CrowdStrike

Latest Version: v5.1.0

Upgrade to this version for the latest improvements, fixes, and compatibility updates.

Released: Dec 2023

Note:

Use this reference config to create your own final config.
Specify the correct region in API & Request Token URLs. EU-1 region is taken as example here.
Syslog forwarding is enabled. Insert the IP address of the Logpoint in SYSLOG_SERVER_IP.
Events need to be enriched as the CrowdStrike's baseline config does not generate sufficiently detailed logs.
Enrichment added to the following events:
- DetectionSummaryEvent
- DetectionSummaryEvent_DnsRequests
- DetectionSummaryEvent_NetworkAccesses
- DetectionSummaryEvent_DocumentsAccessed
- DetectionSummaryEvent_ScanResults
- DetectionSummaryEvent_ExecutablesWritten
- DetectionSummaryEvent_QuarantineFiles
- UserActivityAuditEvent
- AuthActivityAuditEvent
- RemoteResponseSessionStartEvent
- RemoteResponseSessionEndEvent

Configuration file (reference)

crowdstrike_cef_config.conf

# Version: 1
# CrowdStrike SIEM Connector's CEF config file provided by Logpoint
# Released in: Dec 2023
# Note:
#   - Use this reference config to create your own final config.
#   - Specify the correct region in API & Request Token URLs. EU-1 region is taken as example here.
#   - Syslog forwarding is enabled. Insert the IP address of the Logpoint in SYSLOG_SERVER_IP.
#   - Events need to be enriched as the CrowdStrike's baseline config does not generate sufficiently detailed logs
#   - Enrichment added to following events:
#       - DetectionSummaryEvent
#       - DetectionSummaryEvent_DnsRequests
#       - DetectionSummaryEvent_NetworkAccesses
#       - DetectionSummaryEvent_DocumentsAccessed
#       - DetectionSummaryEvent_ScanResults
#       - DetectionSummaryEvent_ExecutablesWritten
#       - DetectionSummaryEvent_QuarantineFiles
#       - UserActivityAuditEvent
#       - AuthActivityAuditEvent
#       - RemoteResponseSessionStartEvent
#       - RemoteResponseSessionEndEvent
[Settings]
version = 3
api_url = https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2
request_token_url = https://api.eu-1.crowdstrike.com/OAuth2/token
app_id = SIEM-Connector-CEF-v2.0.0
enable_correlation_id = false
format_floats_as_scientific = true
# API Client ID
client_id = <API_CLIENT_ID>
# API Client Secret
client_secret = <API_CLIENT_SECRET>
# Amount of time (in seconds) we will wait for a connect to complete.
connection_timeout = 10
# Amount of time to wait (in seconds) for a server's response headers after fully writing the request.
read_timeout = 30
# Specify partition number 0 to n or 'all' (without quote) for all partitions
partition = all
http_proxy =
# Output formats
# Supported formats are
#   1.syslog: will output syslog format with flat key=value pairs uses the mapping configuration below.
;             Use syslog format if CEF/LEEF output is required.
#   2.json: will output raw json format received from FalconHose API (default)
output_format = syslog
# Will be true regardless if Syslog is not enabled
# If path does not exist or user has no permission, log file will be used
output_to_file = true
output_path = /var/log/crowdstrike/falconhoseclient/output
# Offset file full filepath and filename
offset_path = /var/log/crowdstrike/falconhoseclient/stream_offsets
[Output_File_Rotation]
# If the output is writing to a file, then the settings below will govern output file rotation
#
# If true, then the rotation rules will apply. If not, the client will continue to write to the same file.
rotate_file = true
# Maximum individual output file size in MB
max_size = 500
# Number of backups of the output file to be stored
max_backups = 10
# Maximum age of backup output files before it is deleted in DAYS
max_age = 30
[Logging]
verbose_log = true
# Maximum individual log file size in MB
max_size = 500
# Number of backups to be stored
max_backups = 10
# Maximum age of backup files before it is deleted in DAYS
max_age = 30
[Syslog]
send_to_syslog_server = true
host = <SYSLOG_SERVER_IP>
port = 514
protocol = tcp
# CEF/LEEF Headers, header_prefix will be appended before any other header information
# Within each mapping section, we can add __header.{n} (note double underscore) where n is consecutive integer
# starting with 0 which will be added sequentially.
# Value of headers can be:
#   1. As specified: enclose by single-quote
#   2. Field value: just specify which field name
header_delim = |
header_prefix = CEF:0|CrowdStrike|FalconHost|1.0|
# Character Escaping Setting
# Syntax Guidelines:
#   - Enclose characters with double-quote i.e. "|"
#   - From and To characters are delimited by colon
#   - Character(s) that needs to be escaped is placed on the left side of a colon (:) and character to replace with is on the right i.e. "from":"to"
#   - Multiple character escape setting is delimited by a common i.e. "from1":"to1","from2":"to2" and so on
#   - header_prefix setting (above) will not be escaped
escape_header = "|":"\|","\\":"\\\\"
escape_ext = "\\":"\\\\","=":"\=","\n":"\\n","\r":"\\r"
# Delimiter separating key and value, example: if the delimiter is '='(equal): filename=abc.txt
key_val_delim = =
# Delimiter separating 2 key-value pairs , example: if the delimiter is ','(comma): filename=abc.txt,domain=www.google.com
# Note: For space just leave it empty
field_delim =
val_enclosure =
# These fields will be converted to time format, field name should be the key on the mapping section (RFC3339)
time_fields = deviceCustomDate1
time_format = MMM dd yyyy HH:mm:ss
# This will be use for filtering
event_type_field = metadata.eventType
event_subtype_field = event.subType
# Max length of syslog line in bytes
max_length = 2048
# Send retry interval in seconds (applicable only for TCP)
retry_interval_secs = 10
# Static order fields
keys_ordered = true
[EventTypeCollection]
DetectionSummaryEvent = true
AuthActivityAuditEvent = true
