Page Comparison

Table of Contents

minLevel	1
maxLevel	3
outline	true
style	default
type	list
printable	true

edr.crowdstrike.falconstreaming.agents

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
device_id	`str`	-
cid	`str`	-
agent_load_flags	`str`	-
agent_local_time	`timestamp`	-
agent_version	`str`	-
bios_manufacturer	`str`	-
bios_version	`str`	-
build_number	`str`	-
config_id_base	`str`	-
config_id_build	`str`	-
config_id_platform	`str`	-
cpu_signature	`str`	-
external_ip	`ip4`	-
mac_address	`str`	-
hostname2	`str`	-
first_seen	`timestamp`	-
last_seen	`timestamp`	-
local_ip	`ip4`	-
major_version	`str`	-
minor_version	`str`	-
os_version	`str`	-
os_build	`str`	-
platform_id	`str`	-
platform_name	`str`	-
policies	`str`	-
reduced_functionality_mode	`str`	-
device_policies__prevention__policy_type	`str`	-
device_policies__prevention__policy_id	`str`	-
device_policies__prevention__applied	`bool`	-
device_policies__prevention__settings_hash	`str`	-
device_policies__prevention__assigned_date	`str`	-
device_policies__prevention__applied_date	`str`	-
device_policies__prevention__rule_groups	`str`	-
device_policies__sensor_update__policy_type	`str`	-
device_policies__sensor_update__policy_id	`str`	-
device_policies__sensor_update__applied	`bool`	-
device_policies__sensor_update__settings_hash	`str`	-
device_policies__sensor_update__assigned_date	`str`	-
device_policies__sensor_update__applied_date	`str`	-
device_policies__sensor_update__uninstall_protection	`str`	-
device_policies__device_control__policy_type	`str`	-
device_policies__device_control__policy_id	`str`	-
device_policies__device_control__applied	`bool`	-
device_policies__device_control__assigned_date	`str`	-
device_policies__device_control__applied_date	`str`	-
device_policies__global_config__policy_type	`str`	-
device_policies__global_config__policy_id	`str`	-
device_policies__global_config__applied	`bool`	-
device_policies__global_config__settings_hash	`str`	-
device_policies__global_config__assigned_date	`str`	-
device_policies__global_config__applied_date	`str`	-
device_policies__remote_response__policy_type	`str`	-
device_policies__remote_response__policy_id	`str`	-
device_policies__remote_response__applied	`bool`	-
device_policies__remote_response__settings_hash	`str`	-
device_policies__remote_response__assigned_date	`str`	-
device_policies__remote_response__applied_date	`str`	-
device_policies__firewall__policy_type	`str`	-
device_policies__firewall__policy_id	`str`	-
device_policies__firewall__applied	`bool`	-
device_policies__firewall__assigned_date	`str`	-
device_policies__firewall__applied_date	`str`	-
device_policies__firewall__rule_set_id	`str`	-
groups	`str`	-
group_hash	`str`	-
product_type	`str`	-
product_type_desc	`str`	-
provision_status	`str`	-
serial_number	`str`	-
service_pack_major	`str`	-
service_pack_minor	`str`	-
pointer_size	`str`	-
status	`str`	-
system_manufacturer	`str`	-
system_product_name	`str`	-
tags	`str`	-
modified_timestamp	`timestamp`	-
slow_changing_modified_timestamp	`timestamp`	-
meta__version	`str`	-
instance_id	`str`	-
service_provider	`str`	-
service_provider_account_id	`str`	-
machine_domain	`str`	-
ou	`str`	-
site_name	`str`	-
zone_group	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert

Field	Type	Extra field
eventdate	`timestamp`	-
machine	`str`	-
activity_id	`str`	-
agent_id	`str`	-
aggregate_id	`str`	-
cid	`str`	-
composite_id	`str`	-
confidence	`int4`	-
context_timestamp	`timestamp`	-
crawl_edge_ids_sensor	`str`	-
crawl_vertex_ids_sensor	`str`	-
crawled_timestamp	`str`	-
created_timestamp	`str`	-
data_domains	`str`	-
description	`str`	-
display_name	`str`	-
end_time	`timestamp`	-
falcon_host_link	`str`	-
id	`str`	-
ldap_search_query_attack	`str`	-
name	`str`	-
objective	`str`	-
pattern_id	`int4`	-
poly_id	`str`	-
product	`str`	-
scenario	`str`	-
seconds_to_resolved	`int4`	-
seconds_to_triaged	`int4`	-
severity	`int4`	-
severity_name	`str`	-
show_in_ui	`bool`	-
source_account_domain	`str`	-
source_account_name	`str`	-
source_account_object_guid	`str`	-
source_account_object_sid	`str`	-
source_account_upn	`str`	-
source_endpoint_account_object_guid	`str`	-
source_endpoint_account_object_sid	`str`	-
source_endpoint_address_ipv4	`ip4`	-
source_endpoint_host_name	`str`	-
source_endpoint_address_ip	`str`	-
source_endpoint_sensor_id	`str`	-
source_products	`str`	-
source_vendors	`str`	-
start_time	`timestamp`	-
status	`str`	-
tactic	`str`	-
tactic_id	`str`	-
target_account_name	`str`	-
target_domain_controller_host_name	`str`	-
target_domain_controller_object_guid	`str`	-
target_domain_controller_object_sid	`str`	-
target_endpoint_account_object_guid	`str`	-
target_endpoint_account_object_sid	`str`	-
target_endpoint_host_name	`str`	-
target_endpoint_sensor_id	`str`	-
technique	`str`	-
technique_id	`str`	-
timestamp	`timestamp`	-
type	`str`	-
updated_timestamp	`str`	-
username	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
target_name	`str`	-
target_user_uuid	`str`	-
target_cid	`str`	-
roles	`str`	-
scope	`str`	-
actor_user	`str`	-
actor_user_uuid	`str`	-
actor_cid	`str`	-
subscriptions	`str`	-
APIClientID	`str`	-
appId	`str`	-
eventType2	`str`	-
partition	`str`	-
offset2	`str`	-
id	`str`	-
name	`str`	-
trace_id	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Field	Type	Extra Label
eventdate	`timestamp`	-
hostname	`str`	-
behavior_id	`str`	-
detection_ids	`str`	-
cid	`str`	-
aid	`str`	-
pattern_id	`int4`	-
template_instance_id	`int4`	-
timestamp	`timestamp`	-
cmdline	`str`	-
filepath	`str`	-
domain	`str`	-
pattern_disposition	`int4`	-
pattern_disposition_details__indicator	`bool`	-
pattern_disposition_details__detect	`bool`	-
pattern_disposition_details__inddet_mask	`bool`	-
pattern_disposition_details__sensor_only	`bool`	-
pattern_disposition_details__rooting	`bool`	-
pattern_disposition_details__kill_process	`bool`	-
pattern_disposition_details__kill_subprocess	`bool`	-
pattern_disposition_details__quarantine_machine	`bool`	-
pattern_disposition_details__quarantine_file	`bool`	-
pattern_disposition_details__policy_disabled	`bool`	-
pattern_disposition_details__kill_parent	`bool`	-
pattern_disposition_details__operation_blocked	`bool`	-
pattern_disposition_details__process_blocked	`bool`	-
pattern_disposition_details__registry_operation_blocked	`bool`	-
pattern_disposition_details__critical_process_disabled	`bool`	-
pattern_disposition_details__bootup_safeguard_enabled	`bool`	-
pattern_disposition_details__fs_operation_blocked	`bool`	-
pattern_disposition_details__handle_operation_downgraded	`bool`	-
pattern_disposition_details__kill_action_failed	`bool`	-
pattern_disposition_details__blocking_unsupported_or_disabled	`bool`	-
pattern_disposition_details__suspend_process	`bool`	-
pattern_disposition_details__suspend_parent	`bool`	-
sha256	`str`	-
user_name	`str`	-
tactic	`str`	-
tactic_id	`str`	-
technique	`str`	-
technique_id	`str`	-
objective	`str`	-
compound_tto	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
AgentIdString	`str`	-
DeviceId	`str`	-
ComputerName	`str`	-
ProcessId	`str`	-
ParentProcessId	`str`	-
ProcessStartTime	`timestamp`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
MD5String	`str`	-
SHA256String	`str`	-
DomainName	`str`	-
IPv4	`str`	-
IPv6	`str`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.external_api

