Merge pull request #9015 from niralishah-crest/CrowdStrikeAuthentication
ASIM Authentication schema parser with its sample and test data for CrowdStrikeFalconHost
50ea427d6f
|
@ -537,7 +537,7 @@ EventOwner,string,Optional,RegistryEvent,,,
|
|||
EventOwner,string,Optional,UserManagement,,,
|
||||
EventOwner,string,Optional,WebSession,,,
|
||||
EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki,
|
||||
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF,
|
||||
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost,
|
||||
EventProduct,string,Mandatory,Common,,,
|
||||
EventProduct,string,Mandatory,Dhcp,,,
|
||||
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate,
|
||||
|
@ -667,7 +667,7 @@ EventUid,string,Recommended,RegistryEvent,,,
|
|||
EventUid,string,Recommended,UserManagement,,,
|
||||
EventUid,string,Recommended,WebSession,,,
|
||||
EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra,
|
||||
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
|
||||
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike,
|
||||
EventVendor,string,Mandatory,Common,,,
|
||||
EventVendor,string,Mandatory,Dhcp,,,
|
||||
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
|
||||
|
|
|
|
@ -43,7 +43,8 @@ ParserQuery: |
|
|||
ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),
|
||||
ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),
|
||||
ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),
|
||||
ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))
|
||||
ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),
|
||||
ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))
|
||||
|
||||
Parsers:
|
||||
- _Im_Authentication_Empty
|
||||
|
@ -65,4 +66,5 @@ Parsers:
|
|||
- _ASim_Authentication_Su
|
||||
- _ASim_Authentication_VectraXDRAudit
|
||||
- _ASim_Authentication_SentinelOne
|
||||
- _ASim_Authentication_CrowdStrikeFalconHost
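Review bot: The exclusion key on the new union entry does not match the parser it guards: the line calls `ASimAuthenticationCrowdStrikeFalconHost` but tests `'ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers)`, whereas every sibling entry uses `Exclude` followed by the exact parser name (`ExcludeASimAuthenticationSentinelOne`, `ExcludeASimAuthenticationSu`). A user who follows that convention and adds `ExcludeASimAuthenticationCrowdStrikeFalconHost` to the watchlist will not disable this source, and the parser keeps running over CommonSecurityLog. I would change the key to `'ExcludeASimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers)`. The `union` these entries belong to starts above the first hunk.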
|
||||
|
|
@ -0,0 +1,109 @@
|
|||
Parser:
|
||||
Title: ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection
|
||||
Version: '0.1.0'
|
||||
LastUpdated: Oct 26 2023
|
||||
Product:
|
||||
Name: CrowdStrike Falcon Endpoint Protection
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.3'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/ASimAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AboutASIM
|
||||
- Title: CrowdStrike Falcon Endpoint Protection Documentation
|
||||
Link:
|
||||
https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary
|
||||
https://falcon.us-2.crowdstrike.com/documentation/page/eb1587d1/siem-connector#mc98af8f
|
||||
Description: |
|
||||
This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Authentication normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel.
|
||||
ParserName: ASimAuthenticationCrowdStrikeFalconHost
|
||||
EquivalentBuiltInParser: _ASim_Authentication_CrowdStrikeFalconHost
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
ParserQuery: |
|
||||
let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)
|
||||
[
|
||||
"0", "Informational",
|
||||
"1", "Informational",
|
||||
"2", "Low",
|
||||
"3", "Medium",
|
||||
"4", "High",
|
||||
"5", "High"
|
||||
];
|
||||
let parser = (disabled: bool=false) {
|
||||
CommonSecurityLog
|
||||
| where not(disabled)
|
||||
| where (DeviceVendor == "CrowdStrike" and DeviceProduct == "FalconHost")
|
||||
| where DeviceEventCategory == "AuthActivityAuditEvent" and DeviceEventClassID in ("userAuthenticate", "twoFactorAuthenticate")
|
||||
| lookup EventSeverityLookup on LogSeverity
|
||||
| extend
|
||||
EventResult = iff(EventOutcome == "true", "Success", "Failure"),
|
||||
EventStartTime = todatetime(DeviceCustomDate1),
|
||||
EventCount = int(1),
|
||||
EventSchema = "Authentication",
|
||||
EventSchemaVersion = "0.1.3",
|
||||
EventType = "Logon",
|
||||
EventProduct = "FalconHost",
|
||||
EventVendor = "CrowdStrike"
|
||||
| project-rename
|
||||
TargetIpAddr = DestinationTranslatedAddress,
|
||||
EventUid = _ItemId,
|
||||
EventOriginalSeverity = LogSeverity,
|
||||
EventOriginalSubType = DeviceEventClassID,
|
||||
EventOriginalType = DeviceEventCategory,
|
||||
EventProductVersion = DeviceVersion,
|
||||
EventOriginalResultDetails = EventOutcome,
|
||||
TargetUsername = DestinationUserName,
|
||||
TargetAppName = ProcessName
|
||||
| extend
|
||||
EventEndTime = EventStartTime,
|
||||
DvcIpAddr = TargetIpAddr,
|
||||
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
|
||||
TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
|
||||
TargetAppType = iff(isnotempty(TargetAppName), "Service", ""),
|
||||
LogonMethod = iff(EventOriginalSubType =~ "userAuthenticate", "Username and Password", "Two Factor Authentication")
|
||||
| extend
|
||||
User = TargetUsername,
|
||||
Dst = TargetIpAddr,
|
||||
Dvc = coalesce(DvcIpAddr, EventProduct),
|
||||
Application = TargetAppName
|
||||
| project-away
|
||||
Source*,
|
||||
Destination*,
|
||||
Device*,
|
||||
AdditionalExtensions,
|
||||
CommunicationDirection,
|
||||
Computer,
|
||||
EndTime,
|
||||
FieldDevice*,
|
||||
Flex*,
|
||||
File*,
|
||||
Old*,
|
||||
MaliciousIP*,
|
||||
OriginalLogSeverity,
|
||||
Process*,
|
||||
Protocol,
|
||||
Activity,
|
||||
ReceivedBytes,
|
||||
SentBytes,
|
||||
Remote*,
|
||||
Request*,
|
||||
SimplifiedDeviceAction,
|
||||
StartTime,
|
||||
TenantId,
|
||||
Threat*,
|
||||
IndicatorThreatType,
|
||||
ExternalID,
|
||||
ReportReferenceLink,
|
||||
ReceiptTime,
|
||||
Reason,
|
||||
ApplicationProtocol,
|
||||
_ResourceId,
|
||||
ExtID,
|
||||
Message
|
||||
};
|
||||
parser(disabled=disabled)
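Review bot: `EventResult = iff(EventOutcome == "true", "Success", "Failure")` labels every row whose `EventOutcome` is not exactly the lowercase string `true` — including an empty or missing value — as a failed logon, which is the field brute-force and lockout analytics key on, and an exact case-sensitive comparison is fragile for a CEF-derived field. I would write `EventResult = case(EventOutcome =~ "true", "Success", EventOutcome =~ "false", "Failure", "NA")` so that only an explicit negative outcome counts as a failure (worth confirming against the sample data whether `EventOutcome` is ever blank). `EventStartTime = todatetime(DeviceCustomDate1)` is likewise null, for a mandatory field, whenever that custom field is absent; `EventStartTime = coalesce(todatetime(DeviceCustomDate1), TimeGenerated)` keeps it populated. The reference link `https:/aka.ms/AboutASIM` is missing a slash.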
|
|
@ -50,6 +50,7 @@ ParserQuery: |
|
|||
, vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))
|
||||
, vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))
|
||||
, vimAuthenticationSentinelOne (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))
|
||||
, vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )))
|
||||
};
|
||||
Generic(starttime, endtime, targetusername_has)
|
||||
|
||||
|
@ -73,4 +74,5 @@ Parsers:
|
|||
- _Im_Authentication_BarracudaWAF
|
||||
- _Im_Authentication_VectraXDRAudit
|
||||
- _Im_Authentication_SentinelOne
|
||||
- _Im_Authentication_CrowdStrikeFalconHost
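Review bot: The `disabled` expression on the new entry checks `'ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers)` while the parser it wraps is `vimAuthenticationCrowdStrikeFalconHost`; the neighbouring entries all use `Exclude` plus the full parser name, so the documented way of switching this source off silently has no effect here. I would change it to `'ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers)`. Note also that the call passes the union's string `targetusername_has` into a parameter named `targetusername_has_any`; the parser's `has` filter handles a string, but the `_has_any` suffix conventionally denotes a list, so the name is presumably a slip worth aligning before the built-in function signature is frozen. The `Generic` function these lines belong to starts above the hunk.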
|
||||
|
||||
|
|
|
@ -0,0 +1,192 @@
|
|||
Parser:
|
||||
Title: ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection
|
||||
Version: '0.1.0'
|
||||
LastUpdated: Oct 26 2023
|
||||
Product:
|
||||
Name: CrowdStrike Falcon Endpoint Protection
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.3'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/ASimAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AboutASIM
|
||||
- Title: CrowdStrike Falcon Endpoint Protection Documentation
|
||||
Link:
|
||||
https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary
|
||||
https://falcon.us-2.crowdstrike.com/documentation/page/eb1587d1/siem-connector#mc98af8f
|
||||
Description: |
|
||||
This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Authentication normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel.
|
||||
ParserName: vimAuthenticationCrowdStrikeFalconHost
|
||||
EquivalentBuiltInParser: _Im_Authentication_CrowdStrikeFalconHost
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: eventtype_in
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: eventresultdetails_in
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: targetusername_has_any
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: targetappname_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: actorusername_has_any
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: srcipaddr_has_any_prefix
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: srchostname_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: targetipaddr_has_any_prefix
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: dvcipaddr_has_any_prefix
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: dvchostname_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
ParserQuery: |
|
||||
let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)
|
||||
[
|
||||
"0", "Informational",
|
||||
"1", "Informational",
|
||||
"2", "Low",
|
||||
"3", "Medium",
|
||||
"4", "High",
|
||||
"5", "High"
|
||||
];
|
||||
let parser = (
|
||||
starttime: datetime=datetime(null),
|
||||
endtime: datetime=datetime(null),
|
||||
eventtype_in: dynamic=dynamic([]),
|
||||
eventresultdetails_in: dynamic=dynamic([]),
|
||||
eventresult: string='*',
|
||||
targetusername_has_any: string='*',
|
||||
targetappname_has_any: dynamic=dynamic([]),
|
||||
actorusername_has_any: string='*',
|
||||
srcipaddr_has_any_prefix: dynamic=dynamic([]),
|
||||
srchostname_has_any: dynamic=dynamic([]),
|
||||
targetipaddr_has_any_prefix: dynamic=dynamic([]),
|
||||
dvcipaddr_has_any_prefix: dynamic=dynamic([]),
|
||||
dvchostname_has_any: dynamic=dynamic([]),
|
||||
disabled: bool = false
|
||||
) {
|
||||
CommonSecurityLog
|
||||
| where not(disabled)
|
||||
| where (isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= endtime)
|
||||
and (DeviceVendor == "CrowdStrike" and DeviceProduct == "FalconHost")
|
||||
and (DeviceEventCategory == "AuthActivityAuditEvent" and DeviceEventClassID in ("userAuthenticate", "twoFactorAuthenticate"))
|
||||
and array_length(eventresultdetails_in) == 0
|
||||
and actorusername_has_any == '*'
|
||||
and array_length(srchostname_has_any) == 0
|
||||
and array_length(srcipaddr_has_any_prefix) == 0
|
||||
and (array_length(targetipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationTranslatedAddress, targetipaddr_has_any_prefix))
|
||||
and array_length(dvchostname_has_any) == 0
|
||||
and (targetusername_has_any == '*' or DestinationUserName has targetusername_has_any)
|
||||
and (array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any))
|
||||
and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationTranslatedAddress, dvcipaddr_has_any_prefix))
|
||||
| extend
|
||||
EventResult = iff(EventOutcome == "true", "Success", "Failure"),
|
||||
EventType = "Logon"
|
||||
| where (eventresult == '*' or eventresult =~ EventResult)
|
||||
and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
|
||||
| lookup EventSeverityLookup on LogSeverity
|
||||
| extend
|
||||
EventStartTime = todatetime(DeviceCustomDate1),
|
||||
EventCount = int(1),
|
||||
EventSchema = "Authentication",
|
||||
EventSchemaVersion = "0.1.3",
|
||||
EventProduct = "FalconHost",
|
||||
EventVendor = "CrowdStrike"
|
||||
| project-rename
|
||||
TargetIpAddr = DestinationTranslatedAddress,
|
||||
EventUid = _ItemId,
|
||||
EventOriginalSeverity = LogSeverity,
|
||||
EventOriginalSubType = DeviceEventClassID,
|
||||
EventOriginalType = DeviceEventCategory,
|
||||
EventProductVersion = DeviceVersion,
|
||||
EventOriginalResultDetails = EventOutcome,
|
||||
TargetUsername = DestinationUserName,
|
||||
TargetAppName = ProcessName
|
||||
| extend
|
||||
EventEndTime = EventStartTime,
|
||||
DvcIpAddr = TargetIpAddr,
|
||||
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
|
||||
TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
|
||||
TargetAppType = iff(isnotempty(TargetAppName), "Service", ""),
|
||||
LogonMethod = iff(EventOriginalSubType =~ "userAuthenticate", "Username and Password", "Two Factor Authentication")
|
||||
| extend
|
||||
User = TargetUsername,
|
||||
Dst = TargetIpAddr,
|
||||
Dvc = coalesce(DvcIpAddr, EventProduct),
|
||||
Application = TargetAppName
|
||||
| project-away
|
||||
Source*,
|
||||
Destination*,
|
||||
Device*,
|
||||
AdditionalExtensions,
|
||||
CommunicationDirection,
|
||||
Computer,
|
||||
EndTime,
|
||||
FieldDevice*,
|
||||
Flex*,
|
||||
File*,
|
||||
Old*,
|
||||
MaliciousIP*,
|
||||
OriginalLogSeverity,
|
||||
Process*,
|
||||
Protocol,
|
||||
Activity,
|
||||
ReceivedBytes,
|
||||
SentBytes,
|
||||
Remote*,
|
||||
Request*,
|
||||
SimplifiedDeviceAction,
|
||||
StartTime,
|
||||
TenantId,
|
||||
Threat*,
|
||||
IndicatorThreatType,
|
||||
ExternalID,
|
||||
ReportReferenceLink,
|
||||
ReceiptTime,
|
||||
Reason,
|
||||
ApplicationProtocol,
|
||||
_ResourceId,
|
||||
ExtID,
|
||||
Message
|
||||
};
|
||||
parser(
|
||||
starttime = starttime,
|
||||
endtime = endtime,
|
||||
eventtype_in = eventtype_in,
|
||||
eventresultdetails_in = eventresultdetails_in,
|
||||
eventresult = eventresult,
|
||||
targetusername_has_any = targetusername_has_any,
|
||||
targetappname_has_any = targetappname_has_any,
|
||||
actorusername_has_any = actorusername_has_any,
|
||||
srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
|
||||
srchostname_has_any = srchostname_has_any,
|
||||
targetipaddr_has_any_prefix = targetipaddr_has_any_prefix,
|
||||
dvcipaddr_has_any_prefix = dvcipaddr_has_any_prefix,
|
||||
dvchostname_has_any = dvchostname_has_any,
|
||||
disabled = disabled
|
||||
)
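Review bot: Only `TargetIpAddr` and `DvcIpAddr` are populated from `DestinationTranslatedAddress`, `SrcIpAddr` is never set, and the source-IP filter is hard-wired to `array_length(srcipaddr_has_any_prefix) == 0`, so any consumer that queries `imAuthentication` by source address (impossible-travel, brute-force-by-IP) will never see a Falcon console logon. If `DestinationTranslatedAddress` carries the address of the authenticating client — the referenced SIEM connector page should settle this — it belongs in `SrcIpAddr` (and the `Src` alias), with the filter changed to `(array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationTranslatedAddress, srcipaddr_has_any_prefix))`, rather than in the target and device fields, where `Dvc = coalesce(DvcIpAddr, EventProduct)` then reports the client address as the reporting device. As written, `targetipaddr_has_any_prefix` and `dvcipaddr_has_any_prefix` both test the same column, so either one alone selects the row. The same mapping is used in the ASim variant of this parser.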
|
|
@ -0,0 +1,3 @@
|
|||
Result
|
||||
"(0) Error: 1 invalid value(s) (up to 10 listed) in 860 records (100.0%) for field [EventProduct] of type [Enumerated]: [""FalconHost""] (Schema:Authentication)"
|
||||
"(0) Error: 1 invalid value(s) (up to 10 listed) in 860 records (100.0%) for field [EventVendor] of type [Enumerated]: [""CrowdStrike""] (Schema:Authentication)"
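Review bot: This committed baseline records two `(0) Error` results for `EventProduct` = `FalconHost` and `EventVendor` = `CrowdStrike`, which are exactly the values this commit adds to the Authentication enumerations in the schema CSV, so the expected output and the schema change contradict each other and the test either fails or enshrines a known failure as the expected result. The results also count `860 records`, whereas the sample data file added here is an 11-line CSV, which suggests the baselines were generated against a different dataset or before the enumeration edit. They should be regenerated from the committed sample after the schema change so the expected output contains no error rows. The identical pair of lines appears again in the vim parser's results file.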
|
|
|
@ -0,0 +1,96 @@
|
|||
Result
|
||||
"(1) Warning: Missing recommended field [DvcAction]"
|
||||
"(1) Warning: Missing recommended field [DvcDomain]"
|
||||
"(1) Warning: Missing recommended field [DvcHostname]"
|
||||
"(1) Warning: Missing recommended field [EventResultDetails]"
|
||||
"(1) Warning: Missing recommended field [SrcIpAddr]"
|
||||
"(1) Warning: Missing recommended field [Src]"
|
||||
"(1) Warning: Missing recommended field [TargetDomain]"
|
||||
"(1) Warning: Missing recommended field [TargetHostname]"
|
||||
"(2) Info: Missing optional field [ActingAppId]"
|
||||
"(2) Info: Missing optional field [ActingAppName]"
|
||||
"(2) Info: Missing optional field [ActingAppType]"
|
||||
"(2) Info: Missing optional field [ActorOriginalUserType]"
|
||||
"(2) Info: Missing optional field [ActorScopeId]"
|
||||
"(2) Info: Missing optional field [ActorScope]"
|
||||
"(2) Info: Missing optional field [ActorSessionId]"
|
||||
"(2) Info: Missing optional field [ActorUserId]"
|
||||
"(2) Info: Missing optional field [ActorUserType]"
|
||||
"(2) Info: Missing optional field [ActorUsername]"
|
||||
"(2) Info: Missing optional field [AdditionalFields]"
|
||||
"(2) Info: Missing optional field [DvcDescription]"
|
||||
"(2) Info: Missing optional field [DvcFQDN]"
|
||||
"(2) Info: Missing optional field [DvcId]"
|
||||
"(2) Info: Missing optional field [DvcInterface]"
|
||||
"(2) Info: Missing optional field [DvcMacAddr]"
|
||||
"(2) Info: Missing optional field [DvcOriginalAction]"
|
||||
"(2) Info: Missing optional field [DvcOsVersion]"
|
||||
"(2) Info: Missing optional field [DvcOs]"
|
||||
"(2) Info: Missing optional field [DvcScopeId]"
|
||||
"(2) Info: Missing optional field [DvcScope]"
|
||||
"(2) Info: Missing optional field [DvcZone]"
|
||||
"(2) Info: Missing optional field [EventMessage]"
|
||||
"(2) Info: Missing optional field [EventOriginalUid]"
|
||||
"(2) Info: Missing optional field [EventOwner]"
|
||||
"(2) Info: Missing optional field [EventReportUrl]"
|
||||
"(2) Info: Missing optional field [EventSubType]"
|
||||
"(2) Info: Missing optional field [HttpUserAgent]"
|
||||
"(2) Info: Missing optional field [LogonProtocol]"
|
||||
"(2) Info: Missing optional field [LogonTarget]"
|
||||
"(2) Info: Missing optional field [RuleName]"
|
||||
"(2) Info: Missing optional field [RuleNumber]"
|
||||
"(2) Info: Missing optional field [Rule]"
|
||||
"(2) Info: Missing optional field [SrcDescription]"
|
||||
"(2) Info: Missing optional field [SrcDeviceType]"
|
||||
"(2) Info: Missing optional field [SrcDomain]"
|
||||
"(2) Info: Missing optional field [SrcDvcId]"
|
||||
"(2) Info: Missing optional field [SrcDvcOs]"
|
||||
"(2) Info: Missing optional field [SrcDvcScopeId]"
|
||||
"(2) Info: Missing optional field [SrcDvcScope]"
|
||||
"(2) Info: Missing optional field [SrcFQDN]"
|
||||
"(2) Info: Missing optional field [SrcGeoCity]"
|
||||
"(2) Info: Missing optional field [SrcGeoCountry]"
|
||||
"(2) Info: Missing optional field [SrcGeoLatitude]"
|
||||
"(2) Info: Missing optional field [SrcGeoLongitude]"
|
||||
"(2) Info: Missing optional field [SrcGeoRegion]"
|
||||
"(2) Info: Missing optional field [SrcHostname]"
|
||||
"(2) Info: Missing optional field [SrcIsp]"
|
||||
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [SrcPortNumber]"
|
||||
"(2) Info: Missing optional field [SrcRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetAppId]"
|
||||
"(2) Info: Missing optional field [TargetDescription]"
|
||||
"(2) Info: Missing optional field [TargetDeviceType]"
|
||||
"(2) Info: Missing optional field [TargetDvcId]"
|
||||
"(2) Info: Missing optional field [TargetDvcOs]"
|
||||
"(2) Info: Missing optional field [TargetDvcScopeId]"
|
||||
"(2) Info: Missing optional field [TargetDvcScope]"
|
||||
"(2) Info: Missing optional field [TargetFQDN]"
|
||||
"(2) Info: Missing optional field [TargetGeoCity]"
|
||||
"(2) Info: Missing optional field [TargetGeoCountry]"
|
||||
"(2) Info: Missing optional field [TargetGeoLatitude]"
|
||||
"(2) Info: Missing optional field [TargetGeoLongitude]"
|
||||
"(2) Info: Missing optional field [TargetGeoRegion]"
|
||||
"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetOriginalUserType]"
|
||||
"(2) Info: Missing optional field [TargetPortNumber]"
|
||||
"(2) Info: Missing optional field [TargetRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetSessionId]"
|
||||
"(2) Info: Missing optional field [TargetUrl]"
|
||||
"(2) Info: Missing optional field [TargetUserId]"
|
||||
"(2) Info: Missing optional field [TargetUserScopeId]"
|
||||
"(2) Info: Missing optional field [TargetUserScope]"
|
||||
"(2) Info: Missing optional field [ThreatCategory]"
|
||||
"(2) Info: Missing optional field [ThreatConfidence]"
|
||||
"(2) Info: Missing optional field [ThreatField]"
|
||||
"(2) Info: Missing optional field [ThreatFirstReportedTime]"
|
||||
"(2) Info: Missing optional field [ThreatId]"
|
||||
"(2) Info: Missing optional field [ThreatIpAddr]"
|
||||
"(2) Info: Missing optional field [ThreatIsActive]"
|
||||
"(2) Info: Missing optional field [ThreatLastReportedTime]"
|
||||
"(2) Info: Missing optional field [ThreatName]"
|
||||
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
|
||||
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [ThreatRiskLevel]"
|
||||
"(2) Info: Missing recommended alias [IpAddr] aliasing non-existent column [SrcIpAddr]"
|
||||
"(2) Info: extra unnormalized column [CollectorHostName]"
|
|
|
@ -0,0 +1,3 @@
|
|||
Result
|
||||
"(0) Error: 1 invalid value(s) (up to 10 listed) in 860 records (100.0%) for field [EventProduct] of type [Enumerated]: [""FalconHost""] (Schema:Authentication)"
|
||||
"(0) Error: 1 invalid value(s) (up to 10 listed) in 860 records (100.0%) for field [EventVendor] of type [Enumerated]: [""CrowdStrike""] (Schema:Authentication)"
|
|
|
@ -0,0 +1,96 @@
|
|||
Result
|
||||
"(1) Warning: Missing recommended field [DvcAction]"
|
||||
"(1) Warning: Missing recommended field [DvcDomain]"
|
||||
"(1) Warning: Missing recommended field [DvcHostname]"
|
||||
"(1) Warning: Missing recommended field [EventResultDetails]"
|
||||
"(1) Warning: Missing recommended field [SrcIpAddr]"
|
||||
"(1) Warning: Missing recommended field [Src]"
|
||||
"(1) Warning: Missing recommended field [TargetDomain]"
|
||||
"(1) Warning: Missing recommended field [TargetHostname]"
|
||||
"(2) Info: Missing optional field [ActingAppId]"
|
||||
"(2) Info: Missing optional field [ActingAppName]"
|
||||
"(2) Info: Missing optional field [ActingAppType]"
|
||||
"(2) Info: Missing optional field [ActorOriginalUserType]"
|
||||
"(2) Info: Missing optional field [ActorScopeId]"
|
||||
"(2) Info: Missing optional field [ActorScope]"
|
||||
"(2) Info: Missing optional field [ActorSessionId]"
|
||||
"(2) Info: Missing optional field [ActorUserId]"
|
||||
"(2) Info: Missing optional field [ActorUserType]"
|
||||
"(2) Info: Missing optional field [ActorUsername]"
|
||||
"(2) Info: Missing optional field [AdditionalFields]"
|
||||
"(2) Info: Missing optional field [DvcDescription]"
|
||||
"(2) Info: Missing optional field [DvcFQDN]"
|
||||
"(2) Info: Missing optional field [DvcId]"
|
||||
"(2) Info: Missing optional field [DvcInterface]"
|
||||
"(2) Info: Missing optional field [DvcMacAddr]"
|
||||
"(2) Info: Missing optional field [DvcOriginalAction]"
|
||||
"(2) Info: Missing optional field [DvcOsVersion]"
|
||||
"(2) Info: Missing optional field [DvcOs]"
|
||||
"(2) Info: Missing optional field [DvcScopeId]"
|
||||
"(2) Info: Missing optional field [DvcScope]"
|
||||
"(2) Info: Missing optional field [DvcZone]"
|
||||
"(2) Info: Missing optional field [EventMessage]"
|
||||
"(2) Info: Missing optional field [EventOriginalUid]"
|
||||
"(2) Info: Missing optional field [EventOwner]"
|
||||
"(2) Info: Missing optional field [EventReportUrl]"
|
||||
"(2) Info: Missing optional field [EventSubType]"
|
||||
"(2) Info: Missing optional field [HttpUserAgent]"
|
||||
"(2) Info: Missing optional field [LogonProtocol]"
|
||||
"(2) Info: Missing optional field [LogonTarget]"
|
||||
"(2) Info: Missing optional field [RuleName]"
|
||||
"(2) Info: Missing optional field [RuleNumber]"
|
||||
"(2) Info: Missing optional field [Rule]"
|
||||
"(2) Info: Missing optional field [SrcDescription]"
|
||||
"(2) Info: Missing optional field [SrcDeviceType]"
|
||||
"(2) Info: Missing optional field [SrcDomain]"
|
||||
"(2) Info: Missing optional field [SrcDvcId]"
|
||||
"(2) Info: Missing optional field [SrcDvcOs]"
|
||||
"(2) Info: Missing optional field [SrcDvcScopeId]"
|
||||
"(2) Info: Missing optional field [SrcDvcScope]"
|
||||
"(2) Info: Missing optional field [SrcFQDN]"
|
||||
"(2) Info: Missing optional field [SrcGeoCity]"
|
||||
"(2) Info: Missing optional field [SrcGeoCountry]"
|
||||
"(2) Info: Missing optional field [SrcGeoLatitude]"
|
||||
"(2) Info: Missing optional field [SrcGeoLongitude]"
|
||||
"(2) Info: Missing optional field [SrcGeoRegion]"
|
||||
"(2) Info: Missing optional field [SrcHostname]"
|
||||
"(2) Info: Missing optional field [SrcIsp]"
|
||||
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [SrcPortNumber]"
|
||||
"(2) Info: Missing optional field [SrcRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetAppId]"
|
||||
"(2) Info: Missing optional field [TargetDescription]"
|
||||
"(2) Info: Missing optional field [TargetDeviceType]"
|
||||
"(2) Info: Missing optional field [TargetDvcId]"
|
||||
"(2) Info: Missing optional field [TargetDvcOs]"
|
||||
"(2) Info: Missing optional field [TargetDvcScopeId]"
|
||||
"(2) Info: Missing optional field [TargetDvcScope]"
|
||||
"(2) Info: Missing optional field [TargetFQDN]"
|
||||
"(2) Info: Missing optional field [TargetGeoCity]"
|
||||
"(2) Info: Missing optional field [TargetGeoCountry]"
|
||||
"(2) Info: Missing optional field [TargetGeoLatitude]"
|
||||
"(2) Info: Missing optional field [TargetGeoLongitude]"
|
||||
"(2) Info: Missing optional field [TargetGeoRegion]"
|
||||
"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetOriginalUserType]"
|
||||
"(2) Info: Missing optional field [TargetPortNumber]"
|
||||
"(2) Info: Missing optional field [TargetRiskLevel]"
|
||||
"(2) Info: Missing optional field [TargetSessionId]"
|
||||
"(2) Info: Missing optional field [TargetUrl]"
|
||||
"(2) Info: Missing optional field [TargetUserId]"
|
||||
"(2) Info: Missing optional field [TargetUserScopeId]"
|
||||
"(2) Info: Missing optional field [TargetUserScope]"
|
||||
"(2) Info: Missing optional field [ThreatCategory]"
|
||||
"(2) Info: Missing optional field [ThreatConfidence]"
|
||||
"(2) Info: Missing optional field [ThreatField]"
|
||||
"(2) Info: Missing optional field [ThreatFirstReportedTime]"
|
||||
"(2) Info: Missing optional field [ThreatId]"
|
||||
"(2) Info: Missing optional field [ThreatIpAddr]"
|
||||
"(2) Info: Missing optional field [ThreatIsActive]"
|
||||
"(2) Info: Missing optional field [ThreatLastReportedTime]"
|
||||
"(2) Info: Missing optional field [ThreatName]"
|
||||
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
|
||||
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
|
||||
"(2) Info: Missing optional field [ThreatRiskLevel]"
|
||||
"(2) Info: Missing recommended alias [IpAddr] aliasing non-existent column [SrcIpAddr]"
|
||||
"(2) Info: extra unnormalized column [CollectorHostName]"
|
|
|
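--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1.csv
@@ -0,0 +1,11 @@
+TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,"EndTime [UTC]",ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,"StartTime [UTC]",SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,"_ResourceId"
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/13/2023, 5:05:34.381 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.40",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694581534037,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,36312,Offset,,,,,,,,,,,,,"Sep 13 2023 10:35:34",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/13/2023, 5:05:52.830 AM",CrowdStrike,FalconHost,"1.0",twoFactorAuthenticate,twoFactorAuthenticate,1,,,,,,,,"160.110.200.40",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694581552278,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,36315,Offset,,,,,,,,,,,,,"Sep 13 2023 10:35:52",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/13/2023, 5:05:53.130 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.40",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694581552787,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,36316,Offset,,,,,,,,,,,,,"Sep 13 2023 10:35:52",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 8:14:03.713 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.10",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,false,,,,,,,,1694160843352,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26087,Offset,,,,,,,,,,,,,"Sep 08 2023 13:44:03",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 12:23:37.170 PM",CrowdStrike,FalconHost,"1.0",twoFactorAuthenticate,twoFactorAuthenticate,1,,,,,,,,"160.110.200.20",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694175816818,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26157,Offset,,,,,,,,,,,,,"Sep 08 2023 17:53:36",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 12:23:37.610 PM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.20",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694175817244,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26158,Offset,,,,,,,,,,,,,"Sep 08 2023 17:53:37",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 9:16:12.737 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.50",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694164572384,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26097,Offset,,,,,,,,,,,,,"Sep 08 2023 14:46:12",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 9:16:40.844 AM",CrowdStrike,FalconHost,"1.0",twoFactorAuthenticate,twoFactorAuthenticate,1,,,,,,,,"160.110.200.50",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694164600474,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26098,Offset,,,,,,,,,,,,,"Sep 08 2023 14:46:40",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 9:16:41.270 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"160.110.200.50",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694164600919,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26099,Offset,,,,,,,,,,,,,"Sep 08 2023 14:46:40",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,
+"233edde4-51bb-435b-be84-b2de15aea7f9","9/8/2023, 9:23:19.603 AM",CrowdStrike,FalconHost,"1.0",userAuthenticate,userAuthenticate,1,,,,,,,,"100.200.160.20",,,,,,,,,,"CrowdStrike Authentication",,,,,,,,,,,,"sanitized@sanitized.com",,,,,,,,,,,,,,,,,,,,,,,,,,,,,true,,,,,,,,1694164999251,,,,,,,,,,,,,,,,,AuthActivityAuditEvent,,,,,,,,,,,,,,,,,,,,,,,,26102,Offset,,,,,,,,,,,,,"Sep 08 2023 14:53:19",Timestamp,,,,,,,,,,,,,,,,,,,,,,,,"10.20.30.40",OpsManager,,,CommonSecurityLog,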
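Review bot: The sample rows carry globally routable addresses in the `DestinationTranslatedAddress` column (`160.110.200.40`, `160.110.200.10`, `160.110.200.20`, `160.110.200.50`, `100.200.160.20`), while the user identity was sanitized to `sanitized@sanitized.com`; sample data committed to the repository should draw its addresses from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so the rows cannot be mistaken for, or attributed to, real hosts. The same addresses appear as `destinationTranslatedAddress=` in the CEF raw-log section that follows, so both files need the same substitution to keep the ingested and raw samples consistent. The `TenantId` GUID in every row also looks unsanitized; it is worth confirming it is synthetic, or replacing it with an all-zero GUID, before merge.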
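--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2.cef
@@ -0,0 +1,10 @@
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.40 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=36312 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 13 2023 10:35:34 rt=1694581534037
+CEF:0|CrowdStrike|FalconHost|1.0|twoFactorAuthenticate|twoFactorAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.40 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=36315 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 13 2023 10:35:52 rt=1694581552278
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.40 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=36316 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 13 2023 10:35:52 rt=1694581552787
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.10 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26087 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 13:44:03 rt=1694160843352
+CEF:0|CrowdStrike|FalconHost|1.0|twoFactorAuthenticate|twoFactorAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.20 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26157 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 17:53:36 rt=1694175816818
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.20 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26158 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 17:53:37 rt=1694175817244
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.50 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26097 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 14:46:12 rt=1694164572384
+CEF:0|CrowdStrike|FalconHost|1.0|twoFactorAuthenticate|twoFactorAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.50 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26098 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 14:46:40 rt=1694164600474
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=160.110.200.50 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26099 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 14:46:40 rt=1694164600919
+CEF:0|CrowdStrike|FalconHost|1.0|userAuthenticate|userAuthenticate|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=100.200.160.20 duser=sanitized@sanitized.com deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=26102 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 08 2023 14:53:19 rt=1694164999251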