UserActivityAuditEvent = true
HashSpreadingEvent = true
RemoteResponseSessionStartEvent = true
RemoteResponseSessionEndEvent = true
FirewallMatchEvent = true
CSPMSearchStreamingEvent = true
CSPMIOAStreamingEvent = true
IncidentSummaryEvent = true
CustomerIOCEvent = true
IdentityProtectionEvent = true
ReconNotificationSummaryEvent = true
ScheduledReportNotificationEvent = true
MobileDetectionSummaryEvent = true
XdrDetectionSummaryEvent = true
IdpDetectionSummaryEvent = true
# ----------------------------------------------------------------------------------------------------------------
# Below configurations only applies if syslog is ENABLED (under Syslog: enabled=true)
# ----------------------------------------------------------------------------------------------------------------
[EventSubTypeCollection]
# Format: <EvenType>_<EventSubType> = true/false
DetectionSummaryEvent_DnsRequests = true
DetectionSummaryEvent_NetworkAccesses = true
DetectionSummaryEvent_DocumentsAccessed = true
DetectionSummaryEvent_ScanResults = true
DetectionSummaryEvent_ExecutablesWritten = true
DetectionSummaryEvent_QuarantineFiles = true
HashSpreadingEvent_Sensors = true
RemoteResponseSessionEndEvent_Commands = true
MobileDetectionSummaryEvent_SafetyNetErrors = true
MobileDetectionSummaryEvent_KeyStoreErrors = true
MobileDetectionSummaryEvent_MobileAppsDetails = true
MobileDetectionSummaryEvent_MobileNetworkConnections = true
MobileDetectionSummaryEvent_MobileDnsRequests = true
MobileDetectionSummaryEvent_MountedVolumes = true
MobileDetectionSummaryEvent_Trampolines = true
MobileDetectionSummaryEvent_LoadedObjects = true
MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered = true
MobileDetectionSummaryEvent_RootAccessIndicators = true
MobileDetectionSummaryEvent_Certificates = true
MobileDetectionSummaryEvent_EnvironmentVariables = true
MobileDetectionSummaryEvent_SystemProperties = true
# FIELD MAPPINGS
# Section name format: <EventType> OR <EventType>_<EventSubType>
# Reserved keys:
#       __header.{n} where n is integer starting with 0
#
# There are 2 possible values for the mapping
#       1. Literals which will be used as-is (for labelling) should be enclosed by single quotes
#       2. Value based on incoming event
#
# If field mapping is not specified, then field will not appear in the results
# DetectName has been deprecated because CrowdStrike now supports MITRE framework
[DetectionSummaryEvent]
__header.0 = metadata.eventType
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
cn1Label = 'ParentProcessId'
cn1 = event.ParentProcessId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
fname = event.FileName
filePath = event.FilePath
cs5Label = 'CommandLine'
cs5 = event.CommandLine
fileHash = event.MD5String
dntdom = event.MachineDomain
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
tags = event.Tags
hostGroups = event.HostGroups
associatedFile = event.AssociatedFile
sha256fileHash = event.SHA256String
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
iocType = event.IOCType
iocValue = event.IOCValue
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
pdf_BlockingUnsupportedOrDisabled = event.PatternDispositionFlags.BlockingUnsupportedOrDisabled
pdf_BootupSafeguardEnabled = event.PatternDispositionFlags.BootupSafeguardEnabled
pdf_CriticalProcessDisabled = event.PatternDispositionFlags.CriticalProcessDisabled
pdf_Detect = event.PatternDispositionFlags.Detect
pdf_FsOperationBlocked = event.PatternDispositionFlags.FsOperationBlocked
pdf_HandleOperationDowngraded = event.PatternDispositionFlags.HandleOperationDowngraded
pdf_InddetMask = event.PatternDispositionFlags.InddetMask
pdf_Indicator = event.PatternDispositionFlags.Indicator
pdf_KillActionFailed = event.PatternDispositionFlags.KillActionFailed
pdf_KillParent = event.PatternDispositionFlags.KillParent
pdf_KillProcess = event.PatternDispositionFlags.KillProcess
pdf_KillSubProcess = event.PatternDispositionFlags.KillSubProcess
pdf_OperationBlocked = event.PatternDispositionFlags.OperationBlocked
pdf_PolicyDisabled = event.PatternDispositionFlags.PolicyDisabled
pdf_ProcessBlocked = event.PatternDispositionFlags.ProcessBlocked
pdf_QuarantineFile = event.PatternDispositionFlags.QuarantineFile
pdf_QuarantineMachine = event.PatternDispositionFlags.QuarantineMachine
pdf_RegistryOperationBlocked = event.PatternDispositionFlags.RegistryOperationBlocked
pdf_Rooting = event.PatternDispositionFlags.Rooting
pdf_SensorOnly = event.PatternDispositionFlags.SensorOnly
pdf_SuspendParent = event.PatternDispositionFlags.SuspendParent
pdf_SuspendProcess = event.PatternDispositionFlags.SuspendProcess
[DetectionSummaryEvent_DnsRequests]
__header.0 = 'DNS Request In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
dntdom = event.MachineDomain
cs5Label = 'CommandLine'
cs5 = event.CommandLine
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'DNS Request Time'
deviceCustomDate1 = event.DnsRequests.LoadTime
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
domainName = event.DnsRequests.DomainName
causedDetect = event.DnsRequests.CausedDetect
requestType = event.DnsRequests.RequestType
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[DetectionSummaryEvent_NetworkAccesses]
__header.0 = 'Network Access In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
cs5Label = 'CommandLine'
cs5 = event.CommandLine
dntdom = event.MachineDomain
c6a2 = event.NetworkAccesses.LocalAddress
dst = event.NetworkAccesses.RemoteAddress
c6a3 = event.NetworkAccesses.RemoteAddress
spt = event.NetworkAccesses.LocalPort
dpt = event.NetworkAccesses.RemotePort
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'Network Access Timestamp'
deviceCustomDate1 = event.NetworkAccesses.AccessTimestamp
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[DetectionSummaryEvent_DocumentsAccessed]
__header.0 = 'Document Access In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
dntdom = event.MachineDomain
