Related Answers
Download topic as PDF
Source types for the Splunk Add-on for Crowdstrike
The Splunk Add-on for CrowdStrike FDR collects different logs and events from different sources monitored by the CrowdStrike platform. The add-on assigns different source types based on the source and type of each event or log message.
Based on the event source and event data, the Add-On assigns the sourcetype to one of the following:
| Source type | Description | Event Type | CIM data models |
|---|---|---|---|
| crowdstrike:events:external | CrowdStrike external security events triggered by actions coming from outside of the CrowdStrike environment, for example, user authentication to the CrowdStrike dashboard. | N/A | |
| crowdstrike:events:sensor | CrowdStrike events coming from agents/sensors. | See below | |
| crowdstrike:events:ztha | CrowdStrike zero trust host assessment (ZTA) events. | N/A | |
| crowdstrike:inventory:aidmaster | CrowdStrike aidmaster inventory updates. | N/A | |
| crowdstrike:inventory:managedassets | CrowdStrike managed assets inventory updates (for example, host network interfaces). | N/A | |
| crowdstrike:inventory:notmanaged | CrowdStrike "notmanaged" inventory updates (assets around managed hosts, detected by CrowdStrike agents). | N/A | |
| crowdstrike:inventory:appinfo | Application information inventory updates (file hashes and locations related to applications running at hosts). | N/A | |
| crowdstrike:inventory:userinfo | User information inventory updates (User SIDs, names and other user related information about users involved in external API events). | N/A |
Currently CIM normalization is done for a subset of crowdstrike:events:sensor events.
Crowdstrike FDR CIM normalization for crowdstrike:events:sensor events
| Event Type | Event simple names | CIM data models |
|---|---|---|
| crowdstrike_file_rename_info | FileRenameInfo | Change:Endpoint_Changes |
| crowdstrike_quarantined_file | QuarantinedFile | Malware:Malware_Attacks |
| crowdstrike_dns_request | DnsRequest | Network_Resolution:DNS |
| crowdstrike_os_version_info | OsVersionInfo | Inventory:OS |
| crowdstrike_quarantined_file_state | QuarantinedFileState | Malware:Malware_Attacks |
| crowdstrike_user_logoff | UserLogoff | Change:Account_Management |
| crowdstrike_local_ip_address_ip4 | LocalIpAddressIP4 | Compute_Inventory:Network |
| crowdstrike_local_ip_address_ip6 | LocalIpAddressIP6 | Compute_Inventory:Network |
| crowdstrike_network_listen_ip4 | NetworkListenIP4 | Endpoint:Ports |
| crowdstrike_network_listen_ip6 | NetworkListenIP6 | Endpoint:Ports |
| crowdstrike_network_receive_accept_ip4 | NetworkReceiveAcceptIP4 | Endpoint:Ports |
| crowdstrike_network_receive_accept_ip6 | NetworkReceiveAcceptIP6 | Endpoint:Ports |
| crowdstrike_command_history | CommandHistory | Endpoint:Processes |
| crowdstrike_process_rollup2 | ProcessRollup2 | Endpoint:Processes |
| crowdstrike_end_of_process | EndOfProcess | Endpoint:Processes |
| crowdstrike_synthetic_process_rollup2 | SyntheticProcessRollup2 | Endpoint:Processes |
| crowdstrike_image_hash | ImageHash | Endpoint:Processes |
| crowdstrike_process_blocked | ProcessBlocked | Endpoint:Processes |
| crowdstrike_privileged_process_handle_from_unsigned_module | PrivilegedProcessHandleFromUnsignedModule | Endpoint:Processes |
| crowdstrike_file_create_info | FileCreateInfo | Endpoint:Filesystem |
| crowdstrike_new_executable_written | NewExecutableWritten | Endpoint:Filesystem |
| crowdstrike_pe_file_written | PeFileWritten | Endpoint:Filesystem |
| crowdstrike_directory_create | DirectoryCreate | Endpoint:Filesystem |
| crowdstrike_critical_file_accessed | CriticalFileAccessed | Endpoint:Filesystem |
| crowdstrike_new_script_written | NewScriptWritten | Endpoint:Filesystem |
| crowdstrike_pe_version_info | PeVersionInfo | Endpoint:Filesystem |
| crowdstrike_file_open_info | FileOpenInfo | Endpoint:Filesystem |
| crowdstrike_executable_deleted | ExecutableDeleted | Endpoint:Filesystem |
| crowdstrike_packed_executable_written | PackedExecutableWritten | Endpoint:Filesystem |
| crowdstrike_user_identity | UserIdentity | Compute_Inventory:User |
| crowdstrike_service_started | ServiceStarted | Endpoint:Services |
| crowdstrike_user_logon | UserLogon, UserLogonFailed, UserLogonFailed2 | Authentication:Authentication |
| crowdstrike_network_connect_ip4 | NetworkConnectIP4 | Endpoint:Ports |
| crowdstrike_network_close_ip4 | NetworkCloseIP4 | Endpoint:Ports |
| crowdstrike_network_close_ip6 | NetworkCloseIP6 | Endpoint:Ports |
| crowdstrike_network_connect_ip6 | NetworkConnectIP6 | Endpoint:Ports |
| crowdstrike_asep_value_update | AsepValueUpdate | Endpoint:Registry |
| crowdstrike_asep_key_update | AsepKeyUpdate | Endpoint:Registry |
| crowdstrike_screenshot_taken_etw | ScreenshotTakenEtw | Endpoint:Processes |
| crowdstrike_new_executable_renamed | NewExecutableRenamed | Change:Endpoint_Changes |
| crowdstrike_wmi_create_process | WmiCreateProcess | Endpoint:Processes |
| crowdstrike_injected_thread | InjectedThread | Endpoint:Processes |
| crowdstrike_scheduled_task_registered | ScheduledTaskRegistered | Endpoint:Services |
| crowdstrike_create_service | CreateService | Endpoint:Services |
| crowdstrike_modify_service_binary | ModifyServiceBinary | Endpoint:Services |
| crowdstrike_hosted_service_started | HostedServiceStarted | Endpoint:Services |
| crowdstrike_sensitive_wmi_query | SensitiveWmiQuery | Change:Endpoint_Changes |
| crowdstrike_elf_file_written | ELFFileWritten | Endpoint:Filesystem |
| crowdstrike_driver_load | DriverLoad | Endpoint:Processes |
| crowdstrike_rar_file_written | RarFileWritten | Endpoint:Filesystem |
| crowdstrike_new_executable_renamed | NewExecutableRenamed | Change:Endpoint_Changes |
| crowdstrike_host_info | HostInfo | Inventory:OS |
| crowdstrike_system_capacity | SystemCapacity | Inventory:CPU |
| crowdstrike_lfo_download_confirmation | LFODownloadConfirmation | Endpoint:Filesystem |
| crowdstrike_process_rollup2_stats | ProcessRollup2Stats | Endpoint:Processes |
| crowdstrike_kernel_mode_load_image | KernelModeLoadImage | Endpoint:Processes |
| crowdstrike_critical_environment_variable_changed | CriticalEnvironmentVariableChanged | Change:Account_Management |
| crowdstrike_inctance_metadata | InstanceMetadata | Inventory:All_Inventory |
| crowdstrike_installed_application | InstalledApplication | Change:All_Changes |
Last modified on 14 December, 2023
|
PREVIOUS Index time vs search time JSON field extractions |
NEXT Lookups for the Splunk Add-on for CrowdStrike |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!