Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR


Source types for the Splunk Add-on for Crowdstrike

The Splunk Add-on for CrowdStrike FDR collects different logs and events from different sources monitored by the CrowdStrike platform. The add-on assigns different source types based on the source and type of each event or log message.

Based on the event source and the event data, the add-on assigns each event one of the following source types:


| Source type | Description | Event Type | CIM data models |
|---|---|---|---|
| crowdstrike:events:external | CrowdStrike external security events triggered by actions coming from outside of the CrowdStrike environment, for example, user authentication to the CrowdStrike dashboard. | | N/A |
| crowdstrike:events:sensor | CrowdStrike events coming from agents/sensors. | | See below |
| crowdstrike:events:ztha | CrowdStrike zero trust host assessment security events. | | N/A |
| crowdstrike:inventory:aidmaster | CrowdStrike aidmaster inventory updates. | | N/A |
| crowdstrike:inventory:managedassets | CrowdStrike managed assets inventory updates (for example, host network interfaces). | | N/A |
| crowdstrike:inventory:notmanaged | CrowdStrike not managed inventory updates (assets around managed hosts, detected by CrowdStrike agents). | | N/A |

Currently, CIM normalization is applied only to a subset of crowdstrike:events:sensor events, listed in the table below. Sensor events that are not listed are still indexed under that source type but are not mapped to any CIM data model.

Crowdstrike FDR CIM normalization for crowdstrike:events:sensor events

| Event Type | Event simple names | CIM data models |
|---|---|---|
| crowdstrike_file_rename_info | FileRenameInfo | Change:Endpoint_Changes |
| crowdstrike_quarantined_file | QuarantinedFile | Malware:Malware_Attacks |
| crowdstrike_dns_request | DnsRequest | Network_Resolution:DNS |
| crowdstrike_os_version_info | OsVersionInfo | Inventory:OS |
| crowdstrike_quarantined_file_state | QuarantinedFileState | Malware:Malware_Attacks |
| crowdstrike_user_logoff | UserLogoff | Change:Account_Management |
| crowdstrike_local_ip_address_ip4 | LocalIpAddressIP4 | Compute_Inventory:Network |
| crowdstrike_local_ip_address_ip6 | LocalIpAddressIP6 | Compute_Inventory:Network |
| crowdstrike_network_listen_ip4 | NetworkListenIP4 | Endpoint:Ports |
| crowdstrike_network_listen_ip6 | NetworkListenIP6 | Endpoint:Ports |
| crowdstrike_network_receive_accept_ip4 | NetworkReceiveAcceptIP4 | Endpoint:Ports |
| crowdstrike_network_receive_accept_ip6 | NetworkReceiveAcceptIP6 | Endpoint:Ports |
| crowdstrike_command_history | CommandHistory | Endpoint:Processes |
| crowdstrike_process_rollup2 | ProcessRollup2 | Endpoint:Processes |
| crowdstrike_end_of_process | EndOfProcess | Endpoint:Processes |
| crowdstrike_synthetic_process_rollup2 | SyntheticProcessRollup2 | Endpoint:Processes |
| crowdstrike_image_hash | ImageHash | Endpoint:Processes |
| crowdstrike_process_blocked | ProcessBlocked | Endpoint:Processes |
| crowdstrike_privileged_process_handle_from_unsigned_module | PrivilegedProcessHandleFromUnsignedModule | Endpoint:Processes |
| crowdstrike_file_create_info | FileCreateInfo | Endpoint:Filesystem |
| crowdstrike_new_executable_written | NewExecutableWritten | Endpoint:Filesystem |
| crowdstrike_pe_file_written | PeFileWritten | Endpoint:Filesystem |
| crowdstrike_directory_create | DirectoryCreate | Endpoint:Filesystem |
| crowdstrike_critical_file_accessed | CriticalFileAccessed | Endpoint:Filesystem |
| crowdstrike_new_script_written | NewScriptWritten | Endpoint:Filesystem |
| crowdstrike_pe_version_info | PeVersionInfo | |
| crowdstrike_file_open_info | FileOpenInfo | Endpoint:Filesystem |
| crowdstrike_executable_deleted | ExecutableDeleted | Endpoint:Filesystem |
| crowdstrike_packed_executable_written | PackedExecutableWritten | Endpoint:Filesystem |
| crowdstrike_user_identity | UserIdentity | Compute_Inventory:User |
| crowdstrike_service_started | ServiceStarted | Endpoint:Services |
| crowdstrike_user_logon | UserLogon, UserLogonFailed, UserLogonFailed2 | Authentication:Authentication |
| crowdstrike_network_connect_ip4 | NetworkConnectIP4 | Endpoint:Ports |
| crowdstrike_network_close_ip4 | NetworkCloseIP4 | Endpoint:Ports |
| crowdstrike_network_close_ip6 | NetworkCloseIP6 | Endpoint:Ports |
| crowdstrike_network_connect_ip6 | NetworkConnectIP6 | Endpoint:Ports |
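Because only the sensor events in the table above are CIM-normalized, a useful health check is to see which event simple names in your indexed data are matched by one of the add-on's `crowdstrike_*` eventtypes and which are not. The following search is an added example and is not part of the Splunk documentation or the add-on. It assumes that FDR sensor events carry the CrowdStrike `event_simpleName` field, that the add-on's eventtype definitions populate the `eventtype` field at search time, and that the data lives in an index named `crowdstrike` (a placeholder; substitute your own index).

```spl
index=crowdstrike sourcetype="crowdstrike:events:sensor" earliest=-24h
| eval cim_eventtype=mvfilter(match(eventtype, "^crowdstrike_"))
| eval normalized=if(isnull(cim_eventtype), "not normalized", "normalized")
| stats count by event_simpleName, normalized, cim_eventtype
| sort - count
```

Rows marked "not normalized" are sensor events that exist in your data but fall outside the CIM subset above; they remain searchable by `sourcetype` and `event_simpleName`, but will not appear in data-model searches. The `Model:Dataset` notation in the CIM data models column corresponds to the `datamodel=` argument of `tstats`, so events mapped to `Endpoint:Processes` are queried with `| tstats count from datamodel=Endpoint.Processes where sourcetype="crowdstrike:events:sensor" by Processes.process_name`, which you can compare against the raw counts from the search above to confirm the mapping is working.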
Last modified on 26 April, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

