edr.crowdstrike: Table structure (Part 1)

edr.crowdstrike.falconstreaming.agents

Field	Type	Extra Field
eventdate	`timestamp`	-
hostname	`str`	-
device_id	`str`	-
cid	`str`	-
agent_load_flags	`str`	-
agent_local_time	`timestamp`	-
agent_version	`str`	-
bios_manufacturer	`str`	-
bios_version	`str`	-
build_number	`str`	-
config_id_base	`str`	-
config_id_build	`str`	-
config_id_platform	`str`	-
cpu_signature	`str`	-
external_ip	`ip4`	-
mac_address	`str`	-
hostname2	`str`	-
first_seen	`timestamp`	-
last_seen	`timestamp`	-
local_ip	`ip4`	-
major_version	`str`	-
minor_version	`str`	-
os_version	`str`	-
os_build	`str`	-
platform_id	`str`	-
platform_name	`str`	-
policies	`str`	-
reduced_functionality_mode	`str`	-
device_policies__prevention__policy_type	`str`	-
device_policies__prevention__policy_id	`str`	-
device_policies__prevention__applied	`bool`	-
device_policies__prevention__settings_hash	`str`	-
device_policies__prevention__assigned_date	`str`	-
device_policies__prevention__applied_date	`str`	-
device_policies__prevention__rule_groups	`str`	-
device_policies__sensor_update__policy_type	`str`	-
device_policies__sensor_update__policy_id	`str`	-
device_policies__sensor_update__applied	`bool`	-
device_policies__sensor_update__settings_hash	`str`	-
device_policies__sensor_update__assigned_date	`str`	-
device_policies__sensor_update__applied_date	`str`	-
device_policies__sensor_update__uninstall_protection	`str`	-
device_policies__device_control__policy_type	`str`	-
device_policies__device_control__policy_id	`str`	-
device_policies__device_control__applied	`bool`	-
device_policies__device_control__assigned_date	`str`	-
device_policies__device_control__applied_date	`str`	-
device_policies__global_config__policy_type	`str`	-
device_policies__global_config__policy_id	`str`	-
device_policies__global_config__applied	`bool`	-
device_policies__global_config__settings_hash	`str`	-
device_policies__global_config__assigned_date	`str`	-
device_policies__global_config__applied_date	`str`	-
device_policies__remote_response__policy_type	`str`	-
device_policies__remote_response__policy_id	`str`	-
device_policies__remote_response__applied	`bool`	-
device_policies__remote_response__settings_hash	`str`	-
device_policies__remote_response__assigned_date	`str`	-
device_policies__remote_response__applied_date	`str`	-
device_policies__firewall__policy_type	`str`	-
device_policies__firewall__policy_id	`str`	-
device_policies__firewall__applied	`bool`	-
device_policies__firewall__assigned_date	`str`	-
device_policies__firewall__applied_date	`str`	-
device_policies__firewall__rule_set_id	`str`	-
groups	`str`	-
group_hash	`str`	-
product_type	`str`	-
product_type_desc	`str`	-
provision_status	`str`	-
serial_number	`str`	-
service_pack_major	`str`	-
service_pack_minor	`str`	-
pointer_size	`str`	-
status	`str`	-
system_manufacturer	`str`	-
system_product_name	`str`	-
tags	`str`	-
modified_timestamp	`timestamp`	-
slow_changing_modified_timestamp	`timestamp`	-
meta__version	`str`	-
instance_id	`str`	-
service_provider	`str`	-
service_provider_account_id	`str`	-
machine_domain	`str`	-
ou	`str`	-
site_name	`str`	-
zone_group	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.alert

Field	Type	Extra field
eventdate	`timestamp`	-
machine	`str`	-
activity_id	`str`	-
agent_id	`str`	-
aggregate_id	`str`	-
cid	`str`	-
composite_id	`str`	-
confidence	`int4`	-
context_timestamp	`timestamp`	-
crawl_edge_ids_sensor	`str`	-
crawl_vertex_ids_sensor	`str`	-
crawled_timestamp	`str`	-
created_timestamp	`str`	-
data_domains	`str`	-
description	`str`	-
display_name	`str`	-
end_time	`timestamp`	-
falcon_host_link	`str`	-
id	`str`	-
ldap_search_query_attack	`str`	-
name	`str`	-
objective	`str`	-
pattern_id	`int4`	-
poly_id	`str`	-
product	`str`	-
scenario	`str`	-
seconds_to_resolved	`int4`	-
seconds_to_triaged	`int4`	-
severity	`int4`	-
severity_name	`str`	-
show_in_ui	`bool`	-
source_account_domain	`str`	-
source_account_name	`str`	-
source_account_object_guid	`str`	-
source_account_object_sid	`str`	-
source_account_upn	`str`	-
source_endpoint_account_object_guid	`str`	-
source_endpoint_account_object_sid	`str`	-
source_endpoint_address_ipv4	`ip4`	-
source_endpoint_host_name	`str`	-
source_endpoint_address_ip	`str`	-
source_endpoint_sensor_id	`str`	-
source_products	`str`	-
source_vendors	`str`	-
start_time	`timestamp`	-
status	`str`	-
tactic	`str`	-
tactic_id	`str`	-
target_account_name	`str`	-
target_domain_controller_host_name	`str`	-
target_domain_controller_object_guid	`str`	-
target_domain_controller_object_sid	`str`	-
target_endpoint_account_object_guid	`str`	-
target_endpoint_account_object_sid	`str`	-
target_endpoint_host_name	`str`	-
target_endpoint_sensor_id	`str`	-
technique	`str`	-
technique_id	`str`	-
timestamp	`timestamp`	-
type	`str`	-
updated_timestamp	`str`	-
username	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.auth_activity

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`timestamp`	-
Success	`bool`	-
UserId	`str`	-
UserIp	`ip4`	-
target_name	`str`	-
target_user_uuid	`str`	-
target_cid	`str`	-
roles	`str`	-
scope	`str`	-
actor_user	`str`	-
actor_user_uuid	`str`	-
actor_cid	`str`	-
subscriptions	`str`	-
APIClientID	`str`	-
appId	`str`	-
eventType2	`str`	-
partition	`str`	-
offset2	`str`	-
id	`str`	-
name	`str`	-
trace_id	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.behaviors

Field	Type	Extra Label
eventdate	`timestamp`	-
hostname	`str`	-
behavior_id	`str`	-
detection_ids	`str`	-
cid	`str`	-
aid	`str`	-
pattern_id	`int4`	-
template_instance_id	`int4`	-
timestamp	`timestamp`	-
cmdline	`str`	-
filepath	`str`	-
domain	`str`	-
pattern_disposition	`int4`	-
pattern_disposition_details__indicator	`bool`	-
pattern_disposition_details__detect	`bool`	-
pattern_disposition_details__inddet_mask	`bool`	-
pattern_disposition_details__sensor_only	`bool`	-
pattern_disposition_details__rooting	`bool`	-
pattern_disposition_details__kill_process	`bool`	-
pattern_disposition_details__kill_subprocess	`bool`	-
pattern_disposition_details__quarantine_machine	`bool`	-
pattern_disposition_details__quarantine_file	`bool`	-
pattern_disposition_details__policy_disabled	`bool`	-
pattern_disposition_details__kill_parent	`bool`	-
pattern_disposition_details__operation_blocked	`bool`	-
pattern_disposition_details__process_blocked	`bool`	-
pattern_disposition_details__registry_operation_blocked	`bool`	-
pattern_disposition_details__critical_process_disabled	`bool`	-
pattern_disposition_details__bootup_safeguard_enabled	`bool`	-
pattern_disposition_details__fs_operation_blocked	`bool`	-
pattern_disposition_details__handle_operation_downgraded	`bool`	-
pattern_disposition_details__kill_action_failed	`bool`	-
pattern_disposition_details__blocking_unsupported_or_disabled	`bool`	-
pattern_disposition_details__suspend_process	`bool`	-
pattern_disposition_details__suspend_parent	`bool`	-
sha256	`str`	-
user_name	`str`	-
tactic	`str`	-
tactic_id	`str`	-
technique	`str`	-
technique_id	`str`	-
objective	`str`	-
compound_tto	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.customer_ioc

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
AgentIdString	`str`	-
DeviceId	`str`	-
ComputerName	`str`	-
ProcessId	`str`	-
ParentProcessId	`str`	-
ProcessStartTime	`timestamp`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
MD5String	`str`	-
SHA256String	`str`	-
DomainName	`str`	-
IPv4	`str`	-
IPv6	`str`	-
jsonEvent	`json`	-
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

