edr.crowdstrike
Introduction
The tags beginning with edr.crowdstrike identify events generated by CrowdStrike.
Tag structure
The tag has three mandatory levels. The first two are fixed as edr.crowdstrike, and the third identifies the type of events sent. A fourth level, when present, indicates the event subtype.
Technology | Brand | Type |
---|---|---|
edr | crowdstrike | cannon |
All events arrive under a single tag (edr.crowdstrike.cannon) and are then classified into different tables according to the log type. The valid data tables include:
- edr.crowdstrike.cannon
- edr.crowdstrike.cannon.asepvalueupdate
- edr.crowdstrike.cannon.channelversionrequired
- edr.crowdstrike.cannon.dnsrequest
- edr.crowdstrike.cannon.endofprocess
- edr.crowdstrike.cannon.neighborlistip4
- edr.crowdstrike.cannon.networkconnectip4
- edr.crowdstrike.cannon.other
- edr.crowdstrike.cannon.processrollup2
- edr.crowdstrike.cannon.processrollup2stats
- edr.crowdstrike.cannon.sensorheartbeat
- edr.crowdstrike.cannon.syntheticprocessrollup2
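The classification described above, as an added example that is not Devo's or CrowdStrike's own code: a parser for one raw collector line (the envelope format used by the samples on this page) and a router that derives the destination table from the event's event_simpleName. The envelope regex, the folding of SuspiciousDnsRequest into the dnsrequest table, and the base-table fallback for records without event_simpleName are assumptions inferred from this page's samples; the sample lines are constructed.

```python
"""Parse and route raw edr.crowdstrike.cannon collector lines (added example)."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

BASE_TAG = "edr.crowdstrike.cannon"

# Sub-tables listed on this page (the fourth tag level).
SUBTABLES = {
    "asepvalueupdate", "channelversionrequired", "dnsrequest", "endofprocess",
    "neighborlistip4", "networkconnectip4", "processrollup2",
    "processrollup2stats", "sensorheartbeat", "syntheticprocessrollup2",
}
# Assumed alias: the page's dnsrequest sample includes a SuspiciousDnsRequest event.
ALIASES = {"suspiciousdnsrequest": "dnsrequest"}

# Envelope inferred from the samples: "<date time> <collector>=<ip> <tag>: <json>".
LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<collector>[^=\s]+)=(?P<collector_ip>\S+) "
    r"(?P<tag>edr\.crowdstrike\.cannon): (?P<body>\{.*\})$"
)


@dataclass
class CannonEvent:
    eventdate: str        # collector-side time taken from the envelope
    collector: str
    collector_ip: str
    tag: str
    table: str            # destination table after classification
    fields: Dict[str, Any] = field(default_factory=dict)

    @property
    def timestamp(self) -> Optional[datetime]:
        """The JSON 'timestamp' is epoch milliseconds as a string; None if absent."""
        raw = self.fields.get("timestamp")
        return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc) if raw else None


def route(fields: Dict[str, Any]) -> str:
    """Destination table for one decoded event (assumed rule, see comments above)."""
    name = fields.get("event_simpleName")
    if not name:
        # Assumption: sensor inventory records, which carry no event_simpleName
        # in the page's samples, stay in the base table.
        return BASE_TAG
    key = ALIASES.get(name.lower(), name.lower())
    return f"{BASE_TAG}.{key}" if key in SUBTABLES else f"{BASE_TAG}.other"


def parse_line(line: str) -> CannonEvent:
    """Split the envelope from the JSON body and classify the event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an edr.crowdstrike.cannon collector line")
    fields = json.loads(m.group("body"))
    return CannonEvent(m.group("eventdate"), m.group("collector"),
                       m.group("collector_ip"), m.group("tag"), route(fields), fields)


def parse_neighbor_list(value: str) -> List[Dict[str, str]]:
    """Decode NeighborList: 'MAC|IP|flag|' triples (Mac) or 'MAC|IP|flag|host;' (Win)."""
    entries = []
    if ";" in value:
        for chunk in filter(None, value.split(";")):
            mac, ip, flag, host = (chunk.split("|") + [""] * 4)[:4]
            entries.append({"mac": mac, "ip": ip, "flag": flag, "host": host})
    else:
        parts = [p for p in value.split("|") if p]
        for i in range(0, len(parts) - len(parts) % 3, 3):
            mac, ip, flag = parts[i:i + 3]
            entries.append({"mac": mac, "ip": ip, "flag": flag, "host": ""})
    return entries


# Constructed sample lines in this page's envelope format (not real telemetry).
SAMPLE_LINES = [
    '2021-04-06 08:19:23.209 collector-demo-0001=192.0.2.10 edr.crowdstrike.cannon: '
    '{"event_simpleName":"ProcessRollup2","event_platform":"Mac","ImageFileName":"/bin/sh",'
    '"CommandLine":"/bin/sh -c id","timestamp":"1617667200000","aid":"AID-PLACEHOLDER"}',
    '2021-04-09 11:55:58.094 collector-demo-0001=192.0.2.10 edr.crowdstrike.cannon: '
    '{"event_simpleName":"SuspiciousDnsRequest","DomainName":"example.net","timestamp":"1617667200000"}',
    '2021-04-09 13:05:38.277 collector-demo-0002=192.0.2.11 edr.crowdstrike.cannon: '
    '{"event_simpleName":"DirectoryCreate","TargetDirectoryName":"/tmp/x","timestamp":"1617667200000"}',
    '2021-04-06 09:15:55.328 collector-demo-0002=192.0.2.11 edr.crowdstrike.cannon: '
    '{"AgentVersion":"6.16.12903.0","ComputerName":"HOST-PLACEHOLDER","event_platform":"Mac"}',
]

if __name__ == "__main__":
    for raw_line in SAMPLE_LINES:
        ev = parse_line(raw_line)
        print(ev.table, ev.timestamp, ev.fields.get("event_simpleName"))
```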
How is the data sent to Devo?
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Get in touch with us to start sending your data to the Devo platform.
Log samples
The following are sample logs sent to each of the edr.crowdstrike tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
edr.crowdstrike.cannon
2021-04-06 08:19:23.211 collector-44434356e7daa251-7b58fc79c5-h295q=35.205.115.35 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"4116864046","Timeout":"600","aip":"165.225.202.220","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","ProcessCount":"5","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"sh -c launchctl enable system/com.kace.patching-asus 2>&1","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"009c6c5e-96af-11eb-8114-06b1122a1f57","EffectiveTransmissionClass":"2","aid":"1791a646600d4191a28dae8ea3927efe","timestamp":"1617696393862","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-06 09:15:55.328 collector-44434356e7daa251-7b58fc79c5-gws4q=55.165.95.505 edr.crowdstrike.cannon: {"AgentLoadFlags":"0","AgentLocalTime":"1617358176","AgentTimeOffset":"2020.314","AgentVersion":"6.16.12903.0","BiosManufacturer":"Apple Inc.","BiosVersion":"1554.80.3.0.0 (iBridge: 18.16.14346.0.0,0)","ChassisType":"Laptop","City":"Amsterdam","ComputerName":"FVFZN0MZLYWR","ConfigIDBuild":"12903","Continent":"Europe","Country":"Netherlands","FalconGroupingTags":"none","FirstSeen":"1598371419.0","HostHiddenStatus":"Visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"none","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookAir8,2","Time":"1617698981.569","Timezone":"Europe/Amsterdam","Version":"Catalina","aid":"51d163964c8942a687589e2304593f52","aip":"165.225.28.30","cid":"1e09935edb764b1d866c260fab34c575","event_platform":"Mac"}
2021-04-06 09:15:55.315 collector-44434356e7daa251-7b58fc79c5-gws4q=55.165.95.505 edr.crowdstrike.cannon: {"AgentLoadFlags":"0","AgentLocalTime":"1615226637","AgentTimeOffset":"1447.458","AgentVersion":"6.16.12903.0","BiosManufacturer":"Apple Inc.","BiosVersion":"426.0.0.0.0","ChassisType":"Laptop","City":"Melbourne","ComputerName":"C02RX18HH3QF","ConfigIDBuild":"12903","Continent":"Oceania","Country":"Australia","FalconGroupingTags":"none","FirstSeen":"1600881857.0","HostHiddenStatus":"Visible","MachineDomain":"CORP","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"none","ServicePackMajor":"none","SiteName":"Azure","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookAir7,2","Time":"1617698978.23","Timezone":"Australia/Melbourne","Version":"Catalina (10.15)","aid":"d501eb9e05f24983a07b5ec6493d87b2","aip":"165.225.243.35","cid":"1e09935edb764b1d866c260fab34c575","event_platform":"Mac"}
2021-04-06 08:19:23.209 collector-44434356e7daa251-7b58fc79c5-h295q=35.241.123.53 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"347304242636942820","SourceProcessId":"347304242636942820","aip":"85.145.30.144","SessionProcessId":"347304242636942820","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"08aec833-96af-11eb-a869-024422783679","EffectiveTransmissionClass":"2","Tags":"12094627905582, 12094627906234","timestamp":"1617696407404","ProcessGroupId":"347304242636942820","event_simpleName":"ProcessRollup2","RawProcessId":"1434","GID":"0","ConfigStateHash":"4116864046","SVGID":"0","MD5HashData":"50c7a421faf5bacdf89a3921752ab755","SHA256HashData":"87477a57c83ce40d53ae865d806f30d437c0b0eba37db244014319db2fb1a934","ConfigBuild":"1007.4.0012903.1","UID":"0","CommandLine":"xpcproxy com.apple.mdworker.shared.08000000-0100-0000-0000-000000000000","TargetProcessId":"348315942373125956","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1617696407.321","aid":"2fde523e75984c4ca7fb3c540b6af1f3","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Field transformation | Extra fields |
---|---|---|---|---|
AuthenticationId | | | | |
ClientComputerName | | | | |
CommandLine | | | | |
ComputerName | | | | |
ConfigBuild | | | | |
ConfigStateHash | | | | |
ContextProcessId | | | | |
EffectiveTransmissionClass | | | | |
Entitlements | | | | |
FileName | | | | |
FilePath | | | | |
FirstIP4Record | | | | |
FullFilePath | | | | |
ImageFileName | | | | |
ImageSubsystem | | | | |
IntegrityLevel | | | | |
LocalAddressIP4 | | | | |
LocalPort | | | | |
MD5HashData | | | | |
ParentAuthenticationId | | | | |
ParentProcessId | | | | |
PhysicalAddress | | | | |
ProcessCreateFlags | | | | |
ProcessEndTime | | | | |
ProcessParameterFlags | | | | |
ProcessStartTime | | | | |
ProcessSxsFlags | | | | |
Protocol | | | | |
RawProcessId | | | | |
RemoteAddressIP4 | | | | |
RemotePort | | | | |
SHA1HashData | | | | |
SHA256HashData | | | | |
SourceProcessId | | | | |
SourceThreadId | | | | |
TargetFileName | | | | |
TargetProcessId | | | | |
TokenType | | | | |
UserSid | | | | |
aid | | | | |
aip | | | | |
cid | | | | |
event_platform | | | | |
event_simpleName | | | | |
eventdate | | | | |
id | | | | |
name | | | | |
rawMessage | | | | |
tagGroup | | | | |
timestamp | | | | |
event_simpleName_json | | | | ✓ |
timestamp_str | | | | ✓ |
SystemManufacturer | | | | ✓ |
SystemProductName | | | | ✓ |
AgentVersion | | | | ✓ |
ConfigIDBuild | | | | ✓ |
WinOSVersion | | | | ✓ |
OSXVersion | | | | ✓ |
BiosManufacturer | | | | ✓ |
BiosVersion | | | | ✓ |
AgentLoadFlags | | | | ✓ |
AgentLocalTime | | | | ✓ |
UserName | | | | ✓ |
LogoffTime | | | | ✓ |
UserIsAdmin | | | | ✓ |
LogonType | | | | ✓ |
LogonTime | | | | ✓ |
LogonServer | | | | ✓ |
LogonDomain | | | | ✓ |
ApplicationName | | | | ✓ |
CommandCount | | | | ✓ |
CommandHistory | | | | ✓ |
VolumeDeviceType | | | | ✓ |
VolumeDriveLetter | | | | ✓ |
VolumeFileSystemDriver | | | | ✓ |
VolumeName | | | | ✓ |
VolumeMountPoint | | | | ✓ |
LocalAddressIP4_str | | | | ✓ |
RemoteAddressIP4_str | | | | ✓ |
hostchain | | | | ✓ |
tag | | | | ✓ |
edr.crowdstrike.cannon.asepvalueupdate
2021-04-09 07:59:53.810 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"AsepFlags":"1","ContextThreadId":"55205328602174","aip":"165.225.208.246","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ONEDRIVE.EXE","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"","id":"0e72e80a-9908-11eb-ab12-02fc1b602cbb","EffectiveTransmissionClass":"3","RegStringValue":"","timestamp":"1617954544613","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954543.842","ConfigStateHash":"2585295952","RegType":"3","ContextProcessId":"1496586776437","AsepClass":"23","AsepIndex":"40","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"MitigationOptions","AsepValueType":"0","RegBinaryValue":"010100000000100000001111010100000000000000000000","Entitlements":"15","name":"AsepValueUpdateV7","aid":"7341900971fd423396e86485c3f34ee6","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":""}
2021-04-09 07:59:54.901 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"RegNumericValue":"1033","AsepFlags":"1","ContextThreadId":"27485236266173","aip":"78.16.160.123","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"","id":"c79e37ec-9907-11eb-a56a-0661ae29273d","EffectiveTransmissionClass":"3","RegStringValue":"409","timestamp":"1617954425778","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954426.988","ConfigStateHash":"2585295952","RegType":"4","ContextProcessId":"638706279818","AsepClass":"10","AsepIndex":"279","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"SystemLcid","AsepValueType":"0","Entitlements":"15","name":"AsepValueUpdateV7","aid":"fd0dd3108b304897a4966372458b3065","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":""}
2021-04-09 07:53:44.695 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"AsepFlags":"1","ContextThreadId":"27480604675074","aip":"78.16.160.123","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\ZoomLauncher\\shell\\open\\command","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"\" \"--url=%1\"","id":"287e320a-9907-11eb-a56a-0661ae29273d","EffectiveTransmissionClass":"3","RegStringValue":"\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" \"--url=%1\"","timestamp":"1617954158811","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954160.234","ConfigStateHash":"2585295952","RegType":"1","ContextProcessId":"638376378083","AsepClass":"19","AsepIndex":"322","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"","AsepValueType":"0","TargetSHA256HashData":"febd502cd28e262ba16167ebef93a89fb83d1d8107fa2e2a470a519b215861c2","Entitlements":"15","name":"AsepValueUpdateV7","aid":"fd0dd3108b304897a4966372458b3065","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files (x86)\\Zoom\\bin\\Zoom.exe"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
AsepClass | | | |
AsepFlags | | | |
AsepIndex | | | |
AsepValueType | | | |
AuthenticationId | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
ContextProcessId | | | |
ContextThreadId | | | |
ContextTimeStamp | | | |
Data1 | | | |
EffectiveTransmissionClass | | | |
RegStringValue | | | |
Entitlements | | | |
RegNumericValue | | | |
RegObjectName | | | |
RegOperationType | | | |
RegType | | | |
RegValueName | | | |
TokenType | | | |
RegBinaryValue | | | |
TargetFileName | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.channelversionrequired
2021-04-09 11:09:17.931 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"139","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2918023209","aip":"71.238.107.214","ChannelVersionRequired":"0","ChannelId":"208","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"a332d1d7-9922-11eb-ada3-06f148e29b03","EffectiveTransmissionClass":"0","aid":"23018dfd996c40c7be9eb77208f731a6","timestamp":"1617965961088","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 11:09:17.953 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"3","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2918023209","aip":"165.225.122.219","ChannelVersionRequired":"0","ChannelId":"10","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"b64cbff2-9922-11eb-a8c5-02feb8880353","EffectiveTransmissionClass":"0","aid":"3a1af6b03b0a4982b8898e7cd0e29553","timestamp":"1617965993135","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 11:09:17.975 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"73","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2585295952","aip":"165.225.196.194","ChannelVersionRequired":"0","ChannelId":"232","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"ChannelVersionRequiredV1","id":"963b4bf2-9922-11eb-b22a-02eefaa4927b","EffectiveTransmissionClass":"0","aid":"46be8f87eca546a4ac5654164a26bf52","timestamp":"1617965939333","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ChannelId | | | |
ChannelVersion | | | |
ChannelVersionRequired | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
EffectiveTransmissionClass | | | |
Entitlements | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.dnsrequest
2021-04-09 12:00:59.883 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"DnsResponseType":"2","IP4Records":"52.109.6.26;","ContextThreadId":"23764199475531","aip":"165.225.208.231","CNAMERecords":"prod.roaming1.live.com.akadns.net;us1.roaming1.live.com.akadns.net;","QueryStatus":"0","InterfaceIndex":"0","event_platform":"Win","DualRequest":"1","id":"0f4db7dc-992a-11eb-ae28-024b5e720a59","EffectiveTransmissionClass":"3","FirstIP4Record":"52.109.6.26","timestamp":"1617969148935","event_simpleName":"DnsRequest","ContextTimeStamp":"1617969148.178","ConfigStateHash":"2585295952","ContextProcessId":"747399737494","DomainName":"roaming.officeapps.live.com","RespondingDnsServer":"8.8.8.8","ConfigBuild":"1007.3.0012601.1","DnsRequestCount":"1","Entitlements":"15","name":"DnsRequestV4","aid":"b13e766e56b8456da46a8b54dc4572dd","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"28"}
2021-04-09 12:00:59.905 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"DnsRequest","ContextTimeStamp":"1617969109.156","ConfigStateHash":"2918023209","ContextProcessId":"348733400130856494","DomainName":"surveymonkey.jamfcloud.com","ContextThreadId":"0","aip":"165.225.28.51","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"fa3c9241-9929-11eb-958f-02a40a37d295","EffectiveTransmissionClass":"2","aid":"6986d4f96e1a4a3e92464db44d014c30","timestamp":"1617969113591","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"1"}
2021-04-09 11:55:58.094 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1617968458.301","ConfigStateHash":"2918023209","ContextProcessId":"345903110978295869","DomainName":"xmpp.zhumu.me","ContextThreadId":"0","aip":"165.225.243.35","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"73c01862-9928-11eb-99e9-0248ed9de6c7","EffectiveTransmissionClass":"2","aid":"a42d8f4f1f354bceb2b3762f8e0aecf2","timestamp":"1617968458464","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"1"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
ContextProcessId | | | |
ContextThreadId | | | |
ContextTimeStamp | | | |
DomainName | | | |
Entitlements | | | |
RequestType | | | |
DnsResponseType | | | |
IP4Records | | | |
FirstIP4Record | | | |
CNAMERecords | | | |
IP6Records | | | |
FirstIP6Record | | | |
QueryStatus | | | |
DualRequest | | | |
RespondingDnsServer | | | |
DnsRequestCount | | | |
InterfaceIndex | | | |
EffectiveTransmissionClass | | | |
BoundingLimitCount | | | |
BoundingLimitDuration | | | |
TreeId | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.endofprocess
2021-04-09 12:44:27.159 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"165.225.208.242","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"74bd0966-992e-11eb-b88a-0642ec650209","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1617971037102","event_simpleName":"EndOfProcess","RawProcessId":"25852","ContextTimeStamp":"1617971036.029","ConfigStateHash":"2918023209","ContextProcessId":"346942520916744874","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","ConfigBuild":"1007.4.0012903.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"346942520916744874","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"fcf145c19b07433593ab0aa2dc4e0d62","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 12:44:27.165 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ScreenshotsTakenCount":"0","ExitCode":"0","ParentProcessId":"601814509485","UserSid":"S-1-12-1-3303541727-1224872305-3705391750-2513421842","NetworkListenCount":"0","SuspiciousRawDiskReadCount":"0","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","ContextData":"","id":"88094ef5-992e-11eb-a3f4-02dbcc0f62f9","NewExecutableWrittenCount":"0","ExeAndServiceCount":"0","NetworkCloseCount":"0","SuspectStackCount":"0","CLICreationCount":"0","UnsignedModuleLoadCount":"0","UserTime":"1093750","event_simpleName":"EndOfProcess","RawProcessId":"59332","ContextTimeStamp":"1617971066.555","AllocateVirtualMemoryCount":"0","ContextProcessId":"601947963853","ServiceEventCount":"0","SnapshotFileOpenCount":"0","RemovableDiskFileWrittenCount":"0","InjectedDllCount":"0","ModuleLoadCount":"64","UserMemoryProtectExecutableCount":"2","NetworkCapableAsepWriteCount":"0","TargetProcessId":"601947963853","DnsRequestCount":"0","ArchiveFileWrittenCount":"0","Entitlements":"15","name":"EndOfProcessV15","ProcessStartTime":"1617971006.346","SetThreadContextCount":"0","SuspiciousCredentialModuleLoadCount":"0","aid":"64d66e62d6f942d887e4b48d7c72b7f0","cid":"1e09935edb764b1d866c260fab34c575","FileDeletedCount":"0","UserMemoryAllocateExecutableCount":"3","DirectoryCreatedCount":"0","NetworkConnectCountUdp":"0","QueueApcCount":"0","ContextThreadId":"39525180845435","aip":"174.114.225.21","SuspiciousFontLoadCount":"0","ConHostId":"60112","NetworkConnectCount":"0","BinaryExecutableWrittenCount":"0","CycleTime":"418479986","event_platform":"Win","ConHostProcessId":"601814509485","PrivilegedProcessHandleCount":"0","MaxThreadCount":"15","ImageSubsystem":"2","GenericFileWrittenCount":"0","EffectiveTransmissionClass":"3","ScriptEngineInvocationCount":"0","RunDllInvocationCount":"0","timestamp":"1617971069478","CreateProcessCount":"0","KernelTime":"937500","DirectoryEnumeratedCount":"0","ConfigStateHash":"2585295952","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","DocumentFileWrittenCount":"0","ProtectVirtualMemoryCount":"0","SHA256HashData":"175337a06386a331f7933c4c5e1b729179a0ce92a385d3f126c871d2976dfbf5","UserMemoryProtectExecutableRemoteCount":"0","ConfigBuild":"1007.3.0012601.1","UserMemoryAllocateExecutableRemoteCount":"0","ExecutableDeletedCount":"0","RegKeySecurityDecreasedCount":"0","InjectedThreadCount":"0","NetworkModuleLoadCount":"0"}
2021-04-09 12:44:27.166 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"174.127.158.149","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"6eb7b400-992e-11eb-bb6f-0243d64bb105","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1617971027001","event_simpleName":"EndOfProcess","RawProcessId":"2358","ContextTimeStamp":"1617971025.963","ConfigStateHash":"2918023209","ContextProcessId":"348891905675500933","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","SHA256HashData":"87477a57c83ce40d53ae865d806f30d437c0b0eba37db244014319db2fb1a934","ConfigBuild":"1007.4.0012903.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"348891905675500933","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"1a630baecc3b48c1b97683a4b72d7590","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ActivePrivilegeEscalationCount | | | |
AsepWrittenCount | | | |
BinaryExecutableWrittenCount | | | |
CLICreationCount | | | |
ConHostId | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
ContextProcessId | | | |
ContextThreadId | | | |
ContextTimeStamp | | | |
CycleTime | | | |
DirectoryCreatedCount | | | |
DirectoryEnumeratedCount | | | |
DnsRequestCount | | | |
EffectiveTransmissionClass | | | |
Entitlements | | | |
ExeAndServiceCount | | | |
ExecutableDeletedCount | | | |
ExitCode | | | |
FileDeletedCount | | | |
InjectedDllCount | | | |
InjectedThreadCount | | | |
KernelTime | | | |
MaxThreadCount | | | |
NamedObjectCount | | | |
NetworkBindCount | | | |
NetworkCapableAsepWriteCount | | | |
NetworkCloseCount | | | |
NetworkConnectCount | | | |
NetworkConnectCountUdp | | | |
NetworkListenCount | | | |
NetworkRecvAcceptCount | | | |
NewExecutableWrittenCount | | | |
PrivilegedProcessHandleCount | | | |
RawProcessId | | | |
RegKeySecurityDecreasedCount | | | |
RunDllInvocationCount | | | |
ScriptEngineInvocationCount | | | |
ServiceEventCount | | | |
SHA256HashData | | | |
SnapshotFileOpenCount | | | |
SuspectStackCount | | | |
SuspiciousCredentialModuleLoadCount | | | |
SuspiciousDnsRequestCount | | | |
SuspiciousRawDiskReadCount | | | |
TargetProcessId | | | |
UnsignedModuleLoadCount | | | |
UserMemoryAllocateExecutableCount | | | |
UserMemoryAllocateExecutableRemoteCount | | | |
UserMemoryProtectExecutableCount | | | |
UserMemoryProtectExecutableRemoteCount | | | |
UserSid | | | |
UserTime | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.neighborlistip4
2021-04-09 13:29:00.575 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2918023209","NeighborList":"10-33-BF-8B-EE-99|10.0.0.1|1|1A-51-49-1A-8B-5B|10.0.0.5|0|6C-4A-85-32-F7-98|10.0.0.68|0|6E-AD-C0-FF-B4-B1|10.0.0.75|0|1C-F2-9A-4E-BA-36|10.0.0.177|0|B6-76-12-17-13-55|10.0.0.184|0|F0-EF-86-37-37-2B|10.0.0.193|0|00-80-92-7B-53-6C|10.0.0.198|0|50-02-91-14-E2-A1|10.0.0.226|0|","aip":"174.114.176.83","InterfaceIndex":"6","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"a1e2e9d7-9935-11eb-907f-062688f290d9","EffectiveTransmissionClass":"3","aid":"897ee36f5c714fcb809b1136b1f66c6b","timestamp":"1617974119325","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:29:02.248 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2585295952","NeighborList":"02-50-41-00-00-02|192.168.0.101|0|!!!!UNKNOWN!!!!;02-50-41-00-00-02|192.168.1.96|0|!!!!UNKNOWN!!!!;","aip":"165.225.196.233","InterfaceIndex":"24","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"NeighborListIP4V2","id":"df6f0f4a-9935-11eb-93f7-02cc23bb333b","EffectiveTransmissionClass":"3","aid":"35f4c119c32e48e394104cc6309e1bd3","timestamp":"1617974222584","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:29:03.038 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2585295952","NeighborList":"02-50-41-00-00-02|192.168.0.101|0|!!!!UNKNOWN!!!!;02-50-41-00-00-02|192.168.1.96|0|!!!!UNKNOWN!!!!;","aip":"165.225.196.233","InterfaceIndex":"24","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"NeighborListIP4V2","id":"1e275db5-9936-11eb-93f8-02cc23bb333b","EffectiveTransmissionClass":"3","aid":"35f4c119c32e48e394104cc6309e1bd3","timestamp":"1617974327811","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
EffectiveTransmissionClass | | | |
Entitlements | | | |
InterfaceIndex | | | |
NeighborList | | | |
rawMessage | | | |
tag | | | ✓ |
hostchain | | | ✓ |
edr.crowdstrike.cannon.networkconnectip4
2021-04-09 13:53:57.459 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"192.168.0.150","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975663.670","ConfigStateHash":"2585295952","ConnectionFlags":"0","ContextProcessId":"738719739861","RemotePort":"443","aip":"37.228.234.51","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","LocalPort":"59031","Entitlements":"15","name":"NetworkConnectIP4V5","id":"3a509a99-9939-11eb-a2f8-067e88e19e01","Protocol":"6","EffectiveTransmissionClass":"3","aid":"3abcbd5723e54e978874c27cde6bd35e","RemoteAddressIP4":"20.190.160.68","ConnectionDirection":"0","InContext":"0","timestamp":"1617975663547","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:53:57.468 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"127.0.0.1","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975649.557","ConfigStateHash":"2585295952","ConnectionFlags":"0","ContextProcessId":"571318780276","RemotePort":"52644","aip":"165.225.208.234","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","LocalPort":"61803","Entitlements":"15","name":"NetworkConnectIP4V5","id":"24272bf4-9939-11eb-adf6-067d20a67ffd","Protocol":"6","EffectiveTransmissionClass":"3","aid":"a0f9198183664268858d5fbb8535758a","RemoteAddressIP4":"127.0.0.1","ConnectionDirection":"0","InContext":"0","timestamp":"1617975626366","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:53:57.477 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975615.295","ConfigStateHash":"381236269","ConnectionFlags":"0","ContextProcessId":"348898307322358355","RemotePort":"443","aip":"165.225.243.10","ConfigBuild":"1007.4.0013402.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV5","id":"1d52f922-9939-11eb-9785-061eb7460571","Protocol":"6","EffectiveTransmissionClass":"3","aid":"9851078f4c6c4a2ba574138202e402ed","RemoteAddressIP4":"35.174.189.228","ConnectionDirection":"0","InContext":"0","timestamp":"1617975614909","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
ConnectionDirection | | | |
ConnectionFlags | | | |
ContextProcessId | | | |
ContextTimeStamp | | | |
Entitlements | | | |
InContext | | | |
LocalAddressIP4 | | | |
LocalPort | | | |
Protocol | | | |
EffectiveTransmissionClass | | | |
RemoteAddressIP4 | | | |
RemotePort | | | |
rawMessage | | | |
tag | | | ✓ |
hostchain | | | ✓ |
edr.crowdstrike.cannon.other
2021-04-09 13:05:38.268 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"Size":"14200","ContextThreadId":"1176882223876","MinorFunction":"0","aip":"98.207.239.141","IsOnNetwork":"0","FileIdentifier":"bc707c55ebfb3b418c23a5dd4fe9960f57f5040000000a00","event_platform":"Win","TokenType":"1","id":"b2c60095-9932-11eb-ae87-02c522068d43","FileObject":"18446679257958897152","EffectiveTransmissionClass":"3","timestamp":"1617972859166","event_simpleName":"PeFileWritten","ContextTimeStamp":"1617941033.926","UserName":"SM-PC1NTZHY$","ConfigStateHash":"3041407854","IsTransactedFile":"0","ContextProcessId":"43047570327","IrpFlags":"1028","SHA256HashData":"167ff65a1079c3374b280588c2069b47387c02a3bb266ce0f0036d1e351bad37","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","FileEcpBitmask":"0","MajorFunction":"18","IsOnRemovableDisk":"0","Entitlements":"15","name":"PeFileWrittenV14","OperationFlags":"0","aid":"5e09cf6af2fa44dbad70bf817899311e","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.0.6.15\\api-ms-win-core-file-l1-1-0.dll"}
2021-04-09 13:05:38.273 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"RegisterRawInputDevicesEtw","ContextTimeStamp":"1617972872.520","ConfigStateHash":"3608611488","EtwRawProcessId":"21908","ContextProcessId":"410758879045","aip":"165.225.209.6","EtwRawThreadId":"10288","ApiReturnValue":"1","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"RegisterRawInputDevicesEtwV1","id":"aa83b494-9932-11eb-9c80-02f3347e1ad9","EffectiveTransmissionClass":"3","aid":"40d54d290fb249d4874cfd957e3c2aed","timestamp":"1617972845310","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:05:38.277 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1617972841.216","GID":"0","ConfigStateHash":"2918023209","ContextProcessId":"348895714920688441","ContextThreadId":"0","aip":"86.92.111.243","Flags":"0","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"a83fe846-9932-11eb-aa4a-060a1b49bf57","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"1eac0bb9d8af42d498a529a0d140e2a2","TargetDirectoryName":"/private/var/folders/zb/lqtsq__s16z9wylcqvbkkj800000gn/C/com.apple.metadata.mdworker/12364.30906","timestamp":"1617972841510","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"/private/var/folders/zb/lqtsq__s16z9wylcqvbkkj800000gn/C/com.apple.metadata.mdworker/12364.30906"}
2021-04-30 07:50:48.727 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1619768064.491","GID":"0","ConfigStateHash":"3311018198","ContextProcessId":"352122003008913860","ContextThreadId":"0","aip":"165.225.243.20","Flags":"0","ConfigBuild":"1007.4.0013402.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"7c8bedd3-a986-11eb-b656-063c6f51de7d","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"bb4cdf98dfc543358d044639f5d3fe19","TargetDirectoryName":"/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868","timestamp":"1619768064518","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | timestamp | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
UserPrincipal | null | str | |
id | | str | |
name | | | |
timestamp | | timestamp | |
PhysicalAddress | | | |
IrpFlags | | | |
SHA256HashData | | | |
AuthenticationId | | | |
FileWrittenFlags | | | |
ConfigBuild | | | |
FileEcpBitmask | | | |
MajorFunction | | | |
IsOnRemovableDisk | | | |
Entitlements | | | |
OperationFlags | | | |
TargetFileName | | | |
LogonType | null | str | |
ConfigStateHash | 3311018198 | str | |
ContextProcessId | 352122003008913860 | str | |
ContextThreadId | 0 | str | |
ContextTimeStamp | | timestamp | |
EffectiveTransmissionClass | 2 | str | |
Flags | 0 | str | |
GID | 0 | str | |
TargetDirectoryName | /private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868 | str | |
UID | 0 | str | |
UnixMode | 0 | str | |
VnodeType | 2 | str | |
message | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.processrollup2
2021-04-09 14:17:26.739 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"348898968328545355","SourceProcessId":"348898968328545355","aip":"162.224.86.2","SessionProcessId":"348898968328545355","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"auditd","id":"549abc55-993c-11eb-b676-02f31117c8fd","EffectiveTransmissionClass":"2","Tags":"341, 12094627905582, 12094627906234","timestamp":"1617976996144","ProcessGroupId":"348898968328545355","event_simpleName":"ProcessRollup2","RawProcessId":"9059","GID":"0","ConfigStateHash":"2918023209","SVGID":"0","MD5HashData":"4650ee728313c95bf7af51301de50c5d","SHA256HashData":"a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece","ConfigBuild":"1007.4.0012903.1","UID":"0","CommandLine":"/bin/sh /etc/security/audit_warn closefile /var/audit/20210409140316.20210409140316","TargetProcessId":"348904428165227517","ImageFileName":"/bin/sh","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1617976996.129","aid":"c1bd5ddf99cd43479774291721c02f7e","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:17:26.747 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ProcessCreateFlags":"12","IntegrityLevel":"16384","ParentProcessId":"154862993023","SourceProcessId":"154862993023","aip":"165.225.242.251","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-18","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"SearchIndexer.exe","ImageSubsystem":"3","id":"5b14f076-993c-11eb-b80c-06737e649339","EffectiveTransmissionClass":"3","SessionId":"0","Tags":"12094627905582, 12094627906234","timestamp":"1617977007011","event_simpleName":"ProcessRollup2","RawProcessId":"26644","ConfigStateHash":"2585295952","MD5HashData":"d4c0c10590da99309e3c36e66f99ee60","SHA256HashData":"dfe51b0739ed161f69afbb736460ebb7dd37372ff0659cbc20f4a9c850fbcc8c","ProcessSxsFlags":"64","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","CommandLine":"\"C:\\WINDOWS\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe708_ Global\\UsGthrCtrlFltPipeMssGthrPipe708 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ","ParentAuthenticationId":"999","TargetProcessId":"189978486187","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\SearchProtocolHost.exe","SourceThreadId":"6177925955139","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1617977006.575","ProcessParameterFlags":"24577","aid":"c67fd29871894b1d993e4b9b57c96583","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:17:26.750 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"WindowTitle":"C:\\WINDOWS\\system32\\net.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"8192","ParentProcessId":"1904245799874","SourceProcessId":"1904245799874","aip":"174.114.192.36","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-2969236542-3715907981-188815748-37132","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"Duo Device Health.exe","ImageSubsystem":"3","id":"67d6a08e-993c-11eb-a5e7-0699e0aa9677","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 12094627905582, 12094627906234, 211381110440233, 237494511599633","timestamp":"1617977028413","event_simpleName":"ProcessRollup2","RawProcessId":"25524","ConfigStateHash":"2585295952","MD5HashData":"31890a7de89936f922d44d677f681a7f","SHA256HashData":"7c4c7725e266f12aba8c50fd1598d4001201bca0e7aca901508307e365afff42","ProcessSxsFlags":"64","AuthenticationId":"8011425","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0012601.1","WindowFlags":"256","CommandLine":"\"net\" accounts","ParentAuthenticationId":"8011425","TargetProcessId":"1997820221753","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\net.exe","SourceThreadId":"78850645569265","CallStackModuleNames":"0<-1>\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll+0x9e504:0x1f5000:0x60a6ca36|\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll+0x11739:0x59000:0xafef9bb9|1+0x10f10|1+0x901a|\\Device\\HarddiskVolume3\\Windows\\System32\\wow64cpu.dll+0x17c3:0xa000:0x378bc3cd|4+0x11b9|1+0x38c9|1+0x32bd|0+0x74f89|0+0x74b73|0+0x74b1e|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\ntdll.dll+0x7381c:0x1a3000:0xa9ac4e88|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\KernelBase.dll+0xfe73e:0x214000:0xb610d74d|12+0xfda4c|\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\258d4259dd4377d917679ad4b058966e\\System.ni.dll+0x23cc02:0xa55000:0x5f7e6395|14+0x1aaaa4|14+0x1aa39c|[HEAP:4:RWX-:JIT-DOTNET::0x6efc000]+0x6efc6b4|17+0x505|17+0x36e|17+0x2e6|\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\218db16dceaef380c6daf35c6a48f313\\mscorlib.ni.dll+0x4af0c2:0x140e000:0x5f7e60f6|21+0x3f8537|21+0x4aefff|21+0x4aee73|21+0x4aecd7|21+0x4aeb92|\\Device\\HarddiskVolume3\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll+0xf036:0x7b0000:0x5f7e61bb|27+0x122da|27+0x1859b|27+0x1c0d73|27+0x1be1e6|27+0x1be271|27+0x1be162|27+0x1be351|27+0x1c0d0e|27+0x1c0c72|27+0x1c0956|27+0x1bec23|27+0xd4bb7|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\kernel32.dll+0x1fa29:0xf0000:0x7c5a840a|11+0x67c7e|11+0x67c4e","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1617977027.758","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"2bf4bbf2ed9640fda00a420fb32d8010","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-30 08:13:31.932 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"352351680691546742","SourceProcessId":"352351680691546742","aip":"165.225.242.251","SessionProcessId":"352351680691546742","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"auditd","id":"5d8acde7-a988-11eb-902b-02858566b481","EffectiveTransmissionClass":"2","Tags":"341, 12094627905582, 12094627906234","timestamp":"1619768871495","ProcessGroupId":"352351680691546742","event_simpleName":"ProcessRollup2","RawProcessId":"88976","GID":"0","ConfigStateHash":"3311018198","SVGID":"0","MD5HashData":"4650ee728313c95bf7af51301de50c5d","SHA256HashData":"a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece","ConfigBuild":"1007.4.0013402.1","UID":"0","CommandLine":"/bin/sh /etc/security/audit_warn expired /var/audit/20210430073143.20210430073143","TargetProcessId":"352662252720926336","ImageFileName":"/bin/sh","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1619768871.463","aid":"4070e2439eae4397a3f8f31e11f4e5fb","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Field transformation | Extra fields |
---|---|---|---|---|---|
eventdate | | | | | |
aid | | | | | |
aip | | | | | |
cid | | | | | |
event_platform | | | | | |
event_simpleName | ProcessRollup2 | str | | | |
id | | | | | |
name | | | | | |
timestamp | | | | | |
LinkName | | | | | |
AuthenticationId | | | | | |
CommandLine | | | | | |
ConfigBuild | | | | | |
ConfigStateHash | | | | | |
EffectiveTransmissionClass | | | | | |
Entitlements | | | | | |
FullFilePath | | | ImageFileName | | |
FilePath | | | | | |
ComputerName | | | | | |
UserName | | | | | |
FileName | | | | | |
ImageFileName | | | | | |
ImageSubsystem | | | | | |
IntegrityLevel | | | | | |
MD5HashData | | | | | |
ParentAuthenticationId | | | | | |
ParentProcessId | | | | | |
ProcessCreateFlags | | | | | |
ProcessEndTime | | | | | |
ProcessParameterFlags | | | | | |
ProcessStartTime | | | | | |
ProcessSxsFlags | | | | | |
RawProcessId | | | | | |
SHA1HashData | | | | | |
SHA256HashData | | | | | |
SourceProcessId | | | | | |
SourceThreadId | | | | | |
TargetProcessId | | | | | |
TokenType | | | | | |
UserSid | | | | | |
ParentBaseFileName | | | | | |
GrandParentBaseFileName | | | | | |
UID | | | | | |
RGID | | | | | |
RUID | | | | | |
GID | 0 | str | | | |
MachOSubType | 1 | str | | | |
ProcessGroupId | 352351680691546750 | str | | | |
SessionProcessId | 352351680691546750 | str | | | |
SVGID | 0 | str | | | |
SVUID | 0 | str | | | |
Tags | 341, 12094627905582, 12094627906234 | str | | | |
rawMessage | | | | | |
hostchain | | | | | ✓ |
tag | | | | | ✓ |
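The raw line layout shown in the samples (ingest time, collector pod and IP, the edr.crowdstrike.cannon tag, then a JSON body), the classification of that single feed into sub-tables, and the derived columns listed in the processrollup2 table (FullFilePath taken from ImageFileName, plus FilePath and FileName) can be exercised with the following Python. It is an example added here; it is not code from the Devo documentation or collector. Routing on the lower-cased event_simpleName and the last-path-component rule for FilePath/FileName are assumptions, since the page does not show the transformation Devo applies; the sample lines are constructed, shortened versions of the samples on this page.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Layout of one raw line as it appears in the samples on this page:
#   "<ingest time> <collector pod>=<collector ip> edr.crowdstrike.cannon: <json body>"
LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<collector>[^=\s]+)=(?P<collector_ip>\S+) "
    r"(?P<tag>edr\.crowdstrike\.cannon): (?P<body>\{.*\})\s*$"
)

# Sub-tables whose columns are documented in this section. Routing on the
# lower-cased event_simpleName is an assumption about how the single cannon
# feed is classified; in this example anything else lands in ".other".
DOCUMENTED_SUBTABLES = {
    "processrollup2",
    "processrollup2stats",
    "sensorheartbeat",
    "syntheticprocessrollup2",
}


def parse_line(line):
    """Split one raw line into its envelope fields and the decoded JSON payload."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the edr.crowdstrike.cannon layout")
    return {**m.groupdict(), "event": json.loads(m.group("body"))}


def subtable_for(event):
    """Name the target data table for a decoded event."""
    name = event.get("event_simpleName", "").lower()
    return "edr.crowdstrike.cannon." + (name if name in DOCUMENTED_SUBTABLES else "other")


def split_image_path(image_file_name):
    """Derive FilePath and FileName from ImageFileName.

    Handles the Windows device-path form (\\Device\\HarddiskVolume3\\...) and the
    macOS POSIX form (/bin/sh). The exact transformation Devo applies is not
    shown on the page; this uses a plain last-path-component rule (assumption).
    """
    sep = "\\" if "\\" in image_file_name else "/"
    head, _, tail = image_file_name.rpartition(sep)
    return head, tail


def epoch_ms(value):
    """'timestamp' is a string of epoch milliseconds; integer arithmetic keeps
    the millisecond part exact instead of going through a float."""
    ms = int(value)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def normalize(line):
    """Turn one raw line into a row with the columns the tables above list."""
    parsed = parse_line(line)
    event = parsed["event"]
    row = {
        "table": subtable_for(event),
        "eventdate": datetime.strptime(parsed["eventdate"], "%Y-%m-%d %H:%M:%S.%f"),
        "tag": parsed["tag"],
        "timestamp": epoch_ms(event["timestamp"]),
    }
    # Every JSON value arrives as a string, which is why the Type column reads "str".
    row.update({k: str(v) for k, v in event.items() if k != "timestamp"})
    if "ImageFileName" in event:
        row["FullFilePath"] = event["ImageFileName"]
        row["FilePath"], row["FileName"] = split_image_path(event["ImageFileName"])
    return row


# Constructed sample lines: shortened versions of the samples on this page,
# keeping only the keys the functions above need.
SAMPLE_LINES = [
    r'2021-04-09 14:17:26.750 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 '
    r'edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2","event_platform":"Win",'
    r'"timestamp":"1617977028413","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\net.exe",'
    r'"CommandLine":"\"net\" accounts","UserSid":"S-1-5-21-2969236542-3715907981-188815748-37132"}',
    r'2021-04-30 08:13:31.932 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 '
    r'edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2","event_platform":"Mac",'
    r'"timestamp":"1619768871495","ImageFileName":"/bin/sh",'
    r'"CommandLine":"/bin/sh /etc/security/audit_warn expired /var/audit/20210430073143.20210430073143"}',
    r'2021-04-09 14:56:41.491 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 '
    r'edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","event_platform":"Mac",'
    r'"timestamp":"1617979340023","NetworkContainmentState":"0","ProvisionState":"1"}',
    r'2021-04-09 13:05:38.277 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 '
    r'edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","event_platform":"Mac",'
    r'"timestamp":"1617972841510","TargetDirectoryName":"/private/var/folders/zb/C/com.apple.metadata.mdworker/12364.30906"}',
]


def route_samples(lines=SAMPLE_LINES):
    """Group normalized rows by target table (the classification step)."""
    routed = {}
    for line in lines:
        row = normalize(line)
        routed.setdefault(row["table"], []).append(row)
    return routed


if __name__ == "__main__":
    for table, rows in route_samples().items():
        for row in rows:
            print(table, row["timestamp"].isoformat(), row.get("FileName", "-"), row.get("CommandLine", "-"))
```

Running the block prints one line per event with its target table, the event time converted from epoch milliseconds, and the derived FileName, which makes it easy to confirm that a Windows device path and a macOS path both split as expected before the same logic is pointed at a real feed.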
edr.crowdstrike.cannon.processrollup2stats
2021-04-09 13:50:47.398 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2918023209","Timeout":"600","aip":"165.225.208.236","SHA256HashData":"87e561f9ebfde647eaf39939642c5a51932a8bfa441a366c6c3d81ff011cdc05","ProcessCount":"2","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"launchctl enable system/com.kace.patching-asus","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"cb086e20-9937-11eb-ba3d-06fef92fe9dd","EffectiveTransmissionClass":"2","aid":"8068046df4a6490987f0089b526a4667","timestamp":"1617975047351","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:50:47.415 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"381236269","Timeout":"600","aip":"165.225.243.10","SHA256HashData":"b0e1fa302c1fa8ab3626f0bd3771a2252a4590257fa928a8f88402051004916e","ProcessCount":"11","ConfigBuild":"1007.4.0013402.1","UID":"0","event_platform":"Mac","CommandLine":"/sbin/route delete -net 10.3.0.0/19 -ifp utun2","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"c62a6a94-9937-11eb-9784-061eb7460571","EffectiveTransmissionClass":"2","aid":"9851078f4c6c4a2ba574138202e402ed","timestamp":"1617975039185","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:50:47.436 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2918023209","Timeout":"600","aip":"165.225.28.45","SHA256HashData":"96f73ca8a47bf31bbcb48f1bc2bd73e76f6f63417be67b9adc0eb9733c657a34","ProcessCount":"4","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"/usr/sbin/networksetup -listallnetworkservices","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"aa24425b-9937-11eb-97ad-023f0be97253","EffectiveTransmissionClass":"2","aid":"42a912472bdb4ed792b6a08994696e89","timestamp":"1617974992168","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
CommandLine | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
Entitlements | | | |
ProcessCount | | | |
SHA256HashData | | | |
Timeout | | | |
UID | | | |
EffectiveTransmissionClass | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.sensorheartbeat
2021-04-09 14:56:41.491 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"165.225.60.238","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c9aa366d-9941-11eb-8244-060987fb5de7","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"5aea9aa9268f4812b9b24587eed349e3","ProvisionState":"1","timestamp":"1617979340023","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:56:41.653 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"165.225.209.8","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c11350f7-9941-11eb-839d-02f1fd9362ab","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"f4090914bbe94f4a8c57ca41d42b4c05","ProvisionState":"1","timestamp":"1617979325612","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:56:41.756 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"188.214.13.174","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c6e8bdb2-9941-11eb-acca-06b912d7ff79","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"9caeadd3386c480a82e39a519a33e538","ProvisionState":"1","timestamp":"1617979335399","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | | |
id | | | |
name | | | |
timestamp | | | |
ConfigBuild | | | |
ConfigIDBase | | | |
ConfigIDBuild | | | |
ConfigIDPlatform | | | |
ConfigStateHash | | | |
ConfigurationVersion | | | |
EffectiveTransmissionClass | | | |
Entitlements | | | |
NetworkContainmentState | | | |
ProvisionState | | | |
SensorStateBitMap | | | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |
edr.crowdstrike.cannon.syntheticprocessrollup2
2021-04-09 15:29:53.739 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"ParentProcessId":"348913391379184902","SourceProcessId":"348913402982727632","aip":"165.225.208.240","SessionProcessId":"348913403033059284","SyntheticPR2Flags":"0","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","SVUID":"502","id":"f7814f69-9946-11eb-813f-02dd1444b789","EffectiveTransmissionClass":"2","timestamp":"1617981564413","ProcessGroupId":"19303","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"19303","ContextTimeStamp":"1617981561.971","GID":"20","ConfigStateHash":"3423515459","SVGID":"20","MD5HashData":"e349d56d32d945fa83016fb1c2eab2dc","SHA256HashData":"dafa7f54a389749a01a055ad06b09db173444efc9dfb03372f50c35721ec1c34","ConfigBuild":"1007.4.0012903.1","UID":"502","CommandLine":"/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/AssetCacheProfilePlugin.xpc/Contents/MacOS/AssetCacheProfilePlugin","TargetProcessId":"348913403033059284","ImageFileName":"/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/AssetCacheProfilePlugin.xpc/Contents/MacOS/AssetCacheProfilePlugin","RGID":"20","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","ProcessStartTime":"1617711031.533","RUID":"502","aid":"40ff6a1125e04b97acd62fe5695f2323","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 15:29:53.745 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SyntheticProcessRollup2","RawProcessId":"4295055690","ContextTimeStamp":"1617981533.454","ConfigStateHash":"2918023209","ParentProcessId":"140318733482848","aip":"165.225.208.230","SyntheticPR2Flags":"16","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","TargetProcessId":"347573425717557760","ImageFileName":"/Applications/Visual Studio Code.app/Contents/MacOS/Electron","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","id":"e5147002-9946-11eb-ac8a-06a67b76f98b","EffectiveTransmissionClass":"2","aid":"9b3304117aa4471a95a4855698751b4d","timestamp":"1617981533501","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 15:29:53.792 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SyntheticProcessRollup2","RawProcessId":"4294991750","ContextTimeStamp":"1617981532.983","ConfigStateHash":"2918023209","ParentProcessId":"140477117417056","aip":"165.225.242.255","SyntheticPR2Flags":"16","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","TargetProcessId":"347912479380283871","ImageFileName":"/bin/bash","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","id":"e4cd0a9b-9946-11eb-8a9d-0666cacb16a1","EffectiveTransmissionClass":"2","aid":"85191da4b9c24c0f9bc4cf607b45c8f6","timestamp":"1617981533033","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-30 08:57:49.831 collector-44434356e7daa251-7bf889b647-vrkgc=54.236.226.230 edr.crowdstrike.cannon: {"ParentProcessId":"352669866666338544","SourceProcessId":"352669872370592262","aip":"165.225.92.234","SessionProcessId":"352669872399952397","SyntheticPR2Flags":"0","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","SVUID":"502","id":"d03af89a-a990-11eb-9adf-06b3c163c597","EffectiveTransmissionClass":"2","timestamp":"1619772499884","ProcessGroupId":"1170","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"1170","ContextTimeStamp":"1619772499.739","GID":"20","ConfigStateHash":"1576918349","SVGID":"20","MD5HashData":"e474c0c85340f892ddc16141393f2ab6","SHA256HashData":"f4f2c8c83afdb4f329f290795fbadbc70f648b9516badc22736da53c34e7d2b4","ConfigBuild":"1007.4.0012505.1","UID":"502","CommandLine":"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService","TargetProcessId":"352669872399952397","ImageFileName":"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService","RGID":"20","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","ProcessStartTime":"1619555844.468","RUID":"502","aid":"8fdefc9f0dac4228af69ebea6099a4ea","cid":"1e09935edb764b1d866c260fab34c575"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
aid | | | |
aip | | | |
cid | | | |
event_platform | | | |
event_simpleName | | str | |
id | | | |
name | | | |
timestamp | | | |
AuthenticationId | | | |
CommandLine | | | |
ConfigBuild | | | |
ConfigStateHash | | | |
ContextTimeStamp | | | |
EffectiveTransmissionClass | | | |
Entitlements | | | |
ImageFileName | | | |
IntegrityLevel | | | |
ParentProcessId | | | |
ProcessStartTime | | | |
RawProcessId | | | |
SHA256HashData | | | |
SyntheticPR2Flags | | | |
TargetProcessId | | | |
UserSid | | | |
MD5HashData | | | |
UID | | | |
RGID | | | |
RUID | | | |
GID | 20 | str | |
ProcessGroupId | 1170 | str | |
SessionProcessId | 352669872399952400 | str | |
SHA1HashData | 0000000000000000000000000000000000000000 | str | |
SourceProcessId | 352669872370592260 | str | |
SVGID | 20 | str | |
SVUID | 502 | str | |
rawMessage | | | |
hostchain | | | ✓ |
tag | | | ✓ |