<span class="pill kill-chain">action</span>
<span class="pill kill-chain">description</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_nt_domain</span>
<span class="pill kill-chain">event.AssociatedFile</span>
<span class="pill kill-chain">event.CommandLine</span>
<span class="pill kill-chain">event.ComputerName</span>
<span class="pill kill-chain">event.DetectDescription</span>
<span class="pill kill-chain">event.DetectId</span>
<span class="pill kill-chain">event.DetectName</span>
<span class="pill kill-chain">event.DocumentsAccessed{}.FileName</span>
<span class="pill kill-chain">event.DocumentsAccessed{}.FilePath</span>
<span class="pill kill-chain">event.DocumentsAccessed{}.Timestamp</span>
<span class="pill kill-chain">event.ExecutablesWritten{}.FileName</span>
<span class="pill kill-chain">event.ExecutablesWritten{}.FilePath</span>
<span class="pill kill-chain">event.ExecutablesWritten{}.Timestamp</span>
<span class="pill kill-chain">event.FalconHostLink</span>
<span class="pill kill-chain">event.FileName</span>
<span class="pill kill-chain">event.FilePath</span>
<span class="pill kill-chain">event.GrandparentCommandLine</span>
<span class="pill kill-chain">event.GrandparentImageFileName</span>
<span class="pill kill-chain">event.HostGroups</span>
<span class="pill kill-chain">event.IOARuleGroupName</span>
<span class="pill kill-chain">event.IOARuleInstanceID</span>
<span class="pill kill-chain">event.IOARuleInstanceVersion</span>
<span class="pill kill-chain">event.IOARuleName</span>
<span class="pill kill-chain">event.IOCType</span>
<span class="pill kill-chain">event.IOCValue</span>
<span class="pill kill-chain">event.LocalIP</span>
<span class="pill kill-chain">event.MACAddress</span>
<span class="pill kill-chain">event.MD5String</span>
<span class="pill kill-chain">event.MachineDomain</span>
<span class="pill kill-chain">event.NetworkAccesses{}.AccessTimestamp</span>
<span class="pill kill-chain">event.NetworkAccesses{}.AccessType</span>
<span class="pill kill-chain">event.NetworkAccesses{}.ConnectionDirection</span>
<span class="pill kill-chain">event.NetworkAccesses{}.IsIPV6</span>
<span class="pill kill-chain">event.NetworkAccesses{}.LocalAddress</span>
<span class="pill kill-chain">event.NetworkAccesses{}.LocalPort</span>
<span class="pill kill-chain">event.NetworkAccesses{}.Protocol</span>
<span class="pill kill-chain">event.NetworkAccesses{}.RemoteAddress</span>
<span class="pill kill-chain">event.NetworkAccesses{}.RemotePort</span>
<span class="pill kill-chain">event.Objective</span>
<span class="pill kill-chain">event.ParentCommandLine</span>
<span class="pill kill-chain">event.ParentImageFileName</span>
<span class="pill kill-chain">event.ParentProcessId</span>
<span class="pill kill-chain">event.PatternDispositionDescription</span>
<span class="pill kill-chain">event.PatternDispositionFlags.BlockingUnsupportedOrDisabled</span>
<span class="pill kill-chain">event.PatternDispositionFlags.BootupSafeguardEnabled</span>
<span class="pill kill-chain">event.PatternDispositionFlags.CriticalProcessDisabled</span>
<span class="pill kill-chain">event.PatternDispositionFlags.Detect</span>
<span class="pill kill-chain">event.PatternDispositionFlags.FsOperationBlocked</span>
<span class="pill kill-chain">event.PatternDispositionFlags.HandleOperationDowngraded</span>
<span class="pill kill-chain">event.PatternDispositionFlags.InddetMask</span>
<span class="pill kill-chain">event.PatternDispositionFlags.Indicator</span>
<span class="pill kill-chain">event.PatternDispositionFlags.KillActionFailed</span>
<span class="pill kill-chain">event.PatternDispositionFlags.KillParent</span>
<span class="pill kill-chain">event.PatternDispositionFlags.KillProcess</span>
<span class="pill kill-chain">event.PatternDispositionFlags.KillSubProcess</span>
<span class="pill kill-chain">event.PatternDispositionFlags.OperationBlocked</span>
<span class="pill kill-chain">event.PatternDispositionFlags.PolicyDisabled</span>
<span class="pill kill-chain">event.PatternDispositionFlags.ProcessBlocked</span>
<span class="pill kill-chain">event.PatternDispositionFlags.QuarantineFile</span>
<span class="pill kill-chain">event.PatternDispositionFlags.QuarantineMachine</span>
<span class="pill kill-chain">event.PatternDispositionFlags.RegistryOperationBlocked</span>
<span class="pill kill-chain">event.PatternDispositionFlags.Rooting</span>
<span class="pill kill-chain">event.PatternDispositionFlags.SensorOnly</span>
<span class="pill kill-chain">event.PatternDispositionFlags.SuspendParent</span>
<span class="pill kill-chain">event.PatternDispositionFlags.SuspendProcess</span>
<span class="pill kill-chain">event.PatternDispositionValue</span>
<span class="pill kill-chain">event.PatternId</span>
<span class="pill kill-chain">event.ProcessEndTime</span>
<span class="pill kill-chain">event.ProcessId</span>
<span class="pill kill-chain">event.ProcessStartTime</span>
<span class="pill kill-chain">event.SHA1String</span>
<span class="pill kill-chain">event.SHA256String</span>
<span class="pill kill-chain">event.SensorId</span>
<span class="pill kill-chain">event.Severity</span>
<span class="pill kill-chain">event.SeverityName</span>
<span class="pill kill-chain">event.Tactic</span>
<span class="pill kill-chain">event.Tags</span>
<span class="pill kill-chain">event.Technique</span>
<span class="pill kill-chain">event.UserName</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">file_hash</span>
<span class="pill kill-chain">file_name</span>
<span class="pill kill-chain">file_path</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">ip</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">metadata.customerIDString</span>
<span class="pill kill-chain">metadata.eventCreationTime</span>
<span class="pill kill-chain">metadata.eventType</span>
<span class="pill kill-chain">metadata.offset</span>
<span class="pill kill-chain">metadata.version</span>
<span class="pill kill-chain">parent_process</span>
<span class="pill kill-chain">parent_process_id</span>
<span class="pill kill-chain">parent_process_name</span>
<span class="pill kill-chain">process_id</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">severity_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">ta_data.App_id</span>
<span class="pill kill-chain">ta_data.Cloud_environment</span>
<span class="pill kill-chain">ta_data.Event_types</span>
<span class="pill kill-chain">ta_data.Feed_id</span>
<span class="pill kill-chain">ta_data.Initial_start</span>
<span class="pill kill-chain">ta_data.Input</span>
<span class="pill kill-chain">ta_data.Multiple_feeds</span>
<span class="pill kill-chain">ta_data.TA_version</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timestamp</span>
<span class="pill kill-chain">url</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">vendor_product</span>
Data Source: CrowdStrike Falcon Stream Alert
Description
Detection summary events (`metadata.eventType` = `DetectionSummaryEvent`) delivered by the CrowdStrike Falcon Event Streams API and indexed in Splunk by the CrowdStrike Technical Add-on, which appends the `ta_data.*` fields. Each event carries the detecting process and its lineage (`event.CommandLine`, `event.ParentCommandLine`, `event.GrandparentCommandLine`), file hashes (`event.SHA256String`, `event.MD5String`, `event.SHA1String`), the Falcon `event.Tactic` / `event.Technique` classification, and the sensor's response in `event.PatternDispositionFlags`. Check the flags before closing an alert: in the example below `event.PatternDispositionValue` is `0`, the description reads "Detection, standard detection.", and every flag is `false`, i.e. the sensor detected the activity but did not kill, block, or quarantine anything, so the host still needs analyst follow-up. `metadata.customerIDString`, `event.SensorId` and the `_cid` query parameter in `event.FalconHostLink` identify the Falcon tenant and host; redact them before sharing events outside the organisation.
Details
Property | Value |
---|---|
Source | CrowdStrike:Event:Streams |
Sourcetype | CrowdStrike:Event:Streams:JSON |
Separator | event.DetectName |
Supported Apps
- Splunk Add-on for CrowdStrike FDR (version 2.0.5) — note that the sample event below reports `ta_data.TA_version` = `3.5.0` and `ta_data.Input` = `crwd_events` with sourcetype `CrowdStrike:Event:Streams:JSON`, which indicates the Event Streams feed rather than FDR; confirm which add-on and version actually produced your data before relying on these field names.
Event Fields
Example Log (the record below is CrowdStrike's built-in sample detection — `choice /m crowdstrike_sample_detection`, with `DetectDescription` "For evaluation only - benign, no action needed." — and its `SHA1String` is an all-zero placeholder; treat the hashes, IDs and host link in it as test data, not as indicators of compromise)
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 12570031, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1748883058001, "version": "1.0"}, "event": {"ProcessStartTime": 1748883033, "ProcessEndTime": 1748883033, "ProcessId": 25482595567828, "ParentProcessId": 25482588177316, "ComputerName": "CROWDFAL1", "UserName": "Administrator", "DetectName": "Suspicious Activity", "DetectDescription": "For evaluation only - benign, no action needed.", "Severity": 2, "SeverityName": "Low", "FileName": "choice.exe", "FilePath": "\\Device\\HarddiskVolume2\\Windows\\System32", "CommandLine": "choice /m crowdstrike_sample_detection", "SHA256String": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5String": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SHA1String": "0000000000000000000000000000000000000000", "MachineDomain": "CROWDFAL1", "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/12e75112bdc44ac7a60b5ad1d2765303/10907785292170?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "SensorId": "12e75112bdc44ac7a60b5ad1d2765303", "DetectId": "ldt:12e75112bdc44ac7a60b5ad1d2765303:10907785292170", "LocalIP": "10.1.17.3", "MACAddress": "00-50-56-aa-64-1f", "Tactic": "Malware", "Technique": "Malicious File", "Objective": "Falcon Detection Method", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, 
"SuspendParent": false}, "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", "ParentCommandLine": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"\"C:\\CS_Script.bat\"\"", "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "GrandparentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "HostGroups": "0ebde3fe33d547fc9bbe24f50be44da8,fd63f5073f644377a8150e9c1e5a86d0", "PatternId": 10197}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.5.0", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}