cs2Label = 'AccessedDocFileName'
cs2 = event.DocumentsAccessed.FileName
cs3Label = 'AccessedDocFilePath'
cs3 = event.DocumentsAccessed.FilePath
cs5Label = 'CommandLine'
cs5 = event.CommandLine
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'Document Accessed Timestamp'
deviceCustomDate1 = event.DocumentsAccessed.Timestamp
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[DetectionSummaryEvent_ScanResults]
__header.0 = 'AV Scan Results In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
fileHash = event.MD5String
dntdom = event.MachineDomain
cs2Label = 'ScanResultEngine'
cs2 = event.ScanResults.Engine
cs1Label = 'ScanResultName'
cs1 = event.ScanResults.ResultName
cs4Label = 'ScanResultVersion'
cs4 = event.ScanResults.Version
cs5Label = 'CommandLine'
cs5 = event.CommandLine
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[DetectionSummaryEvent_ExecutablesWritten]
__header.0 = 'Executable Written In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
dntdom = event.MachineDomain
cs2Label = 'WrittenExeFileName'
cs2 = event.ExecutablesWritten.FileName
cs3Label = 'WrittenExeFilePath'
cs3 = event.ExecutablesWritten.FilePath
cs5Label = 'CommandLine'
cs5 = event.CommandLine
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ExeWrittenTimestamp'
deviceCustomDate1 = event.ExecutablesWritten.Timestamp
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[DetectionSummaryEvent_QuarantineFiles]
__header.0 = 'Quarantined Files In A Detection Summary Event'
#__header.1 = event.DetectName
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cn2Label = 'ProcessId'
cn2 = event.ProcessId
dhost = event.ComputerName
duser = event.UserName
fname = event.FileName
filePath = event.FilePath
dntdom = event.MachineDomain
cs2Label = 'QuarantineFileSHA256'
cs2 = event.QuarantineFiles.SHA256HashData
cs3Label = 'QuarantineFilePath'
cs3 = event.QuarantineFiles.ImageFileName
cs5Label = 'CommandLine'
cs5 = event.CommandLine
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ExeWrittenTimestamp'
deviceCustomDate1 = event.ExecutablesWritten.Timestamp
rt = metadata.eventCreationTime
src = event.LocalIP
smac = event.MACAddress
cat = event.Tactic
act = event.Technique
reason = event.Objective
outcome = event.PatternDispositionValue
CSMTRPatternDisposition = event.PatternDispositionDescription
# Enriched section
detectionId = event.DetectId
hostGroups = event.HostGroups
severityName = event.SeverityName
parentCommandLine = event.ParentCommandLine
parentImageFileName = event.ParentImageFileName
grandparentCommandLine = event.GrandparentCommandLine
grandparentImageFileName = event.GrandparentImageFileName
[UserActivityAuditEvent]
__header.0 = metadata.eventType
__header.1 = event.OperationName
__header.2 = '1'
cat = metadata.eventType
destinationTranslatedAddress = event.UserIp
duser = event.UserId
deviceProcessName = event.ServiceName
cn3Label = 'Offset'
cn3 = metadata.offset
outcome = event.Success
rt = metadata.eventCreationTime
# Enriched section
assignToName = event.Attributes.assign_to_name
assignToUserId = event.Attributes.assign_to_user_id
detectionId = event.Attributes.detection_id
updateStatus = event.Attributes.update_status
appendComment = event.Attributes.append_comment
policyId = event.Attributes.policy_id
policyName = event.Attributes.policy_name
policyDescription = event.Attributes.policy_description
policyType = event.Attributes.policy_type
policyEnabled = event.Attributes.policy_enabled
policyPlatform = event.Attributes.policy_platform
policyAssignmentRule = event.Attributes.policy_assignment_rule
externalId = event.Attributes.SensorId
[AuthActivityAuditEvent]
__header.0 = event.OperationName
__header.1 = event.OperationName
__header.2 = '1'
cat = metadata.eventType
destinationTranslatedAddress = event.UserIp
duser = event.UserId
deviceProcessName = event.ServiceName
cn3Label = 'Offset'
cn3 = metadata.offset
outcome = event.Success
deviceCustomDate1Label = 'Timestamp'
deviceCustomDate1 = event.UTCTimestamp
rt = metadata.eventCreationTime
# Enriched section
appId = event.Attributes.appId
eventType = event.Attributes.eventType
targetName = event.Attributes.target_name
roles = event.Attributes.roles
actorUser = event.Attributes.actor_user
actorUserUUID = event.Attributes.actor_user_uuid
targetUserUUID = event.Attributes.target_user_uuid
[HashSpreadingEvent]
__header.0 = 'Hash Spreading Summary'
__header.1 = 'Hash Spreading Event-Summary'
__header.2 = '5'
cat = event.ExecutionType
deviceCustomDate1Label = 'DocAccessTimestamp'
deviceCustomDate1 = event.AlertTime
fname=event.FileName
fileHash=event.SHA256String
deviceCustomDate2Label = 'HashSpreadingEventTime'
deviceCustomDate2 = metadata.eventCreationTime
[HashSpreadingEvent_Sensors]
__header.0 = 'Hash Spreading Sensor'
__header.1 = 'Hash Spreading Event-Sensor Details'
__header.2 = '5'
cat = event.ExecutionType
deviceCustomDate1Label = 'DocAccessTimestamp'
deviceCustomDate1 = event.AlertTime
fname = event.Sensors.Filename
fileHash=event.SHA256String
dhost = event.Sensors.HostnameField
deviceCustomDate2Label = 'HashSpreadingSensorEventTime'
deviceCustomDate2 = event.Sensors.LastWriteTime
[RemoteResponseSessionStartEvent]
__header.0 = metadata.eventType
__header.1 = 'Remote Response Session Start event'
__header.2 = '1'
cat = metadata.eventType
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
dhost = event.HostnameField
duser = event.UserName
sessionStartTimestampLabel = 'RemoteResponseSessionStartTimestamp'
sessionStartTimestamp = event.StartTimestamp
agentIdStringLabel = 'AgentIdString'
agentIdString = event.AgentIdString
# Enriched section
sessionId = event.SessionId
[RemoteResponseSessionEndEvent]
__header.0 = metadata.eventType
__header.1 = 'Remote Response Session End event'
__header.2 = '1'
cat = metadata.eventType
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
dhost = event.HostnameField
