edr.crowdstrike: Table structure (Part 2)
1. edr.crowdstrike.falconstreaming.incidents
2. edr.crowdstrike.falconstreaming.incident_summary
3. edr.crowdstrike.falconstreaming.mobile_detection_summary
4. edr.crowdstrike.falconstreaming.other
5. edr.crowdstrike.falconstreaming.recon_notification_summary
6. edr.crowdstrike.falconstreaming.remote_response_session
7. edr.crowdstrike.falconstreaming.scheduled_report_notification
8. edr.crowdstrike.falconstreaming.user_activity_groups
9. edr.crowdstrike.falconstreaming.user_activity_quarantined_files
10. edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

edr.crowdstrike.falconstreaming.incidents
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
hostname | | - |
incident_id | | - |
incident_type | | - |
cid | | - |
host_ids | | - |
hosts | | - |
created | | - |
start | | - |
end | | - |
state | | - |
status | | - |
tactics | | - |
techniques | | - |
objectives | | - |
fine_score | | - |
lmra_host_ids | | - |
lm_types | | - |
tags | | - |
modified_timestamp | | - |
users | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.incident_summary
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventCreationTime | | - |
version | | - |
eventType | | - |
State | | - |
IncidentID | | - |
IncidentStartTime | | - |
IncidentEndTime | | - |
FineScore | | - |
FalconHostLink | | - |
jsonEvent | | - |
rawMessage | | ✓ |
hostchain | | ✓ |
tag | | ✓ |

edr.crowdstrike.falconstreaming.mobile_detection_summary
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
customerIDString | | | | |
offset | | | | |
eventType | | | | |
eventCreationTime | | | | |
version | | | | |
sensorId | | | | |
mobileDetectionId | | | | |
computerName | | | | |
userName | | | | |
contextTimeStamp | | | | |
detectId | | isnull(detectId_aux) or isempty(detectId_aux) ? compositeId : detectId_aux | compositeId, detectId_aux | |
detectName | | isnull(detectName_aux) or isempty(detectName_aux) ? name : detectName_aux | detectName_aux, name | |
detectDescription | | isnull(detectDescription_aux) or isempty(detectDescription_aux) ? description : detectDescription_aux | description, detectDescription_aux | |
compositeId | | | | |
name | | | | |
description | | | | |
tactic | | | | |
tacticId | | | | |
technique | | | | |
techniqueId | | | | |
objective | | | | |
severity | | | | |
falconHostLink | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |

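The three transformed columns in the table above (`detectId`, `detectName`, `detectDescription`) are derived from a preferred `*_aux` source with a fallback to the base field whenever the `*_aux` value is null or empty. The following is an added example, not code from the original page nor from Devo or CrowdStrike, that applies exactly those three rules to raw events; the field names come from the table, while the sample events, the `is_null_or_empty` helper and the function names are constructed for this illustration.

```python
import json

# The three transformations listed in the table, as
# (target field, preferred *_aux source, fallback source).
MOBILE_DETECTION_TRANSFORMS = [
    ("detectId", "detectId_aux", "compositeId"),
    ("detectName", "detectName_aux", "name"),
    ("detectDescription", "detectDescription_aux", "description"),
]


def is_null_or_empty(value):
    """Equivalent of `isnull(x) or isempty(x)` in the table:
    a missing key, a JSON null or an empty string all count."""
    return value is None or value == ""


def apply_mobile_detection_transforms(event):
    """Return a copy of `event` with detectId / detectName / detectDescription
    filled in: the *_aux value wins unless it is null or empty, in which case
    the fallback source field is used (which may itself be absent)."""
    out = dict(event)
    for target, aux, fallback in MOBILE_DETECTION_TRANSFORMS:
        aux_value = event.get(aux)
        out[target] = event.get(fallback) if is_null_or_empty(aux_value) else aux_value
    return out


def normalize_events(raw_lines):
    """Parse one JSON event per line and apply the transformations to each."""
    return [apply_mobile_detection_transforms(json.loads(line)) for line in raw_lines]


# Constructed sample events (hypothetical values, not real CrowdStrike data).
# Event 1 carries only the base fields; event 2 carries *_aux values, one of
# which is empty and one of which is null, so each branch of the rule is hit.
SAMPLE_EVENTS = [
    json.dumps({"compositeId": "comp-1", "name": "Suspicious app",
                "description": "Base description one"}),
    json.dumps({"compositeId": "comp-2", "name": "Root detected",
                "description": "Base description two",
                "detectId_aux": "det-2", "detectName_aux": "",
                "detectDescription_aux": None}),
]

if __name__ == "__main__":
    for rec in normalize_events(SAMPLE_EVENTS):
        print(rec["detectId"], "|", rec["detectName"], "|", rec["detectDescription"])
```

Note that the rule treats an empty string and a null the same way, so a producer that sends `"detectName_aux": ""` still ends up with the base `name` in `detectName`; any downstream detection logic keyed on these columns should therefore not assume the `*_aux` value was the one used.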
edr.crowdstrike.falconstreaming.other
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
eventType | | - |
jsonEvent | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.recon_notification_summary
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventType | | - |
eventCreationTime | | - |
version | | - |
notificationId | | - |
highlights_str | | - |
matchedTimestamp | | - |
ruleId | | - |
ruleName | | - |
ruleTopic | | - |
rulePriority | | - |
itemId | | - |
itemType | | - |
itemPostedTimestamp | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.remote_response_session
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventCreationTime | | - |
version | | - |
eventType | | - |
SessionId | | - |
UserName | | - |
HostnameField | | - |
StartTimestamp | | - |
EndTimestamp | | - |
Commands | | - |
jsonEvent | | - |
rawMessage | | ✓ |
hostchain | | ✓ |
tag | | ✓ |

edr.crowdstrike.falconstreaming.scheduled_report_notification
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventType | | - |
eventCreationTime | | - |
version | | - |
userUUID | | - |
userID | | - |
executionID | | - |
reportID | | - |
reportName | | - |
reportType | | - |
reportFileReference | | - |
status | | - |
statusMessage | | - |
executionStart | | - |
executionDuration | | - |
reportFileName | | - |
resultCount | | - |
resultID | | - |
searchWindowStart | | - |
searchWindowEnd | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.user_activity_groups
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventCreationTime | | - |
version | | - |
eventType | | - |
ServiceName | | - |
OperationName | | - |
UTCTimestamp | | - |
Success | | - |
UserId | | - |
UserIp | | - |
group_id | | - |
group_name | | - |
group_description | | - |
group_assignment_rule | | - |
old_group_assignment_rule | | - |
APIClientID | | - |
AuditKeyValues | | - |
jsonEvent | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.user_activity_quarantined_files
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventCreationTime | | - |
version | | - |
eventType | | - |
ServiceName | | - |
OperationName | | - |
UTCTimestamp | | - |
Success | | - |
UserId | | - |
UserIp | | - |
quarantined_file_id | | - |
action_taken | | - |
APIClientID | | - |
AuditKeyValues | | - |
jsonEvent | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
Field | Type | Extra Field |
---|---|---|
eventdate | | - |
customerIDString | | - |
offset | | - |
eventCreationTime | | - |
version | | - |
eventType | | - |
ServiceName | | - |
OperationName | | - |
UTCTimestamp | | - |
Success | | - |
UserId | | - |
UserIp | | - |
quarantined_file_id | | - |
action_taken | | - |
APIClientID | | - |
AuditKeyValues | | - |
jsonEvent | | - |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |