote_response__policy_id

str

-

device_policies__remote_response__applied

bool

-

device_policies__remote_response__settings_hash

str

-

device_policies__remote_response__assigned_date

str

-

device_policies__remote_response__applied_date

str

-

device_policies__firewall__policy_type

str

-

device_policies__firewall__policy_id

str

-

device_policies__firewall__applied

bool

-

device_policies__firewall__assigned_date

str

-

device_policies__firewall__applied_date

str

-

device_policies__firewall__rule_set_id

str

-

groups

str

-

group_hash

str

-

product_type

str

-

product_type_desc

str

-

provision_status

str

-

serial_number

str

-

service_pack_major

str

-

service_pack_minor

str

-

pointer_size

str

-

status

str

-

system_manufacturer

str

-

system_product_name

str

-

tags

str

-

modified_timestamp

timestamp

-

slow_changing_modified_timestamp

timestamp

-

meta__version

str

-

instance_id

str

-

service_provider

str

-

service_provider_account_id

str

-

machine_domain

str

-

ou

str

-

site_name

str

-

zone_group

str

-

hostchain

str

tag

str

rawMessage

str

 
Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity 

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

target_name

str

-

target_user_uuid

str

-

target_cid

str

-

roles

str

-

scope

str

-

actor_user

str

-

actor_user_uuid

str

-

actor_cid

str

-

subscriptions

str

-

APIClientID

str

-

appId

str

-

eventType2

str

-

partition

str

-

offset2

str

-

id

str

-

name

str

-

trace_id

str

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

behavior_id

str

-

detection_ids

str

-

cid

str

-

aid

str

-

pattern_id

int4

-

template_instance_id

int4

-

timestamp

timestamp

-

cmdline

str

-

filepath

str

-

domain

str

-

pattern_disposition

int4

-

pattern_disposition_details__indicator

bool

-

pattern_disposition_details__detect

bool

-

pattern_disposition_details__inddet_mask

bool

-

pattern_disposition_details__sensor_only

bool

-

pattern_disposition_details__rooting

bool

-

pattern_disposition_details__kill_process

bool

-

pattern_disposition_details__kill_subprocess

bool

-

pattern_disposition_details__quarantine_machine

bool

-

pattern_disposition_details__quarantine_file

bool

-

pattern_disposition_details__policy_disabled

bool

-

pattern_disposition_details__kill_parent

bool

-

pattern_disposition_details__operation_blocked

bool

-

pattern_disposition_details__process_blocked

bool

-

pattern_disposition_details__registry_operation_blocked

bool

-

pattern_disposition_details__critical_process_disabled

bool

-

pattern_disposition_details__bootup_safeguard_enabled

bool

-

pattern_disposition_details__fs_operation_blocked

bool

-

pattern_disposition_details__handle_operation_downgraded

bool

-

pattern_disposition_details__kill_action_failed

bool

-

pattern_disposition_details__blocking_unsupported_or_disabled

bool

-

pattern_disposition_details__suspend_process

bool

-

pattern_disposition_details__suspend_parent

bool

-

sha256

str

-

user_name

str

-

tactic

str

-

tactic_id

str

-

technique

str

-

technique_id

str

-

objective

str

-

compound_tto

str

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

AgentIdString

str

-

DeviceId

str

-

ComputerName

str

-

ProcessId

str

-

ParentProcessId

str

-

ProcessStartTime

timestamp

-

FileName

str

-

FilePath

str

-

CommandLine

str

-

MD5String

str

-

SHA256String

str

-

DomainName

str

-

IPv4

str

-

IPv6

str

-

jsonEvent

json

-

rawMessage

str

hostchain

str

tag

str

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ProcessStartTime

int8

-

ProcessEndTime

int8

-

ProcessId

int8

-

ParentProcessId

int8

-

ComputerName

str

-

UserName

str

-

DetectName

str

-

DetectDescription

str

-

Severity

int8

-

SeverityName

str

-

FileName

str

-

FilePath

str

-

CommandLine

str

-

SHA256String

str

-

MD5String

str

-

SHA1String

str

-

MachineDomain

str

-

ExecutablesWritten

json

-

FalconHostLink

str

-

SensorId

str

-

IOCType

str

-

IOCValue

str

-

DetectId

str

-

new_state

str

-

quarantined_file_id

str

-

action_taken

str

-

LocalIP

str

-

MACAddress

str

-

Tactic

str

-

Technique

str

-

Objective

str

-

UserId

str

-

UserIp

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

int8

-

ScanResults_Engine_str

str

-

ScanResults_ResultName_str

str

-

ScanResults_Version_str

str

-

ScanResults_Detected_str

str

-

PatternDispositionDescription

str

-

PatternDispositionValue

int8

-

PatternDispositionFlags_Indicator

bool

-

PatternDispositionFlags_Detect

bool

-

PatternDispositionFlags_InddetMask

bool

-

PatternDispositionFlags_SensorOnly

bool

-

PatternDispositionFlags_Rooting

bool

-

PatternDispositionFlags_KillProcess

bool

-

PatternDispositionFlags_KillSubProcess

bool

-

PatternDispositionFlags_QuarantineMachine

bool

-

PatternDispositionFlags_QuarantineFile

bool

-

PatternDispositionFlags_PolicyDisabled

bool

-

PatternDispositionFlags_KillParent

bool

-

PatternDispositionFlags_OperationBlocked

bool

-

PatternDispositionFlags_ProcessBlocked

bool

-

PatternDispositionFlags_SuspendParent

bool

-

PatternDispositionFlags_KillActionFailed

bool

-

PatternDispositionFlags_HandleOperationDowngraded

bool

-

PatternDispositionFlags_SuspendProcess

bool

-

PatternDispositionFlags_CriticalProcessDisabled

bool

-

PatternDispositionFlags_BootupSafeguardEnabled

bool

-

PatternDispositionFlags_RegistryOperationBlocked

bool

-

PatternDispositionFlags_BlockingUnsupportedOrDisabled

bool

-

PatternDispositionFlags_FsOperationBlocked

bool

-

ParentImageFileName

str

-

ParentCommandLine

str

-

GrandparentImageFileName

str

-

GrandparentCommandLine

str

-

QuarantineFiles_ImageFileName_str

str

-

QuarantineFiles_SHA256HashData_str

str

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Tables 6-10

[edr.crowdstrike.falconstreaming.external_api] [edr.crowdstrike.falconstreaming.firewall_match] [edr.crowdstrike.falconstreaming.identity_protection] [edr.crowdstrike.falconstreaming.idp_detection_summary] [edr.crowdstrike.falconstreaming.incidents]

