forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcrowdstrike_processrollup2.yml
More file actions
108 lines (108 loc) · 3.7 KB
/
crowdstrike_processrollup2.yml
File metadata and controls
108 lines (108 loc) · 3.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
name: CrowdStrike ProcessRollup2
id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for CrowdStrike ProcessRollup2
source: crowdstrike
sourcetype: crowdstrike:events:sensor
separator: event_simpleName
supported_TA:
- name: Splunk Add-on for CrowdStrike FDR
url: https://splunkbase.splunk.com/app/5579
version: 2.0.3
fields:
- AuthenticationId
- AuthenticationId_meaning
- AuthenticodeHashData
- CommandLine
- ConfigBuild
- ConfigStateHash
- EffectiveTransmissionClass
- Entitlements
- EventOrigin
- ImageFileName
- ImageSubsystem
- ImageSubsystem_meaning
- IntegrityLevel
- IntegrityLevel_meaning
- MD5HashData
- ParentAuthenticationId
- ParentBaseFileName
- ParentProcessId
- ProcessCreateFlags
- ProcessEndTime
- ProcessParameterFlags
- ProcessParameterFlags_meaning
- ProcessStartTime
- ProcessSxsFlags
- ProcessSxsFlags_meaning
- RawProcessId
- SHA1HashData
- SHA256HashData
- SessionId
- SignInfoFlags
- SignInfoFlags_meaning
- SourceProcessId
- SourceThreadId
- Tags
- TargetProcessId
- TokenType
- TokenType_meaning
- UserSid
- WindowFlags
- WindowFlags_meaning
- action
- aid
- aid_city
- aid_computer_name
- aid_continent
- aid_country
- aid_machine_domain
- aid_os_version
- aid_ou
- aid_site_name
- aid_system_product_name
- aip
- cid
- dest
- event_ingest_time
- event_platform
- event_simpleName
- eventtype
- host_res_aid
- id
- os
- parent_process_exec
- parent_process_id
- parent_process_name
- process
- process_exec
- process_hash
- process_id
- process_integrity_level
- process_name
- process_path
- resolve_dest
- resolve_process_integrity_level
- tag
- timestamp
- user
- user_id
- vendor_product
field_mappings:
- data_model: cim
data_set: Endpoint.Processes
mapping:
CommandLine: Processes.process
ImageFileName: Processes.process_path
ParentBaseFileName: Processes.parent_process_name
ParentProcessId: Processes.parent_process_id
RawProcessId: Processes.process_id
SHA256HashData: Processes.process_hash
UserSid: Processes.user
example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27,
40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605,
263882790666253","timestamp":"1713805173418","event_simpleName":"ProcessRollup2","RawProcessId":"5012","ConfigStateHash":"840884426","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"2669499","ConfigBuild":"1007.3.0018207.1","WindowFlags":"3073","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"
","ParentAuthenticationId":"2669499","TargetProcessId":"5642133882","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"30426051160","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1713805173.321","ProcessParameterFlags":"24577","aid":"168a90e125d443beb2a4e2914985084d","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}'