Mappings: CrowdStrike Falcon Host API DetectionSummaryEvent
| Input | Value |
|---|---|
| Vendor | CrowdStrike |
| Product | Falcon Endpoint Protection |
| Log Format | JSON |
| Event ID Regex Pattern | DetectionSummaryEvent |

| Output | Value |
|---|---|
| Vendor | CrowdStrike |
| Product | Falcon |
| Record Type | Audit |

| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| description | DetectDescription | |
| device_hostname | ComputerName | |
| device_ip | LocalIP | |
| file_basename | FileName | |
| file_hash_md5 | MD5String | |
| file_hash_sha256 | SHA256String | |
| file_path | FilePath | |
| normalizedSeverity | Severity | Lookup field derived from the Severity value; the lookup table is not shown here (to be documented in the catalog). |
| severity | Severity | |
| threat_category | IOCType | |
| threat_identifier | IOCValue | |
| threat_name | DetectName | |
| threat_referenceUrl | FalconHostLink | |
| threat_ruleType | None | No record key is read; the static text `direct` is populated in this schema field. |
| threat_signalName | DetectDescription | |
| timestamp | metadata_eventCreationTime | The original record value of metadata_eventCreationTime is expected to be in epoch_ms format; a value in epoch seconds would be mis-dated. |
| user_username | UserName | |
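The following Python is an added worked example of the mapping in the table above; it is not Sumo Logic's or CrowdStrike's own code. It applies the Event ID regex, copies each original record key to its schema field, populates the static `direct` value for threat_ruleType, and converts metadata_eventCreationTime from epoch milliseconds. Assumptions not stated on the page: the event type is read from a flattened `metadata_eventType` key (mirroring the `metadata_eventCreationTime` key the page does name), the `SEVERITY_LOOKUP` table standing in for the normalizedSeverity lookup is a placeholder, and the sample record is constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Schema field -> original record key, taken from the mapping table above.
FIELD_MAP = {
    "description": "DetectDescription",
    "device_hostname": "ComputerName",
    "device_ip": "LocalIP",
    "file_basename": "FileName",
    "file_hash_md5": "MD5String",
    "file_hash_sha256": "SHA256String",
    "file_path": "FilePath",
    "severity": "Severity",
    "threat_category": "IOCType",
    "threat_identifier": "IOCValue",
    "threat_name": "DetectName",
    "threat_referenceUrl": "FalconHostLink",
    "threat_signalName": "DetectDescription",
    "user_username": "UserName",
}

# Event ID Regex Pattern from the Input table.
EVENT_ID_PATTERN = re.compile(r"DetectionSummaryEvent")

# ASSUMPTION: the page says normalizedSeverity is a lookup on Severity but does
# not publish the table; this placeholder maps Falcon's 1-5 scale to odd values.
SEVERITY_LOOKUP = {1: 1, 2: 3, 3: 5, 4: 7, 5: 9}


def epoch_ms_to_iso(value):
    """Convert an epoch_ms value to an ISO 8601 UTC timestamp.

    Anything below 10**11 would be earlier than March 1973 if read as
    milliseconds, so it is almost certainly epoch seconds. Reject it rather
    than silently dating the detection fifty years in the past.
    """
    if value < 10**11:
        raise ValueError(
            f"metadata_eventCreationTime {value} looks like epoch seconds, expected epoch_ms"
        )
    return datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()


def map_detection_summary_event(record):
    """Return the Cloud SIEM schema fields for one flattened Falcon record,
    or None if the record is not a DetectionSummaryEvent."""
    # ASSUMPTION: the event type lives in a flattened metadata_eventType key.
    event_type = str(record.get("metadata_eventType", ""))
    if not EVENT_ID_PATTERN.search(event_type):
        return None

    out = {}
    for schema_field, key in FIELD_MAP.items():
        if key in record:
            out[schema_field] = record[key]

    # threat_ruleType reads no record key; it is the static text "direct".
    out["threat_ruleType"] = "direct"

    severity = record.get("Severity")
    if severity is not None:
        out["normalizedSeverity"] = SEVERITY_LOOKUP.get(int(severity))

    created = record.get("metadata_eventCreationTime")
    if created is not None:
        out["timestamp"] = epoch_ms_to_iso(int(created))
    return out


# Constructed sample record (not a real detection); hashes are the empty-input digests.
SAMPLE_RECORD = {
    "metadata_eventType": "DetectionSummaryEvent",
    "metadata_eventCreationTime": 1700000000000,
    "ComputerName": "WIN10-LAB01",
    "LocalIP": "10.0.0.25",
    "UserName": "alice",
    "FileName": "mimikatz.exe",
    "FilePath": "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\",
    "MD5String": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA256String": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "Severity": 4,
    "DetectName": "Credential Theft",
    "DetectDescription": "A process attempted to read LSASS memory.",
    "IOCType": "hash_sha256",
    "IOCValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/EXAMPLE",
}

if __name__ == "__main__":
    for field, value in map_detection_summary_event(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

Records whose `metadata_eventType` does not match the regex (for example a UserActivityAuditEvent from the same stream) return None and are left to other mappings; a `metadata_eventCreationTime` in seconds raises instead of producing a 1970-era timestamp that would sort the detection out of every time-bounded search.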