edr.crowdstrike

Introduction

The tags beginning with edr.crowdstrike identify events generated by Crowdstrike.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.crowdstrike. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Product / Services

Tags

Data tables

Crodwstrike

edr.crowdstrike.falconstreaming.agents

edr.crowdstrike.falconstreaming.auth_activity

edr.crowdstrike.falconstreaming.behaviors

edr.crowdstrike.falconstreaming.customer_ioc

edr.crowdstrike.falconstreaming.detection_summary

edr.crowdstrike.falconstreaming.external_api

edr.crowdstrike.falconstreaming.firewall_match

edr.crowdstrike.falconstreaming.identity_protection

edr.crowdstrike.falconstreaming.idp_detection_summary

edr.crowdstrike.falconstreaming.incidents

edr.crowdstrike.falconstreaming.incident_summary

edr.crowdstrike.falconstreaming.mobile_detection_summary

edr.crowdstrike.falconstreaming.other

edr.crowdstrike.falconstreaming.recon_notification_summary

edr.crowdstrike.falconstreaming.remote_response_session

edr.crowdstrike.falconstreaming.scheduled_report_notification

edr.crowdstrike.falconstreaming.user_activity_groups

edr.crowdstrike.falconstreaming.user_activity_quarantined_files

edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

edr.crowdstrike.falconstreaming.user_activity_other

edr.crowdstrike.falconstreaming.recon_notification_summary

edr.crowdstrike.falconstreaming.user_activity_devices

edr.crowdstrike.falconstreaming.user_activity_detections

edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

edr.crowdstrike.falconstreaming.vulnerabilities

edr.crowdstrike.falcon

edr.crowdstrike.cannon

edr.crowdstrike.cannon.associateindicator

edr.crowdstrike.cannon.associatetreeidwithroot

edr.crowdstrike.cannon.asepvalueupdate

edr.crowdstrike.cannon.channelversionrequired

edr.crowdstrike.cannon.detectionexcluded

edr.crowdstrike.cannon.dnsrequest

edr.crowdstrike.cannon.endofprocess

edr.crowdstrike.cannon.neighborlistip4

edr.crowdstrike.cannon.networkconnectip4

edr.crowdstrike.cannon.other

edr.crowdstrike.cannon.processrollup2

edr.crowdstrike.cannon.processrollup2stats

edr.crowdstrike.cannon.sensorheartbeat

edr.crowdstrike.cannon.syntheticprocessrollup2

edr.crowdstrike.falconstreaming.agents

edr.crowdstrike.falconstreaming.auth_activity

edr.crowdstrike.falconstreaming.behaviors

edr.crowdstrike.falconstreaming.customer_ioc

edr.crowdstrike.falconstreaming.detection_summary

edr.crowdstrike.falconstreaming.external_api

edr.crowdstrike.falconstreaming.firewall_match

edr.crowdstrike.falconstreaming.identity_protection

edr.crowdstrike.falconstreaming.idp_detection_summary

edr.crowdstrike.falconstreaming.incidents

edr.crowdstrike.falconstreaming.incident_summary

edr.crowdstrike.falconstreaming.mobile_detection_summary

edr.crowdstrike.falconstreaming.other

edr.crowdstrike.falconstreaming.recon_notification_summary

edr.crowdstrike.falconstreaming.remote_response_session

edr.crowdstrike.falconstreaming.scheduled_report_notification

edr.crowdstrike.falconstreaming.user_activity_groups

edr.crowdstrike.falconstreaming.user_activity_quarantined_files

edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

edr.crowdstrike.falconstreaming.user_activity_other

edr.crowdstrike.falconstreaming.recon_notification_summary

edr.crowdstrike.falconstreaming.user_activity_devices

edr.crowdstrike.falconstreaming.user_activity_detections

edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

edr.crowdstrike.falconstreaming.vulnerabilities

edr.crowdstrike.falcon

edr.crowdstrike.cannon

edr.crowdstrike.cannon.associateindicator

edr.crowdstrike.cannon.associatetreeidwithroot

edr.crowdstrike.cannon.asepvalueupdate

edr.crowdstrike.cannon.channelversionrequired

edr.crowdstrike.cannon.detectionexcluded

edr.crowdstrike.cannon.dnsrequest

edr.crowdstrike.cannon.endofprocess

edr.crowdstrike.cannon.neighborlistip4

edr.crowdstrike.cannon.networkconnectip4

edr.crowdstrike.cannon.other

edr.crowdstrike.cannon.processrollup2

edr.crowdstrike.cannon.processrollup2stats

edr.crowdstrike.cannon.sensorheartbeat

edr.crowdstrike.cannon.syntheticprocessrollup2

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Get in touch with us to start sending your data to the Devo platform.

For Falcon Streaming, follow these instructions:

Get in touch with us to download the collector. Devo's CrowdStrike Falcon Streaming Collector collects audit and detection data.

This collector does the following:

Authenticates with the Falcon Streaming API.
Discovers available streams.
Creates a long-running stream connection to available streams.
As events come in, they are shipped into the Devo domain.
After an event is shipped to Devo, the offset id is saved to the state store to resume from the same
point if stopped.

Setup

Obtain access to the CrowdStrike API and acquire a client_id and client_secret for use.
1. The API scope necessary for the client is “Event Streams”.
  1. If you have errors discovering streams, check that this is added to the API role.
Add the CrowdStrike Falcon Streaming Collector to your domain and set your client_id and client_secret in the collector's parameters JSON.
Done! Once the collector is added and running, you will see your falcon data in the edr.crowdstrike.falconstreaming table.

Error/Troubleshooting

You get error (401) discovering streams - access denied, invalid bearer token.
- The URL Endpoint may not be correct. The default api_url setting is api.crowdstrike.com, but your customer may be configured with a different endpoint such as api.us-2.crowdstrike.com.
  - Update the api_url parameter and try again.
You get another error (not 401) regarding discovering streams.
- Check that “Event Streams” is part of the API scope for the credentials provided.

Table structure

These are the fields displayed in the tables: