- Constants
- Variables
- func LogTypes() logtypes.Group
- type AIDMaster
- type AppInfo
- type BaseEvent
- type CommonIdentityFields
- type ContextEvent
- type DNSRequest
- type GroupIdentity
- type ManagedAssets
- type NetworkConnect
- type NetworkListen
- type NotManagedAssets
- type ProcessRollup2
- type SyntheticProcessRollup2
- type UnknownEvent
- type UnknownEventWithPayload
- type UserIdentity
- type UserInfo
Constants ¶
// TypePrefix is the namespace prepended (with a ".") to every log type
// name this package registers, e.g. "Crowdstrike.DNSRequest". Keep it
// stable: renaming it renames every registered type and breaks any
// detection or schema that references the old names.
const (
	TypePrefix = "Crowdstrike"
)
Variables ¶
// TypeAppInfo is the log type for Falcon Discover application inventory
// records; each event is decoded into a fresh *AppInfo.
// logtypes.MustBuild is used directly here (some siblings in this file go
// through the package-local mustBuild helper instead); by the Must naming
// convention a malformed config is expected to panic at package init.
var TypeAppInfo = logtypes.MustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".AppInfo",
	Description:  "Detected Application Information provided by Falcon Discover",
	ReferenceURL: "https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo",
	NewEvent:     func() interface{} { return &AppInfo{} },
})

// TypeUserInfo is the log type for Falcon Discover user account and logon
// inventory records; each event is decoded into a fresh *UserInfo.
var TypeUserInfo = logtypes.MustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".UserInfo",
	Description:  "User Account & Logon information provided by Falcon Discover",
	ReferenceURL: "https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-userinfo",
	NewEvent:     func() interface{} { return &UserInfo{} },
})
// TypeUserIdentity registers the sensor UserIdentity event (emitted when a
// user logs in to a host). Note that it goes through the package-local
// mustBuild helper rather than logtypes.MustBuild directly; whatever extra
// handling that helper adds is not visible in this file.
var TypeUserIdentity = mustBuild(logtypes.ConfigJSON{
	Name: TypePrefix + ".UserIdentity",
	Description: `The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms.`,
	ReferenceURL: `https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-UserIdentity`,
	NewEvent:     func() interface{} { return &UserIdentity{} },
})

// TypeGroupIdentity registers the (Mac-only) GroupIdentity sensor event,
// which maps a GID to an AuthenticationId / UserPrincipal / UserSid triple
// for the current sensor boot.
var TypeGroupIdentity = mustBuild(logtypes.ConfigJSON{
	Name: TypePrefix + ".GroupIdentity",
	Description: `Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform.`,
	ReferenceURL: `https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity`,
	NewEvent:     func() interface{} { return &GroupIdentity{} },
})
nolint:lll
// Falcon Insight host-inventory feeds (FDR "aid_master", "managedassets"
// and "notmanaged"). These are snapshot/inventory records rather than
// sensor telemetry, which is why they are registered with
// logtypes.MustBuild directly instead of the local mustBuild helper used
// for sensor events (the helper's extra behaviour is not visible here).
var (
	// TypeAIDMaster: one record per sensor with hardware, OS and domain details.
	TypeAIDMaster = logtypes.MustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".AIDMaster",
		Description:  "Sensor and Host information provided by Falcon Insight",
		ReferenceURL: "https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master",
		NewEvent:     func() interface{} { return &AIDMaster{} },
	})

	// TypeManagedAssets: network identity (IP, MAC, gateway) of a managed host.
	TypeManagedAssets = logtypes.MustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".ManagedAssets",
		Description:  "Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)",
		ReferenceURL: "https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets",
		NewEvent:     func() interface{} { return &ManagedAssets{} },
	})

	// TypeNotManagedAssets: hosts seen on the network that carry no sensor
	// (useful for shadow-asset / coverage-gap reporting).
	TypeNotManagedAssets = logtypes.MustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".NotManagedAssets",
		Description:  "Unmanaged Host discovery information provided by Falcon Insight",
		ReferenceURL: "https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-notmanaged",
		NewEvent:     func() interface{} { return &NotManagedAssets{} },
	})
)
nolint:lll
// TypeNetworkConnect covers both NetworkConnectIP4 and NetworkConnectIP6
// sensor events (see the oneof validation on NetworkConnect.EventSimpleName).
// No public reference URL is recorded for this event ("-").
var TypeNetworkConnect = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".NetworkConnect",
	Description:  `This event is generated when an application attempts a remote connection on an interface`,
	ReferenceURL: `-`,
	NewEvent:     func() interface{} { return &NetworkConnect{} },
})

// TypeNetworkListen covers both NetworkListenIP4 and NetworkListenIP6
// sensor events. No public reference URL is recorded for this event ("-").
var TypeNetworkListen = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".NetworkListen",
	Description:  `This event is generated when an application establishes a socket in listening mode`,
	ReferenceURL: `-`,
	NewEvent:     func() interface{} { return &NetworkListen{} },
})
nolint:lll
// Process execution events. ProcessRollup2 ("PR2") is the primary process
// record on every platform; SyntheticProcessRollup2 is the sensor's
// reconstructed variant. Neither has a public reference URL recorded ("-").
var (
	TypeProcessRollup2 = mustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".ProcessRollup2",
		Description:  `This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.`,
		ReferenceURL: `-`,
		NewEvent:     func() interface{} { return &ProcessRollup2{} },
	})

	TypeSyntheticProcessRollup2 = mustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".SyntheticProcessRollup2",
		Description:  `A synthetic version of the process rollup (PR2) event`,
		ReferenceURL: `-`,
		NewEvent:     func() interface{} { return &SyntheticProcessRollup2{} },
	})
)
nolint:lll
var (
	// TypeDNSRequest registers the DnsRequest sensor event, emitted for
	// every attempted name resolution on a host. DomainName is the field
	// tagged for domain-indicator extraction (see DNSRequest).
	TypeDNSRequest = mustBuild(logtypes.ConfigJSON{
		Name:         TypePrefix + ".DNSRequest",
		Description:  `This event is generated for every attempted DNS name resolution on a host.`,
		ReferenceURL: `-`,
		NewEvent:     func() interface{} { return &DNSRequest{} },
	})
)
TypeDNSRequest is the logtype entry for Crowdstrike DNS request events. nolint:lll
// TypeUnknownEvent is the catch-all log type for Crowdstrike events that do
// not yet have a dedicated registration in this package. Events are decoded
// into *UnknownEventWithPayload, i.e. the shared ContextEvent fields plus the
// verbatim JSON payload — no event-specific validation or indicator
// extraction happens for these, so treat them as unparsed data.
var TypeUnknownEvent = logtypes.MustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".Unknown",
	Description:  `This event is used to store all unknown crowdstrike log events`,
	ReferenceURL: `-`,
	NewEvent:     func() interface{} { return &UnknownEventWithPayload{} },
})
Functions ¶
Types ¶
type AIDMaster ¶ added in v1.16.0
// AIDMaster is one Falcon Insight host-inventory record per sensor (FDR
// "aid_master"). It describes the sensor (version, local clock) and the host
// it runs on (firmware, chassis, OS, domain/OU membership, geo as seen by the
// CrowdStrike cloud) and is the natural enrichment source for host-centric
// detections keyed on AID.
//
// Of the tags visible here, only AgentLocalTime, AgentTimeOffset,
// AgentVersion and CID are marked required. The Time, AgentLoadFlags, AID,
// AIP, PointerSize and ProductType tags are elided in this rendering, so
// whether Time carries the event_time marker cannot be confirmed from here.
type AIDMaster struct {
	Time pantherlog.Time `` /* 397-byte string literal not displayed */
	AgentLoadFlags pantherlog.Int32 `` /* 151-byte string literal not displayed */
	// Sensor-reported clock; it is the host's own time, so it may drift from
	// the cloud-assigned timestamps on other events.
	AgentLocalTime pantherlog.Time `json:"AgentLocalTime" tcodec:"unix" validate:"required" description:"The local time for the sensor in epoch format."`
	AgentTimeOffset pantherlog.Float64 `json:"AgentTimeOffset" validate:"required" description:"The time since the last reboot in epoch format."`
	AgentVersion pantherlog.String `json:"AgentVersion" validate:"required" description:"The version of the sensor running on a host."`
	AID pantherlog.String `` /* 264-byte string literal not displayed */
	CID pantherlog.String `json:"cid" validate:"required" description:"The customer ID."`
	// NOTE(review): tag elided here; presumably the sensor's public-facing IP
	// (cf. NotManagedAssets.AIPCount) — confirm against the FDR guide.
	AIP pantherlog.String `` /* 235-byte string literal not displayed */
	BiosManufacturer pantherlog.String `json:"BiosManufacturer" description:"The manufacturer of the host's BIOS."`
	BiosVersion pantherlog.String `json:"BiosVersion" description:"The version of the host's BIOS."`
	ChassisType pantherlog.String `json:"ChassisType" description:"Type of system chassis, as defined in SMBIOS Standard."`
	City pantherlog.String `json:"City" description:"The system's city of origin."`
	Country pantherlog.String `json:"Country" description:"The system's country of origin."`
	Continent pantherlog.String `json:"Continent" description:"The sensor's continent, as seen from the CrowdStrike cloud."`
	// Unlike BaseEvent.ComputerName this field carries no panther:"hostname"
	// tag, so it is not indicator-extracted — possibly deliberate for an
	// inventory feed; confirm before relying on hostname-indicator joins.
	ComputerName pantherlog.String `json:"ComputerName" description:"The name of the host."`
	ConfigIDBuild pantherlog.String `json:"ConfigIDBuild" description:"Build number used as part of the ConfigID."`
	EventPlatform pantherlog.String `json:"event_platform" description:"The platform the sensor is running on. Example values: 'Win', 'Lin', 'Mac'."`
	FirstSeen pantherlog.Time `json:"FirstSeen" tcodec:"unix" description:"The first time the sensor was seen by the CrowdStrike cloud in epoch format."`
	MachineDomain pantherlog.String `json:"MachineDomain" description:"The Windows domain name to which the host is currently joined."`
	OU pantherlog.String `json:"OU" description:"The organizational unit of the host as seen by the sensor (defined by system admin)."`
	PointerSize pantherlog.String `` /* 144-byte string literal not displayed */
	ProductType pantherlog.String `` /* 156-byte string literal not displayed */
	ServicePackMajor pantherlog.String `json:"ServicePackMajor" description:"The major version # of the OS Service Pack (in decimal, non-hex format)."`
	SiteName pantherlog.String `json:"SiteName" description:"The site name of the domain to which the host is joined (defined by system admin)."`
	SystemManufacturer pantherlog.String `json:"SystemManufacturer" description:"The host's system manufacturer."`
	SystemProductName pantherlog.String `json:"SystemProductName" description:"The host's product name."`
	Timezone pantherlog.String `json:"Timezone" description:"The sensor's time zone, as seen from the CrowdStrike cloud."`
	Version pantherlog.String `json:"Version" description:"The host's system version."`
	HostHiddenStatus pantherlog.String `json:"HostHiddenStatus" description:"Whether the host is visible or not."`
}
nolint:lll
type AppInfo ¶ added in v1.16.0
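// AppInfo is a Falcon Discover application-inventory record: one detected
// executable (FileName + SHA256HashData) per row, with the vendor metadata
// read from the file and the number of detections associated with it.
//
// _time is the event time and is required, as are cid, CompanyName,
// detectioncount, FileName and SHA256HashData. SHA256HashData is tagged for
// sha256 indicator extraction, so it is the field to join against
// threat-intel or ProcessRollup2.SHA256HashData.
//
// Only the description of SHA256HashData changed here ("bashed" -> "based");
// field order, JSON names and validation are unchanged.
type AppInfo struct {
	Time pantherlog.Time `json:"_time" validate:"required" tcodec:"unix" event_time:"true" description:"The host's local time in epoch format."`
	CID pantherlog.String `json:"cid" validate:"required" description:"The customer ID."`
	// Vendor name as embedded in the file's version resource; attacker-controlled
	// metadata, so do not treat it as proof of provenance.
	CompanyName pantherlog.String `json:"CompanyName" validate:"required" description:"The name of the company."`
	DetectionCount pantherlog.Int64 `json:"detectioncount" validate:"required" description:"The number of detections."`
	FileName pantherlog.String `json:"FileName" validate:"required" description:"The name of the file."`
	SHA256HashData pantherlog.String `json:"SHA256HashData" validate:"required" panther:"sha256" description:"The file hash based on SHA-256."`
	FileDescription pantherlog.String `json:"FileDescription" description:"The description of the file, if any."`
	FileVersion pantherlog.String `json:"FileVersion" description:"The version of the file."`
	ProductName pantherlog.String `json:"ProductName" description:"The name of the product."`
	ProductVersion pantherlog.String `json:"ProductVersion" description:"The version of the product."`
}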
nolint:lll
type BaseEvent ¶
// BaseEvent holds the envelope fields present on every Crowdstrike sensor
// event: sensor/customer identity (aid, aip, cid), the event id, platform,
// the cloud-side timestamps, sensor config state and the detection tree id.
// It is embedded (directly or via ContextEvent) by the sensor event types.
//
// Only Name is marked required. The AID, AIP, Timestamp, TimestampHuman and
// TreeIDDecimal tags are elided in this rendering. These envelope fields use
// the null.* types whereas the v1.16.0 inventory types use pantherlog.*;
// both generations coexist in this package.
type BaseEvent struct {
	Name null.String `json:"name" validate:"required" description:"The event name"`
	AID null.String `` /* 244-byte string literal not displayed */
	AIP null.String `` /* 216-byte string literal not displayed */
	CID null.String `json:"cid" description:"CID"`
	ID null.String `json:"id" description:"ID"`
	EventPlatform null.String `json:"event_platform" description:"The platform the sensor was running on"`
	// Tags elided; per PantherEventTime's doc this is the "server" timestamp
	// used as the fallback event time.
	Timestamp time.Time `` /* 129-byte string literal not displayed */
	TimestampHuman time.Time `` /* 146-byte string literal not displayed */
	// Hostname indicator; joinable with other log types on the extracted value.
	ComputerName null.String `json:"ComputerName" panther:"hostname" description:"The name of the host."`
	ConfigBuild null.String `json:"ConfigBuild" description:"Config build"`
	ConfigStateHash null.String `json:"ConfigStateHash" description:"Config state hash"`
	Entitlements null.String `json:"Entitlements" description:"Entitlements"`
	// Tagged trace_id so all events of one detection tree can be pulled together.
	TreeID null.String `json:"TreeId" panther:"trace_id" description:"If this event is part of a detection tree, the tree ID it is part of"`
	TreeIDDecimal null.Int64 `` /* 134-byte string literal not displayed */
}
BaseEvent holds the envelope fields common to all Crowdstrike sensor events; the sensor event types embed it directly or through ContextEvent. nolint:lll
type CommonIdentityFields ¶ added in v1.16.0
// CommonIdentityFields is the identity triple shared by UserIdentity and
// GroupIdentity: the sensor's AuthenticationId, the user principal and the
// user SID. UserPrincipal is required; the AuthenticationID and UserSid tags
// are elided in this rendering, so their JSON names and validation cannot be
// confirmed from here.
type CommonIdentityFields struct {
	AuthenticationID pantherlog.Int32 `` /* 166-byte string literal not displayed */
	// No description tag — the generated schema will show this field undocumented.
	UserPrincipal pantherlog.String `json:"UserPrincipal" validate:"required"`
	UserSid pantherlog.String `` /* 175-byte string literal not displayed */
}
nolint:lll
type ContextEvent ¶
// ContextEvent extends BaseEvent with the sensor-side context of an event:
// the thread and process it was observed in and the time it occurred as seen
// by the sensor (as opposed to BaseEvent.Timestamp, which is the server-side
// time). None of its own fields is required, which is what lets it double as
// the base for UnknownEvent.
type ContextEvent struct {
	BaseEvent
	// NOTE(review): the description says "process" but this is the thread id —
	// looks like a copy/paste of ContextProcessId's text; confirm and fix the tag.
	ContextThreadID null.String `json:"ContextThreadId" description:"The unique ID of a process that was spawned by another process."`
	ContextThreadIDDecimal null.Int64 `` /* 137-byte string literal not displayed */
	// Host-reported clock. PantherEventTime prefers this over the server
	// timestamp, so a skewed (or, on a compromised host, tampered) sensor clock
	// shifts where the event lands in the timeline.
	ContextTimestamp time.Time `json:"ContextTimeStamp" tcodec:"unix" description:"The time at which an event occurred on the system, as seen by the sensor."`
	ContextTimestampDecimal time.Time `` /* 165-byte string literal not displayed */
	ContextProcessID null.String `json:"ContextProcessId" description:"The unique ID of a process that was spawned by another process."`
	ContextProcessIDDecimal null.Int64 `` /* 138-byte string literal not displayed */
	InContext null.String `json:"InContext" description:"In context (N/A on iOS)"`
}
ContextEvent holds the context fields shared by sensor events. NOTE: none of its fields is marked required, so it can safely be embedded when parsing unknown events whose shape is not known in advance. nolint:lll
func (*ContextEvent) PantherEventTime ¶
func (e *ContextEvent) PantherEventTime() time.Time
PantherEventTime implements pantherlog.EventTimer: it uses the device (sensor-reported) timestamp when present and otherwise falls back to the server timestamp. Because the device clock is set by the host, it can be skewed or, on a compromised host, manipulated; correlate across hosts with that in mind and keep the server timestamp available for comparison.
type DNSRequest ¶
// DNSRequest is the sensor's DnsRequest event, one per attempted name
// resolution. EventSimpleName must equal "DnsRequest" for the parser to
// accept the record. DomainName is the primary indicator and is tagged for
// domain extraction; several fields are platform-specific as noted in their
// descriptions.
type DNSRequest struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=DnsRequest" description:"Event name"`
	ContextEvent
	EffectiveTransmissionClass null.Int64 `json:"EffectiveTransmissionClass" description:"Effective transmission class"`
	// Queried name; tagged for domain-indicator extraction (threat-intel joins).
	DomainName null.String `json:"DomainName" panther:"domain" description:"The domain name requested"`
	InterfaceIndex null.Int64 `json:"InterfaceIndex" description:"The network interface index (Windows only)"`
	DualRequest null.Int64 `json:"DualRequest" description:"If the event is dual request (Windows only)"`
	DNSRequestCount null.Int64 `json:"DnsRequestCount" description:"The number of DNS requests (Windows only)"`
	AppIdentifier null.String `json:"AppIdentifier" description:"The identifier of the app that made the request (Android, iOS)"`
	// Mobile-only device IP; tagged for ip-indicator extraction.
	IPAddress null.String `json:"IpAddress" panther:"ip" description:"The device ip address (Android, iOS)"`
	// Record type of the query (e.g. A/AAAA/TXT); stored as the raw string the sensor sends.
	RequestType null.String `json:"RequestType" description:"The DNS request type"`
}
nolint:lll
type GroupIdentity ¶ added in v1.16.0
// GroupIdentity is the Mac-only sensor event that ties a GID to the
// AuthenticationId / UserPrincipal / UserSid triple for the current boot.
// EventSimpleName must equal "GroupIdentity"; GID and both authentication
// UUID fields are required.
type GroupIdentity struct {
	ContextEvent
	EventSimpleName pantherlog.String `json:"event_simpleName" validate:"required,eq=GroupIdentity" description:"Event Name"`
	GID pantherlog.Int64 `json:"GID" validate:"required" description:"The user Group ID."`
	// Both UUID fields lack a description tag, so they appear undocumented in
	// the generated schema; how the "AsString" form differs is not visible here.
	AuthenticationUUID pantherlog.String `json:"AuthenticationUuid" validate:"required"`
	AuthenticationUUIDAsString pantherlog.String `json:"AuthenticationUuidAsString" validate:"required"`
	CommonIdentityFields
}
nolint:lll
type ManagedAssets ¶ added in v1.16.0
// ManagedAssets is the Falcon Insight network-identity record for a host
// that runs a sensor: its IPv4 address, MAC, gateway IP/MAC and interface
// names. _time is the event time. aid, cid, GatewayIP, GatewayMAC, MacPrefix,
// MAC and LocalAddressIP4 are required; the two interface fields are optional.
type ManagedAssets struct {
	Time pantherlog.Time `json:"_time" tcodec:"unix" validate:"required" event_time:"true" description:"The host's local time in epoch format."`
	AID pantherlog.String `` /* 264-byte string literal not displayed */
	CID pantherlog.String `json:"cid" validate:"required" description:"The customer ID."`
	// Both IP fields are tagged for ip-indicator extraction.
	GatewayIP pantherlog.String `json:"GatewayIP" validate:"required" panther:"ip" description:"The gateway of the system where the sensor is installed."`
	GatewayMAC pantherlog.String `json:"GatewayMAC" validate:"required" description:"The MAC address of the gateway."`
	// NOTE(review): the description is vague; this is presumably the MAC's
	// vendor (OUI) prefix rather than an org-wide id — confirm against the FDR guide.
	MacPrefix pantherlog.String `json:"MacPrefix" validate:"required" description:"An identifier unique to the organization."`
	MAC pantherlog.String `json:"MAC" validate:"required" description:"The MAC address of the system."`
	LocalAddressIP4 pantherlog.String `json:"LocalAddressIP4" validate:"required" panther:"ip" description:"The device's local IP address in IPv4 format."`
	InterfaceAlias pantherlog.String `json:"InterfaceAlias" description:"The user-friendly name of the IP interface."`
	InterfaceDescription pantherlog.String `json:"InterfaceDescription" description:"The network adapter used for the IP interface."`
}
nolint:lll
type NetworkConnect ¶
// NetworkConnect is the sensor's outbound-connection-attempt event. One Go
// type serves both the IPv4 and IPv6 variants: EventSimpleName must be
// NetworkConnectIP4 or NetworkConnectIP6, and the record populates either the
// *IP4 or the *IP6 address pair accordingly (the other pair stays null).
// All four address fields are tagged for ip-indicator extraction.
type NetworkConnect struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,oneof=NetworkConnectIP4 NetworkConnectIP6" description:"Event name"`
	ContextEvent
	LocalAddressIP4 null.String `json:"LocalAddressIP4" panther:"ip" description:"Local IPv4 address for the connection"`
	LocalAddressIP6 null.String `json:"LocalAddressIP6" panther:"ip" description:"Local IPv6 address for the connection"`
	RemoteAddressIP4 null.String `json:"RemoteAddressIP4" panther:"ip" description:"Remote IPv4 address for the connection"`
	RemoteAddressIP6 null.String `json:"RemoteAddressIP6" panther:"ip" description:"Remote IPv6 address for the connection"`
	ConnectionFlags null.Uint16 `` /* 185-byte string literal not displayed */
	// Numeric IP protocol; the description lists the values the sensor reports.
	Protocol null.Uint16 `json:"Protocol" description:"IP Protocol (ICMP = 1, TCP = 6, UDP = 17)"`
	LocalPort null.Uint16 `json:"LocalPort" description:"Connection local port"`
	RemotePort null.Uint16 `json:"RemotePort" description:"Connection remote port"`
	ConnectionDirection null.Uint16 `json:"ConnectionDirection" description:"Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)"`
	// ICMP type/code arrive as strings, not numbers; compare as strings in detections.
	ICMPType null.String `json:"IcmpType" description:"ICMP type (N/A on iOS)"`
	ICMPCode null.String `json:"IcmpCode" description:"ICMP code (N/A on iOS)"`
}
nolint:lll
type NetworkListen ¶
// NetworkListen is the sensor's listening-socket event, covering both the
// NetworkListenIP4 and NetworkListenIP6 variants (enforced by the oneof
// validation on EventSimpleName). Field layout mirrors NetworkConnect minus
// the ICMP fields; the same ip-indicator tags apply.
type NetworkListen struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,oneof=NetworkListenIP4 NetworkListenIP6" description:"event name"`
	ContextEvent
	LocalAddressIP4 null.String `json:"LocalAddressIP4" panther:"ip" description:"Local IPv4 address for the connection"`
	LocalAddressIP6 null.String `json:"LocalAddressIP6" panther:"ip" description:"Local IPv6 address for the connection"`
	// Remote address fields are kept in the schema for parity with
	// NetworkConnect; a listening socket usually has no peer yet, so expect
	// these to be empty — confirm against sample data before keying on them.
	RemoteAddressIP4 null.String `json:"RemoteAddressIP4" panther:"ip" description:"Remote IPv4 address for the connection"`
	RemoteAddressIP6 null.String `json:"RemoteAddressIP6" panther:"ip" description:"Remote IPv6 address for the connection"`
	ConnectionFlags null.Uint16 `` /* 185-byte string literal not displayed */
	Protocol null.Uint16 `json:"Protocol" description:"IP Protocol (ICMP = 1, TCP = 6, UDP = 17)"`
	LocalPort null.Uint16 `json:"LocalPort" description:"Connection local port"`
	RemotePort null.Uint16 `json:"RemotePort" description:"Connection remote port"`
	ConnectionDirection null.Uint16 `json:"ConnectionDirection" description:"Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)"`
}
nolint:lll
type NotManagedAssets ¶ added in v1.16.0
// NotManagedAssets is the Falcon Insight discovery record for a host that
// has no sensor but was seen on the network by one or more managed hosts
// (the "discoverers"). These are the coverage gaps / shadow assets; the MAC,
// subnet and local IP are what an inventory or rogue-device process should
// key on. aipcount, localipCount, cid, MAC, MacPrefix and discovererCount are
// required; the AIP and CurrentLocalIP tags are elided in this rendering.
type NotManagedAssets struct {
	Time pantherlog.Time `json:"_time" validate:"required" tcodec:"unix" event_time:"true" description:"The host's local time in epoch format."`
	AIP pantherlog.String `` /* 235-byte string literal not displayed */
	AIPCount pantherlog.Int64 `json:"aipcount" validate:"required" description:"The number of public-facing IP addresses."`
	LocalIPCount pantherlog.Int64 `json:"localipCount" validate:"required" description:"The number of local IP addresses."`
	CID pantherlog.String `json:"cid" validate:"required" description:"The customer ID."`
	CurrentLocalIP pantherlog.String `` /* 160-byte string literal not displayed */
	Subnet pantherlog.String `json:"subnet" description:"The subnet of the system."`
	MAC pantherlog.String `json:"MAC" validate:"required" description:"The MAC address of the system."`
	MacPrefix pantherlog.String `json:"MacPrefix" validate:"required" description:"An identifier unique to the organization."`
	DiscovererCount pantherlog.Int64 `json:"discovererCount" validate:"required" description:"The number of aid's that have discovered this system."`
	// Sensor AIDs that observed this host; a list, so it is not indicator-tagged.
	DiscovererAID []pantherlog.String `json:"discoverer_aid" description:"The agent IDs that have discovered this system."`
	DiscovererDeviceType pantherlog.String `json:"discoverer_devicetype" description:"The type of device that discovered this system ('VM' or 'Server')."`
	FirstDiscoveredDate pantherlog.Time `json:"FirstDiscoveredDate" tcodec:"unix" description:"The first time the system was discovered in epoch format."`
	// NOTE(review): the JSON name reads like "discovered by <aid>" but the type
	// and description say it is a timestamp — verify against the FDR guide.
	LastDiscoveredBy pantherlog.Time `json:"LastDiscoveredBy" tcodec:"unix" description:"The most recent time the system was discovered in epoch format."`
	LocalAddressIP4 pantherlog.String `json:"LocalAddressIP4" panther:"ip" description:"The device's local IP address in IPv4 format."`
	// ComputerName is the *discovering* host, NeighborName the unmanaged one.
	ComputerName pantherlog.String `json:"ComputerName" description:"The name of the host that discovered the neighbor."`
	NeighborName pantherlog.String `json:"NeighborName" description:"The neighbor's host name."`
}
nolint:lll
type ProcessRollup2 ¶
// ProcessRollup2 ("PR2") is the sensor's process-execution record and the
// workhorse of process-based detections: image path, command line, parent
// and creating process ids, file hashes, plus a large tail of platform-
// specific fields (Windows token/window details, POSIX uid/gid triples,
// Linux TTY and OCI container id, Android component names).
//
// EventSimpleName must equal "ProcessRollup2". Unlike SyntheticProcessRollup2
// this type embeds BaseEvent directly rather than ContextEvent, so it has no
// ContextTimestamp and PantherEventTime's device-time preference does not
// apply — confirm this is intentional. The ImageFileName, RawProcessID,
// ProcessStartTime, SHA256HashData, UserSID, ProcessParameterFlags and
// ProcessSXSFlags tags are elided in this rendering.
type ProcessRollup2 struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=ProcessRollup2" description:"Event name"`
	BaseEvent
	TargetProcessID null.Int64 `json:"TargetProcessId" description:"The unique ID of a target process"`
	SourceProcessID null.Int64 `json:"SourceProcessId" description:"The unique ID of creating process."`
	SourceThreadID null.Int64 `json:"SourceThreadId" description:"The unique ID of thread from creating process."`
	ParentProcessID null.Int64 `json:"ParentProcessId" description:"The unique ID of the parent process."`
	ImageFileName null.String `` /* 243-byte string literal not displayed */
	// Full command line as captured at process creation. It routinely carries
	// credentials (e.g. passwords passed as arguments), so treat the stored
	// column as sensitive for retention and access-control purposes.
	CommandLine null.String `json:"CommandLine" description:"The command line used to create this process. May be empty in some circumstances"`
	RawProcessID null.Int64 `` /* 150-byte string literal not displayed */
	ProcessStartTime time.Time `` /* 127-byte string literal not displayed */
	ProcessEndTime time.Time `json:"ProcessEndTime" tcodec:"unix" description:"The time the process finished (in decimal, non-hex format)."`
	// Three hashes of the executed image; SHA1/MD5 are tagged for indicator
	// extraction (SHA256's tag is elided here). MD5/SHA1 are collision-prone,
	// so prefer SHA256 for allow/deny decisions.
	SHA256HashData null.String `` /* 155-byte string literal not displayed */
	SHA1HashData null.String `json:"SHA1HashData" panther:"sha1" description:"The SHA1 hash of a file"`
	MD5HashData null.String `json:"MD5HashData" panther:"md5" description:"The MD5 hash of a file"`
	// Windows only
	ImageSubsystem null.String `json:"ImageSubsystem" description:"Subsystem of the image filename (Windows only)"`
	UserSID null.String `` /* 170-byte string literal not displayed */
	AuthenticationID null.String `json:"AuthenticationId" description:"The authentication identifier (Windows only)" `
	// Windows integrity level of the process token; useful for spotting
	// privilege changes between parent and child.
	IntegrityLevel null.String `json:"IntegrityLevel" description:"The integrity level (Windows only)" `
	ProcessCreateFlags null.String `json:"ProcessCreateFlags" description:"Captured flags from original process create. This is a bitfield. (Windows only)"`
	ProcessParameterFlags null.String `` /* 167-byte string literal not displayed */
	ProcessSXSFlags null.String `` /* 207-byte string literal not displayed */
	ParentAuthenticationID null.String `json:"ParentAuthenticationId" description:"The authentication identifier for the parent process (Windows only)" `
	TokenType null.String `json:"TokenType" description:"The token type (Windows only)"`
	SessionID null.String `json:"SessionId" description:"The id of the session (Windows only)"`
	WindowFlags null.String `json:"WindowFlags" description:"Flags from the window (Windows only)"`
	ShowWindowFlags null.String `json:"ShowWindowFlags" description:"Window visibility flags (Windows only)"`
	WindowStartingPositionHorizontal null.Int64 `json:"WindowStartingPositionHorizontal" description:"Start horizontal position of the process window (Windows only)"`
	WindowStartingPositionVertical null.Int64 `json:"WindowStartingPositionVertical" description:"Start vertical position of the process window (Windows only)"`
	WindowStartingWidth null.Int64 `json:"WindowStartingWidth" description:"Start width of the process window (Windows only)"`
	WindowStartingHeight null.Int64 `json:"WindowStartingHeight" description:"Start height of the process window (Windows only)"`
	Desktop null.String `json:"Desktop" description:"The desktop of the process window (Windows only)"`
	WindowStation null.String `json:"WindowStation" description:"The process window station (Windows only)"`
	WindowTitle null.String `json:"WindowTitle" description:"The title of the process window (WindowsOnly)"`
	LinkName null.String `json:"LinkName" description:"Link name (Windows only)"`
	ApplicationUserModelID null.String `json:"ApplicationUserModelId" description:"Application user model id (WindowsOnly)"`
	CallStackModuleNames null.String `json:"CallStackModuleNames" description:"Call stack module names (Windows only)"`
	CallStackModuleNamesVersion null.String `json:"CallStackModuleNamesVersion" description:"Call stack module names version (Windows only)"`
	RPCClientProcessID null.String `json:"RpcClientProcessId" description:"RPC client process id (Windows only)"`
	CSAProcessDataCollectionInstanceID null.String `json:"CsaProcessDataCollectionInstanceId" description:"CSA process data collection instance id (Windows only)"`
	// Same sensitivity caveat as CommandLine.
	OriginalCommandLine null.String `json:"OriginalCommandLine" description:"The original command line used to create this process (Windows only)"`
	CreateProcessType null.String `json:"CreateProcessType" description:"Create process type (Windows only)"`
	// Mark-of-the-Web zone of the image (downloaded-from-internet marker).
	ZoneIdentifier null.String `json:"ZoneIdentifier" description:"Zone identifier (Windows only)"`
	// NOTE(review): HostUrl has no panther:"url" tag while ReferrerUrl does —
	// probably an oversight; confirm and add the tag so both are extracted.
	HostURL null.String `json:"HostUrl" description:"Host URL (Windows only)"`
	ReferrerURL null.String `json:"ReferrerUrl" panther:"url" description:"Referrer URL (Windows only)"`
	// NOTE(review): description typo "Grant parent" should read "Grand parent".
	GrandParent null.String `json:"GrandParent" description:"Grant parent (Windows only)"`
	BaseFileName null.String `json:"BaseFileName" description:"Base file name (Windows only)"`
	Tags null.String `json:"Tags" description:"Process tags comma separated list (Windows, Mac)"`
	ParentBaseFileName null.String `json:"ParentBaseFileName" description:"Parent process base file name (Windows, Mac)"`
	ProcessGroupID null.Int64 `json:"ProcessGroupId" description:"Process group id (Windows, Mac)"`
	// POSIX effective / real / saved-set uid and gid triples.
	UID null.Int64 `json:"UID" description:"UID (Mac, Linux, Android)"`
	RUID null.Int64 `json:"RUID" description:"RUID (Mac, Linux, Android)"`
	SVUID null.Int64 `json:"SVUID" description:"SVUID (Mac, Linux, Android)"`
	GID null.Int64 `json:"GID" description:"GID (Mac, Linux, Android)"`
	RGID null.Int64 `json:"RGID" description:"RGID (Mac, Linux, Android)"`
	SVGID null.Int64 `json:"SVGID" description:"SVGID (Mac, Linux, Android)"`
	SessionProcessID null.Int64 `json:"SessionProcessId" description:"Session process id (Mac, Linux)"`
	MachOSubType null.String `json:"MachOSubType" description:"MachOSubType (Mac only)"`
	TTYName null.String `json:"TtyName" description:"TTY name (Linux only)"`
	// Non-empty when the process ran inside a container; key for container-scoped detections.
	OCIContainerID null.String `json:"OciContainerId" description:"OCI Container id (Linux only)"`
	// Android only
	SourceAndroidComponentName null.String `json:"SourceAndroidComponentName" description:"Source component name (Android only)"`
	TargetAndroidComponentName null.String `json:"TargetAndroidComponentName" description:"Target component name (Android only)"`
	TargetAndroidComponentType null.String `json:"TargetAndroidComponentType" description:"Target component type (Android only)"`
}
nolint:lll
type SyntheticProcessRollup2 ¶
// SyntheticProcessRollup2 is the sensor-reconstructed variant of PR2, with
// a reduced field set: the core process/hash fields, the Windows token
// fields and the Mac uid/gid triple. EventSimpleName must equal
// "SyntheticProcessRollup2". Unlike ProcessRollup2 it embeds ContextEvent,
// so it carries ContextTimestamp and PantherEventTime applies to it.
// The ImageFileName, RawProcessID, ProcessStartTime, SHA256HashData,
// SyntheticPR2Flags and UserSID tags are elided in this rendering.
type SyntheticProcessRollup2 struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=SyntheticProcessRollup2" description:"event name"`
	ContextEvent
	TargetProcessID null.Int64 `json:"TargetProcessId" description:"The unique ID of a target process"`
	SourceProcessID null.Int64 `json:"SourceProcessId" description:"The unique ID of creating process."`
	SourceThreadID null.Int64 `json:"SourceThreadId" description:"The unique ID of thread from creating process."`
	ParentProcessID null.Int64 `json:"ParentProcessId" description:"The unique ID of the parent process."`
	ImageFileName null.String `` /* 243-byte string literal not displayed */
	// May contain credentials passed as arguments; treat as sensitive at rest.
	CommandLine null.String `json:"CommandLine" description:"The command line used to create this process. May be empty in some circumstances"`
	RawProcessID null.Int64 `` /* 150-byte string literal not displayed */
	ProcessStartTime time.Time `` /* 127-byte string literal not displayed */
	ProcessEndTime time.Time `json:"ProcessEndTime" tcodec:"unix" description:"The time the process finished (in decimal, non-hex format)."`
	SHA256HashData null.String `` /* 155-byte string literal not displayed */
	SHA1HashData null.String `json:"SHA1HashData" panther:"sha1" description:"The SHA1 hash of a file"`
	MD5HashData null.String `json:"MD5HashData" panther:"md5" description:"The MD5 hash of a file"`
	// Bitfield describing why/how the synthetic record was produced (tag elided).
	SyntheticPR2Flags null.Uint16 `` /* 186-byte string literal not displayed */
	// Windows only
	ImageSubsystem null.String `json:"ImageSubsystem" description:"Subsystem of the image filename (Windows only)"`
	UserSID null.String `` /* 170-byte string literal not displayed */
	AuthenticationID null.String `json:"AuthenticationId" description:"The authentication identifier (Windows only)" `
	IntegrityLevel null.String `json:"IntegrityLevel" description:"The integrity level (Windows only)" `
	// Mac only
	ProcessGroupID null.Int64 `json:"ProcessGroupId" description:"Process group id (Mac)"`
	UID null.Int64 `json:"UID" description:"UID (Mac)"`
	RUID null.Int64 `json:"RUID" description:"RUID (Mac)"`
	SVUID null.Int64 `json:"SVUID" description:"SVUID (Mac)"`
	GID null.Int64 `json:"GID" description:"GID (Mac)"`
	RGID null.Int64 `json:"RGID" description:"RGID (Mac)"`
	SVGID null.Int64 `json:"SVGID" description:"SVGID (Mac)"`
	SessionProcessID null.Int64 `json:"SessionProcessId" description:"Session process id (Mac)"`
}
nolint:lll
type UnknownEvent ¶
// UnknownEvent is the minimal shape every Crowdstrike sensor event is
// expected to satisfy: a required event_simpleName plus the ContextEvent /
// BaseEvent envelope (none of whose own fields is required). It carries no
// event-specific data; see UnknownEventWithPayload for the variant that also
// keeps the raw JSON.
type UnknownEvent struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required" description:"Event name"`
	ContextEvent
}
UnknownEvent holds only the fields common to all Crowdstrike events (event_simpleName plus the ContextEvent/BaseEvent envelope); nothing event-specific is retained.
type UnknownEventWithPayload ¶
// UnknownEventWithPayload is what TypeUnknownEvent decodes into: the common
// envelope fields (via UnknownEvent) plus the original JSON verbatim in
// unknown_payload. Because only the envelope is parsed, unknown events get
// none of the per-field validation or indicator extraction the typed events
// have, and the raw payload may contain anything the sensor sent (command
// lines, usernames, URLs) — treat the column as sensitive, unstructured data.
type UnknownEventWithPayload struct {
	// We need the embedding to parse the base fields of the payload
	UnknownEvent
	// Pointer to the raw bytes; required so an event with no body is rejected.
	UnknownPayload *jsoniter.RawMessage `json:"unknown_payload" validate:"required" description:"The full JSON payload of the event"`
}
UnknownEventWithPayload is the catch-all for Crowdstrike events that do not (yet) have a registered log type; the original JSON is preserved verbatim in unknown_payload and only the common envelope fields are parsed.
type UserIdentity ¶ added in v1.16.0
// UserIdentity is the sensor event emitted when a user logs in to a host
// (Mac and Windows). EventSimpleName must equal "UserIdentity". The shared
// identity triple comes from CommonIdentityFields; the remaining fields are
// platform-specific as grouped below. Per the registered description it is
// normally emitted once per security principal, so its presence alone is
// not suspicious — the interesting signals are the Windows LogonType,
// UserIsAdmin, RemoteAccount and PasswordLastSet values.
//
// Most fields carry no description tag and so appear undocumented in the
// generated schema; the LogonType, UserFlags and UserLogonFlags tags are
// elided in this rendering.
type UserIdentity struct {
	ContextEvent
	EventSimpleName pantherlog.String `json:"event_simpleName" validate:"required,eq=UserIdentity" description:"Event Name"`
	CommonIdentityFields
	// Mac Only
	AuthenticationUUID pantherlog.String `json:"AuthenticationUuid"`
	AuthenticationUUIDAsString pantherlog.String `json:"AuthenticationUuidAsString"`
	UID pantherlog.Int64 `json:"UID" description:"The User ID."`
	// Windows only
	// Tagged for username-indicator extraction.
	UserName pantherlog.String `json:"UserName" panther:"username"`
	UserCanonical pantherlog.String `json:"UserCanonical"`
	LogonID pantherlog.String `json:"LogonId"`
	LogonDomain pantherlog.String `json:"LogonDomain"`
	// e.g. NTLM vs Kerberos; useful when hunting for downgrade or pass-the-hash.
	AuthenticationPackage pantherlog.String `json:"AuthenticationPackage"`
	LogonType pantherlog.Int32 `` /* 260-byte string literal not displayed */
	LogonTime pantherlog.Time `json:"LogonTime" tcodec:"unix"`
	LogonServer pantherlog.String `json:"LogonServer"`
	UserFlags pantherlog.Int64 `` /* 143-byte string literal not displayed */
	PasswordLastSet pantherlog.Time `json:"PasswordLastSet" tcodec:"unix"`
	// Integer flags; the value encodings are not documented here — confirm
	// against the CrowdStrike event explorer before writing detections on them.
	RemoteAccount pantherlog.Int32 `json:"RemoteAccount"`
	UserIsAdmin pantherlog.Int32 `json:"UserIsAdmin"`
	// Tagged trace_id so a logon session can be stitched to later events.
	SessionID pantherlog.String `json:"SessionId" panther:"trace_id"`
	UserLogonFlags pantherlog.Int32 `` /* 198-byte string literal not displayed */
}
nolint:lll
type UserInfo ¶ added in v1.16.0
// UserInfo is the Falcon Discover account/logon inventory record: one row
// per user account with its SID, domain membership, admin status, last logon
// details and password age. _time is the event time; cid, UserName and
// UserSid_readable are required. The AccountType, DomainUser, LogonType and
// PasswordLastSet tags are elided in this rendering.
//
// Admin status is reported twice in different encodings — LocalAdminAccess as
// the string 'Yes'/'No' and UserIsAdmin as an Int8 — pick one consistently
// in detections.
type UserInfo struct {
	Time pantherlog.Time `json:"_time" validate:"required" tcodec:"unix" event_time:"true" description:"The host's local time in epoch format."`
	CID pantherlog.String `json:"cid" validate:"required" description:"The customer ID."`
	AccountType pantherlog.String `` /* 143-byte string literal not displayed */
	DomainUser pantherlog.String `` /* 133-byte string literal not displayed */
	// Tagged for username-indicator extraction.
	UserName pantherlog.String `json:"UserName" validate:"required" panther:"username" description:"The username of the system."`
	UserSidReadable pantherlog.String `json:"UserSid_readable" validate:"required" description:"The user SID associated with this process."`
	LastLoggedOnHost pantherlog.String `json:"LastLoggedOnHost" description:"The host that was last logged into the system."`
	LocalAdminAccess pantherlog.String `json:"LocalAdminAccess" description:"Indicates whether a local user is an admin: 'Yes', 'No'."`
	LoggedOnHostCount pantherlog.Int32 `json:"LoggedOnHostCount" description:"The number of hosts logged in at _time."`
	LogonInfo pantherlog.String `json:"LogonInfo" description:"The login information."`
	LogonTime pantherlog.Time `json:"LogonTime" tcodec:"unix" description:"The last login time by this user in epoch format."`
	LogonType pantherlog.String `` /* 262-byte string literal not displayed */
	// Password age in months; a cheap stale-credential signal for service/shared accounts.
	MonthSinceReset pantherlog.Int32 `json:"monthsincereset" description:"The number of months since this user's password was last reset."`
	PasswordLastSet pantherlog.Time `` /* 129-byte string literal not displayed */
	User pantherlog.String `json:"User" description:"A system username with domain."`
	UserIsAdmin pantherlog.Int8 `json:"UserIsAdmin" description:"Indicates whether the user account has administrator privileges."`
	UserLogonFlagsDecimal pantherlog.Int32 `json:"UserLogonFlags_decimal" description:"A bitfield for various bits of a UserLogon, or failed user logon."`
}
nolint:lll