Anchor
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ProcessStartTime

int8

-

ProcessEndTime

int8

-

ProcessId

int8

-

ParentProcessId

int8

-

ComputerName

str

-

UserName

str

-

DetectName

str

-

DetectDescription

str

-

Severity

int8

-

SeverityName

str

-

FileName

str

-

FilePath

str

-

CommandLine

str

-

SHA256String

str

-

MD5String

str

-

SHA1String

str

-

MachineDomain

str

-

ExecutablesWritten

json

-

FalconHostLink

str

-

SensorId

str

-

IOCType

str

-

IOCValue

str

-

DetectId

str

-

new_state

str

-

quarantined_file_id

str

-

action_taken

str

-

LocalIP

str

-

MACAddress

str

-

Tactic

str

-

Technique

str

-

Objective

str

-

UserId

str

-

UserIp

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

int8

-

ScanResults_Engine_str

str

-

ScanResults_ResultName_str

str

-

ScanResults_Version_str

str

-

ScanResults_Detected_str

str

-

PatternDispositionDescription

str

-

PatternDispositionValue

int8

-

PatternDispositionFlags_Indicator

bool

-

PatternDispositionFlags_Detect

bool

-

PatternDispositionFlags_InddetMask

bool

-

PatternDispositionFlags_SensorOnly

bool

-

PatternDispositionFlags_Rooting

bool

-

PatternDispositionFlags_KillProcess

bool

-

PatternDispositionFlags_KillSubProcess

bool

-

PatternDispositionFlags_QuarantineMachine

bool

-

PatternDispositionFlags_QuarantineFile

bool

-

PatternDispositionFlags_PolicyDisabled

bool

-

PatternDispositionFlags_KillParent

bool

-

PatternDispositionFlags_OperationBlocked

bool

-

PatternDispositionFlags_ProcessBlocked

bool

-

PatternDispositionFlags_SuspendParent

bool

-

PatternDispositionFlags_KillActionFailed

bool

-

PatternDispositionFlags_HandleOperationDowngraded

bool

-

PatternDispositionFlags_SuspendProcess

bool

-

PatternDispositionFlags_CriticalProcessDisabled

bool

-

PatternDispositionFlags_BootupSafeguardEnabled

bool

-

PatternDispositionFlags_RegistryOperationBlocked

bool

-

PatternDispositionFlags_BlockingUnsupportedOrDisabled

bool

-

PatternDispositionFlags_FsOperationBlocked

bool

-

ParentImageFileName

str

-

ParentCommandLine

str

-

GrandparentImageFileName

str

-

GrandparentCommandLine

str

-

QuarantineFiles_ImageFileName_str

str

-

QuarantineFiles_SHA256HashData_str

str

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

deviceId

str

-

customerId

str

-

ipv

str

-

commandLine

str

-

connectionDirection

str

-

evEventType

str

-

flag_audit

bool

-

flag_log

bool

-

flag_monitor

bool

-

hostName

str

-

icmpCode

str

-

icmpType

str

-

imageFileName

str

-

localAddress

ip4

-

localPort

str

-

matchCount

int4

-

matchCountSinceLastReport

int4

-

networkProfile

str

-

pid

str

-

policyName

str

-

policyID

str

-

protocol

str

-

remoteAddress

ip4

-

remotePort

str

-

ruleAction

str

-

ruleDescription

str

-

ruleFamilyID

str

-

ruleGroupName

str

-

ruleName

str

-

ruleId

str

-

status

str

-

timestamp

timestamp

-

treeID

str

-

platform

str

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

incidentType

str

-

incidentDescription

str

-

severity

int4

-

severityName

str

-

startTime

timestamp

-

endTime

timestamp

-

identityProtectionIncidentId

str

-

userName

str

-

endpointName

str

-

endpointIp

str

-

category

str

-

numbersOfAlerts

int4

-

numberOfCompromisedEntities

int4

-

state

str

-

falconHostLink

str

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

contextTimeStamp

int8

-

detectId

str

-

detectName

str

-

detectDescription

str

-

falconHostLink

str

-

startTime

int8

-

endTime

int8

-

severity

int4

-

tactic

str

-

technique

str

-

objective

str

-

sourceAccountDomain

str

-

sourceAccountName

str

-

sourceAccountObjectSid

str

-

sourceEndpointAccountObjectGuid

str

-

sourceEndpointAccountObjectSid

str

-

sourceEndpointHostName

str

-

sourceEndpointIpAddress

ip4

-

sourceEndpointSensorId

str

-

activityId

str

-

patternId

int4

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

incident_id

str

-

incident_type

int4

-

cid

str

-

host_ids

str

-

hosts

str

-

created

timestamp

-

start

timestamp

-

end

timestamp

-

state

str

-

status

int4

-

tactics

str

-

techniques

str

-

objectives

str

-

fine_score

int4

-

lmra_host_ids

str

-

lm_types

int4

-

tags

str

-

modified_timestamp

str

-

users

str

-

hostchain

str

tag

str

rawMessage

str

Tables 11-15

[edr.crowdstrike.falconstreaming.incident_summary] [edr.crowdstrike.falconstreaming.mobile_detection_summary] [edr.crowdstrike.falconstreaming.other] [edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.remote_response_session]

Anchor
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

State

str

-

IncidentID

str

-

IncidentStartTime

timestamp

-

IncidentEndTime

timestamp

-

FineScore

float8

-

FalconHostLink

str

-

jsonEvent

json

-

rawMessage

str

hostchain

str

tag

str

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

sensorId

str

-

mobileDetectionId

int4

-

computerName

str

-

userName

str

-

contextTimeStamp

timestamp

-

detectId

str

-

detectName

str

-

detectDescription

str

-

tactic

str

-

tacticId

str

-

technique

str

-

techniqueId

str

-

objective

str

-

severity

int4

-

falconHostLink

str

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Field

Type

Extra Field

eventdate

timestamp

-

eventType

str

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

notificationId

str

-

highlights_str

str

-

matchedTimestamp

timestamp

-

ruleId

str

-

ruleName

str

-

ruleTopic

str

-

rulePriority

str

-

itemId

str

-

itemType

str

-

itemPostedTimestamp

timestamp

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

SessionId

str

-

UserName

str

-

HostnameField

str

-

StartTimestamp

timestamp

-

EndTimestamp

timestamp

-

Commands

json

-

jsonEvent

json

-

rawMessage

str

hostchain

str

tag

str

Tables 16-20

[edr.crowdstrike.falconstreaming.scheduled_report_notification] [edr.crowdstrike.falconstreaming.user_activity_groups] [edr.crowdstrike.falconstreaming.user_activity_quarantined_files] [edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy] [edr.crowdstrike.falconstreaming.user_activity_other]

Anchor
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

userUUID

str

-

userID

str

-

executionID

str

-

reportID

str

-

reportName

str

-

reportType

str

-

reportFileReference

str

-

status

int4

-

statusMessage

str

-

executionStart

timestamp

-

executionDuration

int4

-

reportFileName

str

-

resultCount

int4

-

resultID

str

-

searchWindowStart

timestamp

-

searchWindowEnd

timestamp

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

group_id

str

-

group_name

str

-

group_description

str

-

group_assignment_rule

str

-

old_group_assignment_rule

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

UserId

str

-

UserIp

ip4

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Tables 21-25

[edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.user_activity_devices] [edr.crowdstrike.falconstreaming.user_activity_prevention_policy] [edr.crowdstrike.falconstreaming.user_activity_ip_whitelist] [edr.crowdstrike.falconstreaming.vulnerabilities]

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

notificationId

str

-

highlights_str

str

-

matchedTimestamp

timestamp

-

ruleId

str

-

ruleName

str

-

ruleTopic

str

-

rulePriority

str

-

itemId

str

-

itemType

str

-

itemPostedTimestamp

timestamp

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

SensorId

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

policy_id

str

-

devices_affected

str

-

policy_priority

str

-

old_policy_priority

str

-

policy_name

str

-

policy_description

str

-

policy_platform

str

-

policy_type

str

-

policy_assignment_rule

str

-

policy_enabled

str

-

policy_settings_AdwareExecution

str

-

old_policy_settings_AdwareExecution

str

-

policy_settings_ApplicationExploitationActivity

str

-

old_policy_settings_ApplicationExploitationActivity

str

-

policy_settings_BackupDeletion

str

-

old_policy_settings_BackupDeletion

str

-

policy_settings_ChopperWebshell

str

-

old_policy_settings_ChopperWebshell

str

-

policy_settings_Cryptowall

str

-

old_policy_settings_Cryptowall

str

-

policy_settings_CustomBlacklisting

str

-

old_policy_settings_CustomBlacklisting

str

-

policy_settings_DriveByDownload

str

-

old_policy_settings_DriveByDownload

str

-

policy_settings_FileAnalysis

str

-

old_policy_settings_FileAnalysis

str

-

policy_settings_FileAttributeAnalysis

str

-

old_policy_settings_FileAttributeAnalysis

str

-

policy_settings_FileEncryption

str

-

old_policy_settings_FileEncryption

str

-

policy_settings_ForceASLR

str

-

old_policy_settings_ForceASLR

str

-

policy_settings_ForceDEP

str

-

old_policy_settings_ForceDEP

str

-

policy_settings_HeapSprayPreallocation

str

-

old_policy_settings_HeapSprayPreallocation

str

-

policy_settings_Locky

str

-

old_policy_settings_Locky

str

-

policy_settings_WindowsLogonBypassStickyKeys

str

-

old_policy_settings_WindowsLogonBypassStickyKeys

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

Anchor
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

id

str

-

cid

str

-

aid

str

-

created_timestamp

timestamp

-

closed_timestamp

timestamp

-

updated_timestamp

timestamp

-

status

str

-

cve__id

str

-

cve__base_score

float8

-

cve__severity

str

-

cve__exploit_status

int4

-

app__product_name_version

str

-

apps

str

-

host_info__hostname

str

-

host_info__local_ip

ip4

-

host_info__machine_domain

str

-

host_info__os_version

str

-

host_info__ou

str

-

host_info__site_name

str

-

host_info__system_manufacturer

str

-

host_info__groups

str

-

host_info__tags

str

-

host_info__platform

str

-

remediation__ids

str

-

hostchain

str

tag

str

rawMessage

str

Tables 26-30

[edr.crowdstrike.falcon] [edr.crowdstrike.cannon] [edr.crowdstrike.cannon.associateindicator] [edr.crowdstrike.cannon.associatetreeidwithroot] [edr.crowdstrike.cannon.asepvalueupdate] [edr.crowdstrike.cannon.neighborlistip4]

