...
Introduction
The tags beginning with edr.crowdstrike identify events generated by Crowdstrike.
...
The full tag must have 3 levels. The first two are fixed asedr.crowdstrike. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
...