Constants ¶
// TypePrefix is the namespace prepended (with a ".") to every Crowdstrike log type
// name registered in this package, e.g. TypePrefix + ".DNSRequest" == "Crowdstrike.DNSRequest".
const TypePrefix = "Crowdstrike"
Variables ¶
// TypeNetworkConnect is the logtype entry for Crowdstrike network-connect events
// (event_simpleName NetworkConnectIP4 / NetworkConnectIP6, see NetworkConnect).
// ReferenceURL is a "-" placeholder; no upstream documentation link is recorded here.
var TypeNetworkConnect = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".NetworkConnect",
	Description:  `This event is generated when an application attempts a remote connection on an interface`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &NetworkConnect{}
	},
})

// TypeNetworkListen is the logtype entry for Crowdstrike listening-socket events
// (event_simpleName NetworkListenIP4 / NetworkListenIP6, see NetworkListen).
// ReferenceURL is a "-" placeholder; no upstream documentation link is recorded here.
var TypeNetworkListen = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".NetworkListen",
	Description:  `This event is generated when an application establishes a socket in listening mode`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &NetworkListen{}
	},
})
nolint:lll
// TypeProcessRollup2 is the logtype entry for Crowdstrike process rollup ("PR2") events
// (event_simpleName ProcessRollup2, see ProcessRollup2).
// ReferenceURL is a "-" placeholder; no upstream documentation link is recorded here.
var TypeProcessRollup2 = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".ProcessRollup2",
	Description:  `This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process.`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &ProcessRollup2{}
	},
})

// TypeSyntheticProcessRollup2 is the logtype entry for the synthetic variant of the
// process rollup event (event_simpleName SyntheticProcessRollup2, see SyntheticProcessRollup2).
// ReferenceURL is a "-" placeholder; no upstream documentation link is recorded here.
var TypeSyntheticProcessRollup2 = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".SyntheticProcessRollup2",
	Description:  `A synthetic version of the process rollup (PR2) event`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &SyntheticProcessRollup2{}
	},
})
nolint:lll
// TypeDNSRequest is the logtype entry for Crowdstrike DNS request events
// (event_simpleName DnsRequest, see DNSRequest).
// ReferenceURL is a "-" placeholder; no upstream documentation link is recorded here.
var TypeDNSRequest = mustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".DNSRequest",
	Description:  `This event is generated for every attempted DNS name resolution on a host.`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &DNSRequest{}
	},
})
TypeDNSRequest is the logtype entry for Crowdstrike DNS request events (event_simpleName "DnsRequest"). nolint:lll
// TypeUnknownEvent is the catch-all logtype for Crowdstrike events that do not yet have a
// registered log type. Events routed here keep their common fields (UnknownEvent) plus the
// full raw JSON payload (UnknownEventWithPayload).
//
// NOTE(review): this entry is built with logtypes.MustBuild directly, whereas every other
// entry in this package goes through the package-local mustBuild wrapper. Confirm the
// difference is intentional (e.g. the unknown type must bypass whatever mustBuild adds)
// rather than an oversight.
var TypeUnknownEvent = logtypes.MustBuild(logtypes.ConfigJSON{
	Name:         TypePrefix + ".Unknown",
	Description:  `This event is used to store all unknown crowdstrike log events`,
	ReferenceURL: `-`,
	NewEvent: func() interface{} {
		return &UnknownEventWithPayload{}
	},
})
Functions ¶
Types ¶
type BaseEvent ¶
// BaseEvent holds the fields shared by every Crowdstrike event type in this package.
// Every concrete event embeds it, either directly (ProcessRollup2) or via ContextEvent.
//
// Of the struct tags visible in this rendering, only Name carries validate:"required";
// tags shown as `` /* N-byte string literal not displayed */ were elided by the
// documentation renderer, so check the source for their exact json/tcodec/description values.
type BaseEvent struct {
	// Name is the event name and the one field that must be present for parsing to succeed.
	Name null.String `json:"name" validate:"required" description:"The event name"`
	// AID: tag not displayed in this rendering.
