Page Comparison

...

How is the data sent to Devo?

...

Rw ui tabs macro

Rw tab

title	Tables 1-5

[edr.crowdstrike.falconstreaming.agents] [edr.crowdstrike.falconstreaming.auth_activity] [edr.crowdstrike.falconstreaming.behaviors] [edr.crowdstrike.falconstreaming.customer_ioc] [edr.crowdstrike.falconstreaming.detection_summary]

Anchor
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
device_id	`str`	-
cid	`str`	-
agent_load_flags	`str`	-
agent_local_time	`timestamp`	-
agent_version	`str`	-
bios_manufacturer	`str`	-
bios_version	`str`	-
build_number	`str`	-
config_id_base	`str`	-
config_id_build	`str`	-
config_id_platform	`str`	-
cpu_signature	`str`	-
external_ip	`ip4`	-
mac_address	`str`	-
hostname2	`str`	-
first_seen	`timestamp`	-
last_seen	`timestamp`	-
local_ip	`ip4`	-
major_version	`str`	-
minor_version	`str`	-
os_version	`str`	-
os_build	`str`	-
platform_id	`str`	-
platform_name	`str`	-
policies	`str`	-
reduced_functionality_mode	`str`	-
device_policies__prevention__policy_type	`str`	-
device_policies__prevention__policy_id	`str`	-
device_policies__prevention__applied	`bool`	-
device_policies__prevention__settings_hash	`str`	-
device_policies__prevention__assigned_date	`str`	-
device_policies__prevention__applied_date	`str`	-
device_policies__prevention__rule_groups	`str`	-
device_policies__sensor_update__policy_type	`str`	-
device_policies__sensor_update__policy_id	`str`	-
device_policies__sensor_update__applied	`bool`	-
device_policies__sensor_update__settings_hash	`str`	-
device_policies__sensor_update__assigned_date	`str`	-
device_policies__sensor_update__applied_date	`str`	-
device_policies__sensor_update__uninstall_protection	`str`	-
device_policies__device_control__policy_type	`str`	-
device_policies__device_control__policy_id	`str`	-
device_policies__device_control__applied	`bool`	-
device_policies__device_control__assigned_date	`str`	-
device_policies__device_control__applied_date	`str`	-
device_policies__global_config__policy_type	`str`	-
device_policies__global_config__policy_id	`str`	-
device_policies__global_config__applied	`bool`	-
device_policies__global_config__settings_hash	`str`	-
device_policies__global_config__assigned_date	`str`	-
device_policies__global_config__applied_date	`str`	-
device_policies__remote_response__policy_type	`str`	-
device_policies__remote_response__policy_id	`str`	-
device_policies__remote_response__applied	`bool`	-
device_policies__remote_response__settings_hash	`str`	-
device_policies__remote_response__assigned_date	`str`	-
device_policies__remote_response__applied_date	`str`	-
device_policies__firewall__policy_type	`str`	-
device_policies__firewall__policy_id	`str`	-
device_policies__firewall__applied	`bool`	-
device_policies__firewall__assigned_date	`str`	-
device_policies__firewall__applied_date	`str`	-
device_policies__firewall__rule_set_id	`str`	-
groups	`str`	-
group_hash	`str`	-
product_type	`str`	-
product_type_desc	`str`	-
provision_status	`str`	-
serial_number	`str`	-
service_pack_major	`str`	-
service_pack_minor	`str`	-
pointer_size	`str`	-
status	`str`	-
system_manufacturer	`str`	-
system_product_name	`str`	-
tags	`str`	-
modified_timestamp	`timestamp`	-
slow_changing_modified_timestamp	`timestamp`	-
meta__version	`str`	-
instance_id	`str`	-
service_provider	`str`	-
service_provider_account_id	`str`	-
machine_domain	`str`	-
ou	`str`	-
site_name	`str`	-
zone_group	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
target_name	`str`	-
target_user_uuid	`str`	-
target_cid	`str`	-
roles	`str`	-
scope	`str`	-
actor_user	`str`	-
actor_user_uuid	`str`	-
actor_cid	`str`	-
subscriptions	`str`	-
APIClientID	`str`	-
appId	`str`	-
eventType2	`str`	-
partition	`str`	-
offset2	`str`	-
id	`str`	-
name	`str`	-
trace_id	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Field	Type	Extra Label
eventdate	`timestamp`	-
hostname	`str`	-
behavior_id	`str`	-
detection_ids	`str`	-
cid	`str`	-
aid	`str`	-
pattern_id	`int4`	-
template_instance_id	`int4`	-
timestamp	`timestamp`	-
cmdline	`str`	-
filepath	`str`	-
domain	`str`	-
pattern_disposition	`int4`	-
pattern_disposition_details__indicator	`bool`	-
pattern_disposition_details__detect	`bool`	-
pattern_disposition_details__inddet_mask	`bool`	-
pattern_disposition_details__sensor_only	`bool`	-
pattern_disposition_details__rooting	`bool`	-
pattern_disposition_details__kill_process	`bool`	-
pattern_disposition_details__kill_subprocess	`bool`	-
pattern_disposition_details__quarantine_machine	`bool`	-
pattern_disposition_details__quarantine_file	`bool`	-
pattern_disposition_details__policy_disabled	`bool`	-
pattern_disposition_details__kill_parent	`bool`	-
pattern_disposition_details__operation_blocked	`bool`	-
pattern_disposition_details__process_blocked	`bool`	-
pattern_disposition_details__registry_operation_blocked	`bool`	-
pattern_disposition_details__critical_process_disabled	`bool`	-
pattern_disposition_details__bootup_safeguard_enabled	`bool`	-
pattern_disposition_details__fs_operation_blocked	`bool`	-
pattern_disposition_details__handle_operation_downgraded	`bool`	-
pattern_disposition_details__kill_action_failed	`bool`	-
pattern_disposition_details__blocking_unsupported_or_disabled	`bool`	-
pattern_disposition_details__suspend_process	`bool`	-
pattern_disposition_details__suspend_parent	`bool`	-
sha256	`str`	-
user_name	`str`	-
tactic	`str`	-
tactic_id	`str`	-
technique	`str`	-
technique_id	`str`	-
objective	`str`	-
compound_tto	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
AgentIdString	`str`	-
DeviceId	`str`	-
ComputerName	`str`	-
ProcessId	`str`	-
ParentProcessId	`str`	-
ProcessStartTime	`timestamp`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
MD5String	`str`	-
SHA256String	`str`	-
DomainName	`str`	-
IPv4	`str`	-
IPv6	`str`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 6-10

