Document toolboxDocument toolbox

edr.crowdstrike: Table structure (Part 3)

Owned by Borja Moro Moreno
Last updated: Nov 25, 2024
5 min read

edr.crowdstrike.falconstreaming.user_activity_other

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

UserId

str

-

UserIp

ip4

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.recon_notification_summary

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

customerIDString

str

-

offset

int4

-

eventType

str

-

eventCreationTime

timestamp

-

version

str

-

notificationId

str

-

highlights_str

str

-

matchedTimestamp

timestamp

-

ruleId

str

-

ruleName

str

-

ruleTopic

str

-

rulePriority

str

-

itemId

str

-

itemType

str

-

itemPostedTimestamp

timestamp

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_detections

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

customerIDString

str

 

 

 

offset

int8

 

 

 

eventCreationTime

timestamp

 

 

 

version

str

 

 

 

eventType

str

 

 

 

ServiceName

str

 

 

 

OperationName

str

 

 

 

UTCTimestamp

timestamp

 

 

 

Success

bool

 

 

 

UserId

str

 

 

 

UserIp

ip4

 

 

 

detection_id

str

isnull(detection_id_aux) or isempty(detection_id_aux) ? composite_id : detection_id_aux

detection_id_aux

composite_id

 

composite_id

str

 

 

 

detects

str

 

 

 

new_state

str

 

 

 

assigned_to

str

 

 

 

assigned_to_uid

str

 

 

 

show_in_ui

str

 

 

 

APIClientID

str

 

 

 

AuditKeyValues

json

 

 

 

jsonEvent

json

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

edr.crowdstrike.falconstreaming.user_activity_devices

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

SensorId

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_prevention_policy

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

policy_id

str

-

devices_affected

str

-

policy_priority

str

-

old_policy_priority

str

-

policy_name

str

-

policy_description

str

-

policy_platform

str

-

policy_type

str

-

policy_assignment_rule

str

-

policy_enabled

str

-

policy_settings_AdwareExecution

str

-

old_policy_settings_AdwareExecution

str

-

policy_settings_ApplicationExploitationActivity

str

-

old_policy_settings_ApplicationExploitationActivity

str

-

policy_settings_BackupDeletion

str

-

old_policy_settings_BackupDeletion

str

-

policy_settings_ChopperWebshell

str

-

old_policy_settings_ChopperWebshell

str

-

policy_settings_Cryptowall

str

-

old_policy_settings_Cryptowall

str

-

policy_settings_CustomBlacklisting

str

-

old_policy_settings_CustomBlacklisting

str

-

policy_settings_DriveByDownload

str

-

old_policy_settings_DriveByDownload

str

-

policy_settings_FileAnalysis

str

-

old_policy_settings_FileAnalysis

str

-

policy_settings_FileAttributeAnalysis

str

-

old_policy_settings_FileAttributeAnalysis

str

-

policy_settings_FileEncryption

str

-

old_policy_settings_FileEncryption

str

-

policy_settings_ForceASLR

str

-

old_policy_settings_ForceASLR

str

-

policy_settings_ForceDEP

str

-

old_policy_settings_ForceDEP

str

-

policy_settings_HeapSprayPreallocation

str

-

old_policy_settings_HeapSprayPreallocation

str

-

policy_settings_Locky

str

-

old_policy_settings_Locky

str

-

policy_settings_WindowsLogonBypassStickyKeys

str

-

old_policy_settings_WindowsLogonBypassStickyKeys

str

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

customerIDString

str

-

offset

int8

-

eventCreationTime

timestamp

-

version

str

-

eventType

str

-

ServiceName

str

-

OperationName

str

-

UTCTimestamp

timestamp

-

Success

bool

-

UserId

str

-

UserIp

ip4

-

APIClientID

str

-

AuditKeyValues

json

-

jsonEvent

json

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falconstreaming.vulnerabilities

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

hostname

str

-

id

str

-

cid

str

-

aid

str

-

created_timestamp

timestamp

-

closed_timestamp

timestamp

-

updated_timestamp

timestamp

-

status

str

-

cve__id

str

-

cve__base_score

float8

-

cve__severity

str

-

cve__exploit_status

int4

-

app__product_name_version

str

-

apps

str

-

host_info__hostname

str

-

host_info__local_ip

ip4

-

host_info__machine_domain

str

-

host_info__os_version

str

-

host_info__ou

str

-

host_info__site_name

str

-

host_info__system_manufacturer

str

-

host_info__groups

str

-

host_info__tags

str

-

host_info__platform

str

-

remediation__ids

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.crowdstrike.falcon

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

metadata_customerIDString

str

 

 

 

metadata_offset

int4

 

 

 

metadata_eventType

str

 

 

 

metadata_eventCreationTime

int8

 

 

 

metadata_version

str

 

 

 

event_ProcessStartTime

int4

 

 

 

event_ProcessEndTime

int4

 

 

 

event_ProcessId

int8

 

 

 

event_ParentProcessId

int8

 

 

 

event_ComputerName

str

 

 

 

event_UserName

str

 

 

 

event_DetectId

str

isnull(event_DetectId_aux) or isempty(event_DetectId_aux) ? event_CompositeId : event_DetectId_aux

event_DetectId_aux

event_CompositeId

 

event_DetectName

str

isnull(event_DetectName_aux) or isempty(event_DetectName_aux) ? event_Name : event_DetectName_aux

event_Name

event_DetectName_aux

 

event_DetectDescription

str

event_DetectDescription_aux

event_Description

 

event_CompositeId

str

 

 

 

event_Name

str

 

 

 

event_Description

str

 

 

 

event_Severity

int4

 

 

 

event_SeverityName

str

 

 

 

event_FileName

str

 

 

 

event_FilePath

str

 

 

 

event_CommandLine

str

 

 

 

event_SHA256String

str

 

 

 

event_MD5String

str

 

 

 

event_SHA1String

str

 

 

 

event_MachineDomain

str

 

 

 

event_ExecutablesWritten

str

 

 

 

event_FalconHostLink

str

 

 

 

event_SensorId

str

 

 

 

event_IOCType

str

 

 

 

event_IOCValue

str

 

 

 

event_new_state

str

 

 

 

event_quarantined_file_id

str

 

 

 

event_action_taken

str

 

 

 

event_target_name

str

 

 

 

event_LocalIP

str

 

 

 

event_MACAddress

str

 

 

 

event_Tactic

str

 

 

 

event_Technique

str

 

 

 

event_Objective

str

 

 

 

event_group_id

str

 

 

 

event_group_name

str

 

 

 

event_old_group_name

str

 

 

 

event_group_description

str

 

 

 

event_old_group_description

str

 

 

 

event_group_assignment_rule

str

 

 

 

event_old_group_assignment_rule

str

 

 

 

event_policy_id

str

 

 

 

event_policy_name

str

 

 

 

event_old_policy_name

str

 

 

 

event_policy_description

str

 

 

 

event_policy_type

str

 

 

 

event_policy_enabled

bool

 

 

 

event_policy_platform

str

 

 

 

event_policy_assignment_rule

str

 

 

 

event_policy_settings_ReleaseID

str

 

 

 

event_old_policy_settings_ReleaseID

str

 

 

 

event_policy_settings_UninstallProtection

str

 

 

 

event_UserId

str

 

 

 

event_UserIp

str

 

 

 

event_OperationName

str

 

 

 

event_ServiceName

str

 

 

 

event_Success

bool

 

 

 

event_UTCTimestamp

int8

 

 

 

event_UTCTimestamp_formatted

timestamp

 

 

 

event_ScanResults_Engine_str

str

event_ScanResults_Engine

 

event_ScanResults_ResultName_str

str

event_ScanResults_ResultName

 

event_ScanResults_Version_str

str

event_ScanResults_Version

 

event_ScanResults_Detected_str

str

event_ScanResults_Detected

 

event_PatternDispositionDescription

str

 

 

 

event_PatternDispositionValue

int4

 

 

 

event_PatternDispositionFlags_Indicator

bool

 

 

 

event_PatternDispositionFlags_Detect

bool

 

 

 

event_PatternDispositionFlags_InddetMask

bool

 

 

 

event_PatternDispositionFlags_SensorOnly

bool

 

 

 

event_PatternDispositionFlags_Rooting

bool

 

 

 

event_PatternDispositionFlags_KillProcess

bool

 

 

 

event_PatternDispositionFlags_KillSubProcess

bool

 

 

 

event_PatternDispositionFlags_QuarantineMachine

bool

 

 

 

event_PatternDispositionFlags_QuarantineFile

bool

 

 

 

event_PatternDispositionFlags_PolicyDisabled

bool

 

 

 

event_PatternDispositionFlags_KillParent

bool

 

 

 

event_PatternDispositionFlags_OperationBlocked

bool

 

 

 

event_PatternDispositionFlags_ProcessBlocked

bool

 

 

 

event_ParentImageFileName

str

 

 

 

event_ParentCommandLine

str

 

 

 

event_GrandparentImageFileName

str

 

 

 

event_GrandparentCommandLine

str

 

 

 

event_QuarantineFiles_ImageFileName_str

str

event_QuarantineFiles_ImageFileName

 

event_QuarantineFiles_SHA256HashData_str

str

event_QuarantineFiles_SHA256HashData

 

message

str

 

rawSource

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

rawSource

✓

edr.crowdstrike.cannon

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

aid

str

-

aip

str

-

cid

str

-

event_platform

str

-

event_type

str

-

event_simpleName

str

-

id

str

-

name

str

-

timestamp

timestamp

-

AuthenticationId

str

-

CommandLine

str

-

ConfigBuild

str

-

ConfigStateHash

str

-

EffectiveTransmissionClass

str

-

Entitlements

str

-

FullFilePath

str

-

FilePath

str

-

FileName

str

-

ImageFileName

str

-

ImageSubsystem

str

-

IntegrityLevel

str

-

MD5HashData

str

-

ParentAuthenticationId

str

-

ParentProcessId

str

-

ProcessCreateFlags

str

-

ProcessEndTime

str

-

ProcessParameterFlags

str

-

ProcessStartTime

str

-

ProcessSxsFlags

str

-

RawProcessId

str

-

SHA1HashData

str

-

SHA256HashData

str

-

SourceProcessId

str

-

SourceThreadId

str

-

TargetFileName

str

-

TargetProcessId

str

-

SessionProcessId

str

-

TokenType

str

-

UserSid

str

-

ComputerName

str

-

ClientComputerName

str

-

FirstIP4Record

str

-

PhysicalAddress

str

-

ContextProcessId

str

-

LocalAddressIP4

ip4

-

LocalPort

str

-

Protocol

str

-

RemoteAddressIP4

ip4

-

RemotePort

str

-

hostchain

str

✓

tag

str

✓

tagGroup

str

-

rawMessage

str

-

edr.crowdstrike.cannon.associateindicator

Field

Type

Extra Field

Field

Type

Extra Field

eventdate

timestamp

-

hostname

str

-

event_simpleName

str

-

ContextTimeStamp

str

-

ConfigStateHash

str

-

aip

ip4

-

SessionProcessId

str

-

ConfigBuild

str

-

PatternDisposition

str

-

event_platform

str

-

TargetProcessId

str

-

PatternId

str

-

Entitlements

str

-

name

str

-

id

str

-

EffectiveTransmissionClass

str

-

aid

str

-

timestamp

str

-

cid

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