
CIM extractions

New CIM extractions v1.2.0 vs v1.3.0

This table lists the events and CIM field extractions added in v1.3.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AsepKeyUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | AsepValueUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, registry_value_data, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | ScheduledTaskRegistered, CreateService | service_name, tag, service_exec, eventtype, dest, user, process_id, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | DriverLoad | tag, eventtype, process_name, action, dest, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | ELFFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, file_hash, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | HostedServiceStarted | service_name, tag, service_exec, eventtype, dest, user, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | InjectedThread | tag, eventtype, action, dest, process_id, dest_ip, os |
| crowdstrike:events:sensor | ModifyServiceBinary | tag, service_exec, eventtype, dest, service_path, process_id, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | NewExecutableRenamed | result, tag, eventtype, action, dest, object, status, dvc, object_path, dest_ip, change_type, tag::eventtype |
| crowdstrike:events:sensor | RarFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | WmiCreateProcess, ScreenshotTakenEtw | process, tag, eventtype, process_name, action, dest, user, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | SensitiveWmiQuery | dest_name, result, user_type, tag, eventtype, action, dest, object_category, user, object_attrs, object, status, dvc, object_path, dest_ip, change_type, command, tag::eventtype |

New CIM extractions v1.3.0 vs v1.5.0

This table lists the events and CIM field extractions added in v1.5.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | HostInfo | dest, tag, enabled, eventtype, serial, os |
| crowdstrike:events:sensor | SystemCapacity | dest, tag, family, eventtype, cpu_cores, cpu_count, cpu_mhz |
| crowdstrike:events:sensor | LFODownloadConfirmation | action, tag, dest, eventtype, file_name, file_path, url_domain |
| crowdstrike:events:sensor | ProcessRollup2Stats | tag, eventtype, action, dest, os, parent_process_id, parent_process_path, process_exec, process_hash, process_path |
| crowdstrike:events:sensor | KernelModeLoadImage | tag, eventtype, action, dest, os, process, process_hash, process_id, process_name, process_path |
| crowdstrike:events:sensor | CriticalEnvironmentVariableChanged | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |
| crowdstrike:events:sensor | InstanceMetadata | tag, eventtype, dest, enabled, family, serial, version |
| crowdstrike:events:sensor | InstalledApplication | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |

New Events added in v2.0.0

This table lists the events and CIM field extractions added in v2.0.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AssociateIndicator | app, description, dest, id, signature, src, type, user |
| crowdstrike:events:sensor | FsVolumeMounted | action, dest, file_access_time, file_name, file_path, process_id, vendor_product |
| crowdstrike:events:sensor | DmpFileWritten | action, dest, file_create_time, file_name, file_path, file_size, process_id, vendor_product |
| crowdstrike:events:sensor | RemovableMediaVolumeMounted | action, dest, dest_ip, file_access_time, file_name, file_path, process_guid, process_id, vendor_product |
| crowdstrike:events:sensor | ScriptControlScanInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |
| crowdstrike:events:sensor | ScriptControlDetectInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |

Changed mappings in v2.0.0 vs v1.5.0

This table lists the events and CIM field extractions added or changed in v2.0.0 compared to v1.5.0. The "Change" column marks a field as added or modified where the page states it; the extraction columns give the raw source field (or static value) each CIM field is taken from in each version.

| event_simpleName | Field | Change | 2.0.0 extraction | 1.5.0 extraction | Comments |
|---|---|---|---|---|---|
| UserLogon | authentication_method | added | LogonType | | added in v2.0.0 |
| UserLogon | dest_nt_domain | modified | LogonDomain | UserPrincipal | changed from UserPrincipal to LogonDomain |
| UserLogon | src | added | aid | | added in v2.0.0 |
| UserLogon | src_ip | added | aip | | added in v2.0.0 |
| UserLogon | src_user_type | | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogon | user | modified | UserName or UserPrincipal | FileOperatorSid or UserName | changed in v2.0.0 |
| UserIdentity | enabled | modified | true | enabled | Static extraction changed from enabled to true |
| AsepValueUpdate | action | | RegOperationType | | Based on lookups; can be deleted, modified, created or read |
| AsepValueUpdate | registry_path | added | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_name | added | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_type | | RegType | | Based on lookup RegType |
| AsepValueUpdate | status | added | success | | added in v2.0.0, static extraction |
| UserLogonFailed2 | authentication_method | added | LogonType | | added in v2.0.0 |
| UserLogonFailed2 | src_user_type | | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogonFailed2 | user_type | | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogoff | object_attrs | added | static Login Session | | added in v2.0.0, static extraction Login Session |
| UserLogoff | result | modified | event_simpleName | static lockout | |
| UserLogoff | src_nt_domain | added | LogonDomain | | added in v2.0.0 |
| CriticalFileAccessed | dest_ip | | aip | | |
| PeFileWritten | user | modified | UserName | FileOperatorSid | |
| ExecutableDeleted | file_hash | | FileIdentifier | | |
| NewScriptWritten_Win | file_hash | | FileIdentifier | | |
| NewScriptWritten_Win | process_id | | ContextProcessId | | |
| DirectoryCreate | file_name | modified | TargetFileName | TargetFileName | In v2.0.0 only the file name after the last \ is extracted |
| DirectoryCreate | file_path | | TargetFileName | | Full path is extracted |
| DirectoryCreate | process_id | | ContextProcessId | | |
| PeVersionInfo | file_access_time | | timestamp | | |
| PeVersionInfo | process_id | | TargetProcessId | | |
| NewExecutableWritten | file_name | | TargetFileName | | Only the file name after the last \ is extracted |
| NewExecutableWritten | file_path | | TargetFileName | | |
| NewExecutableWritten | process_guid | | id | | |
| NewScriptWritten | file_access_time | | ContextTimeStamp | | |
| NewScriptWritten | file_create_time | | ContextTimeStamp | | |
| NewScriptWritten | file_modify_time | | ContextTimeStamp | | |
| NewScriptWritten | file_name | | TargetFileName | | Only the file name after the last \ is extracted |
| NewScriptWritten | process_id | | ContextProcessId | | |
| ScheduledTaskRegistered | description | | Periodic scan task | | |