Data Source: CrowdStrike ProcessRollup2

Description

Data source object for the CrowdStrike Falcon sensor `ProcessRollup2` event: the per-process execution record that carries the command line, image path, file hashes (MD5/SHA-1/SHA-256/Authenticode), parent-process linkage, user SID and token/integrity context that process-based detections key on.

Details

Property Value
Source crowdstrike
Sourcetype crowdstrike:events:sensor
Separator event_simpleName — the field whose value (`ProcessRollup2` for this event) selects this event type within the shared `crowdstrike:events:sensor` sourcetype; searches should filter on `event_simpleName`, not on the sourcetype alone.

Supported Apps

Event Fields

+ Fields
  <span class="pill kill-chain">AuthenticationId</span>
  
  <span class="pill kill-chain">AuthenticationId_meaning</span>
  
  <span class="pill kill-chain">AuthenticodeHashData</span>
  
  <span class="pill kill-chain">CommandLine</span>
  
  <span class="pill kill-chain">ConfigBuild</span>
  
  <span class="pill kill-chain">ConfigStateHash</span>
  
  <span class="pill kill-chain">EffectiveTransmissionClass</span>
  
  <span class="pill kill-chain">Entitlements</span>
  
  <span class="pill kill-chain">EventOrigin</span>
  
  <span class="pill kill-chain">ImageFileName</span>
  
  <span class="pill kill-chain">ImageSubsystem</span>
  
  <span class="pill kill-chain">ImageSubsystem_meaning</span>
  
  <span class="pill kill-chain">IntegrityLevel</span>
  
  <span class="pill kill-chain">IntegrityLevel_meaning</span>
  
  <span class="pill kill-chain">MD5HashData</span>
  
  <span class="pill kill-chain">ParentAuthenticationId</span>
  
  <span class="pill kill-chain">ParentBaseFileName</span>
  
  <span class="pill kill-chain">ParentProcessId</span>
  
  <span class="pill kill-chain">ProcessCreateFlags</span>
  
  <span class="pill kill-chain">ProcessEndTime</span>
  
  <span class="pill kill-chain">ProcessParameterFlags</span>
  
  <span class="pill kill-chain">ProcessParameterFlags_meaning</span>
  
  <span class="pill kill-chain">ProcessStartTime</span>
  
  <span class="pill kill-chain">ProcessSxsFlags</span>
  
  <span class="pill kill-chain">ProcessSxsFlags_meaning</span>
  
  <span class="pill kill-chain">RawProcessId</span>
  
  <span class="pill kill-chain">SHA1HashData</span>
  
  <span class="pill kill-chain">SHA256HashData</span>
  
  <span class="pill kill-chain">SessionId</span>
  
  <span class="pill kill-chain">SignInfoFlags</span>
  
  <span class="pill kill-chain">SignInfoFlags_meaning</span>
  
  <span class="pill kill-chain">SourceProcessId</span>
  
  <span class="pill kill-chain">SourceThreadId</span>
  
  <span class="pill kill-chain">Tags</span>
  
  <span class="pill kill-chain">TargetProcessId</span>
  
  <span class="pill kill-chain">TokenType</span>
  
  <span class="pill kill-chain">TokenType_meaning</span>
  
  <span class="pill kill-chain">UserSid</span>
  
  <span class="pill kill-chain">WindowFlags</span>
  
  <span class="pill kill-chain">WindowFlags_meaning</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">aid</span>
  
  <span class="pill kill-chain">aid_city</span>
  
  <span class="pill kill-chain">aid_computer_name</span>
  
  <span class="pill kill-chain">aid_continent</span>
  
  <span class="pill kill-chain">aid_country</span>
  
  <span class="pill kill-chain">aid_machine_domain</span>
  
  <span class="pill kill-chain">aid_os_version</span>
  
  <span class="pill kill-chain">aid_ou</span>
  
  <span class="pill kill-chain">aid_site_name</span>
  
  <span class="pill kill-chain">aid_system_product_name</span>
  
  <span class="pill kill-chain">aip</span>
  
  <span class="pill kill-chain">cid</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">event_ingest_time</span>
  
  <span class="pill kill-chain">event_platform</span>
  
  <span class="pill kill-chain">event_simpleName</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host_res_aid</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">os</span>
  
  <span class="pill kill-chain">parent_process_exec</span>
  
  <span class="pill kill-chain">parent_process_id</span>
  
  <span class="pill kill-chain">parent_process_name</span>
  
  <span class="pill kill-chain">process</span>
  
  <span class="pill kill-chain">process_exec</span>
  
  <span class="pill kill-chain">process_hash</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_integrity_level</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">resolve_dest</span>
  
  <span class="pill kill-chain">resolve_process_integrity_level</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  

Example Log

The sample below is illustrative, not a reference schema. Points worth noting before writing a detection against it: `SHA1HashData` is all zeros here (a placeholder value), so match on `SHA256HashData` or `MD5HashData` rather than assuming SHA-1 is populated; `ImageFileName` is an NT device path (`\Device\HarddiskVolume1\...`) while `CommandLine` uses the drive-letter form, so path matching must account for both; `timestamp` is epoch milliseconds whereas `ProcessStartTime` is epoch seconds with a fractional part, so normalize before comparing them; `ProcessEndTime` is empty in this sample (likely because the process had not exited when the event was emitted); and the sample carries fields not in the list above (`LinkName`, `ShowWindowFlags`, `name`), so the field list should not be treated as exhaustive. The `aid`, `cid`, `aip` and `UserSid` values are tenant- and host-specific identifiers and should not be hard-coded.

{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1713805173418","event_simpleName":"ProcessRollup2","RawProcessId":"5012","ConfigStateHash":"840884426","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"2669499","ConfigBuild":"1007.3.0018207.1","WindowFlags":"3073","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentAuthenticationId":"2669499","TargetProcessId":"5642133882","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"30426051160","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1713805173.321","ProcessParameterFlags":"24577","aid":"168a90e125d443beb2a4e2914985084d","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}

Source: GitHub | Version: 1