[edr.crowdstrike.falconstreaming.external_api] [edr.crowdstrike.falconstreaming.firewall_match] [edr.crowdstrike.falconstreaming.identity_protection] [edr.crowdstrike.falconstreaming.idp_detection_summary] [edr.crowdstrike.falconstreaming.incidents]

Anchor
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
deviceId	`str`	-
customerId	`str`	-
ipv	`str`	-
commandLine	`str`	-
connectionDirection	`str`	-
evEventType	`str`	-
flag_audit	`bool`	-
flag_log	`bool`	-
flag_monitor	`bool`	-
hostName	`str`	-
icmpCode	`str`	-
icmpType	`str`	-
imageFileName	`str`	-
localAddress	`ip4`	-
localPort	`str`	-
matchCount	`int4`	-
matchCountSinceLastReport	`int4`	-
networkProfile	`str`	-
pid	`str`	-
policyName	`str`	-
policyID	`str`	-
protocol	`str`	-
remoteAddress	`ip4`	-
remotePort	`str`	-
ruleAction	`str`	-
ruleDescription	`str`	-
ruleFamilyID	`str`	-
ruleGroupName	`str`	-
ruleName	`str`	-
ruleId	`str`	-
status	`str`	-
timestamp	`timestamp`	-
treeID	`str`	-
platform	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
dr.crowdstrike.falconstreaming.identity_protection
dr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
incidentType	`str`	-
incidentDescription	`str`	-
severity	`int4`	-
severityName	`str`	-
startTime	`timestamp`	-
endTime	`timestamp`	-
identityProtectionIncidentId	`str`	-
userName	`str`	-
endpointName	`str`	-
endpointIp	`str`	-
category	`str`	-
numbersOfAlerts	`int4`	-
numberOfCompromisedEntities	`int4`	-
state	`str`	-
falconHostLink	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
contextTimeStamp	`int8`	-
detectId	`str`	-
detectName	`str`	-
detectDescription	`str`	-
falconHostLink	`str`	-
startTime	`int8`	-
endTime	`int8`	-
severity	`int4`	-
tactic	`str`	-
technique	`str`	-
objective	`str`	-
sourceAccountDomain	`str`	-
sourceAccountName	`str`	-
sourceAccountObjectSid	`str`	-
sourceEndpointAccountObjectGuid	`str`	-
sourceEndpointAccountObjectSid	`str`	-
sourceEndpointHostName	`str`	-
sourceEndpointIpAddress	`ip4`	-
sourceEndpointSensorId	`str`	-
activityId	`str`	-
patternId	`int4`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
incident_id	`str`	-
incident_type	`int4`	-
cid	`str`	-
host_ids	`str`	-
hosts	`str`	-
created	`timestamp`	-
start	`timestamp`	-
end	`timestamp`	-
state	`str`	-
status	`int4`	-
tactics	`str`	-
techniques	`str`	-
objectives	`str`	-
fine_score	`int4`	-
lmra_host_ids	`str`	-
lm_types	`int4`	-
tags	`str`	-
modified_timestamp	`str`	-
users	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 11-15

[edr.crowdstrike.falconstreaming.incident_summary] [edr.crowdstrike.falconstreaming.mobile_detection_summary] [edr.crowdstrike.falconstreaming.other] [edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.remote_response_session]

Anchor
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
State	`str`	-
IncidentID	`str`	-
IncidentStartTime	`timestamp`	-
IncidentEndTime	`timestamp`	-
FineScore	`float8`	-
FalconHostLink	`str`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
sensorId	`str`	-
mobileDetectionId	`int4`	-
computerName	`str`	-
userName	`str`	-
contextTimeStamp	`timestamp`	-
detectId	`str`	-
detectName	`str`	-
detectDescription	`str`	-
tactic	`str`	-
tacticId	`str`	-
technique	`str`	-
techniqueId	`str`	-
objective	`str`	-
severity	`int4`	-
falconHostLink	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Field	Type	Extra Field
eventdate	`timestamp`	-
eventType	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
notificationId	`str`	-
highlights_str	`str`	-
matchedTimestamp	`timestamp`	-
ruleId	`str`	-
ruleName	`str`	-
ruleTopic	`str`	-
rulePriority	`str`	-
itemId	`str`	-
itemType	`str`	-
itemPostedTimestamp	`timestamp`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
SessionId	`str`	-
UserName	`str`	-
HostnameField	`str`	-
StartTimestamp	`timestamp`	-
EndTimestamp	`timestamp`	-
Commands	`json`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

Rw tab

title	Tables 16-20

[edr.crowdstrike.falconstreaming.user_activity_groups] [edr.crowdstrike.falconstreaming.user_activity_groups][edr.crowdstrike.falconstreaming.user_activity_quarantined_files] [edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy] [edr.crowdstrike.falconstreaming.user_activity_other]

Anchor
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
userUUID	`str`	-
userID	`str`	-
executionID	`str`	-
reportID	`str`	-
reportName	`str`	-
reportType	`str`	-
reportFileReference	`str`	-
status	`int4`	-
statusMessage	`str`	-
executionStart	`timestamp`	-
executionDuration	`int4`	-
reportFileName	`str`	-
resultCount	`int4`	-
resultID	`str`	-
searchWindowStart	`timestamp`	-
searchWindowEnd	`timestamp`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
group_id	`str`	-
group_name	`str`	-
group_description	`str`	-
group_assignment_rule	`str`	-
old_group_assignment_rule	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
UserId	`str`	-
UserIp	`ip4`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 21-25

[edr.crowdstrike.falconstreaming.recon_notification_summary] [edr.crowdstrike.falconstreaming.user_activity_devices] [edr.crowdstrike.falconstreaming.user_activity_prevention_policy] [edr.crowdstrike.falconstreaming.user_activity_ip_whitelist] [edr.crowdstrike.falconstreaming.vulnerabilities]

