
edr.crowdstrike

Introduction

The tags beginning with edr.crowdstrike identify events generated by Crowdstrike.

Tag structure

The full tag has three or four levels. The first two are fixed as edr.crowdstrike. The third level identifies the type of events sent (cannon), and the optional fourth level identifies the event subtype, which is derived from the event_simpleName field of each event.

Technology | Brand | Type
edr | crowdstrike | cannon

All events arrive under a single tag (edr.crowdstrike.cannon) and are then classified into the tables below according to the event type carried in the event_simpleName field of the JSON payload. Event types that do not have a dedicated table are stored in edr.crowdstrike.cannon.other. The valid data tables include:

  • edr.crowdstrike.cannon
  • edr.crowdstrike.cannon.asepvalueupdate
  • edr.crowdstrike.cannon.channelversionrequired
  • edr.crowdstrike.cannon.dnsrequest
  • edr.crowdstrike.cannon.endofprocess
  • edr.crowdstrike.cannon.neighborlistip4
  • edr.crowdstrike.cannon.networkconnectip4
  • edr.crowdstrike.cannon.other
  • edr.crowdstrike.cannon.processrollup2
  • edr.crowdstrike.cannon.processrollup2stats
  • edr.crowdstrike.cannon.sensorheartbeat
  • edr.crowdstrike.cannon.syntheticprocessrollup2

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Get in touch with us to start sending your data to the Devo platform.

Log samples

The following are sample logs sent to each of the edr.crowdstrike tables. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Some of the fields in the tables below are Extra columns. They are not shown by default in data tables and must be explicitly requested in the query; they appear marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

edr.crowdstrike.cannon

2021-04-06 08:19:23.211 collector-44434356e7daa251-7b58fc79c5-h295q=35.205.115.35 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"4116864046","Timeout":"600","aip":"165.225.202.220","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","ProcessCount":"5","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"sh -c launchctl enable system/com.kace.patching-asus 2>&1","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"009c6c5e-96af-11eb-8114-06b1122a1f57","EffectiveTransmissionClass":"2","aid":"1791a646600d4191a28dae8ea3927efe","timestamp":"1617696393862","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-06 09:15:55.328 collector-44434356e7daa251-7b58fc79c5-gws4q=55.165.95.505 edr.crowdstrike.cannon: {"AgentLoadFlags":"0","AgentLocalTime":"1617358176","AgentTimeOffset":"2020.314","AgentVersion":"6.16.12903.0","BiosManufacturer":"Apple Inc.","BiosVersion":"1554.80.3.0.0 (iBridge: 18.16.14346.0.0,0)","ChassisType":"Laptop","City":"Amsterdam","ComputerName":"FVFZN0MZLYWR","ConfigIDBuild":"12903","Continent":"Europe","Country":"Netherlands","FalconGroupingTags":"none","FirstSeen":"1598371419.0","HostHiddenStatus":"Visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"none","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookAir8,2","Time":"1617698981.569","Timezone":"Europe/Amsterdam","Version":"Catalina","aid":"51d163964c8942a687589e2304593f52","aip":"165.225.28.30","cid":"1e09935edb764b1d866c260fab34c575","event_platform":"Mac"}
2021-04-06 09:15:55.315 collector-44434356e7daa251-7b58fc79c5-gws4q=55.165.95.505 edr.crowdstrike.cannon: {"AgentLoadFlags":"0","AgentLocalTime":"1615226637","AgentTimeOffset":"1447.458","AgentVersion":"6.16.12903.0","BiosManufacturer":"Apple Inc.","BiosVersion":"426.0.0.0.0","ChassisType":"Laptop","City":"Melbourne","ComputerName":"C02RX18HH3QF","ConfigIDBuild":"12903","Continent":"Oceania","Country":"Australia","FalconGroupingTags":"none","FirstSeen":"1600881857.0","HostHiddenStatus":"Visible","MachineDomain":"CORP","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"none","ServicePackMajor":"none","SiteName":"Azure","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookAir7,2","Time":"1617698978.23","Timezone":"Australia/Melbourne","Version":"Catalina (10.15)","aid":"d501eb9e05f24983a07b5ec6493d87b2","aip":"165.225.243.35","cid":"1e09935edb764b1d866c260fab34c575","event_platform":"Mac"}
2021-04-06 08:19:23.209 collector-44434356e7daa251-7b58fc79c5-h295q=35.241.123.53 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"347304242636942820","SourceProcessId":"347304242636942820","aip":"85.145.30.144","SessionProcessId":"347304242636942820","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"08aec833-96af-11eb-a869-024422783679","EffectiveTransmissionClass":"2","Tags":"12094627905582, 12094627906234","timestamp":"1617696407404","ProcessGroupId":"347304242636942820","event_simpleName":"ProcessRollup2","RawProcessId":"1434","GID":"0","ConfigStateHash":"4116864046","SVGID":"0","MD5HashData":"50c7a421faf5bacdf89a3921752ab755","SHA256HashData":"87477a57c83ce40d53ae865d806f30d437c0b0eba37db244014319db2fb1a934","ConfigBuild":"1007.4.0012903.1","UID":"0","CommandLine":"xpcproxy com.apple.mdworker.shared.08000000-0100-0000-0000-000000000000","TargetProcessId":"348315942373125956","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1617696407.321","aid":"2fde523e75984c4ca7fb3c540b6af1f3","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed. The parsed example below is a ProcessRollup2 event (a different one from the samples above; its complete content is in the rawMessage field):

Field | Value | Type | Field transformation
AuthenticationId | null | str |
ClientComputerName | null | str |
CommandLine | logger -p security.warning audit warning: closefile /var/audit/20210406080601.20210406080628 | str |
ComputerName | null | str |
ConfigBuild | 1007.4.0012903.1 | str |
ConfigStateHash | 4116864046 | str |
ContextProcessId | null | str |
EffectiveTransmissionClass | 2 | str |
Entitlements | 15 | str |
FileName | logger | str | ifthenelse(event_platform="Win", peek(FullFilePath, re("^.*\\\\(.*)$"), 1), peek(FullFilePath, re("^.*\\/(.*)$"), 1))
FilePath | /usr/bin/ | str | ifthenelse(event_platform="Win", peek(FullFilePath, re("^(.*\\\\).*$"), 1), peek(FullFilePath, re("^(.*\\/).*$"), 1))
FirstIP4Record | null | str |
FullFilePath | /usr/bin/logger | str | ifthenelse(isnull(TargetFileName), ImageFileName, TargetFileName)
ImageFileName | /usr/bin/logger | str |
ImageSubsystem | null | str |
IntegrityLevel | null | str |
LocalAddressIP4 | null | ip |
LocalPort | null | str |
MD5HashData | e8ba5e4c5c1a15441915cea3f8c42230 | str |
ParentAuthenticationId | null | str |
ParentProcessId | 348022370693960700 | str |
PhysicalAddress | null | str |
ProcessCreateFlags | null | str |
ProcessEndTime | | str |
ProcessParameterFlags | null | str |
ProcessStartTime | 1617696388.668 | str |
ProcessSxsFlags | null | str |
Protocol | null | str |
RawProcessId | 15116 | str |
RemoteAddressIP4 | null | ip |
RemotePort | null | str |
SHA1HashData | 0000000000000000000000000000000000000000 | str |
SHA256HashData | 6bfcba946c9c802490403538bc47a639a0678441fa0bbdb10cb51f8cfea9edde | str |
SourceProcessId | 348021785772052796 | str |
SourceThreadId | 0 | str |
TargetFileName | null | str |
TargetProcessId | 348022370704446462 | str |
TokenType | null | str |
UserSid | null | str |
aid | 6d84caccda6f44f6990e94eaf918d010 | str |
aip | 165.225.202.220 | str |
cid | 1e09935edb764b1d866c260fab34c575 | str |
event_platform | Mac | str |
event_simpleName | processrollup2 | str | (vevent in {"processrollup2", "endofprocess", "networkconnectip4", "filedeleted", "asepvalueupdate", "dnsrequest", "networkcapableasepwrite", "channelversionrequired", "neighborlistip4", "sensorheartbeat", "processrollup2stats", "suspectcreatethreadstack", "syntheticprocessrollup2"}) ? vevent : lower(event_simpleName_json)
eventdate | 2021-04-06 10:19:23.211 | timestamp |
id | fd928ef4-96ae-11eb-a000-067b5f78f609 | str |
name | ProcessRollup2MacV5 | str |
rawMessage | (the complete original event, listed below) | str |
tagGroup | null | str |
timestamp | 2021-04-06 10:06:28.764 | timestamp |
event_simpleName_json | | str |
timestamp_str | | str |
SystemManufacturer | | str |
SystemProductName | | str |
AgentVersion | | str |
ConfigIDBuild | | str |
WinOSVersion | | str |
OSXVersion | | str |
BiosManufacturer | | str |
BiosVersion | | str |
AgentLoadFlags | | str |
AgentLocalTime | | str |
UserName | | str |
LogoffTime | | str |
UserIsAdmin | | str |
LogonType | | str |
LogonTime | | str |
LogonServer | | str |
LogonDomain | | str |
ApplicationName | | str |
CommandCount | | str |
CommandHistory | | str |
VolumeDeviceType | | str |
VolumeDriveLetter | | str |
VolumeFileSystemDriver | | str |
VolumeName | | str |
VolumeMountPoint | | str |
LocalAddressIP4_str | | str |
RemoteAddressIP4_str | | str |
hostchain | collector-44434356e7daa251-7b58fc79c5-h295q=35.205.115.35 | str |
tag | edr.crowdstrike.cannon | str |

rawMessage holds the complete original event:

MachOSubType: 1
ParentProcessId: 348022370693960700
SourceProcessId: 348021785772052796
aip: 165.225.202.220
SessionProcessId: 348021785772052796
SHA1HashData: 0000000000000000000000000000000000000000
event_platform: Mac
ProcessEndTime:
SVUID: 0
ParentBaseFileName: bash
id: fd928ef4-96ae-11eb-a000-067b5f78f609
EffectiveTransmissionClass: 2
timestamp: 1617696388764
ProcessGroupId: 348021785772052796
event_simpleName: ProcessRollup2
RawProcessId: 15116
GID: 0
ConfigStateHash: 4116864046
SVGID: 0
MD5HashData: e8ba5e4c5c1a15441915cea3f8c42230
SHA256HashData: 6bfcba946c9c802490403538bc47a639a0678441fa0bbdb10cb51f8cfea9edde
ConfigBuild: 1007.4.0012903.1
UID: 0
CommandLine: logger -p security.warning audit warning: closefile /var/audit/20210406080601.20210406080628
TargetProcessId: 348022370704446462
ImageFileName: /usr/bin/logger
RGID: 0
SourceThreadId: 0
Entitlements: 15
name: ProcessRollup2MacV5
RUID: 0
ProcessStartTime: 1617696388.668
aid: 6d84caccda6f44f6990e94eaf918d010
cid: 1e09935edb764b1d866c260fab34c575

edr.crowdstrike.cannon.asepvalueupdate

2021-04-09 07:59:53.810 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"AsepFlags":"1","ContextThreadId":"55205328602174","aip":"165.225.208.246","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ONEDRIVE.EXE","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"","id":"0e72e80a-9908-11eb-ab12-02fc1b602cbb","EffectiveTransmissionClass":"3","RegStringValue":"","timestamp":"1617954544613","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954543.842","ConfigStateHash":"2585295952","RegType":"3","ContextProcessId":"1496586776437","AsepClass":"23","AsepIndex":"40","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"MitigationOptions","AsepValueType":"0","RegBinaryValue":"010100000000100000001111010100000000000000000000","Entitlements":"15","name":"AsepValueUpdateV7","aid":"7341900971fd423396e86485c3f34ee6","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":""}
2021-04-09 07:59:54.901 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"RegNumericValue":"1033","AsepFlags":"1","ContextThreadId":"27485236266173","aip":"78.16.160.123","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"","id":"c79e37ec-9907-11eb-a56a-0661ae29273d","EffectiveTransmissionClass":"3","RegStringValue":"409","timestamp":"1617954425778","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954426.988","ConfigStateHash":"2585295952","RegType":"4","ContextProcessId":"638706279818","AsepClass":"10","AsepIndex":"279","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"SystemLcid","AsepValueType":"0","Entitlements":"15","name":"AsepValueUpdateV7","aid":"fd0dd3108b304897a4966372458b3065","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":""}
2021-04-09 07:53:44.695 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"AsepFlags":"1","ContextThreadId":"27480604675074","aip":"78.16.160.123","RegObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\ZoomLauncher\\shell\\open\\command","Data1":"00","RegOperationType":"1","event_platform":"Win","TokenType":"1","TargetCommandLineParameters":"\" \"--url=%1\"","id":"287e320a-9907-11eb-a56a-0661ae29273d","EffectiveTransmissionClass":"3","RegStringValue":"\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" \"--url=%1\"","timestamp":"1617954158811","event_simpleName":"AsepValueUpdate","ContextTimeStamp":"1617954160.234","ConfigStateHash":"2585295952","RegType":"1","ContextProcessId":"638376378083","AsepClass":"19","AsepIndex":"322","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","RegValueName":"","AsepValueType":"0","TargetSHA256HashData":"febd502cd28e262ba16167ebef93a89fb83d1d8107fa2e2a470a519b215861c2","Entitlements":"15","name":"AsepValueUpdateV7","aid":"fd0dd3108b304897a4966372458b3065","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files (x86)\\Zoom\\bin\\Zoom.exe"}

And this is how the logs would be parsed:

Field | Value | Type
eventdate | 2021-04-09 07:59:53.810 | timestamp
aid | 7341900971fd423396e86485c3f34ee6 | str
aip | 165.225.208.246 | ip
cid | 1e09935edb764b1d866c260fab34c575 | str
event_platform | Win | str
event_simpleName | AsepValueUpdate | str
id | 0e72e80a-9908-11eb-ab12-02fc1b602cbb | str
name | AsepValueUpdateV7 | str
timestamp | 2021-04-09 07:49:04.613 | timestamp
AsepClass | 23 | str
AsepFlags | 1 | str
AsepIndex | 40 | str
AsepValueType | 0 | str
AuthenticationId | 999 | str
ConfigBuild | 1007.3.0012601.1 | str
ConfigStateHash | 2585295952 | str
ContextProcessId | 1496586776437 | str
ContextThreadId | 55205328602174 | str
ContextTimeStamp | 1617954543.842 | str
Data1 | 00 | str
EffectiveTransmissionClass | 3 | str
RegStringValue | | str
Entitlements | 15 | str
RegNumericValue | null | str
RegObjectName | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONEDRIVE.EXE | str
RegOperationType | 1 | str
RegType | 3 | str
RegValueName | MitigationOptions | str
TokenType | 1 | str
RegBinaryValue | 010100000000100000001111010100000000000000000000 | str
TargetFileName | | str
rawMessage | (the complete original event, listed below) | str
hostchain | collector-44434356e7daa251-7b58fc79c5-h295q=35.205.115.35 | str
tag | edr.crowdstrike.cannon | str

rawMessage holds the complete original event:

  • AsepFlags: 1
  • ContextThreadId: 55205328602174
  • aip: 165.225.208.246
  • RegObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONEDRIVE.EXE
  • Data1: 00
  • RegOperationType: 1
  • event_platform: Win
  • TokenType: 1
  • TargetCommandLineParameters:
  • id: 0e72e80a-9908-11eb-ab12-02fc1b602cbb
  • EffectiveTransmissionClass: 3
  • RegStringValue:
  • timestamp: 1617954544613
  • event_simpleName: AsepValueUpdate
  • ContextTimeStamp: 1617954543.842
  • ConfigStateHash: 2585295952
  • RegType: 3
  • ContextProcessId: 1496586776437
  • AsepClass: 23
  • AsepIndex: 40
  • AuthenticationId: 999
  • ConfigBuild: 1007.3.0012601.1
  • RegValueName: MitigationOptions
  • AsepValueType: 0
  • RegBinaryValue: 010100000000100000001111010100000000000000000000
  • Entitlements: 15
  • name: AsepValueUpdateV7
  • aid: 7341900971fd423396e86485c3f34ee6
  • cid: 1e09935edb764b1d866c260fab34c575
  • TargetFileName:

edr.crowdstrike.cannon.channelversionrequired

2021-04-09 11:09:17.931 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"139","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2918023209","aip":"71.238.107.214","ChannelVersionRequired":"0","ChannelId":"208","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"a332d1d7-9922-11eb-ada3-06f148e29b03","EffectiveTransmissionClass":"0","aid":"23018dfd996c40c7be9eb77208f731a6","timestamp":"1617965961088","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 11:09:17.953 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"3","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2918023209","aip":"165.225.122.219","ChannelVersionRequired":"0","ChannelId":"10","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"b64cbff2-9922-11eb-a8c5-02feb8880353","EffectiveTransmissionClass":"0","aid":"3a1af6b03b0a4982b8898e7cd0e29553","timestamp":"1617965993135","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 11:09:17.975 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ChannelVersion":"73","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"2585295952","aip":"165.225.196.194","ChannelVersionRequired":"0","ChannelId":"232","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"ChannelVersionRequiredV1","id":"963b4bf2-9922-11eb-b22a-02eefaa4927b","EffectiveTransmissionClass":"0","aid":"46be8f87eca546a4ac5654164a26bf52","timestamp":"1617965939333","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field | Value | Type
eventdate | 2021-04-09 11:09:17.931 | timestamp
aid | 23018dfd996c40c7be9eb77208f731a6 | str
aip | 71.238.107.214 | ip
cid | 1e09935edb764b1d866c260fab34c575 | str
event_platform | Mac | str
event_simpleName | ChannelVersionRequired | str
id | a332d1d7-9922-11eb-ada3-06f148e29b03 | str
name | ChannelVersionRequiredMacV2 | str
timestamp | 2021-04-09 10:59:21.088 | timestamp
ChannelId | 208 | str
ChannelVersion | 139 | str
ChannelVersionRequired | 0 | str
ConfigBuild | 1007.4.0012903.1 | str
ConfigStateHash | 2918023209 | str
EffectiveTransmissionClass | 0 | str
Entitlements | 15 | str
rawMessage | (the complete original event, listed below) | str
hostchain | collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 | str
tag | edr.crowdstrike.cannon | str

rawMessage holds the complete original event:

  • ChannelVersion: 139
  • event_simpleName: ChannelVersionRequired
  • ConfigStateHash: 2918023209
  • aip: 71.238.107.214
  • ChannelVersionRequired: 0
  • ChannelId: 208
  • ConfigBuild: 1007.4.0012903.1
  • event_platform: Mac
  • Entitlements: 15
  • name: ChannelVersionRequiredMacV2
  • id: a332d1d7-9922-11eb-ada3-06f148e29b03
  • EffectiveTransmissionClass: 0
  • aid: 23018dfd996c40c7be9eb77208f731a6
  • timestamp: 1617965961088
  • cid: 1e09935edb764b1d866c260fab34c575

edr.crowdstrike.cannon.dnsrequest

2021-04-09 12:00:59.883 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"DnsResponseType":"2","IP4Records":"52.109.6.26;","ContextThreadId":"23764199475531","aip":"165.225.208.231","CNAMERecords":"prod.roaming1.live.com.akadns.net;us1.roaming1.live.com.akadns.net;","QueryStatus":"0","InterfaceIndex":"0","event_platform":"Win","DualRequest":"1","id":"0f4db7dc-992a-11eb-ae28-024b5e720a59","EffectiveTransmissionClass":"3","FirstIP4Record":"52.109.6.26","timestamp":"1617969148935","event_simpleName":"DnsRequest","ContextTimeStamp":"1617969148.178","ConfigStateHash":"2585295952","ContextProcessId":"747399737494","DomainName":"roaming.officeapps.live.com","RespondingDnsServer":"8.8.8.8","ConfigBuild":"1007.3.0012601.1","DnsRequestCount":"1","Entitlements":"15","name":"DnsRequestV4","aid":"b13e766e56b8456da46a8b54dc4572dd","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"28"}
2021-04-09 12:00:59.905 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"DnsRequest","ContextTimeStamp":"1617969109.156","ConfigStateHash":"2918023209","ContextProcessId":"348733400130856494","DomainName":"surveymonkey.jamfcloud.com","ContextThreadId":"0","aip":"165.225.28.51","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"fa3c9241-9929-11eb-958f-02a40a37d295","EffectiveTransmissionClass":"2","aid":"6986d4f96e1a4a3e92464db44d014c30","timestamp":"1617969113591","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"1"}
2021-04-09 11:55:58.094 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1617968458.301","ConfigStateHash":"2918023209","ContextProcessId":"345903110978295869","DomainName":"xmpp.zhumu.me","ContextThreadId":"0","aip":"165.225.243.35","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"73c01862-9928-11eb-99e9-0248ed9de6c7","EffectiveTransmissionClass":"2","aid":"a42d8f4f1f354bceb2b3762f8e0aecf2","timestamp":"1617968458464","cid":"1e09935edb764b1d866c260fab34c575","RequestType":"1"}

And this is how the logs would be parsed:

Field | Value | Type
eventdate | 2021-04-09 12:00:59.883 | timestamp
aid | b13e766e56b8456da46a8b54dc4572dd | str
aip | 165.225.208.231 | ip
cid | 1e09935edb764b1d866c260fab34c575 | str
event_platform | Win | str
event_simpleName | DnsRequest | str
id | 0f4db7dc-992a-11eb-ae28-024b5e720a59 | str
name | DnsRequestV4 | str
timestamp | 2021-04-09 11:52:28.935 | timestamp
ConfigBuild | 1007.3.0012601.1 | str
ConfigStateHash | 2585295952 | str
ContextProcessId | 747399737494 | str
ContextThreadId | 23764199475531 | str
ContextTimeStamp | 1617969148.178 | str
DomainName | roaming.officeapps.live.com | str
Entitlements | 15 | str
RequestType | 28 | str
DnsResponseType | 2 | str
IP4Records | 52.109.6.26; | str
FirstIP4Record | 52.109.6.26 | str
CNAMERecords | prod.roaming1.live.com.akadns.net;us1.roaming1.live.com.akadns.net; | str
IP6Records | null | str
FirstIP6Record | null | str
QueryStatus | 0 | str
DualRequest | 1 | str
RespondingDnsServer | 8.8.8.8 | str
DnsRequestCount | 1 | str
InterfaceIndex | 0 | str
EffectiveTransmissionClass | 3 | str
BoundingLimitCount | null | str
BoundingLimitDuration | null | str
TreeId | null | str
rawMessage | (the complete original event, listed below) | str
hostchain | collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 | str
tag | edr.crowdstrike.cannon | str

rawMessage holds the complete original event:

  • DnsResponseType: 2
  • IP4Records: 52.109.6.26;
  • ContextThreadId: 23764199475531
  • aip: 165.225.208.231
  • CNAMERecords: prod.roaming1.live.com.akadns.net;us1.roaming1.live.com.akadns.net;
  • QueryStatus: 0
  • InterfaceIndex: 0
  • event_platform: Win
  • DualRequest: 1
  • id: 0f4db7dc-992a-11eb-ae28-024b5e720a59
  • EffectiveTransmissionClass: 3
  • FirstIP4Record: 52.109.6.26
  • timestamp: 1617969148935
  • event_simpleName: DnsRequest
  • ContextTimeStamp: 1617969148.178
  • ConfigStateHash: 2585295952
  • ContextProcessId: 747399737494
  • DomainName: roaming.officeapps.live.com
  • RespondingDnsServer: 8.8.8.8
  • ConfigBuild: 1007.3.0012601.1
  • DnsRequestCount: 1
  • Entitlements: 15
  • name: DnsRequestV4
  • aid: b13e766e56b8456da46a8b54dc4572dd
  • cid: 1e09935edb764b1d866c260fab34c575
  • RequestType: 28

edr.crowdstrike.cannon.endofprocess

2021-04-09 12:44:27.159 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"165.225.208.242","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"74bd0966-992e-11eb-b88a-0642ec650209","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1617971037102","event_simpleName":"EndOfProcess","RawProcessId":"25852","ContextTimeStamp":"1617971036.029","ConfigStateHash":"2918023209","ContextProcessId":"346942520916744874","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","ConfigBuild":"1007.4.0012903.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"346942520916744874","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"fcf145c19b07433593ab0aa2dc4e0d62","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 12:44:27.165 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ScreenshotsTakenCount":"0","ExitCode":"0","ParentProcessId":"601814509485","UserSid":"S-1-12-1-3303541727-1224872305-3705391750-2513421842","NetworkListenCount":"0","SuspiciousRawDiskReadCount":"0","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","ContextData":"","id":"88094ef5-992e-11eb-a3f4-02dbcc0f62f9","NewExecutableWrittenCount":"0","ExeAndServiceCount":"0","NetworkCloseCount":"0","SuspectStackCount":"0","CLICreationCount":"0","UnsignedModuleLoadCount":"0","UserTime":"1093750","event_simpleName":"EndOfProcess","RawProcessId":"59332","ContextTimeStamp":"1617971066.555","AllocateVirtualMemoryCount":"0","ContextProcessId":"601947963853","ServiceEventCount":"0","SnapshotFileOpenCount":"0","RemovableDiskFileWrittenCount":"0","InjectedDllCount":"0","ModuleLoadCount":"64","UserMemoryProtectExecutableCount":"2","NetworkCapableAsepWriteCount":"0","TargetProcessId":"601947963853","DnsRequestCount":"0","ArchiveFileWrittenCount":"0","Entitlements":"15","name":"EndOfProcessV15","ProcessStartTime":"1617971006.346","SetThreadContextCount":"0","SuspiciousCredentialModuleLoadCount":"0","aid":"64d66e62d6f942d887e4b48d7c72b7f0","cid":"1e09935edb764b1d866c260fab34c575","FileDeletedCount":"0","UserMemoryAllocateExecutableCount":"3","DirectoryCreatedCount":"0","NetworkConnectCountUdp":"0","QueueApcCount":"0","ContextThreadId":"39525180845435","aip":"174.114.225.21","SuspiciousFontLoadCount":"0","ConHostId":"60112","NetworkConnectCount":"0","BinaryExecutableWrittenCount":"0","CycleTime":"418479986","event_platform":"Win","ConHostProcessId":"601814509485","PrivilegedProcessHandleCount":"0","MaxThreadCount":"15","ImageSubsystem":"2","GenericFileWrittenCount":"0","EffectiveTransmissionClass":"3","ScriptEngineInvocationCount":"0","RunDllInvocationCount":"0","timestamp":"1617971069478","CreateProcessCount":"0","KernelTime":"937500","DirectoryEnumeratedCount":"0","ConfigStateHash":"2585295952","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","DocumentFileWrittenCount":"0","ProtectVirtualMemoryCount":"0","SHA256HashData":"175337a06386a331f7933c4c5e1b729179a0ce92a385d3f126c871d2976dfbf5","UserMemoryProtectExecutableRemoteCount":"0","ConfigBuild":"1007.3.0012601.1","UserMemoryAllocateExecutableRemoteCount":"0","ExecutableDeletedCount":"0","RegKeySecurityDecreasedCount":"0","InjectedThreadCount":"0","NetworkModuleLoadCount":"0"}
2021-04-09 12:44:27.166 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"174.127.158.149","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"6eb7b400-992e-11eb-bb6f-0243d64bb105","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1617971027001","event_simpleName":"EndOfProcess","RawProcessId":"2358","ContextTimeStamp":"1617971025.963","ConfigStateHash":"2918023209","ContextProcessId":"348891905675500933","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","SHA256HashData":"87477a57c83ce40d53ae865d806f30d437c0b0eba37db244014319db2fb1a934","ConfigBuild":"1007.4.0012903.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"348891905675500933","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"1a630baecc3b48c1b97683a4b72d7590","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field | Value | Type
eventdate | 2021-04-09 12:44:27.159 | timestamp
aid | fcf145c19b07433593ab0aa2dc4e0d62 | str
aip | 165.225.208.242 | ip
cid | 1e09935edb764b1d866c260fab34c575 | str
event_platform | Mac | str
event_simpleName | EndOfProcess | str
id | 74bd0966-992e-11eb-b88a-0642ec650209 | str
name | EndOfProcessMacV15 | str
timestamp | 2021-04-09 12:23:57.102 | timestamp
ActivePrivilegeEscalationCount | null | str
AsepWrittenCount | 0 | str
BinaryExecutableWrittenCount | null | str
CLICreationCount | null | str
ConHostId | null | str
ConfigBuild | 1007.4.0012903.1 | str
ConfigStateHash | 2918023209 | str
ContextProcessId | 346942520916744874 | str
ContextThreadId | 0 | str
ContextTimeStamp | 1617971036.029 | str
CycleTime | null | str
DirectoryCreatedCount | 0 | str
DirectoryEnumeratedCount | null | str
DnsRequestCount | 0 | str
EffectiveTransmissionClass | 3 | str
Entitlements | 15 | str
ExeAndServiceCount | null | str
ExecutableDeletedCount | 0 | str
ExitCode | null | str
FileDeletedCount | 0 | str
InjectedDllCount | null | str
InjectedThreadCount | null | str
KernelTime | null | str
MaxThreadCount | null | str
NamedObjectCount | null | str
NetworkBindCount | 0 | str
NetworkCapableAsepWriteCount | 0 | str
NetworkCloseCount | 0 | str
NetworkConnectCount | 0 | str
NetworkConnectCountUdp | null | str
NetworkListenCount | 0 | str
NetworkRecvAcceptCount | 0 | str
NewExecutableWrittenCount | 0 | str
PrivilegedProcessHandleCount | null | str
RawProcessId | 25852 | str
RegKeySecurityDecreasedCount | null | str
RunDllInvocationCount | null | str
ScriptEngineInvocationCount | null | str
ServiceEventCount | null | str
SHA256HashData | 6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0 | str
SnapshotFileOpenCount | null | str
SuspectStackCount | 0 | str
SuspiciousCredentialModuleLoadCount | null | str
SuspiciousDnsRequestCount | 0 | str
SuspiciousRawDiskReadCount | null | str
TargetProcessId | 346942520916744874 | str
UnsignedModuleLoadCount | null | str
UserMemoryAllocateExecutableCount | null | str
UserMemoryAllocateExecutableRemoteCount | null | str
UserMemoryProtectExecutableCount | null | str
UserMemoryProtectExecutableRemoteCount | null | str
UserSid | null | str
UserTime | null | str
rawMessage | (the complete original event, listed below) | str
hostchain | collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 | str
tag | edr.crowdstrike.cannon | str

rawMessage holds the complete original event:

  • FileDeletedCount: 0
  • DirectoryCreatedCount: 0
  • ContextThreadId: 0
  • aip: 165.225.208.242
  • NetworkConnectCount: 0
  • NetworkListenCount: 0
  • event_platform: Mac
  • NetworkBindCount: 0
  • NetworkRecvAcceptCount: 0
  • id: 74bd0966-992e-11eb-b88a-0642ec650209
  • NewExecutableWrittenCount: 0
  • NetworkCloseCount: 0
  • EffectiveTransmissionClass: 3
  • SuspectStackCount: 0
  • timestamp: 1617971037102
  • event_simpleName: EndOfProcess
  • RawProcessId: 25852
  • ContextTimeStamp: 1617971036.029
  • ConfigStateHash: 2918023209
  • ContextProcessId: 346942520916744874
  • AsepWrittenCount: 0
  • SuspiciousDnsRequestCount: 0
  • SHA256HashData: 6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0
  • ConfigBuild: 1007.4.0012903.1
  • NetworkCapableAsepWriteCount: 0
  • ExecutableDeletedCount: 0
  • TargetProcessId: 346942520916744874
  • DnsRequestCount: 0
  • Entitlements: 15
  • name: EndOfProcessMacV15
  • aid: fcf145c19b07433593ab0aa2dc4e0d62
  • cid: 1e09935edb764b1d866c260fab34c575

edr.crowdstrike.cannon.neighborlistip4

2021-04-09 13:29:00.575 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2918023209","NeighborList":"10-33-BF-8B-EE-99|10.0.0.1|1|1A-51-49-1A-8B-5B|10.0.0.5|0|6C-4A-85-32-F7-98|10.0.0.68|0|6E-AD-C0-FF-B4-B1|10.0.0.75|0|1C-F2-9A-4E-BA-36|10.0.0.177|0|B6-76-12-17-13-55|10.0.0.184|0|F0-EF-86-37-37-2B|10.0.0.193|0|00-80-92-7B-53-6C|10.0.0.198|0|50-02-91-14-E2-A1|10.0.0.226|0|","aip":"174.114.176.83","InterfaceIndex":"6","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"a1e2e9d7-9935-11eb-907f-062688f290d9","EffectiveTransmissionClass":"3","aid":"897ee36f5c714fcb809b1136b1f66c6b","timestamp":"1617974119325","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:29:02.248 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2585295952","NeighborList":"02-50-41-00-00-02|192.168.0.101|0|!!!!UNKNOWN!!!!;02-50-41-00-00-02|192.168.1.96|0|!!!!UNKNOWN!!!!;","aip":"165.225.196.233","InterfaceIndex":"24","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"NeighborListIP4V2","id":"df6f0f4a-9935-11eb-93f7-02cc23bb333b","EffectiveTransmissionClass":"3","aid":"35f4c119c32e48e394104cc6309e1bd3","timestamp":"1617974222584","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:29:03.038 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"NeighborListIP4","ConfigStateHash":"2585295952","NeighborList":"02-50-41-00-00-02|192.168.0.101|0|!!!!UNKNOWN!!!!;02-50-41-00-00-02|192.168.1.96|0|!!!!UNKNOWN!!!!;","aip":"165.225.196.233","InterfaceIndex":"24","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"NeighborListIP4V2","id":"1e275db5-9936-11eb-93f8-02cc23bb333b","EffectiveTransmissionClass":"3","aid":"35f4c119c32e48e394104cc6309e1bd3","timestamp":"1617974327811","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field

Value

Type

Extra fields

eventdate

2021-04-09 13:29:00.575

timestamp


aid

897ee36f5c714fcb809b1136b1f66c6b

str


aip

174.114.176.83

ip


cid

1e09935edb764b1d866c260fab34c575

str


event_platform

Mac

str


event_simpleName

NeighborListIP4

str


id

a1e2e9d7-9935-11eb-907f-062688f290d9

str


name

NeighborListIP4MacV1

str


timestamp

2021-04-09 13:15:19.325

timestamp


ConfigBuild

1007.4.0012903.1

str


ConfigStateHash

2918023209

str


EffectiveTransmissionClass

3

str


Entitlements

15

str


InterfaceIndex

6

str


NeighborList

10-33-BF-8B-EE-99|10.0.0.1|1|1A-51-49-1A-8B-5B|10.0.0.5|0|6C-4A-85-32-F7-98|10.0.0.68|0|6E-AD-C0-FF-B4-B1|10.0.0.75|0|1C-F2-9A-4E-BA-36|10.0.0.177|0|B6-76-12-17-13-55|10.0.0.184|0|F0-EF-86-37-37-2B|10.0.0.193|0|00-80-92-7B-53-6C|10.0.0.198|0|50-02-91-14-E2-A1|10.0.0.226|0|

str


rawMessage

  • event_simpleName: NeighborListIP4

  • ConfigStateHash: 2918023209

  • NeighborList: 10-33-BF-8B-EE-99|10.0.0.1|1|1A-51-49-1A-8B-5B|10.0.0.5|0|6C-4A-85-32-F7-98|10.0.0.68|0|6E-AD-C0-FF-B4-B1|10.0.0.75|0|1C-F2-9A-4E-BA-36|10.0.0.177|0|B6-76-12-17-13-55|10.0.0.184|0|F0-EF-86-37-37-2B|10.0.0.193|0|00-80-92-7B-53-6C|10.0.0.198|0|50-02-91-14-E2-A1|10.0.0.226|0|

  • aip: 174.114.176.83

  • InterfaceIndex: 6

  • ConfigBuild: 1007.4.0012903.1

  • event_platform: Mac

  • Entitlements: 15

  • name: NeighborListIP4MacV1

  • id: a1e2e9d7-9935-11eb-907f-062688f290d9

  • EffectiveTransmissionClass: 3

  • aid: 897ee36f5c714fcb809b1136b1f66c6b

  • timestamp: 1617974119325

  • cid: 1e09935edb764b1d866c260fab34c575

str


tag

edr.crowdstrike.cannon

str

hostchain

collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33

str

edr.crowdstrike.cannon.networkconnectip4

2021-04-09 13:53:57.459 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"192.168.0.150","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975663.670","ConfigStateHash":"2585295952","ConnectionFlags":"0","ContextProcessId":"738719739861","RemotePort":"443","aip":"37.228.234.51","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","LocalPort":"59031","Entitlements":"15","name":"NetworkConnectIP4V5","id":"3a509a99-9939-11eb-a2f8-067e88e19e01","Protocol":"6","EffectiveTransmissionClass":"3","aid":"3abcbd5723e54e978874c27cde6bd35e","RemoteAddressIP4":"20.190.160.68","ConnectionDirection":"0","InContext":"0","timestamp":"1617975663547","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:53:57.468 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"127.0.0.1","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975649.557","ConfigStateHash":"2585295952","ConnectionFlags":"0","ContextProcessId":"571318780276","RemotePort":"52644","aip":"165.225.208.234","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","LocalPort":"61803","Entitlements":"15","name":"NetworkConnectIP4V5","id":"24272bf4-9939-11eb-adf6-067d20a67ffd","Protocol":"6","EffectiveTransmissionClass":"3","aid":"a0f9198183664268858d5fbb8535758a","RemoteAddressIP4":"127.0.0.1","ConnectionDirection":"0","InContext":"0","timestamp":"1617975626366","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:53:57.477 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1617975615.295","ConfigStateHash":"381236269","ConnectionFlags":"0","ContextProcessId":"348898307322358355","RemotePort":"443","aip":"165.225.243.10","ConfigBuild":"1007.4.0013402.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV5","id":"1d52f922-9939-11eb-9785-061eb7460571","Protocol":"6","EffectiveTransmissionClass":"3","aid":"9851078f4c6c4a2ba574138202e402ed","RemoteAddressIP4":"35.174.189.228","ConnectionDirection":"0","InContext":"0","timestamp":"1617975614909","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field

Value

Type

Extra fields

eventdate

2021-04-09 13:53:57.459

timestamp


aid

3abcbd5723e54e978874c27cde6bd35e

str


aip

37.228.234.51

ip


cid

1e09935edb764b1d866c260fab34c575

str


event_platform

Win

str


event_simpleName

NetworkConnectIP4

str


id

3a509a99-9939-11eb-a2f8-067e88e19e01

str


name

NetworkConnectIP4V5

str


timestamp

2021-04-09 13:41:03.547

timestamp


ConfigBuild

1007.3.0012601.1

str


ConfigStateHash

2585295952

str


ConnectionDirection

0

str


ConnectionFlags

0

str


ContextProcessId

738719739861

str


ContextTimeStamp

1617975663.67

str


Entitlements

15

str


InContext

0

str


LocalAddressIP4

192.168.0.150

ip


LocalPort

59031

str


Protocol

6

str


EffectiveTransmissionClass

3

str


RemoteAddressIP4

20.190.160.68

ip


RemotePort

443

str


rawMessage

  • LocalAddressIP4: 192.168.0.150

  • event_simpleName: NetworkConnectIP4

  • ContextTimeStamp: 1617975663.670

  • ConfigStateHash: 2585295952

  • ConnectionFlags: 0

  • ContextProcessId: 738719739861

  • RemotePort: 443

  • aip: 37.228.234.51

  • ConfigBuild: 1007.3.0012601.1

  • event_platform: Win

  • LocalPort: 59031

  • Entitlements: 15

  • name: NetworkConnectIP4V5

  • id: 3a509a99-9939-11eb-a2f8-067e88e19e01

  • Protocol: 6

  • EffectiveTransmissionClass: 3

  • aid: 3abcbd5723e54e978874c27cde6bd35e

  • RemoteAddressIP4: 20.190.160.68

  • ConnectionDirection: 0

  • InContext: 0

  • timestamp: 1617975663547

  • cid: 1e09935edb764b1d866c260fab34c575

str


tag

edr.crowdstrike.cannon

str

hostchain

collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205

str

edr.crowdstrike.cannon.other

2021-04-09 13:05:38.268 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"Size":"14200","ContextThreadId":"1176882223876","MinorFunction":"0","aip":"98.207.239.141","IsOnNetwork":"0","FileIdentifier":"bc707c55ebfb3b418c23a5dd4fe9960f57f5040000000a00","event_platform":"Win","TokenType":"1","id":"b2c60095-9932-11eb-ae87-02c522068d43","FileObject":"18446679257958897152","EffectiveTransmissionClass":"3","timestamp":"1617972859166","event_simpleName":"PeFileWritten","ContextTimeStamp":"1617941033.926","UserName":"SM-PC1NTZHY$","ConfigStateHash":"3041407854","IsTransactedFile":"0","ContextProcessId":"43047570327","IrpFlags":"1028","SHA256HashData":"167ff65a1079c3374b280588c2069b47387c02a3bb266ce0f0036d1e351bad37","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","FileEcpBitmask":"0","MajorFunction":"18","IsOnRemovableDisk":"0","Entitlements":"15","name":"PeFileWrittenV14","OperationFlags":"0","aid":"5e09cf6af2fa44dbad70bf817899311e","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.0.6.15\\api-ms-win-core-file-l1-1-0.dll"}
2021-04-09 13:05:38.273 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"RegisterRawInputDevicesEtw","ContextTimeStamp":"1617972872.520","ConfigStateHash":"3608611488","EtwRawProcessId":"21908","ContextProcessId":"410758879045","aip":"165.225.209.6","EtwRawThreadId":"10288","ApiReturnValue":"1","ConfigBuild":"1007.3.0012601.1","event_platform":"Win","Entitlements":"15","name":"RegisterRawInputDevicesEtwV1","id":"aa83b494-9932-11eb-9c80-02f3347e1ad9","EffectiveTransmissionClass":"3","aid":"40d54d290fb249d4874cfd957e3c2aed","timestamp":"1617972845310","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:05:38.277 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1617972841.216","GID":"0","ConfigStateHash":"2918023209","ContextProcessId":"348895714920688441","ContextThreadId":"0","aip":"86.92.111.243","Flags":"0","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"a83fe846-9932-11eb-aa4a-060a1b49bf57","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"1eac0bb9d8af42d498a529a0d140e2a2","TargetDirectoryName":"/private/var/folders/zb/lqtsq__s16z9wylcqvbkkj800000gn/C/com.apple.metadata.mdworker/12364.30906","timestamp":"1617972841510","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"/private/var/folders/zb/lqtsq__s16z9wylcqvbkkj800000gn/C/com.apple.metadata.mdworker/12364.30906"}
2021-04-30 07:50:48.727 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1619768064.491","GID":"0","ConfigStateHash":"3311018198","ContextProcessId":"352122003008913860","ContextThreadId":"0","aip":"165.225.243.20","Flags":"0","ConfigBuild":"1007.4.0013402.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"7c8bedd3-a986-11eb-b656-063c6f51de7d","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"bb4cdf98dfc543358d044639f5d3fe19","TargetDirectoryName":"/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868","timestamp":"1619768064518","cid":"1e09935edb764b1d866c260fab34c575","TargetFileName":"/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868"}

And this is how the logs would be parsed:

Field

Value

Type

Extra fields

eventdate

2021-04-30 09:50:48.727

timestamp


aid

bb4cdf98dfc543358d044639f5d3fe19

str


aip

165.225.243.20

str


cid

1e09935edb764b1d866c260fab34c575

str


event_platform

Mac

str


event_simpleName

DirectoryCreate

str


UserPrincipal

null

str


id

7c8bedd3-a986-11eb-b656-063c6f51de7d

str


name

DirectoryCreateMacV1

str


timestamp

2021-04-30 09:34:24.518

timestamp


PhysicalAddress

null

str


IrpFlags

null

str


SHA256HashData

null

str


AuthenticationId

null

str


FileWrittenFlags

null

str


ConfigBuild

1007.4.0013402.1

str


FileEcpBitmask

null

str


MajorFunction

null

str


IsOnRemovableDisk

null

str


Entitlements

15

str


OperationFlags

null

str


TargetFileName

/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

str


LogonType

null

str


ConfigStateHash

3311018198

str


ContextProcessId

352122003008913860

str


ContextThreadId

0

str


ContextTimeStamp

2021-04-30 09:34:24.491

timestamp


EffectiveTransmissionClass

2

str


Flags

0

str


GID

0

str


TargetDirectoryName

/private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

str


UID

0

str


UnixMode

0

str


VnodeType

2

str


message

  • event_simpleName: DirectoryCreate

  • ContextTimeStamp: 1619768064.491

  • GID: 0

  • ConfigStateHash: 3311018198

  • ContextProcessId: 352122003008913860

  • ContextThreadId: 0

  • aip: 165.225.243.20

  • Flags: 0

  • ConfigBuild: 1007.4.0013402.1

  • UID: 0

  • event_platform: Mac

  • UnixMode: 0

  • Entitlements: 15

  • name: DirectoryCreateMacV1

  • id: 7c8bedd3-a986-11eb-b656-063c6f51de7d

  • VnodeType: 2

  • EffectiveTransmissionClass: 2

  • aid: bb4cdf98dfc543358d044639f5d3fe19

  • TargetDirectoryName: /private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

  • timestamp: 1619768064518

  • cid: 1e09935edb764b1d866c260fab34c575

  • TargetFileName: /private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

str


rawMessage


  • event_simpleName: DirectoryCreate

  • ContextTimeStamp: 1619768064.491

  • GID: 0

  • ConfigStateHash: 3311018198

  • ContextProcessId: 352122003008913860

  • ContextThreadId: 0

  • aip: 165.225.243.20

  • Flags: 0

  • ConfigBuild: 1007.4.0013402.1

  • UID: 0

  • event_platform: Mac

  • UnixMode: 0

  • Entitlements: 15

  • name: DirectoryCreateMacV1

  • id: 7c8bedd3-a986-11eb-b656-063c6f51de7d

  • VnodeType: 2

  • EffectiveTransmissionClass: 2

  • aid: bb4cdf98dfc543358d044639f5d3fe19

  • TargetDirectoryName: /private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

  • timestamp: 1619768064518

  • cid: 1e09935edb764b1d866c260fab34c575

  • TargetFileName: /private/var/folders/qp/l_y7_2ln3v1076g6ntskw3fwytdbrx/T/com.apple.metadata.mdworker/82188.957868

str


hostchain

collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29

str

tag

edr.crowdstrike.cannon

str

edr.crowdstrike.cannon.processrollup2

2021-04-09 14:17:26.739 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"348898968328545355","SourceProcessId":"348898968328545355","aip":"162.224.86.2","SessionProcessId":"348898968328545355","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"auditd","id":"549abc55-993c-11eb-b676-02f31117c8fd","EffectiveTransmissionClass":"2","Tags":"341, 12094627905582, 12094627906234","timestamp":"1617976996144","ProcessGroupId":"348898968328545355","event_simpleName":"ProcessRollup2","RawProcessId":"9059","GID":"0","ConfigStateHash":"2918023209","SVGID":"0","MD5HashData":"4650ee728313c95bf7af51301de50c5d","SHA256HashData":"a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece","ConfigBuild":"1007.4.0012903.1","UID":"0","CommandLine":"/bin/sh /etc/security/audit_warn closefile /var/audit/20210409140316.20210409140316","TargetProcessId":"348904428165227517","ImageFileName":"/bin/sh","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1617976996.129","aid":"c1bd5ddf99cd43479774291721c02f7e","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:17:26.747 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"ProcessCreateFlags":"12","IntegrityLevel":"16384","ParentProcessId":"154862993023","SourceProcessId":"154862993023","aip":"165.225.242.251","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-18","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"SearchIndexer.exe","ImageSubsystem":"3","id":"5b14f076-993c-11eb-b80c-06737e649339","EffectiveTransmissionClass":"3","SessionId":"0","Tags":"12094627905582, 12094627906234","timestamp":"1617977007011","event_simpleName":"ProcessRollup2","RawProcessId":"26644","ConfigStateHash":"2585295952","MD5HashData":"d4c0c10590da99309e3c36e66f99ee60","SHA256HashData":"dfe51b0739ed161f69afbb736460ebb7dd37372ff0659cbc20f4a9c850fbcc8c","ProcessSxsFlags":"64","AuthenticationId":"999","ConfigBuild":"1007.3.0012601.1","CommandLine":"\"C:\\WINDOWS\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe708_ Global\\UsGthrCtrlFltPipeMssGthrPipe708 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ","ParentAuthenticationId":"999","TargetProcessId":"189978486187","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\SearchProtocolHost.exe","SourceThreadId":"6177925955139","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1617977006.575","ProcessParameterFlags":"24577","aid":"c67fd29871894b1d993e4b9b57c96583","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:17:26.750 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 edr.crowdstrike.cannon: {"WindowTitle":"C:\\WINDOWS\\system32\\net.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"8192","ParentProcessId":"1904245799874","SourceProcessId":"1904245799874","aip":"174.114.192.36","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-2969236542-3715907981-188815748-37132","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"Duo Device Health.exe","ImageSubsystem":"3","id":"67d6a08e-993c-11eb-a5e7-0699e0aa9677","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 12094627905582, 12094627906234, 211381110440233, 237494511599633","timestamp":"1617977028413","event_simpleName":"ProcessRollup2","RawProcessId":"25524","ConfigStateHash":"2585295952","MD5HashData":"31890a7de89936f922d44d677f681a7f","SHA256HashData":"7c4c7725e266f12aba8c50fd1598d4001201bca0e7aca901508307e365afff42","ProcessSxsFlags":"64","AuthenticationId":"8011425","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0012601.1","WindowFlags":"256","CommandLine":"\"net\" accounts","ParentAuthenticationId":"8011425","TargetProcessId":"1997820221753","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\net.exe","SourceThreadId":"78850645569265","CallStackModuleNames":"0<-1>\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll+0x9e504:0x1f5000:0x60a6ca36|\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll+0x11739:0x59000:0xafef9bb9|1+0x10f10|1+0x901a|\\Device\\HarddiskVolume3\\Windows\\System32\\wow64cpu.dll+0x17c3:0xa000:0x378bc3cd|4+0x11b9|1+0x38c9|1+0x32bd|0+0x74f89|0+0x74b73|0+0x74b1e|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\ntdll.dll+0x7381c:0x1a3000:0xa9ac4e88|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\KernelBase.dll+0xfe73e:0x214000:0xb610d74d|12+0xfda4c|\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\258d4259dd4377d917679ad4b058966e\\System.ni.dll+0x23cc02:0xa55000:0x5f7e6395|14+0x1aaaa4|14+0x1aa39c|[HEAP:4:RWX-:JIT-DOTNET::0x6efc000]+0x6efc6b4|17+0x505|17+0x36e|17+0x2e6|\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\218db16dceaef380c6daf35c6a48f313\\mscorlib.ni.dll+0x4af0c2:0x140e000:0x5f7e60f6|21+0x3f8537|21+0x4aefff|21+0x4aee73|21+0x4aecd7|21+0x4aeb92|\\Device\\HarddiskVolume3\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll+0xf036:0x7b0000:0x5f7e61bb|27+0x122da|27+0x1859b|27+0x1c0d73|27+0x1be1e6|27+0x1be271|27+0x1be162|27+0x1be351|27+0x1c0d0e|27+0x1c0c72|27+0x1c0956|27+0x1bec23|27+0xd4bb7|\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\kernel32.dll+0x1fa29:0xf0000:0x7c5a840a|11+0x67c7e|11+0x67c4e","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1617977027.758","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"2bf4bbf2ed9640fda00a420fb32d8010","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-30 08:13:31.932 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 edr.crowdstrike.cannon: {"MachOSubType":"1","ParentProcessId":"352351680691546742","SourceProcessId":"352351680691546742","aip":"165.225.242.251","SessionProcessId":"352351680691546742","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"auditd","id":"5d8acde7-a988-11eb-902b-02858566b481","EffectiveTransmissionClass":"2","Tags":"341, 12094627905582, 12094627906234","timestamp":"1619768871495","ProcessGroupId":"352351680691546742","event_simpleName":"ProcessRollup2","RawProcessId":"88976","GID":"0","ConfigStateHash":"3311018198","SVGID":"0","MD5HashData":"4650ee728313c95bf7af51301de50c5d","SHA256HashData":"a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece","ConfigBuild":"1007.4.0013402.1","UID":"0","CommandLine":"/bin/sh /etc/security/audit_warn expired /var/audit/20210430073143.20210430073143","TargetProcessId":"352662252720926336","ImageFileName":"/bin/sh","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1619768871.463","aid":"4070e2439eae4397a3f8f31e11f4e5fb","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field

Value

Type

Source field name

Field transformation

Extra fields

eventdate

2021-04-30 10:13:31.932



timestamp




aid

4070e2439eae4397a3f8f31e11f4e5fb

str




aip

165.225.242.251

ip




cid

1e09935edb764b1d866c260fab34c575

str




event_platform

Mac

str




event_simpleName

ProcessRollup2

str




id

5d8acde7-a988-11eb-902b-02858566b481



str




name

ProcessRollup2MacV5

str




timestamp

2021-04-30 09:47:51.495

timestamp




LinkName

null

str




AuthenticationId

null

str




CommandLine

/bin/sh /etc/security/audit_warn expired /var/audit/20210430073143.20210430073143

str




ConfigBuild

1007.4.0013402.1

str




ConfigStateHash

3311018198

str




EffectiveTransmissionClass

2

str




Entitlements

15

str




FullFilePath

/bin/sh

str

ImageFileName



FilePath

/bin/

str


FilePath = ifthenelse(event_platform="Win",
    peek(FullFilePath, re("^(.*\\\\).*$"), 1),
    peek(FullFilePath, re("^(.*\\/).*$"), 1));



ComputerName

null

str


ComputerName = ifthenelse(event_platform="Win",
    peek(FullFilePath, re("\\\\([^\\\\]+)\\\\.*$"), 1),
    null);



UserName

null

str


UserName = ifthenelse(event_platform="Win" and FullFilePath->"Users",
    peek(FullFilePath, re("Users\\\\([^\\\\]+)\\\\.*$"), 1),
    null);



FileName

sh

str


FileName = ifthenelse(event_platform="Win",
    peek(FullFilePath, re("^.*\\\\(.*)$"), 1),
    peek(FullFilePath, re("^.*\\/(.*)$"), 1));



ImageFileName

/bin/sh

str




ImageSubsystem

null

str




IntegrityLevel

null

str




MD5HashData

4650ee728313c95bf7af51301de50c5d

str




ParentAuthenticationId

null

str




ParentProcessId

352351680691546750

str




ProcessCreateFlags

null

str




ProcessEndTime


str




ProcessParameterFlags

null

str




ProcessStartTime

1619768871.463

str




ProcessSxsFlags

null

str




RawProcessId

88976

str




SHA1HashData

0000000000000000000000000000000000000000

str




SHA256HashData

a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece

str




SourceProcessId

352351680691546750

str




SourceThreadId

0

str




TargetProcessId

352662252720926340

str




TokenType

null

str




UserSid

null

str




ParentBaseFileName

auditd

str




GrandParentBaseFileName

null

str




UID

0

str




RGID

0

str




RUID

0

str




GID

0

str




MachOSubType

1

str




ProcessGroupId

352351680691546750

str




SessionProcessId

352351680691546750

str




SVGID

0

str




SVUID

0

str




Tags

341, 12094627905582, 12094627906234

str


rawMessage

  • MachOSubType: 1

  • ParentProcessId: 348898968328545355

  • SourceProcessId: 348898968328545355

  • aip: 162.224.86.2

  • SessionProcessId: 348898968328545355

  • SHA1HashData: 0000000000000000000000000000000000000000

  • event_platform: Mac

  • ProcessEndTime:

  • SVUID: 0

  • ParentBaseFileName: auditd

  • id: 549abc55-993c-11eb-b676-02f31117c8fd

  • EffectiveTransmissionClass: 2

  • Tags: 341, 12094627905582, 12094627906234

  • timestamp: 1617976996144

  • ProcessGroupId: 348898968328545355

  • event_simpleName: ProcessRollup2

  • RawProcessId: 9059

  • GID: 0

  • ConfigStateHash: 2918023209

  • SVGID: 0

  • MD5HashData: 4650ee728313c95bf7af51301de50c5d

  • SHA256HashData: a48f208b7aef042ddee399e274c00604973658319466b7fe8cf7c1fe55c6dece

  • ConfigBuild: 1007.4.0012903.1

  • UID: 0

  • CommandLine: /bin/sh /etc/security/audit_warn closefile /var/audit/20210409140316.20210409140316

  • TargetProcessId: 348904428165227517

  • ImageFileName: /bin/sh

  • RGID: 0

  • SourceThreadId: 0

  • Entitlements: 15

  • name: ProcessRollup2MacV5

  • RUID: 0

  • ProcessStartTime: 1617976996.129

  • aid: c1bd5ddf99cd43479774291721c02f7e

  • cid: 1e09935edb764b1d866c260fab34c575

str




hostchain

collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205

str



tag

edr.crowdstrike.cannon

str
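The FilePath, ComputerName, UserName and FileName expressions in the table above are Devo transformations applied to FullFilePath. The following is an added Python port (not Devo's or CrowdStrike's code) that also splits a raw edr.crowdstrike.cannon line into its eventdate, hostchain and tag columns and routes the record to its subtable. It assumes the single-space line layout shown in the samples, a routing rule of lower-casing event_simpleName (anything not in the table list goes to .other), and shortened sample lines constructed from the samples on this page.

```python
"""Added example, not Devo's or CrowdStrike's code: split a raw
edr.crowdstrike.cannon line into eventdate/hostchain/tag/JSON, route it to its
subtable, and port the FilePath/ComputerName/UserName/FileName transformations."""
import json
import re
from datetime import datetime, timezone

# Raw line layout as in the samples above (assumption: single-space separated).
_LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<tag>edr\.crowdstrike\.cannon): (?P<body>\{.*\})$"
)

# Subtables listed in the introduction. Assumption: a record is routed by
# lower-casing event_simpleName; any other event type lands in '.other'.
_SUBTABLES = {
    "asepvalueupdate", "channelversionrequired", "dnsrequest", "endofprocess", "neighborlistip4",
    "networkconnectip4", "processrollup2", "processrollup2stats", "sensorheartbeat", "syntheticprocessrollup2",
}

# Ports of the page's peek() regexes ('\\\\' in a Devo string literal is one regex '\').
_WIN_DIR = re.compile(r"^(.*\\).*$")             # FilePath (Win)
_WIN_BASE = re.compile(r"^.*\\(.*)$")            # FileName (Win)
_WIN_FIRST = re.compile(r"\\([^\\]+)\\.*$")      # ComputerName (Win)
_WIN_USER = re.compile(r"Users\\([^\\]+)\\.*$")  # UserName (Win)
_NIX_DIR = re.compile(r"^(.*/).*$")              # FilePath (Mac)
_NIX_BASE = re.compile(r"^.*/(.*)$")             # FileName (Mac)


def peek(value, pattern):
    """Devo peek(str, re, 1): group 1 of the first match, else None."""
    m = pattern.search(value) if value is not None else None
    return m.group(1) if m else None


def derive_path_fields(platform, full_file_path):
    """FilePath, ComputerName, UserName, FileName as the transformation column
    computes them from FullFilePath; the 'else' branches are null on Mac."""
    if platform == "Win":
        return {
            "FilePath": peek(full_file_path, _WIN_DIR),
            # On a \Device\HarddiskVolumeN\... path this yields the first component.
            "ComputerName": peek(full_file_path, _WIN_FIRST),
            # FullFilePath->"Users" is Devo's 'contains'.
            "UserName": peek(full_file_path, _WIN_USER)
            if full_file_path and "Users" in full_file_path else None,
            "FileName": peek(full_file_path, _WIN_BASE),
        }
    return {"FilePath": peek(full_file_path, _NIX_DIR), "ComputerName": None,
            "UserName": None, "FileName": peek(full_file_path, _NIX_BASE)}


def epoch_ms_to_text(ms):
    """Render the epoch-millisecond 'timestamp' field in UTC, as the timestamp
    column of the neighborlistip4 table above shows it."""
    ms = int(ms)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{ms % 1000:03d}"


def parse_cannon_line(line):
    """One raw line -> its parsed columns plus the subtable it is routed to."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an edr.crowdstrike.cannon line")
    raw = json.loads(m.group("body"))
    simple = raw.get("event_simpleName", "")
    suffix = simple.lower() if simple.lower() in _SUBTABLES else "other"
    row = {
        "eventdate": m.group("eventdate"),
        "hostchain": m.group("hostchain"),
        "tag": m.group("tag"),
        "table": f"edr.crowdstrike.cannon.{suffix}",
        "timestamp": epoch_ms_to_text(raw["timestamp"]),
        "rawMessage": raw,
    }
    if simple == "ProcessRollup2":
        # 'Source field name' column: FullFilePath is taken from ImageFileName.
        row["FullFilePath"] = raw.get("ImageFileName")
        row.update(derive_path_fields(raw.get("event_platform"), row["FullFilePath"]))
    return row


# Constructed sample lines: shortened copies of samples above, keeping only the fields read here.
SAMPLE_MAC = (
    "2021-04-30 08:13:31.932 collector-44434356e7daa251-7bf889b647-bbstk=54.86.233.29 "
    'edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2","event_platform":"Mac",'
    '"ImageFileName":"/bin/sh","timestamp":"1619768871495"}'
)
SAMPLE_WIN = (
    "2021-04-09 14:17:26.747 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 "
    'edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2","event_platform":"Win",'
    '"ImageFileName":"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\SearchProtocolHost.exe",'
    '"timestamp":"1617977007011"}'
)
SAMPLE_OTHER = (
    "2021-04-09 13:05:38.277 collector-44434356e7daa251-7b58fc79c5-gws4q=54.164.90.205 "
    'edr.crowdstrike.cannon: {"event_simpleName":"DirectoryCreate","timestamp":"1617972841510"}'
)
```

Note that the ComputerName expression, applied to a \Device\HarddiskVolumeN\... image path as in the Windows samples, returns the first path component rather than a host name, so the port reproduces that result as-is.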



edr.crowdstrike.cannon.processrollup2stats

2021-04-09 13:50:47.398 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2918023209","Timeout":"600","aip":"165.225.208.236","SHA256HashData":"87e561f9ebfde647eaf39939642c5a51932a8bfa441a366c6c3d81ff011cdc05","ProcessCount":"2","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"launchctl enable system/com.kace.patching-asus","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"cb086e20-9937-11eb-ba3d-06fef92fe9dd","EffectiveTransmissionClass":"2","aid":"8068046df4a6490987f0089b526a4667","timestamp":"1617975047351","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:50:47.415 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"381236269","Timeout":"600","aip":"165.225.243.10","SHA256HashData":"b0e1fa302c1fa8ab3626f0bd3771a2252a4590257fa928a8f88402051004916e","ProcessCount":"11","ConfigBuild":"1007.4.0013402.1","UID":"0","event_platform":"Mac","CommandLine":"/sbin/route delete -net 10.3.0.0/19 -ifp utun2","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"c62a6a94-9937-11eb-9784-061eb7460571","EffectiveTransmissionClass":"2","aid":"9851078f4c6c4a2ba574138202e402ed","timestamp":"1617975039185","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 13:50:47.436 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2918023209","Timeout":"600","aip":"165.225.28.45","SHA256HashData":"96f73ca8a47bf31bbcb48f1bc2bd73e76f6f63417be67b9adc0eb9733c657a34","ProcessCount":"4","ConfigBuild":"1007.4.0012903.1","UID":"0","event_platform":"Mac","CommandLine":"/usr/sbin/networksetup -listallnetworkservices","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"aa24425b-9937-11eb-97ad-023f0be97253","EffectiveTransmissionClass":"2","aid":"42a912472bdb4ed792b6a08994696e89","timestamp":"1617974992168","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field

Value

Type

Extra fields

eventdate

2021-04-09 13:50:47.398

timestamp


aid

8068046df4a6490987f0089b526a4667

str


aip

165.225.208.236

ip


cid

1e09935edb764b1d866c260fab34c575

str


event_platform

Mac

str


event_simpleName

ProcessRollup2Stats

str


id

cb086e20-9937-11eb-ba3d-06fef92fe9dd

str


name

ProcessRollup2StatsMacV1

str


timestamp

2021-04-09 13:30:47.351

timestamp


CommandLine

launchctl enable system/com.kace.patching-asus

str


ConfigBuild

1007.4.0012903.1

str


ConfigStateHash

2918023209

str


Entitlements

15

str


ProcessCount

2

str


SHA256HashData

87e561f9ebfde647eaf39939642c5a51932a8bfa441a366c6c3d81ff011cdc05

str


Timeout

600

str


UID

0

str


EffectiveTransmissionClass

2

str


rawMessage

  • event_simpleName: ProcessRollup2Stats

  • ConfigStateHash: 2918023209

  • Timeout: 600

  • aip: 165.225.208.236

  • SHA256HashData: 87e561f9ebfde647eaf39939642c5a51932a8bfa441a366c6c3d81ff011cdc05

  • ProcessCount: 2

  • ConfigBuild: 1007.4.0012903.1

  • UID: 0

  • event_platform: Mac

  • CommandLine: launchctl enable system/com.kace.patching-asus

  • Entitlements: 15

  • name: ProcessRollup2StatsMacV1

  • id: cb086e20-9937-11eb-ba3d-06fef92fe9dd

  • EffectiveTransmissionClass: 2

  • aid: 8068046df4a6490987f0089b526a4667

  • timestamp: 1617975047351

  • cid: 1e09935edb764b1d866c260fab34c575

str


hostchain

collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33

str

tag

edr.crowdstrike.cannon

str

edr.crowdstrike.cannon.sensorheartbeat

2021-04-09 14:56:41.491 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"165.225.60.238","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c9aa366d-9941-11eb-8244-060987fb5de7","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"5aea9aa9268f4812b9b24587eed349e3","ProvisionState":"1","timestamp":"1617979340023","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:56:41.653 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"165.225.209.8","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c11350f7-9941-11eb-839d-02f1fd9362ab","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"f4090914bbe94f4a8c57ca41d42b4c05","ProvisionState":"1","timestamp":"1617979325612","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 14:56:41.756 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SensorHeartbeat","ConfigStateHash":"2918023209","NetworkContainmentState":"0","aip":"188.214.13.174","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"c6e8bdb2-9941-11eb-acca-06b912d7ff79","ConfigIDBuild":"12903","EffectiveTransmissionClass":"0","aid":"9caeadd3386c480a82e39a519a33e538","ProvisionState":"1","timestamp":"1617979335399","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the logs would be parsed:

Field

Value

Type

Extra fields

eventdate

2021-04-09 16:56:41.756

timestamp


aid

9caeadd3386c480a82e39a519a33e538

str


aip

188.214.13.174

ip


cid

1e09935edb764b1d866c260fab34c575

str


event_platform

Mac

str


event_simpleName

SensorHeartbeat

str


id

c6e8bdb2-9941-11eb-acca-06b912d7ff79

str


name

SensorHeartbeatMacV4

str


timestamp

2021-04-09 16:42:15.399

timestamp


ConfigBuild

1007.4.0012903.1

str


ConfigIDBase

65994753

str


ConfigIDBuild

12903

str


ConfigIDPlatform

4

str


ConfigStateHash

2918023209

str


ConfigurationVersion

10

str


EffectiveTransmissionClass

0

str


Entitlements

15

str


NetworkContainmentState

0

str


ProvisionState

1

str


SensorStateBitMap

0

str


rawMessage

  • event_simpleName: SensorHeartbeat

  • ConfigStateHash: 2918023209

  • NetworkContainmentState: 0

  • aip: 188.214.13.174

  • ConfigIDBase: 65994753

  • SensorStateBitMap: 0

  • ConfigBuild: 1007.4.0012903.1

  • event_platform: Mac

  • ConfigurationVersion: 10

  • Entitlements: 15

  • name: SensorHeartbeatMacV4

  • ConfigIDPlatform: 4

  • id: c6e8bdb2-9941-11eb-acca-06b912d7ff79

  • ConfigIDBuild: 12903

  • EffectiveTransmissionClass: 0

  • aid: 9caeadd3386c480a82e39a519a33e538

  • ProvisionState: 1

  • timestamp: 1617979335399

  • cid: 1e09935edb764b1d866c260fab34c575

str


hostchain

collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33

str

tag

edr.crowdstrike.cannon

str

edr.crowdstrike.cannon.syntheticprocessrollup2

2021-04-09 15:29:53.739 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"ParentProcessId":"348913391379184902","SourceProcessId":"348913402982727632","aip":"165.225.208.240","SessionProcessId":"348913403033059284","SyntheticPR2Flags":"0","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","SVUID":"502","id":"f7814f69-9946-11eb-813f-02dd1444b789","EffectiveTransmissionClass":"2","timestamp":"1617981564413","ProcessGroupId":"19303","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"19303","ContextTimeStamp":"1617981561.971","GID":"20","ConfigStateHash":"3423515459","SVGID":"20","MD5HashData":"e349d56d32d945fa83016fb1c2eab2dc","SHA256HashData":"dafa7f54a389749a01a055ad06b09db173444efc9dfb03372f50c35721ec1c34","ConfigBuild":"1007.4.0012903.1","UID":"502","CommandLine":"/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/AssetCacheProfilePlugin.xpc/Contents/MacOS/AssetCacheProfilePlugin","TargetProcessId":"348913403033059284","ImageFileName":"/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/AssetCacheProfilePlugin.xpc/Contents/MacOS/AssetCacheProfilePlugin","RGID":"20","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","ProcessStartTime":"1617711031.533","RUID":"502","aid":"40ff6a1125e04b97acd62fe5695f2323","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 15:29:53.745 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SyntheticProcessRollup2","RawProcessId":"4295055690","ContextTimeStamp":"1617981533.454","ConfigStateHash":"2918023209","ParentProcessId":"140318733482848","aip":"165.225.208.230","SyntheticPR2Flags":"16","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","TargetProcessId":"347573425717557760","ImageFileName":"/Applications/Visual Studio Code.app/Contents/MacOS/Electron","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","id":"e5147002-9946-11eb-ac8a-06a67b76f98b","EffectiveTransmissionClass":"2","aid":"9b3304117aa4471a95a4855698751b4d","timestamp":"1617981533501","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-09 15:29:53.792 collector-44434356e7daa251-7b58fc79c5-h295q=34.201.113.33 edr.crowdstrike.cannon: {"event_simpleName":"SyntheticProcessRollup2","RawProcessId":"4294991750","ContextTimeStamp":"1617981532.983","ConfigStateHash":"2918023209","ParentProcessId":"140477117417056","aip":"165.225.242.255","SyntheticPR2Flags":"16","ConfigBuild":"1007.4.0012903.1","event_platform":"Mac","TargetProcessId":"347912479380283871","ImageFileName":"/bin/bash","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","id":"e4cd0a9b-9946-11eb-8a9d-0666cacb16a1","EffectiveTransmissionClass":"2","aid":"85191da4b9c24c0f9bc4cf607b45c8f6","timestamp":"1617981533033","cid":"1e09935edb764b1d866c260fab34c575"}
2021-04-30 08:57:49.831 collector-44434356e7daa251-7bf889b647-vrkgc=54.236.226.230 edr.crowdstrike.cannon: {"ParentProcessId":"352669866666338544","SourceProcessId":"352669872370592262","aip":"165.225.92.234","SessionProcessId":"352669872399952397","SyntheticPR2Flags":"0","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","SVUID":"502","id":"d03af89a-a990-11eb-9adf-06b3c163c597","EffectiveTransmissionClass":"2","timestamp":"1619772499884","ProcessGroupId":"1170","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"1170","ContextTimeStamp":"1619772499.739","GID":"20","ConfigStateHash":"1576918349","SVGID":"20","MD5HashData":"e474c0c85340f892ddc16141393f2ab6","SHA256HashData":"f4f2c8c83afdb4f329f290795fbadbc70f648b9516badc22736da53c34e7d2b4","ConfigBuild":"1007.4.0012505.1","UID":"502","CommandLine":"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService","TargetProcessId":"352669872399952397","ImageFileName":"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService","RGID":"20","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","ProcessStartTime":"1619555844.468","RUID":"502","aid":"8fdefc9f0dac4228af69ebea6099a4ea","cid":"1e09935edb764b1d866c260fab34c575"}

And this is how the last of these logs (the 2021-04-30 event) would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2021-04-30 10:57:49.831 | timestamp | |
| aid | 8fdefc9f0dac4228af69ebea6099a4ea | str | |
| aip | 165.225.92.234 | ip | |
| cid | 1e09935edb764b1d866c260fab34c575 | str | |
| event_platform | Mac | str | |
| event_simpleName | SyntheticProcessRollup2 | str | |
| id | d03af89a-a990-11eb-9adf-06b3c163c597 | str | |
| name | SyntheticProcessRollup2MacV3 | str | |
| timestamp | 2021-04-30 10:48:19.884 | timestamp | |
| AuthenticationId | null | str | |
| CommandLine | /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService | str | |
| ConfigBuild | 1007.4.0012505.1 | str | |
| ConfigStateHash | 1576918349 | str | |
| ContextTimeStamp | 1619772499.739 | str | |
| EffectiveTransmissionClass | 2 | str | |
| Entitlements | 15 | str | |
| ImageFileName | /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService | str | |
| IntegrityLevel | null | str | |
| ParentProcessId | 352669866666338560 | str | |
| ProcessStartTime | 1619555844.468 | str | |
| RawProcessId | 1170 | str | |
| SHA256HashData | f4f2c8c83afdb4f329f290795fbadbc70f648b9516badc22736da53c34e7d2b4 | str | |
| SyntheticPR2Flags | 0 | str | |
| TargetProcessId | 352669872399952400 | str | |
| UserSid | null | str | |
| MD5HashData | e474c0c85340f892ddc16141393f2ab6 | str | |
| UID | 502 | str | |
| RGID | 20 | str | |
| RUID | 502 | str | |
| GID | 20 | str | |
| ProcessGroupId | 1170 | str | |
| SessionProcessId | 352669872399952400 | str | |
| SHA1HashData | 0000000000000000000000000000000000000000 | str | |
| SourceProcessId | 352669872370592260 | str | |
| SVGID | 20 | str | |
| SVUID | 502 | str | |
| rawMessage | the full JSON payload (key/value pairs listed below) | str | |
| hostchain | collector-44434356e7daa251-7bf889b647-vrkgc=54.236.226.230 | str | |
| tag | edr.crowdstrike.cannon | str | |

rawMessage contents:

  • ParentProcessId: 352669866666338544

  • SourceProcessId: 352669872370592262

  • aip: 165.225.92.234

  • SessionProcessId: 352669872399952397

  • SyntheticPR2Flags: 0

  • SHA1HashData: 0000000000000000000000000000000000000000

  • event_platform: Mac

  • SVUID: 502

  • id: d03af89a-a990-11eb-9adf-06b3c163c597

  • EffectiveTransmissionClass: 2

  • timestamp: 1619772499884

  • ProcessGroupId: 1170

  • event_simpleName: SyntheticProcessRollup2

  • RawProcessId: 1170

  • ContextTimeStamp: 1619772499.739

  • GID: 20

  • ConfigStateHash: 1576918349

  • SVGID: 20

  • MD5HashData: e474c0c85340f892ddc16141393f2ab6

  • SHA256HashData: f4f2c8c83afdb4f329f290795fbadbc70f648b9516badc22736da53c34e7d2b4

  • ConfigBuild: 1007.4.0012505.1

  • UID: 502

  • CommandLine: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService

  • TargetProcessId: 352669872399952397

  • ImageFileName: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0.4430.85/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService

  • RGID: 20

  • Entitlements: 15

  • name: SyntheticProcessRollup2MacV3

  • ProcessStartTime: 1619555844.468

  • RUID: 502

  • aid: 8fdefc9f0dac4228af69ebea6099a4ea

  • cid: 1e09935edb764b1d866c260fab34c575
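The following is an added example, not Devo or CrowdStrike code, of how a collector line of the shape shown above (`<eventdate> <hostchain> edr.crowdstrike.cannon: <JSON>`) can be split into the columns of the parsed table and routed to a per-event-type table. Two things in it are assumptions rather than anything the page states: the routing rule (event_simpleName lower-cased and matched against the table suffixes listed in the introduction, anything else going to `.other`), and that the collector timestamp is UTC (the parsed table on this page renders both eventdate and timestamp two hours later, i.e. in a UTC+2 zone). It also reproduces a detail worth checking before you correlate events: the raw message carries ParentProcessId 352669866666338544, SessionProcessId and TargetProcessId 352669872399952397 and SourceProcessId 352669872370592262, while the parsed table shows 352669866666338560, 352669872399952400 and 352669872370592260. Those are exactly the values these 18-digit ids take after a trip through an IEEE-754 double (they exceed 2^53), which `through_double` below demonstrates; process-tree joins on these ids should therefore use the `str` columns or the raw JSON, never a numeric conversion. The second sample line and its `aid`/`cid` placeholders are constructed for the example.

```python
"""Added example (not Devo or CrowdStrike code): parse edr.crowdstrike.cannon lines
and show why the 64-bit sensor ids must stay strings."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Table suffixes listed in the introduction of this page. The routing rule itself
# (lower-cased event_simpleName, unknown types to "other") is an assumption.
KNOWN_SUBTYPES = {
    "asepvalueupdate", "channelversionrequired", "dnsrequest", "endofprocess",
    "neighborlistip4", "networkconnectip4", "processrollup2", "processrollup2stats",
    "sensorheartbeat", "syntheticprocessrollup2",
}

# <eventdate> <hostchain> <tag>: <json payload>, as in the sample logs.
LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<tag>edr\.crowdstrike\.cannon): (?P<payload>\{.*\})$"
)


def parse_cannon_line(line):
    """Split one collector line into the columns shown in the parsed tables."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an edr.crowdstrike.cannon line")
    payload = json.loads(m["payload"])
    subtype = payload.get("event_simpleName", "").lower()
    table = m["tag"] + "." + (subtype if subtype in KNOWN_SUBTYPES else "other")
    eventdate = datetime.strptime(m["eventdate"], "%Y-%m-%d %H:%M:%S.%f")
    event = {
        "eventdate": eventdate.replace(tzinfo=timezone.utc),  # assumed UTC
        "hostchain": m["hostchain"],
        "tag": m["tag"],
        "table": table,
        "rawMessage": payload,
    }
    for key, value in payload.items():
        if key == "aip":
            event[key] = ipaddress.ip_address(value)  # the "ip" typed column
        elif key == "timestamp":  # epoch milliseconds; avoid float division
            ms = int(value)
            event[key] = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                          + timedelta(milliseconds=ms % 1000))
        else:
            event[key] = value  # ids, hashes, counters: kept as str, never float
    return event


def route(lines):
    """Bucket parsed events by destination table, as the single tag fans out."""
    buckets = {}
    for line in lines:
        ev = parse_cannon_line(line)
        buckets.setdefault(ev["table"], []).append(ev)
    return buckets


def through_double(id_str):
    """The integer a sensor id becomes after passing through an IEEE-754 double
    printed with the shortest round-trip notation (what JavaScript's Number does)."""
    return int(Decimal(repr(float(id_str))))


def id_survives_double(id_str):
    """True when the id is below 2**53 and therefore exactly representable."""
    return int(id_str) < 2 ** 53


# Constructed input: the 2021-04-30 sample from this page reduced to the fields used
# here, plus a made-up event type (with placeholder aid/cid) for the "other" bucket.
SAMPLE_LINES = [
    '2021-04-30 08:57:49.831 collector-44434356e7daa251-7bf889b647-vrkgc=54.236.226.230 '
    'edr.crowdstrike.cannon: {"ParentProcessId":"352669866666338544",'
    '"SourceProcessId":"352669872370592262","aip":"165.225.92.234",'
    '"SessionProcessId":"352669872399952397","event_simpleName":"SyntheticProcessRollup2",'
    '"RawProcessId":"1170","timestamp":"1619772499884",'
    '"TargetProcessId":"352669872399952397",'
    '"aid":"8fdefc9f0dac4228af69ebea6099a4ea","cid":"1e09935edb764b1d866c260fab34c575"}',
    '2021-04-30 08:57:50.000 collector-44434356e7daa251-7bf889b647-vrkgc=54.236.226.230 '
    'edr.crowdstrike.cannon: {"event_simpleName":"ExampleUnknownEvent","aip":"10.0.0.1",'
    '"timestamp":"1619772500000","aid":"aid-placeholder","cid":"cid-placeholder"}',
]

if __name__ == "__main__":
    buckets = route(SAMPLE_LINES)
    for table, events in buckets.items():
        print(table, len(events))
    ev = buckets["edr.crowdstrike.cannon.syntheticprocessrollup2"][0]
    for key in ("ParentProcessId", "SessionProcessId", "SourceProcessId"):
        print(key, ev[key], "->", through_double(ev[key]),
              "exact" if id_survives_double(ev[key]) else "ROUNDED")
```

Running the block prints the three rounded ids next to their raw values; `id_survives_double` is the check to apply to any id field before it is allowed into a numeric column or a float-based join.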