
The tags beginning with cef0.crowdstrike identify events in CEF format generated by CrowdStrike Falcon Host.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags                          Data tables
cef0.crowdstrike.falconhost   cef0.crowdstrike.falconhost

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

cef0.crowdstrike.falconhost

Field                            Type        Source field name   Extra fields
eventdate                        timestamp
priorityCode                     str
cefTag                           str
cefVersion                       str
embDeviceVendor                  str
embDeviceProduct                 str
deviceVersion                    str
signatureID                      str
name                             str
severity                         str
PolicyNameLabel                  str
cat                              str
cmdLine                          str
cmdLineLabel                     str
cn1                              int8
cn1Label                         str
cn2                              int8
cn2Label                         str
cn3                              int8
cn3Label                         str
connectionDirection              str
connectionDirectionLabel         str
cs1                              str
cs1Label                         str
cs6                              str
cs6Label                         str
deviceCustomDate1                timestamp
deviceCustomDate1Label           str
deviceId                         str
dhost                            str
eventType                        str
externalID                       str
fileHash                         str
filePath                         str
fname                            str
hostName                         str
icmpCodeLabel                    str
imageFileName                    str
imageFileNameLabel               str
ipVLabel                         str
localAddress                     str
localAddressLabel                str
localPort                        str
localPortLabel                   str
matchCount                       str
matchCountLabel                  str
matchCountSinceLastReport        str
matchCountSinceLastReportLabel   str
msg                              str
networkProfile                   str
networkProfileLabel              str
protocol                         str
protocolLabel                    str
remoteAddress                    str
remoteAddressLabel               str
remotePort                       str
remotePortLabel                  str
rt                               timestamp
ruleAction                       str
ruleActionLabel                  str
ruleDescriptionLabel             str
ruleGroupName                    str
ruleGroupNameLabel               str
ruleName                         str
ruleNameLabel                    str
shost                            str
sntdom                           str
statusLabel                      str
suser                            str
duser                            str
rawMessage                       str
tag                              str         cefTag
hostchain                        str
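The tag rule from the Tag structure section (the table is named cef0.deviceVendor.deviceProduct) and the header-to-column mapping in the table above, worked through in code. This is an added example, not Devo's or CrowdStrike's own parser: the sample event is constructed, the column names are the ones listed above, and the tag normalisation (lowercase, characters outside a-z and 0-9 dropped) is an assumption, since the page only states that the table is named after the vendor and product.

```python
import re
from typing import Dict, List

# Constructed sample event (illustrative values, not taken from the page).
# Vendor and product match the table name; cn1/cs1 carry the label pairs
# that the cn1Label/cs1Label columns describe.
SAMPLE_EVENT = (
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|8|"
    "cat=NewBehavior cn1=12345 cn1Label=DetectId cs1=Standard Policy cs1Label=PolicyName "
    "fileHash=0123456789abcdef filePath=C:\\\\Windows\\\\Temp\\\\x.exe "
    "msg=key\\=value seen suser=jdoe dhost=WS01"
)

# The seven CEF header positions, named after the table columns on this page.
HEADER_COLUMNS = ["cefVersion", "embDeviceVendor", "embDeviceProduct",
                  "deviceVersion", "signatureID", "name", "severity"]


def _split_unescaped(text: str, sep: str, limit: int) -> List[str]:
    """Split on `sep` unless it is backslash-escaped; escape pairs are kept intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the two-char escape for _unescape
            i += 2
            continue
        if ch == sep and len(parts) < limit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash before |, = or \\ yields that character;
    \\n and \\r yield the newline characters."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=v2 ...' where values may contain spaces and escaped '='."""
    chunks = _split_unescaped(ext, "=", limit=len(ext))
    if len(chunks) < 2:
        return {}
    fields: Dict[str, str] = {}
    key = chunks[0].strip()
    for chunk in chunks[1:-1]:
        # Everything before the last space is the value; the last token is the next key.
        value, _, next_key = chunk.rpartition(" ")
        fields[key] = _unescape(value)
        key = next_key
    fields[key] = _unescape(chunks[-1])
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    """Return a flat dict keyed by the page's column names (header + extension keys)."""
    parts = _split_unescaped(line.strip(), "|", limit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 line")
    parts[0] = parts[0][len("CEF:"):]          # "CEF:0" -> "0"
    record = {col: _unescape(val) for col, val in zip(HEADER_COLUMNS, parts[:7])}
    record.update(parse_extension(parts[7]))
    return record


def devo_tag(record: Dict[str, str]) -> str:
    """Assumed normalisation: lowercase vendor/product with non-alphanumerics dropped."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())
    return f"cef0.{norm(record['embDeviceVendor'])}.{norm(record['embDeviceProduct'])}"


def resolve_labels(record: Dict[str, str]) -> Dict[str, str]:
    """Map each custom field's *Label value to the field's value, e.g. DetectId -> 12345."""
    resolved: Dict[str, str] = {}
    for key, label in record.items():
        if key.endswith("Label") and key[:-len("Label")] in record:
            resolved[label] = record[key[:-len("Label")]]
    return resolved


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_EVENT)
    print(devo_tag(rec))
    print(rec["severity"], rec["msg"], rec["filePath"])
    print(resolve_labels(rec))
```

resolve_labels is the part worth keeping at hand when querying this table: the cnN, csN and deviceCustomDate1 columns only mean something together with their Label columns, which state what each custom value holds, so a query that filters on cn1 without checking cn1Label can match unrelated event types.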