CrowdStrike Logs
Connecting CrowdStrike logs to your Panther Console
Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator (FDR).
As of Panther version 1.52, all new CrowdStrike log source configurations will use the Crowdstrike.FDREvent schema.
- There is no minimum version of FDR required.
- 1.Log in to your CrowdStrike Falcon console.
- 2.Navigate to the API Clients and Keys page.
- 3.Click Create new credentials under the FDR AWS S3 Credentials and SQS Queue section.
- 4.Copy the Client ID, Secret ID, and SQS URL and store them in a secure location. You will need them in the next steps.
- 1.Log in to your Panther Console.
- 2.In the left sidebar menu, click Configure > Log Sources.
- 3.Click Create New.
- 4.Select CrowdStrike from the list of available log sources. Click Start Source Setup.
- 5.Fill in the fields below:
- Name: Enter a descriptive name for the source, e.g.
CrowdStrike Falcon. - SQS URL: Enter the URL for the CrowdStrike-managed SQS queue, previously copied.
- AWS Access Key, AWS Access Secret: Enter the AWS access key and secret that you copied in the previous steps.
- 6.Click Continue Setup.
- 7.You will be directed to a confirmation screen where you can set up a log drop-off alarm.
- This feature sends an error message if logs aren't received within a specified time interval.
- 8.Click Finish Setup.
Required fields in the schema are listed as "required: true" just below the "name" field.
Crowdstrike.FDREvent contains all event types produced by the FDR. Including all types of events in a single log type helps to:- Provide ongoing ingestion flexibility and reduce maintenance efforts.
- For example, if CrowdStrike adds a new event type, you may not need to rewrite existing detection logic and data queries.
- Simplify querying of CrowdStrike logs by enriching all
Crowdstrike.FDREventlogs with commonly referenced fields, such asevent_simpleName. - Expedite investigations by leveraging the indicators extracted from each FDR event type and stored in
Crowdstrike.FDREvent.
The FDR data stream sends the following two types of events:
- Primary events
- These events include information related to threat hunting, archiving data, warehousing data, and SIEM activity.
- A complete list of primary event types supported by
Crowdstrike.FDREventcan be viewed on CrowdStrike's documentation on streaming API events.
- Secondary events
- These events include additional environment information.
- A complete list of secondary event types supported by
Crowdstrike.FDREventcan be viewed on CrowdStrike's documentation on data for seeing additional environment information.
Not all FDR events contain the same fields. To accommodate this, the value of
fdr_event_type is assigned dynamically, according to the following rules (ordered by precedence):- 1.If
event_simpleNameis present,fdr_event_type=event_simpleName - 2.If
event_typeis present,fdr_event_type=event.event_type - 3.If
ExternalApiTypeis present,fdr_event_type=event.ExternalApiTypeCrowdstrike.DetectionSummaryandCrowdstrike.ActivityAuditlog types define thisExternalApiTypefield.
- 4.If the FDR event is a secondary event,
fdr_event_type= the event type as described in CrowdStrike's documentation on seeing additional environment information.- In this case, the resulting log type is still
Crowdstrike.FDREvent.
- 5.If none of the above conditions are met,
fdr_event_type=unknown
schema: Crowdstrike.FDREvent
parser:
native:
name: Crowdstrike.FDREvent
description: Contains all Crowdstrike Falcon Data Replicator events
referenceURL: https://falcon.us-2.crowdstrike.com/documentation/9/falcon-data-replicator
fields:
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormats:
- unix_ms
- rfc3339
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormats:
- '%m/%d/%Y %H:%M:%S.%f'
- unix
isEventTime: true
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormats:
- unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: event_simpleName
description: Event name
type: string
- name: fdr_event_type
description: Crowdstrike Event type (populated by panther)
type: string
- name: TargetProcessId_decimal
description: The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
type: string
- name: FileName
description: The name of the file.
type: string
- name: FilePath
description: The full path of the file, including the file name.
type: string
- name: event
description: The full JSON payload of the event
type: json
Existing CrowdStrike log source configurations set up prior to Panther version 1.52 will continue to function using the legacy log types below, until you transition them to Crowdstrike.FDREvent. Please contact your Panther support team if you would like assistance with this transition.
Sensor and Host information provided by Falcon Insight.
schema: Crowdstrike.AIDMaster
parser:
native:
name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
fields:
- name: Time
required: true
description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
type: timestamp
timeFormat: unix
isEventTime: true
- name: AgentLoadFlags
required: true
description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
type: int
- name: AgentLocalTime
required: true
description: The local time for the sensor in epoch format.
type: timestamp
timeFormat: unix
- name: AgentTimeOffset
required: true
description: The time since the last reboot in epoch format.
type: float
- name: AgentVersion
required: true
description: The version of the sensor running on a host.
type: string
- name: aid
required: true
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- md5
- trace_id
- name: aip
required: true
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: BiosManufacturer
description: The manufacturer of the host's BIOS.
type: string
- name: BiosVersion
description: The version of the host's BIOS.
type: string
- name: ChassisType
description: Type of system chassis, as defined in SMBIOS Standard.
type: string
- name: City
description: The system's city of origin.
type: string
- name: Country
description: The system's country of origin.
type: string
- name: Continent
description: The sensor's continent, as seen from the CrowdStrike cloud.
type: string
- name: ComputerName
description: The name of the host.
type: string
- name: ConfigBuild
description: ConfigBuild field
type: string
- name: ConfigIDBuild
description: Build number used as part of the ConfigID.
type: string
- name: event_platform
description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
type: string
- name: FalconGroupingTags
description: FalconGroupingTags field
type: string
- name: FirstSeen
description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
type: timestamp
timeFormat: unix
- name: MachineDomain
description: The Windows domain name to which the host is currently joined.
type: string
- name: OU
description: The organizational unit of the host as seen by the sensor (defined by system admin).
type: string
- name: PointerSize
description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
type: string
- name: ProductType
description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
type: string
- name: SensorGroupingTags
description: SensorGroupingTags field
type: string
- name: ServicePackMajor
description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
type: string
- name: SiteName
description: The site name of the domain to which the host is joined (defined by system admin).
type: string
- name: SystemManufacturer
description: The host's system manufacturer.
type: string
- name: SystemProductName
description: The host's product name.
type: string
- name: Timezone
description: The sensor's time zone, as seen from the CrowdStrike cloud.
type: string
- name: Version
description: The host's system version.
type: string
- name: HostHiddenStatus
description: Whether the host is visible or not.
type: string
Contains activity audit information.
schema: Crowdstrike.ActivityAudit
parser:
native:
name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
fields:
- name: AgentIdString
description: The Agent ID
type: string
- name: cid
description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
type: string
indicators:
- md5
- trace_id
- name: ExternalApiType
required: true
description: The external API type
type: string
- name: Nonce
description: The nonce
type: bigint
- name: ServiceName
description: The service name
type: string
- name: UserId
description: User that performed the operation, e.g. person that performed the operation to create a new user account.
type: string
indicators:
- email
- name: UserIp
description: IP address of user that performs the operation.
type: string
indicators:
- ip
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: EventType
required: true
description: Will be Event_ExternalApiEvent
type: string
- name: OperationName
description: The operation name
type: string
- name: UTCTimestamp
description: The timestamp
type: timestamp
timeFormat: unix_ms
- name: timestamp
required: true
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: AuditKeyValues
description: The AuditKeyValues
type: array
element:
type: object
fields:
- name: Key
description: The Key
type: string
- name: ValueString
description: The value as a string
type: string
- name: eid
description: The EID
type: bigint
- name: Success
description: If the operation was successful or not
type: boolean
- name: EventUUID
description: The EventUUID
type: string
Detected Application Information provided by Falcon Discover.
schema: Crowdstrike.AppInfo
parser:
native:
name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- md5
- trace_id
- name: CompanyName
required: true
description: The name of the company.
type: string
- name: detectioncount
required: true
description: The number of detections.
type: bigint
- name: FileName
required: true
description: The name of the file.
type: string
- name: SHA256HashData
required: true
description: The file hash bashed on SHA-256.
type: string
indicators:
- sha256
- name: FileDescription
description: The description of the file, if any.
type: string
- name: FileVersion
description: The version of the file.
type: string
- name: ProductName
description: The name of the product.
type: string
- name: ProductVersion
description: The version of the product.
type: string
This event is generated every time a critical file is accessed or modified.
