CIM extractions

New CIM extractions v1.2.0 vs v1.3.0

This table lists the events and CIM field extractions added in v1.3.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AsepKeyUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | AsepValueUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, registry_value_data, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | ScheduledTaskRegistered, CreateService | service_name, tag, service_exec, eventtype, dest, user, process_id, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | DriverLoad | tag, eventtype, process_name, action, dest, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | ELFFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, file_hash, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | HostedServiceStarted | service_name, tag, service_exec, eventtype, dest, user, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | InjectedThread | tag, eventtype, action, dest, process_id, dest_ip, os |
| crowdstrike:events:sensor | ModifyServiceBinary | tag, service_exec, eventtype, dest, service_path, process_id, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | NewExecutableRenamed | result, tag, eventtype, action, dest, object, status, dvc, object_path, dest_ip, change_type, tag::eventtype |
| crowdstrike:events:sensor | RarFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | WmiCreateProcess, ScreenshotTakenEtw | process, tag, eventtype, process_name, action, dest, user, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | SensitiveWmiQuery | dest_name, result, user_type, tag, eventtype, action, dest, object_category, user, object_attrs, object, status, dvc, object_path, dest_ip, change_type, command, tag::eventtype |

New CIM extractions v1.3.0 vs v1.5.0

This table lists the events and CIM field extractions added in v1.5.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | HostInfo | dest, tag, enabled, eventtype, serial, os |
| crowdstrike:events:sensor | SystemCapacity | dest, tag, family, eventtype, cpu_cores, cpu_count, cpu_mhz |
| crowdstrike:events:sensor | LFODownloadConfirmation | action, tag, dest, eventtype, file_name, file_path, url_domain |
| crowdstrike:events:sensor | ProcessRollup2Stats | tag, eventtype, action, dest, os, parent_process_id, parent_process_path, process_exec, process_hash, process_path |
| crowdstrike:events:sensor | KernelModeLoadImage | tag, eventtype, action, dest, os, process, process_hash, process_id, process_name, process_path |
| crowdstrike:events:sensor | CriticalEnvironmentVariableChanged | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |
| crowdstrike:events:sensor | InstanceMetadata | tag, eventtype, dest, enabled, family, serial, version |
| crowdstrike:events:sensor | InstalledApplication | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status |

New Events added in v2.0.0

This table lists the events and CIM field extractions added in v2.0.0.

| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AssociateIndicator | app, description, dest, id, signature, src, type, user |
| crowdstrike:events:sensor | FsVolumeMounted | action, dest, file_access_time, file_name, file_path, process_id, vendor_product |
| crowdstrike:events:sensor | DmpFileWritten | action, dest, file_create_time, file_name, file_path, file_size, process_id, vendor_product |
| crowdstrike:events:sensor | RemovableMediaVolumeMounted | action, dest, dest_ip, file_access_time, file_name, file_path, process_guid, process_id, vendor_product |
| crowdstrike:events:sensor | ScriptControlScanInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |
| crowdstrike:events:sensor | ScriptControlDetectInfo | app, description, dest, dest_ip, id, signature, src, src_ip, type |

Changed Mappings in v2.0.0 vs v1.5.0

This table lists the CIM field mappings that changed between v1.5.0 and v2.0.0 (fields added, modified or removed, with the raw field each CIM field is extracted from in each version).

| event_simpleName | Field (added / modified / removed) | 2.0.0 extractions | 1.5.0 extractions | Comments |
|---|---|---|---|---|
| UserLogon | authentication_method | LogonType | | added in v2.0.0 |
| UserLogon | dest_nt_domain | LogonDomain | UserPrincipal | changed from UserPrincipal to LogonDomain |
| UserLogon | src | aid | | added in v2.0.0 |
| UserLogon | src_ip | aip | | added in v2.0.0 |
| UserLogon | src_user_type | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogon | user | UserName or UserPrincipal | FileOperatorSid or UserName | changed in v2.0.0 |
| UserIdentity | enabled | true | enabled | Static extraction changed from enabled to true |
| AsepValueUpdate | action | RegOperationType | | Based on lookups; value can be deleted, modified, created or read |
| AsepValueUpdate | registry_path | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_name | RegObjectName | | added in v2.0.0 |
| AsepValueUpdate | registry_value_type | RegType | | Based on lookup RegType |
| AsepValueUpdate | status | success | | added in v2.0.0, static extraction |
| UserLogonFailed2 | authentication_method | LogonType | | added in v2.0.0 |
| UserLogonFailed2 | src_user_type | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogonFailed2 | user_type | UserIsAdmin | | UserIsAdmin: 1 - admin, 0 - user |
| UserLogoff | object_attrs | static Login Session | | added in v2.0.0, static extraction Login Session |
| UserLogoff | result | event_simpleName | static lockout | |
| UserLogoff | src_nt_domain | LogonDomain | | added in v2.0.0 |
| CriticalFileAccessed | dest_ip | aip | | |
| PeFileWritten | user | UserName | FileOperatorSid | |
| ExecutableDeleted | file_hash | FileIdentifier | | |
| NewScriptWritten_Win | file_hash | FileIdentifier | | |
| NewScriptWritten_Win | process_id | ContextProcessId | | |
| DirectoryCreate | file_name | TargetFileName | TargetFileName | In v2.0.0 only the file name after the last `\` is extracted |
| DirectoryCreate | file_path | TargetFileName | | Full path is extracted |
| DirectoryCreate | process_id | ContextProcessId | | |
| PeVersionInfo | file_access_time | timestamp | | |
| PeVersionInfo | process_id | TargetProcessId | | |
| NewExecutableWritten | file_name | TargetFileName | | Only the file name after the last `\` is extracted |
| NewExecutableWritten | file_path | TargetFileName | | |
| NewExecutableWritten | process_guid | id | | |
| NewScriptWritten | file_access_time | ContextTimeStamp | | |
| NewScriptWritten | file_create_time | ContextTimeStamp | | |
| NewScriptWritten | file_modify_time | ContextTimeStamp | | |
| NewScriptWritten | file_name | TargetFileName | | Only the file name after the last `\` is extracted |
| NewScriptWritten | process_id | ContextProcessId | | |
| ScheduledTaskRegistered | description | | | Periodic scan task |