duser = event.UserName
sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp'
sessionEndTimestamp = event.EndTimestamp
agentIdStringLabel = 'AgentIdString'
agentIdString = event.AgentIdString
# Enriched section
sessionId = event.SessionId
[RemoteResponseSessionEndEvent_Commands]
__header.0 = metadata.eventType
__header.1 = 'Remote Response Session End event'
__header.2 = '1'
cat = metadata.eventType
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
dhost = event.HostnameField
duser = event.UserName
sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp'
sessionEndTimestamp = event.EndTimestamp
cmdLabel = 'Command'
cmd = event.Commands
[FirewallMatchEvent]
__header.0 = metadata.eventType
__header.1 = 'Firewall Match event'
__header.2 = '1'
cat = metadata.eventType
deviceId = event.DeviceId
ipVLabel = 'IpV'
ipV = event.IpV
cmdLineLabel = 'Command Line'
cmdLine = event.CommandLine
connectionDirectionLabel = 'Connection Direction'
connectionDirection = event.ConnectionDirection
eventType = event.EventType
flags = event.Flags
hostName = event.HostName
icmpCodeLabel = 'ICMP Code'
icmpCode = event.ICMPCode
icmpTypeLabel = 'ICMP Type'
icmpType = event.ICMPType
imageFileNameLabel = 'Image File Name'
imageFileName = event.ImageFileName
localAddressLabel = 'Local Address'
localAddress = event.LocalAddress
localPortLabel = 'Local Port'
localPort = event.LocalPort
matchCountLabel = 'Match Count'
matchCount = event.MatchCount
matchCountSinceLastReportLabel = 'Match Count Since Last Report'
matchCount = event.MatchCountSinceLastReport
networkProfileLabel = 'Network Profile'
networkProfile = event.NetworkProfile
PolicyNameLabel = 'Policy Name'
networkProfile = event.PolicyName
protocolLabel = 'Protocol'
protocol = event.Protocol
remoteAddressLabel = 'Remote Address'
remoteAddress = event.RemoteAddress
remotePortLabel = 'Remote Port'
remotePort = event.RemotePort
ruleActionLabel = 'Rule Action'
ruleAction = event.RuleAction
ruleDescriptionLabel = 'Rule Description'
ruleDescription = event.RuleDescription
ruleGroupNameLabel = 'Rule Group Name'
ruleGroupName = event.RuleGroupName
ruleNameLabel = 'Rule Name'
ruleName = event.RuleName
statusLabel = 'Status'
status = event.Status
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
[CSPMSearchStreamingEvent]
__header.0 = metadata.eventType
__header.1 = 'CSPM Search Streaming event'
__header.2 = '1'
cat = metadata.eventType
accountIdLabel = 'AccountId'
accountId = event.AccountId
regionLabel = 'Region'
region = event.Region
resourceIdLabel = 'ResourceId'
resourceId = event.ResourceId
resourceIdTypeLabel = 'ResourceIdType'
resourceIdType = event.ResourceIdType
resourceNameLabel = 'ResourceName'
resourceName = event.ResourceName
resourceCreateTimeLabel = 'ResourceCreateTime'
resourceCreateTime = event.ResourceCreateTime
policyStatementLabel = 'PolicyStatement'
policyStatement = event.PolicyStatement
severityNameLabel = 'SeverityName'
severityName = event.SeverityName
cloudPlatformLabel = 'CloudPlatform'
cloudPlatform = event.CloudPlatform
cloudServiceLabel = 'CloudService'
cloudService = event.CloudService
dispositionLabel = 'Disposition'
disposition = event.Disposition
resourceUrlLabel = 'ResourceUrl'
resourceUrl = event.ResourceUrl
findingLabel = 'Finding'
finding = event.Finding
resourceAttributesLabel = 'ResourceAttributes'
resourceAttributes = event.ResourceAttributes
tagsLabel = 'Tags'
tags = event.Tags
timestampLabel = 'Timestamp'
timestamp = event.Timestamp
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
[CSPMIOAStreamingEvent]
__header.0 = metadata.eventType
__header.1 = 'CSPM IOA Streaming event'
__header.2 = '1'
cat = metadata.eventType
accountIdLabel = 'AccountId'
accountId = event.AccountId
policyStatementLabel = 'PolicyStatement'
policyStatement = event.PolicyStatement
cloudProviderLabel = 'CloudProvider'
cloudProvider = event.CloudProvider
cloudServiceLabel = 'CloudService'
cloudService = event.CloudService
severityNameLabel = 'SeverityName'
severityName = event.SeverityName
eventActionLabel = 'EventAction'
eventAction = event.EventAction
eventSourceLabel = 'EventSource'
eventSource = event.EventSource
eventCreatedTimeLabel = 'EventCreatedTimestamp'
eventCreatedTime = event.EventCreatedTimestamp
userIdLabel = 'UserId'
userId = event.UserId
userNameLabel = 'UserName'
userName = event.UserName
userSourceIpLabel = 'UserSourceIp'
userSourceIp = event.UserSourceIp
tacticLabel = 'Tactic'
tactic = event.Tactic
techniqueLabel = 'Technique'
technique = event.Technique
cn3Label = 'Offset'
cn3 = metadata.offset
rt = metadata.eventCreationTime
[CustomerIOCEvent]
__header.0 = 'Indicator of Compromise'
cat = metadata.eventType
devTimeFormat='yyyy-MM-dd HH:mm:ss'
devTime = metadata.eventCreationTime
commandLine = event.CommandLine
resource = event.ComputerName
fileName = event.FileName
filePath = event.FilePath
dnsRequestDomain = event.DomainName
dstIPv4 = event.IPv4
dstIPv6 = event.IPv6
md5 = event.MD5String
sha1 = event.SHA1String
sha256 = event.SHA256String
[IncidentSummaryEvent]
__header.0 = metadata.eventType
__header.1 = metadata.eventType
__header.2 = '5'
cat = metadata.eventType
cs1Label = 'FalconHostLink'
cs1 = event.FalconHostLink
cs2Label = 'State'
cs2 = event.State
cn3Label = 'FineScore'
cn3 = event.FineScore
deviceCustomDate1Label = 'IncidentStartTime'
deviceCustomDate1 = event.IncidentStartTime
deviceCustomDate2Label = 'IncidentEndTime'
deviceCustomDate2 = event.IncidentEndTime
deviceCustomDate2 = event.IncidentEndTime
incidentId = event.IncidentID
externalId = event.HostID
incidentType = event.IncidentType
lateralMovement = event.LateralMovement
[IdentityProtectionEvent]
__header.0 = event.Category
__header.1 = event.Severity
cat = event.Category
cs1Label = 'incidentType'
cs1 = event.IncidentType
cs2Label = 'severityName'
cs2 = event.SeverityName
msg = event.IncidentDescription
start = event.StartTime
end  = event.EndTime
externalId = event.IdentityProtectionIncidentId
duser = event.UserName
dhost = event.EndpointName
dst = event.EndpointIp
cs3Label = 'state'
cs3 = event.State
cn1Label = 'numberOfCompromisedEntities'
cn1 = event.NumberOfCompromisedEntities
cn2Label = 'numbersOfAlerts'
cn2 = event.NumbersOfAlerts
cs4Label = 'falconHostLink'
cs4 = event.FalconHostLink
[ReconNotificationSummaryEvent]
__header.0 = metadata.eventType
__header.1 = 'Recon Notification Summary Event'
__header.2 = '1'
cat = metadata.eventType
notificationIdLabel = 'NotificationId'
notificationId = event.NotificationId
highlightsLabel = 'MatchHighlights'
highlights = event.Highlights
matchedTimestampLabel = 'MatchTimestamp'
matchedTimestamp = event.MatchedTimestamp
ruleIdLabel = 'MonitoringRuleId'
ruleId = event.RuleId
ruleNameLabel = 'MonitoringRuleName'
ruleName = event.RuleName
ruleTopicLabel = 'MonitoringRuleTopic'
ruleTopic = event.RuleTopic
rulePriorityLabel = 'MonitoringRulePriority'
rulePriority = event.RulePriority
itemIdLabel = 'RawIntelligenceItemId'
itemId = event.ItemId
itemTypeLabel = 'RawIntelligenceItemType'
itemType = event.ItemType
itemPostedTimestampLabel = 'RawIntelligenceItemPostedTimestamp'
itemPostedTimestamp = event.ItemPostedTimestamp
[ScheduledReportNotificationEvent]
__header.0 = metadata.eventType
__header.1 = 'Scheduled Report Notification Event'
__header.2 = '1'
cat = metadata.eventType
userUUIDLabel = 'UserUUID'
userUUID = event.UserUUID
userIDLabel = 'UserID'
userID = event.UserID
executionIDLabel = 'ExecutionID'
executionID = event.ExecutionID
reportIDLabel = 'ReportID'
reportID = event.ReportID
reportNameLabel = 'ReportName'
reportName = event.ReportName
reportTypeLabel = 'ReportType'
reportType = event.ReportType
reportFileReferenceLabel = 'ReportFileReference'
reportFileReference = event.ReportFileReference
statusLabel = 'Status'
status = event.Status
statusMessageLabel = 'StatusMessage'
statusMessage = event.StatusMessage
executionMetadataLabel = 'ExecutionMetadata'
executionMetadata = event.ExecutionMetadata
[MobileDetectionSummaryEvent]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cn1Label = 'SELinuxEnforcementPolicy'
cn1 = event.SELinuxEnforcementPolicy
seLinuxEnforcementPolicy = event.SELinuxEnforcementPolicy
safetyNetCTSProfileMatch = event.SafetyNetCTSProfileMatch
safetyNetBasicIntegrity = event.SafetyNetBasicIntegrity
safetyNetEvaluationType = event.SafetyNetEvaluationType
safetyNetErrorMessage = event.SafetyNetErrorMessage
safetyNetAdvice = event.SafetyNetAdvice
cn4Label = 'VerifiedBootState'
cn4 = event.VerifiedBootState
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_SafetyNetErrors]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
safetyNetCTSProfileMatch = event.SafetyNetCTSProfileMatch
safetyNetBasicIntegrity = event.SafetyNetBasicIntegrity
cn2Label = 'SafetyNetEvaluationType'
cn2 = event.SafetyNetEvaluationType
cs2Label = 'SafetyNetErrorMessage'
cs2 = event.SafetyNetErrorMessage
cs3Label = event.SafetyNetAdvice
cs3 = event.SafetyNetAdvice
cn1Label = 'SafetyNetError'
cn1 = event.SafetyNetErrors
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_KeyStoreErrors]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
cn4Label = 'VerifiedBootState'
cn4 = event.VerifiedBootState
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
cn1Label = 'KeyStoreError'
cn1 = event.KeyStoreErrors
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_MobileAppsDetails]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
detectId = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'AppIdentifier'
cs1 = event.MobileAppsDetails.AppIdentifier
cs2Label = 'AppInstallerInformation'
cs2 = event.MobileAppsDetails.AppInstallerInformation
fname = event.MobileAppsDetails.ImageFileName
fileHash = event.MobileAppsDetails.SHA256HashData
cs3Label = 'DexFileHashes'
cs3 = event.MobileAppsDetails.DexFileHashes
cs4Label = 'AndroidAppVersionName'
cs4 = event.MobileAppsDetails.AndroidAppVersionName
cn1Label = 'HarmfulAppCategory'
cn1 = event.MobileAppsDetails.HarmfulAppCategory
cs5Label = 'AndroidComponentName'
cs5 = event.MobileAppsDetails.AndroidComponentName
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
maliciousDexHash.0 = event.MobileAppsDetails.MaliciousDexSHA256Hashes.0
maliciousDexHash.1 = event.MobileAppsDetails.MaliciousDexSHA256Hashes.1
maliciousDexHash.2 = event.MobileAppsDetails.MaliciousDexSHA256Hashes.2
maliciousDexHash.3 = event.MobileAppsDetails.MaliciousDexSHA256Hashes.3
maliciousDexHash.4 = event.MobileAppsDetails.MaliciousDexSHA256Hashes.4
maliciousApkHash.0 = event.MobileAppsDetails.MaliciousAPKSHA256Hashes.0
maliciousApkHash.1 = event.MobileAppsDetails.MaliciousAPKSHA256Hashes.1
maliciousApkHash.2 = event.MobileAppsDetails.MaliciousAPKSHA256Hashes.2
maliciousApkHash.3 = event.MobileAppsDetails.MaliciousAPKSHA256Hashes.3
maliciousApkHash.4 = event.MobileAppsDetails.MaliciousAPKSHA256Hashes.4
[MobileDetectionSummaryEvent_MobileNetworkConnections]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'Protocol'
cs1 = event.MobileNetworkConnections.Protocol
cn1Label = 'ConnectionFlags'
cn1 = event.MobileNetworkConnections.ConnectionFlags
src = event.MobileNetworkConnections.LocalAddress
c6a2 = event.MobileNetworkConnections.LocalAddress
dst = event.MobileNetworkConnections.RemoteAddress
c6a3 = event.MobileNetworkConnections.RemoteAddress
spt = event.MobileNetworkConnections.LocalPort
dpt = event.MobileNetworkConnections.RemotePort
deviceDirection = MobileNetworkConnections.ConnectionDirection
request = event.MobileNetworkConnections.Url
cs2Label = 'AppIdentifier'
cs2 = event.MobileNetworkConnections.AppIdentifier
cs3Label = 'IsAndroidAppContainerized'
cs3 = event.MobileNetworkConnections.IsAndroidAppContainerized
cn2Label = 'ContextProcessId'
cn2 = event.MobileNetworkConnections.ContextProcessId
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'Network Connection Timestamp'
deviceCustomDate1 = event.MobileNetworkConnections.AccessTimestamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_MobileDnsRequests]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
destinationDnsDomain = event.MobileDnsRequests.DomainName
cs1Label = 'RequestType'
cs1 = event.MobileDnsRequests.RequestType
cs2Label = 'AppIdentifier'
cs2 = event.MobileDnsRequests.AppIdentifier
dst = event.MobileDnsRequests.IpAddress
c6a3 = event.MobileDnsRequests.IpAddress
cn1Label = 'ContextProcessId'
cn1 = event.MobileDnsRequests.ContextProcessId
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'DNS Request Timestamp'
deviceCustomDate1 = event.MobileDnsRequests.AccessTimestamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_MountedVolumes]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'Type'
cs1 = event.MountedVolumes.Type
cs2Label = 'MountPoint'
cs2 = event.MountedVolumes.MountPoint
cs3Label = 'MountFlags'
cs3 = event.MountedVolumes.MountFlags
cs4Label = 'RealDeviceName'
cs4 = event.MountedVolumes.RealDeviceName
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_Trampolines]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'FunctionName'
cs1 = event.Trampolines.FunctionName
cs2Label = 'ExecutableBytes'
cs2 = event.Trampolines.ExecutableBytes
fname = event.Trampolines.ImageFileName
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_LoadedObjects]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
fname = event.LoadedObjects.FileName
fileHash = event.LoadedObjects.SHA256HashData
cs1Label = 'CodeSigningFlags'
cs1 = event.LoadedObjects.CodeSigningFlags
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'MethodSignature'
cs1 = event.ObjectiveCRuntimesAltered.MethodSignature
fname = event.ObjectiveCRuntimesAltered.ImageFileName
cs2Label = 'ExpectedImageFileName'
cs2 = event.ObjectiveCRuntimesAltered.ExpectedImageFileName
cs3Label = 'SuspectAddress'
cs3 = event.ObjectiveCRuntimesAltered.SuspectAddress
cs4Label = 'ExpectedAddress'
cs4 = event.ObjectiveCRuntimesAltered.ExpectedAddress
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_RootAccessIndicators]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'LogcatMessage'
cs1 = event.RootAccessIndicators.LogcatMessage
cs2Label = 'AndroidStackTrace'
cs2 = event.RootAccessIndicators.AndroidStackTrace
cs3Label = 'HookedFunctionName'
cs3 = event.RootAccessIndicators.HookedFunctionName
cs4Label = 'AndroidInitServiceName'
cs4 = event.RootAccessIndicators.AndroidInitServiceName
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_Certificates]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'CertificateName'
cs1 = event.Certificates.Name
cs2Label = 'CertificateIssuer'
cs2 = event.Certificates.Issuer
cs3Label = 'CertificateFingerPrint'
cs3 = event.Certificates.FingerPrint
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_EnvironmentVariables]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'EnvironmentVariableName'
cs1 = event.EnvironmentVariables.Name
cs2Label = 'EnvironmentVariableValue'
cs2 = event.EnvironmentVariables.Value
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[MobileDetectionSummaryEvent_SystemProperties]
__header.0 = metadata.eventType
__header.1 = event.Tactic
__header.2 = event.Severity
__header.3 = event.subType
externalId = event.SensorId
cs5Label = 'DetectId'
cs5 = event.DetectId
dhost = event.ComputerName
duser = event.UserName
msg = event.DetectDescription
dvcpid = event.ProcessId
cs1Label = 'SystemPropertyName'
cs1 = event.SystemProperties.Name
cs2Label = 'SystemPropertyValue'
cs2 = event.SystemProperties.Value
cs6Label = 'FalconHostLink'
cs6 = event.FalconHostLink
cn3Label = 'Offset'
cn3 = metadata.offset
deviceCustomDate1Label = 'ContextTimeStamp'
deviceCustomDate1 = event.ContextTimeStamp
rt = metadata.eventCreationTime
cat = event.Tactic
act = event.Technique
reason = event.Objective
[XdrDetectionSummaryEvent]
__header.0 = metadata.eventType
__header.1 = 'XDR Detection Summary Event'
__header.2 = event.Severity
cat = metadata.eventType
msg = event.Description
rt = metadata.eventCreationTime
tactics = event.Tactics
techniques = event.Techniques
xdrTypeLabel = 'XdrType'
xdrType = event.XdrType
authorLabel = 'Author'
author = event.Author
scheduledSearchExecutionIdLabel = 'ScheduledSearchExecutionId'
scheduledSearchExecutionId = event.ScheduledSearchExecutionId
scheduledSearchIdLabel = 'ScheduledSearchId'
scheduledSearchId = event.ScheduledSearchId
scheduledSearchUserIdLabel = 'ScheduledSearchUserId'
scheduledSearchUserId = event.ScheduledSearchUserId
scheduledSearchUserUUIDLabel = 'ScheduledSearchUserUUID'
scheduledSearchUserUUID = event.ScheduledSearchUserUUID
sourceProductsLabel = 'SourceProducts'
sourceProducts = event.SourceProducts
sourceVendorsLabel = 'SourceVendors'
sourceVendors = event.SourceVendors
dataDomainsLabel = 'DataDomains'
dataDomains = event.DataDomains
ipv4AddressesLabel = 'IPv4Addresses'
ipv4Addresses = event.IPv4Addresses
ipv6AddressesLabel = 'IPv6Addresses'
ipv6Addresses = event.IPv6Addresses
hostNamesLabel = 'HostNames'
hostNames = event.HostNames
domainNamesLabel = 'DomainNames'
domainNames = event.DomainNames
emailAddressesLabel = 'EmailAddresses'
emailAddresses = event.EmailAddresses
sha256HashesLabel = 'SHA256Hashes'
sha256Hashes = event.SHA256Hashes
md5HashesLabel = 'MD5Hashes'
md5Hashes = event.MD5Hashes
usersLabel = 'Users'
users = event.Users
cn3Label = 'Offset'
cn3 = metadata.offset
[IdpDetectionSummaryEvent]
__header.0 = metadata.eventType
__header.1 = 'Identity Protection Detection Summary Event'
__header.2 = event.Severity
cat = metadata.eventType
msg = event.DetectDescription
rt = metadata.eventCreationTime
tactic = event.Tactic
technique = event.Technique
targetServiceAccessIdentifierLabel = 'TargetServiceAccessIdentifier'
targetServiceAccessIdentifier = event.TargetServiceAccessIdentifier
targetEndpointSensorIdLabel = 'TargetEndpointSensorId'
targetEndpointSensorId = event.TargetEndpointSensorId
targetEndpointHostNameLabel = 'TargetEndpointHostName'
targetEndpointHostName = event.TargetEndpointHostName
targetEndpointAccountObjectSidLabel = 'TargetEndpointAccountObjectSid'
targetEndpointAccountObjectSid = event.TargetEndpointAccountObjectSid
targetEndpointAccountObjectGuidLabel = 'TargetEndpointAccountObjectGuid'
targetEndpointAccountObjectGuid = event.TargetEndpointAccountObjectGuid
targetAccountUpnLabel = 'TargetAccountUpn'
targetAccountUpn = event.TargetAccountUpn
targetAccountObjectSidLabel = 'TargetAccountObjectSid'
targetAccountObjectSid = event.TargetAccountObjectSid
targetAccountNameLabel = 'TargetAccountName'
targetAccountName = event.TargetAccountName
targetAccountDomainLabel = 'TargetAccountDomain'
targetAccountDomain = event.TargetAccountDomain
suspiciousMachineAccountAlterationTypeLabel = 'SuspiciousMachineAccountAlterationType'
suspiciousMachineAccountAlterationType = event.SuspiciousMachineAccountAlterationType
startTimeLabel = 'StartTime'
startTime = event.StartTime
ssoApplicationIdentifierLabel = 'SsoApplicationIdentifier'
ssoApplicationIdentifier = event.SsoApplicationIdentifier
sourceEndpointSensorIdLabel = 'SourceEndpointSensorId'
sourceEndpointSensorId = event.SourceEndpointSensorId
sourceEndpointIpReputationLabel = 'SourceEndpointIpReputation'
sourceEndpointIpReputation = event.SourceEndpointIpReputation
sourceEndpointIpAddressLabel = 'SourceEndpointIpAddress'
sourceEndpointIpAddress = event.SourceEndpointIpAddress
sourceEndpointHostNameLabel = 'SourceEndpointHostName'
sourceEndpointHostName = event.SourceEndpointHostName
sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectGuid'
sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectGuid
sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectSid'
sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectSid
sourceAccountUpnLabel = 'SourceAccountUpn'
sourceAccountUpn = event.SourceAccountUpn
sourceAccountObjectSidLabel = 'SourceAccountObjectSid'
sourceAccountObjectSid = event.SourceAccountObjectSid
sourceAccountNameLabel = 'SourceAccountName'
sourceAccountName = event.SourceAccountName
sourceAccountDomainLabel = 'SourceAccountDomain'
sourceAccountDomain = event.SourceAccountDomain
severityNameLabel = 'SeverityName'
severityName = event.SeverityName
rpcOpClassificationLabel = 'RpcOpClassification'
rpcOpClassification = event.RpcOpClassification
protocolAnomalyClassificationLabel = 'ProtocolAnomalyClassification'
protocolAnomalyClassification = event.ProtocolAnomalyClassification
previousPrivilegesLabel = 'PreviousPrivileges'
previousPrivileges = event.PreviousPrivileges
precedingActivityTimeStampLabel = 'PrecedingActivityTimeStamp'
precedingActivityTimeStamp = event.PrecedingActivityTimeStamp
patternIdLabel = 'PatternId'
patternId = event.PatternId
objectiveLabel = 'Objective'
objective = event.Objective
mostRecentActivityTimeStampLabel = 'MostRecentActivityTimeStamp'
mostRecentActivityTimeStamp = event.MostRecentActivityTimeStamp
locationCountryCodeLabel = 'LocationCountryCode'
locationCountryCode = event.LocationCountryCode
ldapSearchQueryAttackLabel = 'LdapSearchQueryAttack'
ldapSearchQueryAttack = event.LdapSearchQueryAttack
idpPolicyRuleTriggerLabel = 'IdpPolicyRuleTrigger'
idpPolicyRuleTrigger = event.IdpPolicyRuleTrigger
idpPolicyRuleNameLabel = 'IdpPolicyRuleName'
idpPolicyRuleName = event.IdpPolicyRuleName
idpPolicyRuleActionLabel = 'IdpPolicyRuleAction'
idpPolicyRuleAction = event.IdpPolicyRuleAction
falconHostLinkLabel = 'FalconHostLink'
falconHostLink = event.FalconHostLink
endTimeLabel = 'EndTime'
endTime = event.EndTime
detectNameLabel = 'DetectName'
detectName = event.DetectName
detectIdLabel = 'DetectId'
detectId = event.DetectId
contextTimeStampLabel = 'ContextTimeStamp'
contextTimeStamp = event.ContextTimeStamp
attemptOutcomeLabel = 'AttemptOutcome'
attemptOutcome = event.AttemptOutcome
anomalousTicketContentClassificationLabel = 'AnomalousTicketContentClassification'
anomalousTicketContentClassification = event.AnomalousTicketContentClassification
additionalSsoApplicationIdentifierLabel = 'AdditionalSsoApplicationIdentifier'
additionalSsoApplicationIdentifier = event.AdditionalSsoApplicationIdentifier
additionalLocationCountryCodeLabel = 'AdditionalLocationCountryCode'
additionalLocationCountryCode = event.AdditionalLocationCountryCode
additionalEndpointSensorIdLabel = 'AdditionalEndpointSensorId'
additionalEndpointSensorId = event.AdditionalEndpointSensorId
additionalEndpointIpAddressLabel = 'AdditionalEndpointIpAddress'
additionalEndpointIpAddress = event.AdditionalEndpointIpAddress
additionalEndpointHostNameLabel = 'AdditionalEndpointHostName'
additionalEndpointHostName = event.AdditionalEndpointHostName
additionalEndpointAccountObjectSidLabel = 'AdditionalEndpointAccountObjectSid'
additionalEndpointAccountObjectSid = event.AdditionalEndpointAccountObjectSid
additionalEndpointAccountObjectGuidLabel = 'AdditionalEndpointAccountObjectGuid'
additionalEndpointAccountObjectGuid = event.AdditionalEndpointAccountObjectGuid
additionalActivityIdLabel = 'AdditionalActivityId'
additionalActivityId = event.AdditionalActivityId
additionalAccountUpnLabel = 'AdditionalAccountUpn'
additionalAccountUpn = event.AdditionalAccountUpn
additionalAccountObjectSidLabel = 'AdditionalAccountObjectSid'
additionalAccountObjectSid = event.AdditionalAccountObjectSid
additionalAccountNameLabel = 'AdditionalAccountName'
additionalAccountName = event.AdditionalAccountName
additionalAccountDomainLabel = 'AdditionalAccountDomain'
additionalAccountDomain = event.AdditionalAccountDomain
addedPrivilegeLabel = 'AddedPrivilege'
addedPrivilege = event.AddedPrivilege
activityIdLabel = 'ActivityId'
activityId = event.ActivityId
accountCreationTimeStampLabel = 'AccountCreationTimeStamp'
accountCreationTimeStamp = event.AccountCreationTimeStamp
cn3Label = 'Offset'
cn3 = metadata.offset

Procedures and UI workflows

Checking Installed Integrations

In the Navigation Bar, click System Settings.
Click Applications.
You can search for the integration, or use the column headers to filter the list.

Download and Install the .pak

Download the .pak file from the Service Desk: https://servicedesk.logpoint.com/hc/en-us
Go to Settings >> System Settings from the navigation bar and click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.
After installing it, you can find it under Settings >> System Settings >> Plugins.

Use Log Source Template to Ingest Logs

See: Log Source Templates

Using a Device to Ingest Logs

To use a device there are 5 steps:

Configuring a Repo

Repos are locations where incoming logs are stored.

Go to Settings >> Configuration from the navigation bar and click Repos.
Click Add.
Enter a Repo Name.
Select a Repo Path to store incoming logs.
Set a Retention Day to keep logs in a repository before they are automatically deleted.
1. You can add and remove multiple Repo Path and Retention Day.
Select a Remote LogPoint and set a Available for (day).
Click Submit.

Normalizing Crowdstrike logs

Normalization Packages contain one or more signature-based normalizers. Each normalizer contains a list of signatures that are looked up in the log message. The signature ID of the line that the log message was matched against is added as a field to the log, in addition to a norm_id field with the name of the normalizer package used.

There are two types of Normalization Packages.

Vendor Packages are the Normalization Packages Logpoint developed and are part of the Log Source Integration. You can't modify or edit Vendor Packages. You can clone them and then make your changes or edits.
My Packages are the Normalization Packages that you create. You can create your own packages based on Vendor Packages. First clone a package, then make your changes. After that you can share your packages with other Logpoint A/Susers.

Compiled Normalizer

CrowdStrikeCEFCompiledNormalizer

Guide

1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

2. Click Add.

3. Enter a Policy Name.

4. Select the required Compiled Normalizers and Normalization Packages.

5. Click Submit.

Configuring a process policy

1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

2. Click Add .

3. Enter a Policy Name.

4. Select the previously created Normalization Policy.

5. Select the Enrichment Policy.

6. Select the Routing Policy.

7. Click Submit.

Adding CrowdStrike as a Device

To collect CrowdStrike logs, add the Linux server IP address(es) where Falcon SIEM Connector is configured in Logpoint. The IP address(es) enables a connection between the CrowdStrike device in Logpoint and the Falcon SIEM Connector.

Go to Settings>>Configuration from the navigation bar and click Devices.
Click Add.
Enter a device Name.
Enter the Linux server IP address(es).
Select the Device Groups.
Select a Log Collection Policy for the logs.
Select a collector or a forwarder from the Distributed Collector drop-down.
1. It is optional to select the Device Groups, the Log Collection Policy and the Distributed Collector.
Select a Time Zone. The timezone of the device must be same as its log source.
Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.
Click Submit.

Configuring the Syslog Collector

Syslog Collector gathers and stores log data from Falcon SIEM Connector. It uses the 514 port, and TCP or UDP protocol to collect log messages.

Go to Settings>>Configuration from the navigation bar and click Devices.
Click the Add icon from Actions of the previously added device.
Click Syslog Collector.
1. You can select a different collector depending on your requirements and added device. To learn more about available collectors go to collectors. If you require assistance, contact our support team.
Select Syslog Parser as Parser.
Select the previously created Processing Policy.
Select the Charset.
In Proxy Server, select None
Click Submit.

Expected Log Sample (CEF)

CEF:0|CrowdStrike|FalconHost|1.0|DNS Request In A Detection Summary Event|DNS Request In A Detection Summary Event|2|externalId=xxxxxxxxxxxxxxxxxxxxxxxxx cn2Label=ProcessId cn2=12786498086 dhost=ABC duser=XYZ fname=abc.exe filePath=\\Device\\HarddiskVolume3\\Program Files (x86)\\LANDesk\\LDClient\\Antivirus\\ dntdom=XXXXXXXXX cs5Label=CommandLine cs5="C:\\Program Files (x86)\\LANDesk\\LDClient\\antivirus\\kav10.2.4.509\\avp.exe" -r cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/8a49753809f543e580ab01a5c940f20e/1369930393423323624?_cid\=5f3116b030654c77a633ba6d596fb469 cn3Label=Offset cn3=27 deviceCustomDate1Label=DNS Request Time deviceCustomDate1=Mar 11 2022 08:45:24 rt=1615452656000 tactic=Machine Learning technique=Cloud-based ML objective=Falcon Detection Method patternDisposition=Detection, standard detection. outcome=0

We do our best to ensure that the content we provide is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied about the documentation. We update it on a best-effort basis.

Last updated 3 days ago

Was this helpful?