edr.crowdstrike

[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with edr.crowdstrike identify events generated by CrowdStrike.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.crowdstrike. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Product / Services	Tags	Data tables

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Get in touch with us to start sending your data to the Devo platform.

For Falcon Streaming, follow these instructions:

Get in touch with us to download the collector. Devo's CrowdStrike Falcon Streaming Collector collects audit and detection data.

This collector does the following:

Authenticates with the Falcon Streaming API.
Discovers available streams.
Creates a long-running stream connection to available streams.
As events come in, they are shipped into the Devo domain.
After an event is shipped to Devo, the offset id is saved to the state store to resume from the same
point if stopped.

Setup

Obtain access to the CrowdStrike API and acquire a client_id and client_secret for use.
1. The API scope necessary for the client is “Event Streams”.
  1. If you have errors discovering streams, check that this is added to the API role.
Add the CrowdStrike Falcon Streaming Collector to your domain and set your client_id and client_secret in the collector's parameters JSON.
Done! Once the collector is added and running, you will see your falcon data in the edr.crowdstrike.falconstreaming table.

Error/Troubleshooting

You get error (401) discovering streams - access denied, invalid bearer token.
- The URL Endpoint may not be correct. The default api_url setting is api.crowdstrike.com, but your customer may be configured with a different endpoint such as api.us-2.crowdstrike.com.
  - Update the api_url parameter and try again.
You get another error (not 401) regarding discovering streams.
- Check that “Event Streams” is part of the API scope for the credentials provided.

Table structure

These are the fields displayed in the tables:

Product / Services	Tags	Data tables
CrowdStrike Cannon	`edr.crowdstrike.cannon`	`edr.crowdstrike.cannon`
	`edr.crowdstrike.cannon.additionalhostinfo`	`edr.crowdstrike.cannon.additionalhostinfo`
	`edr.crowdstrike.cannon.agentconnect`	`edr.crowdstrike.cannon.agentconnect`
	`edr.crowdstrike.cannon.agentonline`	`edr.crowdstrike.cannon.agentonline`
	`edr.crowdstrike.cannon.arcfilewritten`	`edr.crowdstrike.cannon.arcfilewritten`
	`edr.crowdstrike.cannon.asepkeyupdate`	`edr.crowdstrike.cannon.asepkeyupdate`
	`edr.crowdstrike.cannon.asepvalueupdate`	`edr.crowdstrike.cannon.asepvalueupdate`
	`edr.crowdstrike.cannon.associateindicator`	`edr.crowdstrike.cannon.associateindicator`
	`edr.crowdstrike.cannon.associatetreeidwithroot`	`edr.crowdstrike.cannon.associatetreeidwithroot`
	`edr.crowdstrike.cannon.billinginfo`	`edr.crowdstrike.cannon.billinginfo`
	`edr.crowdstrike.cannon.bitsjobcreated`	`edr.crowdstrike.cannon.bitsjobcreated`
	`edr.crowdstrike.cannon.bmpfilewritten`	`edr.crowdstrike.cannon.bmpfilewritten`
	`edr.crowdstrike.cannon.cabfilewritten`	`edr.crowdstrike.cannon.cabfilewritten`
	`edr.crowdstrike.cannon.channeldatadownloadcomplete`	`edr.crowdstrike.cannon.channeldatadownloadcomplete`
	`edr.crowdstrike.cannon.channelversionrequired`	`edr.crowdstrike.cannon.channelversionrequired`
	`edr.crowdstrike.cannon.commandhistory`	`edr.crowdstrike.cannon.commandhistory`
	`edr.crowdstrike.cannon.configstateupdate`	`edr.crowdstrike.cannon.configstateupdate`
	`edr.crowdstrike.cannon.createservice`	`edr.crowdstrike.cannon.createservice`
	`edr.crowdstrike.cannon.criticalenvironmentvariablechanged`	`edr.crowdstrike.cannon.criticalenvironmentvariablechanged`
	`edr.crowdstrike.cannon.criticalfileaccessed`	`edr.crowdstrike.cannon.criticalfileaccessed`
	`edr.crowdstrike.cannon.currentsystemtags`	`edr.crowdstrike.cannon.currentsystemtags`
	`edr.crowdstrike.cannon.dconline`	`edr.crowdstrike.cannon.dconline`
	`edr.crowdstrike.cannon.dcstatus`	`edr.crowdstrike.cannon.dcstatus`
	`edr.crowdstrike.cannon.dcsyncattempted`	`edr.crowdstrike.cannon.dcsyncattempted`
	`edr.crowdstrike.cannon.dcusbconfigurationdescriptor`	`edr.crowdstrike.cannon.dcusbconfigurationdescriptor`
	`edr.crowdstrike.cannon.dcusbdeviceblocked`	`edr.crowdstrike.cannon.dcusbdeviceblocked`
	`edr.crowdstrike.cannon.dcusbdeviceconnected`	`edr.crowdstrike.cannon.dcusbdeviceconnected`
	`edr.crowdstrike.cannon.dcusbdevicedisconnected`	`edr.crowdstrike.cannon.dcusbdevicedisconnected`
	`edr.crowdstrike.cannon.dcusbendpointdescriptor`	`edr.crowdstrike.cannon.dcusbendpointdescriptor`
	`edr.crowdstrike.cannon.dcusbhiddescriptor`	`edr.crowdstrike.cannon.dcusbhiddescriptor`
	`edr.crowdstrike.cannon.dcusbinterfacedescriptor`	`edr.crowdstrike.cannon.dcusbinterfacedescriptor`
	`edr.crowdstrike.cannon.deliverlocalfxtocloud`	`edr.crowdstrike.cannon.deliverlocalfxtocloud`
	`edr.crowdstrike.cannon.detectionexcluded`	`edr.crowdstrike.cannon.detectionexcluded`
	`edr.crowdstrike.cannon.directorycreate`	`edr.crowdstrike.cannon.directorycreate`
	`edr.crowdstrike.cannon.directorytraversaloversmb`	`edr.crowdstrike.cannon.directorytraversaloversmb`
	`edr.crowdstrike.cannon.diskcapacity`	`edr.crowdstrike.cannon.diskcapacity`
	`edr.crowdstrike.cannon.dllinjection`	`edr.crowdstrike.cannon.dllinjection`
	`edr.crowdstrike.cannon.dmpfilewritten`	`edr.crowdstrike.cannon.dmpfilewritten`
	`edr.crowdstrike.cannon.dnsrequest`	`edr.crowdstrike.cannon.dnsrequest`
	`edr.crowdstrike.cannon.documentprograminjectedthread`	`edr.crowdstrike.cannon.documentprograminjectedthread`
	`edr.crowdstrike.cannon.driverload`	`edr.crowdstrike.cannon.driverload`
	`edr.crowdstrike.cannon.dwgfilewritten`	`edr.crowdstrike.cannon.dwgfilewritten`
	`edr.crowdstrike.cannon.elffilewritten`	`edr.crowdstrike.cannon.elffilewritten`
	`edr.crowdstrike.cannon.endofprocess`	`edr.crowdstrike.cannon.endofprocess`
	`edr.crowdstrike.cannon.errorevent`	`edr.crowdstrike.cannon.errorevent`
	`edr.crowdstrike.cannon.etwcomponentresponse`	`edr.crowdstrike.cannon.etwcomponentresponse`
	`edr.crowdstrike.cannon.etwerrorevent`	`edr.crowdstrike.cannon.etwerrorevent`
	`edr.crowdstrike.cannon.executabledeleted`	`edr.crowdstrike.cannon.executabledeleted`
	`edr.crowdstrike.cannon.falconservicestatus`	`edr.crowdstrike.cannon.falconservicestatus`
	`edr.crowdstrike.cannon.filedeleted`	`edr.crowdstrike.cannon.filedeleted`
	`edr.crowdstrike.cannon.filedeleteinfo`	`edr.crowdstrike.cannon.filedeleteinfo`
	`edr.crowdstrike.cannon.fileopeninfo`	`edr.crowdstrike.cannon.fileopeninfo`
	`edr.crowdstrike.cannon.filerenameinfo`	`edr.crowdstrike.cannon.filerenameinfo`
	`edr.crowdstrike.cannon.firewallchangeoption`	`edr.crowdstrike.cannon.firewallchangeoption`
	`edr.crowdstrike.cannon.firewalldeleterule`	`edr.crowdstrike.cannon.firewalldeleterule`
	`edr.crowdstrike.cannon.firewallsetrule`	`edr.crowdstrike.cannon.firewallsetrule`
	`edr.crowdstrike.cannon.firmwareanalysishardwaredata`	`edr.crowdstrike.cannon.firmwareanalysishardwaredata`
	`edr.crowdstrike.cannon.firmwareanalysisstatus`	`edr.crowdstrike.cannon.firmwareanalysisstatus`
	`edr.crowdstrike.cannon.fspostopensnapshotfile`	`edr.crowdstrike.cannon.fspostopensnapshotfile`
	`edr.crowdstrike.cannon.fsvolumemounted`	`edr.crowdstrike.cannon.fsvolumemounted`
	`edr.crowdstrike.cannon.fsvolumeunmounted`	`edr.crowdstrike.cannon.fsvolumeunmounted`
	`edr.crowdstrike.cannon.genericfilewritten`	`edr.crowdstrike.cannon.genericfilewritten`
	`edr.crowdstrike.cannon.giffilewritten`	`edr.crowdstrike.cannon.giffilewritten`
	`edr.crowdstrike.cannon.gzipfilewritten`	`edr.crowdstrike.cannon.gzipfilewritten`
`edr.crowdstrike.cannon.hostedservicestarted`	`edr.crowdstrike.cannon.hostedservicestarted`
`edr.crowdstrike.cannon.hostedservicestopped`	`edr.crowdstrike.cannon.hostedservicestopped`
`edr.crowdstrike.cannon.hostinfo`	`edr.crowdstrike.cannon.hostinfo`
`edr.crowdstrike.cannon.hostnamechanged`	`edr.crowdstrike.cannon.hostnamechanged`
`edr.crowdstrike.cannon.imagehash`	`edr.crowdstrike.cannon.imagehash`
`edr.crowdstrike.cannon.injectedthread`	`edr.crowdstrike.cannon.injectedthread`
`edr.crowdstrike.cannon.installedapplication`	`edr.crowdstrike.cannon.installedapplication`
`edr.crowdstrike.cannon.installedupdates`	`edr.crowdstrike.cannon.installedupdates`
`edr.crowdstrike.cannon.invalid`	`edr.crowdstrike.cannon.invalid`
`edr.crowdstrike.cannon.iosessionconnected`	`edr.crowdstrike.cannon.iosessionconnected`
`edr.crowdstrike.cannon.iosessionloggedon`	`edr.crowdstrike.cannon.iosessionloggedon`
`edr.crowdstrike.cannon.jarfilewritten`	`edr.crowdstrike.cannon.jarfilewritten`
`edr.crowdstrike.cannon.javaclassfilewritten`	`edr.crowdstrike.cannon.javaclassfilewritten`
`edr.crowdstrike.cannon.jpegfilewritten`	`edr.crowdstrike.cannon.jpegfilewritten`
`edr.crowdstrike.cannon.kernelmodeloadimage`	`edr.crowdstrike.cannon.kernelmodeloadimage`
`edr.crowdstrike.cannon.lfodownloadconfirmation`	`edr.crowdstrike.cannon.lfodownloadconfirmation`
`edr.crowdstrike.cannon.localipaddressip4`	`edr.crowdstrike.cannon.localipaddressip4`
`edr.crowdstrike.cannon.localipaddressip6`	`edr.crowdstrike.cannon.localipaddressip6`
`edr.crowdstrike.cannon.localipaddressremovedip4`	`edr.crowdstrike.cannon.localipaddressremovedip4`
`edr.crowdstrike.cannon.localipaddressremovedip6`	`edr.crowdstrike.cannon.localipaddressremovedip6`
`edr.crowdstrike.cannon.lsasshandlefromunsignedmodule`	`edr.crowdstrike.cannon.lsasshandlefromunsignedmodule`
`edr.crowdstrike.cannon.manifestdownloadcomplete`	`edr.crowdstrike.cannon.manifestdownloadcomplete`
`edr.crowdstrike.cannon.modifyservicebinary`	`edr.crowdstrike.cannon.modifyservicebinary`
`edr.crowdstrike.cannon.neighborlistip4`	`edr.crowdstrike.cannon.neighborlistip4`
`edr.crowdstrike.cannon.neighborlistip6`	`edr.crowdstrike.cannon.neighborlistip6`
`edr.crowdstrike.cannon.netshareadd`	`edr.crowdstrike.cannon.netshareadd`
`edr.crowdstrike.cannon.netsharesecuritymodify`	`edr.crowdstrike.cannon.netsharesecuritymodify`
`edr.crowdstrike.cannon.networkcapableasepwrite`	`edr.crowdstrike.cannon.networkcapableasepwrite`
`edr.crowdstrike.cannon.networkcloseip4`	`edr.crowdstrike.cannon.networkcloseip4`
`edr.crowdstrike.cannon.networkcloseip6`	`edr.crowdstrike.cannon.networkcloseip6`
`edr.crowdstrike.cannon.networkconnectip4`	`edr.crowdstrike.cannon.networkconnectip4`
`edr.crowdstrike.cannon.networkconnectip6`	`edr.crowdstrike.cannon.networkconnectip6`
`edr.crowdstrike.cannon.networklistenip4`	`edr.crowdstrike.cannon.networklistenip4`
`edr.crowdstrike.cannon.networklistenip6`	`edr.crowdstrike.cannon.networklistenip6`
`edr.crowdstrike.cannon.networkreceiveacceptip4`	`edr.crowdstrike.cannon.networkreceiveacceptip4`
`edr.crowdstrike.cannon.networkreceiveacceptip6`	`edr.crowdstrike.cannon.networkreceiveacceptip6`
`edr.crowdstrike.cannon.newexecutablerenamed`	`edr.crowdstrike.cannon.newexecutablerenamed`
`edr.crowdstrike.cannon.newexecutablewritten`	`edr.crowdstrike.cannon.newexecutablewritten`
`edr.crowdstrike.cannon.newscriptwritten`	`edr.crowdstrike.cannon.newscriptwritten`
`edr.crowdstrike.cannon.olefilewritten`	`edr.crowdstrike.cannon.olefilewritten`
`edr.crowdstrike.cannon.ooxmlfilewritten`	`edr.crowdstrike.cannon.ooxmlfilewritten`
`edr.crowdstrike.cannon.osversioninfo`	`edr.crowdstrike.cannon.osversioninfo`
`edr.crowdstrike.cannon.other`	`edr.crowdstrike.cannon.other`
`edr.crowdstrike.cannon.packedexecutablewritten`	`edr.crowdstrike.cannon.packedexecutablewritten`
`edr.crowdstrike.cannon.pdffilewritten`	`edr.crowdstrike.cannon.pdffilewritten`
`edr.crowdstrike.cannon.pefilewritten`	`edr.crowdstrike.cannon.pefilewritten`
`edr.crowdstrike.cannon.pngfilewritten`	`edr.crowdstrike.cannon.pngfilewritten`
`edr.crowdstrike.cannon.privilegedprocesshandlefromunsignedmodule`	`edr.crowdstrike.cannon.privilegedprocesshandlefromunsignedmodule`
`edr.crowdstrike.cannon.processinjection`	`edr.crowdstrike.cannon.processinjection`
`edr.crowdstrike.cannon.processrollup2`	`edr.crowdstrike.cannon.processrollup2`
`edr.crowdstrike.cannon.processrollup2stats`	`edr.crowdstrike.cannon.processrollup2stats`
`edr.crowdstrike.cannon.processselfdeleted`	`edr.crowdstrike.cannon.processselfdeleted`
`edr.crowdstrike.cannon.promiscuousbindip4`	`edr.crowdstrike.cannon.promiscuousbindip4`
`edr.crowdstrike.cannon.queueapcetw`	`edr.crowdstrike.cannon.queueapcetw`
`edr.crowdstrike.cannon.ransomwareopenfile`	`edr.crowdstrike.cannon.ransomwareopenfile`
`edr.crowdstrike.cannon.rarfilewritten`	`edr.crowdstrike.cannon.rarfilewritten`
`edr.crowdstrike.cannon.rawbindip4`	`edr.crowdstrike.cannon.rawbindip4`
`edr.crowdstrike.cannon.rawbindip6`	`edr.crowdstrike.cannon.rawbindip6`
`edr.crowdstrike.cannon.reflectivedotnedmoduleload`	`edr.crowdstrike.cannon.reflectivedotnedmoduleload`
`edr.crowdstrike.cannon.reggenericvalueupdate`	`edr.crowdstrike.cannon.reggenericvalueupdate`
`edr.crowdstrike.cannon.registerrawinputdevicesetw`	`edr.crowdstrike.cannon.registerrawinputdevicesetw`
`edr.crowdstrike.cannon.regsystemconfigvalueupdate`	`edr.crowdstrike.cannon.regsystemconfigvalueupdate`
`edr.crowdstrike.cannon.removablemediavolumemounted`	`edr.crowdstrike.cannon.removablemediavolumemounted`
`edr.crowdstrike.cannon.resourceutilization`	`edr.crowdstrike.cannon.resourceutilization`
`edr.crowdstrike.cannon.rtffilewritten`	`edr.crowdstrike.cannon.rtffilewritten`
`edr.crowdstrike.cannon.samhashdumpfromunsignedmodule`	`edr.crowdstrike.cannon.samhashdumpfromunsignedmodule`
`edr.crowdstrike.cannon.scheduledtaskdeleted`	`edr.crowdstrike.cannon.scheduledtaskdeleted`
`edr.crowdstrike.cannon.scheduledtaskmodified`	`edr.crowdstrike.cannon.scheduledtaskmodified`
`edr.crowdstrike.cannon.scheduledtaskregistered`	`edr.crowdstrike.cannon.scheduledtaskregistered`
`edr.crowdstrike.cannon.screenshottakentw`	`edr.crowdstrike.cannon.screenshottakentw`
`edr.crowdstrike.cannon.scriptcontroldetectioninfo`	`edr.crowdstrike.cannon.scriptcontroldetectioninfo`
`edr.crowdstrike.cannon.scriptcontrolscantelemetry`	`edr.crowdstrike.cannon.scriptcontrolscantelemetry`
`edr.crowdstrike.cannon.sensitivewmiquery`	`edr.crowdstrike.cannon.sensitivewmiquery`
`edr.crowdstrike.cannon.sensorheartbeat`	`edr.crowdstrike.cannon.sensorheartbeat`
`edr.crowdstrike.cannon.servicestarted`	`edr.crowdstrike.cannon.servicestarted`
`edr.crowdstrike.cannon.setwineventhooketw`	`edr.crowdstrike.cannon.setwineventhooketw`
`edr.crowdstrike.cannon.sevenzipfilewritten`	`edr.crowdstrike.cannon.sevenzipfilewritten`
`edr.crowdstrike.cannon.signinfoerror`	`edr.crowdstrike.cannon.signinfoerror`
`edr.crowdstrike.cannon.signinfowithcertandcontext`	`edr.crowdstrike.cannon.signinfowithcertandcontext`
`edr.crowdstrike.cannon.signinfowithcontext`	`edr.crowdstrike.cannon.signinfowithcontext`
`edr.crowdstrike.cannon.smbclientshareclosedetw`	`edr.crowdstrike.cannon.smbclientshareclosedetw`
`edr.crowdstrike.cannon.smbclientshareopenedetw`	`edr.crowdstrike.cannon.smbclientshareopenedetw`
`edr.crowdstrike.cannon.snapshotvolumemounted`	`edr.crowdstrike.cannon.snapshotvolumemounted`
`edr.crowdstrike.cannon.suspectcreatethreadstack`	`edr.crowdstrike.cannon.suspectcreatethreadstack`
`edr.crowdstrike.cannon.suspiciouscreatesymboliclink`	`edr.crowdstrike.cannon.suspiciouscreatesymboliclink`
`edr.crowdstrike.cannon.suspiciouslackofprocessrollupevents`	`edr.crowdstrike.cannon.suspiciouslackofprocessrollupevents`
`edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle`	`edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle`
`edr.crowdstrike.cannon.suspiciousregasepupdate`	`edr.crowdstrike.cannon.suspiciousregasepupdate`
`edr.crowdstrike.cannon.syntheticprocessrollup2`	`edr.crowdstrike.cannon.syntheticprocessrollup2`
`edr.crowdstrike.cannon.systemcapacity`	`edr.crowdstrike.cannon.systemcapacity`
`edr.crowdstrike.cannon.tarfilewritten`	`edr.crowdstrike.cannon.tarfilewritten`
`edr.crowdstrike.cannon.tcgpcrinfo`	`edr.crowdstrike.cannon.tcgpcrinfo`
`edr.crowdstrike.cannon.terminateprocess`	`edr.crowdstrike.cannon.terminateprocess`
`edr.crowdstrike.cannon.tifffilewritten`	`edr.crowdstrike.cannon.tifffilewritten`
`edr.crowdstrike.cannon.tokenimpersonated`	`edr.crowdstrike.cannon.tokenimpersonated`
`edr.crowdstrike.cannon.umppaerrorevent`	`edr.crowdstrike.cannon.umppaerrorevent`
`edr.crowdstrike.cannon.umppcbypasssuspected`	`edr.crowdstrike.cannon.umppcbypasssuspected`
`edr.crowdstrike.cannon.updatemanifestdownloadcomplete`	`edr.crowdstrike.cannon.updatemanifestdownloadcomplete`
`edr.crowdstrike.cannon.useraccountaddedtogroup`	`edr.crowdstrike.cannon.useraccountaddedtogroup`
`edr.crowdstrike.cannon.userexceptiondep`	`edr.crowdstrike.cannon.userexceptiondep`
`edr.crowdstrike.cannon.userfontload`	`edr.crowdstrike.cannon.userfontload`
`edr.crowdstrike.cannon.useridentity`	`edr.crowdstrike.cannon.useridentity`
`edr.crowdstrike.cannon.userinformationetw`	`edr.crowdstrike.cannon.userinformationetw`
`edr.crowdstrike.cannon.userlogoff`	`edr.crowdstrike.cannon.userlogoff`
`edr.crowdstrike.cannon.userlogon`	`edr.crowdstrike.cannon.userlogon`
`edr.crowdstrike.cannon.userlogonfailed`	`edr.crowdstrike.cannon.userlogonfailed`
`edr.crowdstrike.cannon.userlogonfailed2`	`edr.crowdstrike.cannon.userlogonfailed2`
`edr.crowdstrike.cannon.volumesnapshotcreated`	`edr.crowdstrike.cannon.volumesnapshotcreated`
`edr.crowdstrike.cannon.volumesnapshotdeleted`	`edr.crowdstrike.cannon.volumesnapshotdeleted`
`edr.crowdstrike.cannon.wfpfiltertamperingfilteradded`	`edr.crowdstrike.cannon.wfpfiltertamperingfilteradded`
`edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted`	`edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted`
`edr.crowdstrike.cannon.wmicreateprocess`	`edr.crowdstrike.cannon.wmicreateprocess`
`edr.crowdstrike.cannon.wmifilterconsumerbindingetw`	`edr.crowdstrike.cannon.wmifilterconsumerbindingetw`
`edr.crowdstrike.cannon.wmiproviderregistrationetw`	`edr.crowdstrike.cannon.wmiproviderregistrationetw`
`edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent`	`edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent`
`edr.crowdstrike.cannon.zipfilewritten`	`edr.crowdstrike.cannon.zipfilewritten`
CrowdStrike Cannon Basic	`edr.crowdstrike.cannonBasic`	`edr.crowdstrike.cannonBasic`
CrowdStrike Falcon Discover	`edr.crowdstrike.discover`	`edr.crowdstrike.discover`
	`edr.crowdstrike.discover.appinfo`	`edr.crowdstrike.discover.appinfo`
	`edr.crowdstrike.discover.userinfo`	`edr.crowdstrike.discover.userinfo`
CrowdStrike Falcon	`edr.crowdstrike.falcon`	`edr.crowdstrike.falcon`
CrowdStrike Falcon FileVantage	`edr.crowdstrike.falcon_filevantage.change`	`edr.crowdstrike.falcon_filevantage.change`
CrowdStrike Falcon Spotlight	`edr.crowdstrike.spotlight.vulnerabilities`	`edr.crowdstrike.spotlight.vulnerabilities`
CrowdStrike Falcon Streaming	`edr.crowdstrike.falconstreamin`	`edr.crowdstrike.falconstreamin`
	`edr.crowdstrike.falconstreaming.agents`	`edr.crowdstrike.falconstreaming.agents`
	`edr.crowdstrike.falconstreaming.auth_activity`	`edr.crowdstrike.falconstreaming.auth_activity`
	`edr.crowdstrike.falconstreaming.behaviors`	`edr.crowdstrike.falconstreaming.behaviors`
	`edr.crowdstrike.falconstreaming.cspm_ioa_streaming`	`edr.crowdstrike.falconstreaming.cspm_ioa_streaming`
	`edr.crowdstrike.falconstreaming.cspm_search_streaming`	`edr.crowdstrike.falconstreaming.cspm_search_streaming`
	`edr.crowdstrike.falconstreaming.customer_ioc`	`edr.crowdstrike.falconstreaming.customer_ioc`
	`edr.crowdstrike.falconstreaming.detection_summary`	`edr.crowdstrike.falconstreaming.detection_summary`
	`edr.crowdstrike.falconstreaming.external_api`	`edr.crowdstrike.falconstreaming.external_api`
	`edr.crowdstrike.falconstreaming.firewall_match`	`edr.crowdstrike.falconstreaming.firewall_match`
	`edr.crowdstrike.falconstreaming.identity_protection`	`edr.crowdstrike.falconstreaming.identity_protection`
	`edr.crowdstrike.falconstreaming.idp_detection_summary`	`edr.crowdstrike.falconstreaming.idp_detection_summary`
	`edr.crowdstrike.falconstreaming.incident_summary`	`edr.crowdstrike.falconstreaming.incident_summary`
	`edr.crowdstrike.falconstreaming.incidents`	`edr.crowdstrike.falconstreaming.incidents`
	`edr.crowdstrike.falconstreaming.mobile_detection_summary`	`edr.crowdstrike.falconstreaming.mobile_detection_summary`
	`edr.crowdstrike.falconstreaming.other`	`edr.crowdstrike.falconstreaming.other`
	`edr.crowdstrike.falconstreaming.recon_notification_summary`	`edr.crowdstrike.falconstreaming.recon_notification_summary`
	`edr.crowdstrike.falconstreaming.remote_response_session`	`edr.crowdstrike.falconstreaming.remote_response_session`
	`edr.crowdstrike.falconstreaming.scheduled_report_notification`	`edr.crowdstrike.falconstreaming.scheduled_report_notification`
	`edr.crowdstrike.falconstreaming.user_activity_detections`	`edr.crowdstrike.falconstreaming.user_activity_detections`
	`edr.crowdstrike.falconstreaming.user_activity_device_control_policy`	`edr.crowdstrike.falconstreaming.user_activity_device_control_policy`
	`edr.crowdstrike.falconstreaming.user_activity_devices`	`edr.crowdstrike.falconstreaming.user_activity_devices`
	`edr.crowdstrike.falconstreaming.user_activity_groups`	`edr.crowdstrike.falconstreaming.user_activity_groups`
	`edr.crowdstrike.falconstreaming.user_activity_ip_whitelist`	`edr.crowdstrike.falconstreaming.user_activity_ip_whitelist`
	`edr.crowdstrike.falconstreaming.user_activity_other`	`edr.crowdstrike.falconstreaming.user_activity_other`
	`edr.crowdstrike.falconstreaming.user_activity_prevention_policy`	`edr.crowdstrike.falconstreaming.user_activity_prevention_policy`
	`edr.crowdstrike.falconstreaming.user_activity_quarantined_files`	`edr.crowdstrike.falconstreaming.user_activity_quarantined_files`
	`edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy`	`edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy`
	`edr.crowdstrike.falconstreaming.vulnerabilities`	`edr.crowdstrike.falconstreaming.vulnerabilities`
CrowdStrike Falcon Insight	`edr.crowdstrike.insight`
	`edr.crowdstrike.insight.aidmaster`	`edr.crowdstrike.insight.aidmaster`
	`edr.crowdstrike.insight.managedassets`	`edr.crowdstrike.insight.managedassets`
	`edr.crowdstrike.insight.notmanaged`	`edr.crowdstrike.insight.notmanaged`