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
notificationId	`str`	-
highlights_str	`str`	-
matchedTimestamp	`timestamp`	-
ruleId	`str`	-
ruleName	`str`	-
ruleTopic	`str`	-
rulePriority	`str`	-
itemId	`str`	-
itemType	`str`	-
itemPostedTimestamp	`timestamp`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
SensorId	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
policy_id	`str`	-
devices_affected	`str`	-
policy_priority	`str`	-
old_policy_priority	`str`	-
policy_name	`str`	-
policy_description	`str`	-
policy_platform	`str`	-
policy_type	`str`	-
policy_assignment_rule	`str`	-
policy_enabled	`str`	-
policy_settings_AdwareExecution	`str`	-
old_policy_settings_AdwareExecution	`str`	-
policy_settings_ApplicationExploitationActivity	`str`	-
old_policy_settings_ApplicationExploitationActivity	`str`	-
policy_settings_BackupDeletion	`str`	-
old_policy_settings_BackupDeletion	`str`	-
policy_settings_ChopperWebshell	`str`	-
old_policy_settings_ChopperWebshell	`str`	-
policy_settings_Cryptowall	`str`	-
old_policy_settings_Cryptowall	`str`	-
policy_settings_CustomBlacklisting	`str`	-
old_policy_settings_CustomBlacklisting	`str`	-
policy_settings_DriveByDownload	`str`	-
old_policy_settings_DriveByDownload	`str`	-
policy_settings_FileAnalysis	`str`	-
old_policy_settings_FileAnalysis	`str`	-
policy_settings_FileAttributeAnalysis	`str`	-
old_policy_settings_FileAttributeAnalysis	`str`	-
policy_settings_FileEncryption	`str`	-
old_policy_settings_FileEncryption	`str`	-
policy_settings_ForceASLR	`str`	-
old_policy_settings_ForceASLR	`str`	-
policy_settings_ForceDEP	`str`	-
old_policy_settings_ForceDEP	`str`	-
policy_settings_HeapSprayPreallocation	`str`	-
old_policy_settings_HeapSprayPreallocation	`str`	-
policy_settings_Locky	`str`	-
old_policy_settings_Locky	`str`	-
policy_settings_WindowsLogonBypassStickyKeys	`str`	-
old_policy_settings_WindowsLogonBypassStickyKeys	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities

Field	Type	Extra Label
eventdate	`timestamp`	-
hostname	`str`	-
id	`str`	-
cid	`str`	-
aid	`str`	-
created_timestamp	`timestamp`	-
closed_timestamp	`timestamp`	-
updated_timestamp	`timestamp`	-
status	`str`	-
cve__id	`str`	-
cve__base_score	`float8`	-
cve__severity	`str`	-
cve__exploit_status	`int4`	-
app__product_name_version	`str`	-
apps	`str`	-
host_info__hostname	`str`	-
host_info__local_ip	`ip4`	-
host_info__machine_domain	`str`	-
host_info__os_version	`str`	-
host_info__ou	`str`	-
host_info__site_name	`str`	-
host_info__system_manufacturer	`str`	-
host_info__groups	`str`	-
host_info__tags	`str`	-
host_info__platform	`str`	-
remediation__ids	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 26-30

[edr.crowdstrike.falcon] [edr.crowdstrike.cannon] [edr.crowdstrike.cannon.associateindicator] [edr.crowdstrike.cannon.associatetreeidwithroot] [edr.crowdstrike.cannon.asepvalueupdate] [edr.crowdstrike.cannon.neighborlistip4]

Anchor
edr.crowdstrike.falcon
edr.crowdstrike.falcon
edr.crowdstrike.falcon

Field	Type	Extra Field
eventdate	`timestamp`	-
metadata_customerIDString	`str`	-
metadata_offset	`int4`	-
metadata_eventType	`str`	-
metadata_eventCreationTime	`int8`	-
metadata_version	`str`	-
event_ProcessStartTime	`int4`	-
event_ProcessEndTime	`int4`	-
event_ProcessId	`int8`	-
event_ParentProcessId	`int8`	-
event_ComputerName	`str`	-
event_UserName	`str`	-
event_DetectName	`str`	-
event_DetectDescription	`str`	-
event_Severity	`int4`	-
event_SeverityName	`str`	-
event_FileName	`str`	-
event_FilePath	`str`	-
event_CommandLine	`str`	-
event_SHA256String	`str`	-
event_MD5String	`str`	-
event_SHA1String	`str`	-
event_MachineDomain	`str`	-
event_ExecutablesWritten	`str`	-
event_FalconHostLink	`str`	-
event_SensorId	`str`	-
event_IOCType	`str`	-
event_IOCValue	`str`	-
event_DetectId	`str`	-
event_new_state	`str`	-
event_quarantined_file_id	`str`	-
event_action_taken	`str`	-
event_target_name	`str`	-
event_LocalIP	`str`	-
event_MACAddress	`str`	-
event_Tactic	`str`	-
event_Technique	`str`	-
event_Objective	`str`	-
event_group_id	`str`	-
event_group_name	`str`	-
event_old_group_name	`str`	-
event_group_description	`str`	-
event_old_group_description	`str`	-
event_group_assignment_rule	`str`	-
event_old_group_assignment_rule	`str`	-
event_policy_id	`str`	-
event_policy_name	`str`	-
event_old_policy_name	`str`	-
event_policy_description	`str`	-
event_policy_type	`str`	-
event_policy_enabled	`bool`	-
event_policy_platform	`str`	-
event_policy_assignment_rule	`str`	-
event_policy_settings_ReleaseID	`str`	-
event_old_policy_settings_ReleaseID	`str`	-
event_policy_settings_UninstallProtection	`str`	-
event_UserId	`str`	-
event_UserIp	`str`	-
event_OperationName	`str`	-
event_ServiceName	`str`	-
event_Success	`bool`	-
event_UTCTimestamp	`int8`	-
event_UTCTimestamp_formatted	`timestamp`	-
event_ScanResults_Engine_str	`str`	-
event_ScanResults_ResultName_str	`str`	-
event_ScanResults_Version_str	`str`	-
event_ScanResults_Detected_str	`str`	-
event_PatternDispositionDescription	`str`	-
event_PatternDispositionValue	`int4`	-
event_PatternDispositionFlags_Indicator	`bool`	-
event_PatternDispositionFlags_Detect	`bool`	-
event_PatternDispositionFlags_InddetMask	`bool`	-
event_PatternDispositionFlags_SensorOnly	`bool`	-
event_PatternDispositionFlags_Rooting	`bool`	-
event_PatternDispositionFlags_KillProcess	`bool`	-
event_PatternDispositionFlags_KillSubProcess	`bool`	-
event_PatternDispositionFlags_QuarantineMachine	`bool`	-
event_PatternDispositionFlags_QuarantineFile	`bool`	-
event_PatternDispositionFlags_PolicyDisabled	`bool`	-
event_PatternDispositionFlags_KillParent	`bool`	-
event_PatternDispositionFlags_OperationBlocked	`bool`	-
event_PatternDispositionFlags_ProcessBlocked	`bool`	-
event_ParentImageFileName	`str`	-
event_ParentCommandLine	`str`	-
event_GrandparentImageFileName	`str`	-
event_GrandparentCommandLine	`str`	-
event_QuarantineFiles_ImageFileName_str	`str`	-
event_QuarantineFiles_SHA256HashData_str	`str`	-
message	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon
edr.crowdstrike.cannon
edr.crowdstrike.cannon

Field	Type	Extra Label
eventdate	`timestamp`	-
aid	`str`	-
aip	`str`	-
cid	`str`	-
event_platform	`str`	-
event_type	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
AuthenticationId	`str`	-
CommandLine	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
FullFilePath	`str`	-
FilePath	`str`	-
FileName	`str`	-
ImageFileName	`str`	-
ImageSubsystem	`str`	-
IntegrityLevel	`str`	-
MD5HashData	`str`	-
ParentAuthenticationId	`str`	-
ParentProcessId	`str`	-
ProcessCreateFlags	`str`	-
ProcessEndTime	`str`	-
ProcessParameterFlags	`str`	-
ProcessStartTime	`str`	-
ProcessSxsFlags	`str`	-
RawProcessId	`str`	-
SHA1HashData	`str`	-
SHA256HashData	`str`	-
SourceProcessId	`str`	-
SourceThreadId	`str`	-
TargetFileName	`str`	-
TargetProcessId	`str`	-
SessionProcessId	`str`	-
TokenType	`str`	-
UserSid	`str`	-
ComputerName	`str`	-
ClientComputerName	`str`	-
FirstIP4Record	`str`	-
PhysicalAddress	`str`	-
ContextProcessId	`str`	-
LocalAddressIP4	`ip4`	-
LocalPort	`str`	-
Protocol	`str`	-
RemoteAddressIP4	`ip4`	-
RemotePort	`str`	-
hostchain	`str`	✓
tag	`str`	✓
tagGroup	`str`	-
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.associateindicator
edr.crowdstrike.cannon.associateindicator
edr.crowdstrike.cannon.associateindicator

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
event_simpleName	`str`	-
ContextTimeStamp	`str`	-
ConfigStateHash	`str`	-
aip	`ip4`	-
SessionProcessId	`str`	-
ConfigBuild	`str`	-
PatternDisposition	`str`	-
event_platform	`str`	-
TargetProcessId	`str`	-
PatternId	`str`	-
Entitlements	`str`	-
name	`str`	-
id	`str`	-
EffectiveTransmissionClass	`str`	-
aid	`str`	-
timestamp	`str`	-
cid	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.cannon.associatetreeidwithroot
edr.crowdstrike.cannon.associatetreeidwithroot
edr.crowdstrike.cannon.associatetreeidwithroot

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
event_simpleName	`str`	-
ContextTimeStamp	`str`	-
ConfigStateHash	`str`	-
aip	`ip4`	-
SessionProcessId	`str`	-
ConfigBuild	`str`	-
PatternDisposition	`str`	-
event_platform	`str`	-
TargetProcessId	`str`	-
TreeId	`str`	-
PatternId	`str`	-
Entitlements	`str`	-
name	`str`	-
TreeRoot	`str`	-
id	`str`	-
EffectiveTransmissionClass	`str`	-
aid	`str`	-
timestamp	`str`	-
cid	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.cannon.asepvalueupdate
edr.crowdstrike.cannon.asepvalueupdate
edr.crowdstrike.cannon.asepvalueupdate

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
AsepClass	`str`	-
AsepFlags	`str`	-
AsepIndex	`str`	-
AsepValueType	`str`	-
AuthenticationId	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ContextProcessId	`str`	-
ContextThreadId	`str`	-
ContextTimeStamp	`str`	-
Data1	`str`	-
EffectiveTransmissionClass	`str`	-
RegStringValue	`str`	-
Entitlements	`str`	-
RegNumericValue	`str`	-
RegObjectName	`str`	-
RegOperationType	`str`	-
RegType	`str`	-
RegValueName	`str`	-
TokenType	`str`	-
RegBinaryValue	`str`	-
TargetFileName	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Rw tab

title	Tables 31 - 35

[edr.crowdstrike.cannon.channelversionrequired] [edr.crowdstrike.cannon.detectionexcluded] [edr.crowdstrike.cannon.dnsrequest] [edr.crowdstrike.cannon.endofprocess] [edr.crowdstrike.cannon.detectionexcluded]

Anchor
edr.crowdstrike.cannon.channelversionrequired
edr.crowdstrike.cannon.channelversionrequired
edr.crowdstrike.cannon.channelversionrequired

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ChannelId	`str`	-
ChannelVersion	`str`	-
ChannelVersionRequired	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

edr.crowdstrike.cannon.detectionexcluded

Anchor
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
event_simpleName	`str`	-
ContextTimeStamp	`str`	-
ConfigStateHash	`str`	-
aip	`ip4`	-
SessionProcessId	`str`	-
BoundingLimitCount	`str`	-
ConfigBuild	`str`	-
event_platform	`str`	-
CommandLine	`str`	-
TargetProcessId	`str`	-
PatternId	`str`	-
ImageFileName	`str`	-
ExclusionType	`str`	-
Entitlements	`str`	-
name	`str`	-
ExclusionSource	`str`	-
id	`str`	-
EffectiveTransmissionClass	`str`	-
aid	`str`	-
timestamp	`str`	-
cid	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.cannon.dnsrequest
edr.crowdstrike.cannon.dnsrequest
edr.crowdstrike.cannon.dnsrequest

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ContextProcessId	`str`	-
ContextThreadId	`str`	-
ContextTimeStamp	`str`	-
DomainName	`str`	-
Entitlements	`str`	-
RequestType	`str`	-
DnsResponseType	`str`	-
IP4Records	`str`	-
FirstIP4Record	`str`	-
CNAMERecords	`str`	-
IP6Records	`str`	-
FirstIP6Record	`str`	-
QueryStatus	`str`	-
DualRequest	`str`	-
RespondingDnsServer	`str`	-
DnsRequestCount	`str`	-
InterfaceIndex	`str`	-
EffectiveTransmissionClass	`str`	-
BoundingLimitCount	`str`	-
BoundingLimitDuration	`str`	-
TreeId	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.endofprocess
edr.crowdstrike.cannon.endofprocess
edr.crowdstrike.cannon.endofprocess