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
deviceId	`str`	-
customerId	`str`	-
ipv	`str`	-
commandLine	`str`	-
connectionDirection	`str`	-
evEventType	`str`	-
flag_audit	`bool`	-
flag_log	`bool`	-
flag_monitor	`bool`	-
hostName	`str`	-
icmpCode	`str`	-
icmpType	`str`	-
imageFileName	`str`	-
localAddress	`ip4`	-
localPort	`str`	-
matchCount	`int4`	-
matchCountSinceLastReport	`int4`	-
networkProfile	`str`	-
pid	`str`	-
policyName	`str`	-
policyID	`str`	-
protocol	`str`	-
remoteAddress	`ip4`	-
remotePort	`str`	-
ruleAction	`str`	-
ruleDescription	`str`	-
ruleFamilyID	`str`	-
ruleGroupName	`str`	-
ruleName	`str`	-
ruleId	`str`	-
status	`str`	-
timestamp	`timestamp`	-
treeID	`str`	-
platform	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
dr.crowdstrike.falconstreaming.identity_protection
dr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
incidentType	`str`	-
incidentDescription	`str`	-
severity	`int4`	-
severityName	`str`	-
startTime	`timestamp`	-
endTime	`timestamp`	-
identityProtectionIncidentId	`str`	-
userName	`str`	-
endpointName	`str`	-
endpointIp	`str`	-
category	`str`	-
numbersOfAlerts	`int4`	-
numberOfCompromisedEntities	`int4`	-
state	`str`	-
falconHostLink	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

customerIDString

str

offset

int4

eventType

str

eventCreationTime

timestamp

version

str

contextTimeStamp

int8

detectId

str

Code Block
isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux

compositeId

detectId_aux

detectName

str

Code Block
isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux

detectName_aux

name

detectDescription

str

Code Block
isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux

description

detectDescription_aux

compositeId

str

name

str

description

str

falconHostLink

str

startTime

int8

endTime

int8

severity

int4

tactic

str

technique

str

objective

str

sourceAccountDomain

str

sourceAccountName

str

sourceAccountObjectSid

str

sourceEndpointAccountObjectGuid

str

sourceEndpointAccountObjectSid

str

sourceEndpointHostName

str

sourceEndpointIpAddress

ip4

sourceEndpointSensorId

str

activityId

str

patternId

int4

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Versions Compared

Old Version 1

New Version 2

Key

edr.crowdstrike.falconstreaming.agents

Anchor
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert

Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

edr.crowdstrike.falconstreaming.external_api

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Anchor
dr.crowdstrike.falconstreaming.identity_protection
dr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary

Page Comparison

Versions Compared

Old Version 1

New Version 2

Key

edr.crowdstrike.falconstreaming.agents

Anchoredr.crowdstrike.falconstreaming.alertedr.crowdstrike.falconstreaming.alertedr.crowdstrike.falconstreaming.alert

Anchoredr.crowdstrike.falconstreaming.auth_activityedr.crowdstrike.falconstreaming.auth_activityedr.crowdstrike.falconstreaming.auth_activity

Anchoredr.crowdstrike.falconstreaming.behaviorsedr.crowdstrike.falconstreaming.behaviorsedr.crowdstrike.falconstreaming.behaviors

Anchoredr.crowdstrike.falconstreaming.customer_iocedr.crowdstrike.falconstreaming.customer_iocedr.crowdstrike.falconstreaming.customer_ioc

Anchoredr.crowdstrike.falconstreaming.detection_summaryedr.crowdstrike.falconstreaming.detection_summaryedr.crowdstrike.falconstreaming.detection_summary

edr.crowdstrike.falconstreaming.external_api

Anchoredr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_match

Anchordr.crowdstrike.falconstreaming.identity_protectiondr.crowdstrike.falconstreaming.identity_protectionedr.crowdstrike.falconstreaming.identity_protection

Anchoredr.crowdstrike.falconstreaming.idp_detection_summaryedr.crowdstrike.falconstreaming.idp_detection_summaryedr.crowdstrike.falconstreaming.idp_detection_summary

Anchor
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert
edr.crowdstrike.falconstreaming.alert

Anchor
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity
edr.crowdstrike.falconstreaming.auth_activity

Anchor
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors
edr.crowdstrike.falconstreaming.behaviors

Anchor
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc
edr.crowdstrike.falconstreaming.customer_ioc

Anchor
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.detection_summary

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Anchor
dr.crowdstrike.falconstreaming.identity_protection
dr.crowdstrike.falconstreaming.identity_protection
edr.crowdstrike.falconstreaming.identity_protection

Anchor
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary
edr.crowdstrike.falconstreaming.idp_detection_summary