Page Comparison

Table of Contents

minLevel	1
maxLevel	3
outline	true
style	default
type	list
printable	true

edr.crowdstrike.falconstreaming.incidents

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
incident_id	`str`	-
incident_type	`int4`	-
cid	`str`	-
host_ids	`str`	-
hosts	`str`	-
created	`timestamp`	-
start	`timestamp`	-
end	`timestamp`	-
state	`str`	-
status	`int4`	-
tactics	`str`	-
techniques	`str`	-
objectives	`str`	-
fine_score	`int4`	-
lmra_host_ids	`str`	-
lm_types	`int4`	-
tags	`str`	-
modified_timestamp	`str`	-
users	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.incident_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
State	`str`	-
IncidentID	`str`	-
IncidentStartTime	`timestamp`	-
IncidentEndTime	`timestamp`	-
FineScore	`float8`	-
FalconHostLink	`str`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

customerIDString

str

offset

int4

eventType

str

eventCreationTime

timestamp

version

str

sensorId

str

mobileDetectionId

int4

computerName

str

userName

str

contextTimeStamp

timestamp

detectId

str

Code Block
isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux

compositeId

detectId_aux

detectName

str

Code Block
isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux

detectName_aux

name

detectDescription

str

Code Block
isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux

description

detectDescription_aux

compositeId

str

name

str

description

str

tactic

str

tacticId

str

technique

str

techniqueId

str

objective

str

severity

int4

falconHostLink

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Field	Type	Extra Field
eventdate	`timestamp`	-
eventType	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
notificationId	`str`	-
highlights_str	`str`	-
matchedTimestamp	`timestamp`	-
ruleId	`str`	-
ruleName	`str`	-
ruleTopic	`str`	-
rulePriority	`str`	-
itemId	`str`	-
itemType	`str`	-
itemPostedTimestamp	`timestamp`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
SessionId	`str`	-
UserName	`str`	-
HostnameField	`str`	-
StartTimestamp	`timestamp`	-
EndTimestamp	`timestamp`	-
Commands	`json`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

edr.crowdstrike.falconstreaming.scheduled_report_notification

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
userUUID	`str`	-
userID	`str`	-
executionID	`str`	-
reportID	`str`	-
reportName	`str`	-
reportType	`str`	-
reportFileReference	`str`	-
status	`int4`	-
statusMessage	`str`	-
executionStart	`timestamp`	-
executionDuration	`int4`	-
reportFileName	`str`	-
resultCount	`int4`	-
resultID	`str`	-
searchWindowStart	`timestamp`	-
searchWindowEnd	`timestamp`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
group_id	`str`	-
group_name	`str`	-
group_description	`str`	-
group_assignment_rule	`str`	-
old_group_assignment_rule	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Field	Type	Extra Label
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
APIClientID	`str`	-
AuditKeyValues	`json`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Versions Compared

Old Version 1

New Version 2

Key

edr.crowdstrike.falconstreaming.incidents

edr.crowdstrike.falconstreaming.incident_summary

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

edr.crowdstrike.falconstreaming.scheduled_report_notification

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Page Comparison

Versions Compared

Old Version 1

New Version 2

Key

edr.crowdstrike.falconstreaming.incidents

edr.crowdstrike.falconstreaming.incident_summary

Anchoredr.crowdstrike.falconstreaming.mobile_detection_summaryedr.crowdstrike.falconstreaming.mobile_detection_summaryedr.crowdstrike.falconstreaming.mobile_detection_summary

Anchoredr.crowdstrike.falconstreaming.otheredr.crowdstrike.falconstreaming.otheredr.crowdstrike.falconstreaming.other

Anchoredr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summaryedr.crowdstrike.falconstreaming.recon_notification_summary

Anchoredr.crowdstrike.falconstreaming.remote_response_sessionedr.crowdstrike.falconstreaming.remote_response_sessionedr.crowdstrike.falconstreaming.remote_response_session

edr.crowdstrike.falconstreaming.scheduled_report_notification

Anchoredr.crowdstrike.falconstreaming.user_activity_groupsedr.crowdstrike.falconstreaming.user_activity_groupsedr.crowdstrike.falconstreaming.user_activity_groups

Anchoredr.crowdstrike.falconstreaming.user_activity_quarantined_filesedr.crowdstrike.falconstreaming.user_activity_quarantined_filesedr.crowdstrike.falconstreaming.user_activity_quarantined_files

Anchoredr.crowdstrike.falconstreaming.user_activity_sensor_update_policyedr.crowdstrike.falconstreaming.user_activity_sensor_update_policyedr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Anchor
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary
edr.crowdstrike.falconstreaming.mobile_detection_summary

Anchor
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other
edr.crowdstrike.falconstreaming.other

Anchor
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary
edr.crowdstrike.falconstreaming.recon_notification_summary

Anchor
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session
edr.crowdstrike.falconstreaming.remote_response_session

Anchor
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_groups

Anchor
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Anchor
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy