
edr.crowdstrike

Introduction

The tags beginning with edr.crowdstrike identify events generated by CrowdStrike.

Tag structure

The full tag must have at least 3 levels. The first two are fixed as edr.crowdstrike. The third level identifies the type of events sent, and the optional fourth level indicates the event subtype.

Product / Services | Tags | Data tables
CrowdStrike Cannon | edr.crowdstrike.cannon | edr.crowdstrike.cannon
CrowdStrike Cannon | edr.crowdstrike.cannon.additionalhostinfo | edr.crowdstrike.cannon.additionalhostinfo
CrowdStrike Cannon | edr.crowdstrike.cannon.agentconnect | edr.crowdstrike.cannon.agentconnect
CrowdStrike Cannon | edr.crowdstrike.cannon.agentonline | edr.crowdstrike.cannon.agentonline
CrowdStrike Cannon | edr.crowdstrike.cannon.arcfilewritten | edr.crowdstrike.cannon.arcfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.asepkeyupdate | edr.crowdstrike.cannon.asepkeyupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.asepvalueupdate | edr.crowdstrike.cannon.asepvalueupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.associateindicator | edr.crowdstrike.cannon.associateindicator
CrowdStrike Cannon | edr.crowdstrike.cannon.associatetreeidwithroot | edr.crowdstrike.cannon.associatetreeidwithroot
CrowdStrike Cannon | edr.crowdstrike.cannon.billinginfo | edr.crowdstrike.cannon.billinginfo
CrowdStrike Cannon | edr.crowdstrike.cannon.bitsjobcreated | edr.crowdstrike.cannon.bitsjobcreated
CrowdStrike Cannon | edr.crowdstrike.cannon.bmpfilewritten | edr.crowdstrike.cannon.bmpfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.cabfilewritten | edr.crowdstrike.cannon.cabfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.channeldatadownloadcomplete | edr.crowdstrike.cannon.channeldatadownloadcomplete
CrowdStrike Cannon | edr.crowdstrike.cannon.channelversionrequired | edr.crowdstrike.cannon.channelversionrequired
CrowdStrike Cannon | edr.crowdstrike.cannon.commandhistory | edr.crowdstrike.cannon.commandhistory
CrowdStrike Cannon | edr.crowdstrike.cannon.configstateupdate | edr.crowdstrike.cannon.configstateupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.createservice | edr.crowdstrike.cannon.createservice
CrowdStrike Cannon | edr.crowdstrike.cannon.criticalenvironmentvariablechanged | edr.crowdstrike.cannon.criticalenvironmentvariablechanged
CrowdStrike Cannon | edr.crowdstrike.cannon.criticalfileaccessed | edr.crowdstrike.cannon.criticalfileaccessed
CrowdStrike Cannon | edr.crowdstrike.cannon.currentsystemtags | edr.crowdstrike.cannon.currentsystemtags
CrowdStrike Cannon | edr.crowdstrike.cannon.dconline | edr.crowdstrike.cannon.dconline
CrowdStrike Cannon | edr.crowdstrike.cannon.dcstatus | edr.crowdstrike.cannon.dcstatus
CrowdStrike Cannon | edr.crowdstrike.cannon.dcsyncattempted | edr.crowdstrike.cannon.dcsyncattempted
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbconfigurationdescriptor | edr.crowdstrike.cannon.dcusbconfigurationdescriptor
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbdeviceblocked | edr.crowdstrike.cannon.dcusbdeviceblocked
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbdeviceconnected | edr.crowdstrike.cannon.dcusbdeviceconnected
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbdevicedisconnected | edr.crowdstrike.cannon.dcusbdevicedisconnected
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbendpointdescriptor | edr.crowdstrike.cannon.dcusbendpointdescriptor
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbhiddescriptor | edr.crowdstrike.cannon.dcusbhiddescriptor
CrowdStrike Cannon | edr.crowdstrike.cannon.dcusbinterfacedescriptor | edr.crowdstrike.cannon.dcusbinterfacedescriptor
CrowdStrike Cannon | edr.crowdstrike.cannon.deliverlocalfxtocloud | edr.crowdstrike.cannon.deliverlocalfxtocloud
CrowdStrike Cannon | edr.crowdstrike.cannon.detectionexcluded | edr.crowdstrike.cannon.detectionexcluded
CrowdStrike Cannon | edr.crowdstrike.cannon.directorycreate | edr.crowdstrike.cannon.directorycreate
CrowdStrike Cannon | edr.crowdstrike.cannon.directorytraversaloversmb | edr.crowdstrike.cannon.directorytraversaloversmb
CrowdStrike Cannon | edr.crowdstrike.cannon.diskcapacity | edr.crowdstrike.cannon.diskcapacity
CrowdStrike Cannon | edr.crowdstrike.cannon.dllinjection | edr.crowdstrike.cannon.dllinjection
CrowdStrike Cannon | edr.crowdstrike.cannon.dmpfilewritten | edr.crowdstrike.cannon.dmpfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.dnsrequest | edr.crowdstrike.cannon.dnsrequest
CrowdStrike Cannon | edr.crowdstrike.cannon.documentprograminjectedthread | edr.crowdstrike.cannon.documentprograminjectedthread
CrowdStrike Cannon | edr.crowdstrike.cannon.driverload | edr.crowdstrike.cannon.driverload
CrowdStrike Cannon | edr.crowdstrike.cannon.dwgfilewritten | edr.crowdstrike.cannon.dwgfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.elffilewritten | edr.crowdstrike.cannon.elffilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.endofprocess | edr.crowdstrike.cannon.endofprocess
CrowdStrike Cannon | edr.crowdstrike.cannon.errorevent | edr.crowdstrike.cannon.errorevent
CrowdStrike Cannon | edr.crowdstrike.cannon.etwcomponentresponse | edr.crowdstrike.cannon.etwcomponentresponse
CrowdStrike Cannon | edr.crowdstrike.cannon.etwerrorevent | edr.crowdstrike.cannon.etwerrorevent
CrowdStrike Cannon | edr.crowdstrike.cannon.executabledeleted | edr.crowdstrike.cannon.executabledeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.falconservicestatus | edr.crowdstrike.cannon.falconservicestatus
CrowdStrike Cannon | edr.crowdstrike.cannon.filedeleted | edr.crowdstrike.cannon.filedeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.filedeleteinfo | edr.crowdstrike.cannon.filedeleteinfo
CrowdStrike Cannon | edr.crowdstrike.cannon.fileopeninfo | edr.crowdstrike.cannon.fileopeninfo
CrowdStrike Cannon | edr.crowdstrike.cannon.filerenameinfo | edr.crowdstrike.cannon.filerenameinfo
CrowdStrike Cannon | edr.crowdstrike.cannon.firewallchangeoption | edr.crowdstrike.cannon.firewallchangeoption
CrowdStrike Cannon | edr.crowdstrike.cannon.firewalldeleterule | edr.crowdstrike.cannon.firewalldeleterule
CrowdStrike Cannon | edr.crowdstrike.cannon.firewallsetrule | edr.crowdstrike.cannon.firewallsetrule
CrowdStrike Cannon | edr.crowdstrike.cannon.firmwareanalysishardwaredata | edr.crowdstrike.cannon.firmwareanalysishardwaredata
CrowdStrike Cannon | edr.crowdstrike.cannon.firmwareanalysisstatus | edr.crowdstrike.cannon.firmwareanalysisstatus
CrowdStrike Cannon | edr.crowdstrike.cannon.fspostopensnapshotfile | edr.crowdstrike.cannon.fspostopensnapshotfile
CrowdStrike Cannon | edr.crowdstrike.cannon.fsvolumemounted | edr.crowdstrike.cannon.fsvolumemounted
CrowdStrike Cannon | edr.crowdstrike.cannon.fsvolumeunmounted | edr.crowdstrike.cannon.fsvolumeunmounted
CrowdStrike Cannon | edr.crowdstrike.cannon.genericfilewritten | edr.crowdstrike.cannon.genericfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.giffilewritten | edr.crowdstrike.cannon.giffilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.gzipfilewritten | edr.crowdstrike.cannon.gzipfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.hostedservicestarted | edr.crowdstrike.cannon.hostedservicestarted
CrowdStrike Cannon | edr.crowdstrike.cannon.hostedservicestopped | edr.crowdstrike.cannon.hostedservicestopped
CrowdStrike Cannon | edr.crowdstrike.cannon.hostinfo | edr.crowdstrike.cannon.hostinfo
CrowdStrike Cannon | edr.crowdstrike.cannon.hostnamechanged | edr.crowdstrike.cannon.hostnamechanged
CrowdStrike Cannon | edr.crowdstrike.cannon.imagehash | edr.crowdstrike.cannon.imagehash
CrowdStrike Cannon | edr.crowdstrike.cannon.injectedthread | edr.crowdstrike.cannon.injectedthread
CrowdStrike Cannon | edr.crowdstrike.cannon.installedapplication | edr.crowdstrike.cannon.installedapplication
CrowdStrike Cannon | edr.crowdstrike.cannon.installedupdates | edr.crowdstrike.cannon.installedupdates
CrowdStrike Cannon | edr.crowdstrike.cannon.invalid | edr.crowdstrike.cannon.invalid
CrowdStrike Cannon | edr.crowdstrike.cannon.iosessionconnected | edr.crowdstrike.cannon.iosessionconnected
CrowdStrike Cannon | edr.crowdstrike.cannon.iosessionloggedon | edr.crowdstrike.cannon.iosessionloggedon
CrowdStrike Cannon | edr.crowdstrike.cannon.jarfilewritten | edr.crowdstrike.cannon.jarfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.javaclassfilewritten | edr.crowdstrike.cannon.javaclassfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.jpegfilewritten | edr.crowdstrike.cannon.jpegfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.kernelmodeloadimage | edr.crowdstrike.cannon.kernelmodeloadimage
CrowdStrike Cannon | edr.crowdstrike.cannon.lfodownloadconfirmation | edr.crowdstrike.cannon.lfodownloadconfirmation
CrowdStrike Cannon | edr.crowdstrike.cannon.localipaddressip4 | edr.crowdstrike.cannon.localipaddressip4
CrowdStrike Cannon | edr.crowdstrike.cannon.localipaddressip6 | edr.crowdstrike.cannon.localipaddressip6
CrowdStrike Cannon | edr.crowdstrike.cannon.localipaddressremovedip4 | edr.crowdstrike.cannon.localipaddressremovedip4
CrowdStrike Cannon | edr.crowdstrike.cannon.localipaddressremovedip6 | edr.crowdstrike.cannon.localipaddressremovedip6
CrowdStrike Cannon | edr.crowdstrike.cannon.lsasshandlefromunsignedmodule | edr.crowdstrike.cannon.lsasshandlefromunsignedmodule
CrowdStrike Cannon | edr.crowdstrike.cannon.manifestdownloadcomplete | edr.crowdstrike.cannon.manifestdownloadcomplete
CrowdStrike Cannon | edr.crowdstrike.cannon.modifyservicebinary | edr.crowdstrike.cannon.modifyservicebinary
CrowdStrike Cannon | edr.crowdstrike.cannon.neighborlistip4 | edr.crowdstrike.cannon.neighborlistip4
CrowdStrike Cannon | edr.crowdstrike.cannon.neighborlistip6 | edr.crowdstrike.cannon.neighborlistip6
CrowdStrike Cannon | edr.crowdstrike.cannon.netshareadd | edr.crowdstrike.cannon.netshareadd
CrowdStrike Cannon | edr.crowdstrike.cannon.netsharesecuritymodify | edr.crowdstrike.cannon.netsharesecuritymodify
CrowdStrike Cannon | edr.crowdstrike.cannon.networkcapableasepwrite | edr.crowdstrike.cannon.networkcapableasepwrite
CrowdStrike Cannon | edr.crowdstrike.cannon.networkcloseip4 | edr.crowdstrike.cannon.networkcloseip4
CrowdStrike Cannon | edr.crowdstrike.cannon.networkcloseip6 | edr.crowdstrike.cannon.networkcloseip6
CrowdStrike Cannon | edr.crowdstrike.cannon.networkconnectip4 | edr.crowdstrike.cannon.networkconnectip4
CrowdStrike Cannon | edr.crowdstrike.cannon.networkconnectip6 | edr.crowdstrike.cannon.networkconnectip6
CrowdStrike Cannon | edr.crowdstrike.cannon.networklistenip4 | edr.crowdstrike.cannon.networklistenip4
CrowdStrike Cannon | edr.crowdstrike.cannon.networklistenip6 | edr.crowdstrike.cannon.networklistenip6
CrowdStrike Cannon | edr.crowdstrike.cannon.networkreceiveacceptip4 | edr.crowdstrike.cannon.networkreceiveacceptip4
CrowdStrike Cannon | edr.crowdstrike.cannon.networkreceiveacceptip6 | edr.crowdstrike.cannon.networkreceiveacceptip6
CrowdStrike Cannon | edr.crowdstrike.cannon.newexecutablerenamed | edr.crowdstrike.cannon.newexecutablerenamed
CrowdStrike Cannon | edr.crowdstrike.cannon.newexecutablewritten | edr.crowdstrike.cannon.newexecutablewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.newscriptwritten | edr.crowdstrike.cannon.newscriptwritten
CrowdStrike Cannon | edr.crowdstrike.cannon.olefilewritten | edr.crowdstrike.cannon.olefilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.ooxmlfilewritten | edr.crowdstrike.cannon.ooxmlfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.osversioninfo | edr.crowdstrike.cannon.osversioninfo
CrowdStrike Cannon | edr.crowdstrike.cannon.other | edr.crowdstrike.cannon.other
CrowdStrike Cannon | edr.crowdstrike.cannon.packedexecutablewritten | edr.crowdstrike.cannon.packedexecutablewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.pdffilewritten | edr.crowdstrike.cannon.pdffilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.pefilewritten | edr.crowdstrike.cannon.pefilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.pngfilewritten | edr.crowdstrike.cannon.pngfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.privilegedprocesshandlefromunsignedmodule | edr.crowdstrike.cannon.privilegedprocesshandlefromunsignedmodule
CrowdStrike Cannon | edr.crowdstrike.cannon.processinjection | edr.crowdstrike.cannon.processinjection
CrowdStrike Cannon | edr.crowdstrike.cannon.processrollup2 | edr.crowdstrike.cannon.processrollup2
CrowdStrike Cannon | edr.crowdstrike.cannon.processrollup2stats | edr.crowdstrike.cannon.processrollup2stats
CrowdStrike Cannon | edr.crowdstrike.cannon.processselfdeleted | edr.crowdstrike.cannon.processselfdeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.promiscuousbindip4 | edr.crowdstrike.cannon.promiscuousbindip4
CrowdStrike Cannon | edr.crowdstrike.cannon.queueapcetw | edr.crowdstrike.cannon.queueapcetw
CrowdStrike Cannon | edr.crowdstrike.cannon.ransomwareopenfile | edr.crowdstrike.cannon.ransomwareopenfile
CrowdStrike Cannon | edr.crowdstrike.cannon.rarfilewritten | edr.crowdstrike.cannon.rarfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.rawbindip4 | edr.crowdstrike.cannon.rawbindip4
CrowdStrike Cannon | edr.crowdstrike.cannon.rawbindip6 | edr.crowdstrike.cannon.rawbindip6
CrowdStrike Cannon | edr.crowdstrike.cannon.reflectivedotnedmoduleload | edr.crowdstrike.cannon.reflectivedotnedmoduleload
CrowdStrike Cannon | edr.crowdstrike.cannon.reggenericvalueupdate | edr.crowdstrike.cannon.reggenericvalueupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.registerrawinputdevicesetw | edr.crowdstrike.cannon.registerrawinputdevicesetw
CrowdStrike Cannon | edr.crowdstrike.cannon.regsystemconfigvalueupdate | edr.crowdstrike.cannon.regsystemconfigvalueupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.removablemediavolumemounted | edr.crowdstrike.cannon.removablemediavolumemounted
CrowdStrike Cannon | edr.crowdstrike.cannon.resourceutilization | edr.crowdstrike.cannon.resourceutilization
CrowdStrike Cannon | edr.crowdstrike.cannon.rtffilewritten | edr.crowdstrike.cannon.rtffilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.samhashdumpfromunsignedmodule | edr.crowdstrike.cannon.samhashdumpfromunsignedmodule
CrowdStrike Cannon | edr.crowdstrike.cannon.scheduledtaskdeleted | edr.crowdstrike.cannon.scheduledtaskdeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.scheduledtaskmodified | edr.crowdstrike.cannon.scheduledtaskmodified
CrowdStrike Cannon | edr.crowdstrike.cannon.scheduledtaskregistered | edr.crowdstrike.cannon.scheduledtaskregistered
CrowdStrike Cannon | edr.crowdstrike.cannon.screenshottakentw | edr.crowdstrike.cannon.screenshottakentw
CrowdStrike Cannon | edr.crowdstrike.cannon.scriptcontroldetectioninfo | edr.crowdstrike.cannon.scriptcontroldetectioninfo
CrowdStrike Cannon | edr.crowdstrike.cannon.scriptcontrolscantelemetry | edr.crowdstrike.cannon.scriptcontrolscantelemetry
CrowdStrike Cannon | edr.crowdstrike.cannon.sensitivewmiquery | edr.crowdstrike.cannon.sensitivewmiquery
CrowdStrike Cannon | edr.crowdstrike.cannon.sensorheartbeat | edr.crowdstrike.cannon.sensorheartbeat
CrowdStrike Cannon | edr.crowdstrike.cannon.servicestarted | edr.crowdstrike.cannon.servicestarted
CrowdStrike Cannon | edr.crowdstrike.cannon.setwineventhooketw | edr.crowdstrike.cannon.setwineventhooketw
CrowdStrike Cannon | edr.crowdstrike.cannon.sevenzipfilewritten | edr.crowdstrike.cannon.sevenzipfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.signinfoerror | edr.crowdstrike.cannon.signinfoerror
CrowdStrike Cannon | edr.crowdstrike.cannon.signinfowithcertandcontext | edr.crowdstrike.cannon.signinfowithcertandcontext
CrowdStrike Cannon | edr.crowdstrike.cannon.signinfowithcontext | edr.crowdstrike.cannon.signinfowithcontext
CrowdStrike Cannon | edr.crowdstrike.cannon.smbclientshareclosedetw | edr.crowdstrike.cannon.smbclientshareclosedetw
CrowdStrike Cannon | edr.crowdstrike.cannon.smbclientshareopenedetw | edr.crowdstrike.cannon.smbclientshareopenedetw
CrowdStrike Cannon | edr.crowdstrike.cannon.snapshotvolumemounted | edr.crowdstrike.cannon.snapshotvolumemounted
CrowdStrike Cannon | edr.crowdstrike.cannon.suspectcreatethreadstack | edr.crowdstrike.cannon.suspectcreatethreadstack
CrowdStrike Cannon | edr.crowdstrike.cannon.suspiciouscreatesymboliclink | edr.crowdstrike.cannon.suspiciouscreatesymboliclink
CrowdStrike Cannon | edr.crowdstrike.cannon.suspiciouslackofprocessrollupevents | edr.crowdstrike.cannon.suspiciouslackofprocessrollupevents
CrowdStrike Cannon | edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle | edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle
CrowdStrike Cannon | edr.crowdstrike.cannon.suspiciousregasepupdate | edr.crowdstrike.cannon.suspiciousregasepupdate
CrowdStrike Cannon | edr.crowdstrike.cannon.syntheticprocessrollup2 | edr.crowdstrike.cannon.syntheticprocessrollup2
CrowdStrike Cannon | edr.crowdstrike.cannon.systemcapacity | edr.crowdstrike.cannon.systemcapacity
CrowdStrike Cannon | edr.crowdstrike.cannon.tarfilewritten | edr.crowdstrike.cannon.tarfilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.tcgpcrinfo | edr.crowdstrike.cannon.tcgpcrinfo
CrowdStrike Cannon | edr.crowdstrike.cannon.terminateprocess | edr.crowdstrike.cannon.terminateprocess
CrowdStrike Cannon | edr.crowdstrike.cannon.tifffilewritten | edr.crowdstrike.cannon.tifffilewritten
CrowdStrike Cannon | edr.crowdstrike.cannon.tokenimpersonated | edr.crowdstrike.cannon.tokenimpersonated
CrowdStrike Cannon | edr.crowdstrike.cannon.umppaerrorevent | edr.crowdstrike.cannon.umppaerrorevent
CrowdStrike Cannon | edr.crowdstrike.cannon.umppcbypasssuspected | edr.crowdstrike.cannon.umppcbypasssuspected
CrowdStrike Cannon | edr.crowdstrike.cannon.updatemanifestdownloadcomplete | edr.crowdstrike.cannon.updatemanifestdownloadcomplete
CrowdStrike Cannon | edr.crowdstrike.cannon.useraccountaddedtogroup | edr.crowdstrike.cannon.useraccountaddedtogroup
CrowdStrike Cannon | edr.crowdstrike.cannon.userexceptiondep | edr.crowdstrike.cannon.userexceptiondep
CrowdStrike Cannon | edr.crowdstrike.cannon.userfontload | edr.crowdstrike.cannon.userfontload
CrowdStrike Cannon | edr.crowdstrike.cannon.useridentity | edr.crowdstrike.cannon.useridentity
CrowdStrike Cannon | edr.crowdstrike.cannon.userinformationetw | edr.crowdstrike.cannon.userinformationetw
CrowdStrike Cannon | edr.crowdstrike.cannon.userlogoff | edr.crowdstrike.cannon.userlogoff
CrowdStrike Cannon | edr.crowdstrike.cannon.userlogon | edr.crowdstrike.cannon.userlogon
CrowdStrike Cannon | edr.crowdstrike.cannon.userlogonfailed | edr.crowdstrike.cannon.userlogonfailed
CrowdStrike Cannon | edr.crowdstrike.cannon.userlogonfailed2 | edr.crowdstrike.cannon.userlogonfailed2
CrowdStrike Cannon | edr.crowdstrike.cannon.volumesnapshotcreated | edr.crowdstrike.cannon.volumesnapshotcreated
CrowdStrike Cannon | edr.crowdstrike.cannon.volumesnapshotdeleted | edr.crowdstrike.cannon.volumesnapshotdeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.wfpfiltertamperingfilteradded | edr.crowdstrike.cannon.wfpfiltertamperingfilteradded
CrowdStrike Cannon | edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted | edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted
CrowdStrike Cannon | edr.crowdstrike.cannon.wmicreateprocess | edr.crowdstrike.cannon.wmicreateprocess
CrowdStrike Cannon | edr.crowdstrike.cannon.wmifilterconsumerbindingetw | edr.crowdstrike.cannon.wmifilterconsumerbindingetw
CrowdStrike Cannon | edr.crowdstrike.cannon.wmiproviderregistrationetw | edr.crowdstrike.cannon.wmiproviderregistrationetw
CrowdStrike Cannon | edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent | edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent
CrowdStrike Cannon | edr.crowdstrike.cannon.zipfilewritten | edr.crowdstrike.cannon.zipfilewritten
CrowdStrike Cannon Basic | edr.crowdstrike.cannonBasic | edr.crowdstrike.cannonBasic
CrowdStrike Falcon Discover | edr.crowdstrike.discover | edr.crowdstrike.discover
CrowdStrike Falcon Discover | edr.crowdstrike.discover.appinfo | edr.crowdstrike.discover.appinfo
CrowdStrike Falcon Discover | edr.crowdstrike.discover.userinfo | edr.crowdstrike.discover.userinfo
CrowdStrike Falcon | edr.crowdstrike.falcon | edr.crowdstrike.falcon
CrowdStrike Falcon FileVantage | edr.crowdstrike.falcon_filevantage.change | edr.crowdstrike.falcon_filevantage.change
CrowdStrike Falcon Spotlight | edr.crowdstrike.spotlight.vulnerabilities | edr.crowdstrike.spotlight.vulnerabilities
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming | edr.crowdstrike.falconstreaming
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.agents | edr.crowdstrike.falconstreaming.agents
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.alert | edr.crowdstrike.falconstreaming.alert
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.auth_activity | edr.crowdstrike.falconstreaming.auth_activity
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.behaviors | edr.crowdstrike.falconstreaming.behaviors
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.cspm_ioa_streaming | edr.crowdstrike.falconstreaming.cspm_ioa_streaming
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.cspm_search_streaming | edr.crowdstrike.falconstreaming.cspm_search_streaming
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.customer_ioc | edr.crowdstrike.falconstreaming.customer_ioc
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.detection_summary (deprecated by CrowdStrike: use epp detection summary) | edr.crowdstrike.falconstreaming.detection_summary (deprecated by CrowdStrike: use epp detection summary)
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.epp_detection_summary | edr.crowdstrike.falconstreaming.epp_detection_summary
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.external_api | edr.crowdstrike.falconstreaming.external_api
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.firewall_match | edr.crowdstrike.falconstreaming.firewall_match
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.identity_protection | edr.crowdstrike.falconstreaming.identity_protection
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.idp_detection_summary | edr.crowdstrike.falconstreaming.idp_detection_summary
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.incident_summary | edr.crowdstrike.falconstreaming.incident_summary
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.incidents | edr.crowdstrike.falconstreaming.incidents
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.mobile_detection_summary | edr.crowdstrike.falconstreaming.mobile_detection_summary
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.other | edr.crowdstrike.falconstreaming.other
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.recon_notification_summary | edr.crowdstrike.falconstreaming.recon_notification_summary
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.remote_response_session | edr.crowdstrike.falconstreaming.remote_response_session
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.scheduled_report_notification | edr.crowdstrike.falconstreaming.scheduled_report_notification
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_detections | edr.crowdstrike.falconstreaming.user_activity_detections
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_device_control_policy | edr.crowdstrike.falconstreaming.user_activity_device_control_policy
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_devices | edr.crowdstrike.falconstreaming.user_activity_devices
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_groups | edr.crowdstrike.falconstreaming.user_activity_groups
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_ip_whitelist | edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_other | edr.crowdstrike.falconstreaming.user_activity_other
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_prevention_policy | edr.crowdstrike.falconstreaming.user_activity_prevention_policy
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_quarantined_files | edr.crowdstrike.falconstreaming.user_activity_quarantined_files
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy | edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
CrowdStrike Falcon Streaming | edr.crowdstrike.falconstreaming.vulnerabilities | edr.crowdstrike.falconstreaming.vulnerabilities
CrowdStrike Falcon Insight | edr.crowdstrike.insight |
CrowdStrike Falcon Insight | edr.crowdstrike.insight.aidmaster | edr.crowdstrike.insight.aidmaster
CrowdStrike Falcon Insight | edr.crowdstrike.insight.managedassets | edr.crowdstrike.insight.managedassets
CrowdStrike Falcon Insight | edr.crowdstrike.insight.notmanaged | edr.crowdstrike.insight.notmanaged

How is the data sent to Devo?

To send logs to these tables, there are different methods depending on the data source. Visit the support site for those not described below.

For CrowdStrike Falcon, visit this article to download and configure the collector. Devo's CrowdStrike Falcon Streaming Collector collects audit and detection data. This collector does the following:

  • Authenticates with the Falcon API.

  • Discovers available streams.

  • Creates a long-running stream connection to available streams.

  • As events come in, they are shipped into the Devo domain.

  • After an event is shipped to Devo, the offset id is saved to the state store so that the collector can resume from the same point if it is stopped.
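The ship-then-checkpoint loop described above, as an added example that is not Devo's collector code: a constructed newline-delimited stream (the metadata.offset / metadata.eventType layout is assumed), an in-memory stand-in for the state store, and a simulated stop between shipping an event and saving its offset, which is why a resumed collector can deliver an event twice.

```python
import json

# Constructed sample stream in newline-delimited JSON (assumed event shape, not captured data)
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"metadata": {"offset": 101, "eventType": "DetectionSummaryEvent"}, "event": {"Severity": 3}},
    {"metadata": {"offset": 102, "eventType": "UserActivityAuditEvent"}, "event": {"OperationName": "createUser"}},
    {"metadata": {"offset": 103, "eventType": "IncidentSummaryEvent"}, "event": {"FineScore": 42}},
])


class StateStore:
    """In-memory stand-in for the collector's state store: holds the last offset shipped."""
    def __init__(self):
        self.offset = None

    def save(self, offset):
        self.offset = offset

    def load(self):
        return self.offset


def read_stream(raw, resume_after=None):
    """Yield (offset, event) for events strictly after the saved offset (None = from the start)."""
    for line in raw.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        off = evt["metadata"]["offset"]
        if resume_after is None or off > resume_after:
            yield off, evt


def run_collector(raw, store, shipped, crash_after=None):
    """Ship every event after the checkpoint, saving its offset only once it has shipped.
    crash_after simulates the collector stopping between a ship and its checkpoint write."""
    for off, evt in read_stream(raw, store.load()):
        shipped.append(evt)              # ship to the Devo domain (simulated)
        if crash_after is not None and off == crash_after:
            return "stopped"             # offset for this event never reaches the state store
        store.save(off)                  # checkpoint after the successful ship
    return "done"


def dedupe(events):
    """Downstream safeguard: at-least-once delivery means a replay can repeat an offset."""
    seen, out = set(), []
    for e in events:
        off = e["metadata"]["offset"]
        if off not in seen:
            seen.add(off)
            out.append(e)
    return out


def demo_resume():
    """Stop after shipping offset 102, restart, and return the offsets that were shipped."""
    store, shipped = StateStore(), []
    run_collector(SAMPLE_STREAM, store, shipped, crash_after=102)
    run_collector(SAMPLE_STREAM, store, shipped)   # restart resumes after saved offset 101
    return [e["metadata"]["offset"] for e in shipped]
```

Offset 102 is shipped twice because the stop happened before its checkpoint was written; anything that counts or alerts on these events should tolerate that replay, as dedupe does.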

Setup

  1. Obtain access to the CrowdStrike API and acquire a client_id and client_secret for use.

     • The API scope necessary for the client is “Event Streams”.

     • If you have errors discovering streams, check that this scope is added to the API role.

  2. Add the CrowdStrike Falcon Streaming Collector to your domain and set your client_id and client_secret in the collector's parameters JSON.

  3. Done! Once the collector is added and running, you will see your Falcon data in the edr.crowdstrike.falconstreaming table.

Error/Troubleshooting

  • You get error (401) discovering streams - access denied, invalid bearer token.

    • The URL endpoint may not be correct. The default api_url setting is api.crowdstrike.com, but your CrowdStrike customer account may be configured with a different endpoint such as api.us-2.crowdstrike.com.

      • Update the api_url parameter and try again.

  • You get another error (not 401) while discovering streams.

    • Check that “Event Streams” is part of the API scope for the credentials provided.

Table structure

These are the fields displayed in the tables: