CrowdStrike Falcon Data Replicator
Connecting CrowdStrike logs to your Panther Console
Overview
Panther supports pulling logs directly from CrowdStrike events by integrating with the CrowdStrike Falcon Data Replicator (FDR). To ingest CrowdStrike logs into panther, you must have an active subscription to FDR, and it must be enabled in CrowdStrike.
As of Panther version 1.52, all new CrowdStrike log source configurations will use the Crowdstrike.FDREvent schema.
See Panther's KB for information on adapting your CrowdStrike detections and queries (created prior to version 1.52) to work with the Crowdstrike.FDREvent log type.
CrowdStrike Falcon Data Replicator logs video walkthrough
How to onboard CrowdStrike Falcon Data Replicator logs to Panther
Prerequisites
You must have an active subscription to FDR, and it must be enabled in CrowdStrike.
There is no minimum version of FDR required.
Step 1: Create FDR API Keys
In your CrowdStrike Falcon console, navigate to the FDR overview for your instance.
This URL should be
falcon.<cloud-region>.crowdstrike.com/fdr
Click Next.
On the Review page, click Create feed.
Step 2: Create a new CrowdStrike Falcon Data Replicator Source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "CrowdStrike Falcon Data Replicator," then click its tile.
In the slide-out panel, click Start Setup.
On the Configure page, fill in the form:
Name: Enter a descriptive name for the source, e.g.
CrowdStrike FDR.SQS URL: Enter the URL for the CrowdStrike-managed SQS queue, previously copied.
AWS Access Key: Enter the AWS access key you copied in the previous step.
AWS Secret Key: Enter the AWS secret you copied in the previous step.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-managed detections
See Panther-managed rules for CrowdStrike in the panther-analysis GitHub repository.
Supported log types
Crowdstrike.FDREvent
Crowdstrike.FDREvent contains all event types produced by the FDR. Including all types of events in a single log type helps to:
Provide ongoing ingestion flexibility and reduce maintenance efforts.
For example, if CrowdStrike adds a new event type, you may not need to rewrite existing detection logic and data queries.
Simplify querying of CrowdStrike logs by enriching all
Crowdstrike.FDREventlogs with commonly referenced fields, such asevent_simpleName.Expedite investigations by leveraging the indicators extracted from each FDR event type and stored in
Crowdstrike.FDREvent.
FDR events
The FDR data stream sends the following two types of events:
Primary events
These events include information related to threat hunting, archiving data, warehousing data, and SIEM activity.
A complete list of primary event types supported by
Crowdstrike.FDREventcan be viewed on CrowdStrike's documentation on streaming API events.
Secondary events
These events include additional environment information.
A complete list of secondary event types supported by
Crowdstrike.FDREventcan be viewed on CrowdStrike's documentation on data for seeing additional environment information.
How fdr_event_type is set
fdr_event_type is setNot all FDR events contain the same fields. To accommodate this, the value of fdr_event_type is assigned dynamically, according to the following rules (ordered by precedence):
If
event_simpleNameis present,fdr_event_type=event_simpleNameIf
event_typeis present,fdr_event_type=event.event_typeIf
ExternalApiTypeis present,fdr_event_type=event.ExternalApiTypeCrowdstrike.DetectionSummaryandCrowdstrike.ActivityAuditlog types define thisExternalApiTypefield.
If the FDR event is a secondary event,
fdr_event_type= the event type as described in CrowdStrike's documentation on seeing additional environment information.In this case, the resulting log type is still
Crowdstrike.FDREvent.
If none of the above conditions are met,
fdr_event_type=unknown
For more information, see CrowdStrike's FDR setup documentation.
schema: Crowdstrike.FDREvent
parser:
native:
name: Crowdstrike.FDREvent
description: Contains all Crowdstrike Falcon Data Replicator events
referenceURL: https://falcon.us-2.crowdstrike.com/documentation/9/falcon-data-replicator
fields:
- name: ContextTimeStamp
description: m, as seen by the sensor.
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormats:
- unix_ms
- rfc3339
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormats:
- '%m/%d/%Y %H:%M:%S.%f'
- unix
isEventTime: true
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormats:
- unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: event_simpleName
description: Event name
type: string
- name: fdr_event_type
description: Crowdstrike Event type (populated by panther)
type: string
- name: TargetProcessId_decimal
description: The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
type: string
- name: FileName
description: The name of the file.
type: string
- name: FilePath
description: The full path of the file, including the file name.
type: string
- name: event
description: The full JSON payload of the event
type: jsonLegacy log types
Existing CrowdStrike log source configurations set up prior to Panther version 1.52 will continue to function using the legacy log types below, until you transition them to Crowdstrike.FDREvent. Please contact your Panther support team if you would like assistance with this transition.
