CIM extractions
New CIM extractions v1.2.0 vs v1.3.0
This table lists the events and CIM field extractions added in v1.3.0.
| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | AsepKeyUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | AsepValueUpdate | registry_hive, tag, registry_value_type, eventtype, action, dest, process_id, registry_path, status, registry_value_data, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | ScheduledTaskRegistered, CreateService | service_name, tag, service_exec, eventtype, dest, user, process_id, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | DriverLoad | tag, eventtype, process_name, action, dest, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | ELFFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, file_hash, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | HostedServiceStarted | service_name, tag, service_exec, eventtype, dest, user, service_path, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | InjectedThread | tag, eventtype, action, dest, process_id, dest_ip, os, tag::eventtype |
| crowdstrike:events:sensor | ModifyServiceBinary | service_name, tag, service_exec, eventtype, dest, service_path, process_id, status, service, dest_ip, tag::eventtype |
| crowdstrike:events:sensor | NewExecutableRenamed | result, tag, eventtype, action, dest, object, status, dvc, object_path, dest_ip, change_type, tag::eventtype |
| crowdstrike:events:sensor | RarFileWritten | eventtype, action, file_access_time, dest, process_id, file_path, file_create_time, tag, file_name, tag::eventtype |
| crowdstrike:events:sensor | WmiCreateProcess, ScreenshotTakenEtw | process, tag, eventtype, process_name, action, dest, user, process_id, process_path, dest_ip, os, tag::eventtype, process_exec |
| crowdstrike:events:sensor | SensitiveWmiQuery | dest_name, result, user_type, tag, eventtype, action, dest, object_category, user, object_attrs, object, status, dvc, object_path, dest_ip, change_type, command, tag::eventtype |
New CIM extractions v1.3.0 vs v1.5.0
This table lists the events and CIM field extractions added in v1.5.0.
| sourcetype | event_simpleName | fields |
|---|---|---|
| crowdstrike:events:sensor | HostInfo | dest, tag, enabled, eventtype, serial, os, tag::eventtype |
| crowdstrike:events:sensor | SystemCapacity | dest, tag, family, eventtype, cpu_cores, cpu_count, cpu_mhz, tag::eventtype |
| crowdstrike:events:sensor | LFODownloadConfirmation | action, tag, dest, eventtype, file_name, file_path, url_domain, tag::eventtype |
| crowdstrike:events:sensor | ProcessRollup2Stats | tag, eventtype, action, dest, os, parent_process_id, parent_process_path, process_exec, process_hash, process_path, tag::eventtype |
| crowdstrike:events:sensor | KernelModeLoadImage | tag, eventtype, action, dest, os, process, process_hash, process_id, process_name, process_path, tag::eventtype |
| crowdstrike:events:sensor | CriticalEnvironmentVariableChanged | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status, tag::eventtype |
| crowdstrike:events:sensor | InstanceMetadata | tag, eventtype, dest, enabled, family, serial, version, tag::eventtype |
| crowdstrike:events:sensor | InstalledApplication | tag, eventtype, action, change_type, dest, dvc, object, object_attrs, object_category, result, src, status, tag::eventtype |
Last modified on 14 December, 2023
This documentation applies to the following versions of Splunk® Supported Add-ons: released