CIM extractions
New CIM extractions v1.2.0 vs v1.3.0
This table lists events and CIM fields extractions added in v1.3.0
| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AsepKeyUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, dest_ip |
| crowdstrike:events:sensor | AsepValueUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, registry_value_data, dest_ip |
| crowdstrike:events:sensor | ScheduledTaskRegistered | service_name, tag, service_exec, eventtype, dest, user, process_id, service_path, status, service, dest_ip |
| crowdstrike:events:sensor | DriverLoad | tag, eventtype, process_name, action, dest, process_id, process_path, dest_ip, os, process_exec |
| crowdstrike:events:sensor | ELFFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, file_hash, tag, file_name |
| crowdstrike:events:sensor | HostedServiceStarted | service_name, tag, service_exec, eventtype, dest, user, service_path, status, service, dest_ip |
| crowdstrike:events:sensor | InjectedThread | tag, eventtype, action, dest, process_id, dest_ip, os |
| crowdstrike:events:sensor | ModifyServiceBinary | tag, service_exec, eventtype, dest, service_path, process_id, status, service, dest_ip |
| crowdstrike:events:sensor | NewExecutableRenamed | result, tag, eventtype, action, dest, object, status, dvc, object_path, dest_ip, change_type |
| crowdstrike:events:sensor | RarFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, tag, file_name |
| crowdstrike:events:sensor | WmiCreateProcess | process, tag, eventtype, process_name, action, dest, user, process_id, process_path, dest_ip, os, process_exec |
| crowdstrike:events:sensor | SensitiveWmiQuery | dest_name, result, user_type, tag, eventtype, action, dest, object_category, user, object_attrs, object, status, dvc, object_path, dest_ip, change_type, command |
New CIM extractions v1.3.0 vs v1.5.0
This table lists events and CIM fields extractions added in v1.5.0
| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | HostInfo | dest, tag, enabled, eventtype, serial, os |
| crowdstrike:events:sensor | SystemCapacity | dest, tag, family, eventtype, cpu_cores, cpu_count, cpu_mhz |
| crowdstrike:events:sensor | LFODownloadConfirmation | action, tag, dest, eventtype, file_name, file_path, url_domain |
| crowdstrike:events:sensor | ProcessRollup2Stats | tag, eventtype, action, dest, os, parent_process_id, parent_process_path, process_exec, process_hash, process_path |
| crowdstrike:events:sensor | KernelModeLoadImage | tag, eventtype, action, dest, os, process, process_hash, process_id, process_name, process_path |
| crowdstrike:events:sensor | CriticalEnvironmentVariableChanged | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |
| crowdstrike:events:sensor | InstanceMetadata | tag, eventtype, dest, enabled, family, serial, version |
| crowdstrike:events:sensor | InstalledApplication | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |
New Events added in v2.0.0
This table lists events and CIM fields extractions added in v2.0.0
| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AssociateIndicator | app, description, dest, id, signature, src, type, user |
| crowdstrike:events:sensor | FsVolumeMounted | action, dest, file_access_time, file_name, file_path, process_id, vendor_product |
| crowdstrike:events:sensor | DmpFileWritten | action, dest, file_create_time, file_name, file_path, file_size, process_id, vendor_product |
| crowdstrike:events:sensor | RemovableMediaVolumeMounted | action, dest, dest_ip, file_access_time, file_name, file_path, process_guid, process_id, vendor_product |
| crowdstrike:events:sensor | ScriptControlScanInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |
| crowdstrike:events:sensor | ScriptControlDetectInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |
Changed Mappings in v2.0.0 vs v1.5.0
This table lists the CIM field mappings that changed between v1.5.0 and v2.0.0. Where only one raw field is given it is the v2.0.0 extraction; a value marked `(static)` is a constant set by the TA rather than a field read from the event.
| event_simpleName | CIM field | v2.0.0 extraction | v1.5.0 extraction | Comments |
|---|---|---|---|---|
| UserLogon | authentication_method | LogonType | | added in v2.0.0 |
| UserLogon | dest_nt_domain | LogonDomain | UserPrincipal | changed from UserPrincipal to LogonDomain |
| UserLogon | src | aid | | added in v2.0.0 |
| UserLogon | src_ip | aip | | added in v2.0.0 |
| UserLogon | src_user_type | UserIsAdmin | | UserIsAdmin: 1 = admin, 0 = user |
| UserLogon | user | UserName or UserPrincipal | FileOperatorSid or UserName | changed in v2.0.0 |
| UserIdentity | enabled | true (static) | enabled (static) | static extraction changed from `enabled` to `true` |
| AsepValueUpdate | action | RegOperationType | | resolved through a lookup; can be deleted, modified, created or read |
| AsepValueUpdate | registry_path | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_name | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_type | RegType | | resolved through the RegType lookup |
| AsepValueUpdate | status | success (static) | | added in v2.0.0 as a static extraction |
| UserLogonFailed2 | authentication_method | LogonType | | added in v2.0.0 |
| UserLogonFailed2 | src_user_type | UserIsAdmin | | UserIsAdmin: 1 = admin, 0 = user |
| UserLogonFailed2 | user_type | UserIsAdmin | | UserIsAdmin: 1 = admin, 0 = user |
| UserLogoff | object_attrs | Login Session (static) | | added in v2.0.0 as a static extraction |
| UserLogoff | result | event_simpleName | | static lockout |
| UserLogoff | src_nt_domain | LogonDomain | | added in v2.0.0 |
| CriticalFileAccessed | dest_ip | aip | | |
| PeFileWritten | user | UserName | FileOperatorSid | |
| ExecutableDeleted | file_hash | FileIdentifier | | |
| NewScriptWritten_Win | file_hash | FileIdentifier | | |
| NewScriptWritten_Win | process_id | ContextProcessId | | |
| DirectoryCreate | file_name | TargetFileName | TargetFileName | in v2.0.0 only the file name after the last `\` is extracted |
| DirectoryCreate | file_path | TargetFileName | | the full path is extracted |
| DirectoryCreate | process_id | ContextProcessId | | |
| PeVersionInfo | file_access_time | timestamp | | |
| PeVersionInfo | process_id | TargetProcessId | | |
| NewExecutableWritten | file_name | TargetFileName | | only the file name after the last `\` is extracted |
| NewExecutableWritten | file_path | TargetFileName | | |
| NewExecutableWritten | process_guid | id | | |
| NewScriptWritten | file_access_time | ContextTimeStamp | | |
| NewScriptWritten | file_create_time | ContextTimeStamp | | |
| NewScriptWritten | file_modify_time | ContextTimeStamp | | |
| NewScriptWritten | file_name | TargetFileName | | only the file name after the last `\` is extracted |
| NewScriptWritten | process_id | ContextProcessId | | |
| ScheduledTaskRegistered | description | Periodic scan task | | |
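The mapping table above is what a detection written against CIM field names silently depends on: a search that filtered `user` by SID values, or that relied on `file_name` holding a full path, returns nothing after the v2.0.0 change without raising any error. The script below is an added example, not code from the CrowdStrike Splunk TA: it re-derives the v2.0.0 CIM fields from the raw field names in the table over a handful of constructed sample events, so the behaviour of a saved search can be checked against sample data before an upgrade. The lookup code values for `RegOperationType` and `RegType` are placeholders (the TA's real lookup files are not reproduced), and the left-to-right precedence assumed for "UserName or UserPrincipal" is an assumption the table does not state.

```python
"""Re-derive the v2.0.0 CIM fields from the mapping table over constructed sample events.

Added example, not code from the CrowdStrike Splunk TA. Raw field names
(LogonType, UserIsAdmin, TargetFileName, ContextProcessId, RegObjectName, ...)
are the ones named in the table; the lookup code values below are placeholders.
"""
from __future__ import annotations

# PLACEHOLDER lookups: the TA resolves RegOperationType/RegType through its own
# lookup files. These codes are constructed for the example and are not
# CrowdStrike's values; only the set of resulting CIM values comes from the table.
REG_OPERATION_LOOKUP = {"1": "created", "2": "modified", "3": "deleted", "4": "read"}
REG_TYPE_LOOKUP = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD"}


def basename_win(path: str) -> str:
    """File name after the last backslash; the whole string if there is none."""
    return path.rsplit("\\", 1)[-1]


def user_type_from_admin_flag(flag: object) -> str:
    """UserIsAdmin: 1 -> admin, 0 -> user. Anything else is reported as unknown."""
    return {"1": "admin", "0": "user"}.get(str(flag), "unknown")


def to_cim_v2(ev: dict) -> dict:
    """Apply the v2.0.0 mappings from the table for the event types handled here.

    Returns only the CIM fields derived by this example. For 'UserName or
    UserPrincipal' the first present value wins (assumption: the table does not
    state the precedence).
    """
    name = ev.get("event_simpleName", "")
    cim: dict = {}
    if name == "UserLogon":
        cim["authentication_method"] = ev.get("LogonType")
        cim["dest_nt_domain"] = ev.get("LogonDomain")   # v1.5.0 used UserPrincipal
        cim["src"] = ev.get("aid")
        cim["src_ip"] = ev.get("aip")
        cim["src_user_type"] = user_type_from_admin_flag(ev.get("UserIsAdmin"))
        cim["user"] = ev.get("UserName") or ev.get("UserPrincipal")
    elif name == "UserLogonFailed2":
        cim["authentication_method"] = ev.get("LogonType")
        cim["src_user_type"] = user_type_from_admin_flag(ev.get("UserIsAdmin"))
        cim["user_type"] = cim["src_user_type"]
    elif name == "UserLogoff":
        cim["object_attrs"] = "Login Session"            # static extraction
        cim["src_nt_domain"] = ev.get("LogonDomain")
    elif name == "AsepValueUpdate":
        cim["action"] = REG_OPERATION_LOOKUP.get(str(ev.get("RegOperationType")), "unknown")
        cim["registry_path"] = ev.get("RegObjectName")
        cim["registry_value_name"] = ev.get("RegObjectName")
        cim["registry_value_type"] = REG_TYPE_LOOKUP.get(str(ev.get("RegType")), "unknown")
        cim["status"] = "success"                        # static extraction
    elif name == "PeFileWritten":
        cim["user"] = ev.get("UserName")                 # v1.5.0 used FileOperatorSid
    elif name in ("DirectoryCreate", "NewExecutableWritten"):
        target = ev.get("TargetFileName", "")
        cim["file_name"] = basename_win(target)          # name after the last backslash
        cim["file_path"] = target                        # full path
        if name == "DirectoryCreate":
            cim["process_id"] = ev.get("ContextProcessId")
        else:
            cim["process_guid"] = ev.get("id")
    elif name == "NewScriptWritten":
        ts = ev.get("ContextTimeStamp")
        cim["file_access_time"] = cim["file_create_time"] = cim["file_modify_time"] = ts
        cim["file_name"] = basename_win(ev.get("TargetFileName", ""))
        cim["process_id"] = ev.get("ContextProcessId")
    return cim


def events_missing_fields(events: list[dict], required: set[str]) -> list[str]:
    """event_simpleName of each event whose v2.0.0 CIM output lacks a field a search needs."""
    return [ev.get("event_simpleName", "?") for ev in events
            if not required.issubset(to_cim_v2(ev))]


# Constructed sample events (not real sensor output): just the raw fields the
# mappings read, plus a distractor or two.
SAMPLE_EVENTS = [
    {"event_simpleName": "UserLogon", "LogonType": "10", "LogonDomain": "CORP",
     "aid": "0123456789abcdef", "aip": "203.0.113.7", "UserIsAdmin": 1,
     "UserName": "alice", "UserPrincipal": "alice@corp.example"},
    {"event_simpleName": "UserLogonFailed2", "LogonType": "3", "UserIsAdmin": "0"},
    {"event_simpleName": "AsepValueUpdate", "RegOperationType": "1", "RegType": "1",
     "RegObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"event_simpleName": "DirectoryCreate", "ContextProcessId": "4242",
     "TargetFileName": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage"},
    {"event_simpleName": "NewScriptWritten", "ContextTimeStamp": "1700000000.123",
     "ContextProcessId": "4243", "TargetFileName": "C:\\ProgramData\\stage.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_simpleName"], to_cim_v2(ev))
    # A search keyed on file_path would match DirectoryCreate but none of the others.
    print("events without file_path:", events_missing_fields(SAMPLE_EVENTS, {"file_path"}))
```

Run it against exported sample events of each type your searches touch; any event type listed by `events_missing_fields` for a field your search filters on needs the search rewritten (for example, `file_name` no longer carries the directory part, so path-prefix conditions must move to `file_path`).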