CrowdStrike Falcon Data Replicator

Connecting CrowdStrike logs to your Panther Console


Last updated 3 months ago


Overview

Panther supports pulling logs directly from CrowdStrike events by integrating with the Falcon Data Replicator (FDR). To ingest CrowdStrike logs into Panther, you must have an active subscription to FDR, and it must be enabled in CrowdStrike.

As of Panther version 1.52, all new CrowdStrike log source configurations will use the Crowdstrike.FDREvent log type.

See Panther's KB for information on .

CrowdStrike Falcon Data Replicator logs video walkthrough

How to onboard CrowdStrike Falcon Data Replicator logs to Panther

Prerequisites

    • There is no minimum version of FDR required.

Step 1: Create FDR API Keys

  1. In your CrowdStrike Falcon console, navigate to the FDR overview for your instance.

    • This URL should be falcon.<cloud-region>.crowdstrike.com/fdr

    • Click Next.

  2. On the Review page, click Create feed.

Step 2: Create a new CrowdStrike Falcon Data Replicator Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "CrowdStrike Falcon Data Replicator," then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. On the Configure page, fill in the form:

    • Name: Enter a descriptive name for the source, e.g. CrowdStrike FDR.

    • SQS URL: Enter the URL for the CrowdStrike-managed SQS queue, previously copied.

    • AWS Access Key: Enter the AWS access key you copied in the previous step.

    • AWS Secret Key: Enter the AWS secret you copied in the previous step.

  6. Click Setup. You will be directed to a success screen:

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-managed detections

Supported log types

Crowdstrike.FDREvent

Crowdstrike.FDREvent contains all event types produced by the FDR. Including all types of events in a single log type helps to:

  • Provide ongoing ingestion flexibility and reduce maintenance efforts.

    • For example, if CrowdStrike adds a new event type, you may not need to rewrite existing detection logic and data queries.

  • Simplify querying of CrowdStrike logs by enriching all Crowdstrike.FDREvent logs with commonly referenced fields, such as event_simpleName.

  • Expedite investigations by leveraging the indicators extracted from each FDR event type and stored in Crowdstrike.FDREvent.

FDR events

The FDR data stream sends the following two types of events:

  • Primary events

    • These events include information related to threat hunting, archiving data, warehousing data, and SIEM activity.

  • Secondary events

    • These events include additional environment information.

How fdr_event_type is set

Not all FDR events contain the same fields. To accommodate this, the value of fdr_event_type is assigned dynamically, according to the following rules (ordered by precedence):

  1. If event_simpleName is present, fdr_event_type = event_simpleName

  2. If event_type is present, fdr_event_type = event.event_type

  3. If ExternalApiType is present, fdr_event_type = event.ExternalApiType

    • Crowdstrike.DetectionSummary and Crowdstrike.ActivityAudit log types define this ExternalApiType field.

    • In this case, the resulting log type is still Crowdstrike.FDREvent.

  4. If none of the above conditions are met, fdr_event_type = unknown
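The precedence rules above, reproduced as an added example (this is not Panther's code). It derives fdr_event_type for a few constructed FDR payloads and shows a Panther-style rule() that alerts when an event falls through to "unknown", so new or unexpected event types surface instead of silently escaping detection logic. Assumptions: event_type and ExternalApiType are looked up both at the top level and inside the raw `event` JSON payload, and a field counts as present only when its value is non-empty.

```python
"""Added example, not Panther's own code: mirror the fdr_event_type precedence
rules and dispatch a Panther-style rule on the derived value."""
from typing import Any, Dict, Optional

UNKNOWN = "unknown"

# Precedence order from the page: event_simpleName, then event_type,
# then ExternalApiType, otherwise "unknown".
PRECEDENCE = ("event_simpleName", "event_type", "ExternalApiType")


def _present(record: Dict[str, Any], key: str) -> Optional[str]:
    """Return the field's value if it is present and non-empty, else None.

    Assumption (not stated on the page): the field may sit at the top level
    of the parsed row or inside the raw `event` JSON payload that
    Crowdstrike.FDREvent keeps, so both locations are checked.
    """
    value = record.get(key)
    if value in (None, ""):
        payload = record.get("event")
        if isinstance(payload, dict):
            value = payload.get(key)
    return str(value) if value not in (None, "") else None


def derive_fdr_event_type(record: Dict[str, Any]) -> str:
    """Apply the precedence rules and return the resulting fdr_event_type."""
    for key in PRECEDENCE:
        value = _present(record, key)
        if value is not None:
            return value
    return UNKNOWN


def rule(event: Dict[str, Any]) -> bool:
    """Panther-style rule: fire when the event type could not be classified.

    A parsed Crowdstrike.FDREvent row already carries fdr_event_type; a raw
    payload (e.g. in a unit test) does not, so it is derived on the fly.
    """
    event_type = event.get("fdr_event_type") or derive_fdr_event_type(event)
    return event_type == UNKNOWN


def title(event: Dict[str, Any]) -> str:
    """Alert title, keyed on the sensor ID so repeats dedup per host."""
    return f"Unclassified CrowdStrike FDR event from aid={event.get('aid', '<no aid>')}"


# Constructed sample payloads for the example (values are illustrative only).
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    # Rule 1: event_simpleName wins even when event_type is also present.
    "process": {
        "aid": "aid-example-1",
        "event_simpleName": "ProcessRollup2",
        "event": {"event_type": "ignored-because-simpleName-wins"},
    },
    # Rule 2: no event_simpleName, event_type inside the raw payload.
    "typed": {"aid": "aid-example-2", "event": {"event_type": "sample_event_type"}},
    # Rule 3: only ExternalApiType, as DetectionSummary/ActivityAudit events carry.
    "api": {"aid": "aid-example-3", "event": {"ExternalApiType": "SampleApiType"}},
    # Rule 4: nothing usable, including an empty event_simpleName.
    "bare": {"aid": "aid-example-4", "event_simpleName": "", "event": {}},
}


def classify_samples() -> Dict[str, str]:
    """Derive fdr_event_type for every constructed sample."""
    return {name: derive_fdr_event_type(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, event_type in classify_samples().items():
        flagged = rule(SAMPLE_EVENTS[name])
        print(f"{name:8s} fdr_event_type={event_type:<24s} alert={flagged}")
```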

schema: Crowdstrike.FDREvent
parser:
    native:
        name: Crowdstrike.FDREvent
description: Contains all Crowdstrike Falcon Data Replicator events
referenceURL: https://falcon.us-2.crowdstrike.com/documentation/9/falcon-data-replicator
fields:
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormats:
        - unix_ms
        - rfc3339
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormats:
        - '%m/%d/%Y %H:%M:%S.%f'
        - unix
      isEventTime: true
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormats:
        - unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: event_simpleName
      description: Event name
      type: string
    - name: fdr_event_type
      description: Crowdstrike Event type (populated by panther)
      type: string
    - name: TargetProcessId_decimal
      description: The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
      type: string
    - name: FileName
      description: The name of the file.
      type: string
    - name: FilePath
      description: The full path of the file, including the file name.
      type: string
    - name: event
      description: The full JSON payload of the event
      type: json

Legacy log types

Crowdstrike.AIDMaster

Sensor and Host information provided by Falcon Insight.

schema: Crowdstrike.AIDMaster
parser:
    native:
        name: Crowdstrike.AIDMaster
description: Sensor and Host information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master
fields:
    - name: Time
      required: true
      description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _time event). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: AgentLoadFlags
      required: true
      description: 'Whether the sensor loaded during or after the Windows host''s boot process. Example values: 0, 1'
      type: int
    - name: AgentLocalTime
      required: true
      description: The local time for the sensor in epoch format.
      type: timestamp
      timeFormat: unix
    - name: AgentTimeOffset
      required: true
      description: The time since the last reboot in epoch format.
      type: float
    - name: AgentVersion
      required: true
      description: The version of the sensor running on a host.
      type: string
    - name: aid
      required: true
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - trace_id
    - name: aip
      required: true
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: BiosManufacturer
      description: The manufacturer of the host's BIOS.
      type: string
    - name: BiosVersion
      description: The version of the host's BIOS.
      type: string
    - name: ChassisType
      description: Type of system chassis, as defined in SMBIOS Standard.
      type: string
    - name: City
      description: The system's city of origin.
      type: string
    - name: Country
      description: The system's country of origin.
      type: string
    - name: Continent
      description: The sensor's continent, as seen from the CrowdStrike cloud.
      type: string
    - name: ComputerName
      description: The name of the host.
      type: string
    - name: ConfigBuild
      description: ConfigBuild field
      type: string
    - name: ConfigIDBuild
      description: Build number used as part of the ConfigID.
      type: string
    - name: event_platform
      description: 'The platform the sensor is running on. Example values: ''Win'', ''Lin'', ''Mac''.'
      type: string
    - name: FalconGroupingTags
      description: FalconGroupingTags field
      type: string
    - name: FirstSeen
      description: The first time the sensor was seen by the CrowdStrike cloud in epoch format.
      type: timestamp
      timeFormat: unix
    - name: MachineDomain
      description: The Windows domain name to which the host is currently joined.
      type: string
    - name: OU
      description: The organizational unit of the host as seen by the sensor (defined by system admin).
      type: string
    - name: PointerSize
      description: 'The processor architecture (in decimal, non-hex format): ''4'' for 32-bit, ''8'' for 64-bit, or ''none'' for unknown.'
      type: string
    - name: ProductType
      description: 'The type of product (in decimal, non-hex format). Example values: ''1'' (Workstation), ''2'' (Domain Controller), ''3'' (Server).'
      type: string
    - name: SensorGroupingTags
      description: SensorGroupingTags field
      type: string
    - name: ServicePackMajor
      description: 'The major version # of the OS Service Pack (in decimal, non-hex format).'
      type: string
    - name: SiteName
      description: The site name of the domain to which the host is joined (defined by system admin).
      type: string
    - name: SystemManufacturer
      description: The host's system manufacturer.
      type: string
    - name: SystemProductName
      description: The host's product name.
      type: string
    - name: Timezone
      description: The sensor's time zone, as seen from the CrowdStrike cloud.
      type: string
    - name: Version
      description: The host's system version.
      type: string
    - name: HostHiddenStatus
      description: Whether the host is visible or not.
      type: string

Crowdstrike.ActivityAudit

Contains activity audit information.

schema: Crowdstrike.ActivityAudit
parser:
    native:
        name: Crowdstrike.ActivityAudit
description: Contains activity audit information
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication
fields:
    - name: AgentIdString
      description: The Agent ID
      type: string
    - name: cid
      description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud.
      type: string
      indicators:
        - trace_id
    - name: ExternalApiType
      required: true
      description: The external API type
      type: string
    - name: Nonce
      description: The nonce
      type: bigint
    - name: ServiceName
      description: The service name
      type: string
    - name: UserId
      description: User that performed the operation, e.g. person that performed the operation to create a new user account.
      type: string
      indicators:
        - email
    - name: UserIp
      description: IP address of user that performs the operation.
      type: string
      indicators:
        - ip
    - name: CustomerIdString
      description: Unique ID assigned by CS for each customer.
      type: string
    - name: EventType
      required: true
      description: Will be Event_ExternalApiEvent
      type: string
    - name: OperationName
      description: The operation name
      type: string
    - name: UTCTimestamp
      description: The timestamp
      type: timestamp
      timeFormat: unix_ms
    - name: timestamp
      required: true
      description: The timestamp
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: AuditKeyValues
      description: The AuditKeyValues
      type: array
      element:
        type: object
        fields:
            - name: Key
              description: The Key
              type: string
            - name: ValueString
              description: The value as a string
              type: string
    - name: eid
      description: The EID
      type: bigint
    - name: Success
      description: If the operation was successful or not
      type: boolean
    - name: EventUUID
      description: The EventUUID
      type: string

Crowdstrike.AppInfo

Detected Application Information provided by Falcon Discover.

schema: Crowdstrike.AppInfo
parser:
    native:
        name: Crowdstrike.AppInfo
description: Detected Application Information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo
fields:
    - name: _time
      required: true
      description: The host's local time in epoch format.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - trace_id
    - name: CompanyName
      required: true
      description: The name of the company.
      type: string
    - name: detectioncount
      required: true
      description: The number of detections.
      type: bigint
    - name: FileName
      required: true
      description: The name of the file.
      type: string
    - name: SHA256HashData
      required: true
      description: The file hash based on SHA-256.
      type: string
      indicators:
        - sha256
    - name: FileDescription
      description: The description of the file, if any.
      type: string
    - name: FileVersion
      description: The version of the file.
      type: string
    - name: ProductName
      description: The name of the product.
      type: string
    - name: ProductVersion
      description: The version of the product.
      type: string

Crowdstrike.CriticalFile

This event is generated every time a critical file is accessed or modified.

schema: Crowdstrike.CriticalFile
parser:
    native:
        name: Crowdstrike.CriticalFile
description: This event is generated every time a critical file is accessed or modified
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format).
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: EffectiveTransmissionClass
      description: Effective transmission class
      type: bigint
    - name: GID
      description: The user Group ID
      type: bigint
    - name: TargetFileName
      description: The file that was accessed
      type: string
    - name: UID
      description: The User ID
      type: bigint
    - name: UnixMode
      description: The unix file permissions
      type: string
    - name: FileIdentifier
      description: The file identifier
      type: string
    - name: USN
      description: The USN
      type: bigint
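The schemas above declare four different timeFormat values for their timestamp fields: unix (seconds), unix_ms (milliseconds), rfc3339, and a Go reference layout such as layout=01/02/2006 15:04:05.999. The following is an added example, not Panther's or CrowdStrike's code, showing how each of those formats is parsed into a comparable UTC datetime and how the sensor-side and cloud-side times on a Crowdstrike.CriticalFile event can be compared to measure delivery lag. SAMPLE_EVENT is constructed, not a real capture; its field names and timeFormat values are the ones declared in the CriticalFile schema.

```python
"""Parse the timestamp formats declared in the Crowdstrike.* schemas
(timeFormat: unix, unix_ms, rfc3339, layout=<Go reference layout>) and
measure sensor-to-cloud delivery lag on a CriticalFile event.

Added example; not Panther's or CrowdStrike's code. SAMPLE_EVENT is
constructed; the field names and timeFormats come from the schema above.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

# Go reference-time tokens used by the schema layouts, mapped to strptime
# directives. Go's ".999" is an optional fraction, handled in parse_time.
_GO_TOKENS = {
    "2006": "%Y",
    "01": "%m",
    "02": "%d",
    "15": "%H",
    "04": "%M",
    "05": "%S",
    ".999": ".%f",
}


def go_layout_to_strptime(layout: str) -> str:
    """Translate a Go layout into a strptime format, scanning left to right."""
    out, i = [], 0
    while i < len(layout):
        for token, directive in _GO_TOKENS.items():
            if layout.startswith(token, i):
                out.append(directive)
                i += len(token)
                break
        else:
            out.append(layout[i])
            i += 1
    return "".join(out)


def parse_time(time_format: str, value: Any) -> datetime:
    """Parse a field value per its schema timeFormat; result is tz-aware UTC."""
    if time_format == "unix":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if time_format == "unix_ms":
        ms = int(value)  # integer arithmetic keeps the milliseconds exact
        return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    if time_format == "rfc3339":
        text = str(value).replace("Z", "+00:00")  # fromisoformat before 3.11 rejects 'Z'
        return datetime.fromisoformat(text).astimezone(timezone.utc)
    if time_format.startswith("layout="):
        fmt = go_layout_to_strptime(time_format[len("layout="):])
        text = str(value)
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            # Go omits the fraction entirely when it is zero, while %f needs
            # at least one digit: retry without the fractional part.
            if ".%f" not in fmt:
                raise
            parsed = datetime.strptime(text, fmt.replace(".%f", ""))
        return parsed.replace(tzinfo=timezone.utc)  # layout has no zone; assumed UTC
    raise ValueError(f"unsupported timeFormat: {time_format}")


# timeFormat declared for each timestamp field of Crowdstrike.CriticalFile.
CRITICAL_FILE_TIME_FIELDS = {
    "timestamp": "unix_ms",
    "_time": "layout=01/02/2006 15:04:05.999",
    "ContextTimeStamp": "unix",
    "ContextTimeStamp_decimal": "unix_ms",
}


def event_times(event: dict[str, Any]) -> dict[str, datetime]:
    """Parse every declared timestamp field that is present on the event."""
    return {
        field: parse_time(fmt, event[field])
        for field, fmt in CRITICAL_FILE_TIME_FIELDS.items()
        if event.get(field) is not None
    }


def delivery_lag_ms(event: dict[str, Any]) -> int:
    """Milliseconds between the sensor observing the access (ContextTimeStamp)
    and the cloud receiving it (timestamp). Large values mean the host was
    offline or buffering: order such events by ContextTimeStamp, not arrival."""
    times = event_times(event)
    return round((times["timestamp"] - times["ContextTimeStamp"]).total_seconds() * 1000)


SAMPLE_EVENT = {  # constructed; not a real capture
    "event_simpleName": "CriticalFileAccessed",  # constructed value
    "aid": "00000000000000000000000000000000",   # placeholder sensor ID
    "ComputerName": "srv-example-01",
    "TargetFileName": "/etc/sudoers",
    "UID": 0,
    "GID": 0,
    "UnixMode": "0440",
    "ContextTimeStamp": 1700000000,          # unix seconds, sensor clock
    "ContextTimeStamp_decimal": 1700000000000,
    "timestamp": 1700000000123,              # unix_ms, cloud receive time
    "_time": "11/14/2023 22:13:20.123",      # layout=01/02/2006 15:04:05.999
}
```

The same parse_time function applies to the other schemas on this page, since they use the same four timeFormat values; only the field-to-format table needs to change per schema. The layout branch assumes UTC because the Go layout carries no zone designator, which matches the schema's description of _time as the cloud receive time.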

Crowdstrike.DNSRequest

This event is generated for every attempted DNS name resolution on a host.

schema: Crowdstrike.DNSRequest
parser:
    native:
        name: Crowdstrike.DNSRequest
description: This event is generated for every attempted DNS name resolution on a host.
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format).
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: EffectiveTransmissionClass
      description: Effective transmission class
      type: bigint
    - name: DomainName
      description: The domain name requested
      type: string
      indicators:
        - domain
    - name: InterfaceIndex
      description: The network interface index (Windows only)
      type: bigint
    - name: DualRequest
      description: If the event is dual request (Windows only)
      type: bigint
    - name: DnsRequestCount
      description: The number of DNS requests (Windows only)
      type: bigint
    - name: AppIdentifier
      description: The identifier of the app that made the request (Android, iOS)
      type: string
    - name: IpAddress
      description: The device IP address (Android, iOS)
      type: string
      indicators:
        - ip
    - name: RequestType
      description: The DNS request type
      type: string

Crowdstrike.DetectionSummary

Detection Summary events include multiple detections, when multiple malicious behaviors are detected.

schema: Crowdstrike.DetectionSummary
parser:
    native:
        name: Crowdstrike.DetectionSummary
description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected.
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary
fields:
    - name: cid
      description: Customer ID
      type: string
      indicators:
        - trace_id
    - name: Technique
      description: The name of the technique associated to the behavior.
      type: string
    - name: ProcessId
      description: Process ID.
      type: bigint
    - name: AgentIdString
      description: Agent Id.
      type: string
    - name: DetectName
      description: 'NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information'
      type: string
    - name: ComputerName
      description: Host name.
      type: string
    - name: ProcessStartTime
      description: Timestamp of when a process started.
      type: timestamp
      timeFormat: unix
    - name: GrandparentCommandLine
      description: The command line of the grandparent process.
      type: string
    - name: MACAddress
      description: The MAC Address
      type: string
    - name: CommandLine
      description: The command line execution of the process.
      type: string
    - name: Objective
      description: The name of the objective associated to the behavior.
      type: string
    - name: Nonce
      description: The nonce.
      type: bigint
    - name: SHA256String
      description: SHA256 hash.
      type: string
      indicators:
        - sha256
    - name: ExternalApiType
      required: true
      description: The type of the External API
      type: string
    - name: PatternDispositionValue
      description: The pattern disposition value.
      type: bigint
    - name: DetectId
      description: 'The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922'
      type: string
    - name: Severity
      description: The severity
      type: bigint
    - name: PatternDispositionDescription
      description: The description of the pattern associated to the action taken on the behavior.
      type: string
    - name: SeverityName
      description: The severity name.
      type: string
    - name: MD5String
      description: MD5 hash
      type: string
      indicators:
        - md5
    - name: EventUUID
      description: Event UUID
      type: string
    - name: UserName
      description: User name.
      type: string
      indicators:
        - username
    - name: FilePath
      description: Full path of the file, excluding the file name.
      type: string
    - name: timestamp
      description: The timestamp
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: ParentCommandLine
      description: The command line of the parent process.
      type: string
    - name: DetectDescription
      description: 'A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly.'
      type: string
    - name: LocalIP
      description: The local IP.
      type: string
      indicators:
        - ip
    - name: ProcessEndTime
      description: Timestamp of when a process ended in UNIX EPOCH time.
      type: timestamp
      timeFormat: unix
    - name: SHA1String
      description: SHA1 hash
      type: string
      indicators:
        - sha1
    - name: OriginSourceIpAddress
      description: The OriginSourceIpAddress.
      type: string
      indicators:
        - ip
    - name: GrandparentImageFileName
      description: The GrandparentImageFileName
      type: string
    - name: MachineDomain
      description: The Windows Domain Name to which the machine is currently joined.
      type: string
    - name: ParentImageFileName
      description: The ParentImageFileName
      type: string
    - name: FalconHostLink
      description: Link to view detection event in Falcon console.
      type: string
    - name: UTCTimestamp
      description: The UTC timestamp.
      type: timestamp
      timeFormat: unix_ms
    - name: FileName
      description: File name if a file is involved in the detection.
      type: string
    - name: ParentProcessId
      description: Parent Process ID.
      type: bigint
    - name: EventType
      required: true
      description: The EventType.
      type: string
    - name: CustomerIdString
      description: Unique ID assigned by CS for each customer.
      type: string
    - name: Tactic
      description: The name of the tactic associated to the behavior.
      type: string
    - name: SensorId
      description: Falcon sensor Agent ID.
      type: string
    - name: eid
      description: The EID.
      type: bigint
    - name: PatternDispositionFlags
      description: The pattern disposition flags
      type: json
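The DetectionSummary schema carries two warnings of its own: DetectName is deprecated in favour of Objective, Tactic and Technique, and DetectDescription is free text that CrowdStrike updates regularly and should not drive workflows. The following is an added example, not Panther's or CrowdStrike's code, of triaging a DetectionSummary event on the stable enumerated fields only. SAMPLE_DETECTION is constructed (its DetectId is the example value quoted in the DetectId description above); the severity names and tactics in PAGE_SEVERITIES and ESCALATE_TACTICS are assumptions to be tuned locally, not values the schema enumerates.

```python
"""Triage a Crowdstrike.DetectionSummary event on its stable fields
(SeverityName, Tactic, Technique) instead of DetectName (deprecated) or
DetectDescription (free text the schema says not to drive workflows from).

Added example; not Panther's or CrowdStrike's code. SAMPLE_DETECTION is
constructed; the two sets below are assumptions, not schema enumerations.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

PAGE_SEVERITIES = {"High", "Critical"}                    # assumption; tune locally
ESCALATE_TACTICS = {"Credential Access", "Exfiltration"}  # assumption; tune locally


def to_iso(unix_seconds: Any) -> str | None:
    """ProcessStartTime/ProcessEndTime are unix seconds; None stays None."""
    if unix_seconds is None:
        return None
    return datetime.fromtimestamp(float(unix_seconds), tz=timezone.utc).isoformat()


def process_chain(event: dict[str, Any]) -> list[str]:
    """Grandparent -> parent -> process command lines, skipping absent ones."""
    return [
        event[k] for k in ("GrandparentCommandLine", "ParentCommandLine", "CommandLine")
        if event.get(k)
    ]


def should_escalate(event: dict[str, Any]) -> bool:
    """Escalate on severity or on a watched tactic; never on free-text fields."""
    return (event.get("SeverityName") in PAGE_SEVERITIES
            or event.get("Tactic") in ESCALATE_TACTICS)


def triage(event: dict[str, Any]) -> dict[str, Any]:
    """Build the alert record an analyst sees. DetectDescription is carried
    through as context only; nothing here branches on it."""
    tactic, technique = event.get("Tactic", "?"), event.get("Technique", "?")
    return {
        "escalate": should_escalate(event),
        "dedup_key": event.get("DetectId"),  # one alert per detection, even if re-delivered
        "title": (f"{event.get('ComputerName')}: {tactic} / {technique} "
                  f"({event.get('SeverityName')}) as {event.get('UserName')}"),
        "hashes": {k: event[k] for k in ("SHA256String", "SHA1String", "MD5String") if event.get(k)},
        "process_chain": process_chain(event),
        "process_started": to_iso(event.get("ProcessStartTime")),
        "console_link": event.get("FalconHostLink"),
        "context": event.get("DetectDescription"),
    }


SAMPLE_DETECTION = {  # constructed; not a real detection
    "cid": "00000000000000000000000000000000",       # placeholder customer ID
    "SensorId": "11111111111111111111111111111111",  # placeholder agent ID
    "ComputerName": "ws-example-02",
    "UserName": "jdoe",
    "Severity": 4,
    "SeverityName": "High",
    "Tactic": "Credential Access",
    "Technique": "OS Credential Dumping",
    "DetectId": "ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922",  # example from the schema
    "ProcessStartTime": 1700000000,
    "CommandLine": "C:\\Users\\jdoe\\Downloads\\setup.exe /silent",
    "ParentCommandLine": "explorer.exe",
    "SHA256String": "0" * 64,  # placeholder hash
    "DetectDescription": "Free-text guidance; do not key logic on this field.",
    "FalconHostLink": "https://falcon.example.invalid/placeholder",
}
```

Keying deduplication on DetectId rather than on the title means a detection that the streaming API delivers more than once, or that is updated as more behaviours are attached to it, collapses into a single alert.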

Crowdstrike.GroupIdentity

Provides the mapping between GID, AuthenticationId, UserPrincipal, and UserSid, which is unique per sensor boot. Available only for the Mac platform.

schema: Crowdstrike.GroupIdentity
parser:
    native:
        name: Crowdstrike.GroupIdentity
description: Provides the mapping between GID, AuthenticationId, UserPrincipal, and UserSid, which is unique per sensor boot. Available only for the Mac platform.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity
fields:
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format).
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: event_simpleName
      required: true
      description: Event Name
      type: string
    - name: GID
      required: true
      description: The user Group ID.
      type: bigint
    - name: AuthenticationUuid
      required: true
      description: AuthenticationUUID field
      type: string
    - name: AuthenticationUuidAsString
      required: true
      description: AuthenticationUUIDAsString field
      type: string
    - name: AuthenticationId
      required: true
      description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
      type: int
    - name: UserPrincipal
      required: true
      description: UserPrincipal field
      type: string
    - name: UserSid
      required: true
      description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
      type: string

Crowdstrike.ManagedAssets

Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address).

schema: Crowdstrike.ManagedAssets
parser:
    native:
        name: Crowdstrike.ManagedAssets
description: 'Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)'
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets
fields:
    - name: _time
      required: true
      description: The host's local time in epoch format.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: aid
      required: true
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - trace_id
    - name: GatewayIP
      description: The gateway of the system where the sensor is installed.
      type: string
      indicators:
        - ip
    - name: GatewayMAC
      description: The MAC address of the gateway.
      type: string
    - name: MACPrefix
      required: true
      description: An identifier unique to the organization.
      type: string
    - name: MAC
      required: true
      description: The MAC address of the system.
      type: string
    - name: LocalAddressIP4
      required: true
      description: The device's local IP address in IPv4 format.
      type: string
      indicators:
        - ip
    - name: InterfaceAlias
      description: The user-friendly name of the IP interface.
      type: string
    - name: InterfaceDescription
      description: The network adapter used for the IP interface.
      type: string

Crowdstrike.NetworkConnect

This event is generated when an application attempts a remote connection on an interface.

schema: Crowdstrike.NetworkConnect
parser:
    native:
        name: Crowdstrike.NetworkConnect
description: This event is generated when an application attempts a remote connection on an interface
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format).
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: LocalAddressIP4
      description: Local IPv4 address for the connection
      type: string
      indicators:
        - ip
    - name: LocalAddressIP6
      description: Local IPv6 address for the connection
      type: string
      indicators:
        - ip
    - name: RemoteAddressIP4
      description: Remote IPv4 address for the connection
      type: string
      indicators:
        - ip
    - name: RemoteAddressIP6
      description: Remote IPv6 address for the connection
      type: string
      indicators:
        - ip
    - name: ConnectionFlags
      description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
      type: int
    - name: Protocol
      description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17)
      type: int
    - name: LocalPort
      description: Connection local port
      type: int
    - name: RemotePort
      description: Connection remote port
      type: int
    - name: ConnectionDirection
      description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
      type: int
    - name: IcmpType
      description: ICMP type (N/A on iOS)
      type: string
    - name: IcmpCode
      description: ICMP code (N/A on iOS)
      type: string

Crowdstrike.NetworkListen

This event is generated when an application establishes a socket in listening mode.

schema: Crowdstrike.NetworkListen
parser:
    native:
        name: Crowdstrike.NetworkListen
description: This event is generated when an application establishes a socket in listening mode
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format).
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: LocalAddressIP4
      description: Local IPv4 address for the connection
      type: string
      indicators:
        - ip
    - name: LocalAddressIP6
      description: Local IPv6 address for the connection
      type: string
      indicators:
        - ip
    - name: RemoteAddressIP4
      description: Remote IPv4 address for the connection
      type: string
      indicators:
        - ip
    - name: RemoteAddressIP6
      description: Remote IPv6 address for the connection
      type: string
      indicators:
        - ip
    - name: ConnectionFlags
      description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
      type: int
    - name: Protocol
      description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17)
      type: int
    - name: LocalPort
      description: Connection local port
      type: int
    - name: RemotePort
      description: Connection remote port
      type: int
    - name: ConnectionDirection
      description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
      type: int
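Crowdstrike.NetworkConnect and Crowdstrike.NetworkListen share the same enumerated fields: ConnectionFlags is a bit field (RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL = 2, ...), Protocol uses IP protocol numbers, and ConnectionDirection is a small enum. The following is an added example, not Panther's or CrowdStrike's code, that decodes those three fields for both schemas, picks the populated IPv4 or IPv6 address on each side, and runs a sample detection on the decoded values. The two event dicts are constructed, not real captures, and their event_simpleName values are placeholders.

```python
"""Decode the enumerated fields shared by Crowdstrike.NetworkConnect and
Crowdstrike.NetworkListen (ConnectionFlags, Protocol, ConnectionDirection)
and apply a sample detection on top of them.

Added example; not Panther's or CrowdStrike's code. The numeric mappings
are taken from the two schemas' field descriptions; the two event dicts
are constructed, not real captures.
"""
from __future__ import annotations

from typing import Any

# ConnectionFlags is a bit field, so several of these may be set at once.
CONNECTION_FLAGS = {
    1: "RAW_SOCKET",
    2: "PROMISCUOUS_MODE_SIO_RCVALL",
    4: "PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST",
    8: "PROMISCUOUS_MODE_SIO_RCVALL_MCAST",
}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
DIRECTIONS = {0: "OUTBOUND", 1: "INBOUND", 2: "NEITHER", 3: "BOTH"}


def decode_connection_flags(value: int) -> list[str]:
    """Expand the bit field into flag names; undocumented bits are reported
    as UNKNOWN(...) rather than silently dropped."""
    names = [name for bit, name in sorted(CONNECTION_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CONNECTION_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def endpoint(event: dict[str, Any], side: str) -> str:
    """'ip:port' for the Local or Remote side, from whichever of the IP4/IP6
    fields the sensor populated."""
    ip = event.get(f"{side}AddressIP4") or event.get(f"{side}AddressIP6") or "?"
    port = event.get(f"{side}Port", "?")
    return f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"


def summarize(event: dict[str, Any]) -> dict[str, Any]:
    """Normalize one NetworkConnect/NetworkListen event into readable fields."""
    proto = event.get("Protocol")
    return {
        "host": event.get("ComputerName"),
        "event": event.get("event_simpleName"),
        "protocol": PROTOCOLS.get(proto, f"proto{proto}"),
        "direction": DIRECTIONS.get(event.get("ConnectionDirection"), "UNKNOWN"),
        "local": endpoint(event, "Local"),
        "remote": endpoint(event, "Remote"),
        "flags": decode_connection_flags(int(event.get("ConnectionFlags") or 0)),
    }


def rule_raw_or_promiscuous_socket(event: dict[str, Any]) -> bool:
    """Fire when a process opens a raw socket or enables promiscuous receive
    (any ConnectionFlags bit set): on an ordinary endpoint that is usually a
    packet-capture or scanning tool and deserves a look."""
    return bool(int(event.get("ConnectionFlags") or 0))


def title(event: dict[str, Any]) -> str:
    """One-line alert title built from the decoded fields."""
    s = summarize(event)
    flags = ",".join(s["flags"]) or "none"
    return (f"{s['host']}: {s['event']} {s['protocol']} {s['direction']} "
            f"{s['local']} -> {s['remote']} flags={flags}")


# Constructed sample events (field names from the two schemas above).
CONNECT_EVENT = {
    "event_simpleName": "NetworkConnect",  # constructed value
    "ComputerName": "ws-example-01",
    "Protocol": 6,
    "ConnectionDirection": 0,
    "LocalAddressIP4": "10.0.0.5",
    "LocalPort": 51234,
    "RemoteAddressIP4": "203.0.113.10",
    "RemotePort": 443,
    "ConnectionFlags": 0,
}
LISTEN_EVENT = {
    "event_simpleName": "NetworkListen",   # constructed value
    "ComputerName": "ws-example-01",
    "Protocol": 17,
    "ConnectionDirection": 1,
    "LocalAddressIP6": "::",
    "LocalPort": 0,
    "ConnectionFlags": 3,  # RAW_SOCKET | PROMISCUOUS_MODE_SIO_RCVALL
}
```

Because ConnectionFlags is a bit field, compare it with bitwise tests rather than equality: an event with value 3 has both RAW_SOCKET and PROMISCUOUS_MODE_SIO_RCVALL set, and a plain `== 1` check would miss it.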

Crowdstrike.NotManagedAssets

Unmanaged Host discovery information provided by Falcon Insight.

schema: Crowdstrike.NotManagedAssets
parser:
    native:
        name: Crowdstrike.NotManagedAssets
description: Unmanaged Host discovery information provided by Falcon Insight
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-notmanaged
fields:
    - name: _time
      required: true
      description: The host's local time in epoch format.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: aip
      required: true
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: aipCount
      required: true
      description: The number of public-facing IP addresses.
      type: bigint
    - name: localipCount
      required: true
      description: The number of local IP addresses.
      type: bigint
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - trace_id
    - name: CurrentLocalIP
      required: true
      description: The current local IP address of the machine, found via the IPv4 network discovery protocol.
      type: string
      indicators:
        - ip
    - name: subnet
      description: The subnet of the system.
      type: string
    - name: MAC
      required: true
      description: The MAC address of the system.
      type: string
    - name: MACPrefix
      required: true
      description: An identifier unique to the organization.
      type: string
    - name: discovererCount
      required: true
      description: The number of aid's that have discovered this system.
      type: bigint
    - name: discoverer_aid
      description: The agent IDs that have discovered this system.
      type: array
      element:
        type: string
    - name: discoverer_devicetype
      description: The type of device that discovered this system ('VM' or 'Server').
      type: string
    - name: FirstDiscoveredDate
      description: The first time the system was discovered in epoch format.
      type: timestamp
      timeFormat: unix
    - name: LastDiscoveredBy
      description: The host ID of the host that most recently discovered this device.
      type: string
    - name: LocalAddressIP4
      description: The device's local IP address in IPv4 format.
      type: string
      indicators:
        - ip
    - name: ComputerName
      description: The name of the host that discovered the neighbor.
      type: string
    - name: NeighborName
      description: The neighbor's host name.
      type: string

Crowdstrike.ProcessRollup2

This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.

schema: Crowdstrike.ProcessRollup2
parser:
    native:
        name: Crowdstrike.ProcessRollup2
description: This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: TargetProcessId
      description: The unique ID of a target process
      type: string
    - name: SourceProcessId
      description: The unique ID of creating process.
      type: string
    - name: SourceThreadId
      description: The unique ID of thread from creating process.
      type: string
    - name: ParentProcessId
      description: The unique ID of the parent process.
      type: string
    - name: ImageFileName
      description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process
      type: string
    - name: CommandLine
      description: The command line used to create this process. May be empty in some circumstances
      type: string
    - name: RawProcessId
      description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
      type: bigint
    - name: ProcessStartTime
      description: The time the process began in UNIX epoch time (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix
    - name: ProcessEndTime
      description: The time the process finished (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix
    - name: SHA256HashData
      description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
      type: string
      indicators:
        - sha256
    - name: SHA1HashData
      description: The SHA1 hash of a file
      type: string
      indicators:
        - sha1
    - name: MD5HashData
      description: The MD5 hash of a file
      type: string
      indicators:
        - md5
    - name: ImageSubsystem
      description: Subsystem of the image filename (Windows only)
      type: string
    - name: UserSid
      description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only)
      type: string
    - name: UserName
      description: User name field
      type: string
      indicators:
        - username
    - name: AuthenticationId
      description: The authentication identifier (Windows only)
      type: string
    - name: IntegrityLevel
      description: The integrity level (Windows only)
      type: string
    - name: ProcessCreateFlags
      description: Captured flags from original process create. This is a bitfield. (Windows only)
      type: string
    - name: ProcessParameterFlags
      description: Flags from the ‘NtCreateUserProcess’ API. This bitfield includes data like if DLL redirection is enabled. (Windows only)
      type: string
    - name: ProcessSxsFlags
      description: Flags from the communications path with the Windows Subsystem Process. This bitfield includes data like if there’s a manifest and if it’s local or not. (Windows only)
      type: string
    - name: ParentAuthenticationId
      description: The authentication identifier for the parent process (Windows only)
      type: string
    - name: TokenType
      description: The token type (Windows only)
      type: string
    - name: SessionId
      description: The id of the session (Windows only)
      type: string
    - name: WindowFlags
      description: Flags from the window (Windows only)
      type: string
    - name: ShowWindowFlags
      description: Window visibility flags (Windows only)
      type: string
    - name: WindowStartingPositionHorizontal
      description: Start horizontal position of the process window (Windows only)
      type: bigint
    - name: WindowStartingPositionVertical
      description: Start vertical position of the process window (Windows only)
      type: bigint
    - name: WindowStartingWidth
      description: Start width of the process window (Windows only)
      type: bigint
    - name: WindowStartingHeight
      description: Start height of the process window (Windows only)
      type: bigint
    - name: Desktop
      description: The desktop of the process window (Windows only)
      type: string
    - name: WindowStation
      description: The process window station (Windows only)
      type: string
    - name: WindowTitle
      description: The title of the process window (Windows only)
      type: string
    - name: LinkName
      description: Link name (Windows only)
      type: string
    - name: ApplicationUserModelId
      description: Application user model id (Windows only)
      type: string
    - name: CallStackModuleNames
      description: Call stack module names (Windows only)
      type: string
    - name: CallStackModuleNamesVersion
      description: Call stack module names version (Windows only)
      type: string
    - name: RpcClientProcessId
      description: RPC client process id (Windows only)
      type: string
    - name: CsaProcessDataCollectionInstanceId
      description: CSA process data collection instance id (Windows only)
      type: string
    - name: OriginalCommandLine
      description: The original command line used to create this process (Windows only)
      type: string
    - name: CreateProcessType
      description: Create process type (Windows only)
      type: string
    - name: ZoneIdentifier
      description: Zone identifier (Windows only)
      type: string
    - name: HostUrl
      description: Host URL (Windows only)
      type: string
    - name: ReferrerUrl
      description: Referrer URL (Windows only)
      type: string
      indicators:
        - url
    - name: GrandParent
      description: Grandparent (Windows only)
      type: string
    - name: BaseFileName
      description: Base file name (Windows only)
      type: string
    - name: Tags
      description: Process tags comma separated list (Windows, Mac)
      type: string
    - name: ParentBaseFileName
      description: Parent process base file name (Windows, Mac)
      type: string
    - name: ProcessGroupId
      description: Process group id (Windows, Mac)
      type: bigint
    - name: UID
      description: UID (Mac, Linux, Android)
      type: bigint
    - name: RUID
      description: RUID (Mac, Linux, Android)
      type: bigint
    - name: SVUID
      description: SVUID (Mac, Linux, Android)
      type: bigint
    - name: GID
      description: GID (Mac, Linux, Android)
      type: bigint
    - name: RGID
      description: RGID (Mac, Linux, Android)
      type: bigint
    - name: SVGID
      description: SVGID (Mac, Linux, Android)
      type: bigint
    - name: SessionProcessId
      description: Session process id (Mac, Linux)
      type: bigint
    - name: MachOSubType
      description: MachOSubType (Mac only)
      type: string
    - name: TtyName
      description: TTY name (Linux only)
      type: string
    - name: OciContainerId
      description: OCI Container id (Linux only)
      type: string
    - name: SourceAndroidComponentName
      description: Source component name (Android only)
      type: string
    - name: TargetAndroidComponentName
      description: Target component name (Android only)
      type: string
    - name: TargetAndroidComponentType
      description: Target component type (Android only)
      type: string

Crowdstrike.ProcessRollup2Stats

When a process finishes running, the sensor generates and sends a ProcessRollup2 event. Mac and Linux sensors send far more ProcessRollup2 events than Windows (roughly 20x as many), so rather than send events for every process on those hosts, the sensor sends an initial ProcessRollup2 event, followed 10 minutes later by a ProcessRollup2Stats event with a SHA256 hash and the count of how many times the hash executed in the last 10 minutes.

schema: Crowdstrike.ProcessRollup2Stats
parser:
    native:
        name: Crowdstrike.ProcessRollup2Stats
description: When a process finishes running, the sensor generates and sends a ProcessRollup2 event. Mac and Linux sensors send far more ProcessRollup2 events than Windows (roughly 20x as many), so rather than send events for every process on those hosts, the sensor sends an initial ProcessRollup2 event, followed 10 minutes later by a ProcessRollup2Stats event with a SHA256 hash and the count of how many times the hash executed in the last 10 minutes.
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: EffectiveTransmissionClass
      description: Effective transmission class
      type: bigint
    - name: SHA256HashData
      description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
      type: string
      indicators:
        - sha256
    - name: CommandLine
      description: The command line used to create this process. May be empty in some circumstances
      type: string
    - name: UID
      description: UID (Mac)
      type: bigint
    - name: ProcessCount
      description: The ProcessCount.
      type: bigint
    - name: Timeout
      description: The timeout
      type: bigint
    - name: ParentProcessId
      description: The unique ID of the parent process.
      type: bigint
    - name: SuppressType
      description: 'Values: GLOBAL (0) PARENT (1) UID (2) UIDNORMALIZED (3) PREFILTER (4) TIMEOUT_CHECK (5)'
      type: bigint
    - name: BoundedCount
      description: The bounded count
      type: bigint
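
Because Mac and Linux sensors roll repeated executions of a hash into one ProcessRollup2Stats event, counting ProcessRollup2 events alone undercounts on those hosts. The following added example (not Panther's or CrowdStrike's code) tallies executions per sensor and hash from both event types; the field names follow the two schemas above, and the newline-delimited JSON stream, aids and hashes are constructed placeholders.

```python
"""Tally executions per (aid, SHA256) from a mixed stream of ProcessRollup2 (PR2) and
ProcessRollup2Stats events in the newline-delimited JSON form Falcon Data Replicator
delivers. Added example; not Panther's or CrowdStrike's code."""
import json
from collections import defaultdict
from dataclasses import dataclass, field

PR2 = "ProcessRollup2"
PR2_STATS = "ProcessRollup2Stats"

# Constructed sample stream (placeholder aids, ids and hashes). The Windows host gets
# one PR2 per process; the Linux host gets one initial PR2 for a hash, then a PR2Stats
# rollup 10 minutes later carrying the execution count for that hash.
SAMPLE_JSONL = "\n".join([
    json.dumps({"event_simpleName": PR2, "event_platform": "Win", "aid": "aid-win-1",
                "id": "e1", "timestamp": "1700000000000", "SHA256HashData": "a" * 64,
                "CommandLine": "notepad.exe C:\\notes.txt"}),
    json.dumps({"event_simpleName": PR2, "event_platform": "Win", "aid": "aid-win-1",
                "id": "e2", "timestamp": "1700000005000", "SHA256HashData": "a" * 64,
                "CommandLine": "notepad.exe C:\\todo.txt"}),
    json.dumps({"event_simpleName": PR2, "event_platform": "Lin", "aid": "aid-lnx-1",
                "id": "e3", "timestamp": "1700000000000", "SHA256HashData": "b" * 64,
                "CommandLine": "/usr/bin/uname -a"}),
    # Ten minutes later: 17 more runs of the same hash, rolled up into one event.
    json.dumps({"event_simpleName": PR2_STATS, "event_platform": "Lin", "aid": "aid-lnx-1",
                "id": "e4", "timestamp": "1700000600000", "SHA256HashData": "b" * 64,
                "ProcessCount": "17", "Timeout": "600", "SuppressType": "0"}),
    # A rollup with no preceding PR2 from this sensor: flag it rather than add silently.
    json.dumps({"event_simpleName": PR2_STATS, "event_platform": "Lin", "aid": "aid-lnx-1",
                "id": "e5", "timestamp": "1700000600000", "SHA256HashData": "c" * 64,
                "ProcessCount": "5", "Timeout": "600", "SuppressType": "0"}),
    # Unrelated event type: ignored by the tally.
    json.dumps({"event_simpleName": "DnsRequest", "aid": "aid-win-1", "id": "e6"}),
])


@dataclass
class ExecutionTally:
    """Executions of one SHA256 on one sensor (aid)."""
    pr2_events: int = 0          # individual PR2 events seen
    rolled_up: int = 0           # sum of ProcessCount over PR2Stats events
    command_lines: set = field(default_factory=set)

    def total(self) -> int:
        # Assumption: ProcessCount covers executions after the initial PR2. The page
        # does not say whether the rollup also includes that first one, so read this
        # as "at least pr2_events, at most pr2_events + rolled_up".
        return self.pr2_events + self.rolled_up


def tally_executions(events):
    """Return ({(aid, sha256): ExecutionTally}, [warning strings])."""
    tallies = defaultdict(ExecutionTally)
    warnings = []
    for ev in events:
        name = ev.get("event_simpleName")
        if name not in (PR2, PR2_STATS):
            continue
        aid, sha = ev.get("aid"), ev.get("SHA256HashData")
        if not aid or not sha:
            warnings.append(f"{name} {ev.get('id')}: missing aid or SHA256HashData")
            continue
        t = tallies[(aid, sha)]
        if name == PR2:
            t.pr2_events += 1
            if ev.get("CommandLine"):
                t.command_lines.add(ev["CommandLine"])
        else:
            # Raw FDR delivers numbers as strings; the Panther schema casts to bigint.
            count = int(ev.get("ProcessCount", 0))
            if t.pr2_events == 0:
                warnings.append(f"{PR2_STATS} {ev.get('id')}: rollup for {sha[:12]}... "
                                f"on {aid} without a preceding {PR2}")
            t.rolled_up += count
    return dict(tallies), warnings


def tally_jsonl(text):
    """Parse newline-delimited JSON (the FDR file format) and tally it."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return tally_executions(events)


if __name__ == "__main__":
    tallies, warnings = tally_jsonl(SAMPLE_JSONL)
    for (aid, sha), t in sorted(tallies.items()):
        print(f"{aid} {sha[:12]}... pr2={t.pr2_events} rolled_up={t.rolled_up} "
              f"total={t.total()} cmdlines={len(t.command_lines)}")
    for w in warnings:
        print("WARNING:", w)
```

On the constructed stream the Windows hash totals 2 while the Linux hash totals 18 (1 + 17), which a PR2-only count would report as 1.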

Crowdstrike.SyntheticProcessRollup2

A synthetic version of the process rollup (PR2) event.

schema: Crowdstrike.SyntheticProcessRollup2
parser:
    native:
        name: Crowdstrike.SyntheticProcessRollup2
description: A synthetic version of the process rollup (PR2) event
fields:
    - name: event_simpleName
      required: true
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: TargetProcessId
      description: The unique ID of a target process
      type: string
    - name: SourceProcessId
      description: The unique ID of creating process.
      type: string
    - name: SourceThreadId
      description: The unique ID of thread from creating process.
      type: string
    - name: ParentProcessId
      description: The unique ID of the parent process.
      type: string
    - name: ImageFileName
      description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process
      type: string
    - name: CommandLine
      description: The command line used to create this process. May be empty in some circumstances
      type: string
    - name: RawProcessId
      description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
      type: string
    - name: ProcessStartTime
      description: The time the process began in UNIX epoch time (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix
    - name: ProcessEndTime
      description: The time the process finished (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix
    - name: SHA256HashData
      description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field.
      type: string
      indicators:
        - sha256
    - name: SHA1HashData
      description: The SHA1 hash of a file
      type: string
      indicators:
        - sha1
    - name: MD5HashData
      description: The MD5 hash of a file
      type: string
      indicators:
        - md5
    - name: SyntheticPR2Flags
      description: PR2 flags (PROCESS_RUNDOWN = 0, PROCESS_HOLLOWED = 1, IMAGEHASH_FAILURE = 4, FILE_PATH_EXCLUDED = 8, PROCESS_FORK_FOLDING = 16, APP_MONITORING = 2)
      type: int
    - name: ImageSubsystem
      description: Subsystem of the image filename (Windows only)
      type: string
    - name: UserSid
      description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only)
      type: string
    - name: AuthenticationId
      description: The authentication identifier (Windows only)
      type: string
    - name: IntegrityLevel
      description: The integrity level (Windows only)
      type: string
    - name: ProcessGroupId
      description: Process group id (Mac)
      type: string
    - name: UID
      description: UID (Mac)
      type: string
    - name: RUID
      description: RUID (Mac)
      type: string
    - name: SVUID
      description: SVUID (Mac)
      type: string
    - name: GID
      description: GID (Mac)
      type: string
    - name: RGID
      description: RGID (Mac)
      type: string
    - name: SVGID
      description: SVGID (Mac)
      type: string
    - name: SessionProcessId
      description: Session process id (Mac)
      type: string

Crowdstrike.Unknown

This schema contains all the Crowdstrike events that don't match to any of the registered types.

schema: Crowdstrike.Unknown
parser:
    native:
        name: Crowdstrike.Unknown
description: This table contains all the Crowdstrike events that don't match to any of the registered types
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events
fields:
    - name: event_simpleName
      description: Event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: unknown_payload
      required: true
      description: The full JSON payload of the event
      type: json

Crowdstrike.UserIdentity

The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms.

schema: Crowdstrike.UserIdentity
parser:
    native:
        name: Crowdstrike.UserIdentity
description: The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms.
referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-UserIdentity
fields:
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: event_simpleName
      required: true
      description: Event Name
      type: string
    - name: AuthenticationId
      required: true
      description: 'Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)'
      type: int
    - name: UserPrincipal
      required: true
      description: UserPrincipal field
      type: string
    - name: UserSid
      required: true
      description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
      type: string
    - name: AuthenticationUuid
      description: AuthenticationUUID field
      type: string
    - name: AuthenticationUuidAsString
      description: AuthenticationUUIDAsString field
      type: string
    - name: UID
      description: The User ID.
      type: bigint
    - name: UserName
      description: UserName field
      type: string
      indicators:
        - username
    - name: UserCanonical
      description: UserCanonical field
      type: string
    - name: LogonId
      description: LogonID field
      type: string
    - name: LogonDomain
      description: LogonDomain field
      type: string
    - name: AuthenticationPackage
      description: AuthenticationPackage field
      type: string
    - name: LogonType
      description: 'Values: INTERACTIVE (2), NETWORK (3), BATCH (4), SERVICE (5), PROXY (6), UNLOCK (7), NETWORK_CLEARTEXT (8), CACHED_UNLOCK (13), NEW_CREDENTIALS (9), REMOTE_INTERACTIVE (10), CACHED_INTERACTIVE (11), CACHED_REMOTE_INTERACTIVE (12)'
      type: int
    - name: LogonTime
      description: LogonTime field
      type: timestamp
      timeFormat: unix
    - name: LogonServer
      description: LogonServer field
      type: string
    - name: UserFlags
      description: 'Values: LOGON_OPTIMIZED (0x4000), LOGON_WINLOGON (0x8000), LOGON_PKINIT (0x10000), LOGON_NOT_OPTIMIZED (0x20000)'
      type: bigint
    - name: PasswordLastSet
      description: PasswordLastSet field
      type: timestamp
      timeFormat: unix
    - name: RemoteAccount
      description: RemoteAccount field
      type: int
    - name: UserIsAdmin
      description: UserIsAdmin field
      type: int
    - name: SessionId
      description: SessionID field
      type: string
      indicators:
        - trace_id
    - name: UserLogonFlags
      description: 'Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)'
      type: int

Crowdstrike.UserInfo

User Account & Logon information provided by Falcon Discover.

schema: Crowdstrike.UserInfo
parser:
    native:
        name: Crowdstrike.UserInfo
description: User Account & Logon information provided by Falcon Discover
referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-userinfo
fields:
    - name: _time
      required: true
      description: The host's local time in epoch format.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: cid
      required: true
      description: The customer ID.
      type: string
      indicators:
        - trace_id
    - name: AccountType
      required: true
      description: 'The type of account set for the user: ''Domain User'', ''Domain Administrator'', ''Local User''.'
      type: string
    - name: DomainUser
      required: true
      description: 'Indicates if the user''s credentials are part of a domain controller: ''Yes'', ''No''.'
      type: string
    - name: UserName
      required: true
      description: The username of the system.
      type: string
      indicators:
        - username
    - name: UserSid_readable
      required: true
      description: The user SID associated with this process.
      type: string
    - name: LastLoggedOnHost
      description: The host that was last logged into the system.
      type: string
    - name: LocalAdminAccess
      description: 'Indicates whether a local user is an admin: ''Yes'', ''No''.'
      type: string
    - name: LoggedOnHostCount
      description: The number of hosts logged in at _time.
      type: int
    - name: LogonInfo
      description: The login information.
      type: string
    - name: LogonTime
      description: The last login time by this user in epoch format.
      type: timestamp
      timeFormat: unix
    - name: LogonType
      description: 'Values defined as follows, INTERACTIVE: The security principal is logging on interactively, NETWORK: The security principal is logging on using a network, TERMINAL SERVER: The security principal has logged in via a terminal server.'
      type: string
    - name: monthsincereset
      description: The number of months since this user's password was last reset.
      type: int
    - name: PasswordLastSet
      description: The last time in epoch format that this user's password in the system was set.
      type: timestamp
      timeFormat: unix
    - name: User
      description: A system username with domain.
      type: string
    - name: UserIsAdmin
      description: Indicates whether the user account has administrator privileges.
      type: smallint
    - name: UserLogonFlags_decimal
      description: A bitfield for various bits of a UserLogon, or failed user logon.
      type: int
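
The Crowdstrike.UserInfo fields above (AccountType, DomainUser, LocalAdminAccess, UserIsAdmin, monthsincereset, LoggedOnHostCount) are the ones an account-hygiene check would read. The following is an added example, not Panther's or CrowdStrike's code: it reviews a batch of UserInfo records and reports admin accounts with stale passwords, admin accounts logged on to many hosts, and non-domain accounts with local admin access. The thresholds (12 months, 5 hosts) and the sample records are constructed assumptions, not values from the page.

```python
# Added example: a hygiene review over Crowdstrike.UserInfo records.
# This is not Panther's or CrowdStrike's code; the field names come from the
# schema above, the thresholds and the sample records are constructed here.

STALE_PASSWORD_MONTHS = 12   # assumed policy threshold, not from the page
MAX_ADMIN_HOSTS = 5          # assumed threshold, not from the page


def is_admin(record: dict) -> bool:
    """True when any of the schema's admin signals is set:
    LocalAdminAccess ('Yes'/'No'), UserIsAdmin (smallint) or AccountType."""
    return (
        record.get("LocalAdminAccess") == "Yes"
        or record.get("UserIsAdmin") == 1
        or record.get("AccountType") == "Domain Administrator"
    )


def review_user_info(records, max_months=STALE_PASSWORD_MONTHS,
                     max_hosts=MAX_ADMIN_HOSTS):
    """Return one finding per record that fails a hygiene check.
    monthsincereset, LoggedOnHostCount and User are optional in the schema,
    so every lookup tolerates a missing key."""
    findings = []
    for r in records:
        reasons = []
        admin = is_admin(r)
        months = r.get("monthsincereset")
        if admin and months is not None and months > max_months:
            reasons.append(f"admin password not reset for {months} months")
        hosts = r.get("LoggedOnHostCount")
        if admin and hosts is not None and hosts > max_hosts:
            reasons.append(f"admin logged on to {hosts} hosts")
        if r.get("DomainUser") == "No" and r.get("LocalAdminAccess") == "Yes":
            reasons.append("local (non-domain) account with local admin access")
        if reasons:
            findings.append({
                "user": r.get("User") or r.get("UserName"),
                "sid": r.get("UserSid_readable"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real telemetry); cid and SIDs are placeholders.
SAMPLE_USERINFO = [
    {"_time": 1700000000, "cid": "cid-placeholder", "AccountType": "Domain Administrator",
     "DomainUser": "Yes", "UserName": "jdoe", "UserSid_readable": "S-1-5-21-1-2-3-1001",
     "LocalAdminAccess": "Yes", "LoggedOnHostCount": 7, "LogonType": "INTERACTIVE",
     "monthsincereset": 18, "User": "CORP\\jdoe", "UserIsAdmin": 1},
    {"_time": 1700000000, "cid": "cid-placeholder", "AccountType": "Local User",
     "DomainUser": "No", "UserName": "svc_backup", "UserSid_readable": "S-1-5-21-1-2-3-500",
     "LocalAdminAccess": "Yes", "LoggedOnHostCount": 1, "LogonType": "NETWORK",
     "monthsincereset": 2, "User": "HOST01\\svc_backup", "UserIsAdmin": 1},
    {"_time": 1700000000, "cid": "cid-placeholder", "AccountType": "Domain User",
     "DomainUser": "Yes", "UserName": "asmith", "UserSid_readable": "S-1-5-21-1-2-3-1042",
     "LocalAdminAccess": "No", "LoggedOnHostCount": 1, "LogonType": "INTERACTIVE",
     "monthsincereset": 24, "User": "CORP\\asmith", "UserIsAdmin": 0},
]

if __name__ == "__main__":
    for finding in review_user_info(SAMPLE_USERINFO):
        print(finding["user"], finding["sid"], "; ".join(finding["reasons"]))
```

The non-admin record with a 24-month-old password produces no finding on purpose: the check scopes the stale-password rule to accounts with admin signals, which is where a stale credential matters most; widen it if your policy covers all accounts.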

Crowdstrike.UserLogonLogoff

Contains the UserLogon and UserLogoff events.

schema: Crowdstrike.UserLogonLogoff
parser:
    native:
        name: Crowdstrike.UserLogonLogoff
description: Contains the UserLogon and UserLogoff events
referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary
fields:
    - name: event_simpleName
      required: true
      description: event name
      type: string
    - name: name
      required: true
      description: The event name
      type: string
    - name: aid
      description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
      type: string
      indicators:
        - trace_id
    - name: aip
      description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
      type: string
      indicators:
        - ip
    - name: cid
      description: CID
      type: string
      indicators:
        - trace_id
    - name: id
      description: ID
      type: string
    - name: event_platform
      description: The platform the sensor was running on
      type: string
    - name: timestamp
      description: Timestamp when the event was received by the CrowdStrike cloud.
      type: timestamp
      timeFormat: unix_ms
      isEventTime: true
    - name: _time
      description: Timestamp when the event was received by the CrowdStrike cloud (human readable)
      type: timestamp
      timeFormat: layout=01/02/2006 15:04:05.999
    - name: ComputerName
      description: The name of the host.
      type: string
      indicators:
        - hostname
    - name: ConfigBuild
      description: Config build
      type: string
    - name: ConfigStateHash
      description: Config state hash
      type: string
    - name: Entitlements
      description: Entitlements
      type: string
    - name: TreeId
      description: If this event is part of a detection tree, the tree ID it is part of
      type: string
      indicators:
        - trace_id
    - name: TreeId_decimal
      description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format)
      type: bigint
    - name: ContextThreadId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextThreadId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: ContextTimeStamp
      description: The time at which an event occurred on the system, as seen by the sensor.
      type: timestamp
      timeFormat: unix
    - name: ContextTimeStamp_decimal
      description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format).
      type: timestamp
      timeFormat: unix_ms
    - name: ContextProcessId
      description: The unique ID of a process that was spawned by another process.
      type: string
    - name: ContextProcessId_decimal
      description: The unique ID of a process that was spawned by another process (in decimal, non-hex format).
      type: bigint
    - name: InContext
      description: In context (N/A on iOS)
      type: string
    - name: UserIsAdmin
      description: Indicates whether the user account has administrator privileges
      type: int
    - name: UserLogonFlags
      description: 'Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)'
      type: bigint
    - name: UserName
      description: The username
      type: string
      indicators:
        - username
    - name: UserPrincipal
      description: The user principal
      type: string
    - name: UserSid
      description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system
      type: string
    - name: LogonTime
      description: The logon time
      type: timestamp
      timeFormat: unix
    - name: LogonType
      description: 'Values: INTERACTIVE (2) NETWORK (3) BATCH (4) SERVICE (5) PROXY (6) UNLOCK (7) NETWORK_CLEARTEXT (8) CACHED_UNLOCK (13) REMOTE_INTERACTIVE (10) NEW_CREDENTIALS (9) CACHED_INTERACTIVE (11) CACHED_REMOTE_INTERACTIVE (12)'
      type: bigint
    - name: PasswordLastSet
      description: The time the password was last set
      type: timestamp
      timeFormat: unix
    - name: RawProcessId
      description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier
      type: bigint
    - name: UID
      description: The User ID
      type: bigint
    - name: UserGroupsBitmask
      description: The user group bitmask
      type: bigint
    - name: EffectiveTransmissionClass
      description: The user principal
      type: bigint
    - name: AuthenticationId
      description: The authentication identifier
      type: string
    - name: LogoffTime
      description: The logoff time
      type: timestamp
      timeFormat: unix
    - name: UserLogoffType
      description: 'Values: LOGOFF_EVENT_SOURCE (0x01) LOGOFF_PROFILE_UNLOAD (0x02) ETW (0x03) SYNTHETIC (0x04)'
      type: bigint
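
The LogonType, UserLogonFlags and UserLogoffType fields in this schema (and LogonType and UserLogonFlags in the partial schema at the start of this section) arrive as integers whose meaning is only given in the description strings. The following is an added example, not Panther's or CrowdStrike's code: it turns those description strings into lookup tables, decodes the bitmask and enumerations, and builds a Panther-style rule()/title() pair that alerts on admin logons of type REMOTE_INTERACTIVE or NETWORK_CLEARTEXT while ignoring synthetic logons. The choice of alerting logon types and the sample events are constructed assumptions.

```python
# Added example: decoding Crowdstrike.UserLogonLogoff enumerations and a
# Panther-style rule built on them. Not Panther's or CrowdStrike's code; the
# tables below are transcribed from the field descriptions in the schema.

LOGON_TYPES = {2: "INTERACTIVE", 3: "NETWORK", 4: "BATCH", 5: "SERVICE",
               6: "PROXY", 7: "UNLOCK", 8: "NETWORK_CLEARTEXT",
               9: "NEW_CREDENTIALS", 10: "REMOTE_INTERACTIVE",
               11: "CACHED_INTERACTIVE", 12: "CACHED_REMOTE_INTERACTIVE",
               13: "CACHED_UNLOCK"}

USER_LOGON_FLAGS = {0x01: "LOGON_IS_SYNTHETIC", 0x02: "USER_IS_ADMIN",
                    0x04: "USER_IS_LOCAL", 0x08: "USER_IS_BUILT_IN",
                    0x10: "USER_IDENTITY_MISSING"}

USER_LOGOFF_TYPES = {0x01: "LOGOFF_EVENT_SOURCE", 0x02: "LOGOFF_PROFILE_UNLOAD",
                     0x03: "ETW", 0x04: "SYNTHETIC"}

# Assumed policy choice for this example: which logon types are worth an alert
# when the account is an administrator.
ALERT_LOGON_TYPES = {8, 10}  # NETWORK_CLEARTEXT, REMOTE_INTERACTIVE


def decode_flags(value: int, table: dict) -> list:
    """Expand a bitmask into flag names; bits the table does not know are
    reported as UNKNOWN(0x..) rather than silently dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def decode_event(event: dict) -> dict:
    """Human-readable view of a UserLogon or UserLogoff event."""
    out = {"event": event.get("event_simpleName"), "user": event.get("UserName")}
    if "LogonType" in event:
        out["logon_type"] = LOGON_TYPES.get(int(event["LogonType"]), "UNKNOWN")
    if "UserLogonFlags" in event:
        out["logon_flags"] = decode_flags(int(event["UserLogonFlags"]), USER_LOGON_FLAGS)
    if "UserLogoffType" in event:
        out["logoff_type"] = USER_LOGOFF_TYPES.get(int(event["UserLogoffType"]), "UNKNOWN")
    return out


def rule(event: dict) -> bool:
    """Panther-style rule: admin logon of an alerting type, not synthetic and
    with a resolved identity. Works on any mapping with .get()."""
    if event.get("event_simpleName") != "UserLogon":
        return False
    flags = decode_flags(int(event.get("UserLogonFlags", 0)), USER_LOGON_FLAGS)
    if "LOGON_IS_SYNTHETIC" in flags or "USER_IDENTITY_MISSING" in flags:
        return False
    is_admin = "USER_IS_ADMIN" in flags or event.get("UserIsAdmin") == 1
    return is_admin and int(event.get("LogonType", 0)) in ALERT_LOGON_TYPES


def title(event: dict) -> str:
    logon_type = LOGON_TYPES.get(int(event.get("LogonType", 0)), "UNKNOWN")
    return f"Admin {logon_type} logon by {event.get('UserName')} on {event.get('ComputerName')}"


# Constructed sample events (not real telemetry); aid is a placeholder.
SAMPLE_EVENTS = [
    {"event_simpleName": "UserLogon", "aid": "aid-placeholder", "ComputerName": "WS-042",
     "UserName": "jdoe", "LogonType": 10, "UserLogonFlags": 0x02, "UserIsAdmin": 1},
    {"event_simpleName": "UserLogon", "aid": "aid-placeholder", "ComputerName": "WS-042",
     "UserName": "jdoe", "LogonType": 2, "UserLogonFlags": 0x02, "UserIsAdmin": 1},
    {"event_simpleName": "UserLogon", "aid": "aid-placeholder", "ComputerName": "WS-042",
     "UserName": "jdoe", "LogonType": 10, "UserLogonFlags": 0x03, "UserIsAdmin": 1},
    {"event_simpleName": "UserLogoff", "aid": "aid-placeholder", "ComputerName": "WS-042",
     "UserName": "jdoe", "UserLogoffType": 0x03},
    {"event_simpleName": "UserLogon", "aid": "aid-placeholder", "ComputerName": "SRV-01",
     "UserName": "svc_backup", "LogonType": 8, "UserLogonFlags": 0x04, "UserIsAdmin": 1},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(decode_event(e), "ALERT:", title(e) if rule(e) else "-")
```

Synthetic logons (LOGON_IS_SYNTHETIC) are excluded because the sensor generates them to attribute existing sessions rather than to record a fresh authentication; alerting on them would fire on every sensor restart. Keeping the tables in code also means an unlisted value shows up as UNKNOWN in the decoded event instead of being mistaken for a benign type.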

You must have an active subscription to FDR, and it must be enabled in CrowdStrike.

Click Create feed.

Enter a Feed name and configure additional settings as desired.

Your credentials will be displayed. Copy these values and store them in a secure location, as you will need them in the following step.

You can optionally enable one or more Detection Packs.

See rules for CrowdStrike in the Panther-managed panther-analysis GitHub repository.

A complete list of primary event types supported by Crowdstrike.FDREvent can be viewed on CrowdStrike's documentation on streaming API events.

A complete list of secondary event types supported by Crowdstrike.FDREvent can be viewed on CrowdStrike's documentation on data for seeing additional environment information.

If the FDR event is a secondary event, fdr_event_type = the event type as described in CrowdStrike's documentation on seeing additional environment information.

For more information, see CrowdStrike's FDR setup documentation.

Existing CrowdStrike log source configurations set up prior to Panther version 1.52 will continue to function using the legacy log types below, until you transition them to Crowdstrike.FDREvent. Please contact your Panther support team if you would like assistance with this transition.

Reference: CrowdStrike Documentation on Falcon Data Replicator.

Reference: CrowdStrike Documentation on Streaming API Event Authentication.

Reference: CrowdStrike Documentation on Falcon Data Replicator AppInfo.

Reference: CrowdStrike Documentation on CriticalFile.

Reference: CrowdStrike Documentation on DNSRequest.

Reference: CrowdStrike Documentation on Streaming API Detection Summary.

Reference: CrowdStrike Documentation on Group Identity Events.

Reference: CrowdStrike Documentation on Falcon Data Replicator Managed Assets.

Reference: CrowdStrike Documentation on NetworkConnect.

Reference: CrowdStrike Documentation on NetworkListen.

Reference: CrowdStrike Documentation on Falcon Data Replicator Notmanaged Assets.

Reference: CrowdStrike Documentation on ProcessRollup2.

Reference: CrowdStrike Documentation on ProcessRollup2Stats.

Reference: CrowdStrike Documentation on SyntheticProcessRollup2.

Reference: CrowdStrike Documentation on API Event Types.

Reference: CrowdStrike Documentation on User Identity Events.

Reference: CrowdStrike Documentation on Falcon Data Replicator UserInfo.

Reference: CrowdStrike Documentation on User Logon Logoff.

Screenshot: the configuration fields for the CrowdStrike integration in the Panther Console, with fields for Name, SQS URL, AWS Access Key, and AWS Secret Key.

Screenshot: the success screen, which reads "Everything looks good! Panther will now automatically pull & process logs from your account".

Screenshot: the "Trigger an alert when no events are processed" toggle set to YES, and the "How long should Panther wait before it sends you an alert that no events have been processed" setting set to 1 Day.