CrowdStrike Logs

Docs Home Panther.com Release Notes Demo Request
Search…
CrowdStrike Logs
Onboarding CrowdStrike logs into your Panther Console
Overview
Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator.
How to onboard CrowdStrike logs to Panther
Prerequisites
You must have an active subscription to Falcon Data Replicator and it must be enabled in Crowdstrike.
There is no minimum version of Falcon Data Replicator required.
Step 1: Create FDR API Keys
1.Log in to your CrowdStrike Falcon console.
2.Navigate to the API Clients and Keys page.
3.Click Create new credentials under the FDR AWS S3 Credentials and SQS Queue section.
4.Copy down the Client ID, Secret ID, and SQS URL for the next steps.
​
​
Step 2: Create a New CrowdStrike Source in Panther
1.Log in to your Panther Console.
2.In the left sidebar menu, click Integrations > Log Sources.
3.Click Create New.
4.Select CrowdStrike from the list of available log sources. Click Start Source Setup.
5.Fill in the fields below:
Name: A memorable name for the source e.g. CrowdStrike Falcon.
SQS Url: The URL for the CrowdStrike-managed SQS queue, previously copied.
AWS Access Key, AWS Access Secret: The AWS access key and secret, previously copied.

6.Click Continue Setup.
7.You will be directed to a confirmation screen where you can set up a log drop-off alarm.
This feature sends an error message if logs aren't received within a specified time interval.
8.Click Finish Setup.
Supported log types
Required fields in the schema are listed as "required: true" just below the "name" field.
Crowdstrike.AIDMaster
Sensor and Host information provided by Falcon Insight.
Reference: CrowdStrike Documentation on Falcon Data Replicator.​
1
schema: Crowdstrike.AIDMaster
2
parser:
3
 native:
4
 name: Crowdstrike.AIDMaster
5
description: Sensor and Host information provided by Falcon Insight
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
7
version: 0
8
fields:
9
 - name: Time
10
 required: true
11
 description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
12
 type: timestamp
13
 timeFormat: unix
14
 isEventTime: true
15
 - name: AgentLoadFlags
16
 required: true
17
 description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
18
 type: int
19
 - name: AgentLocalTime
20
 required: true
21
 description: The local time for the sensor in epoch format.
22
 type: timestamp
23
 timeFormat: unix
24
 - name: AgentTimeOffset
25
 required: true
26
 description: The time since the last reboot in epoch format.
27
 type: float
28
 - name: AgentVersion
29
 required: true
30
 description: The version of the sensor running on a host.
31
 type: string
32
 - name: aid
33
 required: true
34
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
35
 type: string
36
 indicators:
37
 - md5
38
 - trace_id
39
 - name: cid
40
 required: true
41
 description: The customer ID.
42
 type: string
43
 indicators:
44
 - md5
45
 - trace_id
46
 - name: aip
47
 required: true
48
 description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
49
 type: string
50
 indicators:
51
 - ip
52
 - name: BiosManufacturer
53
 description: The manufacturer of the host's BIOS.
54
 type: string
55
 - name: BiosVersion
56
 description: The version of the host's BIOS.
57
 type: string
58
 - name: ChassisType
59
 description: Type of system chassis, as defined in SMBIOS Standard.
60
 type: string
61
 - name: City
62
 description: The system's city of origin.
63
 type: string
64
 - name: Country
65
 description: The system's country of origin.
66
 type: string
67
 - name: Continent
68
 description: The sensor's continent, as seen from the CrowdStrike cloud.
69
 type: string
70
 - name: ComputerName
71
 description: The name of the host.
72
 type: string
73
 - name: ConfigBuild
74
 description: ConfigBuild field
75
 type: string
76
 - name: ConfigIDBuild
77
 description: Build number used as part of the ConfigID.
78
 type: string
79
 - name: event_platform
80
 description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
81
 type: string
82
 - name: FalconGroupingTags
83
 description: FalconGroupingTags field
84
 type: string
85
 - name: FirstSeen
86
 description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
87
 type: timestamp
88
 timeFormat: unix
89
 - name: MachineDomain
90
 description: The Windows domain name to which the host is currently joined.
91
 type: string
92
 - name: OU
93
 description: The organizational unit of the host as seen by the sensor (defined by system admin).
