
cef0.crowdstrike

Introduction

The tags beginning with cef0.crowdstrike identify events in CEF format generated by CrowdStrike Falcon Host.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags                           Data tables
cef0.crowdstrike.falconhost    cef0.crowdstrike.falconhost

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
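As an added illustration (not Devo's own parser and not part of the original page), the following Python takes a syslog line carrying a CEF event, splits the header into the cefVersion, embDeviceVendor, embDeviceProduct, deviceVersion, signatureID, name and severity columns listed under Table structure, parses the extension key=value pairs (cn1/cn1Label, cs1/cs1Label and so on, handling CEF's backslash escapes and casting the int8 cn fields), and derives the destination table in the cef0.deviceVendor.deviceProduct form. The sample lines are constructed, and lowercasing vendor and product to reach cef0.crowdstrike.falconhost is an assumption about the normalisation, not documented behaviour.

```python
import re
# Constructed samples (invented values, not real detections), in the shape the page describes:
# syslog header + CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
SAMPLE = ('<134>Jan 10 12:00:00 falcon CEF:0|CrowdStrike|FalconHost|1.0|'
          'DetectionSummaryEvent|Detection Summary|8|cn1=3 cn1Label=Severity '
          'cs1=Suspicious Activity cs1Label=Tactic fileHash=abc123 suser=alice')
SAMPLE_ESCAPED = (r'CEF:0|CrowdStrike|FalconHost|1.0|Detection|Name with \| pipe|5|'
                  r'msg=key\=value path\\here suser=bob')
HEADER = ('cefVersion', 'embDeviceVendor', 'embDeviceProduct', 'deviceVersion',
          'signatureID', 'name', 'severity')        # column names from the table structure
INT_FIELDS = ('cn1', 'cn2', 'cn3')                  # typed int8 in that table
EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')  # a key followed by an unescaped '='

def split_header(cef):
    """Split the seven header fields on unescaped '|' (a backslash escapes '|' and itself)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == '\\' and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2
        elif ch == '|':
            fields.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError('malformed CEF header: fewer than 7 fields')
    return fields, cef[i:]

def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces, '\\=' and '\\\\'."""
    keys = list(EXT_KEY.finditer(ext))
    out = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[k.end():nxt.start() if nxt else len(ext)].strip()
        out[k.group(1)] = re.sub(r'\\([=\\])', r'\1', raw)   # drop the escaping backslash
    return out

def parse_cef_event(line):
    """Return (destination table, record) for a syslog line carrying a CEF event."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF payload in line')
    fields, ext = split_header(line[start + 4:])
    rec = dict(zip(HEADER, fields))
    rec.update(parse_extension(ext))
    rec.update({f: int(rec[f]) for f in INT_FIELDS if f in rec})   # int8 columns
    # Assumption: vendor and product are lowercased with non-alphanumerics dropped.
    tag = 'cef0.%s.%s' % tuple(re.sub(r'[^a-z0-9]', '', v.lower()) for v in fields[1:3])
    return tag, rec
```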

Table structure

These are the fields displayed in this table:

cef0.crowdstrike.falconhost

Field                            Type        Source field name   Extra fields
eventdate                        timestamp
priorityCode                     str
cefTag                           str
cefVersion                       str
embDeviceVendor                  str
embDeviceProduct                 str
deviceVersion                    str
signatureID                      str
name                             str
severity                         str
PolicyNameLabel                  str
cat                              str
cmdLine                          str
cmdLineLabel                     str
cn1                              int8
cn1Label                         str
cn2                              int8
cn2Label                         str
cn3                              int8
cn3Label                         str
connectionDirection              str
connectionDirectionLabel         str
cs1                              str
cs1Label                         str
cs6                              str
cs6Label                         str
deviceCustomDate1                timestamp
deviceCustomDate1Label           str
deviceId                         str
dhost                            str
eventType                        str
externalID                       str
fileHash                         str
filePath                         str
fname                            str
hostName                         str
icmpCodeLabel                    str
imageFileName                    str
imageFileNameLabel               str
ipVLabel                         str
localAddress                     str
localAddressLabel                str
localPort                        str
localPortLabel                   str
matchCount                       str
matchCountLabel                  str
matchCountSinceLastReport        str
matchCountSinceLastReportLabel   str
msg                              str
networkProfile                   str
networkProfileLabel              str
protocol                         str
protocolLabel                    str
remoteAddress                    str
remoteAddressLabel               str
remotePort                       str
remotePortLabel                  str
rt                               timestamp
ruleAction                       str
ruleActionLabel                  str
ruleDescriptionLabel             str
ruleGroupName                    str
ruleGroupNameLabel               str
ruleName                         str
ruleNameLabel                    str
shost                            str
sntdom                           str
statusLabel                      str
suser                            str
duser                            str
rawMessage                       str
tag                              str         cefTag              ✓
hostchain                        str                             ✓