
edr.crowdstrike.falconstreaming.incidents

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

incident_id

str

-

incident_type

int4

-

cid

str

-

host_ids

str

-

hosts

str

-

created

timestamp

-

start

timestamp

-

end

timestamp

-

state

str

-

status

int4

-

tactics

str

-

techniques

str

-

objectives

str

-

fine_score

int4

-

lmra_host_ids

str

-

lm_types

int4

-

tags

str

-

modified_timestamp

str

-

users

str

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.incident_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

State

str

-

IncidentID

str

-

IncidentStartTime

timestamp

-

IncidentEndTime

timestamp

-

FineScore

float8

-

FalconHostLink

str

-

jsonEvent

json

-

rawMessage

str

hostchain

str

tag

str

edr.crowdstrike.falconstreaming.mobile_detection_summary

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

customerIDString

str

 

 

offset

int4

 

 

eventType

str

 

 

eventCreationTime

timestamp

 

 

version

str

 

 

sensorId

str

 

 

mobileDetectionId

int4

 

 

computerName

str

 

 

userName

str

 

 

contextTimeStamp

timestamp

 

 

detectId

str

`isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux`

compositeId

detectId_aux

detectName

str

`isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux`

detectName_aux

name

detectDescription

str

`isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux`

description

detectDescription_aux

compositeId

str

 

 

name

str

 

 

description

str

 

 

tactic

str

 

 

tacticId

str

 

 

technique

str

 

 

techniqueId

str

 

 

objective

str

 

 

severity

int4

 

 

falconHostLink

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

edr.crowdstrike.falconstreaming.other

Field

Type

Extra Field

eventdate

timestamp

-

eventType

str

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.recon_notification_summary

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

notificationId

str

-

highlights_str

str

-

matchedTimestamp

timestamp

-

ruleId

str

-

ruleName

str

-

ruleTopic

str

-

rulePriority

str

-

itemId

str

-

itemType

str

-

itemPostedTimestamp

timestamp

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.remote_response_session

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

SessionId

str

-

UserName

str

-

HostnameField

str

-

StartTimestamp

timestamp

-

EndTimestamp

timestamp

-

Commands

json

-

jsonEvent

json

-

rawMessage

str

hostchain

str

tag

str

edr.crowdstrike.falconstreaming.scheduled_report_notification

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

userUUID

str

-

userID

str

-

executionID

str

-

reportID

str

-

reportName

str

-

reportType

str

-

reportFileReference

str

-

status

int4

-

statusMessage

str

-

executionStart

timestamp

-

executionDuration

int4

-

reportFileName

str

-

resultCount

int4

-

resultID

str

-

searchWindowStart

timestamp

-

searchWindowEnd

timestamp

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.user_activity_groups

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

group_id

str

-

group_name

str

-

group_description

str

-

group_assignment_rule

str

-

old_group_assignment_rule

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str

edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

tag

str

rawMessage

str