Anchor
edr.crowdstrike.falcon
edr.crowdstrike.falcon
edr.crowdstrike.falcon

Field

Type

Extra Field

eventdate

timestamp

-

metadata_customerIDString

str

-

metadata_offset

int4

-

metadata_eventType

str

-

metadata_eventCreationTime

int8

-

metadata_version

str

-

event_ProcessStartTime

int4

-

event_ProcessEndTime

int4

-

event_ProcessId

int8

-

event_ParentProcessId

int8

-

event_ComputerName

str

-

event_UserName

str

-

event_DetectName

str

-

event_DetectDescription

str

-

event_Severity

int4

-

event_SeverityName

str

-

event_FileName

str

-

event_FilePath

str

-

event_CommandLine

str

-

event_SHA256String

str

-

event_MD5String

str

-

event_SHA1String

str

-

event_MachineDomain

str

-

event_ExecutablesWritten

str

-

event_FalconHostLink

str

-

event_SensorId

str

-

event_IOCType

str

-

event_IOCValue

str

-

event_DetectId

str

-

event_new_state

str

-

event_quarantined_file_id

str

-

event_action_taken

str

-

event_target_name

str

-

event_LocalIP

str

-

event_MACAddress

str

-

event_Tactic

str

-

event_Technique

str

-

event_Objective

str

-

event_group_id

str

-

event_group_name

str

-

event_old_group_name

str

-

event_group_description

str

-

event_old_group_description

str

-

event_group_assignment_rule

str

-

event_old_group_assignment_rule

str

-

event_policy_id

str

-

event_policy_name

str

-

event_old_policy_name

str

-

event_policy_description

str

-

event_policy_type

str

-

event_policy_enabled

bool

-

event_policy_platform

str

-

event_policy_assignment_rule

str

-

event_policy_settings_ReleaseID

str

-

event_old_policy_settings_ReleaseID

str

-

event_policy_settings_UninstallProtection

str

-

event_UserId

str

-

event_UserIp

str

-

event_OperationName

str

-

event_ServiceName

str

-

event_Success

bool

-

event_UTCTimestamp

int8

-

event_UTCTimestamp_formatted

timestamp

-

event_ScanResults_Engine_str

str

-

event_ScanResults_ResultName_str

str

-

event_ScanResults_Version_str

str

-

event_ScanResults_Detected_str

str

-

event_PatternDispositionDescription

str

-

event_PatternDispositionValue

int4

-

event_PatternDispositionFlags_Indicator

bool

-

event_PatternDispositionFlags_Detect

bool

-

event_PatternDispositionFlags_InddetMask

bool

-

event_PatternDispositionFlags_SensorOnly

bool

-

event_PatternDispositionFlags_Rooting

bool

-

event_PatternDispositionFlags_KillProcess

bool

-

event_PatternDispositionFlags_KillSubProcess

bool

-

event_PatternDispositionFlags_QuarantineMachine

bool

-

event_PatternDispositionFlags_QuarantineFile

bool

-

event_PatternDispositionFlags_PolicyDisabled

bool

-

event_PatternDispositionFlags_KillParent

bool

-

event_PatternDispositionFlags_OperationBlocked

bool

-

event_PatternDispositionFlags_ProcessBlocked

bool

-

event_ParentImageFileName

str

-

event_ParentCommandLine

str

-

event_GrandparentImageFileName

str

-

event_GrandparentCommandLine

str

-

event_QuarantineFiles_ImageFileName_str

str

-

event_QuarantineFiles_SHA256HashData_str

str

-

message

str

-

hostchain

str

tag

str

rawMessage

str

-

Anchor
edr.crowdstrike.cannon
edr.crowdstrike.cannon
edr.crowdstrike.cannon

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

str

-

cid

str

-

event_platform

str

-

event_type

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

AuthenticationId

str

-

CommandLine

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

FullFilePath

str

-

FilePath

str

-

FileName

str

-

ImageFileName

str

-

ImageSubsystem

str

-

IntegrityLevel

str

-

MD5HashData

str

-

ParentAuthenticationId

str

-

ParentProcessId

str

-

ProcessCreateFlags

str

-

ProcessEndTime

str

-

ProcessParameterFlags

str

-

ProcessStartTime

str

-

ProcessSxsFlags

str

-

RawProcessId

str

-

SHA1HashData

str

-

SHA256HashData

str

-

SourceProcessId

str

-

SourceThreadId

str

-

TargetFileName

str

-

TargetProcessId

str

-

SessionProcessId

str

-

TokenType

str

-

UserSid

str

-

ComputerName

str

-

ClientComputerName

str

-

FirstIP4Record

str

-

PhysicalAddress

str

-

ContextProcessId

str

-

LocalAddressIP4

ip4

-

LocalPort

str

-

Protocol

str

-

RemoteAddressIP4

ip4

-

RemotePort

str

-

hostchain

str

tag

str

tagGroup

str

-

rawMessage

str

-

edr.crowdstrike.cannon.associateindicator

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

ConfigBuild

str

-

PatternDisposition

str

-

event_platform

str

-

TargetProcessId

str

-

PatternId

str

-

Entitlements

str

-

name

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.cannon.associatetreeidwithroot

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

ConfigBuild

str

-

PatternDisposition

str

-

event_platform

str

-

TargetProcessId

str

-

TreeId

str

-

PatternId

str

-

Entitlements

str

-

name

str

-

TreeRoot

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.cannon.asepvalueupdate

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

AsepClass

str

-

AsepFlags

str

-

AsepIndex

str

-

AsepValueType

str

-

AuthenticationId

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

Data1

str

-

EffectiveTransmissionClass

str

-

RegStringValue

str

-

Entitlements

str

-

RegNumericValue

str

-

RegObjectName

str

-

RegOperationType

str

-

RegType

str

-

RegValueName

str

-

TokenType

str

-

RegBinaryValue

str

-

TargetFileName

str

-

hostchain

str

tag

str

rawMessage

str

-

Tables 31 - 35

[edr.crowdstrike.cannon.channelversionrequired] [edr.crowdstrike.cannon.detectionexcluded] [edr.crowdstrike.cannon.dnsrequest] [edr.crowdstrike.cannon.endofprocess]

edr.crowdstrike.cannon.channelversionrequired

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ChannelId

str

-

ChannelVersion

str

-

ChannelVersionRequired

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

hostchain

str

tag

str

rawMessage

str

-

edr.crowdstrike.cannon.detectionexcluded

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

BoundingLimitCount

str

-

ConfigBuild

str

-

event_platform

str

-

CommandLine

str

-

TargetProcessId

str

-

PatternId

str

-

ImageFileName

str

-

ExclusionType

str

-

Entitlements

str

-

name

str

-

ExclusionSource

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.cannon.dnsrequest

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

DomainName

str

-

Entitlements

str

-

RequestType

str

-

DnsResponseType

str

-

IP4Records

str

-

FirstIP4Record

str

-

CNAMERecords

str

-

IP6Records

str

-

FirstIP6Record

str

-

QueryStatus

str

-

DualRequest

str

-

RespondingDnsServer

str

-

DnsRequestCount

str

-

InterfaceIndex

str

-

EffectiveTransmissionClass

str

-

BoundingLimitCount

str

-

BoundingLimitDuration

str

-

TreeId

str

-

hostchain

str

tag

str

rawMessage

str

-

edr.crowdstrike.cannon.endofprocess

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ActivePrivilegeEscalationCount

str

-

AsepWrittenCount

str

-

BinaryExecutableWrittenCount

str

-

CLICreationCount

str

-

ConHostId

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

CycleTime

str

-

DirectoryCreatedCount

str

-

DirectoryEnumeratedCount

str

-

DnsRequestCount

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

ExeAndServiceCount

str

-

ExecutableDeletedCount

str

-

ExitCode

str

-

FileDeletedCount

str

-

InjectedDllCount

str

-

InjectedThreadCount

str

-

KernelTime

str

-

MaxThreadCount

str

-

NamedObjectCount

str

-

NetworkBindCount

str

-

NetworkCapableAsepWriteCount

str

-

NetworkCloseCount

str

-

NetworkConnectCount

str

-

NetworkConnectCountUdp

str

-

NetworkListenCount

str

-

NetworkRecvAcceptCount

str

-

NewExecutableWrittenCount

str

-

PrivilegedProcessHandleCount

str

-

RawProcessId

str

-

RegKeySecurityDecreasedCount

str

-

RunDllInvocationCount

str

-

ScriptEngineInvocationCount

str

-

ServiceEventCount

str

-

SHA256HashData

str

-

SnapshotFileOpenCount

str

-

SuspectStackCount

str

-

SuspiciousCredentialModuleLoadCount

str

-

SuspiciousDnsRequestCount

str

-

SuspiciousRawDiskReadCount

str

-

TargetProcessId

str

-

UnsignedModuleLoadCount

str

-

UserMemoryAllocateExecutableCount

str

-

UserMemoryAllocateExecutableRemoteCount

str

-

UserMemoryProtectExecutableCount

str

-

UserMemoryProtectExecutableRemoteCount

str

-

UserSid

str

-

UserTime

str

-

hostchain

str

tag

str

rawMessage

str

-

edr.crowdstrike.cannon.neighborlistip4

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

InterfaceIndex

str

-

NeighborList

str

-

hostchain

str

tag

str

rawMessage

str

-