Crowdstrike

Required fields are in bold.

Crowdstrike.DNSRequest

This event is generated for every attempted DNS name resolution on a host.

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
ContextThreadId | string | The unique ID of the thread that generated this event
ContextThreadId_decimal | bigint | The unique ID of the thread that generated this event (in decimal, non-hex format)
ContextTimeStamp | timestamp | The time at which the event occurred on the system, as seen by the sensor
ContextTimeStamp_decimal | timestamp | The time at which the event occurred on the system, as seen by the sensor (in decimal, non-hex format)
ContextProcessId | string | The unique ID (UPID) of the process in whose context this event occurred. It equals the TargetProcessId of that process's ProcessRollup2 event, which is the key for joining the two.
ContextProcessId_decimal | bigint | The unique ID of the process in whose context this event occurred (in decimal, non-hex format)
InContext | string | In context (N/A on iOS)
EffectiveTransmissionClass | bigint | Effective transmission class
DomainName | string | The domain name requested
InterfaceIndex | bigint | The network interface index (Windows only)
DualRequest | bigint | Whether the event is a dual request (Windows only)
DnsRequestCount | bigint | The number of DNS requests (Windows only)
AppIdentifier | string | The identifier of the app that made the request (Android, iOS)
IpAddress | string | The device IP address (Android, iOS)
RequestType | string | The DNS request (record) type
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers
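A detection written against the columns above, as an added example: this is not code from this schema page, from Panther's rule packs or from CrowdStrike. It assumes the Panther rule contract (a `rule(event)` returning a bool and a `title(event)` returning a string, with `event` supporting dict-style `.get()`, so a plain dict works stand-alone); the thresholds and the sample rows are constructed, not tuned on real telemetry. It flags DomainName values that look like encoded data rather than hostnames, which is what DNS tunnelling and domain-generation algorithms produce.

```python
"""Panther-style detection over Crowdstrike.DNSRequest rows.

Added example; it is not part of this schema page, Panther's rule packs or CrowdStrike's
code. It assumes the Panther rule contract (rule(event) -> bool, title(event) -> str,
where `event` supports dict-style .get(); a plain dict works stand-alone). The thresholds
and the sample rows below are constructed, not tuned against real telemetry.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed thresholds: names that exceed them look like encoded data (tunnelling) or
# algorithmically generated labels, not like hostnames people or CDNs choose.
MAX_LABEL_LEN = 52   # longest single label allowed
MAX_LABELS = 8       # number of dot-separated labels allowed
MIN_ENTROPY = 3.8    # Shannon entropy (bits/char) of the longest label, checked from 16 chars


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def suspicious_labels(domain: str) -> list[str]:
    """Reasons a requested name looks like tunnelling/DGA traffic; [] when it looks normal."""
    labels = [label for label in domain.rstrip(".").lower().split(".") if label]
    if not labels:
        return []
    reasons = []
    longest = max(labels, key=len)
    if len(longest) > MAX_LABEL_LEN:
        reasons.append(f"label length {len(longest)}")
    if len(labels) > MAX_LABELS:
        reasons.append(f"{len(labels)} labels")
    entropy = shannon_entropy(longest)
    if len(longest) >= 16 and entropy >= MIN_ENTROPY:
        reasons.append(f"entropy {entropy:.2f}")
    return reasons


def rule(event) -> bool:
    """Panther rule entry point. Column names are those of the Crowdstrike.DNSRequest schema;
    a row without a DomainName cannot be judged and is not an alert."""
    return bool(suspicious_labels(event.get("DomainName") or ""))


def title(event) -> str:
    """Alert title; aid is the sensor install, ComputerName the host it runs on."""
    domain = event.get("DomainName") or ""
    return (f"Suspicious DNS request on {event.get('ComputerName', '<unknown>')} "
            f"(aid {event.get('aid', '?')}, {event.get('RequestType', '?')} record): "
            f"{domain} [{', '.join(suspicious_labels(domain))}]")


# Constructed sample rows shaped like the schema columns (not real telemetry).
SAMPLE_BENIGN = {"event_simpleName": "DnsRequest", "aid": "a1b2c3", "ComputerName": "WS01",
                 "DomainName": "login.microsoftonline.com", "RequestType": "A"}
SAMPLE_CDN = {"event_simpleName": "DnsRequest", "aid": "a1b2c3", "ComputerName": "WS01",
              "DomainName": "r3---sn-5hne6nzd.googlevideo.com", "RequestType": "A"}
SAMPLE_TUNNEL = {"event_simpleName": "DnsRequest", "aid": "a1b2c3", "ComputerName": "WS01",
                 "DomainName": "3q7f9zk2p8xw1vb6nr4ty0hj5mc8ld2sa9ue1og7iw4k.exfil.example",
                 "RequestType": "TXT"}

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_CDN, SAMPLE_TUNNEL):
        print(rule(sample), "-", title(sample))
```

The CDN-style sample is included on purpose: its longest label is 16 characters but only about 3.2 bits/char of entropy, so it stays below the constructed threshold, while the 44-character base-36 label scores above 5 bits/char. Tune the three constants against your own DNSRequest volume before deploying, and keep the entropy check gated on label length, since short random-looking labels are common in legitimate infrastructure.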

Crowdstrike.NetworkConnect

This event is generated when an application attempts a remote connection on an interface

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
ContextThreadId | string | The unique ID of the thread that generated this event
ContextThreadId_decimal | bigint | The unique ID of the thread that generated this event (in decimal, non-hex format)
ContextTimeStamp | timestamp | The time at which the event occurred on the system, as seen by the sensor
ContextTimeStamp_decimal | timestamp | The time at which the event occurred on the system, as seen by the sensor (in decimal, non-hex format)
ContextProcessId | string | The unique ID (UPID) of the process in whose context this event occurred. It equals the TargetProcessId of that process's ProcessRollup2 event, which is the key for joining the two.
ContextProcessId_decimal | bigint | The unique ID of the process in whose context this event occurred (in decimal, non-hex format)
InContext | string | In context (N/A on iOS)
LocalAddressIP4 | string | Local IPv4 address of the connection
LocalAddressIP6 | string | Local IPv6 address of the connection
RemoteAddressIP4 | string | Remote IPv4 address of the connection
RemoteAddressIP6 | string | Remote IPv6 address of the connection
ConnectionFlags | int | Connection flags bitfield (RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL = 2, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
Protocol | int | IP protocol number (ICMP = 1, TCP = 6, UDP = 17)
LocalPort | int | Local port of the connection
RemotePort | int | Remote port of the connection
ConnectionDirection | int | Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
IcmpType | string | ICMP type (N/A on iOS)
IcmpCode | string | ICMP code (N/A on iOS)
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers
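The ConnectionFlags, Protocol and ConnectionDirection columns are numeric codes, and ConnectionFlags is a bitfield, so a rule has to decode them rather than compare strings. The following is an added example, not Panther's or CrowdStrike's code: the numeric values are the ones the table above lists; the Panther rule contract (`rule`, `title` and `dedup` over a dict-like event) and the sample rows are assumptions. It alerts on raw or promiscuous sockets, which normally require administrative rights and are the primitives of packet crafting and sniffing rather than of ordinary client traffic.

```python
"""Decoding the enum and bitfield columns of Crowdstrike.NetworkConnect in a Panther-style rule.

Added example, not Panther's or CrowdStrike's code. The numeric values come from the schema
descriptions above (ConnectionFlags, Protocol, ConnectionDirection). Assumed: the Panther rule
contract (rule/title/dedup over a dict-like event) and the sample rows, which are constructed.
"""
from __future__ import annotations

# Bit values of ConnectionFlags, exactly as the schema lists them.
CONNECTION_FLAGS = {
    1: "RAW_SOCKET",
    2: "PROMISCUOUS_MODE_SIO_RCVALL",
    4: "PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST",
    8: "PROMISCUOUS_MODE_SIO_RCVALL_MCAST",
}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
DIRECTIONS = {0: "OUTBOUND", 1: "INBOUND", 2: "NEITHER", 3: "BOTH"}


def decode_flags(value) -> list[str]:
    """Expand the ConnectionFlags bitfield into names. Bits the schema does not list are
    reported as UNKNOWN(0x..) rather than dropped, and a non-numeric value as INVALID."""
    try:
        bits = int(value or 0)
    except (TypeError, ValueError):
        return [f"INVALID({value!r})"]
    names = [name for bit, name in CONNECTION_FLAGS.items() if bits & bit]
    leftover = bits & ~sum(CONNECTION_FLAGS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def remote_endpoint(event) -> str:
    """host:port from the IPv4 column, falling back to IPv6 (bracketed, as a literal needs)."""
    addr = event.get("RemoteAddressIP4") or event.get("RemoteAddressIP6") or "?"
    if ":" in addr:
        addr = f"[{addr}]"
    return f"{addr}:{event.get('RemotePort', '?')}"


def rule(event) -> bool:
    """Alert when the socket is raw or in promiscuous mode. Both normally need administrative
    rights and are the primitives of packet crafting and sniffing, not of client traffic."""
    return any(flag == "RAW_SOCKET" or flag.startswith("PROMISCUOUS_MODE")
               for flag in decode_flags(event.get("ConnectionFlags")))


def title(event) -> str:
    proto = PROTOCOLS.get(event.get("Protocol"), f"proto/{event.get('Protocol')}")
    direction = DIRECTIONS.get(event.get("ConnectionDirection"), "UNKNOWN")
    flags = ",".join(decode_flags(event.get("ConnectionFlags"))) or "none"
    return (f"{event.get('ComputerName', '<unknown>')}: {direction} {proto} socket to "
            f"{remote_endpoint(event)} (flags: {flags})")


def dedup(event) -> str:
    """Group alerts per sensor and process (UPID), so a scanner looping over targets
    produces one alert instead of one per packet."""
    return f"{event.get('aid')}:{event.get('ContextProcessId_decimal')}"


# Constructed sample rows shaped like the schema columns (not real telemetry).
SAMPLE_HTTPS = {"aid": "a1b2c3", "ComputerName": "WS01", "ConnectionDirection": 0, "Protocol": 6,
                "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443, "ConnectionFlags": 0,
                "ContextProcessId_decimal": 1234567890}
SAMPLE_SNIFF = {"aid": "a1b2c3", "ComputerName": "WS01", "ConnectionDirection": 2, "Protocol": 6,
                "RemoteAddressIP4": "0.0.0.0", "RemotePort": 0, "ConnectionFlags": 1 | 2,
                "ContextProcessId_decimal": 1234567891}
SAMPLE_DNS6 = {"aid": "a1b2c3", "ComputerName": "WS01", "ConnectionDirection": 0, "Protocol": 17,
               "RemoteAddressIP6": "2001:db8::53", "RemotePort": 53, "ConnectionFlags": 16,
               "ContextProcessId_decimal": 1234567892}

if __name__ == "__main__":
    for sample in (SAMPLE_HTTPS, SAMPLE_SNIFF, SAMPLE_DNS6):
        print(rule(sample), "-", title(sample))
```

Two details matter in practice: the flags column may arrive as a string rather than an int depending on the ingest path, which is why `decode_flags` goes through `int()`, and a bit the schema does not name should surface as UNKNOWN in the alert title instead of silently disappearing, since a new flag value is exactly the kind of thing an analyst wants to notice.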

Crowdstrike.NetworkListen

This event is generated when an application establishes a socket in listening mode

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
ContextThreadId | string | The unique ID of the thread that generated this event
ContextThreadId_decimal | bigint | The unique ID of the thread that generated this event (in decimal, non-hex format)
ContextTimeStamp | timestamp | The time at which the event occurred on the system, as seen by the sensor
ContextTimeStamp_decimal | timestamp | The time at which the event occurred on the system, as seen by the sensor (in decimal, non-hex format)
ContextProcessId | string | The unique ID (UPID) of the process in whose context this event occurred. It equals the TargetProcessId of that process's ProcessRollup2 event, which is the key for joining the two.
ContextProcessId_decimal | bigint | The unique ID of the process in whose context this event occurred (in decimal, non-hex format)
InContext | string | In context (N/A on iOS)
LocalAddressIP4 | string | Local IPv4 address of the socket
LocalAddressIP6 | string | Local IPv6 address of the socket
RemoteAddressIP4 | string | Remote IPv4 address of the connection
RemoteAddressIP6 | string | Remote IPv6 address of the connection
ConnectionFlags | int | Connection flags bitfield (RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL = 2, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8)
Protocol | int | IP protocol number (ICMP = 1, TCP = 6, UDP = 17)
LocalPort | int | Local port the socket listens on
RemotePort | int | Remote port of the connection
ConnectionDirection | int | Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers

Crowdstrike.ProcessRollup2

This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
TargetProcessId | bigint | The unique ID (UPID) of the process this event describes. Other events generated by this process carry the same value as their ContextProcessId.
SourceProcessId | bigint | The unique ID of the creating process
SourceThreadId | bigint | The unique ID of the thread in the creating process
ParentProcessId | bigint | The unique ID of the parent process
ImageFileName | string | The full path to the executable image (a PE file on Windows). The context of this field gives its exact meaning; for ProcessRollup2 events it is the full path to the main executable of the created process
CommandLine | string | The command line used to create this process. May be empty in some circumstances
RawProcessId | bigint | The operating system's own PID. Do not use it for matching: the OS reuses PIDs, whereas the UPID fields (TargetProcessId, ParentProcessId) guarantee a unique process identifier
ProcessStartTime | timestamp | The time the process began, in UNIX epoch time (in decimal, non-hex format)
ProcessEndTime | timestamp | The time the process finished (in decimal, non-hex format)
SHA256HashData | string | The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field
SHA1HashData | string | The SHA1 hash of a file
MD5HashData | string | The MD5 hash of a file
ImageSubsystem | string | Subsystem of the image file (Windows only)
UserSid | string | The security identifier (SID) of the user who executed the command. A SID uniquely identifies a user in a system (Windows only)
AuthenticationId | string | The authentication identifier (Windows only)
IntegrityLevel | string | The integrity level (Windows only)
ProcessCreateFlags | string | Flags captured from the original process-create call. This is a bitfield (Windows only)
ProcessParameterFlags | string | Flags from the NtCreateUserProcess API. This bitfield includes data such as whether DLL redirection is enabled (Windows only)
ProcessSxsFlags | string | Flags from the communication path with the Windows Subsystem Process. This bitfield includes data such as whether there is a manifest and whether it is local (Windows only)
ParentAuthenticationId | string | The authentication identifier of the parent process (Windows only)
TokenType | string | The token type (Windows only)
SessionId | string | The ID of the session (Windows only)
WindowFlags | string | Flags from the window (Windows only)
ShowWindowFlags | string | Window visibility flags (Windows only)
WindowStartingPositionHorizontal | bigint | Starting horizontal position of the process window (Windows only)
WindowStartingPositionVertical | bigint | Starting vertical position of the process window (Windows only)
WindowStartingWidth | bigint | Starting width of the process window (Windows only)
WindowStartingHeight | bigint | Starting height of the process window (Windows only)
Desktop | string | The desktop of the process window (Windows only)
WindowStation | string | The window station of the process (Windows only)
WindowTitle | string | The title of the process window (Windows only)
LinkName | string | Link name (Windows only)
ApplicationUserModelId | string | Application user model ID (Windows only)
CallStackModuleNames | string | Call stack module names (Windows only)
CallStackModuleNamesVersion | string | Call stack module names version (Windows only)
RpcClientProcessId | string | RPC client process ID (Windows only)
CsaProcessDataCollectionInstanceId | string | CSA process data collection instance ID (Windows only)
OriginalCommandLine | string | The original command line used to create this process (Windows only)
CreateProcessType | string | Create process type (Windows only)
ZoneIdentifier | string | Zone identifier of the executable, i.e. the mark-of-the-web zone recorded in its Zone.Identifier stream (Windows only)
HostUrl | string | Host URL recorded in the executable's Zone.Identifier stream (Windows only)
ReferrerUrl | string | Referrer URL recorded in the executable's Zone.Identifier stream (Windows only)
GrandParent | string | Grandparent process (Windows only)
BaseFileName | string | Base file name (Windows only)
Tags | string | Comma-separated list of process tags (Windows, Mac)
ParentBaseFileName | string | Base file name of the parent process (Windows, Mac)
ProcessGroupId | bigint | Process group ID (Windows, Mac)
UID | bigint | User ID (Mac, Linux, Android)
RUID | bigint | Real user ID (Mac, Linux, Android)
SVUID | bigint | Saved set-user-ID (Mac, Linux, Android)
GID | bigint | Group ID (Mac, Linux, Android)
RGID | bigint | Real group ID (Mac, Linux, Android)
SVGID | bigint | Saved set-group-ID (Mac, Linux, Android)
SessionProcessId | bigint | Session process ID (Mac, Linux)
MachOSubType | string | Mach-O subtype (Mac only)
TtyName | string | TTY name (Linux only)
OciContainerId | string | OCI container ID (Linux only)
SourceAndroidComponentName | string | Source component name (Android only)
TargetAndroidComponentName | string | Target component name (Android only)
TargetAndroidComponentType | string | Target component type (Android only)
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row
p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row
p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers
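The network tables (NetworkListen above, and NetworkConnect before it) do not carry the process image or command line; that has to come from ProcessRollup2, joined on the UPID. The following added example, which is not Panther's or CrowdStrike's code, serves both the NetworkListen and the ProcessRollup2 tables: it joins listen events to PR2 rows on (aid, ContextProcessId = TargetProcessId), which is the relationship the schemas state, and deliberately ignores RawProcessId because the OS reuses PIDs. It also shows the hex-versus-decimal detail: ContextProcessId is a hex string while ContextProcessId_decimal and TargetProcessId are bigints. The sample rows are constructed.

```python
"""Joining Crowdstrike.NetworkListen rows to Crowdstrike.ProcessRollup2 rows on the UPID.

Added example (not Panther's or CrowdStrike's code) that serves the NetworkListen and
ProcessRollup2 tables above. It uses one relationship stated in those schemas: the
ContextProcessId of a network event is the TargetProcessId of the process's PR2 row, and
both are only unique within a sensor install (aid). The sample rows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Upid:
    """Join key: a process ID is unique per sensor install, so it is (aid, TargetProcessId)."""
    aid: str
    target_process_id: int


def upid_from_context(event) -> Optional[Upid]:
    """Build the key from a NetworkListen (or any Context*) row. The schema gives
    ContextProcessId as a hex string and ContextProcessId_decimal as a bigint; the decimal
    column is preferred and the hex one parsed only when it is missing."""
    aid = event.get("aid")
    dec = event.get("ContextProcessId_decimal")
    if dec is None and event.get("ContextProcessId"):
        try:
            dec = int(str(event["ContextProcessId"]), 16)
        except ValueError:
            return None
    if aid is None or dec is None:
        return None
    return Upid(aid, int(dec))


def index_processes(pr2_rows) -> dict[Upid, dict]:
    """Map (aid, TargetProcessId) -> PR2 row. RawProcessId is deliberately not a key:
    the OS reuses PIDs, which the schema warns about; the UPID does not collide."""
    return {Upid(row["aid"], int(row["TargetProcessId"])): row for row in pr2_rows}


def listeners_with_process(listen_rows, pr2_rows) -> list[dict]:
    """One record per listening socket, enriched with the owning process where a PR2 row
    exists and marked unresolved otherwise (the gap itself is worth a look)."""
    processes = index_processes(pr2_rows)
    records = []
    for ev in listen_rows:
        key = upid_from_context(ev)
        proc = processes.get(key) if key else None
        records.append({
            "host": ev.get("ComputerName"),
            "aid": ev.get("aid"),
            "port": ev.get("LocalPort"),
            "protocol": ev.get("Protocol"),
            "image": proc.get("ImageFileName") if proc else None,
            "command_line": proc.get("CommandLine") if proc else None,
            "user": proc.get("UserSid") if proc else None,
            "resolved": proc is not None,
        })
    return records


def unexpected_listeners(listen_rows, pr2_rows, expected_ports) -> list[dict]:
    """Listeners on a port not expected for that host, plus every unresolved listener."""
    return [r for r in listeners_with_process(listen_rows, pr2_rows)
            if not r["resolved"] or r["port"] not in expected_ports.get(r["host"], set())]


# Constructed sample rows shaped like the schema columns (not real telemetry).
PR2_ROWS = [
    {"aid": "a1b2c3", "TargetProcessId": 20000001, "RawProcessId": 4321,
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k RPCSS", "UserSid": "S-1-5-20"},
    {"aid": "a1b2c3", "TargetProcessId": 20000002, "RawProcessId": 4321,  # same raw PID, reused
     "ImageFileName": r"\Device\HarddiskVolume2\Users\bob\Downloads\update.exe",
     "CommandLine": "update.exe --serve", "UserSid": "S-1-5-21-1-2-3-1001"},
]
LISTEN_ROWS = [
    {"aid": "a1b2c3", "ComputerName": "WS01", "LocalPort": 135, "Protocol": 6,
     "ContextProcessId": "1312d01", "ContextProcessId_decimal": 20000001},
    {"aid": "a1b2c3", "ComputerName": "WS01", "LocalPort": 4444, "Protocol": 6,
     "ContextProcessId": "1312d02", "ContextProcessId_decimal": None},  # only the hex column set
    {"aid": "d4e5f6", "ComputerName": "WS02", "LocalPort": 135, "Protocol": 6,
     "ContextProcessId": "1312d01", "ContextProcessId_decimal": 20000001},  # same UPID, other sensor
]
EXPECTED_PORTS = {"WS01": {135, 445}, "WS02": {135, 445}}

if __name__ == "__main__":
    for rec in unexpected_listeners(LISTEN_ROWS, PR2_ROWS, EXPECTED_PORTS):
        print(rec["host"], rec["port"], rec["image"] or "<unresolved>")
```

The two PR2 sample rows share RawProcessId 4321 on purpose: a join on the raw PID would attribute the port-4444 listener to svchost.exe, while the UPID join attributes it to the binary in a Downloads folder. The third listen row carries the same TargetProcessId under a different aid and resolves to nothing, which is the correct outcome, since a UPID only has meaning within one sensor install.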

Crowdstrike.SyntheticProcessRollup2

A synthetic version of the process rollup (PR2) event, generated by the sensor for a process it did not observe starting through the normal process-creation path, for example a process that was already running when the sensor started (a rundown). The SyntheticPR2Flags column records why the event was generated.

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
ContextThreadId | string | The unique ID of the thread that generated this event
ContextThreadId_decimal | bigint | The unique ID of the thread that generated this event (in decimal, non-hex format)
ContextTimeStamp | timestamp | The time at which the event occurred on the system, as seen by the sensor
ContextTimeStamp_decimal | timestamp | The time at which the event occurred on the system, as seen by the sensor (in decimal, non-hex format)
ContextProcessId | string | The unique ID (UPID) of the process in whose context this event occurred. It equals the TargetProcessId of that process's ProcessRollup2 event, which is the key for joining the two.
ContextProcessId_decimal | bigint | The unique ID of the process in whose context this event occurred (in decimal, non-hex format)
InContext | string | In context (N/A on iOS)
TargetProcessId | bigint | The unique ID (UPID) of the process this event describes. Other events generated by this process carry the same value as their ContextProcessId.
SourceProcessId | bigint | The unique ID of the creating process
SourceThreadId | bigint | The unique ID of the thread in the creating process
ParentProcessId | bigint | The unique ID of the parent process
ImageFileName | string | The full path to the executable image (a PE file on Windows). The context of this field gives its exact meaning; for ProcessRollup2 and SyntheticProcessRollup2 events it is the full path to the main executable of the process
CommandLine | string | The command line used to create this process. May be empty in some circumstances
RawProcessId | bigint | The operating system's own PID. Do not use it for matching: the OS reuses PIDs, whereas the UPID fields (TargetProcessId, ParentProcessId) guarantee a unique process identifier
ProcessStartTime | timestamp | The time the process began, in UNIX epoch time (in decimal, non-hex format)
ProcessEndTime | timestamp | The time the process finished (in decimal, non-hex format)
SHA256HashData | string | The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field
SHA1HashData | string | The SHA1 hash of a file
MD5HashData | string | The MD5 hash of a file
SyntheticPR2Flags | int | Why the synthetic event was generated, as a bitfield (PROCESS_RUNDOWN = 0, PROCESS_HOLLOWED = 1, APP_MONITORING = 2, IMAGEHASH_FAILURE = 4, FILE_PATH_EXCLUDED = 8, PROCESS_FORK_FOLDING = 16). PROCESS_RUNDOWN = 0 is not a bit: it is the value when no other flag is set.
ImageSubsystem | string | Subsystem of the image file (Windows only)
UserSid | string | The security identifier (SID) of the user who executed the command. A SID uniquely identifies a user in a system (Windows only)
AuthenticationId | string | The authentication identifier (Windows only)
IntegrityLevel | string | The integrity level (Windows only)
ProcessGroupId | bigint | Process group ID (Mac)
UID | bigint | User ID (Mac)
RUID | bigint | Real user ID (Mac)
SVUID | bigint | Saved set-user-ID (Mac)
GID | bigint | Group ID (Mac)
RGID | bigint | Real group ID (Mac)
SVGID | bigint | Saved set-group-ID (Mac)
SessionProcessId | bigint | Session process ID (Mac)
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row
p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row
p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers
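Because a synthetic PR2 row describes a process the sensor did not see start, a process inventory built only from ProcessRollup2 misses everything that predates the sensor, while one that treats synthetic rows as process starts over-counts. The following added example, not Panther's or CrowdStrike's code, merges both tables into one inventory keyed on (aid, TargetProcessId) and keeps, per process, whether the start was observed and which SyntheticPR2Flags explain a synthetic row. The flag values are the ones listed above; two things are assumptions of the example: that a PR2 row and a synthetic row with the same key describe the same process, and that a row flagged IMAGEHASH_FAILURE has no usable hash columns. The sample rows are constructed.

```python
"""Merging Crowdstrike.ProcessRollup2 and Crowdstrike.SyntheticProcessRollup2 rows into
one process inventory that records how each process became known to the sensor.

Added example, not Panther's or CrowdStrike's code. The SyntheticPR2Flags values are the
ones listed in the schema above. Two assumptions: a PR2 row and a synthetic row for the
same (aid, TargetProcessId) describe the same process, and a synthetic row flagged
IMAGEHASH_FAILURE has no usable hash columns. The sample rows are constructed.
"""
from __future__ import annotations

# Bit flags of SyntheticPR2Flags. PROCESS_RUNDOWN = 0 is not a bit: it is what a synthetic
# row means when no other flag is set (the sensor enumerated an already-running process).
SYNTHETIC_PR2_FLAGS = {
    1: "PROCESS_HOLLOWED",
    2: "APP_MONITORING",
    4: "IMAGEHASH_FAILURE",
    8: "FILE_PATH_EXCLUDED",
    16: "PROCESS_FORK_FOLDING",
}


def synthetic_reasons(flags) -> list[str]:
    """Names of the set flags, or ["PROCESS_RUNDOWN"] when the value is 0 or absent."""
    bits = int(flags or 0)
    names = [name for bit, name in SYNTHETIC_PR2_FLAGS.items() if bits & bit]
    return names or ["PROCESS_RUNDOWN"]


def process_key(row) -> tuple[str, int]:
    """Processes are unique per sensor install, so key on (aid, TargetProcessId)."""
    return (row["aid"], int(row["TargetProcessId"]))


def build_inventory(pr2_rows, synthetic_rows) -> dict[tuple[str, int], dict]:
    """One record per process. A real PR2 row wins over a synthetic row for the same UPID
    because it carries an observed start; synthetic rows fill in processes the sensor never
    saw start and are annotated with why they were generated."""
    inventory: dict[tuple[str, int], dict] = {}
    for row in synthetic_rows:
        reasons = synthetic_reasons(row.get("SyntheticPR2Flags"))
        inventory[process_key(row)] = {
            **row,
            "observed_start": False,
            "synthetic_reasons": reasons,
            # Assumption: an IMAGEHASH_FAILURE row has no usable hash, so its empty
            # SHA256HashData must not be read as "unknown binary" by hash allow/deny lists.
            "hash_usable": bool(row.get("SHA256HashData")) and "IMAGEHASH_FAILURE" not in reasons,
        }
    for row in pr2_rows:
        inventory[process_key(row)] = {
            **row,
            "observed_start": True,
            "synthetic_reasons": [],
            "hash_usable": bool(row.get("SHA256HashData")),
        }
    return inventory


def hollowed_processes(inventory) -> list[dict]:
    """Processes the sensor reported as hollowed: the code running in the process no longer
    matches the image on disk, the classic process-hollowing injection signal."""
    return [p for p in inventory.values() if "PROCESS_HOLLOWED" in p["synthetic_reasons"]]


def unobserved_starts(inventory) -> list[dict]:
    """Processes known only from rundown rows: running before the sensor could watch them start."""
    return [p for p in inventory.values() if p["synthetic_reasons"] == ["PROCESS_RUNDOWN"]]


# Constructed sample rows shaped like the schema columns (not real telemetry).
PR2_ROWS = [
    {"aid": "a1b2c3", "TargetProcessId": 30000001,
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\explorer.exe",
     "SHA256HashData": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]
SYNTHETIC_ROWS = [
    # Rundown of a process that predates sensor start (flags 0).
    {"aid": "a1b2c3", "TargetProcessId": 30000000,
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "SHA256HashData": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
     "SyntheticPR2Flags": 0},
    # Hollowed process whose image the sensor could not hash.
    {"aid": "a1b2c3", "TargetProcessId": 30000002,
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "SHA256HashData": "", "SyntheticPR2Flags": 1 | 4},
    # Synthetic duplicate of the explorer.exe process above; the PR2 row must win.
    {"aid": "a1b2c3", "TargetProcessId": 30000001,
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\explorer.exe",
     "SHA256HashData": "", "SyntheticPR2Flags": 2},
]

if __name__ == "__main__":
    inv = build_inventory(PR2_ROWS, SYNTHETIC_ROWS)
    for proc in inv.values():
        print(proc["TargetProcessId"], proc["observed_start"], proc["synthetic_reasons"])
```

When this feeds a detection, the rundown set is the one to handle carefully: those rows appear in bulk every time a sensor starts or restarts, so a rule that fires on "new process seen" must exclude them, and an investigation into a process with no PR2 row should check whether a rundown row explains the gap before treating it as missing telemetry.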

Crowdstrike.Unknown

This table stores every CrowdStrike event whose event_simpleName has no dedicated schema. The common header fields are parsed as usual; the rest of the event is kept verbatim in unknown_payload.

Column | Type | Description
event_simpleName | string | Event name
name | string | The event name
aid | string | The sensor ID (agent ID). This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid, so a single host can have multiple aid values over time.
aip | string | The sensor's IP address as seen from the CrowdStrike cloud. This is typically the public IP of the sensor and, depending on your network, can help locate a host.
cid | string | The customer ID (CID)
id | string | The event ID
event_platform | string | The platform the sensor was running on
timestamp | timestamp | Timestamp when the event was received by the CrowdStrike cloud
_time | timestamp | Timestamp when the event was received by the CrowdStrike cloud (human readable)
ComputerName | string | The name of the host
ConfigBuild | string | Config build
ConfigStateHash | string | Config state hash
Entitlements | string | Entitlements
TreeId | string | If this event is part of a detection tree, the tree ID it is part of
TreeId_decimal | bigint | If this event is part of a detection tree, the tree ID it is part of (in decimal, non-hex format)
ContextThreadId | string | The unique ID of the thread that generated this event
ContextThreadId_decimal | bigint | The unique ID of the thread that generated this event (in decimal, non-hex format)
ContextTimeStamp | timestamp | The time at which the event occurred on the system, as seen by the sensor
ContextTimeStamp_decimal | timestamp | The time at which the event occurred on the system, as seen by the sensor (in decimal, non-hex format)
ContextProcessId | string | The unique ID (UPID) of the process in whose context this event occurred. It equals the TargetProcessId of that process's ProcessRollup2 event, which is the key for joining the two.
ContextProcessId_decimal | bigint | The unique ID of the process in whose context this event occurred (in decimal, non-hex format)
InContext | string | In context (N/A on iOS)
unknown_payload | string | The full JSON payload of the event
p_event_time | timestamp | Panther-added standardized event time (UTC)
p_parse_time | timestamp | Panther-added standardized log parse time (UTC)
p_log_type | string | Panther-added field with the type of log
p_row_id | string | Panther-added field with a unique ID (within the table)
p_source_id | string | Panther-added field with the source ID
p_source_label | string | Panther-added field with the source label
p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row
p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row
p_any_trace_ids | [string] | Panther-added field with the collection of context trace identifiers