Field	Type	Extra Label
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ActivePrivilegeEscalationCount	`str`	-
AsepWrittenCount	`str`	-
BinaryExecutableWrittenCount	`str`	-
CLICreationCount	`str`	-
ConHostId	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ContextProcessId	`str`	-
ContextThreadId	`str`	-
ContextTimeStamp	`str`	-
CycleTime	`str`	-
DirectoryCreatedCount	`str`	-
DirectoryEnumeratedCount	`str`	-
DnsRequestCount	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
ExeAndServiceCount	`str`	-
ExecutableDeletedCount	`str`	-
ExitCode	`str`	-
FileDeletedCount	`str`	-
InjectedDllCount	`str`	-
InjectedThreadCount	`str`	-
KernelTime	`str`	-
MaxThreadCount	`str`	-
NamedObjectCount	`str`	-
NetworkBindCount	`str`	-
NetworkCapableAsepWriteCount	`str`	-
NetworkCloseCount	`str`	-
NetworkConnectCount	`str`	-
NetworkConnectCountUdp	`str`	-
NetworkListenCount	`str`	-
NetworkRecvAcceptCount	`str`	-
NewExecutableWrittenCount	`str`	-
PrivilegedProcessHandleCount	`str`	-
RawProcessId	`str`	-
RegKeySecurityDecreasedCount	`str`	-
RunDllInvocationCount	`str`	-
ScriptEngineInvocationCount	`str`	-
ServiceEventCount	`str`	-
SHA256HashData	`str`	-
SnapshotFileOpenCount	`str`	-
SuspectStackCount	`str`	-
SuspiciousCredentialModuleLoadCount	`str`	-
SuspiciousDnsRequestCount	`str`	-
SuspiciousRawDiskReadCount	`str`	-
TargetProcessId	`str`	-
UnsignedModuleLoadCount	`str`	-
UserMemoryAllocateExecutableCount	`str`	-
UserMemoryAllocateExecutableRemoteCount	`str`	-
UserMemoryProtectExecutableCount	`str`	-
UserMemoryProtectExecutableRemoteCount	`str`	-
UserSid	`str`	-
UserTime	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.neighborlistip4
edr.crowdstrike.cannon.neighborlistip4
edr.crowdstrike.cannon.neighborlistip4

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
InterfaceIndex	`str`	-
NeighborList	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
event_simpleName	`str`	-
ContextTimeStamp	`str`	-
ConfigStateHash	`str`	-
aip	`ip4`	-
SessionProcessId	`str`	-
BoundingLimitCount	`str`	-
ConfigBuild	`str`	-
event_platform	`str`	-
CommandLine	`str`	-
TargetProcessId	`str`	-
PatternId	`str`	-
ImageFileName	`str`	-
ExclusionType	`str`	-
Entitlements	`str`	-
name	`str`	-
ExclusionSource	`str`	-
id	`str`	-
EffectiveTransmissionClass	`str`	-
aid	`str`	-
timestamp	`str`	-
cid	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 36-4142

[edr.crowdstrike.cannon.networkconnectip4] [edr.crowdstrike.cannon.other] [edr.crowdstrike.cannon.processrollup2] [edr.crowdstrike.cannon.sensorheartbeat] [edr.crowdstrike.cannon.processrollup2stats] [edr.crowdstrike.cannon.syntheticprocessrollup2] [edr.crowdstrike.falcon_spotlight.vulnerabilities]

Anchor
edr.crowdstrike.cannon.networkconnectip4
edr.crowdstrike.cannon.networkconnectip4
edr.crowdstrike.cannon.networkconnectip4

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ConnectionDirection	`str`	-
ConnectionFlags	`str`	-
ContextProcessId	`str`	-
ContextTimeStamp	`str`	-
Entitlements	`str`	-
InContext	`str`	-
LocalAddressIP4	`ip4`	-
LocalPort	`str`	-
Protocol	`str`	-
EffectiveTransmissionClass	`str`	-
RemoteAddressIP4	`ip4`	-
RemotePort	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.other
edr.crowdstrike.cannon.other
edr.crowdstrike.cannon.other

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ConnectionDirection	`str`	-
ConnectionFlags	`str`	-
ContextProcessId	`str`	-
ContextTimeStamp	`str`	-
Entitlements	`str`	-
InContext	`str`	-
LocalAddressIP4	`ip4`	-
LocalPort	`str`	-
Protocol	`str`	-
EffectiveTransmissionClass	`str`	-
RemoteAddressIP4	`ip4`	-
RemotePort	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.processrollup2
edr.crowdstrike.cannon.processrollup2
edr.crowdstrike.cannon.processrollup2

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
LinkName	`str`	-
AuthenticationId	`str`	-
CommandLine	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
FullFilePath	`str`	-
FilePath	`str`	-
ComputerName	`str`	-
UserName	`str`	-
FileName	`str`	-
ImageFileName	`str`	-
ImageSubsystem	`str`	-
IntegrityLevel	`str`	-
MD5HashData	`str`	-
ParentAuthenticationId	`str`	-
ParentProcessId	`str`	-
ProcessCreateFlags	`str`	-
ProcessEndTime	`str`	-
ProcessParameterFlags	`str`	-
ProcessStartTime	`str`	-
ProcessSxsFlags	`str`	-
RawProcessId	`str`	-
SHA1HashData	`str`	-
SHA256HashData	`str`	-
SourceProcessId	`str`	-
SourceThreadId	`str`	-
TargetProcessId	`str`	-
TokenType	`str`	-
UserSid	`str`	-
ParentBaseFileName	`str`	-
GrandParentBaseFileName	`str`	-
UID	`str`	-
RGID	`str`	-
RUID	`str`	-
GID	`str`	-
MachOSubType	`str`	-
ProcessGroupId	`str`	-
SessionProcessId	`str`	-
SVGID	`str`	-
SVUID	`str`	-
Tags	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.processrollup2stats
edr.crowdstrike.cannon.processrollup2stats
edr.crowdstrike.cannon.processrollup2stats

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
CommandLine	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
Entitlements	`str`	-
ProcessCount	`str`	-
SHA256HashData	`str`	-
Timeout	`str`	-
UID	`str`	-
EffectiveTransmissionClass	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.sensorheartbeat
edr.crowdstrike.cannon.sensorheartbeat
edr.crowdstrike.cannon.sensorheartbeat

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
ConfigBuild	`str`	-
ConfigIDBase	`str`	-
ConfigIDBuild	`str`	-
ConfigIDPlatform	`str`	-
ConfigStateHash	`str`	-
ConfigurationVersion	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
NetworkContainmentState	`str`	-
ProvisionState	`str`	-
SensorStateBitMap	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2

Field	Type	Extra Field
eventdate	`timestamp`	-
aid	`str`	-
aip	`ip4`	-
cid	`str`	-
event_platform	`str`	-
event_simpleName	`str`	-
id	`str`	-
name	`str`	-
timestamp	`timestamp`	-
AuthenticationId	`str`	-
CommandLine	`str`	-
ConfigBuild	`str`	-
ConfigStateHash	`str`	-
ContextTimeStamp	`str`	-
EffectiveTransmissionClass	`str`	-
Entitlements	`str`	-
ImageFileName	`str`	-
IntegrityLevel	`str`	-
ParentProcessId	`str`	-
ProcessStartTime	`str`	-
RawProcessId	`str`	-
SHA256HashData	`str`	-
SyntheticPR2Flags	`str`	-
TargetProcessId	`str`	-
UserSid	`str`	-
MD5HashData	`str`	-
UID	`str`	-
RGID	`str`	-
RUID	`str`	-
GID	`str`	-
ProcessGroupId	`str`	-
SessionProcessId	`str`	-
SHA1HashData	`str`	-
SourceProcessId	`str`	-
SVGID	`str`	-
SVUID	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	-

Anchor
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.falcon_spotlight.vulnerabilities

Field	Type	Extra field
eventdate	`timestamp`
hostname	`str`
id	`str`
cid	`str`
aid	`str`
created_timestamp	`timestamp`
closed_timestamp	`timestamp`
updated_timestamp	`timestamp`
status	`str`
cve__id	`str`
cve__base_score	`float8`
cve__severity	`str`
cve__exploit_status	`int4`
app__product_name_version	`str`
apps	`str`
host_info__hostname	`str`
host_info__local_ip	`ip4`
host_info__machine_domain	`str`
host_info__os_version	`str`
host_info__ou	`str`
host_info__site_name	`str`
host_info__system_manufacturer	`str`
host_info__groups	`str`
host_info__tags	`str`
host_info__platform	`str`
remediation__ids	`str`
hostchain	`str`	✓
tag	`str`	✓

Product / Services	Tags	Data tables
Crowdstrike	`edr.crowdstrike.cannon`	`edr.crowdstrike.cannon`
	`edr.crowdstrike.cannon.additionalhostinfo`	`edr.crowdstrike.cannon.additionalhostinfo`
	`edr.crowdstrike.cannon.agentconnect`	`edr.crowdstrike.cannon.agentconnect`
	`edr.crowdstrike.cannon.agentonline`	`edr.crowdstrike.cannon.agentonline`
	`edr.crowdstrike.cannon.arcfilewritten`	`edr.crowdstrike.cannon.arcfilewritten`
	`edr.crowdstrike.cannon.asepkeyupdate`	`edr.crowdstrike.cannon.asepkeyupdate`
	`edr.crowdstrike.cannon.asepvalueupdate`	`edr.crowdstrike.cannon.asepvalueupdate`
	`edr.crowdstrike.cannon.associateindicator`	`edr.crowdstrike.cannon.associateindicator`
	`edr.crowdstrike.cannon.associatetreeidwithroot`	`edr.crowdstrike.cannon.associatetreeidwithroot`
	`edr.crowdstrike.cannon.billinginfo`	`edr.crowdstrike.cannon.billinginfo`
	`edr.crowdstrike.cannon.bitsjobcreated`	`edr.crowdstrike.cannon.bitsjobcreated`
	`edr.crowdstrike.cannon.bmpfilewritten`	`edr.crowdstrike.cannon.bmpfilewritten`
	`edr.crowdstrike.cannon.cabfilewritten`	`edr.crowdstrike.cannon.cabfilewritten`
	`edr.crowdstrike.cannon.channeldatadownloadcomplete`	`edr.crowdstrike.cannon.channeldatadownloadcomplete`
	`edr.crowdstrike.cannon.channelversionrequired`	`edr.crowdstrike.cannon.channelversionrequired`
	`edr.crowdstrike.cannon.detectionexcluded`	`edr.crowdstrike.cannon.detectionexcluded`
	`edr.crowdstrike.cannon.dnsrequest`	`edr.crowdstrike.cannon.dnsrequest`
	`edr.crowdstrike.cannon.endofprocess`	`edr.crowdstrike.cannon.endofprocess`
	`edr.crowdstrike.cannon.neighborlistip4`	`edr.crowdstrike.cannon.neighborlistip4`
	`edr.crowdstrike.cannon.networkconnectip4`	`edr.crowdstrike.cannon.networkconnectip4`
	`edr.crowdstrike.cannon.other`	`edr.crowdstrike.cannon.other`
	`edr.crowdstrike.cannon.processrollup2`	`edr.crowdstrike.cannon.processrollup2`
	`edr.crowdstrike.cannon.processrollup2stats`	`edr.crowdstrike.cannon.processrollup2stats`
	`edr.crowdstrike.cannon.sensorheartbeat`	`edr.crowdstrike.cannon.sensorheartbeat`
	`edr.crowdstrike.cannon.syntheticprocessrollup2`	`edr.crowdstrike.cannon.syntheticprocessrollup2`
	`edr.crowdstrike.falconstreaming.agents`	`edr.crowdstrike.falconstreaming.agents`
	`edr.crowdstrike.falconstreaming.auth_activity`	`edr.crowdstrike.falconstreaming.auth_activity`
	`edr.crowdstrike.falconstreaming.behaviors`	`edr.crowdstrike.falconstreaming.behaviors`
	`edr.crowdstrike.falconstreaming.customer_ioc`	`edr.crowdstrike.falconstreaming.customer_ioc`
	`edr.crowdstrike.falconstreaming.detection_summary`	`edr.crowdstrike.falconstreaming.detection_summary`
	`edr.crowdstrike.falconstreaming.external_api`	`edr.crowdstrike.falconstreaming.external_api`
	`edr.crowdstrike.falconstreaming.firewall_match`	`edr.crowdstrike.falconstreaming.firewall_match`
	`edr.crowdstrike.falconstreaming.identity_protection`	`edr.crowdstrike.falconstreaming.identity_protection`
	`edr.crowdstrike.falconstreaming.idp_detection_summary`	`edr.crowdstrike.falconstreaming.idp_detection_summary`
	`edr.crowdstrike.falconstreaming.incidents`	`edr.crowdstrike.falconstreaming.incidents`
	`edr.crowdstrike.falconstreaming.incident_summary`	`edr.crowdstrike.falconstreaming.incident_summary`
	`edr.crowdstrike.falconstreaming.mobile_detection_summary`	`edr.crowdstrike.falconstreaming.mobile_detection_summary`
	`edr.crowdstrike.falconstreaming.other`	`edr.crowdstrike.falconstreaming.other`
	`edr.crowdstrike.falconstreaming.recon_notification_summary`	`edr.crowdstrike.falconstreaming.recon_notification_summary`
	`edr.crowdstrike.falconstreaming.remote_response_session`	`edr.crowdstrike.falconstreaming.remote_response_session`
	`edr.crowdstrike.falconstreaming.scheduled_report_notification`	`edr.crowdstrike.falconstreaming.scheduled_report_notification`
	`edr.crowdstrike.falconstreaming.user_activity_groups`	`edr.crowdstrike.falconstreaming.user_activity_groups`
	`edr.crowdstrike.falconstreaming.user_activity_quarantined_files`	`edr.crowdstrike.falconstreaming.user_activity_quarantined_files`
	`edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy`	`edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy`
	`edr.crowdstrike.falconstreaming.user_activity_other`	`edr.crowdstrike.falconstreaming.user_activity_other`
	`edr.crowdstrike.falconstreaming.recon_notification_summary`	`edr.crowdstrike.falconstreaming.recon_notification_summary`
	`edr.crowdstrike.falconstreaming.user_activity_devices`	`edr.crowdstrike.falconstreaming.user_activity_devices`
	`edr.crowdstrike.falconstreaming.user_activity_detections`	`edr.crowdstrike.falconstreaming.user_activity_detections`
	`edr.crowdstrike.falconstreaming.user_activity_ip_whitelist`	`edr.crowdstrike.falconstreaming.user_activity_ip_whitelist`
	`edr.crowdstrike.falconstreaming.vulnerabilities`	`edr.crowdstrike.falconstreaming.vulnerabilities`
	`edr.crowdstrike.falcon`	`edr.crowdstrike.falcon`
	`edr.crowdstrike.falcon_spotlight.vulnerabilities`	`edr.crowdstrike.falcon_spotlight.vulnerabilities`

