Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Data Transports
Supported Logs
1Password Logs
Apache Logs
Asana Logs
Atlassian Logs
AWS Logs
Box Logs
Cisco Umbrella Logs
Cloudflare Logs
CrowdStrike Logs
Dropbox Logs
Duo Security Logs
Fastly Logs
Fluentd Logs
GCP Logs
Github Logs
GitLab Logs
G Suite Logs
JAMF Pro Logs
Juniper Logs
Lacework Logs
Microsoft 365 Logs
Microsoft Graph Logs (Beta)
Nginx Logs
Okta Logs
OneLogin Logs
Osquery Logs
OSSEC Logs
Salesforce Logs
Sophos Logs
Slack Logs
Snyk Logs
Suricata Logs
Syslog Logs
Teleport Logs
Zeek Logs
Zoom Logs
Zendesk Logs
Custom Logs
Monitoring Log Sources
Writing Detections
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
CrowdStrike Logs
Connecting CrowdStrike logs to your Panther Console

Overview

Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator.

How to onboard CrowdStrike logs to Panther

Prerequisites

  • You must have an active subscription to Falcon Data Replicator and it must be enabled in Crowdstrike.
  • There is no minimum version of Falcon Data Replicator required.

Step 1: Create FDR API Keys

  1. 1.
    Log in to your CrowdStrike Falcon console.
  2. 2.
    Navigate to the API Clients and Keys page.
  3. 3.
    Click Create new credentials under the FDR AWS S3 Credentials and SQS Queue section.
  4. 4.
    Copy down the Client ID, Secret ID, and SQS URL for the next steps.

Step 2: Create a New CrowdStrike Source in Panther

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar menu, click Integrations > Log Sources.
  3. 3.
    Click Create New.
  4. 4.
    Select CrowdStrike from the list of available log sources. Click Start Source Setup.
  5. 5.
    Fill in the fields below:
    • Name: A memorable name for the source e.g. CrowdStrike Falcon.
    • SQS Url: The URL for the CrowdStrike-managed SQS queue, previously copied.
    • AWS Access Key, AWS Access Secret: The AWS access key and secret, previously copied.
  6. 6.
    Click Continue Setup.
  7. 7.
    You will be directed to a confirmation screen where you can set up a log drop-off alarm.
    • This feature sends an error message if logs aren't received within a specified time interval.
  8. 8.
    Click Finish Setup.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Crowdstrike.AIDMaster

Sensor and Host information provided by Falcon Insight.
schema: Crowdstrike.AIDMaster
parser:
native:
name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
version: 0
fields:
- name: Time
required: true
description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
type: timestamp
timeFormat: unix
isEventTime: true
- name: AgentLoadFlags
required: true
description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
type: int
- name: AgentLocalTime
required: true
description: The local time for the sensor in epoch format.
type: timestamp
timeFormat: unix
- name: AgentTimeOffset
required: true
description: The time since the last reboot in epoch format.
type: float
- name: AgentVersion
required: true
description: The version of the sensor running on a host.
type: string
- name: aid
required: true
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- md5
- trace_id
- name: aip
required: true
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: BiosManufacturer
description: The manufacturer of the host's BIOS.
type: string
- name: BiosVersion
description: The version of the host's BIOS.
type: string
- name: ChassisType
description: Type of system chassis, as defined in SMBIOS Standard.
type: string
- name: City
description: The system's city of origin.
type: string
- name: Country
description: The system's country of origin.
type: string
- name: Continent
description: The sensor's continent, as seen from the CrowdStrike cloud.
type: string
- name: ComputerName
description: The name of the host.
type: string
- name: ConfigBuild
description: ConfigBuild field
type: string
- name: ConfigIDBuild
description: Build number used as part of the ConfigID.
type: string
- name: event_platform
description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
type: string
- name: FalconGroupingTags
description: FalconGroupingTags field
type: string
- name: FirstSeen
description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
type: timestamp
timeFormat: unix
- name: MachineDomain
description: The Windows domain name to which the host is currently joined.
type: string
- name: OU
description: The organizational unit of the host as seen by the sensor (defined by system admin).
type: string
- name: PointerSize
description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
type: string
- name: ProductType
description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
type: string
- name: SensorGroupingTags
description: SensorGroupingTags field
type: string
- name: ServicePackMajor
description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
type: string
- name: SiteName
description: The site name of the domain to which the host is joined (defined by system admin).
type: string
- name: SystemManufacturer
description: The host's system manufacturer.
type: string
- name: SystemProductName
description: The host's product name.
type: string
- name: Timezone
description: The sensor's time zone, as seen from the CrowdStrike cloud.
type: string
- name: Version
description: The host's system version.
type: string
- name: HostHiddenStatus
description: Whether the host is visible or not.
type: string

Crowdstrike.ActivityAudit

Contains activity audit information.
schema: Crowdstrike.ActivityAudit
parser:
native:
name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
version: 0
fields:
- name: AgentIdString
description: The Agent ID
type: string
- name: cid
description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
type: string
indicators:
- md5
- trace_id
- name: ExternalApiType
required: true
description: The external API type
type: string
- name: Nonce
description: The nonce
type: bigint
- name: ServiceName
description: The service name
type: string
- name: UserId
description: User that performed the operation, e.g. person that performed the operation to create a new user account.
type: string
indicators:
- email
- name: UserIp
description: IP address of user that performs the operation.
type: string
indicators:
- ip
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: EventType
required: true
description: Will be Event_ExternalApiEvent
type: string
- name: OperationName
description: The operation name
type: string
- name: UTCTimestamp
description: The timestamp
type: timestamp
timeFormat: unix_ms
- name: timestamp
required: true
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: AuditKeyValues
description: The AuditKeyValues
type: array
element:
type: object
fields:
- name: Key
description: The Key
type: string
- name: ValueString
description: The value as a string
type: string
- name: eid
description: The EID
type: bigint
- name: Success
description: If the operation was successful or not
type: boolean
- name: EventUUID
description: The EventUUID
type: string

Crowdstrike.AppInfo

Detected Application Information provided by Falcon Discover.
schema: Crowdstrike.AppInfo
parser:
native:
name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
version: 0
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- md5
- trace_id
- name: CompanyName
required: true
description: The name of the company.
type: string
- name: detectioncount
required: true
description: The number of detections.
type: bigint
- name: FileName
required: true
description: The name of the file.
type: string
- name: SHA256HashData
required: true
description: The file hash bashed on SHA-256.
type: string
indicators:
- sha256
- name: FileDescription
description: The description of the file, if any.
type: string
- name: FileVersion
description: The version of the file.
type: string
- name: ProductName
description: The name of the product.
type: string
- name: ProductVersion
description: The version of the product.
type: string

Crowdstrike.CriticalFile

This event is generated every time a critical file is accessed or modified.
schema: Crowdstrike.CriticalFile
parser:
native:
name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
version: 0
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: GID
description: The user Group ID
type: bigint
- name: TargetFileName
description: The file that was accessed
type: string
- name: UID
description: The User ID
type: bigint
- name: UnixMode
description: The unix file permissions
type: string
- name: FileIdentifier
description: The file identifier
type: string
- name: USN
description: The USN
type: bigint

Crowdstrike.DNSRequest

This event is generated for every attempted DNS name resolution on a host.
schema: Crowdstrike.DNSRequest
parser:
native:
name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
version: 0
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: DomainName
description: The domain name requested
type: string
indicators:
- domain
- name: InterfaceIndex
description: The network interface index (Windows only)
type: bigint
- name: DualRequest
description: If the event is dual request (Windows only)
type: bigint
- name: DnsRequestCount
description: The number of DNS requests (Windows only)
type: bigint
- name: AppIdentifier
description: The identifier of the app that made the request (Android, iOS)
type: string
- name: IpAddress
description: The device ip address (Android, iOS)
type: string
indicators:
- ip
- name: RequestType
description: The DNS request type
type: string

Crowdstrike.DetectionSummary

Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
schema: Crowdstrike.DetectionSummary
parser:
native:
name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
version: 0
fields:
- name: cid
description: Customer ID
type: string
indicators:
- md5
- trace_id
- name: Technique
description: The name of the technique associated to the behavior.
type: string
- name: ProcessId
description: Process ID.
type: bigint
- name: AgentIdString
description: Agent Id.
type: string
- name: DetectName
description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
type: string
- name: ComputerName
description: Host name.
type: string
- name: ProcessStartTime
description: Timestamp of when a process started.
type: timestamp
timeFormat: unix
- name: GrandparentCommandLine
description: Effective transmission class
type: string
- name: MACAddress
description: The MAC Address
type: string
- name: CommandLine
description: The command line execution of the process.
type: string
- name: Objective
description: The name of the objective associated to the behavior.
type: string
- name: Nonce
description: The nonce.
type: bigint
- name: SHA256String
description: SHA256 hash.
type: string
indicators:
- sha256
- name: ExternalApiType
required: true
description: The type of the External API
type: string
- name: PatternDispositionValue
description: The pattern disposition value.
type: bigint
- name: DetectId
description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
type: string
- name: Severity
description: The severity
type: bigint
- name: PatternDispositionDescription
description: The description of the pattern associated to the action taken on the behavior.
type: string
- name: SeverityName
description: The severity name.
type: string
- name: MD5String
description: MD5 hash
type: string
indicators:
- md5
- name: EventUUID
description: Event UUID
type: string
- name: UserName
description: User name.
type: string
indicators:
- username
- name: FilePath
description: Full path of the file, excluding the file name.
type: string
- name: timestamp
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: ParentCommandLine
description: The command line of the parent process.
type: string
- name: DetectDescription
description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
type: string
- name: LocalIP
description: The local IP.
type: string
indicators:
- ip
- name: ProcessEndTime
description: Timestamp of when a process ended in UNIX EPOCH time.
type: timestamp
timeFormat: unix
- name: SHA1String
description: SHA1 hash
type: string
indicators:
- sha1
- name: OriginSourceIpAddress
description: The OriginSourceIpAddress.
type: string
indicators:
- ip
- name: GrandparentImageFileName
description: The GrandparentImageFileName
type: string
- name: MachineDomain
description: The Windows Domain Name to which the machine is currently joined.
type: string
- name: ParentImageFileName
description: The ParentImageFileName
type: string
- name: FalconHostLink
description: Link to view detection event in Falcon console.
type: string
- name: UTCTimestamp
description: The UTC timestamp.
type: timestamp
timeFormat: unix_ms
- name: FileName
description: File name if a file is involved in the detection.
type: string
- name: ParentProcessId
description: Parent Process ID.
type: bigint
- name: EventType
required: true
description: The EventType.
type: string
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: Tactic
description: The name of the tactic associated to the behavior.
type: string
- name: SensorId
description: Falcon sensor Agent ID.
type: string
- name: eid
description: The EID.
type: bigint
- name: PatternDispositionFlags
description: The pattern disposition flags
type: json

Crowdstrike.GroupIdentity

Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
schema: Crowdstrike.GroupIdentity
parser:
native:
name: Crowdstrike.GroupIdentity
description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
version: 0
fields:
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: event_simpleName
required: true
description: Event Name
type: string
- name: GID
required: true
description: The user Group ID.
type: bigint
- name: AuthenticationUuid
required: true
description: AuthenticationUUID field
type: string
- name: AuthenticationUuidAsString
required: true
description: AuthenticationUUIDAsString field
type: string
- name: AuthenticationId
required: true
description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
type: int
- name: UserPrincipal
required: true
description: UserPrincipal field
type: string
- name: UserSid
required: true
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
type: string

Crowdstrike.ManagedAssets

Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address).
schema: Crowdstrike.ManagedAssets
parser:
native:
name: Crowdstrike.ManagedAssets
description: 'Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)'
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets
version: 0
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: aid
required: true
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- md5
- trace_id
- name: GatewayIP
description: The gateway of the system where the sensor is installed.
type: string
indicators:
- ip
- name: GatewayMAC
description: The MAC address of the gateway.
type: string
- name: MACPrefix
required: true
description: An identifier unique to the organization.
type: string
- name: MAC
required: true
description: The MAC address of the system.
type: string
- name: LocalAddressIP4
required: true
description: The device's local IP address in IPv4 format.
type: string
indicators:
- ip
- name: InterfaceAlias
description: The user-friendly name of the IP interface.
type: string
- name: InterfaceDescription
description: The network adapter used for the IP interface.
type: string

Crowdstrike.NetworkConnect

This event is generated when an application attempts a remote connection on an interface.
schema: Crowdstrike.NetworkConnect
parser:
native:
name: Crowdstrike.NetworkConnect
description: This event is generated when an application attempts a remote connection on an interface
version: 0
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- md5
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- md5
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type