schema: Crowdstrike.CriticalFile
parser:
native:
name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: GID
description: The user Group ID
type: bigint
- name: TargetFileName
description: The file that was accessed
type: string
- name: UID
description: The User ID
type: bigint
- name: UnixMode
description: The unix file permissions
type: string
- name: FileIdentifier
description: The file identifier
type: string
- name: USN
description: The USN
type: bigint
This event is generated for every attempted DNS name resolution on a host.
schema: Crowdstrike.DNSRequest
parser:
native:
name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: DomainName
description: The domain name requested
type: string
indicators:
- domain
- name: InterfaceIndex
description: The network interface index (Windows only)
type: bigint
- name: DualRequest
description: If the event is dual request (Windows only)
type: bigint
- name: DnsRequestCount
description: The number of DNS requests (Windows only)
type: bigint
- name: AppIdentifier
description: The identifier of the app that made the request (Android, iOS)
type: string
- name: IpAddress
description: The device ip address (Android, iOS)
type: string
indicators:
- ip
- name: RequestType
description: The DNS request type
type: string
Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
schema: Crowdstrike.DetectionSummary
parser:
native:
name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
fields:
- name: cid
description: Customer ID
type: string
indicators:
- md5
- trace_id
- name: Technique
description: The name of the technique associated to the behavior.
type: string
- name: ProcessId
description: Process ID.
type: bigint
- name: AgentIdString
description: Agent Id.
type: string
- name: DetectName
description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
type: string
- name: ComputerName
description: Host name.
type: string
- name: ProcessStartTime
description: Timestamp of when a process started.
type: timestamp
timeFormat: unix
- name: GrandparentCommandLine
description: Effective transmission class
type: string
- name: MACAddress
description: The MAC Address
type: string
- name: CommandLine
description: The command line execution of the process.
type: string
- name: Objective
description: The name of the objective associated to the behavior.
type: string
- name: Nonce
description: The nonce.
type: bigint
- name: SHA256String
description: SHA256 hash.
type: string
indicators:
- sha256
- name: ExternalApiType
required: true
description: The type of the External API
type: string
- name: PatternDispositionValue
description: The pattern disposition value.
type: bigint
- name: DetectId
description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
type: string
- name: Severity
description: The severity
type: bigint
- name: PatternDispositionDescription
description: The description of the pattern associated to the action taken on the behavior.
type: string
- name: SeverityName
description: The severity name.
type: string
- name: MD5String
description: MD5 hash
type: string
indicators:
- md5
- name: EventUUID
description: Event UUID
type: string
- name: UserName
description: User name.
type: string
indicators:
- username
- name: FilePath
description: Full path of the file, excluding the file name.
type: string
- name: timestamp
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: ParentCommandLine
description: The command line of the parent process.
type: string
- name: DetectDescription
description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
type: string
- name: LocalIP
description: The local IP.
type: string
indicators:
- ip
- name: ProcessEndTime
description: Timestamp of when a process ended in UNIX EPOCH time.
type: timestamp
timeFormat: unix
- name: SHA1String
description: SHA1 hash
type: string
indicators:
- sha1
- name: OriginSourceIpAddress
description: The OriginSourceIpAddress.
type: string
indicators:
- ip
- name: GrandparentImageFileName
description: The GrandparentImageFileName
type: string
- name: MachineDomain
description: The Windows Domain Name to which the machine is currently joined.
type: string
- name: ParentImageFileName
description: The ParentImageFileName
type: string
- name: FalconHostLink
description: Link to view detection event in Falcon console.
type: string
- name: UTCTimestamp
description: The UTC timestamp.
type: timestamp
timeFormat: unix_ms
- name: FileName
description: File name if a file is involved in the detection.
type: string
- name: ParentProcessId
description: Parent Process ID.
type: bigint
- name: EventType
required: true
description: The EventType.
type: string
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: Tactic
description: The name of the tactic associated to the behavior.
type: string
- name: SensorId
description: Falcon sensor Agent ID.
type: string
- name: eid
description: The EID.
type: bigint
- name: PatternDispositionFlags
description: The pattern disposition flags
type: json
Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
schema: Crowdstrike.GroupIdentity
parser:
native:
name: Crowdstrike.GroupIdentity
description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
fields:
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators: