Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR


CIM extractions

New CIM extractions v1.2.0 vs v1.3.0

This table lists the events and CIM field extractions added in v1.3.0.

| sourcetype | event_simpleName | fields |
| --- | --- | --- |
| crowdstrike:events:sensor | AsepKeyUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | AsepValueUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, registry_value_data, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | ScheduledTaskRegistered, CreateService | service_name, tag, service_exec, eventtype, dest, user, process_id, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | DriverLoad | tag, eventtype, process_name, action, dest, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | ELFFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, file_hash, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | HostedServiceStarted | service_name, tag, service_exec, eventtype, dest, user, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | InjectedThread | tag, eventtype, action, dest, process_id, dest_ip, os, tag::eventtype |
| crowdstrike:events:sensor | ModifyServiceBinary | service_name, tag, service_exec, eventtype, dest, service_path, process_id, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | NewExecutableRenamed | result, tag, eventtype, action, dest, object, status, dvc, object_path, dest_ip, change_type, tag::eventtype |
| crowdstrike:events:sensor | RarFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | WmiCreateProcess, ScreenshotTakenEtw | process, tag, eventtype, process_name, action, dest, user, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | SensitiveWmiQuery | dest_name, result, user_type, tag, eventtype, action, dest, object_category, user, object_attrs, object, status, dvc, object_path, dest_ip, change_type, command, tag::eventtype |

New CIM extractions v1.3.0 vs v1.5.0

This table lists the events and CIM field extractions added in v1.5.0.

| sourcetype | event_simpleName | fields |
| --- | --- | --- |
| crowdstrike:events:sensor | HostInfo | dest, tag, enabled, eventtype, serial, os, tag::eventtype |
| crowdstrike:events:sensor | SystemCapacity | dest, tag, family, eventtype, cpu_cores, cpu_count, cpu_mhz, tag::eventtype |
| crowdstrike:events:sensor | LFODownloadConfirmation | action, tag, dest, eventtype, file_name, file_path, url_domain, tag::eventtype |
| crowdstrike:events:sensor | ProcessRollup2Stats | tag, eventtype, action, dest, os, parent_process_id, parent_process_path, process_exec, process_hash, process_path, tag::eventtype |
| crowdstrike:events:sensor | KernelModeLoadImage | tag, eventtype, action, dest, os, process, process_hash, process_id, process_name, process_path, tag::eventtype |
| crowdstrike:events:sensor | CriticalEnvironmentVariableChanged | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status, tag::eventtype |
| crowdstrike:events:sensor | InstanceMetadata | tag, eventtype, dest, enabled, family, serial, version, tag::eventtype |
| crowdstrike:events:sensor | InstalledApplication | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status, tag::eventtype |
Last modified on 14 December, 2023
This documentation applies to the following versions of Splunk® Supported Add-ons: released