CrowdStrike Logs
Onboarding CrowdStrike logs into your Panther Console

Overview

Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator.

How to onboard CrowdStrike logs to Panther

Prerequisites

  • You must have an active subscription to Falcon Data Replicator, and it must be enabled in CrowdStrike.
  • There is no minimum version of Falcon Data Replicator required.

Step 1: Create FDR API Keys

  1. Log in to your CrowdStrike Falcon console.
  2. Navigate to the API Clients and Keys page.
  3. Click Create new credentials under the FDR AWS S3 Credentials and SQS Queue section.
  4. Copy down the Client ID, Secret ID, and SQS URL for the next steps.

Step 2: Create a New CrowdStrike Source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select CrowdStrike from the list of available log sources. Click Start Source Setup.
  5. Fill in the fields below:
    • Name: A memorable name for the source, e.g. CrowdStrike Falcon.
    • SQS Url: The URL for the CrowdStrike-managed SQS queue, previously copied.
    • AWS Access Key, AWS Access Secret: The AWS access key and secret, previously copied.
  6. Click Continue Setup.
  7. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
    • This feature sends an error message if logs aren't received within a specified time interval.
  8. Click Finish Setup.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Crowdstrike.AIDMaster

Sensor and Host information provided by Falcon Insight.
```yaml
schema: Crowdstrike.AIDMaster
parser:
  native:
    name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
version: 0
fields:
  - name: Time
    required: true
    description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: AgentLoadFlags
    required: true
    description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
    type: int
  - name: AgentLocalTime
    required: true
    description: The local time for the sensor in epoch format.
    type: timestamp
    timeFormat: unix
  - name: AgentTimeOffset
    required: true
    description: The time since the last reboot in epoch format.
    type: float
  - name: AgentVersion
    required: true
    description: The version of the sensor running on a host.
    type: string
  - name: aid
    required: true
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: cid
    required: true
    description: The customer ID.
    type: string
    indicators:
      - md5
      - trace_id
  - name: aip
    required: true
    description: The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
    type: string
    indicators:
      - ip
  - name: BiosManufacturer
    description: The manufacturer of the host's BIOS.
    type: string
  - name: BiosVersion
    description: The version of the host's BIOS.
    type: string
  - name: ChassisType
    description: Type of system chassis, as defined in SMBIOS Standard.
    type: string
  - name: City
    description: The system's city of origin.
    type: string
  - name: Country
    description: The system's country of origin.
    type: string
  - name: Continent
    description: The sensor's continent, as seen from the CrowdStrike cloud.
    type: string
  - name: ComputerName
    description: The name of the host.
    type: string
  - name: ConfigBuild
    description: ConfigBuild field
    type: string
  - name: ConfigIDBuild
    description: Build number used as part of the ConfigID.
    type: string
  - name: event_platform
    description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
    type: string
  - name: FalconGroupingTags
    description: FalconGroupingTags field
    type: string
  - name: FirstSeen
    description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
    type: timestamp
    timeFormat: unix
  - name: MachineDomain
    description: The Windows domain name to which the host is currently joined.
    type: string
  - name: OU
    description: The organizational unit of the host as seen by the sensor (defined by system admin).
    type: string
  - name: PointerSize
    description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
    type: string
  - name: ProductType
    description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
    type: string
  - name: SensorGroupingTags
    description: SensorGroupingTags field
    type: string
  - name: ServicePackMajor
    description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
    type: string
  - name: SiteName
    description: The site name of the domain to which the host is joined (defined by system admin).
    type: string
  - name: SystemManufacturer
    description: The host's system manufacturer.
    type: string
  - name: SystemProductName
    description: The host's product name.
    type: string
  - name: Timezone
    description: The sensor's time zone, as seen from the CrowdStrike cloud.
    type: string
  - name: Version
    description: The host's system version.
    type: string
  - name: HostHiddenStatus
    description: Whether the host is visible or not.
    type: string
```

Crowdstrike.ActivityAudit

Contains activity audit information.
```yaml
schema: Crowdstrike.ActivityAudit
parser:
  native:
    name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
version: 0
fields:
  - name: AgentIdString
    description: The Agent ID
    type: string
  - name: cid
    description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
    type: string
    indicators:
      - md5
      - trace_id
  - name: ExternalApiType
    required: true
    description: The external API type
    type: string
  - name: Nonce
    description: The nonce
    type: bigint
  - name: ServiceName
    description: The service name
    type: string
  - name: UserId
    description: User that performed the operation, e.g. person that performed the operation to create a new user account.
    type: string
    indicators:
      - email
  - name: UserIp
    description: IP address of user that performs the operation.
    type: string
    indicators:
      - ip
  - name: CustomerIdString
    description: Unique ID assigned by CS for each customer.
    type: string
  - name: EventType
    required: true
    description: Will be Event_ExternalApiEvent
    type: string
  - name: OperationName
    description: The operation name
    type: string
  - name: UTCTimestamp
    description: The timestamp
    type: timestamp
    timeFormat: unix_ms
  - name: timestamp
    required: true
    description: The timestamp
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: AuditKeyValues
    description: The AuditKeyValues
    type: array
    element:
      type: object
      fields:
        - name: Key
          description: The Key
          type: string
        - name: ValueString
          description: The value as a string
          type: string
  - name: eid
    description: The EID
    type: bigint
  - name: Success
    description: If the operation was successful or not
    type: boolean
  - name: EventUUID
    description: The EventUUID
    type: string
```

Crowdstrike.AppInfo

Detected Application Information provided by Falcon Discover.
```yaml
schema: Crowdstrike.AppInfo
parser:
  native:
    name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
version: 0
fields:
  - name: _time
    required: true
    description: The host's local time in epoch format.
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: cid
    required: true
    description: The customer ID.
    type: string
    indicators:
      - md5
      - trace_id
  - name: CompanyName
    required: true
    description: The name of the company.
    type: string
  - name: detectioncount
    required: true
    description: The number of detections.
    type: bigint
  - name: FileName
    required: true
    description: The name of the file.
    type: string
  - name: SHA256HashData
    required: true
    description: The file hash based on SHA-256.
    type: string
    indicators:
      - sha256
  - name: FileDescription
    description: The description of the file, if any.
    type: string
  - name: FileVersion
    description: The version of the file.
    type: string
  - name: ProductName
    description: The name of the product.
    type: string
  - name: ProductVersion
    description: The version of the product.
    type: string
```

Crowdstrike.CriticalFile

This event is generated every time a critical file is accessed or modified.
```yaml
schema: Crowdstrike.CriticalFile
parser:
  native:
    name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
version: 0
fields:
  - name: event_simpleName
    required: true
    description: Event name
    type: string
  - name: name
    required: true
    description: The event name
    type: string
  - name: aid
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: aip
    description: The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
    type: string
    indicators:
      - ip
  - name: cid
    description: CID
    type: string
    indicators:
      - md5
      - trace_id
  - name: id
    description: ID
    type: string
  - name: event_platform
    description: The platform the sensor was running on
    type: string
  - name: timestamp
    description: Timestamp when the event was received by the CrowdStrike cloud.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: _time
    description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
    type: timestamp
    timeFormat: layout=01/02/2006 15:04:05.999
  - name: ComputerName
    description: The name of the host.
    type: string
    indicators:
      - hostname
  - name: ConfigBuild
    description: Config build
    type: string
  - name: ConfigStateHash
    description: Config state hash
    type: string
  - name: Entitlements
    description: Entitlements
    type: string
  - name: TreeId
    description: If this event is part of a detection tree, the tree ID it is part of
    type: string
    indicators:
      - trace_id
  - name: TreeId_decimal
    description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
    type: bigint
  - name: ContextThreadId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextThreadId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: ContextTimeStamp
    description: The time at which an event occurred on the system, as seen by the sensor.
    type: timestamp
    timeFormat: unix
  - name: ContextTimeStamp_decimal
    description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
    type: timestamp
    timeFormat: unix_ms
  - name: ContextProcessId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextProcessId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: InContext
    description: In context (N/A on iOS)
    type: string
  - name: EffectiveTransmissionClass
    description: Effective transmission class
    type: bigint
  - name: GID
    description: The user Group ID
    type: bigint
  - name: TargetFileName
    description: The file that was accessed
    type: string
  - name: UID
    description: The User ID
    type: bigint
  - name: UnixMode
    description: The unix file permissions
    type: string
  - name: FileIdentifier
    description: The file identifier
    type: string
  - name: USN
    description: The USN
    type: bigint
```
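As an added example (not Panther's own parser and not part of the original page), the Python below checks a constructed FDR record against a trimmed-down subset of the Crowdstrike.CriticalFile schema above: it reports missing required fields, coerces bigint fields, parses each timestamp according to its timeFormat (unix, unix_ms, rfc3339, and the Go-style layout=... form), and selects the isEventTime field as the event time. The schema subset, the Go-layout-to-strptime conversion, and the sample event values are all assumptions made for this example.

```python
"""Check a constructed FDR record against a trimmed Crowdstrike.CriticalFile schema.

Added example, not Panther's parser. The schema dict is a hypothetical subset
of the Crowdstrike.CriticalFile schema documented on this page.
"""
from datetime import datetime, timedelta, timezone

# Subset of the page's Crowdstrike.CriticalFile schema, expressed as a dict.
CRITICAL_FILE_SCHEMA = {
    "schema": "Crowdstrike.CriticalFile",
    "fields": [
        {"name": "event_simpleName", "required": True, "type": "string"},
        {"name": "name", "required": True, "type": "string"},
        {"name": "aid", "type": "string", "indicators": ["md5", "trace_id"]},
        {"name": "timestamp", "type": "timestamp", "timeFormat": "unix_ms",
         "isEventTime": True},
        {"name": "_time", "type": "timestamp",
         "timeFormat": "layout=01/02/2006 15:04:05.999"},
        {"name": "ContextTimeStamp", "type": "timestamp", "timeFormat": "unix"},
        {"name": "TargetFileName", "type": "string"},
        {"name": "UID", "type": "bigint"},
    ],
}

# Constructed sample event (not a real FDR record; the aid is a made-up value).
SAMPLE_EVENT = {
    "event_simpleName": "CriticalFileAccessed",
    "name": "CriticalFileAccessedMacV1",
    "aid": "0123456789abcdef0123456789abcdef",
    "timestamp": "1612189365120",
    "_time": "02/01/2021 14:22:45.120",
    "ContextTimeStamp": "1612189360.812",
    "TargetFileName": "/etc/sudoers",
    "UID": "501",
}

# Go reference-time tokens mapped to strptime directives; enough for the
# layout used on this page (each result is a '%' directive, so later tokens
# cannot match inside an earlier replacement).
_GO_TOKENS = [("2006", "%Y"), ("01", "%m"), ("02", "%d"), ("15", "%H"),
              ("04", "%M"), ("05", "%S"), (".999", ".%f")]


def go_layout_to_strptime(layout):
    """Translate a Go-style layout string into a strptime format string."""
    for go_token, py_directive in _GO_TOKENS:
        layout = layout.replace(go_token, py_directive)
    return layout


def parse_timestamp(value, time_format):
    """Parse one timestamp value the way its schema timeFormat says to."""
    if time_format == "unix":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if time_format == "unix_ms":
        ms = int(value)  # integer arithmetic keeps the millisecond exact
        base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
        return base + timedelta(milliseconds=ms % 1000)
    if time_format == "rfc3339":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if time_format.startswith("layout="):
        fmt = go_layout_to_strptime(time_format[len("layout="):])
        return datetime.strptime(str(value), fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported timeFormat {time_format!r}")


def validate_event(event, schema):
    """Return (missing_required, errors, normalized) for one raw event."""
    missing, errors, normalized = [], [], {}
    for field in schema["fields"]:
        name = field["name"]
        if name not in event:
            if field.get("required"):
                missing.append(name)
            continue
        try:
            if field["type"] == "timestamp":
                normalized[name] = parse_timestamp(event[name], field["timeFormat"])
            elif field["type"] in ("int", "bigint"):
                normalized[name] = int(event[name])
            else:
                normalized[name] = str(event[name])
        except (ValueError, TypeError) as exc:
            errors.append(f"{name}: {exc}")
    return missing, errors, normalized


def event_time(schema, normalized):
    """Pick the field flagged isEventTime, which Panther uses as the event time."""
    for field in schema["fields"]:
        if field.get("isEventTime") and field["name"] in normalized:
            return normalized[field["name"]]
    return None


if __name__ == "__main__":
    missing, errors, normalized = validate_event(SAMPLE_EVENT, CRITICAL_FILE_SCHEMA)
    print("missing required:", missing, "errors:", errors)
    print("event time:", event_time(CRITICAL_FILE_SCHEMA, normalized).isoformat())
```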

Crowdstrike.DNSRequest

This event is generated for every attempted DNS name resolution on a host.
```yaml
schema: Crowdstrike.DNSRequest
parser:
  native:
    name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
version: 0
fields:
  - name: event_simpleName
    required: true
    description: Event name
    type: string
  - name: name
    required: true
    description: The event name
    type: string
  - name: aid
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: aip
    description: The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
    type: string
    indicators:
      - ip
  - name: cid
    description: CID
    type: string
    indicators:
      - md5
      - trace_id
  - name: id
    description: ID
    type: string
  - name: event_platform
    description: The platform the sensor was running on
    type: string
  - name: timestamp
    description: Timestamp when the event was received by the CrowdStrike cloud.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: _time
    description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
    type: timestamp
    timeFormat: layout=01/02/2006 15:04:05.999
  - name: ComputerName
    description: The name of the host.
    type: string
    indicators:
      - hostname
  - name: ConfigBuild
    description: Config build
    type: string
  - name: ConfigStateHash
    description: Config state hash
    type: string
  - name: Entitlements
    description: Entitlements
    type: string
  - name: TreeId
    description: If this event is part of a detection tree, the tree ID it is part of
    type: string
    indicators:
      - trace_id
  - name: TreeId_decimal
    description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
    type: bigint
  - name: ContextThreadId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextThreadId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: ContextTimeStamp
    description: The time at which an event occurred on the system, as seen by the sensor.
    type: timestamp
    timeFormat: unix
  - name: ContextTimeStamp_decimal
    description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
    type: timestamp
    timeFormat: unix_ms
  - name: ContextProcessId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextProcessId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: InContext
    description: In context (N/A on iOS)
    type: string
  - name: EffectiveTransmissionClass
    description: Effective transmission class
    type: bigint
  - name: DomainName
    description: The domain name requested
    type: string
    indicators:
      - domain
  - name: InterfaceIndex
    description: The network interface index (Windows only)
    type: bigint
  - name: DualRequest
    description: If the event is dual request (Windows only)
    type: bigint
  - name: DnsRequestCount
    description: The number of DNS requests (Windows only)
    type: bigint
  - name: AppIdentifier
    description: The identifier of the app that made the request (Android, iOS)
    type: string
  - name: IpAddress
    description: The device ip address (Android, iOS)
    type: string
    indicators:
      - ip
  - name: RequestType
    description: The DNS request type
    type: string
```

Crowdstrike.DetectionSummary

Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
```yaml
schema: Crowdstrike.DetectionSummary
parser:
  native:
    name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
version: 0
fields:
  - name: cid
    description: Customer ID
    type: string
    indicators:
      - md5
      - trace_id
  - name: Technique
    description: The name of the technique associated to the behavior.
    type: string
  - name: ProcessId
    description: Process ID.
    type: bigint
  - name: AgentIdString
    description: Agent Id.
    type: string
  - name: DetectName
    description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE''s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
    type: string
  - name: ComputerName
    description: Host name.
    type: string
  - name: ProcessStartTime
    description: Timestamp of when a process started.
    type: timestamp
    timeFormat: unix
  - name: GrandparentCommandLine
    description: Effective transmission class
    type: string
  - name: MACAddress
    description: The MAC Address
    type: string
  - name: CommandLine
    description: The command line execution of the process.
    type: string
  - name: Objective
    description: The name of the objective associated to the behavior.
    type: string
  - name: Nonce
    description: The nonce.
    type: bigint
  - name: SHA256String
    description: SHA256 hash.
    type: string
    indicators:
      - sha256
  - name: ExternalApiType
    required: true
    description: The type of the External API
    type: string
  - name: PatternDispositionValue
    description: The pattern disposition value.
    type: bigint
  - name: DetectId
    description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
    type: string
  - name: Severity
    description: The severity
    type: bigint
  - name: PatternDispositionDescription
    description: The description of the pattern associated to the action taken on the behavior.
    type: string
  - name: SeverityName
    description: The severity name.
    type: string
  - name: MD5String
    description: MD5 hash
    type: string
    indicators:
      - md5
  - name: EventUUID
    description: Event UUID
    type: string
  - name: UserName
    description: User name.
    type: string
    indicators:
      - username
  - name: FilePath
    description: Full path of the file, excluding the file name.
    type: string
  - name: timestamp
    description: The timestamp
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: ParentCommandLine
    description: The command line of the parent process.
    type: string
  - name: DetectDescription
    description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
    type: string
  - name: LocalIP
    description: The local IP.
    type: string
    indicators:
      - ip
  - name: ProcessEndTime
    description: Timestamp of when a process ended in UNIX EPOCH time.
    type: timestamp
    timeFormat: unix
  - name: SHA1String
    description: SHA1 hash
    type: string
    indicators:
      - sha1
  - name: OriginSourceIpAddress
    description: The OriginSourceIpAddress.
    type: string
    indicators:
      - ip
  - name: GrandparentImageFileName
    description: The GrandparentImageFileName
    type: string
  - name: MachineDomain
    description: The Windows Domain Name to which the machine is currently joined.
    type: string
  - name: ParentImageFileName
    description: The ParentImageFileName
    type: string
  - name: FalconHostLink
    description: Link to view detection event in Falcon console.
    type: string
  - name: UTCTimestamp
    description: The UTC timestamp.
    type: timestamp
    timeFormat: unix_ms
  - name: FileName
    description: File name if a file is involved in the detection.
    type: string
  - name: ParentProcessId
    description: Parent Process ID.
    type: bigint
  - name: EventType
    required: true
    description: The EventType.
    type: string
  - name: CustomerIdString
    description: Unique ID assigned by CS for each customer.
    type: string
  - name: Tactic
    description: The name of the tactic associated to the behavior.
    type: string
  - name: SensorId
    description: Falcon sensor Agent ID.
    type: string
  - name: eid
    description: The EID.
    type: bigint
  - name: PatternDispositionFlags
    description: The pattern disposition flags
    type: json
```

Crowdstrike.GroupIdentity

Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
```yaml
schema: Crowdstrike.GroupIdentity
parser:
  native:
    name: Crowdstrike.GroupIdentity
description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
version: 0
fields:
  - name: name
    required: true
    description: The event name
    type: string
  - name: aid
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: aip
    description: The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
    type: string
    indicators:
      - ip
  - name: cid
    description: CID
    type: string
    indicators:
      - md5
      - trace_id
  - name: id
    description: ID
    type: string
  - name: event_platform
    description: The platform the sensor was running on
    type: string
  - name: timestamp
    description: Timestamp when the event was received by the CrowdStrike cloud.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: _time
    description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
    type: timestamp
    timeFormat: layout=01/02/2006 15:04:05.999
  - name: ComputerName
    description: The name of the host.
    type: string
    indicators:
      - hostname
  - name: ConfigBuild
    description: Config build
    type: string
  - name: ConfigStateHash
    description: Config state hash
    type: string
  - name: Entitlements
    description: Entitlements
    type: string
  - name: TreeId
    description: If this event is part of a detection tree, the tree ID it is part of
    type: string
    indicators:
      - trace_id
  - name: TreeId_decimal
    description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
    type: bigint
  - name: ContextThreadId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextThreadId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: ContextTimeStamp
    description: The time at which an event occurred on the system, as seen by the sensor.
    type: timestamp
    timeFormat: unix
  - name: ContextTimeStamp_decimal
    description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
    type: timestamp
    timeFormat: unix_ms
  - name: ContextProcessId
    description: The unique ID of a process that was spawned by another process.
    type: string
  - name: ContextProcessId_decimal
    description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
    type: bigint
  - name: InContext
    description: In context (N/A on iOS)
    type: string
  - name: event_simpleName
    required: true
    description: Event Name
    type: string
  - name: GID
    required: true
    description: The user Group ID.
    type: bigint
  - name: AuthenticationUuid
    required: true
    description: AuthenticationUUID field
    type: string
  - name: AuthenticationUuidAsString
    required: true
    description: AuthenticationUUIDAsString field
    type: string
  - name: AuthenticationId
    required: true
    description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
    type: int
  - name: UserPrincipal
    required: true
    description: UserPrincipal field
    type: string
  - name: UserSid
    required: true
    description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
    type: string
```

Crowdstrike.ManagedAssets

Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address).
```yaml
schema: Crowdstrike.ManagedAssets
parser:
  native:
    name: Crowdstrike.ManagedAssets
description: 'Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)'
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets
version: 0
fields:
  - name: _time
    required: true
    description: The host's local time in epoch format.
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: aid
    required: true
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: cid
    required: true
    description: The customer ID.
    type: string
    indicators:
      - md5
      - trace_id
  - name: GatewayIP
    description: The gateway of the system where the sensor is installed.
    type: string
    indicators:
      - ip
  - name: GatewayMAC
    description: The MAC address of the gateway.
    type: string
  - name: MACPrefix
    required: true
    description: An identifier unique to the organization.
    type: string
  - name: MAC
    required: true
    description: The MAC address of the system.
    type: string
  - name: LocalAddressIP4
    required: true
    description: The device's local IP address in IPv4 format.
    type: string
    indicators:
      - ip
  - name: InterfaceAlias
    description: The user-friendly name of the IP interface.
    type: string
  - name: InterfaceDescription
    description: The network adapter used for the IP interface.
    type: string
```

Crowdstrike.NetworkConnect

This event is generated when an application attempts a remote connection on an interface.
```yaml
schema: Crowdstrike.NetworkConnect
parser:
  native:
    name: Crowdstrike.NetworkConnect
description: This event is generated when an application attempts a remote connection on an interface
version: 0
fields:
  - name: event_simpleName
    required: true
    description: Event name
    type: string
  - name: name
    required: true
    description: The event name
    type: string
  - name: aid
    description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
    type: string
    indicators:
      - md5
      - trace_id
  - name: aip
    description: The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
    type: string
    indicators:
      - ip
  - name: cid
    description: CID
    type: string
    indicators:
      - md5
      - trace_id
  - name: id
    description: ID
    type: string
  - name: event_platform
    description: The platform the sensor was running on
    type: string
  - name: timestamp
    description: Timestamp when the event was received by the CrowdStrike cloud.
    type: timestamp
    timeFormat: unix_ms
    isEventTime:
```