
edr.crowdstrike: Table structure (Part 5)

edr.crowdstrike.cannon.other

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigStateHash

str

-

ConnectionDirection

str

-

ConnectionFlags

str

-

ContextProcessId

str

-

ContextTimeStamp

str

-

Entitlements

str

-

InContext

str

-

LocalAddressIP4

ip4

-

LocalPort

str

-

Protocol

str

-

EffectiveTransmissionClass

str

-

RemoteAddressIP4

ip4

-

RemotePort

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.processrollup2

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

LinkName

str

-

AuthenticationId

str

-

CommandLine

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

FullFilePath

str

-

FilePath

str

-

ComputerName

str

-

UserName

str

-

FileName

str

-

ImageFileName

str

-

ImageSubsystem

str

-

IntegrityLevel

str

-

MD5HashData

str

-

ParentAuthenticationId

str

-

ParentProcessId

str

-

ProcessCreateFlags

str

-

ProcessEndTime

str

-

ProcessParameterFlags

str

-

ProcessStartTime

str

-

ProcessSxsFlags

str

-

RawProcessId

str

-

SHA1HashData

str

-

SHA256HashData

str

-

SourceProcessId

str

-

SourceThreadId

str

-

TargetProcessId

str

-

TokenType

str

-

UserSid

str

-

ParentBaseFileName

str

-

GrandParentBaseFileName

str

-

UID

str

-

RGID

str

-

RUID

str

-

GID

str

-

MachOSubType

str

-

ProcessGroupId

str

-

SessionProcessId

str

-

SVGID

str

-

SVUID

str

-

Tags

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.processrollup2stats

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

CommandLine

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

Entitlements

str

-

ProcessCount

str

-

SHA256HashData

str

-

Timeout

str

-

UID

str

-

EffectiveTransmissionClass

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.sensorheartbeat

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

ConfigBuild

str

-

ConfigIDBase

str

-

ConfigIDBuild

str

-

ConfigIDPlatform

str

-

ConfigStateHash

str

-

ConfigurationVersion

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

NetworkContainmentState

str

-

ProvisionState

str

-

SensorStateBitMap

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.cannon.syntheticprocessrollup2

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

aid

str

-

aip

ip4

-

cid

str

-

event_platform

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

AuthenticationId

str

-

CommandLine

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

ContextTimeStamp

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

ImageFileName

str

-

IntegrityLevel

str

-

ParentProcessId

str

-

ProcessStartTime

str

-

RawProcessId

str

-

SHA256HashData

str

-

SyntheticPR2Flags

str

-

TargetProcessId

str

-

UserSid

str

-

MD5HashData

str

-

UID

str

-

RGID

str

-

RUID

str

-

GID

str

-

ProcessGroupId

str

-

SessionProcessId

str

-

SHA1HashData

str

-

SourceProcessId

str

-

SVGID

str

-

SVUID

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

-

edr.crowdstrike.falcon_spotlight.vulnerabilities

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

 

hostname

str

 

id

str

 

cid

str

 

aid

str

 

created_timestamp

timestamp

 

closed_timestamp

timestamp

 

updated_timestamp

timestamp

 

status

str

 

cve__id

str

 

cve__base_score

float8

 

cve__severity

str

 

cve__exploit_status

int4

 

app__product_name_version

str

 

apps

str

 

host_info__hostname

str

 

host_info__local_ip

ip4

 

host_info__machine_domain

str

 

host_info__os_version

str

 

host_info__ou

str

 

host_info__site_name

str

 

host_info__system_manufacturer

str

 

host_info__groups

str

 

host_info__tags

str

 

host_info__platform

str

 

remediation__ids

str

 

hostchain

str

✓

tag

str

✓