
edr.crowdstrike: Table structure (Part 4)

edr.crowdstrike.cannon.associatetreeidwithroot

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

ConfigBuild

str

-

PatternDisposition

str

-

event_platform

str

-

TargetProcessId

str

-

TreeId

str

-

PatternId

str

-

Entitlements

str

-

name

str

-

TreeRoot

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.cannon.asepvalueupdate

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

AsepClass

str

-

AsepFlags

str

-

AsepIndex

str

-

AsepValueType

str

-

AuthenticationId

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

Data1

str

-

EffectiveTransmissionClass

str

-

RegStringValue

str

-

Entitlements

str

-

RegNumericValue

str

-

RegObjectName

str

-

RegOperationType

str

-

RegType

str

-

RegValueName

str

-

TokenType

str

-

RegBinaryValue

str

-

TargetFileName

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.channelversionrequired

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ChannelId

str

-

ChannelVersion

str

-

ChannelVersionRequired

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.detectionexcluded

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

BoundingLimitCount

str

-

ConfigBuild

str

-

event_platform

str

-

CommandLine

str

-

TargetProcessId

str

-

PatternId

str

-

ImageFileName

str

-

ExclusionType

str

-

Entitlements

str

-

name

str

-

ExclusionSource

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.cannon.dnsrequest

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

DomainName

str

-

Entitlements

str

-

RequestType

str

-

DnsResponseType

str

-

IP4Records

str

-

FirstIP4Record

str

-

CNAMERecords

str

-

IP6Records

str

-

FirstIP6Record

str

-

QueryStatus

str

-

DualRequest

str

-

RespondingDnsServer

str

-

DnsRequestCount

str

-

InterfaceIndex

str

-

EffectiveTransmissionClass

str

-

BoundingLimitCount

str

-

BoundingLimitDuration

str

-

TreeId

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.endofprocess

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ActivePrivilegeEscalationCount

str

-

AsepWrittenCount

str

-

BinaryExecutableWrittenCount

str

-

CLICreationCount

str

-

ConHostId

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextProcessId

str

-

ContextThreadId

str

-

ContextTimeStamp

str

-

CycleTime

str

-

DirectoryCreatedCount

str

-

DirectoryEnumeratedCount

str

-

DnsRequestCount

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

ExeAndServiceCount

str

-

ExecutableDeletedCount

str

-

ExitCode

str

-

FileDeletedCount

str

-

InjectedDllCount

str

-

InjectedThreadCount

str

-

KernelTime

str

-

MaxThreadCount

str

-

NamedObjectCount

str

-

NetworkBindCount

str

-

NetworkCapableAsepWriteCount

str

-

NetworkCloseCount

str

-

NetworkConnectCount

str

-

NetworkConnectCountUdp

str

-

NetworkListenCount

str

-

NetworkRecvAcceptCount

str

-

NewExecutableWrittenCount

str

-

PrivilegedProcessHandleCount

str

-

RawProcessId

str

-

RegKeySecurityDecreasedCount

str

-

RunDllInvocationCount

str

-

ScriptEngineInvocationCount

str

-

ServiceEventCount

str

-

SHA256HashData

str

-

SnapshotFileOpenCount

str

-

SuspectStackCount

str

-

SuspiciousCredentialModuleLoadCount

str

-

SuspiciousDnsRequestCount

str

-

SuspiciousRawDiskReadCount

str

-

TargetProcessId

str

-

UnsignedModuleLoadCount

str

-

UserMemoryAllocateExecutableCount

str

-

UserMemoryAllocateExecutableRemoteCount

str

-

UserMemoryProtectExecutableCount

str

-

UserMemoryProtectExecutableRemoteCount

str

-

UserSid

str

-

UserTime

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.neighborlistip4

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

InterfaceIndex

str

-

NeighborList

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.detectionexcluded

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

BoundingLimitCount

str

-

ConfigBuild

str

-

event_platform

str

-

CommandLine

str

-

TargetProcessId

str

-

PatternId

str

-

ImageFileName

str

-

ExclusionType

str

-

Entitlements

str

-

name

str

-

ExclusionSource

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.cannon.networkconnectip4

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

ConnectionDirection

str

-

ConnectionFlags

str

-

ContextProcessId

str

-

ContextTimeStamp

str

-

Entitlements

str

-

InContext

str

-

LocalAddressIP4

ip4

-

LocalPort

str

-

Protocol

str

-

EffectiveTransmissionClass

str

-

RemoteAddressIP4

ip4

-

RemotePort

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-