edr.crowdstrike.falconstreaming.detection_summary

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.external_api

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventCreationTime	`timestamp`	-
version	`str`	-
eventType	`str`	-
ProcessStartTime	`int8`	-
ProcessEndTime	`int8`	-
ProcessId	`int8`	-
ParentProcessId	`int8`	-
ComputerName	`str`	-
UserName	`str`	-
DetectName	`str`	-
DetectDescription	`str`	-
Severity	`int8`	-
SeverityName	`str`	-
FileName	`str`	-
FilePath	`str`	-
CommandLine	`str`	-
SHA256String	`str`	-
MD5String	`str`	-
SHA1String	`str`	-
MachineDomain	`str`	-
ExecutablesWritten	`json`	-
FalconHostLink	`str`	-
SensorId	`str`	-
IOCType	`str`	-
IOCValue	`str`	-
DetectId	`str`	-
new_state	`str`	-
quarantined_file_id	`str`	-
action_taken	`str`	-
LocalIP	`str`	-
MACAddress	`str`	-
Tactic	`str`	-
Technique	`str`	-
Objective	`str`	-
UserId	`str`	-
UserIp	`str`	-
ServiceName	`str`	-
OperationName	`str`	-
UTCTimestamp	`int8`	-
ScanResults_Engine_str	`str`	-
ScanResults_ResultName_str	`str`	-
ScanResults_Version_str	`str`	-
ScanResults_Detected_str	`str`	-
PatternDispositionDescription	`str`	-
PatternDispositionValue	`int8`	-
PatternDispositionFlags_Indicator	`bool`	-
PatternDispositionFlags_Detect	`bool`	-
PatternDispositionFlags_InddetMask	`bool`	-
PatternDispositionFlags_SensorOnly	`bool`	-
PatternDispositionFlags_Rooting	`bool`	-
PatternDispositionFlags_KillProcess	`bool`	-
PatternDispositionFlags_KillSubProcess	`bool`	-
PatternDispositionFlags_QuarantineMachine	`bool`	-
PatternDispositionFlags_QuarantineFile	`bool`	-
PatternDispositionFlags_PolicyDisabled	`bool`	-
PatternDispositionFlags_KillParent	`bool`	-
PatternDispositionFlags_OperationBlocked	`bool`	-
PatternDispositionFlags_ProcessBlocked	`bool`	-
PatternDispositionFlags_SuspendParent	`bool`	-
PatternDispositionFlags_KillActionFailed	`bool`	-
PatternDispositionFlags_HandleOperationDowngraded	`bool`	-
PatternDispositionFlags_SuspendProcess	`bool`	-
PatternDispositionFlags_CriticalProcessDisabled	`bool`	-
PatternDispositionFlags_BootupSafeguardEnabled	`bool`	-
PatternDispositionFlags_RegistryOperationBlocked	`bool`	-
PatternDispositionFlags_BlockingUnsupportedOrDisabled	`bool`	-
PatternDispositionFlags_FsOperationBlocked	`bool`	-
ParentImageFileName	`str`	-
ParentCommandLine	`str`	-
GrandparentImageFileName	`str`	-
GrandparentCommandLine	`str`	-
QuarantineFiles_ImageFileName_str	`str`	-
QuarantineFiles_SHA256HashData_str	`str`	-
jsonEvent	`json`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.firewall_match

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int8`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
deviceId	`str`	-
customerId	`str`	-
ipv	`str`	-
commandLine	`str`	-
connectionDirection	`str`	-
evEventType	`str`	-
flag_audit	`bool`	-
flag_log	`bool`	-
flag_monitor	`bool`	-
hostName	`str`	-
icmpCode	`str`	-
icmpType	`str`	-
imageFileName	`str`	-
localAddress	`ip4`	-
localPort	`str`	-
matchCount	`int4`	-
matchCountSinceLastReport	`int4`	-
networkProfile	`str`	-
pid	`str`	-
policyName	`str`	-
policyID	`str`	-
protocol	`str`	-
remoteAddress	`ip4`	-
remotePort	`str`	-
ruleAction	`str`	-
ruleDescription	`str`	-
ruleFamilyID	`str`	-
ruleGroupName	`str`	-
ruleName	`str`	-
ruleId	`str`	-
status	`str`	-
timestamp	`timestamp`	-
treeID	`str`	-
platform	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.identity_protection

Field	Type	Extra Field
eventdate	`timestamp`	-
customerIDString	`str`	-
offset	`int4`	-
eventType	`str`	-
eventCreationTime	`timestamp`	-
version	`str`	-
incidentType	`str`	-
incidentDescription	`str`	-
severity	`int4`	-
severityName	`str`	-
startTime	`timestamp`	-
endTime	`timestamp`	-
identityProtectionIncidentId	`str`	-
userName	`str`	-
endpointName	`str`	-
endpointIp	`str`	-
category	`str`	-
numbersOfAlerts	`int4`	-
numberOfCompromisedEntities	`int4`	-
state	`str`	-
falconHostLink	`str`	-
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.crowdstrike.falconstreaming.idp_detection_summary

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
customerIDString	`str`
offset	`int4`
eventType	`str`
eventCreationTime	`timestamp`
version	`str`
contextTimeStamp	`int8`
detectId	`str`	isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux	compositeId detectId_aux
detectName	`str`	isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux	detectName_aux name
detectDescription	`str`	isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux	description detectDescription_aux
compositeId	`str`
name	`str`
description	`str`
falconHostLink	`str`
startTime	`int8`
endTime	`int8`
severity	`int4`
tactic	`str`
technique	`str`
objective	`str`
sourceAccountDomain	`str`
sourceAccountName	`str`
sourceAccountObjectSid	`str`
sourceEndpointAccountObjectGuid	`str`
sourceEndpointAccountObjectSid	`str`
sourceEndpointHostName	`str`
sourceEndpointIpAddress	`ip4`
sourceEndpointSensorId	`str`
activityId	`str`
patternId	`int4`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