94
 type: string
95
 - name: PointerSize
96
 description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
97
 type: string
98
 - name: ProductType
99
 description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
100
 type: string
101
 - name: SensorGroupingTags
102
 description: SensorGroupingTags field
103
 type: string
104
 - name: ServicePackMajor
105
 description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
106
 type: string
107
 - name: SiteName
108
 description: The site name of the domain to which the host is joined (defined by system admin).
109
 type: string
110
 - name: SystemManufacturer
111
 description: The host's system manufacturer.
112
 type: string
113
 - name: SystemProductName
114
 description: The host's product name.
115
 type: string
116
 - name: Timezone
117
 description: The sensor's time zone, as seen from the CrowdStrike cloud.
118
 type: string
119
 - name: Version
120
 description: The host's system version.
121
 type: string
122
 - name: HostHiddenStatus
123
 description: Whether the host is visible or not.
124
 type: string
Copied!
Crowdstrike.ActivityAudit
Contains activity audit information.
Reference: CrowdStrike Documentation on Streaming API Event Authentication.​
1
schema: Crowdstrike.ActivityAudit
2
parser:
3
 native:
4
 name: Crowdstrike.ActivityAudit
5
description: Contains activity audit information
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
7
version: 0
8
fields:
9
 - name: AgentIdString
10
 description: The Agent ID
11
 type: string
12
 - name: cid
13
 description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
14
 type: string
15
 indicators:
16
 - md5
17
 - trace_id
18
 - name: ExternalApiType
19
 required: true
20
 description: The external API type
21
 type: string
22
 - name: Nonce
23
 description: The nonce
24
 type: bigint
25
 - name: ServiceName
26
 description: The service name
27
 type: string
28
 - name: UserId
29
 description: User that performed the operation, e.g. person that performed the operation to create a new user account.
30
 type: string
31
 indicators:
32
 - email
33
 - name: UserIp
34
 description: IP address of user that performs the operation.
35
 type: string
36
 indicators:
37
 - ip
38
 - name: CustomerIdString
39
 description: Unique ID assigned by CS for each customer.
40
 type: string
41
 - name: EventType
42
 required: true
43
 description: Will be Event_ExternalApiEvent
44
 type: string
45
 - name: OperationName
46
 description: The operation name
47
 type: string
48
 - name: UTCTimestamp
49
 description: The timestamp
50
 type: timestamp
51
 timeFormat: unix_ms
52
 - name: timestamp
53
 required: true
54
 description: The timestamp
55
 type: timestamp
56
 timeFormat: rfc3339
57
 isEventTime: true
58
 - name: AuditKeyValues
59
 description: The AuditKeyValues
60
 type: array
61
 element:
62
 type: object
63
 fields:
64
  - name: Key
65
 description: The Key
66
 type: string
67
 - name: ValueString
68
 description: The value as a string
69
 type: string
70
 - name: eid
71
 description: The EID
72
 type: bigint
73
 - name: Success
74
 description: If the operation was successful or not
75
 type: boolean
76
 - name: EventUUID
77
 description: The EventUUID
78
 type: string
Copied!
Crowdstrike.AppInfo
Detected Application Information provided by Falcon Discover.
Reference: CrowdStrike Documentation on Falcon Data Replicator AppInfo.​
1
schema: Crowdstrike.AppInfo
2
parser:
3
 native:
4
 name: Crowdstrike.AppInfo
5
description: Detected Application Information provided by Falcon Discover
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
7
version: 0
8
fields:
9
 - name: _time
10
 required: true
11
 description: The host's local time in epoch format.
12
 type: timestamp
13
 timeFormat: unix
14
 isEventTime: true
15
 - name: cid
16
 required: true
17
 description: The customer ID.
18
 type: string
19
 indicators:
20
 - md5
21
 - trace_id
22
 - name: CompanyName
23
 required: true
24
 description: The name of the company.
25
 type: string
26
 - name: detectioncount
27
 required: true
28
 description: The number of detections.
29
 type: bigint
30
 - name: FileName
31
 required: true
32
 description: The name of the file.
33
 type: string
34
 - name: SHA256HashData
35
 required: true
36
 description: The file hash bashed on SHA-256.
37
 type: string
38
 indicators:
39
 - sha256
40
 - name: FileDescription
41
 description: The description of the file, if any.
42
 type: string
43
 - name: FileVersion
44
 description: The version of the file.
45
 type: string
46
 - name: ProductName
47
 description: The name of the product.
48
 type: string
49
 - name: ProductVersion
50
 description: The version of the product.
