
edr.crowdstrike: Table structure (Part 2)

edr.crowdstrike.falconstreaming.incidents

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

incident_id

str

-

incident_type

int4

-

cid

str

-

host_ids

str

-

hosts

str

-

created

timestamp

-

start

timestamp

-

end

timestamp

-

state

str

-

status

int4

-

tactics

str

-

techniques

str

-

objectives

str

-

fine_score

int4

-

lmra_host_ids

str

-

lm_types

int4

-

tags

str

-

modified_timestamp

str

-

users

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.incident_summary

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

State

str

-

IncidentID

str

-

IncidentStartTime

timestamp

-

IncidentEndTime

timestamp

-

FineScore

float8

-

FalconHostLink

str

-

jsonEvent

json

-

rawMessage

str

✓

hostchain

str

✓

tag

str

✓

edr.crowdstrike.falconstreaming.mobile_detection_summary

Field

Type

Field transformation

Source field name

Extra Field

Field

Type

Field transformation

Source field name

Extra Field

eventdate

timestamp

 

 

 

customerIDString

str

 

 

 

offset

int4

 

 

 

eventType

str

 

 

 

eventCreationTime

timestamp

 

 

 

version

str

 

 

 

sensorId

str

 

 

 

mobileDetectionId

int4

 

 

 

computerName

str

 

 

 

userName

str

 

 

 

contextTimeStamp

timestamp

 

 

 

detectId

str

isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux

compositeId

detectId_aux

 

detectName

str

isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux

detectName_aux

name

 

detectDescription

str

isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux

description

detectDescription_aux

 

compositeId

str

 

 

 

name

str

 

 

 

description

str

 

 

 

tactic

str

 

 

 

tacticId

str

 

 

 

technique

str

 

 

 

techniqueId

str

 

 

 

objective

str

 

 

 

severity

int4

 

 

 

falconHostLink

str

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

edr.crowdstrike.falconstreaming.other

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

eventType

str

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.recon_notification_summary

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

notificationId

str

-

highlights_str

str

-

matchedTimestamp

timestamp

-

ruleId

str

-

ruleName

str

-

ruleTopic

str

-

rulePriority

str

-

itemId

str

-

itemType

str

-

itemPostedTimestamp

timestamp

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.remote_response_session

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

SessionId

str

-

UserName

str

-

HostnameField

str

-

StartTimestamp

timestamp

-

EndTimestamp

timestamp

-

Commands

json

-

jsonEvent

json

-

rawMessage

str

✓

hostchain

str

✓

tag

str

✓

edr.crowdstrike.falconstreaming.scheduled_report_notification

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

userUUID

str

-

userID

str

-

executionID

str

-

reportID

str

-

reportName

str

-

reportType

str

-

reportFileReference

str

-

status

int4

-

statusMessage

str

-

executionStart

timestamp

-

executionDuration

int4

-

reportFileName

str

-

resultCount

int4

-

resultID

str

-

searchWindowStart

timestamp

-

searchWindowEnd

timestamp

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_groups

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

group_id

str

-

group_name

str

-

group_description

str

-

group_assignment_rule

str

-

old_group_assignment_rule

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_quarantined_files

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

quarantined_file_id

str

-

action_taken

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