	// NOTE(review): presumably the sensor/agent identifier — confirm against the source tag
	// before using it as a host-correlation key.
	AID null.String `` /* 244-byte string literal not displayed */
	// AIP: tag not displayed in this rendering.
	AIP null.String `` /* 216-byte string literal not displayed */
	// NOTE(review): the description is just "CID"; presumably the Crowdstrike customer ID —
	// confirm and expand the description.
	CID null.String `json:"cid" description:"CID"`
	ID  null.String `json:"id" description:"ID"`
	// EventPlatform records which sensor platform emitted the event; several per-event fields
	// below are documented as platform-specific.
	EventPlatform null.String `json:"event_platform" description:"The platform the sensor was running on"`
	// Timestamp / TimestampHuman: tags (including the time codec) not displayed in this rendering.
	Timestamp      time.Time `` /* 129-byte string literal not displayed */
	TimestampHuman time.Time `` /* 146-byte string literal not displayed */
	// ComputerName is tagged panther:"hostname" so Panther treats it as a hostname field.
	ComputerName    null.String `json:"ComputerName" panther:"hostname" description:"The name of the host."`
	ConfigBuild     null.String `json:"ConfigBuild" description:"Config build"`
	ConfigStateHash null.String `json:"ConfigStateHash" description:"Config state hash"`
	Entitlements    null.String `json:"Entitlements" description:"Entitlements"`
	// TreeID is tagged panther:"trace_id" so related events in one detection tree can be
	// pivoted on as a trace.
	TreeID null.String `json:"TreeId" panther:"trace_id" description:"If this event is part of a detection tree, the tree ID it is part of"`
	// TreeIDDecimal: tag not displayed in this rendering.
	TreeIDDecimal null.Int64 `` /* 134-byte string literal not displayed */
}
Common fields shared by all Crowdstrike events. nolint:lll
type ContextEvent ¶
// ContextEvent extends BaseEvent with the per-event "context" fields (originating process and
// thread, sensor-side timestamp). None of the fields declared here carries validate:"required",
// which is what allows the struct to be reused when parsing events of an unknown type.
//
// Tags shown as `` /* N-byte string literal not displayed */ were elided by the documentation
// renderer; check the source for their exact json/tcodec/description values.
type ContextEvent struct {
	BaseEvent
	// NOTE(review): ContextThreadID carries the same description as ContextProcessID
	// ("The unique ID of a process ..."); this looks like a copy/paste error in the tag.
	ContextThreadID        null.String `json:"ContextThreadId" description:"The unique ID of a process that was spawned by another process."`
	ContextThreadIDDecimal null.Int64  `` /* 137-byte string literal not displayed */
	// ContextTimestamp is decoded as a unix timestamp (tcodec:"unix"). It is the time reported
	// by the sensor on the monitored host, so host clock skew shows up here.
	ContextTimestamp        time.Time `json:"ContextTimeStamp" tcodec:"unix" description:"The time at which an event occurred on the system, as seen by the sensor."`
	ContextTimestampDecimal time.Time `` /* 165-byte string literal not displayed */
	ContextProcessID        null.String `json:"ContextProcessId" description:"The unique ID of a process that was spawned by another process."`
	ContextProcessIDDecimal null.Int64  `` /* 138-byte string literal not displayed */
	InContext               null.String `json:"InContext" description:"In context (N/A on iOS)"`
}
Common context fields for events. NOTE: none of these fields is marked required, so this type can also be used when parsing events of an unknown type. nolint:lll
func (*ContextEvent) PantherEventTime ¶
func (e *ContextEvent) PantherEventTime() time.Time
PantherEventTime implements pantherlog.EventTimer. It prefers the device (sensor-side) timestamp and falls back to the server timestamp when the former is absent. Because the device timestamp is reported by the sensor on the monitored host, host clock skew is reflected in the event time.
type DNSRequest ¶
// DNSRequest is the Crowdstrike DnsRequest event: one record per attempted name resolution on a host.
// EventSimpleName must be present and equal to "DnsRequest" (validate:"required,eq=DnsRequest"),
// so a payload with any other event name is rejected by this type. Several fields are documented
// as platform-specific and will be absent on other platforms.
type DNSRequest struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=DnsRequest" description:"Event name"`
	ContextEvent
	EffectiveTransmissionClass null.Int64 `json:"EffectiveTransmissionClass" description:"Effective transmission class"`
	// DomainName is tagged panther:"domain" so Panther treats it as a domain field.
	DomainName      null.String `json:"DomainName" panther:"domain" description:"The domain name requested"`
	InterfaceIndex  null.Int64  `json:"InterfaceIndex" description:"The network interface index (Windows only)"`
	DualRequest     null.Int64  `json:"DualRequest" description:"If the event is dual request (Windows only)"`
	DNSRequestCount null.Int64  `json:"DnsRequestCount" description:"The number of DNS requests (Windows only)"`
	AppIdentifier   null.String `json:"AppIdentifier" description:"The identifier of the app that made the request (Android, iOS)"`
	// IPAddress is tagged panther:"ip"; per its description it is the device's own address on
	// mobile platforms, not the resolved answer.
	IPAddress   null.String `json:"IpAddress" panther:"ip" description:"The device ip address (Android, iOS)"`
	RequestType null.String `json:"RequestType" description:"The DNS request type"`
}
nolint:lll
type NetworkConnect ¶
// NetworkConnect is the Crowdstrike outbound/inbound connection event. EventSimpleName must be
// present and one of NetworkConnectIP4 or NetworkConnectIP6 (validate:"required,oneof=..."); the
// IPv4 and IPv6 variants share this struct, so only the matching address pair is expected to be set.
//
// Tags shown as `` /* N-byte string literal not displayed */ were elided by the documentation renderer.
type NetworkConnect struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,oneof=NetworkConnectIP4 NetworkConnectIP6" description:"Event name"`
	ContextEvent
	// All four address fields are tagged panther:"ip" so Panther treats them as IP fields.
	LocalAddressIP4  null.String `json:"LocalAddressIP4" panther:"ip" description:"Local IPv4 address for the connection"`
	LocalAddressIP6  null.String `json:"LocalAddressIP6" panther:"ip" description:"Local IPv6 address for the connection"`
	RemoteAddressIP4 null.String `json:"RemoteAddressIP4" panther:"ip" description:"Remote IPv4 address for the connection"`
	RemoteAddressIP6 null.String `json:"RemoteAddressIP6" panther:"ip" description:"Remote IPv6 address for the connection"`
	// ConnectionFlags: tag not displayed in this rendering.
	ConnectionFlags null.Uint16 `` /* 185-byte string literal not displayed */
	// Protocol is the IP protocol number; the description documents the common values.
	Protocol   null.Uint16 `json:"Protocol" description:"IP Protocol (ICMP = 1, TCP = 6, UDP = 17)"`
	LocalPort  null.Uint16 `json:"LocalPort" description:"Connection local port"`
	RemotePort null.Uint16 `json:"RemotePort" description:"Connection remote port"`
	// ConnectionDirection encodes direction as documented (0 outbound, 1 inbound, 2 neither, 3 both).
	ConnectionDirection null.Uint16 `json:"ConnectionDirection" description:"Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)"`
	// NOTE(review): ICMP type/code are parsed as strings while ports and protocol are Uint16 —
	// confirm that matches the upstream encoding.
	ICMPType null.String `json:"IcmpType" description:"ICMP type (N/A on iOS)"`
	ICMPCode null.String `json:"IcmpCode" description:"ICMP code (N/A on iOS)"`
}
nolint:lll
type NetworkListen ¶
// NetworkListen is the Crowdstrike listening-socket event. EventSimpleName must be present and
// one of NetworkListenIP4 or NetworkListenIP6 (validate:"required,oneof=..."). The field set is
// the NetworkConnect set without the ICMP fields; the descriptions still say "for the connection"
// even though the event describes a socket entering listening mode.
//
// Tags shown as `` /* N-byte string literal not displayed */ were elided by the documentation renderer.
type NetworkListen struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,oneof=NetworkListenIP4 NetworkListenIP6" description:"event name"`
	ContextEvent
	// All four address fields are tagged panther:"ip" so Panther treats them as IP fields.
	// NOTE(review): a listening socket has no peer yet; confirm what the sensor puts in the
	// Remote* fields for this event before keying detections on them.
	LocalAddressIP4  null.String `json:"LocalAddressIP4" panther:"ip" description:"Local IPv4 address for the connection"`
	LocalAddressIP6  null.String `json:"LocalAddressIP6" panther:"ip" description:"Local IPv6 address for the connection"`
	RemoteAddressIP4 null.String `json:"RemoteAddressIP4" panther:"ip" description:"Remote IPv4 address for the connection"`
	RemoteAddressIP6 null.String `json:"RemoteAddressIP6" panther:"ip" description:"Remote IPv6 address for the connection"`
	// ConnectionFlags: tag not displayed in this rendering.
	ConnectionFlags null.Uint16 `` /* 185-byte string literal not displayed */
	Protocol        null.Uint16 `json:"Protocol" description:"IP Protocol (ICMP = 1, TCP = 6, UDP = 17)"`
	LocalPort       null.Uint16 `json:"LocalPort" description:"Connection local port"`
	RemotePort      null.Uint16 `json:"RemotePort" description:"Connection remote port"`
	// ConnectionDirection encodes direction as documented (0 outbound, 1 inbound, 2 neither, 3 both).
	ConnectionDirection null.Uint16 `json:"ConnectionDirection" description:"Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3)"`
}
nolint:lll
type ProcessRollup2 ¶
// ProcessRollup2 is the Crowdstrike process rollup ("PR2") event describing a process that is
// running or has exited. EventSimpleName must be present and equal to "ProcessRollup2"
// (validate:"required,eq=ProcessRollup2").
//
// Unlike SyntheticProcessRollup2 this type embeds BaseEvent directly rather than ContextEvent,
// so it has no Context* fields. Fields are grouped by the platform(s) named in their description.
//
// Tags shown as `` /* N-byte string literal not displayed */ were elided by the documentation
// renderer; check the source for their exact json/tcodec/description values.
type ProcessRollup2 struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=ProcessRollup2" description:"Event name"`
	BaseEvent
	TargetProcessID null.Int64 `json:"TargetProcessId" description:"The unique ID of a target process"`
	SourceProcessID null.Int64 `json:"SourceProcessId" description:"The unique ID of creating process."`
	SourceThreadID  null.Int64 `json:"SourceThreadId" description:"The unique ID of thread from creating process."`
	ParentProcessID null.Int64 `json:"ParentProcessId" description:"The unique ID of the parent process."`
	// ImageFileName: tag not displayed in this rendering.
	ImageFileName null.String `` /* 243-byte string literal not displayed */
	// NOTE(review): command lines routinely carry credentials or tokens passed as arguments;
	// treat this field (and OriginalCommandLine below) as sensitive when storing or forwarding.
	CommandLine null.String `json:"CommandLine" description:"The command line used to create this process. May be empty in some circumstances"`
	// RawProcessID / ProcessStartTime: tags (including the time codec) not displayed in this rendering.
	RawProcessID     null.Int64 `` /* 150-byte string literal not displayed */
	ProcessStartTime time.Time  `` /* 127-byte string literal not displayed */
	// ProcessEndTime is decoded as a unix timestamp (tcodec:"unix").
	ProcessEndTime time.Time `json:"ProcessEndTime" tcodec:"unix" description:"The time the process finished (in decimal, non-hex format)."`
	// SHA256HashData: tag not displayed in this rendering. SHA1/MD5 are tagged panther:"sha1"/"md5".
	// NOTE(review): MD5 and SHA-1 are collision-prone; prefer SHA256HashData for allow/deny lists.
	SHA256HashData null.String `` /* 155-byte string literal not displayed */
	SHA1HashData   null.String `json:"SHA1HashData" panther:"sha1" description:"The SHA1 hash of a file"`
	MD5HashData    null.String `json:"MD5HashData" panther:"md5" description:"The MD5 hash of a file"`
	// Windows only
	ImageSubsystem null.String `json:"ImageSubsystem" description:"Subsystem of the image filename (Windows only)"`
	// UserSID: tag not displayed in this rendering.
	UserSID null.String `` /* 170-byte string literal not displayed */
	// AuthenticationID / IntegrityLevel / TokenType describe the security context the process
	// runs under; the descriptions of the first two end with a trailing space inside the tag literal.
	AuthenticationID null.String `json:"AuthenticationId" description:"The authentication identifier (Windows only)" `
	IntegrityLevel   null.String `json:"IntegrityLevel" description:"The integrity level (Windows only)" `
	// ProcessCreateFlags: the description literal spans two lines in the source.
	ProcessCreateFlags null.String `json:"ProcessCreateFlags" description:"Captured flags from original process create. This is a bitfield. 
(Windows only)"`
	// ProcessParameterFlags / ProcessSXSFlags: tags not displayed in this rendering.
	ProcessParameterFlags  null.String `` /* 167-byte string literal not displayed */
	ProcessSXSFlags        null.String `` /* 207-byte string literal not displayed */
	ParentAuthenticationID null.String `json:"ParentAuthenticationId" description:"The authentication identifier for the parent process (Windows only)" `
	TokenType              null.String `json:"TokenType" description:"The token type (Windows only)"`
	SessionID              null.String `json:"SessionId" description:"The id of the session (Windows only)"`
	WindowFlags            null.String `json:"WindowFlags" description:"Flags from the window (Windows only)"`
	ShowWindowFlags        null.String `json:"ShowWindowFlags" description:"Window visibility flags (Windows only)"`
	WindowStartingPositionHorizontal null.Int64 `json:"WindowStartingPositionHorizontal" description:"Start horizontal position of the process window (Windows only)"`
	WindowStartingPositionVertical   null.Int64 `json:"WindowStartingPositionVertical" description:"Start vertical position of the process window (Windows only)"`
	WindowStartingWidth              null.Int64 `json:"WindowStartingWidth" description:"Start width of the process window (Windows only)"`
	WindowStartingHeight             null.Int64 `json:"WindowStartingHeight" description:"Start height of the process window (Windows only)"`
	Desktop                          null.String `json:"Desktop" description:"The desktop of the process window (Windows only)"`
	WindowStation                    null.String `json:"WindowStation" description:"The process window station (Windows only)"`
	WindowTitle                      null.String `json:"WindowTitle" description:"The title of the process window (WindowsOnly)"`
	LinkName                         null.String `json:"LinkName" description:"Link name (Windows only)"`
	ApplicationUserModelID           null.String `json:"ApplicationUserModelId" description:"Application user model id (WindowsOnly)"`
	CallStackModuleNames             null.String `json:"CallStackModuleNames" description:"Call stack module names (Windows only)"`
	// CallStackModuleNamesVersion: the description literal spans two lines in the source.
	CallStackModuleNamesVersion null.String `json:"CallStackModuleNamesVersion" description:"Call stack 
module names version (Windows only)"`
	RPCClientProcessID                 null.String `json:"RpcClientProcessId" description:"RPC client process id (Windows only)"`
	CSAProcessDataCollectionInstanceID null.String `json:"CsaProcessDataCollectionInstanceId" description:"CSA process data collection instance id (Windows only)"`
	// NOTE(review): see the sensitivity note on CommandLine above.
	OriginalCommandLine null.String `json:"OriginalCommandLine" description:"The original command line used to create this process (Windows only)"`
	CreateProcessType   null.String `json:"CreateProcessType" description:"Create process type (Windows only)"`
	ZoneIdentifier      null.String `json:"ZoneIdentifier" description:"Zone identifier (Windows only)"`
	// NOTE(review): ReferrerURL is tagged panther:"url" but HostURL is not — confirm whether the
	// omission is intentional.
	HostURL     null.String `json:"HostUrl" description:"Host URL (Windows only)"`
	ReferrerURL null.String `json:"ReferrerUrl" panther:"url" description:"Referrer URL (Windows only)"`
	// NOTE(review): description reads "Grant parent"; should be "Grand parent". The tag is a
	// runtime string literal so it is left unchanged here.
	GrandParent        null.String `json:"GrandParent" description:"Grant parent (Windows only)"`
	BaseFileName       null.String `json:"BaseFileName" description:"Base file name (Windows only)"`
	Tags               null.String `json:"Tags" description:"Process tags comma separated list (Windows, Mac)"`
	ParentBaseFileName null.String `json:"ParentBaseFileName" description:"Parent process base file name (Windows, Mac)"`
	ProcessGroupID     null.Int64  `json:"ProcessGroupId" description:"Process group id (Windows, Mac)"`
	// POSIX credential fields (real/effective/saved user and group IDs).
	UID              null.Int64 `json:"UID" description:"UID (Mac, Linux, Android)"`
	RUID             null.Int64 `json:"RUID" description:"RUID (Mac, Linux, Android)"`
	SVUID            null.Int64 `json:"SVUID" description:"SVUID (Mac, Linux, Android)"`
	GID              null.Int64 `json:"GID" description:"GID (Mac, Linux, Android)"`
	RGID             null.Int64 `json:"RGID" description:"RGID (Mac, Linux, Android)"`
	SVGID            null.Int64 `json:"SVGID" description:"SVGID (Mac, Linux, Android)"`
	SessionProcessID null.Int64 `json:"SessionProcessId" description:"Session process id (Mac, Linux)"`
	MachOSubType     null.String `json:"MachOSubType" description:"MachOSubType (Mac only)"`
	TTYName          null.String `json:"TtyName" description:"TTY name (Linux only)"`
	OCIContainerID   null.String `json:"OciContainerId" description:"OCI Container id (Linux only)"`
	// Android only
	SourceAndroidComponentName null.String `json:"SourceAndroidComponentName" description:"Source component name (Android only)"`
	TargetAndroidComponentName null.String `json:"TargetAndroidComponentName" description:"Target component name (Android only)"`
	TargetAndroidComponentType null.String `json:"TargetAndroidComponentType" description:"Target component type (Android only)"`
}
nolint:lll
type SyntheticProcessRollup2 ¶
// SyntheticProcessRollup2 is the synthetic variant of the process rollup event. EventSimpleName
// must be present and equal to "SyntheticProcessRollup2" (validate:"required,eq=...").
//
// It embeds ContextEvent (so it carries the Context* fields ProcessRollup2 lacks), exposes a
// subset of the PR2 fields plus SyntheticPR2Flags, and its POSIX credential fields are
// documented as Mac-only rather than Mac/Linux/Android.
//
// Tags shown as `` /* N-byte string literal not displayed */ were elided by the documentation
// renderer; check the source for their exact json/tcodec/description values.
type SyntheticProcessRollup2 struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required,eq=SyntheticProcessRollup2" description:"event name"`
	ContextEvent
	TargetProcessID null.Int64 `json:"TargetProcessId" description:"The unique ID of a target process"`
	SourceProcessID null.Int64 `json:"SourceProcessId" description:"The unique ID of creating process."`
	SourceThreadID  null.Int64 `json:"SourceThreadId" description:"The unique ID of thread from creating process."`
	ParentProcessID null.Int64 `json:"ParentProcessId" description:"The unique ID of the parent process."`
	// ImageFileName: tag not displayed in this rendering.
	ImageFileName null.String `` /* 243-byte string literal not displayed */
	// NOTE(review): command lines routinely carry credentials or tokens passed as arguments;
	// treat this field as sensitive when storing or forwarding.
	CommandLine null.String `json:"CommandLine" description:"The command line used to create this process. May be empty in some circumstances"`
	// RawProcessID / ProcessStartTime: tags (including the time codec) not displayed in this rendering.
	RawProcessID     null.Int64 `` /* 150-byte string literal not displayed */
	ProcessStartTime time.Time  `` /* 127-byte string literal not displayed */
	// ProcessEndTime is decoded as a unix timestamp (tcodec:"unix").
	ProcessEndTime time.Time `json:"ProcessEndTime" tcodec:"unix" description:"The time the process finished (in decimal, non-hex format)."`
	// SHA256HashData: tag not displayed in this rendering. SHA1/MD5 are tagged panther:"sha1"/"md5".
	// NOTE(review): MD5 and SHA-1 are collision-prone; prefer SHA256HashData for allow/deny lists.
	SHA256HashData null.String `` /* 155-byte string literal not displayed */
	SHA1HashData   null.String `json:"SHA1HashData" panther:"sha1" description:"The SHA1 hash of a file"`
	MD5HashData    null.String `json:"MD5HashData" panther:"md5" description:"The MD5 hash of a file"`
	// SyntheticPR2Flags: tag not displayed in this rendering.
	SyntheticPR2Flags null.Uint16 `` /* 186-byte string literal not displayed */
	// Windows only
	ImageSubsystem null.String `json:"ImageSubsystem" description:"Subsystem of the image filename (Windows only)"`
	// UserSID: tag not displayed in this rendering.
	UserSID null.String `` /* 170-byte string literal not displayed */
	// The descriptions of the next two fields end with a trailing space inside the tag literal.
	AuthenticationID null.String `json:"AuthenticationId" description:"The authentication identifier (Windows only)" `
	IntegrityLevel   null.String `json:"IntegrityLevel" description:"The integrity level (Windows only)" `
	// Mac only
	ProcessGroupID   null.Int64 `json:"ProcessGroupId" description:"Process group id (Mac)"`
	UID              null.Int64 `json:"UID" description:"UID (Mac)"`
	RUID             null.Int64 `json:"RUID" description:"RUID (Mac)"`
	SVUID            null.Int64 `json:"SVUID" description:"SVUID (Mac)"`
	GID              null.Int64 `json:"GID" description:"GID (Mac)"`
	RGID             null.Int64 `json:"RGID" description:"RGID (Mac)"`
	SVGID            null.Int64 `json:"SVGID" description:"SVGID (Mac)"`
	SessionProcessID null.Int64 `json:"SessionProcessId" description:"Session process id (Mac)"`
}
nolint:lll
type UnknownEvent ¶
// UnknownEvent extracts only the fields common to every Crowdstrike event from a payload whose
// event type has no registered parser. EventSimpleName must be present but — unlike the typed
// events above — is not constrained to any particular value.
type UnknownEvent struct {
	EventSimpleName null.String `json:"event_simpleName" validate:"required" description:"Event name"`
	ContextEvent
}
UnknownEvent holds only the fields common to all Crowdstrike events: the event name plus the embedded ContextEvent (and, through it, BaseEvent) fields.
type UnknownEventWithPayload ¶
// UnknownEventWithPayload is the catch-all record for Crowdstrike events that do not (yet) have a
// registered log type: the common fields parsed via the embedded UnknownEvent, plus the complete
// raw JSON of the event.
//
// NOTE(review): UnknownPayload is only checked for presence; its contents are not schema-validated
// or normalised, so downstream consumers must treat every field inside it as untrusted input, and
// anything sensitive the sensor emitted (e.g. full command lines) is retained verbatim.
type UnknownEventWithPayload struct {
	// We need the embedding to parse the base fields of the payload
	UnknownEvent
	// NOTE(review): the "unknown_payload" key does not look like an upstream Crowdstrike field;
	// presumably this package attaches the raw event here during parsing — confirm in the parser.
	UnknownPayload *jsoniter.RawMessage `json:"unknown_payload" validate:"required" description:"The full JSON payload of the event"`
}
UnknownEventWithPayload is the catch-all for Crowdstrike events that do not (yet) have a registered log type; it keeps the common fields together with the full raw JSON payload.