CrowdStrike
Collect logs from Crowdstrike with Elastic Agent.
Version | 1.40.0 (View all) |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security Observability |
Subscription level | Basic |
Level of support | Elastic |
The CrowdStrike Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic:
- Falcon SIEM Connector: This is a pre-built integration designed to connect CrowdStrike Falcon with Security Information and Event Management (SIEM) systems. It streamlines the flow of security data from CrowdStrike Falcon to the SIEM, providing a standardized and structured way of feeding information into the SIEM platform. It includes the following datasets for receiving logs:
falcondataset: consists of endpoint data and Falcon platform audit data forwarded from Falcon SIEM Connector.
- CrowdStrike REST API: This provides a programmatic interface to interact with the CrowdStrike Falcon platform. It allows users to perform various operations such as querying information about unified alerts and hosts/devices. It includes the following datasets for receiving logs:
-
alertdataset: It is typically used to retrieve detailed information about unified alerts generated by the CrowdStrike Falcon platform, via Falcon Intelligence Alert API -/alerts/entities/alerts/v2. -
hostdataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API -/devices/entities/devices/v2. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc.
- Falcon Data Replicator: This Collect events in near real time from your endpoints and cloud workloads, identities and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
fdrdataset: consists of logs forwarded using the Falcon Data Replicator.
Compatibility
This integration is compatible with both CrowdStrike Falcon SIEM-Connector-v2.0 and REST API. For Rest API support, this module has been tested against the CrowdStrike API Version v1/v2.
The minimum kibana.version required is 8.12.0.
Setup
To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required:
-
Client ID
-
Client Secret
-
Token url
-
API Endpoint url
-
Required scopes for each data stream :
Data Stream Scope Alertread:alertHostread:host
Logs
Alert
This is the Alert dataset.
Example
An example event for alert looks as following:
{
"@timestamp": "2023-11-03T18:00:22.328Z",
"agent": {
"ephemeral_id": "704de05c-668d-431b-8483-ed43ec6a5942",
"id": "8f7b87ad-2943-4c25-88be-4eaac013beb6",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"crowdstrike": {
"alert": {
"agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b",
"aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778",
"alleged_filetype": "exe",
"cid": "92012896127c4a948236ba7601b886b0",
"cloud_indicator": false,
"cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"",
"composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"confidence": 10,
"context_timestamp": "2023-11-03T18:00:31.000Z",
"control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778",
"crawl_edge_ids": {
"Sensor": [
"KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2J<d2T/ji6R&RIHe-tZSkP*q?HW;:leq.:kk)>IVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N",
"KZcZA__;?\"cmott@m_k)MSZ^+C?.cg<Lga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@<W`alY1K_h%QDBBF;_e7S!!*'!",
"KZd)iK2;s\\ckQl_P*d=Mo?^a7/JKc\\*L48169!7I5;0\\<H^hNG\"ZQ3#U3\"eo<>92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';e<OHh9AmlT?5<gGqK:*L99kat+P)eZ$HR\"Ql@Q!!!$!rr",
"N6=Ks_B9Bncmur)?\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E<G5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb<6Bqp[DZh#I(jObGkjJJaMf\\:#mb;BM\\L[g!\\F*M!!*'!",
"N6B%O`'=_7d#%u&d[+LTNDs<3307?8n=GrFI:4YYGCL,cIt-Tuj!&<6:3RbC`uNjL#gW&=)E`4^/'fp*.bFX@p_$,R6.\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N",
"N6B%s!\\k)ed$F6>a%iM\"<FTSe/eH8M:<9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\"H^sF$r7gDPf6&CHpVKO3<DgK9,Y/e@V\"b&m!<<'",
"N6CU&`%VT\"d$=67=h\\I)/BJH:8-lS!.%\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.&eM<Qer>__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!",
"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr",
"N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'",
"N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_<r/JG0TCEQ!Ug(be3)&R2JnX+RSqorgC-NCjf6XATBWX(5<L1J1DV>44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"
]
},
"crawl_vertex_ids": {
"Sensor": [
"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778",
"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778",
"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4",
"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33",
"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135",
"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876",
"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993",
"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"
]
},
"crawled_timestamp": "2023-11-03T19:00:23.985Z",
"created_timestamp": "2023-11-03T18:01:23.995Z",
"data_domains": [
"Endpoint"
],
"description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.",
"device": {
"agent_load_flags": 0,
"agent_local_time": "2023-10-12T03:45:57.753Z",
"agent_version": "7.04.17605.0",
"bios_manufacturer": "ABC",
"bios_version": "F8CN42WW(V2.05)",
"cid": "92012896127c4a948236ba7601b886b0",
"config_id_base": "65994763",
"config_id_build": "17605",
"config_id_platform": 3,
"external_ip": "81.2.69.142",
"first_seen": "2023-04-07T09:36:36.000Z",
"groups": [
"18704e21288243b58e4c76266d38caaf"
],
"hostinfo": {
"active_directory_dn_display": [
"WinComputers",
"WinComputers\\ABC"
],
"domain": "ABC.LOCAL"
},
"hostname": "ABC709-1175",
"id": "2ce412d17b334ad4adc8c1c54dbfec4b",
"last_seen": "2023-11-03T17:51:42.000Z",
"local_ip": "81.2.69.142",
"mac_address": "AB-21-48-61-05-B2",
"machine_domain": "ABC.LOCAL",
"major_version": "10",
"minor_version": "0",
"modified_timestamp": "2023-11-03T17:53:43.000Z",
"os_version": "Windows11",
"ou": [
"ABC",
"WinComputers"
],
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"site_name": "Default-First-Site-Name",
"status": "normal",
"system_manufacturer": "LENOVO",
"system_product_name": "20VE"
},
"falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe",
"filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe",
"grandparent_details": {
"cmdline": "C:\\Windows\\system32\\userinit.exe",
"filename": "userinit.exe",
"filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe",
"local_process_id": "4328",
"md5": "b07f77fd3f9828b2c9d61f8a36609741",
"process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135",
"process_id": "392734873135",
"sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33",
"timestamp": "2023-10-30T16:49:19.000Z",
"user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425",
"user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425",
"user_name": "yuvraj.mahajan"
},
"has_script_or_module_ioc": true,
"id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"ioc_context": [
{
"ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe",
"ioc_source": "library_load",
"ioc_type": "hash_sha256",
"ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"md5": "cdf9cfebb400ce89d5b6032bfcdc693b",
"sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"type": "module"
}
],
"is_synthetic_quarantine_disposition": true,
"local_process_id": "17076",
"logon_domain": "ABSYS",
"md5": "cdf9cfebb400ce89d5b6032bfcdc693b",
"name": "PrewittPupAdwareSensorDetect-Lowest",
"objective": "FalconDetectionMethod",
"parent_details": {
"cmdline": "C:\\WINDOWS\\Explorer.EXE",
"filename": "explorer.exe",
"filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe",
"local_process_id": "1040",
"md5": "8cc3fcdd7d52d2d5221303c213e044ae",
"process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876",
"process_id": "392736520876",
"sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4",
"timestamp": "2023-11-03T18:00:32.000Z",
"user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425",
"user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425",
"user_name": "mohit.jha"
},
"parent_process_id": "392736520876",
"pattern_disposition": 2176,
"pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.",
"pattern_disposition_details": {
"blocking_unsupported_or_disabled": false,
"bootup_safeguard_enabled": false,
"critical_process_disabled": false,
"detect": false,
"fs_operation_blocked": false,
"handle_operation_downgraded": false,
"inddet_mask": false,
"indicator": false,
"kill_action_failed": false,
"kill_parent": false,
"kill_process": false,
"kill_subprocess": false,
"operation_blocked": false,
"policy_disabled": false,
"process_blocked": true,
"quarantine_file": true,
"quarantine_machine": false,
"registry_operation_blocked": false,
"rooting": false,
"sensor_only": false,
"suspend_parent": false,
"suspend_process": false
},
"pattern_id": "5761",
"platform": "Windows",
"poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==",
"process_end_time": "2023-11-03T18:00:21.000Z",
"process_id": "399748687993",
"process_start_time": "2023-11-03T18:00:13.000Z",
"product": "epp",
"quarantined_files": [
{
"filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe",
"id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"state": "quarantined"
}
],
"scenario": "NGAV",
"severity": 30,
"sha1": "0000000000000000000000000000000000000000",
"sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"show_in_ui": true,
"source_products": [
"FalconInsight"
],
"source_vendors": [
"CrowdStrike"
],
"status": "new",
"tactic": "MachineLearning",
"tactic_id": "CSTA0004",
"technique": "Adware/PUP",
"technique_id": "CST0000",
"timestamp": "2023-11-03T18:00:22.328Z",
"tree_id": "1931778",
"tree_root": "38687993",
"triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993",
"type": "ldt",
"updated_timestamp": "2023-11-03T19:00:23.985Z",
"user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425",
"user_name": "mohit.jha"
}
},
"data_stream": {
"dataset": "crowdstrike.alert",
"namespace": "15119",
"type": "logs"
},
"device": {
"id": "2ce412d17b334ad4adc8c1c54dbfec4b"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8f7b87ad-2943-4c25-88be-4eaac013beb6",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"dataset": "crowdstrike.alert",
"id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600",
"ingested": "2024-08-08T07:13:48Z",
"kind": "alert",
"original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}",
"severity": 30
},
"file": {
"name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe",
"path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe"
},
"host": {
"domain": "ABC.LOCAL",
"hostname": "ABC709-1175",
"ip": [
"81.2.69.142"
],
"mac": [
"AB-21-48-61-05-B2"
],
"os": {
"full": "Windows11",
"platform": "Windows"
}
},
"input": {
"type": "cel"
},
"message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.",
"process": {
"end": "2023-11-03T18:00:21.000Z",
"parent": {
"command_line": "C:\\WINDOWS\\Explorer.EXE",
"hash": {
"md5": "8cc3fcdd7d52d2d5221303c213e044ae",
"sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4"
},
"pid": 392736520876
},
"pid": 399748687993,
"start": "2023-11-03T18:00:13.000Z",
"user": {
"id": "S-1-5-21-1909377054-3469629671-4104191496-4425",
"name": "mohit.jha"
}
},
"related": {
"hash": [
"ABC709-1175",
"b07f77fd3f9828b2c9d61f8a36609741",
"cdf9cfebb400ce89d5b6032bfcdc693b",
"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd",
"8cc3fcdd7d52d2d5221303c213e044ae",
"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4",
"0000000000000000000000000000000000000000"
],
"hosts": [
"ABC.LOCAL"
],
"ip": [
"81.2.69.142"
],
"user": [
"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425",
"S-1-5-21-1909377054-3469629671-4104191496-4425",
"yuvraj.mahajan",
"mohit.jha"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"crowdstrike-alert"
],
"threat": {
"framework": "CrowdStrike Falcon Detections Framework",
"tactic": {
"id": [
"CSTA0004"
],
"name": [
"MachineLearning"
]
},
"technique": {
"id": [
"CST0000"
],
"name": [
"Adware/PUP"
]
}
},
"user": {
"id": "S-1-5-21-1909377054-3469629671-4104191496-4425",
"name": "mohit.jha"
}
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
crowdstrike.alert.agent_id | Unique identifier for the CrowdStrike agent. | keyword |
crowdstrike.alert.aggregate_id | An aggregate identifier associated with the agent. | keyword |
crowdstrike.alert.alleged_filetype | The alleged file type of the detected file. | keyword |
crowdstrike.alert.cid | CrowdStrike identifier associated with the device. | keyword |
crowdstrike.alert.cloud_indicator | Indicates whether the activity is related to the cloud. | boolean |
crowdstrike.alert.cmdline | The command line used to execute the file. | keyword |
crowdstrike.alert.composite_id | A composite identifier associated with the device. | keyword |
crowdstrike.alert.confidence | Confidence level associated with the detection. | long |
crowdstrike.alert.context_timestamp | Timestamp when the alert was generated. | date |
crowdstrike.alert.control_graph_id | Identifier associated with the control graph. | keyword |
crowdstrike.alert.crawl_edge_ids.Sensor | Edge identifiers associated with crawling. | keyword |
crowdstrike.alert.crawl_vertex_ids.Sensor | Vertex identifiers associated with crawling. | keyword |
crowdstrike.alert.crawled_timestamp | Timestamp indicating when crawling occurred. | date |
crowdstrike.alert.created_timestamp | Timestamp indicating when the alert was created. | date |
crowdstrike.alert.data_domains | Data domains associated with the alert. | keyword |
crowdstrike.alert.description | Description of the detected file or activity. | keyword |
crowdstrike.alert.device.agent_load_flags | Flags indicating the load status of the agent. | long |
crowdstrike.alert.device.agent_local_time | Local time of the agent. | date |
crowdstrike.alert.device.agent_version | Version of the CrowdStrike agent. | keyword |
crowdstrike.alert.device.bios_manufacturer | Manufacturer of the BIOS. | keyword |
crowdstrike.alert.device.bios_version | Version of the BIOS. | keyword |
crowdstrike.alert.device.cid | CrowdStrike identifier associated with the device. | keyword |
crowdstrike.alert.device.config_id_base | Base configuration identifier. | keyword |
crowdstrike.alert.device.config_id_build | Build configuration identifier. | keyword |
crowdstrike.alert.device.config_id_platform | Platform configuration identifier. | long |
crowdstrike.alert.device.external_ip | External IP address of the device. | ip |
crowdstrike.alert.device.first_seen | Timestamp indicating when the device was first seen. | date |
crowdstrike.alert.device.groups | Groups associated with the device. | keyword |
crowdstrike.alert.device.hostinfo.active_directory_dn_display | Display name for Active Directory. | keyword |
crowdstrike.alert.device.hostinfo.domain | Domain of the device. | keyword |
crowdstrike.alert.device.hostname | Hostname of the device. | keyword |
crowdstrike.alert.device.id | Unique identifier for the device. | keyword |
crowdstrike.alert.device.last_seen | Timestamp indicating when the device was last seen. | date |
crowdstrike.alert.device.local_ip | Local IP address of the device. | ip |
crowdstrike.alert.device.mac_address | MAC address of the device. | keyword |
crowdstrike.alert.device.machine_domain | Domain of the machine. | keyword |
crowdstrike.alert.device.major_version | Major version of the device. | keyword |
crowdstrike.alert.device.minor_version | Minor version of the device. | keyword |
crowdstrike.alert.device.modified_timestamp | Timestamp indicating when the device was last modified. | date |
crowdstrike.alert.device.os_version | Operating system version. | keyword |
crowdstrike.alert.device.ou | Organizational unit information. | keyword |
crowdstrike.alert.device.platform_id | Platform identifier. | keyword |
crowdstrike.alert.device.platform_name | Name of the platform. | keyword |
crowdstrike.alert.device.pod_labels | Labels associated with the device. | keyword |
crowdstrike.alert.device.product_type | Type of product associated with the device. | keyword |
crowdstrike.alert.device.product_type_desc | Description of the product type. | keyword |
crowdstrike.alert.device.site_name | Name of the site associated with the device. | keyword |
crowdstrike.alert.device.status | Status of the device. | keyword |
crowdstrike.alert.device.system_manufacturer | System manufacturer of the device. | keyword |
crowdstrike.alert.device.system_product_name | System product name. | keyword |
crowdstrike.alert.falcon_host_link | Link to CrowdStrike Falcon host activity. | keyword |
crowdstrike.alert.filename | Name of the detected file. | keyword |
crowdstrike.alert.filepath | Path to the detected file. | keyword |
crowdstrike.alert.grandparent_details.cmdline | Command line of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.filename | Filename of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.filepath | Filepath of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.local_process_id | Local process ID of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.md5 | grandparent_details.md5 MD5 hash of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.process_graph_id | Graph ID of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.process_id | Process ID of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.sha256 | grandparent_details.sha256 SHA256 hash of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.timestamp | Timestamp of the grandparent process. | date |
crowdstrike.alert.grandparent_details.user_graph_id | Graph ID of the grandparent process user. | keyword |
crowdstrike.alert.grandparent_details.user_id | User ID of the grandparent process. | keyword |
crowdstrike.alert.grandparent_details.user_name | Username of the grandparent process. | keyword |
crowdstrike.alert.has_script_or_module_ioc | Indicates if there is a script or module IOC (Indicator of Compromise). | boolean |
crowdstrike.alert.id | Identifier associated with the alert. | keyword |
crowdstrike.alert.indicator_id | Identifier of the detected indicator. | keyword |
crowdstrike.alert.ioc_context.cmdline | Command Line of the IOC context. | keyword |
crowdstrike.alert.ioc_context.ioc_description | Description of the IOC context. | keyword |
crowdstrike.alert.ioc_context.ioc_source | Source of the IOC. | keyword |
crowdstrike.alert.ioc_context.ioc_type | Type of IOC. | keyword |
crowdstrike.alert.ioc_context.ioc_value | Value of the IOC. | keyword |
crowdstrike.alert.ioc_context.md5 | ioc_context.md5 MD5 hash associated with the IOC. | keyword |
crowdstrike.alert.ioc_context.sha256 | ioc_context.sha256 SHA256 hash associated with the IOC. | keyword |
crowdstrike.alert.ioc_context.type | Type of IOC context. | keyword |
crowdstrike.alert.ioc_values | Values associated with the IOC. | keyword |
crowdstrike.alert.is_synthetic_quarantine_disposition | Indicates if the quarantine disposition is synthetic. | boolean |
crowdstrike.alert.local_process_id | Local process ID associated with the alert. | keyword |
crowdstrike.alert.logon_domain | Domain associated with the logon. | keyword |
crowdstrike.alert.md5 | md5 MD5 hash associated with the detected file. | keyword |
crowdstrike.alert.name | Name of the detection. | keyword |
crowdstrike.alert.objective | Objective of the detection. | keyword |
crowdstrike.alert.parent_details.cmdline | Command line of the parent process. | keyword |
crowdstrike.alert.parent_details.filename | Filename of the parent process. | keyword |
crowdstrike.alert.parent_details.filepath | Filepath of the parent process. | keyword |
crowdstrike.alert.parent_details.local_process_id | Local process ID of the parent process. | keyword |
crowdstrike.alert.parent_details.md5 | parent_details.md5 MD5 hash of the parent process. | keyword |
crowdstrike.alert.parent_details.process_graph_id | Graph ID of the parent process. | keyword |
crowdstrike.alert.parent_details.process_id | Process ID of the parent process. | keyword |
crowdstrike.alert.parent_details.sha256 | parent_details.sha256 SHA256 hash of the parent process. | keyword |
crowdstrike.alert.parent_details.timestamp | Timestamp of the parent process. | date |
crowdstrike.alert.parent_details.user_graph_id | Graph ID of the parent process user. | keyword |
crowdstrike.alert.parent_details.user_id | User ID of the parent process. | keyword |
crowdstrike.alert.parent_details.user_name | Username of the parent process. | keyword |
crowdstrike.alert.parent_process_id | Process ID of the parent process. | keyword |
crowdstrike.alert.pattern_disposition | Disposition of the pattern. | long |
crowdstrike.alert.pattern_disposition_description | Description of the pattern disposition. | keyword |
crowdstrike.alert.pattern_disposition_details.blocking_unsupported_or_disabled | Indicates if blocking is unsupported or disabled. | boolean |
crowdstrike.alert.pattern_disposition_details.bootup_safeguard_enabled | Indicates if the bootup safeguard is enabled. | boolean |
crowdstrike.alert.pattern_disposition_details.critical_process_disabled | Indicates if the critical process is disabled. | boolean |
crowdstrike.alert.pattern_disposition_details.detect | Indicates if the pattern detected the threat. | boolean |
crowdstrike.alert.pattern_disposition_details.fs_operation_blocked | Indicates if file system operation is blocked. | boolean |
crowdstrike.alert.pattern_disposition_details.handle_operation_downgraded | Indicates if handle operation is downgraded. | boolean |
crowdstrike.alert.pattern_disposition_details.inddet_mask | Indicates if the indicator detection mask is true. | boolean |
crowdstrike.alert.pattern_disposition_details.indicator | Indicates if the pattern detected an indicator. | boolean |
crowdstrike.alert.pattern_disposition_details.kill_action_failed | Indicates if the kill action failed. | boolean |
crowdstrike.alert.pattern_disposition_details.kill_parent | Indicates if the parent process was killed. | boolean |
crowdstrike.alert.pattern_disposition_details.kill_process | Indicates if the process was killed. | boolean |
crowdstrike.alert.pattern_disposition_details.kill_subprocess | Indicates if the subprocess was killed. | boolean |
crowdstrike.alert.pattern_disposition_details.operation_blocked | Indicates if the operation is blocked. | boolean |
crowdstrike.alert.pattern_disposition_details.policy_disabled | Indicates if the policy is disabled. | boolean |
crowdstrike.alert.pattern_disposition_details.process_blocked | Indicates if the process is blocked. | boolean |
crowdstrike.alert.pattern_disposition_details.quarantine_file | Indicates if the file is quarantined. | boolean |
crowdstrike.alert.pattern_disposition_details.quarantine_machine | Indicates if the machine is quarantined. | boolean |
crowdstrike.alert.pattern_disposition_details.registry_operation_blocked | Indicates if registry operation is blocked. | boolean |
crowdstrike.alert.pattern_disposition_details.rooting | Indicates if rooting is detected. | boolean |
crowdstrike.alert.pattern_disposition_details.sensor_only | Indicates if the detection is based on the sensor only. | boolean |
crowdstrike.alert.pattern_disposition_details.suspend_parent | Indicates if the parent process was suspended. | boolean |
crowdstrike.alert.pattern_disposition_details.suspend_process | Indicates if the process was suspended. | boolean |
crowdstrike.alert.pattern_id | Identifier associated with the pattern. | keyword |
crowdstrike.alert.platform | Platform associated with the alert. | keyword |
crowdstrike.alert.poly_id | Identifier associated with polymorphic behavior. | keyword |
crowdstrike.alert.process_end_time | Timestamp indicating when the process ended. | date |
crowdstrike.alert.process_id | Identifier associated with the process. | keyword |
crowdstrike.alert.process_start_time | Timestamp indicating when the process started. | date |
crowdstrike.alert.product | Product associated with the detection. | keyword |
crowdstrike.alert.quarantined_files.filename | Filename of quarantined files. | keyword |
crowdstrike.alert.quarantined_files.id | Identifier of quarantined files. | keyword |
crowdstrike.alert.quarantined_files.sha256 | quarantined_files.sha256 SHA256 hash of quarantined files. | keyword |
crowdstrike.alert.quarantined_files.state | State of quarantined files. | keyword |
crowdstrike.alert.scenario | Scenario associated with the detection. | keyword |
crowdstrike.alert.severity | Severity level associated with the detection. | long |
crowdstrike.alert.sha1 | sha1 SHA1 hash associated with the detected file. | keyword |
crowdstrike.alert.sha256 | sha256 SHA256 hash associated with the detected file. | keyword |
crowdstrike.alert.show_in_ui | Indicates if the alert should be displayed in the user interface. | boolean |
crowdstrike.alert.source_products | Products associated with the data source. | keyword |
crowdstrike.alert.source_vendors | Vendors associated with the data source. | keyword |
crowdstrike.alert.status | Status of the alert. | keyword |
crowdstrike.alert.tactic | Tactic associated with the detection. | keyword |
crowdstrike.alert.tactic_id | Identifier associated with the tactic. | keyword |
crowdstrike.alert.technique | Technique associated with the detection. | keyword |
crowdstrike.alert.technique_id | Identifier associated with the technique. | keyword |
crowdstrike.alert.timestamp | Timestamp associated with the alert. | date |
crowdstrike.alert.tree_id | Identifier associated with the tree. | keyword |
crowdstrike.alert.tree_root | Root identifier associated with the tree. | keyword |
crowdstrike.alert.triggering_process_graph_id | Graph ID of the triggering process. | keyword |
crowdstrike.alert.type | Type associated with the alert. | keyword |
crowdstrike.alert.updated_timestamp | Timestamp indicating when the alert was last updated. | date |
crowdstrike.alert.user_id | User ID associated with the alert. | keyword |
crowdstrike.alert.user_name | Username associated with the alert. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
Falcon
Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector.
Falcon SIEM Connector configuration file
By default, the configuration file located at /opt/crowdstrike/etc/cs.falconhoseclient.cf provides configuration options related to the events collected by Falcon SIEM Connector.
Parts of the configuration file called EventTypeCollection and EventSubTypeCollection provides a list of event types that the connector should collect.
Current supported event types are:
- DetectionSummaryEvent
- IncidentSummaryEvent
- UserActivityAuditEvent
- AuthActivityAuditEvent
- FirewallMatchEvent
- RemoteResponseSessionStartEvent
- RemoteResponseSessionEndEvent
- CSPM Streaming events
- CSPM Search events
- IDP Incidents
- IDP Summary events
- Mobile Detection events
- Recon Notification events
- XDR Detection events
- Scheduled Report Notification events
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
crowdstrike.event.AccountCreationTimeStamp | The timestamp of when the source account was created in Active Directory. | date |
crowdstrike.event.AccountId | keyword | |
crowdstrike.event.ActivityId | ID of the activity that triggered the detection. | keyword |
crowdstrike.event.AddedPrivilege | The difference between their current and previous list of privileges. | keyword |
crowdstrike.event.AdditionalAccountObjectGuid | Additional involved user object GUID. | keyword |
crowdstrike.event.AdditionalAccountObjectSid | Additional involved user object SID. | keyword |
crowdstrike.event.AdditionalAccountUpn | Additional involved user UPN. | keyword |
crowdstrike.event.AdditionalActivityId | ID of an additional activity related to the detection. | keyword |
crowdstrike.event.AdditionalEndpointAccountObjectGuid | Additional involved endpoint object GUID. | keyword |
crowdstrike.event.AdditionalEndpointAccountObjectSid | Additional involved endpoint object SID. | keyword |
crowdstrike.event.AdditionalEndpointSensorId | Additional involved endpoint agent ID. | keyword |
crowdstrike.event.AdditionalLocationCountryCode | Additional involved country code. | keyword |
crowdstrike.event.AdditionalSsoApplicationIdentifier | Additional application identifier. | keyword |
crowdstrike.event.AgentIdString | keyword | |
crowdstrike.event.AnomalousTicketContentClassification | Ticket signature analysis. | keyword |
crowdstrike.event.AssociatedFile | The file associated with the triggering indicator. | keyword |
crowdstrike.event.Attributes | JSON objects containing additional information about the event. | flattened |
crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested |
crowdstrike.event.AuditKeyValues.Key | keyword | |
crowdstrike.event.AuditKeyValues.ValueString | keyword | |
crowdstrike.event.Category | IDP incident category. | keyword |
crowdstrike.event.CertificateTemplateIdentifier | The ID of the certificate template. | keyword |
crowdstrike.event.CertificateTemplateName | Name of the certificate template. | keyword |
crowdstrike.event.Certificates | Provides one or more JSON objects which includes related SSL/TLS Certificates. | nested |
crowdstrike.event.CloudPlatform | keyword | |
crowdstrike.event.CloudProvider | keyword | |
crowdstrike.event.CloudService | keyword | |
crowdstrike.event.Commands | Commands run in a remote session. | keyword |
crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword |
crowdstrike.event.CustomerId | Customer identifier. | keyword |
crowdstrike.event.DataDomains | Data domains of the event that was the primary indicator or created it. | keyword |
crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword |
crowdstrike.event.DetectName | Name of the detection. | keyword |
crowdstrike.event.DeviceId | Device on which the event occurred. | keyword |
crowdstrike.event.DnsRequests | Detected DNS requests done by a process. | nested |
crowdstrike.event.DocumentsAccessed | Detected documents accessed by a process. | nested |
crowdstrike.event.EmailAddresses | Summary list of all associated entity email addresses. | keyword |
crowdstrike.event.EnvironmentVariables | Provides one or more JSON objects which includes related environment variables. | nested |
crowdstrike.event.EventType | CrowdStrike provided event type. | keyword |
crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested |
crowdstrike.event.ExecutablesWritten.FileName | keyword | |
crowdstrike.event.ExecutablesWritten.FilePath | keyword | |
crowdstrike.event.ExecutablesWritten.Timestamp | keyword | |
crowdstrike.event.ExecutionID | keyword | |
crowdstrike.event.ExecutionMetadata.ExecutionDuration | long | |
crowdstrike.event.ExecutionMetadata.ExecutionStart | date | |
crowdstrike.event.ExecutionMetadata.ReportFileName | keyword | |
crowdstrike.event.ExecutionMetadata.ResultCount | long | |
crowdstrike.event.ExecutionMetadata.ResultID | keyword | |
crowdstrike.event.ExecutionMetadata.SearchWindowEnd | date | |
crowdstrike.event.ExecutionMetadata.SearchWindowStart | date | |
crowdstrike.event.Finding | The details of the finding. | keyword |
crowdstrike.event.FineScore | The highest incident score reached as of the time the event was sent. | float |
crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean |
crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean |
crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean |
crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword |
crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword |
crowdstrike.event.Highlights | Sections of content that matched the monitoring rule. | text |
crowdstrike.event.HostGroups | Array of related Host Group IDs. | keyword |
crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword |
crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword |
crowdstrike.event.IOARuleInstanceVersion | Version number of the InstanceID that triggered. | long |
crowdstrike.event.IOARuleName | Name given to the custom IOA rule that triggered. | keyword |
crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword |
crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword |
crowdstrike.event.IdpPolicyRuleAction | Identity Protection policy rule action. | keyword |
crowdstrike.event.IdpPolicyRuleName | Identity Protection policy rule name. | keyword |
crowdstrike.event.IdpPolicyRuleTrigger | Identity Protection policy rule trigger. | keyword |
crowdstrike.event.IncidentType | Incident Type | keyword |
crowdstrike.event.Ipv | Protocol for network request. | keyword |
crowdstrike.event.ItemPostedTimestamp | Time the raw intelligence was posted. | date |
crowdstrike.event.ItemType | Type of raw intelligence. | keyword |
crowdstrike.event.KeyStoreErrors | Describes a KeyStore error. | keyword |
crowdstrike.event.LMHostIDs | Array of host IDs seen to have experienced lateral movement because of the incident. | keyword |
crowdstrike.event.LateralMovement | Lateral movement field for incident. | long |
crowdstrike.event.LdapSearchQueryAttack | Detected LDAP tool attack. | keyword |
crowdstrike.event.LoadedObjects | Provides one or more JSON objects describing the loaded objects related to the detection. | nested |
crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword |
crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword |
crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. | keyword |
crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. | keyword |
crowdstrike.event.MatchCount | Number of firewall rule matches. | long |
crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long |
crowdstrike.event.MobileAppsDetails | Provides one or more JSON objects describing the related mobile applications. | nested |
crowdstrike.event.MobileAppsDetails.AndroidAppLabel | keyword | |
crowdstrike.event.MobileAppsDetails.AndroidAppVersionName | keyword | |
crowdstrike.event.MobileAppsDetails.AppIdentifier | keyword | |
crowdstrike.event.MobileAppsDetails.AppInstallerInformation | keyword | |
crowdstrike.event.MobileAppsDetails.DexFileHashes | keyword | |
crowdstrike.event.MobileAppsDetails.ImageFileName | keyword | |
crowdstrike.event.MobileAppsDetails.IsBeingDebugged | keyword | |
crowdstrike.event.MobileAppsDetails.IsContainerized | keyword | |
crowdstrike.event.MobileDnsRequests | Provides one or more JSON objects describing the related DNS requests from the mobile device. | nested |
crowdstrike.event.MobileNetworkConnections | Provides one or more JSON objects describing the related network connections from the mobile device. | nested |
crowdstrike.event.MostRecentActivityTimeStamp | The timestamp of the latest activity performed by the account. | date |
crowdstrike.event.MountedVolumes | Provides one or more JSON objects describing mounted volumes on the mobile device. | nested |
crowdstrike.event.NetworkAccesses | Detected Network traffic done by a process. | nested |
crowdstrike.event.NetworkAccesses.AccessTimestamp | keyword | |
crowdstrike.event.NetworkAccesses.AccessType | keyword | |
crowdstrike.event.NetworkAccesses.ConnectionDirection | keyword | |
crowdstrike.event.NetworkAccesses.IsIPV6 | keyword | |
crowdstrike.event.NetworkAccesses.LocalAddress | keyword | |
crowdstrike.event.NetworkAccesses.LocalPort | keyword | |
crowdstrike.event.NetworkAccesses.Protocol | keyword | |
crowdstrike.event.NetworkAccesses.RemoteAddress | keyword | |
crowdstrike.event.NetworkAccesses.RemotePort | keyword | |
crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword |
crowdstrike.event.NotificationId | ID of the generated notification. | keyword |
crowdstrike.event.NumberOfCompromisedEntities | Number of compromised entities, users and endpoints. | long |
crowdstrike.event.NumbersOfAlerts | Number of alerts in the identity-based incident. | long |
crowdstrike.event.OARuleInstanceID | Numerical ID of the custom IOA rule under a given CID. | keyword |
crowdstrike.event.Objective | Method of detection. | keyword |
crowdstrike.event.ObjectiveCRuntimesAltered | Provides one or more JSON objects describing the obj-c methods related to the malware. | nested |
crowdstrike.event.OperationName | Event subtype. | keyword |
crowdstrike.event.ParentImageFileName | The parent image file name involved. | keyword |
crowdstrike.event.PatternDispositionFlags.BlockingUnsupportedOrDisabled | boolean | |
crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | boolean | |
crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | boolean | |
crowdstrike.event.PatternDispositionFlags.Detect | boolean | |
crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | boolean | |
crowdstrike.event.PatternDispositionFlags.HandleOperationDowngraded | boolean | |
crowdstrike.event.PatternDispositionFlags.InddetMask | boolean | |
crowdstrike.event.PatternDispositionFlags.Indicator | boolean | |
crowdstrike.event.PatternDispositionFlags.KillActionFailed | boolean | |
crowdstrike.event.PatternDispositionFlags.KillParent | boolean | |
crowdstrike.event.PatternDispositionFlags.KillProcess | boolean | |
crowdstrike.event.PatternDispositionFlags.KillSubProcess | boolean | |
crowdstrike.event.PatternDispositionFlags.OperationBlocked | boolean | |
crowdstrike.event.PatternDispositionFlags.PolicyDisabled | boolean | |
crowdstrike.event.PatternDispositionFlags.ProcessBlocked | boolean | |
crowdstrike.event.PatternDispositionFlags.QuarantineFile | boolean | |
crowdstrike.event.PatternDispositionFlags.QuarantineMachine | boolean | |
crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | boolean | |
crowdstrike.event.PatternDispositionFlags.Rooting | boolean | |
crowdstrike.event.PatternDispositionFlags.SensorOnly | boolean | |
crowdstrike.event.PatternDispositionFlags.SuspendParent | boolean | |
crowdstrike.event.PatternDispositionFlags.SuspendProcess | boolean | |
crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer |
crowdstrike.event.PatternId | The numerical ID of the pattern associated with the action taken on the detection. | keyword |
crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword |
crowdstrike.event.PolicyId | The ID of the associated Policy. | long |
crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword |
crowdstrike.event.PrecedingActivityTimeStamp | The timestamp of the activity before the most recent activity was performed. | date |
crowdstrike.event.PreviousPrivileges | A list of the source account's privileges before privilege changes were made. | keyword |
crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword |
crowdstrike.event.ProtocolAnomalyClassification | Authentication signature analysis. | keyword |
crowdstrike.event.Region | keyword | |
crowdstrike.event.ReportFileReference | keyword | |
crowdstrike.event.ReportID | keyword | |
crowdstrike.event.ReportName | keyword | |
crowdstrike.event.ReportType | keyword | |
crowdstrike.event.ResourceAttributes | A JSON blob with all resource attributes. | flattened |
crowdstrike.event.ResourceId | The cloud resource identifier. | keyword |
crowdstrike.event.ResourceIdType | The type of the detected resource identifier. | keyword |
crowdstrike.event.ResourceName | Resource name if any. | keyword |
crowdstrike.event.ResourceUrl | The URL to the cloud resource. | keyword |
crowdstrike.event.RootAccessIndicators | Provides one or more JSON objects which includes logs and stack traces from the suspicious source. | nested |
crowdstrike.event.RpcOpClassification | RPC operation type. | keyword |
crowdstrike.event.RuleAction | Firewall rule action. | keyword |
crowdstrike.event.RulePriority | Priority of the monitoring rule that found the match. | keyword |
crowdstrike.event.SELinuxEnforcementPolicy | State of SELinux enforcement policy on an Android device. | keyword |
crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword |
crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword |
crowdstrike.event.SafetyNetAdvice | Provides information to help explain why the Google SafetyNet Attestation API set eitherCTSProfileMatch or BasicIntegrity fields to false. | keyword |
crowdstrike.event.SafetyNetBasicIntegrity | The result of a more lenient verdict for device integrity. | keyword |
crowdstrike.event.SafetyNetCTSProfileMatch | The result of a stricter verdict for device integrity. | keyword |
crowdstrike.event.SafetyNetErrorMessage | An encoded error message. | keyword |
crowdstrike.event.SafetyNetErrors | Describes a SafetyNet error | keyword |
crowdstrike.event.SafetyNetEvaluationType | Provides information about the type of measurements used to compute fields likeCTSProfileMatch and BasicIntegrity. | keyword |
crowdstrike.event.ScanResults | Array of scan results. | nested |
crowdstrike.event.ScheduledSearchExecutionId | ID of the specific search execution. | keyword |
crowdstrike.event.ScheduledSearchId | Unique identifier of the associated scheduled search. | keyword |
crowdstrike.event.ScheduledSearchUserId | User ID of the user that created the the associated scheduled search. | keyword |
crowdstrike.event.ScheduledSearchUserUUID | UUID of the user that created the the associated scheduled search. | keyword |
crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword |
crowdstrike.event.ServiceName | Description of which related service was involved in the event. | keyword |
crowdstrike.event.SessionId | Session ID of the remote response session. | keyword |
crowdstrike.event.SeverityName | The severity level of the detection, as a string (High/Medium/Informational). | keyword |
crowdstrike.event.SourceAccountUpn | Source user UPN. | keyword |
crowdstrike.event.SourceEndpointAccountObjectGuid | Source endpoint object GUID | keyword |
crowdstrike.event.SourceEndpointAccountObjectSid | Source endpoint object SID. | keyword |
crowdstrike.event.SourceEndpointIpReputation | Source endpoint IP reputation. | keyword |
crowdstrike.event.SourceEndpointSensorId | Source endpoint agent ID. | keyword |
crowdstrike.event.SourceProducts | Names of the products from which the source data originated. | keyword |
crowdstrike.event.SourceVendors | Names of the vendors from which the source data originated. | keyword |
crowdstrike.event.SsoApplicationIdentifier | Destination application identifier. | keyword |
crowdstrike.event.State | Identity-based detection or incident status. | keyword |
crowdstrike.event.Status | CrowdStrike status. | keyword |
crowdstrike.event.StatusMessage | keyword | |
crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean |
crowdstrike.event.SuspiciousMachineAccountAlterationType | Machine alteration type. | keyword |
crowdstrike.event.SystemProperties | Provides one or more JSON objects which includes related system properties. | nested |
crowdstrike.event.Tags | Tags on the cloud resources if any. | nested |
crowdstrike.event.TargetAccountDomain | Target user domain. | keyword |
crowdstrike.event.TargetAccountName | Target user name. | keyword |
crowdstrike.event.TargetAccountObjectSid | Target user object SID. | keyword |
crowdstrike.event.TargetAccountUpn | Target user UPN. | keyword |
crowdstrike.event.TargetEndpointAccountObjectGuid | Target endpoint object GUID. | keyword |
crowdstrike.event.TargetEndpointAccountObjectSid | Target endpoint object SID. | keyword |
crowdstrike.event.TargetEndpointHostName | Target endpoint hostname. | keyword |
crowdstrike.event.TargetEndpointSensorId | Target endpoint agent ID. | keyword |
crowdstrike.event.TargetServiceAccessIdentifier | Target SPN. | keyword |
crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date |
crowdstrike.event.Trampolines | Provides one or more JSON objects describing the relevant functions and processes performing inline API hooks. | nested |
crowdstrike.event.TreeID | CrowdStrike tree id. | keyword |
crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword |
crowdstrike.event.UserUUID | keyword | |
crowdstrike.event.VerifiedBootState | Provides the device’s current boot state. | keyword |
crowdstrike.event.XdrType | Type of detection: xdr or xdr-scheduled-search. | keyword |
crowdstrike.metadata.customerIDString | Customer identifier | keyword |
crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword |
crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer |
crowdstrike.metadata.version | Schema version | keyword |
data_stream.dataset | Data stream dataset name. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
log.flags | Flags for the log file. | keyword |
log.offset | Offset of the entry in the log file. | long |
An example event for falcon looks as following:
{
"@timestamp": "2020-02-12T21:29:10.000Z",
"agent": {
"ephemeral_id": "fe495f50-2dbf-43ee-9c49-b35ef8bf9235",
"id": "df7cb44a-7978-449c-992e-c6b22e788ae9",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.11.0"
},
"crowdstrike": {
"event": {
"AuditKeyValues": [
{
"Key": "APIClientID",
"ValueString": "1234567890abcdefghijklmnopqr"
},
{
"Key": "partition",
"ValueString": "0"
},
{
"Key": "offset",
"ValueString": "-1"
},
{
"Key": "appId",
"ValueString": "siem-connector-v2.0.0"
},
{
"Key": "eventType",
"ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
}
],
"OperationName": "streamStarted",
"Success": true
},
"metadata": {
"customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"eventType": "AuthActivityAuditEvent",
"offset": 0,
"version": "1.0"
}
},
"data_stream": {
"dataset": "crowdstrike.falcon",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "df7cb44a-7978-449c-992e-c6b22e788ae9",
"snapshot": false,
"version": "8.11.0"
},
"event": {
"action": [
"streamStarted"
],
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2020-02-12T21:29:10.710Z",
"dataset": "crowdstrike.falcon",
"ingested": "2024-01-29T08:59:16Z",
"kind": "event",
"original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}",
"outcome": "success"
},
"input": {
"type": "log"
},
"log": {
"file": {
"path": "/tmp/service_logs/falcon-audit-events.log"
},
"flags": [
"multiline"
],
"offset": 910
},
"message": "Crowdstrike Streaming API",
"observer": {
"product": "Falcon",
"vendor": "Crowdstrike"
},
"related": {
"ip": [
"10.10.0.8"
],
"user": [
"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
]
},
"source": {
"ip": "10.10.0.8"
},
"tags": [
"preserve_original_event",
"forwarded",
"crowdstrike-falcon"
],
"user": {
"name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
}
}FDR
The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is available in S3.
This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket and the integration can read from there.
In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time.
Use with CrowdStrike managed S3/SQS
This is the simplest way to setup the integration, and also the default.
You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR.
Ensure the Is FDR queue option is enabled.
Use with FDR tool and data replicated to a self-managed S3 bucket
This option can be used if you want to archive the raw CrowdStrike data.
You need to follow the steps below:
- Create a S3 bucket to receive the logs.
- Create a SQS queue.
- Configure your S3 bucket to send object created notifications to your SQS queue.
- Follow the FDR tool instructions to replicate data to your own S3 bucket.
- Configure the integration to read from your self-managed SQS topic.
- Disable the
Is FDR queueoption in the integration.
NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files.
Configuration for the S3 input
AWS credentials are required for running this integration if you want to use the S3 input.
Configuration parameters
access_key_id: first part of access key.secret_access_key: second part of access key.session_token: required when using temporary security credentials.credential_profile_name: profile name in shared credentials file.shared_credential_file: directory of the shared credentials file.endpoint: URL of the entry point for an AWS web service.role_arn: AWS IAM Role to assume.
Credential Types
There are three types of AWS credentials can be used:
- access keys,
- temporary security credentials, and
- IAM role ARN.
Access keys
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are the two parts of access keys.
They are long-term credentials for an IAM user, or the AWS account root user.
Please see AWS Access Keys and Secret Access Keys
for more details.
Temporary security credentials
Temporary security credentials has a limited lifetime and consists of an
access key ID, a secret access key, and a security token which typically returned
from GetSessionToken.
MFA-enabled IAM users would need to submit an MFA code
while calling GetSessionToken. default_region identifies the AWS Region
whose servers you want to send your first API request to by default.
This is typically the Region closest to you, but it can be any Region. Please see Temporary Security Credentials for more details.
sts get-session-token AWS CLI can be used to generate temporary credentials.
For example. with MFA-enabled:
aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456Because temporary security credentials are short term, after they expire, the
user needs to generate new ones and manually update the package configuration in
order to continue collecting aws metrics.
This will cause data loss if the configuration is not updated with new credentials before the old ones expire.
IAM role ARN
An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS.
A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials.
Please see AssumeRole API documentation for more details.
Supported Formats
- Use access keys: Access keys include
access_key_id,secret_access_keyand/orsession_token. - Use
role_arn:role_arnis used to specify which AWS IAM role to assume for generating temporary credentials. Ifrole_arnis given, the package will check if access keys are given. If not, the package will check for credential profile name. If neither is given, default credential profile will be used.
Please make sure credentials are given under either a credential profile or
access keys.
3. Use credential_profile_name and/or shared_credential_file:
If access_key_id, secret_access_key and role_arn are all not given, then
the package will check for credential_profile_name.
If you use different credentials for different tools or applications, you can use profiles to
configure multiple access keys in the same configuration file.
If there is no credential_profile_name given, the default profile will be used.
shared_credential_file is optional to specify the directory of your shared
credentials file.
If it's empty, the default directory will be used.
In Windows, shared credentials file is at C:\Users\<yourUserName>\.aws\credentials.
For Linux, macOS or Unix, the file locates at ~/.aws/credentials.
Please seeCreate Shared Credentials File
for more details.
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
crowdstrike.AccountType | keyword | |
crowdstrike.AgentIdString | keyword | |
crowdstrike.AgentLoadFlags | keyword | |
crowdstrike.AgentLocalTime | date | |
crowdstrike.AgentTimeOffset | float | |
crowdstrike.AgentVersion | keyword | |
crowdstrike.AllocateVirtualMemoryCount | long | |
crowdstrike.ApiReturnValue | keyword | |
crowdstrike.ArchiveFileWrittenCount | long | |
crowdstrike.AsepWrittenCount | long | |
crowdstrike.AssociatedFile | keyword | |
crowdstrike.AttemptNumber | long | |
crowdstrike.AuthenticationId | keyword | |
crowdstrike.AuthenticationPackage | keyword | |
crowdstrike.AuthenticationUuid | keyword | |
crowdstrike.AuthenticationUuidAsString | keyword | |
crowdstrike.BinaryExecutableWrittenCount | long | |
crowdstrike.BiosManufacturer | keyword | |
crowdstrike.BiosReleaseDate | date | |
crowdstrike.BiosVersion | keyword | |
crowdstrike.BootArgs | keyword | |
crowdstrike.BootTimeFunctionalityLevel | keyword | |
crowdstrike.BoundedCount | long | |
crowdstrike.BundleID | keyword | |
crowdstrike.CLICreationCount | long | |
crowdstrike.CallStackModuleNames | keyword | |
crowdstrike.CallStackModuleNamesVersion | version | |
crowdstrike.ChannelDiffStatus | keyword | |
crowdstrike.ChannelId | keyword | |
crowdstrike.ChannelVersion | keyword | |
crowdstrike.ChannelVersionRequired | keyword | |
crowdstrike.ChasisManufacturer | keyword | |
crowdstrike.ChassisType | keyword | |
crowdstrike.ClientComputerName | keyword | |
crowdstrike.CompletionEventId | keyword | |
crowdstrike.ConHostId | keyword | |
crowdstrike.ConHostProcessId | keyword | |
crowdstrike.ConfigBuild | keyword | |
crowdstrike.ConfigIDBase | keyword | |
crowdstrike.ConfigIDBuild | keyword | |
crowdstrike.ConfigIDPlatform | keyword | |
crowdstrike.ConfigStateData | text | |
crowdstrike.ConfigStateHash | keyword | |
crowdstrike.ConfigurationVersion | keyword | |
crowdstrike.ConnectTime | date | |
crowdstrike.ConnectType | keyword | |
crowdstrike.ConnectionFlags | keyword | |
crowdstrike.ContextProcessId | keyword | |
crowdstrike.ContextTimeStamp | System local time of event creation. | date |
crowdstrike.CpuClockSpeed | keyword | |
crowdstrike.CpuFeaturesMask | keyword | |
crowdstrike.CpuProcessorName | keyword | |
crowdstrike.CpuSignature | keyword | |
crowdstrike.CpuVendor | keyword | |
crowdstrike.CreateProcessCount | long | |
crowdstrike.CreateProcessType | keyword | |
crowdstrike.CurrentFunctionalityLevel | keyword | |
crowdstrike.CurrentLocalIP | ip | |
crowdstrike.CustomerIdString | keyword | |
crowdstrike.CycleTime | long | |
crowdstrike.DesiredAccess | keyword | |
crowdstrike.DetectDescription | keyword | |
crowdstrike.DetectId | keyword | |
crowdstrike.DetectName | keyword | |
crowdstrike.DeviceId | keyword | |
crowdstrike.DirectoryCreatedCount | long | |
crowdstrike.DirectoryEnumeratedCount | long | |
crowdstrike.DnsRequestCount | long | |
crowdstrike.DocumentFileWrittenCount | long | |
crowdstrike.DownloadPath | keyword | |
crowdstrike.DownloadPort | long | |
crowdstrike.DownloadServer | keyword | |
crowdstrike.DualRequest | keyword | |
crowdstrike.ELFSubType | keyword | |
crowdstrike.EffectiveTransmissionClass | keyword | |
crowdstrike.EnabledPrivilegesBitmask | keyword | |
crowdstrike.EndTime | date | |
crowdstrike.Entitlements | keyword | |
crowdstrike.ErrorCode | keyword | |
crowdstrike.ErrorStatus | keyword | |
crowdstrike.EtwRawThreadId | long | |
crowdstrike.EventType | keyword | |
crowdstrike.EventUUID | keyword | |
crowdstrike.ExeAndServiceCount | long | |
crowdstrike.ExecutableDeletedCount | long | |
crowdstrike.ExternalApiType | keyword | |
crowdstrike.FXFileSize | keyword | |
crowdstrike.Facility | keyword | |
crowdstrike.FailedConnectCount | long | |
crowdstrike.FalconGroupingTags | keyword | |
crowdstrike.FalconHostLink | keyword | |
crowdstrike.FeatureExtractionVersion | keyword | |
crowdstrike.FeatureVector | match_only_text | |
crowdstrike.File | keyword | |
crowdstrike.FileAttributes | keyword | |
crowdstrike.FileDeletedCount | long | |
crowdstrike.FileEcpBitmask | keyword | |
crowdstrike.FileName | keyword | |
crowdstrike.FileObject | keyword | |
crowdstrike.FilePath | keyword | |
crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | keyword | |
crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | keyword | |
crowdstrike.FirstDiscoveredDate | date | |
crowdstrike.FirstSeen | date | |
crowdstrike.Flags | keyword | |
crowdstrike.GenericFileWrittenCount | long | |
crowdstrike.GrandParentBaseFileName | keyword | |
crowdstrike.GrandparentCommandLine | keyword | |
crowdstrike.GrandparentImageFileName | keyword | |
crowdstrike.HostGroups | keyword | |
crowdstrike.HostHiddenStatus | keyword | |
crowdstrike.IOCType | keyword | |
crowdstrike.IOCValue | keyword | |
crowdstrike.IOServiceClass | keyword | |
crowdstrike.IOServiceName | keyword | |
crowdstrike.IOServicePath | keyword | |
crowdstrike.ImageSubsystem | keyword | |
crowdstrike.InContext | keyword | |
crowdstrike.InDiscards | keyword | |
crowdstrike.InErrors | keyword | |
crowdstrike.InMulticastPkts | keyword | |
crowdstrike.InOctets | keyword | |
crowdstrike.InUcastPkts | keyword | |
crowdstrike.InUnknownProtos | keyword | |
crowdstrike.Information | keyword | |
crowdstrike.InjectedDllCount | long | |
crowdstrike.InjectedThreadCount | long | |
crowdstrike.IntegrityLevel | keyword | |
crowdstrike.InterfaceAlias | keyword | |
crowdstrike.InterfaceGuid | keyword | |
crowdstrike.InterfaceIndex | long | |
crowdstrike.InterfaceType | keyword | |
crowdstrike.InterfaceVersion | keyword | |
crowdstrike.IrpFlags | keyword | |
crowdstrike.IsOnNetwork | keyword | |
crowdstrike.IsOnRemovableDisk | keyword | |
crowdstrike.IsTransactedFile | keyword | |
crowdstrike.KernelTime | long | |
crowdstrike.LastDiscoveredBy | keyword | |
crowdstrike.LastLoggedOnHost | keyword | |
crowdstrike.LfoUploadFlags | keyword | |
crowdstrike.LightningLatencyState | keyword | |
crowdstrike.Line | keyword | |
crowdstrike.LocalAddressIP4 | ip | |
crowdstrike.LocalAddressIP6 | ip | |
crowdstrike.LocalAdminAccess | keyword | |
crowdstrike.LocalIP | ip | |
crowdstrike.LogicalCoreCount | long | |
crowdstrike.LoginSessionId | keyword | |
crowdstrike.LogoffTime | date | |
crowdstrike.LogonDomain | keyword | |
crowdstrike.LogonId | keyword | |
crowdstrike.LogonInfo | keyword | |
crowdstrike.LogonServer | keyword | |
crowdstrike.LogonTime | date | |
crowdstrike.LogonType | keyword | |
crowdstrike.MACAddress | keyword | |
crowdstrike.MACPrefix | keyword | |
crowdstrike.MD5String | keyword | |
crowdstrike.MLModelVersion | keyword | |
crowdstrike.MachOSubType | keyword | |
crowdstrike.MajorFunction | keyword | |
crowdstrike.MajorVersion | keyword | |
crowdstrike.Malicious | keyword | |
crowdstrike.MaxThreadCount | long | |
crowdstrike.MemoryTotal | keyword | |
crowdstrike.MicrocodeSignature | keyword | |
crowdstrike.MinorFunction | keyword | |
crowdstrike.MinorVersion | keyword | |
crowdstrike.MoboManufacturer | keyword | |
crowdstrike.MoboProductName | keyword | |
crowdstrike.ModelPrediction | keyword | |
crowdstrike.ModuleLoadCount | long | |
crowdstrike.NDRoot | keyword | |
crowdstrike.NeighborList | keyword | |
crowdstrike.NeighborName | keyword | |
crowdstrike.NetLuidIndex | long | |
crowdstrike.NetworkBindCount | long | |
crowdstrike.NetworkCapableAsepWriteCount | long | |
crowdstrike.NetworkCloseCount | long | |
crowdstrike.NetworkConnectCount | long | |
crowdstrike.NetworkConnectCountUdp | long | |
crowdstrike.NetworkContainmentState | keyword | |
crowdstrike.NetworkListenCount | long | |
crowdstrike.NetworkModuleLoadCount | long | |
crowdstrike.NetworkRecvAcceptCount | long | |
crowdstrike.NewExecutableWrittenCount | long | |
crowdstrike.NewFileIdentifier | keyword | |
crowdstrike.Nonce | integer | |
crowdstrike.OSVersionFileData | match_only_text | |
crowdstrike.OSVersionFileName | keyword | |
crowdstrike.OU | keyword | |
crowdstrike.Objective | keyword | |
crowdstrike.OperationFlags | keyword | |
crowdstrike.Options | keyword | |
crowdstrike.OutErrors | keyword | |
crowdstrike.OutMulticastPkts | keyword | |
crowdstrike.OutOctets | keyword | |
crowdstrike.OutUcastPkts | keyword | |
crowdstrike.Parameter1 | keyword | |
crowdstrike.Parameter2 | keyword | |
crowdstrike.Parameter3 | keyword | |
crowdstrike.ParentAuthenticationId | keyword | |
crowdstrike.ParentCommandLine | keyword | |
crowdstrike.ParentImageFileName | keyword | |
crowdstrike.PasswordLastSet | keyword | |
crowdstrike.PatternDispositionDescription | keyword | |
crowdstrike.PatternDispositionFlags.BlockingUnsupportedOrDisabled | boolean | |
crowdstrike.PatternDispositionFlags.BootupSafeguardEnabled | boolean | |
crowdstrike.PatternDispositionFlags.CriticalProcessDisabled | boolean | |
crowdstrike.PatternDispositionFlags.Detect | boolean | |
crowdstrike.PatternDispositionFlags.FsOperationBlocked | boolean | |
crowdstrike.PatternDispositionFlags.HandleOperationDowngraded | boolean | |
crowdstrike.PatternDispositionFlags.InddetMask | boolean | |
crowdstrike.PatternDispositionFlags.Indicator | boolean | |
crowdstrike.PatternDispositionFlags.KillActionFailed | boolean | |
crowdstrike.PatternDispositionFlags.KillParent | boolean | |
crowdstrike.PatternDispositionFlags.KillProcess | boolean | |
crowdstrike.PatternDispositionFlags.KillSubProcess | boolean | |
crowdstrike.PatternDispositionFlags.OperationBlocked | boolean | |
crowdstrike.PatternDispositionFlags.PolicyDisabled | boolean | |
crowdstrike.PatternDispositionFlags.ProcessBlocked | boolean | |
crowdstrike.PatternDispositionFlags.QuarantineFile | boolean | |
crowdstrike.PatternDispositionFlags.QuarantineMachine | boolean | |
crowdstrike.PatternDispositionFlags.RegistryOperationBlocked | boolean | |
crowdstrike.PatternDispositionFlags.Rooting | boolean | |
crowdstrike.PatternDispositionFlags.SensorOnly | boolean | |
crowdstrike.PatternDispositionFlags.SuspendParent | boolean | |
crowdstrike.PatternDispositionFlags.SuspendProcess | boolean | |
crowdstrike.PatternDispositionValue | long | |
crowdstrike.PciAttachmentState | keyword | |
crowdstrike.PhysicalAddress | keyword | |
crowdstrike.PhysicalAddressLength | long | |
crowdstrike.PhysicalCoreCount | long | |
crowdstrike.PointerSize | keyword | |
crowdstrike.PreviousConnectTime | date | |
crowdstrike.PrivilegedProcessHandleCount | long | |
crowdstrike.PrivilegesBitmask | keyword | |
crowdstrike.ProcessCount | long | |
crowdstrike.ProcessCreateFlags | keyword | |
crowdstrike.ProcessId | long | |
crowdstrike.ProcessParameterFlags | keyword | |
crowdstrike.ProcessSxsFlags | keyword | |
crowdstrike.ProcessorPackageCount | long | |
crowdstrike.ProductType | keyword | |
crowdstrike.ProtectVirtualMemoryCount | long | |
crowdstrike.ProvisionState | keyword | |
crowdstrike.PupAdwareConfidence | keyword | |
crowdstrike.PupAdwareDecisionValue | keyword | |
crowdstrike.QueueApcCount | long | |
crowdstrike.RFMState | keyword | |
crowdstrike.RGID | keyword | |
crowdstrike.RUID | keyword | |
crowdstrike.ReasonOfFunctionalityLevel | keyword | |
crowdstrike.RegKeySecurityDecreasedCount | long | |
crowdstrike.RemoteAccount | keyword | |
crowdstrike.RemovableDiskFileWrittenCount | long | |
crowdstrike.RequestType | keyword | |
crowdstrike.RpcClientProcessId | keyword | |
crowdstrike.RpcClientThreadId | keyword | |
crowdstrike.RpcNestingLevel | keyword | |
crowdstrike.RpcOpNum | keyword | |
crowdstrike.RunDllInvocationCount | long | |
crowdstrike.SHA1String | keyword | |
crowdstrike.SHA256String | keyword | |
crowdstrike.SVGID | keyword | |
crowdstrike.SVUID | keyword | |
crowdstrike.ScreenshotsTakenCount | long | |
crowdstrike.ScriptEngineInvocationCount | long | |
crowdstrike.SensorGroupingTags | keyword | |
crowdstrike.SensorId | keyword | |
crowdstrike.SensorStateBitMap | keyword | |
crowdstrike.ServiceDisplayName | keyword | |
crowdstrike.ServiceEventCount | long | |
crowdstrike.ServicePackMajor | keyword | |
crowdstrike.SessionId | keyword | |
crowdstrike.SessionProcessId | keyword | |
crowdstrike.SetThreadContextCount | long | |
crowdstrike.Severity | integer | |
crowdstrike.SeverityName | keyword | |
crowdstrike.ShareAccess | keyword | |
crowdstrike.SiteName | keyword | |
crowdstrike.Size | long | |
crowdstrike.SnapshotFileOpenCount | long | |
crowdstrike.SourceFileName | keyword | |
crowdstrike.SourceProcessId | keyword | |
crowdstrike.SourceThreadId | keyword | |
crowdstrike.StartTime | date | |
crowdstrike.Status | keyword | |
crowdstrike.SubStatus | keyword | |
crowdstrike.SuppressType | keyword | |
crowdstrike.SuspectStackCount | long | |
crowdstrike.SuspiciousCredentialModuleLoadCount | long | |
crowdstrike.SuspiciousDnsRequestCount | long | |
crowdstrike.SuspiciousFontLoadCount | long | |
crowdstrike.SuspiciousRawDiskReadCount | long | |
crowdstrike.SyntheticPR2Flags | keyword | |
crowdstrike.SystemManufacturer | keyword | |
crowdstrike.SystemProductName | keyword | |
crowdstrike.SystemSerialNumber | keyword | |
crowdstrike.SystemSku | keyword | |
crowdstrike.SystemTableIndex | long | |
crowdstrike.Tactic | keyword | |
crowdstrike.Tags | keyword | |
crowdstrike.TargetFileName | keyword | |
crowdstrike.TargetThreadId | keyword | |
crowdstrike.Technique | keyword | |
crowdstrike.Timeout | long | |
crowdstrike.TokenType | keyword | |
crowdstrike.USN | keyword | |
crowdstrike.UnixMode | keyword | |
crowdstrike.UnsignedModuleLoadCount | long | |
crowdstrike.UploadId | keyword | |
crowdstrike.User | keyword | |
crowdstrike.UserFlags | keyword | |
crowdstrike.UserGroupsBitmask | keyword | |
crowdstrike.UserLogoffType | keyword | |
crowdstrike.UserLogonFlags | keyword | |
crowdstrike.UserLogonFlags_decimal | keyword | |
crowdstrike.UserMemoryAllocateExecutableCount | long | |
crowdstrike.UserMemoryAllocateExecutableRemoteCount | long | |
crowdstrike.UserMemoryProtectExecutableCount | long | |
crowdstrike.UserMemoryProtectExecutableRemoteCount | long | |
crowdstrike.UserName | keyword | |
crowdstrike.UserSid | keyword | |
crowdstrike.UserSid_readable | keyword | |
crowdstrike.UserTime | long | |
crowdstrike.VerifiedCertificate | keyword | |
crowdstrike.VnodeModificationType | keyword | |
crowdstrike.VnodeType | keyword | |
crowdstrike.VolumeAppearanceTime | keyword | |
crowdstrike.VolumeBusName | keyword | |
crowdstrike.VolumeBusPath | keyword | |
crowdstrike.VolumeDeviceCharacteristics | keyword | |
crowdstrike.VolumeDeviceInternal | keyword | |
crowdstrike.VolumeDeviceModel | keyword | |
crowdstrike.VolumeDeviceObjectFlags | keyword | |
crowdstrike.VolumeDevicePath | keyword | |
crowdstrike.VolumeDeviceProtocol | keyword | |
crowdstrike.VolumeDeviceRevision | keyword | |
crowdstrike.VolumeDeviceType | keyword | |
crowdstrike.VolumeDriveLetter | keyword | |
crowdstrike.VolumeFileSystemDevice | keyword | |
crowdstrike.VolumeFileSystemDriver | keyword | |
crowdstrike.VolumeFileSystemType | keyword | |
crowdstrike.VolumeIsEncrypted | keyword | |
crowdstrike.VolumeIsNetwork | keyword | |
crowdstrike.VolumeMediaBSDMajor | keyword | |
crowdstrike.VolumeMediaBSDMinor | keyword | |
crowdstrike.VolumeMediaBSDName | keyword | |
crowdstrike.VolumeMediaBSDUnit | keyword | |
crowdstrike.VolumeMediaContent | keyword | |
crowdstrike.VolumeMediaEjectable | keyword | |
crowdstrike.VolumeMediaName | keyword | |
crowdstrike.VolumeMediaPath | keyword | |
crowdstrike.VolumeMediaRemovable | keyword | |
crowdstrike.VolumeMediaSize | keyword | |
crowdstrike.VolumeMediaUUID | keyword | |
crowdstrike.VolumeMediaWhole | keyword | |
crowdstrike.VolumeMediaWritable | keyword | |
crowdstrike.VolumeMountPoint | keyword | |
crowdstrike.VolumeName | keyword | |
crowdstrike.VolumeRealDeviceName | keyword | |
crowdstrike.VolumeSectorSize | keyword | |
crowdstrike.VolumeType | keyword | |
crowdstrike.VolumeUUID | keyword | |
crowdstrike.WindowFlags | keyword | |
crowdstrike.__mv_LocalAddressIP4 | keyword | |
crowdstrike.__mv_aip | keyword | |
crowdstrike.__mv_discoverer_aid | keyword | |
crowdstrike.aipCount | integer | |
crowdstrike.cid | keyword | |
crowdstrike.discovererCount | integer | |
crowdstrike.discoverer_aid | keyword | |
crowdstrike.eid | integer | |
crowdstrike.info.host.* | Host information enriched from aidmaster data. | object |
crowdstrike.info.user.* | User information enriched from userinfo data. | object |
crowdstrike.localipCount | integer | |
crowdstrike.monthsincereset | keyword | |
crowdstrike.name | keyword | |
crowdstrike.subnet | keyword | |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | keyword | |
log.offset | long | |
observer.address | keyword |
An example event for fdr looks as following:
{
"@timestamp": "2020-10-01T09:58:32.519Z",
"agent": {
"ephemeral_id": "9eabd9f1-861b-4007-80d9-7ca2e4b6bb03",
"id": "8e3dcae6-8d1c-46c1-bed0-bf69fdde05e5",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.11.1"
},
"crowdstrike": {
"AuthenticationId": "3783389",
"ConfigStateHash": "3998263252",
"EffectiveTransmissionClass": "3",
"Entitlements": "15",
"ImageSubsystem": "2",
"IntegrityLevel": "4096",
"ParentAuthenticationId": "3783389",
"ProcessCreateFlags": "525332",
"ProcessParameterFlags": "16385",
"ProcessSxsFlags": "1600",
"RpcClientProcessId": "2439558094566",
"SessionId": "1",
"SourceProcessId": "2439558094566",
"SourceThreadId": "77538684027214",
"Tags": [
"41",
"12094627905582",
"12094627906234"
],
"TokenType": "2",
"WindowFlags": "128",
"cid": "ffffffff30a3407dae27d0503611022d",
"info": {
"host": {
"AgentLoadFlags": "1",
"AgentLocalTime": "1697775225",
"AgentTimeOffset": "15889.017",
"AgentVersion": "7.01.13922.0",
"BiosManufacturer": "Iris",
"BiosVersion": "vG17V.21040423/z64",
"ChassisType": "Other",
"City": "Chicago",
"ConfigBuild": "1007.3.0017312.1",
"ConfigIDBuild": "13922",
"Continent": "North America",
"Country": "United States of America",
"FalconGroupingTags": "'FalconGroupingTags/AMERICA'",
"FirstSeen": "1628678052.0",
"HostHiddenStatus": "Visible",
"MachineDomain": "groot.org",
"OU": "Servers;America;Offices",
"PointerSize": "8",
"ProductType": "3.0",
"ServicePackMajor": "0",
"SiteName": "BCL",
"SystemManufacturer": "Iris",
"SystemProductName": "IrOS",
"Time": "1697992719.22",
"Timezone": "America/Chicago",
"Version": "Windows Server 2021",
"cid": "ffffffff30a3407dae27d0503611022d",
"event_platform": "Win"
},
"user": {
"AccountType": "Domain User",
"LastLoggedOnHost": "COMPUTER1",
"LocalAdminAccess": "No",
"LogonInfo": "Domain User Logon",
"LogonTime": "1702546155.197",
"LogonType": "Interactive",
"PasswordLastSet": "1699971198.062",
"User": "DOMAIN\\BRADLEYA",
"UserIsAdmin": "0",
"UserLogonFlags_decimal": "0",
"_time": "1702546168.576",
"cid": "ffffffff15754bcfb5f9152ec7ac90ac",
"event_platform": "Win",
"monthsincereset": "1.0"
}
},
"name": "ProcessRollup2V18"
},
"data_stream": {
"dataset": "crowdstrike.fdr",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8e3dcae6-8d1c-46c1-bed0-bf69fdde05e5",
"snapshot": false,
"version": "8.11.1"
},
"event": {
"action": "ProcessRollup2",
"agent_id_status": "verified",
"category": [
"process"
],
"created": "2020-10-01T09:58:32.519Z",
"dataset": "crowdstrike.fdr",
"id": "ffffffff-1111-11eb-8462-02ade3b2f949",
"ingested": "2023-12-19T11:18:43Z",
"kind": "event",
"original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1601546312519\"}",
"outcome": "success",
"timezone": "+00:00",
"type": [
"start"
]
},
"host": {
"ip": [
"16.15.12.10"
],
"name": "FEVWSN1-234",
"os": {
"type": "windows"
}
},
"input": {
"type": "aws-s3"
},
"log": {
"file": {
"path": "https://elastic-package-crowdstrike-fdr-12701.s3.us-east-1.amazonaws.com/data"
},
"offset": 107991
},
"observer": {
"address": [
"67.43.156.14"
],
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": [
"67.43.156.14"
],
"serial_number": "ffffffff655344736aca58d17fb570f0",
"type": "agent",
"vendor": "crowdstrike",
"version": "1007.3.0012309.1"
},
"process": {
"args": [
"C:\\WINDOWS\\system32\\backgroundTaskHost.exe",
"-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca"
],
"args_count": 2,
"command_line": "\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca",
"entity_id": "2450046082233",
"executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe",
"hash": {
"md5": "50d5fd1290d94d46acca0585311e74d5",
"sha256": "b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37"
},
"name": "backgroundTaskHost.exe",
"parent": {
"entity_id": "2439558094566",
"name": "svchost.exe"
},
"pid": 22272,
"start": "2020-11-08T17:06:21.648Z"
},
"related": {
"hash": [
"50d5fd1290d94d46acca0585311e74d5",
"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37",
"3998263252"
],
"hosts": [
"FEVWSN1-234",
"COMPUTER1"
],
"ip": [
"67.43.156.14",
"16.15.12.10"
],
"user": [
"Alan-One",
"DOMAIN\\BRADLEYA"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"crowdstrike-fdr"
],
"url": {
"scheme": "http"
},
"user": {
"id": "S-1-12-1-3697283754-1083485977-2164330645-2516515886",
"name": "Alan-One"
}
}Host
This is the Host dataset.
Example
An example event for host looks as following:
{
"@timestamp": "2023-11-07T10:26:53.000Z",
"agent": {
"ephemeral_id": "0a68d2e5-292d-47a5-9b2f-3b34992483c2",
"id": "8f7b87ad-2943-4c25-88be-4eaac013beb6",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"crowdstrike": {
"host": {
"agent": {
"load_flags": "0",
"local_time": "2023-11-07T04:51:16.678Z",
"version": "7.05.17603.0"
},
"bios": {
"manufacturer": "ABCInc.",
"version": "2020.0.1.0.0(iBridge:22.11.000.0.0,0)"
},
"chassis_type": {
"desc": "Laptop",
"value": "9"
},
"cid": "92012896127c4948236ba7601b886b0",
"config_id": {
"base": "6594763",
"build": "1703",
"platform": "4"
},
"connection_ip": "81.2.69.192",
"cpu_signature": "460517",
"device_policies": {
"device_control": {
"applied": true,
"applied_date": "2023-06-20T08:45:26.341Z",
"assigned_date": "2023-06-20T08:43:47.736Z",
"policy_id": "2f88daf0177f467dae69262a5ce71775",
"policy_type": "device-control"
},
"firewall": {
"applied": true,
"applied_date": "2023-09-11T10:33:44.174Z",
"assigned_date": "2023-09-11T10:32:47.853Z",
"policy": {
"id": "1ee301f7e3e24e96ad6a23c73aaac1e3",
"type": "firewall"
},
"rule_set_id": "1ee301f7e3e24e96ad6a23c73aaac1e3"
},
"global_config": {
"applied": true,
"applied_date": "2023-11-07T04:52:59.515Z",
"assigned_date": "2023-11-07T04:51:18.946Z",
"policy": {
"id": "7e3078b60976486cac5dc998808d9135",
"type": "globalconfig"
},
"settings_hash": "f01def74"
},
"prevention": {
"applied": true,
"applied_date": "2023-06-08T10:04:47.643Z",
"assigned_date": "2023-06-08T10:03:49.505Z",
"policy": {
"id": "1024fac1b279424fa7300b8ac2d56be5",
"type": "prevention"
},
"settings_hash": "f7a54ca1"
},
"remote_response": {
"applied": true,
"applied_date": "2023-06-08T10:04:47.017Z",
"assigned_date": "2023-06-08T10:03:49.505Z",
"policy": {
"id": "dabb4def99034f11b9b3d52271584c9f",
"type": "remote-response"
},
"settings_hash": "8a548e5e"
},
"sensor_update": {
"applied": true,
"applied_date": "2023-11-07T04:52:59.659Z",
"assigned_date": "2023-11-07T04:47:43.342Z",
"policy": {
"id": "64bfa2bbcd4e46da92a66b107933da11",
"type": "sensor-update"
},
"settings_hash": "tagged|18;101",
"uninstall_protection": "ENABLED"
}
},
"external_ip": "81.2.69.192",
"first_seen": "2023-06-08T10:00:19.000Z",
"group_hash": "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77",
"groups": [
"182388a8dbea4c44b5e019cfd32c2695"
],
"hostname": "CLM101-131.local",
"id": "3114433dbce478ca48d9a828b9b34be",
"kernel_version": "22.6.0",
"last_seen": "2023-11-07T10:25:24.000Z",
"local_ip": "81.2.69.142",
"mac_address": "14-7D-DA-AD-AC-71",
"machine_domain": "SYS",
"major_version": "22",
"meta": {
"version": "6002",
"version_string": "7:43570272778"
},
"minor_version": "6",
"modified_timestamp": "2023-11-07T10:26:53.000Z",
"os": {
"build": "22G120",
"version": "Ventura(13)"
},
"platform": {
"id": "1",
"name": "Mac"
},
"policies": [
{
"applied": true,
"applied_date": "2023-06-08T10:04:47.643Z",
"assigned_date": "2023-06-08T10:03:49.505Z",
"policy": {
"id": "1024fac1b279424fa7300b8ac2d56be5",
"type": "prevention"
},
"settings_hash": "f7a54ca1"
}
],
"product_type_desc": "Workstation",
"provision_status": "Provisioned",
"reduced_functionality_mode": "no",
"serial_number": "FVFDH73HMNHX",
"site_name": "Default-First-Site-Name",
"status": "normal",
"system": {
"manufacturer": "ABCInc.",
"product_name": "Air,1"
},
"tags": [
"tags"
]
}
},
"data_stream": {
"dataset": "crowdstrike.host",
"namespace": "42315",
"type": "logs"
},
"device": {
"id": "3114433dbce478ca48d9a828b9b34be"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8f7b87ad-2943-4c25-88be-4eaac013beb6",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"dataset": "crowdstrike.host",
"ingested": "2024-08-08T07:14:40Z",
"kind": "event",
"original": "{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\":\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\",\"settings_hash\":\"8a548e5e\"},\"sensor_update\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b107933da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}",
"type": [
"info"
]
},
"host": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"hostname": "CLM101-131.local",
"ip": [
"81.2.69.192"
],
"mac": [
"14-7D-DA-AD-AC-71"
],
"os": {
"full": "Ventura(13)",
"platform": "Mac"
}
},
"input": {
"type": "cel"
},
"related": {
"hash": [
"f01def74",
"f7a54ca1",
"8a548e5e",
"tagged|18;101",
"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77"
],
"hosts": [
"CLM101-131.local",
"SYS"
],
"ip": [
"81.2.69.192",
"81.2.69.142"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"crowdstrike-host"
]
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
crowdstrike.host.agent.load_flags | Any errors associated with the incident. | keyword |
crowdstrike.host.agent.local_time | The fine score associated with the incident. | date |
crowdstrike.host.agent.version | The list of host IDs associated with the incident. | keyword |
crowdstrike.host.bios.manufacturer | Flags indicating the load status of the agent on the host. | keyword |
crowdstrike.host.bios.version | The local time on the host where the agent is running. | keyword |
crowdstrike.host.chassis_type.desc | The version of the agent running on the host. | keyword |
crowdstrike.host.chassis_type.value | The manufacturer of the BIOS on the host. | keyword |
crowdstrike.host.cid | The version of the BIOS on the host. | keyword |
crowdstrike.host.config_id.base | The customer ID associated with the host. | keyword |
crowdstrike.host.config_id.build | The base configuration ID associated with the host. | keyword |
crowdstrike.host.config_id.platform | The build configuration ID associated with the host. | keyword |
crowdstrike.host.connection_ip | The platform configuration ID associated with the host. | ip |
crowdstrike.host.cpu_signature | The device ID associated with the host. | keyword |
crowdstrike.host.device_policies.device_control.applied | Timestamp indicating when the host was first seen. | boolean |
crowdstrike.host.device_policies.device_control.applied_date | The groups associated with the host. | date |
crowdstrike.host.device_policies.device_control.assigned_date | Timestamp indicating when the host was last seen. | date |
crowdstrike.host.device_policies.device_control.policy_id | The local IP address of the host. | keyword |
crowdstrike.host.device_policies.device_control.policy_type | The domain to which the machine belongs. | keyword |
crowdstrike.host.device_policies.firewall.applied | The major version of the operating system on the host. | boolean |
crowdstrike.host.device_policies.firewall.applied_date | The minor version of the operating system on the host. | date |
crowdstrike.host.device_policies.firewall.assigned_date | Timestamp indicating when the host information was last modified. | date |
crowdstrike.host.device_policies.firewall.policy.id | The organizational units associated with the host. | keyword |
crowdstrike.host.device_policies.firewall.policy.type | The platform ID of the host. | keyword |
crowdstrike.host.device_policies.firewall.rule_set_id | The platform name of the host. | keyword |
crowdstrike.host.device_policies.global_config.applied | The description of the product type of the host. | boolean |
crowdstrike.host.device_policies.global_config.applied_date | The product type of the host. | date |
crowdstrike.host.device_policies.global_config.assigned_date | The site name associated with the host. | date |
crowdstrike.host.device_policies.global_config.policy.id | The status of the host. | keyword |
crowdstrike.host.device_policies.global_config.policy.type | The manufacturer of the system on the host. | keyword |
crowdstrike.host.device_policies.global_config.settings_hash | The product name of the system on the host. | keyword |
crowdstrike.host.device_policies.prevention.applied | The objectives associated with the incident. | boolean |
crowdstrike.host.device_policies.prevention.applied_date | The state of the incident, whether open or closed. | date |
crowdstrike.host.device_policies.prevention.assigned_date | The status of the incident. | date |
crowdstrike.host.device_policies.prevention.policy.id | The tactics associated with the incident. | keyword |
crowdstrike.host.device_policies.prevention.policy.type | The techniques associated with the incident. | keyword |
crowdstrike.host.device_policies.prevention.rule_groups | The type of incident. | keyword |
crowdstrike.host.device_policies.prevention.settings_hash | The users associated with the incident. | keyword |
crowdstrike.host.device_policies.remote_response.applied | boolean | |
crowdstrike.host.device_policies.remote_response.applied_date | date | |
crowdstrike.host.device_policies.remote_response.assigned_date | date | |
crowdstrike.host.device_policies.remote_response.policy.id | keyword | |
crowdstrike.host.device_policies.remote_response.policy.type | keyword | |
crowdstrike.host.device_policies.remote_response.settings_hash | keyword | |
crowdstrike.host.device_policies.sensor_update.applied | boolean | |
crowdstrike.host.device_policies.sensor_update.applied_date | date | |
crowdstrike.host.device_policies.sensor_update.assigned_date | date | |
crowdstrike.host.device_policies.sensor_update.policy.id | keyword | |
crowdstrike.host.device_policies.sensor_update.policy.type | keyword | |
crowdstrike.host.device_policies.sensor_update.settings_hash | keyword | |
crowdstrike.host.device_policies.sensor_update.uninstall_protection | keyword | |
crowdstrike.host.external_ip | The external IP address of the host. | ip |
crowdstrike.host.first_seen | date | |
crowdstrike.host.group_hash | keyword | |
crowdstrike.host.groups | keyword | |
crowdstrike.host.hostname | The hostname of the host. | keyword |
crowdstrike.host.id | Timestamp indicating when the incident started. | keyword |
crowdstrike.host.kernel_version | keyword | |
crowdstrike.host.last_seen | date | |
crowdstrike.host.local_ip | ip | |
crowdstrike.host.mac_address | The MAC address of the host. | keyword |
crowdstrike.host.machine_domain | keyword | |
crowdstrike.host.major_version | keyword | |
crowdstrike.host.meta.version | keyword | |
crowdstrike.host.meta.version_string | keyword | |
crowdstrike.host.minor_version | keyword | |
crowdstrike.host.modified_timestamp | Timestamp indicating when the incident was created. | date |
crowdstrike.host.os.build | keyword | |
crowdstrike.host.os.version | The version of the operating system on the host. | keyword |
crowdstrike.host.platform.id | keyword | |
crowdstrike.host.platform.name | The identifier associated with the customer. | keyword |
crowdstrike.host.policies.applied | boolean | |
crowdstrike.host.policies.applied_date | date | |
crowdstrike.host.policies.assigned_date | date | |
crowdstrike.host.policies.policy.id | keyword | |
crowdstrike.host.policies.policy.type | keyword | |
crowdstrike.host.policies.rule_groups | keyword | |
crowdstrike.host.policies.settings_hash | keyword | |
crowdstrike.host.product_type_desc | keyword | |
crowdstrike.host.provision_status | keyword | |
crowdstrike.host.reduced_functionality_mode | keyword | |
crowdstrike.host.serial_number | keyword | |
crowdstrike.host.site_name | keyword | |
crowdstrike.host.status | keyword | |
crowdstrike.host.system.manufacturer | keyword | |
crowdstrike.host.system.product_name | keyword | |
crowdstrike.host.tags | keyword | |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.40.0 | Enhancement View pull request | 8.13.0 or higher |
1.39.3 | Bug fix View pull request | 8.13.0 or higher |
1.39.2 | Bug fix View pull request | 8.13.0 or higher |
1.39.1 | Bug fix View pull request | 8.13.0 or higher |
1.39.0 | Enhancement View pull request | 8.13.0 or higher |
1.38.0 | Enhancement View pull request | 8.13.0 or higher |
1.37.1 | Bug fix View pull request | 8.13.0 or higher |
1.37.0 | Enhancement View pull request | 8.13.0 or higher |
1.36.0 | Enhancement View pull request | 8.12.0 or higher |
1.35.0 | Enhancement View pull request | 8.12.0 or higher |
1.34.3 | Bug fix View pull request | 8.12.0 or higher |
1.34.2 | Bug fix View pull request | 8.12.0 or higher |
1.34.1 | Bug fix View pull request | 8.12.0 or higher |
1.34.0 | Enhancement View pull request | 8.12.0 or higher |
1.33.0 | Enhancement View pull request | 8.12.0 or higher |
1.32.2 | Bug fix View pull request | 8.12.0 or higher |
1.32.1 | Bug fix View pull request | 8.12.0 or higher |
1.32.0 | Enhancement View pull request | 8.12.0 or higher |
1.31.0 | Enhancement View pull request | 8.12.0 or higher |
1.30.0 | Enhancement View pull request | 8.12.0 or higher |
1.29.0 | Enhancement View pull request | 8.11.0 or higher |
1.28.3 | Bug fix View pull request | 8.11.0 or higher |
1.28.2 | Bug fix View pull request | 8.11.0 or higher |
1.28.1 | Enhancement View pull request | 8.11.0 or higher |
1.28.0 | Enhancement View pull request | 8.11.0 or higher |
1.27.0 | Enhancement View pull request | 8.11.0 or higher |
1.26.2 | Bug fix View pull request | 8.11.0 or higher |
1.26.1 | Bug fix View pull request | 8.11.0 or higher |
1.26.0 | Enhancement View pull request | 8.11.0 or higher |
1.25.1 | Enhancement View pull request | 8.7.1 or higher |
1.25.0 | Enhancement View pull request | 8.7.1 or higher |
1.24.0 | Enhancement View pull request | 8.0.0 or higher |
1.23.1 | Bug fix View pull request | 8.0.0 or higher |
1.23.0 | Enhancement View pull request | 8.0.0 or higher |
1.22.1 | Bug fix View pull request | 8.0.0 or higher |
1.22.0 | Enhancement View pull request | 8.0.0 or higher |
1.21.0 | Bug fix View pull request | 8.0.0 or higher |
1.20.0 | Enhancement View pull request | 8.0.0 or higher |
1.19.0 | Enhancement View pull request | 8.0.0 or higher |
1.18.3 | Bug fix View pull request | 8.0.0 or higher |
1.18.2 | Bug fix View pull request | 8.0.0 or higher |
1.18.1 | Bug fix View pull request | 8.0.0 or higher |
1.18.0 | Enhancement View pull request | 8.0.0 or higher |
1.17.0 | Enhancement View pull request | 8.0.0 or higher |
1.16.1 | Bug fix View pull request | 8.0.0 or higher |
1.16.0 | Enhancement View pull request | 8.0.0 or higher |
1.15.0 | Enhancement View pull request | 8.0.0 or higher |
1.14.0 | Enhancement View pull request | 8.0.0 or higher |
1.13.0 | Enhancement View pull request | 8.0.0 or higher |
1.12.1 | Bug fix View pull request | 8.0.0 or higher |
1.12.0 | Enhancement View pull request | 8.0.0 or higher |
1.11.2 | Bug fix View pull request | 8.0.0 or higher |
1.11.1 | Bug fix View pull request | 8.0.0 or higher |
1.11.0 | Enhancement View pull request | 8.0.0 or higher |
1.10.2 | Bug fix View pull request | 8.0.0 or higher |
1.10.1 | Enhancement View pull request | 8.0.0 or higher |
1.10.0 | Enhancement View pull request | 8.0.0 or higher |
1.9.0 | Enhancement View pull request | 8.0.0 or higher |
1.8.2 | Bug fix View pull request | 8.0.0 or higher |
1.8.1 | Bug fix View pull request | 8.0.0 or higher |
1.8.0 | Enhancement View pull request | 8.0.0 or higher |
1.7.0 | Enhancement View pull request | 8.0.0 or higher |
1.6.1 | Enhancement View pull request | 7.17.0 or higher |
1.6.0 | Enhancement View pull request | 7.17.0 or higher |
1.5.1 | Bug fix View pull request | 7.17.0 or higher |
1.5.0 | Enhancement View pull request | 7.17.0 or higher |
1.4.2 | Bug fix View pull request | 7.17.0 or higher |
1.4.1 | Enhancement View pull request | 7.17.0 or higher |
1.4.0 | Enhancement View pull request | 7.17.0 or higher |
1.3.4 | Bug fix View pull request | 7.17.0 or higher |
1.3.3 | Bug fix View pull request | 7.17.0 or higher |
1.3.2 | Bug fix View pull request | 7.16.0 or higher |
1.3.1 | Enhancement View pull request | 7.16.0 or higher |
1.3.0 | Enhancement View pull request | — |
1.2.7 | Enhancement View pull request | 7.16.0 or higher |
1.2.6 | Enhancement View pull request | 7.16.0 or higher |
1.2.5 | Bug fix View pull request | 7.16.0 or higher |
1.2.4 | Bug fix View pull request | — |
1.2.3 | Bug fix View pull request | 7.16.0 or higher |
1.2.2 | Bug fix View pull request | 7.16.0 or higher |
1.2.1 | Bug fix View pull request | 7.16.0 or higher |
1.2.0 | Enhancement View pull request | — |
1.1.2 | Bug fix View pull request | 7.16.0 or higher |
1.1.1 | Bug fix View pull request | — |
1.1.0 | Enhancement View pull request | 7.16.0 or higher |
1.0.4 | Bug fix View pull request | 7.16.0 or higher |
1.0.3 | Enhancement View pull request | 7.16.0 or higher |
1.0.2 | Enhancement View pull request | 7.16.0 or higher |
1.0.1 | Bug fix View pull request | — |
1.0.0 | Enhancement View pull request | — |
0.9.0 | Enhancement View pull request | — |
0.8.1 | Enhancement View pull request | — |
0.8.0 | Enhancement View pull request | — |
0.7.1 | Enhancement View pull request | — |
0.7.0 | Enhancement View pull request | — |
0.6.0 | Enhancement View pull request | — |
0.5.0 | Enhancement View pull request | — |
0.4.1 | Enhancement View pull request | — |
0.4.0 | Enhancement View pull request | — |
0.3.1 | Bug fix View pull request | — |
0.1.0 | Enhancement View pull request | — |