Crowdstrike.AIDMaster
Sensor and Host information provided by Falcon Insight.
Reference: CrowdStrike Documentation on Falcon Data Replicator.
schema: Crowdstrike.AIDMaster
parser:
native:
name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
fields:
- name: Time
required: true
description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
type: timestamp
timeFormat: unix
isEventTime: true
- name: AgentLoadFlags
required: true
description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
type: int
- name: AgentLocalTime
required: true
description: The local time for the sensor in epoch format.
type: timestamp
timeFormat: unix
- name: AgentTimeOffset
required: true
description: The time since the last reboot in epoch format.
type: float
- name: AgentVersion
required: true
description: The version of the sensor running on a host.
type: string
- name: aid
required: true
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- trace_id
- name: aip
required: true
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: BiosManufacturer
description: The manufacturer of the host's BIOS.
type: string
- name: BiosVersion
description: The version of the host's BIOS.
type: string
- name: ChassisType
description: Type of system chassis, as defined in SMBIOS Standard.
type: string
- name: City
description: The system's city of origin.
type: string
- name: Country
description: The system's country of origin.
type: string
- name: Continent
description: The sensor's continent, as seen from the CrowdStrike cloud.
type: string
- name: ComputerName
description: The name of the host.
type: string
- name: ConfigBuild
description: ConfigBuild field
type: string
- name: ConfigIDBuild
description: Build number used as part of the ConfigID.
type: string
- name: event_platform
description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
type: string
- name: FalconGroupingTags
description: FalconGroupingTags field
type: string
- name: FirstSeen
description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
type: timestamp
timeFormat: unix
- name: MachineDomain
description: The Windows domain name to which the host is currently joined.
type: string
- name: OU
description: The organizational unit of the host as seen by the sensor (defined by system admin).
type: string
- name: PointerSize
description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
type: string
- name: ProductType
description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
type: string
- name: SensorGroupingTags
description: SensorGroupingTags field
type: string
- name: ServicePackMajor
description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
type: string
- name: SiteName
description: The site name of the domain to which the host is joined (defined by system admin).
type: string
- name: SystemManufacturer
description: The host's system manufacturer.
type: string
- name: SystemProductName
description: The host's product name.
type: string
- name: Timezone
description: The sensor's time zone, as seen from the CrowdStrike cloud.
type: string
- name: Version
description: The host's system version.
type: string
- name: HostHiddenStatus
description: Whether the host is visible or not.
type: stringCrowdstrike.ActivityAudit
Contains activity audit information.
Reference: CrowdStrike Documentation on Streaming API Event Authentication.
schema: Crowdstrike.ActivityAudit
parser:
native:
name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
fields:
- name: AgentIdString
description: The Agent ID
type: string
- name: cid
description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
type: string
indicators:
- trace_id
- name: ExternalApiType
required: true
description: The external API type
type: string
- name: Nonce
description: The nonce
type: bigint
- name: ServiceName
description: The service name
type: string
- name: UserId
description: User that performed the operation, e.g. person that performed the operation to create a new user account.
type: string
indicators:
- email
- name: UserIp
description: IP address of user that performs the operation.
type: string
indicators:
- ip
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: EventType
required: true
description: Will be Event_ExternalApiEvent
type: string
- name: OperationName
description: The operation name
type: string
- name: UTCTimestamp
description: The timestamp
type: timestamp
timeFormat: unix_ms
- name: timestamp
required: true
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: AuditKeyValues
description: The AuditKeyValues
type: array
element:
type: object
fields:
- name: Key
description: The Key
type: string
- name: ValueString
description: The value as a string
type: string
- name: eid
description: The EID
type: bigint
- name: Success
description: If the operation was successful or not
type: boolean
- name: EventUUID
description: The EventUUID
type: stringCrowdstrike.AppInfo
Detected Application Information provided by Falcon Discover.
Reference: CrowdStrike Documentation on Falcon Data Replicator AppInfo.
schema: Crowdstrike.AppInfo
parser:
native:
name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- trace_id
- name: CompanyName
required: true
description: The name of the company.
type: string
- name: detectioncount
required: true
description: The number of detections.
type: bigint
- name: FileName
required: true
description: The name of the file.
type: string
- name: SHA256HashData
required: true
description: The file hash bashed on SHA-256.
type: string
indicators:
- sha256
- name: FileDescription
description: The description of the file, if any.
type: string
- name: FileVersion
description: The version of the file.
type: string
- name: ProductName
description: The name of the product.
type: string
- name: ProductVersion
description: The version of the product.
type: stringCrowdstrike.CriticalFile
This event is generated every time a critical file is accessed or modified.