51
 type: string
Copied!
Crowdstrike.CriticalFile
This event is generated every time a critical file is accessed or modified.
Reference: CrowdStrike Documentation on CriticalFile.​
1
schema: Crowdstrike.CriticalFile
2
parser:
3
 native:
4
 name: Crowdstrike.CriticalFile
5
description: This event is generated every time a critical file is accessed or modified
6
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
7
version: 0
8
fields:
9
 - name: event_simpleName
10
 required: true
11
 description: Event name
12
 type: string
13
 - name: name
14
 required: true
15
 description: The event name
16
 type: string
17
 - name: aid
18
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
19
 type: string
20
 indicators:
21
 - md5
22
 - trace_id
23
 - name: aip
24
 description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
25
 type: string
26
 indicators:
27
 - ip
28
 - name: cid
29
 description: CID
30
 type: string
31
 indicators:
32
 - md5
33
 - trace_id
34
 - name: id
35
 description: ID
36
 type: string
37
 - name: event_platform
38
 description: The platform the sensor was running on
39
 type: string
40
 - name: timestamp
41
 description: Timestamp when the event was received by the CrowdStrike cloud.
42
 type: timestamp
43
 timeFormat: unix_ms
44
 isEventTime: true
45
 - name: _time
46
 description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
47
 type: timestamp
48
 timeFormat: layout=01/02/2006 15:04:05.999
49
 - name: ComputerName
50
 description: The name of the host.
51
 type: string
52
 indicators:
53
 - hostname
54
 - name: ConfigBuild
55
 description: Config build
56
 type: string
57
 - name: ConfigStateHash
58
 description: Config state hash
59
 type: string
60
 - name: Entitlements
61
 description: Entitlements
62
 type: string
63
 - name: TreeId
64
 description: If this event is part of a detection tree, the tree ID it is part of
65
 type: string
66
 indicators:
67
 - trace_id
68
 - name: TreeId_decimal
69
 description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
70
 type: bigint
71
 - name: ContextThreadId
72
 description: The unique ID of a process that was spawned by another process.
73
 type: string
74
 - name: ContextThreadId_decimal
75
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
76
 type: bigint
77
 - name: ContextTimeStamp
78
 description: The time at which an event occurred on the system, as seen by the sensor.
79
 type: timestamp
80
 timeFormat: unix
81
 - name: ContextTimeStamp_decimal
82
 description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
83
 type: timestamp
84
 timeFormat: unix_ms
85
 - name: ContextProcessId
86
 description: The unique ID of a process that was spawned by another process.
87
 type: string
88
 - name: ContextProcessId_decimal
89
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
90
 type: bigint
91
 - name: InContext
92
 description: In context (N/A on iOS)
93
 type: string
94
 - name: EffectiveTransmissionClass
95
 description: Effective transmission class
96
 type: bigint
97
 - name: GID
98
 description: The user Group ID
99
 type: bigint
100
 - name: TargetFileName
101
 description: The file that was accessed
102
 type: string
103
 - name: UID
104
 description: The User ID
105
 type: bigint
106
 - name: UnixMode
107
 description: The unix file permissions
108
 type: string
109
 - name: FileIdentifier
110
 description: The file identifier
111
 type: string
112
 - name: USN
113
 description: The USN
114
 type: bigint
Copied!
Crowdstrike.DNSRequest
This event is generated for every attempted DNS name resolution on a host.
Reference: CrowdStrike Documentation on DNSRequest.​
1
schema: Crowdstrike.DNSRequest
2
parser:
3
 native:
4
 name: Crowdstrike.DNSRequest
5
description: This event is generated for every attempted DNS name resolution on a host.
6
version: 0
7
fields:
8
 - name: event_simpleName
9
 required: true
10
 description: Event name
11
 type: string
12
 - name: name
13
 required: true
14
 description: The event name
15
 type: string
16
 - name: aid
17
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
18
 type: string
19
 indicators:
20
 - md5
21
 - trace_id
22
 - name: aip
23
 description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
24
 type: string
25
 indicators:
26
 - ip
27
 - name: cid
28
 description: CID
29
 type: string
30
 indicators:
31
 - md5
32
 - trace_id
33
 - name: id
34
 description: ID
35
 type: string
36
 - name: event_platform
37
 description: The platform the sensor was running on
38
 type: string
39
 - name: timestamp
40
 description: Timestamp when the event was received by the CrowdStrike cloud.
41
 type: timestamp
42
 timeFormat: unix_ms
43
 isEventTime: true
44
 - name: _time
45
 description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
46
 type: timestamp
47
 timeFormat: layout=01/02/2006 15:04:05.999
48
 - name: ComputerName
49
 description: The name of the host.
50
 type: string
51
 indicators:
52
 - hostname
53
 - name: ConfigBuild
54
 description: Config build
55
 type: string
56
 - name: ConfigStateHash
57
 description: Config state hash
58
 type: string
59
 - name: Entitlements
60
 description: Entitlements
61
 type: string
62
 - name: TreeId
63
 description: If this event is part of a detection tree, the tree ID it is part of
64
 type: string
65
 indicators:
66
 - trace_id
67
 - name: TreeId_decimal
68
 description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
69
 type: bigint
70
 - name: ContextThreadId
71
 description: The unique ID of a process that was spawned by another process.
72
 type: string
73
 - name: ContextThreadId_decimal
74
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
75
 type: bigint
76
 - name: ContextTimeStamp
77
 description: The time at which an event occurred on the system, as seen by the sensor.
78
 type: timestamp
79
 timeFormat: unix
80
 - name: ContextTimeStamp_decimal
81
 description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
82
 type: timestamp
83
 timeFormat: unix_ms
84
 - name: ContextProcessId
85
 description: The unique ID of a process that was spawned by another process.
86
 type: string
87
 - name: ContextProcessId_decimal
88
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
89
 type: bigint
90
 - name: InContext
91
 description: In context (N/A on iOS)
92
 type: string
93
 - name: EffectiveTransmissionClass
94
 description: Effective transmission class
95
 type: bigint
96
 - name: DomainName
97
 description: The domain name requested
98
 type: string
99
 indicators:
100
 - domain
101
 - name: InterfaceIndex
102
 description: The network interface index (Windows only)
103
 type: bigint
104
 - name: DualRequest
105
 description: If the event is dual request (Windows only)
106
 type: bigint
107
 - name: DnsRequestCount
108
 description: The number of DNS requests (Windows only)
109
 type: bigint
110
 - name: AppIdentifier
111
 description: The identifier of the app that made the request (Android, iOS)
112
 type: string
113
 - name: IpAddress
114
 description: The device ip address (Android, iOS)
115
 type: string
116
 indicators:
117
 - ip
118
 - name: RequestType
119
 description: The DNS request type
120
 type: string
Copied!
Crowdstrike.DetectionSummary
Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
Reference: CrowdStrike Documentation on Streaming API Detection Summary.​
1
schema: Crowdstrike.DetectionSummary
2
parser:
3
 native:
4
 name: Crowdstrike.DetectionSummary
5
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
7
version: 0
8
fields:
9
 - name: cid
10
 description: Customer ID
11
 type: string
12
 indicators:
13
 - md5
14
 - trace_id
15
 - name: Technique
16
 description: The name of the technique associated to the behavior.
17
 type: string
18
 - name: ProcessId
19
 description: Process ID.
20
 type: bigint
21
 - name: AgentIdString
22
 description: Agent Id.
23
 type: string
24
 - name: DetectName
25
 description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
26
 type: string
27
 - name: ComputerName
28
 description: Host name.
29
 type: string
30
 - name: ProcessStartTime
31
 description: Timestamp of when a process started.
32
 type: timestamp
33
 timeFormat: unix
34
 - name: GrandparentCommandLine
35
 description: Effective transmission class
36
 type: string
37
 - name: MACAddress
38
 description: The MAC Address
39
 type: string
40
 - name: CommandLine
41
 description: The command line execution of the process.
42
 type: string
43
 - name: Objective
44
 description: The name of the objective associated to the behavior.
45
 type: string
46
 - name: Nonce
47
 description: The nonce.
48
 type: bigint
49
 - name: SHA256String
50
 description: SHA256 hash.
51
 type: string
52
 indicators:
53
 - sha256
54
 - name: ExternalApiType
55
 required: true
56
 description: The type of the External API
57
 type: string
58
 - name: PatternDispositionValue
59
 description: The pattern disposition value.
60
 type: bigint
61
 - name: DetectId
62
 description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
63
 type: string
64
 - name: Severity
65
 description: The severity
66
 type: bigint
67
 - name: PatternDispositionDescription
68
 description: The description of the pattern associated to the action taken on the behavior.
69
 type: string
70
 - name: SeverityName
71
 description: The severity name.
72
 type: string
73
 - name: MD5String
74
 description: MD5 hash
75
 type: string
76
 indicators:
77
 - md5
78
 - name: EventUUID
79
 description: Event UUID
80
 type: string
81
 - name: UserName
82
 description: User name.
83
 type: string
84
 indicators:
85
 - username
86
 - name: FilePath
87
 description: Full path of the file, excluding the file name.
88
 type: string
89
 - name: timestamp
90
 description: The timestamp
91
 type: timestamp
92
 timeFormat: rfc3339
93
 isEventTime: true
94
 - name: ParentCommandLine
95
 description: The command line of the parent process.
96
 type: string
97
 - name: DetectDescription
98
 description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
99
 type: string
100
 - name: LocalIP
101
 description: The local IP.
102
 type: string
103
 indicators:
104
 - ip
105
 - name: ProcessEndTime
106
 description: Timestamp of when a process ended in UNIX EPOCH time.
107
 type: timestamp
108
 timeFormat: unix
109
 - name: SHA1String
110
 description: SHA1 hash
111
 type: string
112
 indicators:
113
 - sha1
114
 - name: OriginSourceIpAddress
115
 description: The OriginSourceIpAddress.
116
 type: string
117
 indicators:
118
 - ip
119
 - name: GrandparentImageFileName
120
 description: The GrandparentImageFileName
121
 type: string
122
 - name: MachineDomain
123
 description: The Windows Domain Name to which the machine is currently joined.
124
 type: string
125
 - name: ParentImageFileName
126
 description: The ParentImageFileName
127
 type: string
128
 - name: FalconHostLink
129
 description: Link to view detection event in Falcon console.
130
 type: string
131
 - name: UTCTimestamp
132
 description: The UTC timestamp.
133
 type: timestamp
134
  timeFormat: unix_ms
135
 - name: FileName
136
 description: File name if a file is involved in the detection.
137
 type: string
138
 - name: ParentProcessId
139
 description: Parent Process ID.
140
 type: bigint
141
 - name: EventType
142
 required: true
143
 description: The EventType.
144
 type: string
145
 - name: CustomerIdString
146
 description: Unique ID assigned by CS for each customer.
147
 type: string
148
 - name: Tactic
149
 description: The name of the tactic associated to the behavior.
150
 type: string
151
 - name: SensorId
152
 description: Falcon sensor Agent ID.
153
 type: string
154
 - name: eid
155
 description: The EID.
156
 type: bigint
157
 - name: PatternDispositionFlags
158
 description: The pattern disposition flags
159
 type: json
Copied!
Crowdstrike.GroupIdentity
Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
Reference: CrowdStrike Documentation on Group Identity Events.​
1
schema: Crowdstrike.GroupIdentity
2
parser:
3
 native:
4
 name: Crowdstrike.GroupIdentity
5
description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
7
version: 0
8
fields:
9
 - name: name
10
 required: true
11
 description: The event name
12
 type: string
13
 - name: aid
14
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
15
 type: string
16
 indicators:
17
 - md5
18
 - trace_id
19
 - name: aip
20
 description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
21
 type: string
22
 indicators:
23
 - ip
24
 - name: cid
25
 description: CID
26
 type: string
27
 indicators:
28
 - md5
29
 - trace_id
30
 - name: id
31
 description: ID
32
 type: string
33
 - name: event_platform
34
 description: The platform the sensor was running on
35
 type: string
36
 - name: timestamp
37
 description: Timestamp when the event was received by the CrowdStrike cloud.
38
 type: timestamp
39
 timeFormat: unix_ms
40
 isEventTime: true
41
 - name: _time
42
 description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
43
 type: timestamp
44
 timeFormat: layout=01/02/2006 15:04:05.999
45
 - name: ComputerName
46
 description: The name of the host.
47
 type: string
48
 indicators:
49
 - hostname
50
 - name: ConfigBuild
51
 description: Config build
52
 type: string
53
 - name: ConfigStateHash
54
 description: Config state hash
55
 type: string
56
 - name: Entitlements
57
 description: Entitlements
58
 type: string
59
 - name: TreeId
60
 description: If this event is part of a detection tree, the tree ID it is part of
61
 type: string
62
 indicators:
63
 - trace_id
64
 - name: TreeId_decimal
65
 description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
66
 type: bigint
67
 - name: ContextThreadId
68
 description: The unique ID of a process that was spawned by another process.
69
 type: string
70
 - name: ContextThreadId_decimal
71
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
72
 type: bigint
73
 - name: ContextTimeStamp
74
 description: The time at which an event occurred on the system, as seen by the sensor.
75
 type: timestamp
76
 timeFormat: unix
77
 - name: ContextTimeStamp_decimal
78
 description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
79
 type: timestamp
80
 timeFormat: unix_ms
81
 - name: ContextProcessId
82
 description: The unique ID of a process that was spawned by another process.
83
 type: string
84
 - name: ContextProcessId_decimal
85
 description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
86
 type: bigint
87
 - name: InContext
88
 description: In context (N/A on iOS)
89
 type: string
90
 - name: event_simpleName
91
 required: true
92
 description: Event Name
93
 type: string
94
 - name: GID
95
 required: true
96
 description: The user Group ID.
97
 type: bigint
98
 - name: AuthenticationUuid
99
 required: true
100
 description: AuthenticationUUID field
101
 type: string
102
 - name: AuthenticationUuidAsString
103
 required: true
104
 description: AuthenticationUUIDAsString field
105
 type: string
106
 - name: AuthenticationId
107
 required: true
108
 description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
109
 type: int
110
 - name: UserPrincipal
111
 required: true
112
 description: UserPrincipal field
113
 type: string
114
 - name: UserSid
115
 required: true
116
 description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
117
 type: string
Copied!
Crowdstrike.ManagedAssets
Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address).
Reference: CrowdStrike Documentation on Falcon Data Replicator Managed Assets.​
1
schema: Crowdstrike.ManagedAssets
2
parser:
3
 native:
4
 name: Crowdstrike.ManagedAssets
5
description: 'Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)'
6
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets
7
version: 0
8
fields:
9
 - name: _time
10
 required: true
11
 description: The host's local time in epoch format.
12
 type: timestamp
13
 timeFormat: unix
14
 isEventTime: true
15
 - name: aid
16
 required: true
17
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
18
 type: string
19
 indicators:
20
 - md5
21
 - trace_id
22
 - name: cid
23
 required: true
24
 description: The customer ID.
25
 type: string
26
 indicators:
27
 - md5
28
 - trace_id
29
 - name: GatewayIP
30
 description: The gateway of the system where the sensor is installed.
31
 type: string
32
 indicators:
33
 - ip
34
 - name: GatewayMAC
35
 description: The MAC address of the gateway.
36
 type: string
37
 - name: MACPrefix
38
 required: true
39
 description: An identifier unique to the organization.
40
 type: string
41
 - name: MAC
42
 required: true
43
 description: The MAC address of the system.
44
 type: string
45
 - name: LocalAddressIP4
46
 required: true
47
 description: The device's local IP address in IPv4 format.
48
 type: string
49
 indicators:
50
 - ip
51
 - name: InterfaceAlias
52
 description: The user-friendly name of the IP interface.
53
 type: string
54
 - name: InterfaceDescription
55
 description: The network adapter used for the IP interface.
56
 type: string
Copied!
Crowdstrike.NetworkConnect
This event is generated when an application attempts a remote connection on an interface.
Reference: CrowdStrike Documentation on NetworkConnect.​
1
schema: Crowdstrike.NetworkConnect
2
parser:
3
 native:
4
 name: Crowdstrike.NetworkConnect
5
description: This event is generated when an application attempts a remote connection on an interface
6
version: 0
7
fields:
8
 - name: event_simpleName
9
 required: true
10
 description: Event name
11
 type: string
12
 - name: name
13
 required: true
14
 description: The event name
15
 type: string
16
 - name: aid
17
 description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
18
 type: string
19
 indicators:
20
 - md5
21
 - trace_id
22
 - name: aip
23
 description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
24
 type: string
25
 indicators:
26
 - ip
27
 - name: cid
28
 description: CID
29
 type: string
30
 indicators:
31
 - md5
32
 - trace_id
33
 - name: id
34
 description: ID
35
 type: string
36
 - name: event_platform
37
 description: The platform the sensor was running on
38
 type: string
39
 - name: timestamp
40
 description: Timestamp when the event was received by the CrowdStrike cloud.
41
 type: timestamp
42
 timeFormat: unix_ms
43
 isEventTime: 