Page Comparison

Versions Compared

Old Version 30

New Version 31

Key

How is the data sent to Devo?

Anchoredr.crowdstrike.falconstreaming.agentsedr.crowdstrike.falconstreaming.agentsedr.crowdstrike.falconstreaming.agents

Anchoredr.crowdstrike.falconstreaming.auth_activityedr.crowdstrike.falconstreaming.auth_activityedr.crowdstrike.falconstreaming.auth_activity

Anchoredr.crowdstrike.falconstreaming.behaviorsedr.crowdstrike.falconstreaming.behaviorsedr.crowdstrike.falconstreaming.behaviors

Anchoredr.crowdstrike.falconstreaming.customer_iocedr.crowdstrike.falconstreaming.customer_iocedr.crowdstrike.falconstreaming.customer_ioc

Anchoredr.crowdstrike.falconstreaming.detection_summaryedr.crowdstrike.falconstreaming.detection_summaryedr.crowdstrike.falconstreaming.detection_summary

Anchoredr.crowdstrike.falconstreaming.external_apiedr.crowdstrike.falconstreaming.external_apiedr.crowdstrike.falconstreaming.external_api

Anchoredr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_match

Anchordr.crowdstrike.falconstreaming.identity_protectiondr.crowdstrike.falconstreaming.identity_protectionedr.crowdstrike.falconstreaming.identity_protection

Anchoredr.crowdstrike.falconstreaming.idp_detection_summaryedr.crowdstrike.falconstreaming.idp_detection_summaryedr.crowdstrike.falconstreaming.idp_detection_summary

Anchoredr.crowdstrike.falconstreaming.incidentsedr.crowdstrike.falconstreaming.incidentsedr.crowdstrike.falconstreaming.incidents

Anchoredr.crowdstrike.falconstreaming.incident_summaryedr.crowdstrike.falconstreaming.incident_summaryedr.crowdstrike.falconstreaming.incident_summary

Anchoredr.crowdstrike.falconstreaming.mobile_detection_summaryedr.crowdstrike.falconstreaming.mobile_detection_summaryedr.crowdstrike.falconstreaming.mobile_detection_summary

Anchoredr.crowdstrike.falconstreaming.otheredr.crowdstrike.falconstreaming.otheredr.crowdstrike.falconstreaming.other

Anchoredr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summary

Anchoredr.crowdstrike.falconstreaming.remote_response_sessionedr.crowdstrike.falconstreaming.remote_response_sessionedr.crowdstrike.falconstreaming.remote_response_session

Anchoredr.crowdstrike.falconstreaming.scheduled_report_notificationedr.crowdstrike.falconstreaming.scheduled_report_notificationedr.crowdstrike.falconstreaming.scheduled_report_notification

Anchoredr.crowdstrike.falconstreaming.user_activity_groupsedr.crowdstrike.falconstreaming.user_activity_groupsedr.crowdstrike.falconstreaming.user_activity_groups

Anchoredr.crowdstrike.falconstreaming.user_activity_quarantined_filesedr.crowdstrike.falconstreaming.user_activity_quarantined_filesedr.crowdstrike.falconstreaming.user_activity_quarantined_files

Anchoredr.crowdstrike.falconstreaming.user_activity_sensor_update_policyedr.crowdstrike.falconstreaming.user_activity_sensor_update_policyedr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Anchoredr.crowdstrike.falconstreaming.user_activity_otheredr.crowdstrike.falconstreaming.user_activity_otheredr.crowdstrike.falconstreaming.user_activity_other

Anchoredr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summary

Anchoredr.crowdstrike.falconstreaming.user_activity_devicesedr.crowdstrike.falconstreaming.user_activity_devicesedr.crowdstrike.falconstreaming.user_activity_devices

Anchoredr.crowdstrike.falconstreaming.user_activity_prevention_policyedr.crowdstrike.falconstreaming.user_activity_prevention_policyedr.crowdstrike.falconstreaming.user_activity_prevention_policy

Anchoredr.crowdstrike.falconstreaming.user_activity_ip_whitelistedr.crowdstrike.falconstreaming.user_activity_ip_whitelistedr.crowdstrike.falconstreaming.user_activity_ip_whitelist

Anchoredr.crowdstrike.falconstreaming.vulnerabilitiesedr.crowdstrike.falconstreaming.vulnerabilitiesedr.crowdstrike.falconstreaming.vulnerabilities

Anchoredr.crowdstrike.falconedr.crowdstrike.falconedr.crowdstrike.falcon

Anchoredr.crowdstrike.cannonedr.crowdstrike.cannonedr.crowdstrike.cannon

Anchoredr.crowdstrike.cannon.associateindicatoredr.crowdstrike.cannon.associateindicatoredr.crowdstrike.cannon.associateindicator

Anchoredr.crowdstrike.cannon.associatetreeidwithrootedr.crowdstrike.cannon.associatetreeidwithrootedr.crowdstrike.cannon.associatetreeidwithroot

Anchoredr.crowdstrike.cannon.asepvalueupdateedr.crowdstrike.cannon.asepvalueupdateedr.crowdstrike.cannon.asepvalueupdate

Anchoredr.crowdstrike.cannon.channelversionrequirededr.crowdstrike.cannon.channelversionrequirededr.crowdstrike.cannon.channelversionrequired

edr.crowdstrike.cannon.detectionexcluded

Anchoredr.crowdstrike.cannon.detectionexcludededr.crowdstrike.cannon.detectionexcludededr.crowdstrike.cannon.detectionexcluded

Anchoredr.crowdstrike.cannon.dnsrequestedr.crowdstrike.cannon.dnsrequestedr.crowdstrike.cannon.dnsrequest

Anchoredr.crowdstrike.cannon.endofprocessedr.crowdstrike.cannon.endofprocessedr.crowdstrike.cannon.endofprocess

Anchoredr.crowdstrike.cannon.neighborlistip4edr.crowdstrike.cannon.neighborlistip4edr.crowdstrike.cannon.neighborlistip4

Anchoredr.crowdstrike.cannon.detectionexcludededr.crowdstrike.cannon.detectionexcludededr.crowdstrike.cannon.detectionexcluded

Anchoredr.crowdstrike.cannon.networkconnectip4edr.crowdstrike.cannon.networkconnectip4edr.crowdstrike.cannon.networkconnectip4

Anchoredr.crowdstrike.cannon.otheredr.crowdstrike.cannon.otheredr.crowdstrike.cannon.other

Anchoredr.crowdstrike.cannon.processrollup2edr.crowdstrike.cannon.processrollup2edr.crowdstrike.cannon.processrollup2

Anchoredr.crowdstrike.cannon.processrollup2statsedr.crowdstrike.cannon.processrollup2statsedr.crowdstrike.cannon.processrollup2stats

Anchoredr.crowdstrike.cannon.sensorheartbeatedr.crowdstrike.cannon.sensorheartbeatedr.crowdstrike.cannon.sensorheartbeat

Anchoredr.crowdstrike.cannon.syntheticprocessrollup2edr.crowdstrike.cannon.syntheticprocessrollup2edr.crowdstrike.cannon.syntheticprocessrollup2

Anchoredr.crowdstrike.cannon.syntheticprocessrollup2edr.crowdstrike.cannon.syntheticprocessrollup2edr.crowdstrike.falcon_spotlight.vulnerabilities

Anchor
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents
edr.crowdstrike.falconstreaming.agents

Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

Anchor
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api
edr.crowdstrike.falconstreaming.external_api

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Anchor
dr.crowdstrike.falconstreaming.identity_protection
dr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary

Anchor
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents
edr.crowdstrike.falconstreaming.incidents

Anchor
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary
edr.crowdstrike.falconstreaming.incident_summary

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

Anchor
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification
edr.crowdstrike.falconstreaming.scheduled_report_notification

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Anchor
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_other

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Anchor
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_devices

Anchor
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_prevention_policy

Anchor
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

Anchor
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities
edr.crowdstrike.falconstreaming.vulnerabilities

Anchor
edr.crowdstrike.falcon
edr.crowdstrike.falcon
edr.crowdstrike.falcon

Anchor
edr.crowdstrike.cannon
edr.crowdstrike.cannon
edr.crowdstrike.cannon

Anchor
edr.crowdstrike.cannon.associateindicator
edr.crowdstrike.cannon.associateindicator
edr.crowdstrike.cannon.associateindicator

Anchor
edr.crowdstrike.cannon.associatetreeidwithroot
edr.crowdstrike.cannon.associatetreeidwithroot
edr.crowdstrike.cannon.associatetreeidwithroot

Anchor
edr.crowdstrike.cannon.asepvalueupdate
edr.crowdstrike.cannon.asepvalueupdate
edr.crowdstrike.cannon.asepvalueupdate

Anchor
edr.crowdstrike.cannon.channelversionrequired
edr.crowdstrike.cannon.channelversionrequired
edr.crowdstrike.cannon.channelversionrequired

Anchor
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded

Anchor
edr.crowdstrike.cannon.dnsrequest
edr.crowdstrike.cannon.dnsrequest
edr.crowdstrike.cannon.dnsrequest

Anchor
edr.crowdstrike.cannon.endofprocess
edr.crowdstrike.cannon.endofprocess
edr.crowdstrike.cannon.endofprocess

Anchor
edr.crowdstrike.cannon.neighborlistip4
edr.crowdstrike.cannon.neighborlistip4
edr.crowdstrike.cannon.neighborlistip4

Anchor
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded
edr.crowdstrike.cannon.detectionexcluded

Anchor
edr.crowdstrike.cannon.networkconnectip4
edr.crowdstrike.cannon.networkconnectip4
edr.crowdstrike.cannon.networkconnectip4

Anchor
edr.crowdstrike.cannon.other
edr.crowdstrike.cannon.other
edr.crowdstrike.cannon.other

Anchor
edr.crowdstrike.cannon.processrollup2
edr.crowdstrike.cannon.processrollup2
edr.crowdstrike.cannon.processrollup2

Anchor
edr.crowdstrike.cannon.processrollup2stats
edr.crowdstrike.cannon.processrollup2stats
edr.crowdstrike.cannon.processrollup2stats

Anchor
edr.crowdstrike.cannon.sensorheartbeat
edr.crowdstrike.cannon.sensorheartbeat
edr.crowdstrike.cannon.sensorheartbeat

Anchor
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2

Anchor
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.cannon.syntheticprocessrollup2
edr.crowdstrike.falcon_spotlight.vulnerabilities