Reference: CrowdStrike Documentation on CriticalFile.
schema: Crowdstrike.CriticalFile
parser:
native:
name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: GID
description: The user Group ID
type: bigint
- name: TargetFileName
description: The file that was accessed
type: string
- name: UID
description: The User ID
type: bigint
- name: UnixMode
description: The unix file permissions
type: string
- name: FileIdentifier
description: The file identifier
type: string
- name: USN
description: The USN
type: bigintCrowdstrike.DNSRequest
This event is generated for every attempted DNS name resolution on a host.
Reference: CrowdStrike Documentation on DNSRequest.
schema: Crowdstrike.DNSRequest
parser:
native:
name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: DomainName
description: The domain name requested
type: string
indicators:
- domain
- name: InterfaceIndex
description: The network interface index (Windows only)
type: bigint
- name: DualRequest
description: If the event is dual request (Windows only)
type: bigint
- name: DnsRequestCount
description: The number of DNS requests (Windows only)
type: bigint
- name: AppIdentifier
description: The identifier of the app that made the request (Android, iOS)
type: string
- name: IpAddress
description: The device ip address (Android, iOS)
type: string
indicators:
- ip
- name: RequestType
description: The DNS request type
type: stringCrowdstrike.DetectionSummary
Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
Reference: CrowdStrike Documentation on Streaming API Detection Summary.
schema: Crowdstrike.DetectionSummary
parser:
native:
name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
fields:
- name: cid
description: Customer ID
type: string
indicators:
- trace_id
- name: Technique
description: The name of the technique associated to the behavior.
type: string
- name: ProcessId
description: Process ID.
type: bigint
- name: AgentIdString
description: Agent Id.
type: string
- name: DetectName
description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
type: string
- name: ComputerName
description: Host name.
type: string
- name: ProcessStartTime
description: Timestamp of when a process started.
type: timestamp
timeFormat: unix
- name: GrandparentCommandLine
description: Effective transmission class
type: string
- name: MACAddress
description: The MAC Address
type: string
- name: CommandLine
description: The command line execution of the process.
type: string
- name: Objective
description: The name of the objective associated to the behavior.
type: string
- name: Nonce
description: The nonce.
type: bigint
- name: SHA256String
description: SHA256 hash.
type: string
indicators:
- sha256
- name: ExternalApiType
required: true
description: The type of the External API
type: string
- name: PatternDispositionValue
description: The pattern disposition value.
type: bigint
- name: DetectId
description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
type: string
- name: Severity
description: The severity
type: bigint
- name: PatternDispositionDescription
description: The description of the pattern associated to the action taken on the behavior.
type: string
- name: SeverityName
description: The severity name.
type: string
- name: MD5String
description: MD5 hash
type: string
indicators:
- md5
- name: EventUUID
description: Event UUID
type: string
- name: UserName
description: User name.
type: string
indicators:
- username
- name: FilePath
description: Full path of the file, excluding the file name.
type: string
- name: timestamp
description: The timestamp
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: ParentCommandLine
description: The command line of the parent process.
type: string
- name: DetectDescription
description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
type: string
- name: LocalIP
description: The local IP.
type: string
indicators:
- ip
- name: ProcessEndTime
description: Timestamp of when a process ended in UNIX EPOCH time.
type: timestamp
timeFormat: unix
- name: SHA1String
description: SHA1 hash
type: string
indicators:
- sha1
- name: OriginSourceIpAddress
description: The OriginSourceIpAddress.
type: string
indicators:
- ip
- name: GrandparentImageFileName
description: The GrandparentImageFileName
type: string
- name: MachineDomain
description: The Windows Domain Name to which the machine is currently joined.
type: string
- name: ParentImageFileName
description: The ParentImageFileName
type: string
- name: FalconHostLink
description: Link to view detection event in Falcon console.
type: string
- name: UTCTimestamp
description: The UTC timestamp.
type: timestamp
timeFormat: unix_ms
- name: FileName
description: File name if a file is involved in the detection.
type: string
- name: ParentProcessId
description: Parent Process ID.
type: bigint
- name: EventType
required: true
description: The EventType.
type: string
- name: CustomerIdString
description: Unique ID assigned by CS for each customer.
type: string
- name: Tactic
description: The name of the tactic associated to the behavior.
type: string
- name: SensorId
description: Falcon sensor Agent ID.
type: string
- name: eid
description: The EID.
type: bigint
- name: PatternDispositionFlags
description: The pattern disposition flags
type: jsonCrowdstrike.GroupIdentity
Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
Reference: CrowdStrike Documentation on Group Identity Events.
schema: Crowdstrike.GroupIdentity
parser:
native:
name: Crowdstrike.GroupIdentity
description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
fields:
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: event_simpleName
required: true
description: Event Name
type: string
- name: GID
required: true
description: The user Group ID.
type: bigint
- name: AuthenticationUuid
required: true
description: AuthenticationUUID field
type: string
- name: AuthenticationUuidAsString
required: true
description: AuthenticationUUIDAsString field
type: string
- name: AuthenticationId
required: true
description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
type: int
- name: UserPrincipal
required: true
description: UserPrincipal field
type: string
- name: UserSid
required: true
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
type: stringCrowdstrike.ManagedAssets
Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address).
Reference: CrowdStrike Documentation on Falcon Data Replicator Managed Assets.
schema: Crowdstrike.ManagedAssets
parser:
native:
name: Crowdstrike.ManagedAssets
description: 'Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)'
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: aid
required: true
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- trace_id
- name: GatewayIP
description: The gateway of the system where the sensor is installed.
type: string
indicators:
- ip
- name: GatewayMAC
description: The MAC address of the gateway.
type: string
- name: MACPrefix
required: true
description: An identifier unique to the organization.
type: string
- name: MAC
required: true
description: The MAC address of the system.
type: string
- name: LocalAddressIP4
required: true
description: The device's local IP address in IPv4 format.
type: string
indicators:
- ip
- name: InterfaceAlias
description: The user-friendly name of the IP interface.
type: string
- name: InterfaceDescription
description: The network adapter used for the IP interface.
type: stringCrowdstrike.NetworkConnect
This event is generated when an application attempts a remote connection on an interface.
Reference: CrowdStrike Documentation on NetworkConnect.
schema: Crowdstrike.NetworkConnect
parser:
native:
name: Crowdstrike.NetworkConnect
description: This event is generated when an application attempts a remote connection on an interface
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: LocalAddressIP4
description: Local IPv4 address for the connection
type: string
indicators:
- ip
- name: LocalAddressIP6
description: Local IPv6 address for the connection
type: string
indicators:
- ip
- name: RemoteAddressIP4
description: Remote IPv4 address for the connection
type: string
indicators:
- ip
- name: RemoteAddressIP6
description: Remote IPv6 address for the connection
type: string
indicators:
- ip
- name: ConnectionFlags
description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
type: int
- name: Protocol
description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17)
type: int
- name: LocalPort
description: Connection local port
type: int
- name: RemotePort
description: Connection remote port
type: int
- name: ConnectionDirection
description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
type: int
- name: IcmpType
description: ICMP type (N/A on iOS)
type: string
- name: IcmpCode
description: ICMP code (N/A on iOS)
type: stringCrowdstrike.NetworkListen
This event is generated when an application establishes a socket in listening mode.
Reference: CrowdStrike Documentation on NetworkListen.
schema: Crowdstrike.NetworkListen
parser:
native:
name: Crowdstrike.NetworkListen
description: This event is generated when an application establishes a socket in listening mode
fields:
- name: event_simpleName
required: true
description: event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: LocalAddressIP4
description: Local IPv4 address for the connection
type: string
indicators:
- ip
- name: LocalAddressIP6
description: Local IPv6 address for the connection
type: string
indicators:
- ip
- name: RemoteAddressIP4
description: Remote IPv4 address for the connection
type: string
indicators:
- ip
- name: RemoteAddressIP6
description: Remote IPv6 address for the connection
type: string
indicators:
- ip
- name: ConnectionFlags
description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
type: int
- name: Protocol
description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17)
type: int
- name: LocalPort
description: Connection local port
type: int
- name: RemotePort
description: Connection remote port
type: int
- name: ConnectionDirection
description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
type: intCrowdstrike.NotManagedAssets
Unmanaged Host discovery information provided by Falcon Insight.
Reference: CrowdStrike Documentation on Falcon Data Replicator Notmanaged Assets.
schema: Crowdstrike.NotManagedAssets
parser:
native:
name: Crowdstrike.NotManagedAssets
description: Unmanaged Host discovery information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-notmanaged
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: aip
required: true
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: aipCount
required: true
description: The number of public-facing IP addresses.
type: bigint
- name: localipCount
required: true
description: The number of local IP addresses.
type: bigint
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- trace_id
- name: CurrentLocalIP
required: true
description: The current local IP address of the machine, found via the IPv4 network discovery protocol.
type: string
indicators:
- ip
- name: subnet
description: The subnet of the system.
type: string
- name: MAC
required: true
description: The MAC address of the system.
type: string
- name: MACPrefix
required: true
description: An identifier unique to the organization.
type: string
- name: discovererCount
required: true
description: The number of aid's that have discovered this system.
type: bigint
- name: discoverer_aid
description: The agent IDs that have discovered this system.
type: array
element:
type: string
- name: discoverer_devicetype
description: The type of device that discovered this system ('VM' or 'Server').
type: string
- name: FirstDiscoveredDate
description: The first time the system was discovered in epoch format.
type: timestamp
timeFormat: unix
- name: LastDiscoveredBy
description: The host ID of the host that most recently discovered this device.
type: string
- name: LocalAddressIP4
description: The device's local IP address in IPv4 format.
type: string
indicators:
- ip
- name: ComputerName
description: The name of the host that discovered the neighbor.
type: string
- name: NeighborName
description: The neighbor's host name.
type: stringCrowdstrike.ProcessRollup2
This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.
Reference: CrowdStrike Documentation on ProcessRollup2.
schema: Crowdstrike.ProcessRollup2
parser:
native:
name: Crowdstrike.ProcessRollup2
description: This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.
fields:
- name: event_simpleName
required: true
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: TargetProcessId
description: The unique ID of a target process
type: string
- name: SourceProcessId
description: The unique ID of creating process.
type: string
- name: SourceThreadId
description: The unique ID of thread from creating process.
type: string
- name: ParentProcessId
description: The unique ID of the parent process.
type: string
- name: ImageFileName
description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process
type: string
- name: CommandLine
description: The command line used to create this process. May be empty in some circumstances
type: string
- name: RawProcessId
description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
type: bigint
- name: ProcessStartTime
description: The time the process began in UNIX epoch time (in decimal, non-hex format).
type: timestamp
timeFormat: unix
- name: ProcessEndTime
description: The time the process finished (in decimal, non-hex format).
type: timestamp
timeFormat: unix
- name: SHA256HashData
description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
type: string
indicators:
- sha256
- name: SHA1HashData
description: The SHA1 hash of a file
type: string
indicators:
- sha1
- name: MD5HashData
description: The MD5 hash of a file
type: string
indicators:
- md5
- name: ImageSubsystem
description: Subsystem of the image filename (Windows only)
type: string
- name: UserSid
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only)
type: string
- name: UserName
description: User name field
type: string
indicators:
- username
- name: AuthenticationId
description: The authentication identifier (Windows only)
type: string
- name: IntegrityLevel
description: The integrity level (Windows only)
type: string
- name: ProcessCreateFlags
description: Captured flags from original process create. This is a bitfield. (Windows only)
type: string
- name: ProcessParameterFlags
description: Flags from the ‘NtCreateUserProcess’ API. This bitfield includes data like if DLL redirection is enabled. (Windows only)
type: string
- name: ProcessSxsFlags
description: Flags from the communications path with the Windows Subsystem Process. This bitfield includes data like if there’s a manifest and if it’s local or not. (Windows only)
type: string
- name: ParentAuthenticationId
description: The authentication identifier for the parent process (Windows only)
type: string
- name: TokenType
description: The token type (Windows only)
type: string
- name: SessionId
description: The id of the session (Windows only)
type: string
- name: WindowFlags
description: Flags from the window (Windows only)
type: string
- name: ShowWindowFlags
description: Window visibility flags (Windows only)
type: string
- name: WindowStartingPositionHorizontal
description: Start horizontal position of the process window (Windows only)
type: bigint
- name: WindowStartingPositionVertical
description: Start vertical position of the process window (Windows only)
type: bigint
- name: WindowStartingWidth
description: Start width of the process window (Windows only)
type: bigint
- name: WindowStartingHeight
description: Start height of the process window (Windows only)
type: bigint
- name: Desktop
description: The desktop of the process window (Windows only)
type: string
- name: WindowStation
description: The process window station (Windows only)
type: string
- name: WindowTitle
description: The title of the process window (WindowsOnly)
type: string
- name: LinkName
description: Link name (Windows only)
type: string
- name: ApplicationUserModelId
description: Application user model id (WindowsOnly)
type: string
- name: CallStackModuleNames
description: Call stack module names (Windows only)
type: string
- name: CallStackModuleNamesVersion
description: Call stack module names version (Windows only)
type: string
- name: RpcClientProcessId
description: RPC client process id (Windows only)
type: string
- name: CsaProcessDataCollectionInstanceId
description: CSA process data collection instance id (Windows only)
type: string
- name: OriginalCommandLine
description: The original command line used to create this process (Windows only)
type: string
- name: CreateProcessType
description: Create process type (Windows only)
type: string
- name: ZoneIdentifier
description: Zone identifier (Windows only)
type: string
- name: HostUrl
description: Host URL (Windows only)
type: string
- name: ReferrerUrl
description: Referrer URL (Windows only)
type: string
indicators:
- url
- name: GrandParent
description: Grant parent (Windows only)
type: string
- name: BaseFileName
description: Base file name (Windows only)
type: string
- name: Tags
description: Process tags comma separated list (Windows, Mac)
type: string
- name: ParentBaseFileName
description: Parent process base file name (Windows, Mac)
type: string
- name: ProcessGroupId
description: Process group id (Windows, Mac)
type: bigint
- name: UID
description: UID (Mac, Linux, Android)
type: bigint
- name: RUID
description: RUID (Mac, Linux, Android)
type: bigint
- name: SVUID
description: SVUID (Mac, Linux, Android)
type: bigint
- name: GID
description: GID (Mac, Linux, Android)
type: bigint
- name: RGID
description: RGID (Mac, Linux, Android)
type: bigint
- name: SVGID
description: SVGID (Mac, Linux, Android)
type: bigint
- name: SessionProcessId
description: Session process id (Mac, Linux)
type: bigint
- name: MachOSubType
description: MachOSubType (Mac only)
type: string
- name: TtyName
description: TTY name (Linux only)
type: string
- name: OciContainerId
description: OCI Container id (Linux only)
type: string
- name: SourceAndroidComponentName
description: Source component name (Android only)
type: string
- name: TargetAndroidComponentName
description: Target component name (Android only)
type: string
- name: TargetAndroidComponentType
description: Target component type (Android only)
type: stringCrowdstrike.ProcessRollup2Stats
When a process finishes running, the sensor generates and sends a ProcessRollup2 event. Mac and Linux sensors send far more ProcessRollup2 events than Windows (roughly 20x as many), so rather than send events for every process on those hosts, the sensor sends an initial ProcessRollup2 event, followed 10 minutes later by a ProcessRollup2Stats event with a SHA256 hash and the count of how many times the hash executed in the last 10 minutes.
Reference: CrowdStrike Documentation on ProcessRollup2Stats.
schema: Crowdstrike.ProcessRollup2Stats
parser:
native:
name: Crowdstrike.ProcessRollup2Stats
description: When a process finishes running, the sensor generates and sends a ProcessRollup2 event. Mac and Linux sensors send far more ProcessRollup2 events than Windows (roughly 20x as many), so rather than send events for every process on those hosts, the sensor sends an initial ProcessRollup2 event, followed 10 minutes later by a ProcessRollup2Stats event with a SHA256 hash and the count of how many times the hash executed in the last 10 minutes.
fields:
- name: event_simpleName
required: true
description: event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: EffectiveTransmissionClass
description: Effective transmission class
type: bigint
- name: SHA256HashData
description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
type: string
indicators:
- sha256
- name: CommandLine
description: The command line used to create this process. May be empty in some circumstances
type: string
- name: UID
description: UID (Mac)
type: bigint
- name: ProcessCount
description: The ProcessCount.
type: bigint
- name: Timeout
description: The timeout
type: bigint
- name: ParentProcessId
description: The unique ID of the parent process.
type: bigint
- name: SuppressType
description: 'Values: GLOBAL (0) PARENT (1) UID (2) UIDNORMALIZED (3) PREFILTER (4) TIMEOUT_CHECK (5)'
type: bigint
- name: BoundedCount
description: The bounded count
type: bigintCrowdstrike.SyntheticProcessRollup2
A synthetic version of the process rollup (PR2) event.
Reference: CrowdStrike Documentation on SyntheticProcessRollup2.
schema: Crowdstrike.SyntheticProcessRollup2
parser:
native:
name: Crowdstrike.SyntheticProcessRollup2
description: A synthetic version of the process rollup (PR2) event
fields:
- name: event_simpleName
required: true
description: event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: TargetProcessId
description: The unique ID of a target process
type: string
- name: SourceProcessId
description: The unique ID of creating process.
type: string
- name: SourceThreadId
description: The unique ID of thread from creating process.
type: string
- name: ParentProcessId
description: The unique ID of the parent process.
type: string
- name: ImageFileName
description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process
type: string
- name: CommandLine
description: The command line used to create this process. May be empty in some circumstances
type: string
- name: RawProcessId
description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
type: String
- name: ProcessStartTime
description: The time the process began in UNIX epoch time (in decimal, non-hex format).
type: timestamp
timeFormat: unix
- name: ProcessEndTime
description: The time the process finished (in decimal, non-hex format).
type: timestamp
timeFormat: unix
- name: SHA256HashData
description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
type: string
indicators:
- sha256
- name: SHA1HashData
description: The SHA1 hash of a file
type: string
indicators:
- sha1
- name: MD5HashData
description: The MD5 hash of a file
type: string
indicators:
- md5
- name: SyntheticPR2Flags
description: PR2 flags (PROCESS_RUNDOWN = 0, PROCESS_HOLLOWED = 1, IMAGEHASH_FAILURE = 4, FILE_PATH_EXCLUDED = 8, PROCESS_FORK_FOLDING = 16, APP_MONITORING = 2)
type: int
- name: ImageSubsystem
description: Subsystem of the image filename (Windows only)
type: string
- name: UserSid
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only)
type: string
- name: AuthenticationId
description: The authentication identifier (Windows only)
type: string
- name: IntegrityLevel
description: The integrity level (Windows only)
type: string
- name: ProcessGroupId
description: Process group id (Mac)
type: String
- name: UID
description: UID (Mac)
type: String
- name: RUID
description: RUID (Mac)
type: String
- name: SVUID
description: SVUID (Mac)
type: String
- name: GID
description: GID (Mac)
type: String
- name: RGID
description: RGID (Mac)
type: String
- name: SVGID
description: SVGID (Mac)
type: String
- name: SessionProcessId
description: Session process id (Mac)
type: StringCrowdstrike.Unknown
This schema contains all the Crowdstrike events that don't match to any of the registered types.
Reference: CrowdStrike Documentation on API Event Types.
schema: Crowdstrike.Unknown
parser:
native:
name: Crowdstrike.Unknown
description: This table contains all the Crowdstrike events that don't match to any of the registered types
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events
fields:
- name: event_simpleName
description: Event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: unknown_payload
required: true
description: The full JSON payload of the event
type: jsonCrowdstrike.UserIdentity
The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms.
Reference: CrowdStrike Documentation on User Identity Events.
schema: Crowdstrike.UserIdentity
parser:
native:
name: Crowdstrike.UserIdentity
description: The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-UserIdentity
fields:
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: event_simpleName
required: true
description: Event Name
type: string
- name: AuthenticationId
required: true
description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
type: int
- name: UserPrincipal
required: true
description: UserPrincipal field
type: string
- name: UserSid
required: true
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
type: string
- name: AuthenticationUuid
description: AuthenticationUUID field
type: string
- name: AuthenticationUuidAsString
description: AuthenticationUUIDAsString field
type: string
- name: UID
description: The User ID.
type: bigint
- name: UserName
description: UserName field
type: string
indicators:
- username
- name: UserCanonical
description: UserCanonical field
type: string
- name: LogonId
description: LogonID field
type: string
- name: LogonDomain
description: LogonDomain field
type: string
- name: AuthenticationPackage
description: AuthenticationPackage field
type: string
- name: LogonType
description: 'Values: INTERACTIVE (2), NETWORK (3), BATCH (4), SERVICE (5), PROXY (6), UNLOCK (7), NETWORK_CLEARTEXT (8), CACHED_UNLOCK (13), NEW_CREDENTIALS (9), REMOTE_INTERACTIVE (10), CACHED_INTERACTIVE (11), CACHED_REMOTE_INTERACTIVE (12)'
type: int
- name: LogonTime
description: LogonTime field
type: timestamp
timeFormat: unix
- name: LogonServer
description: LogonServer field
type: string
- name: UserFlags
description: 'Values: LOGON_OPTIMIZED (0x4000), LOGON_WINLOGON (0x8000), LOGON_PKINIT (0x10000), LOGON_NOT_OPTIMIZED (0x20000)'
type: bigint
- name: PasswordLastSet
description: PasswordLastSet field
type: timestamp
timeFormat: unix
- name: RemoteAccount
description: RemoteAccount field
type: int
- name: UserIsAdmin
description: UserIsAdmin field
type: int
- name: SessionId
description: SessionID field
type: string
indicators:
- trace_id
- name: UserLogonFlags
description: 'Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)'
type: intCrowdstrike.UserInfo
User Account & Logon information provided by Falcon Discover.
Reference: CrowdStrike Documentation on Falcon Data Replicator UserInfo.
schema: Crowdstrike.UserInfo
parser:
native:
name: Crowdstrike.UserInfo
description: User Account & Logon information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-userinfo
fields:
- name: _time
required: true
description: The host's local time in epoch format.
type: timestamp
timeFormat: unix
isEventTime: true
- name: cid
required: true
description: The customer ID.
type: string
indicators:
- trace_id
- name: AccountType
required: true
description: 'The type of account set for the user: ''Domain User'', ''Domain Administrator'', ''Local User''.'
type: string
- name: DomainUser
required: true
description: 'Indicates if the user''s credentials are part of a domain controller: ''Yes'', ''No''.'
type: string
- name: UserName
required: true
description: The username of the system.
type: string
indicators:
- username
- name: UserSid_readable
required: true
description: The user SID associated with this process.
type: string
- name: LastLoggedOnHost
description: The host that was last logged into the system.
type: string
- name: LocalAdminAccess
description: 'Indicates whether a local user is an admin: ''Yes'', ''No''.'
type: string
- name: LoggedOnHostCount
description: The number of hosts logged in at _time.
type: int
- name: LogonInfo
description: The login information.
type: string
- name: LogonTime
description: The last login time by this user in epoch format.
type: timestamp
timeFormat: unix
- name: LogonType
description: 'Values defined as follows, INTERACTIVE: The security principal is logging on interactively, NETWORK: The security principal is logging on using a network, TERMINAL SERVER: The security principal has logged in via a terminal server.'
type: string
- name: monthsincereset
description: The number of months since this user's password was last reset.
type: int
- name: PasswordLastSet
description: The last time in epoch format that this user's password in the system was set.
type: timestamp
timeFormat: unix
- name: User
description: A system username with domain.
type: string
- name: UserIsAdmin
description: Indicates whether the user account has administrator privileges.
type: smallint
- name: UserLogonFlags_decimal
description: A bitfield for various bits of a UserLogon, or failed user logon.
type: intCrowdstrike.UserLogonLogoff
Contains the UserLogon and UserLogoff events.
Reference: CrowdStrike Documentation on User Logon Logoff.
schema: Crowdstrike.UserLogonLogoff
parser:
native:
name: Crowdstrike.UserLogonLogoff
description: Contains the UserLogon and UserLogoff events
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
- name: event_simpleName
required: true
description: event name
type: string
- name: name
required: true
description: The event name
type: string
- name: aid
description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
type: string
indicators:
- trace_id
- name: aip
description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
type: string
indicators:
- ip
- name: cid
description: CID
type: string
indicators:
- trace_id
- name: id
description: ID
type: string
- name: event_platform
description: The platform the sensor was running on
type: string
- name: timestamp
description: Timestamp when the event was received by the CrowdStrike cloud.
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: _time
description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
type: timestamp
timeFormat: layout=01/02/2006 15:04:05.999
- name: ComputerName
description: The name of the host.
type: string
indicators:
- hostname
- name: ConfigBuild
description: Config build
type: string
- name: ConfigStateHash
description: Config state hash
type: string
- name: Entitlements
description: Entitlements
type: string
- name: TreeId
description: If this event is part of a detection tree, the tree ID it is part of
type: string
indicators:
- trace_id
- name: TreeId_decimal
description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
type: bigint
- name: ContextThreadId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextThreadId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: ContextTimeStamp
description: The time at which an event occurred on the system, as seen by the sensor.
type: timestamp
timeFormat: unix
- name: ContextTimeStamp_decimal
description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
type: timestamp
timeFormat: unix_ms
- name: ContextProcessId
description: The unique ID of a process that was spawned by another process.
type: string
- name: ContextProcessId_decimal
description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
type: bigint
- name: InContext
description: In context (N/A on iOS)
type: string
- name: UserIsAdmin
description: Indicates whether the user account has administrator privileges
type: int
- name: UserLogonFlags
description: 'Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)'
type: bigint
- name: UserName
description: The username
type: string
indicators:
- username
- name: UserPrincipal
description: The user principal
type: string
- name: UserSid
description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system
type: string
- name: LogonTime
description: The logon time
type: timestamp
timeFormat: unix
- name: LogonType
description: 'Values: INTERACTIVE (2) NETWORK (3) BATCH (4) SERVICE (5) PROXY (6) UNLOCK (7) NETWORK_CLEARTEXT (8) CACHED_UNLOCK (13) REMOTE_INTERACTIVE (10) NEW_CREDENTIALS (9) CACHED_INTERACTIVE (11) CACHED_REMOTE_INTERACTIVE (12)'
type: bigint
- name: PasswordLastSet
description: The time the password was last set
type: timestamp
timeFormat: unix
- name: RawProcessId
description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
type: bigint
- name: UID
description: The User ID
type: bigint
- name: UserGroupsBitmask
description: The user group bitmask
type: bigint
- name: EffectiveTransmissionClass
description: The user principal
type: bigint
- name: AuthenticationId
description: The authentication identifier
type: string
- name: LogoffTime
description: The logoff time
type: timestamp
timeFormat: unix
- name: UserLogoffType
description: 'Values: LOGOFF_EVENT_SOURCE (0x01) LOGOFF_PROFILE_UNLOAD (0x02) ETW (0x03) SYNTHETIC (0x04)'
type: bigintLast updated
