CrowdStrike Falcon Data Replicator sample event message

The Falcon Data Replicator feed consists of periodic batch transfers of data (data dumps delivered at intervals) rather than a continuous stream of events.

The following sample event messages show primary and secondary events that are collected from Falcon Data Replicator.

Primary Events

{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"401382615","NetworkContainmentState":"0","aip":"10.0.0.0","ConfigIDBase":"65994763","SensorStateBitMap":"0","ConfigBuild":"1007.3.0017706.11","event_platform":"Win","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatV4","ConfigIDPlatform":"3","id":"*****-****-490e-*****-****8","ConfigIDBuild":"17706","EffectiveTransmissionClass":"0","aid":"****11****","ProvisionState":"1","timestamp":"1705904285259","cid":"56177c****11****0a0d64485abf698b5018d95f6c"}
Table 1. Highlighted values in the CrowdStrike Falcon Data Replicator sample primary event
QRadar field name | Highlighted payload field name
Event ID          | event_simpleName
Source IP         | aip
Device Time       | timestamp
{"eid":118,"UserIp":"10.0.0.3","CustomerIdString":"56177c****11****0a0d64485abf698b5018d95f6c","EventType":"Event_ExternalApiEvent","OperationName":"logged","UTCTimestamp":1705980053283,"AuditKeyValues":[{"ValueString":"123******","Key":"APIClientID"},{"ValueString":"56177c****11****0a0d64485abf698b5018d95f6c","Key":"cid"}],"Success":true,"ExternalApiType":"Event_AuthActivityAuditEvent","Nonce":1,"ServiceName":"api_request","UserId":"","AgentIdString":"","cid":"56177c****11****0a0d64485abf698b5018d95f6c","timestamp":"2024-01-23T03:20:53Z"}
Table 2. Highlighted values in the CrowdStrike Falcon Data Replicator sample primary event
QRadar field name | Highlighted payload field name
Event ID          | EventType
Source IP         | UserIp
Device Time       | timestamp

Secondary Events

{"GatewayIP":"172.31.80.1","GatewayMAC":"00-00-5E-00-53-00","InterfaceAlias":"Ethernet 2","InterfaceDescription":"AWS PV Network Device #0","LocalAddressIP4":"10.0.0.12","MAC":"00-00-5E-00-53-01","MACPrefix":"00-00-5E","_time":"1704503615.475","aid":"123******","cid":"123******"}
Table 3. Highlighted values in the CrowdStrike Falcon Data Replicator sample secondary event
QRadar field name | Highlighted payload field name
Event ID          | falcondatareplicator_secondary_event (fixed value for all secondary events)
Source IP         | aip
Source MAC        | MAC
Device Time       | _time
Note: Secondary events are treated as metadata for primary events. If the feed is configured to include secondary events, the Event ID is parsed as described in Table 3.
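The three tables above describe a field mapping but not how a collector applies it. The following is an added example (not QRadar's DSM code or CrowdStrike's parser) that classifies each FDR JSON line as primary or secondary and maps it to the QRadar field names from Tables 1 to 3, normalising the three timestamp shapes that appear in the samples (epoch milliseconds, ISO 8601 UTC, and epoch seconds with a fractional part). The classification rule (primary when the event carries event_simpleName or EventType, otherwise secondary), the millisecond-versus-seconds heuristic, the fallback to UTCTimestamp, and the newline-delimited input format are assumptions made here; the sample events are the page's own, trimmed to the fields this code reads.

```python
"""Map CrowdStrike Falcon Data Replicator (FDR) events to QRadar-style fields.

Added example, not QRadar or CrowdStrike code. Field names come from
Tables 1-3 on the page; everything marked "assumption" is this example's own.
"""
import json
from datetime import datetime, timezone
from decimal import Decimal

# Fixed Event ID that Table 3 assigns to every secondary event.
SECONDARY_EVENT_ID = "falcondatareplicator_secondary_event"

# Sample events from the page, trimmed to the fields used below (masked values kept).
SAMPLE_PRIMARY_1 = ('{"event_simpleName":"SensorHeartbeat","aip":"10.0.0.0",'
                    '"aid":"****11****","timestamp":"1705904285259","cid":"56177c****"}')
SAMPLE_PRIMARY_2 = ('{"eid":118,"UserIp":"10.0.0.3","EventType":"Event_ExternalApiEvent",'
                    '"UTCTimestamp":1705980053283,"Success":true,'
                    '"timestamp":"2024-01-23T03:20:53Z"}')
SAMPLE_SECONDARY = ('{"GatewayIP":"172.31.80.1","LocalAddressIP4":"10.0.0.12",'
                    '"MAC":"00-00-5E-00-53-01","_time":"1704503615.475","aid":"123******"}')


def to_epoch_ms(value):
    """Normalise the timestamp shapes seen in the samples to integer epoch milliseconds.

    Handles epoch seconds ("1704503615.475"), epoch milliseconds ("1705904285259",
    as a string or a number) and ISO 8601 UTC ("2024-01-23T03:20:53Z").
    """
    if value is None or value == "":
        return None
    text = str(value).strip()
    if text.endswith("Z"):
        dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return int(dt.timestamp() * 1000)
    num = Decimal(text)  # Decimal keeps "...615.475" exact; float would round
    # Assumption: a value of 1e11 or more cannot be epoch seconds (that would be
    # year 5138), so it is treated as milliseconds already.
    return int(num) if num >= Decimal(10) ** 11 else int(num * 1000)


def is_primary(event):
    """Assumption: primary events are the ones carrying an event type field."""
    return "event_simpleName" in event or "EventType" in event


def map_event(raw_line):
    """Return the QRadar fields for one raw FDR JSON line, following Tables 1-3."""
    event = json.loads(raw_line)
    if is_primary(event):
        return {
            "Event Type": "primary",
            "Event ID": event.get("event_simpleName") or event.get("EventType"),  # Tables 1, 2
            "Source IP": event.get("aip") or event.get("UserIp"),                 # Tables 1, 2
            # Assumption: fall back to UTCTimestamp when "timestamp" is absent.
            "Device Time": to_epoch_ms(event.get("timestamp") or event.get("UTCTimestamp")),
        }
    return {
        "Event Type": "secondary",
        "Event ID": SECONDARY_EVENT_ID,          # Table 3: fixed value
        "Source IP": event.get("aip"),           # Table 3 (the sample has no aip -> None)
        "Source MAC": event.get("MAC"),          # Table 3
        "Device Time": to_epoch_ms(event.get("_time")),
    }


def time_fields_agree(raw_line, tolerance_ms=1000):
    """For events that carry both an ISO "timestamp" and a numeric UTCTimestamp,
    confirm the two agree within tolerance; returns None when either is missing."""
    event = json.loads(raw_line)
    if "timestamp" not in event or "UTCTimestamp" not in event:
        return None
    return abs(to_epoch_ms(event["timestamp"]) - to_epoch_ms(event["UTCTimestamp"])) <= tolerance_ms


def map_lines(text):
    """Assumption: FDR data files are newline-delimited JSON. Malformed lines are
    reported rather than silently dropped so the gap is visible in the collector."""
    results, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            results.append(map_event(line))
        except (ValueError, ArithmeticError) as exc:
            errors.append((lineno, str(exc)))
    return results, errors


if __name__ == "__main__":
    mapped, bad = map_lines("\n".join([SAMPLE_PRIMARY_1, SAMPLE_PRIMARY_2, SAMPLE_SECONDARY, "{not json"]))
    for row in mapped:
        print(row)
    print("unparseable lines:", bad)
```

Device Time is kept as epoch milliseconds so the three samples become directly comparable; the `time_fields_agree` check is useful when onboarding a feed, because a disagreement between the ISO `timestamp` and `UTCTimestamp` on the same event usually means a timezone or unit mistake in the collector rather than in the data.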

Types of Secondary Events

The types of secondary events that IBM QRadar supports for CrowdStrike Falcon Data Replicator are listed in Table 4.

Table 4. Types of secondary events in CrowdStrike Falcon Data Replicator
Event name    | Description
aid_master    | Contains information for each host, such as hostname, domain, country, and sensor version. Note: This event is updated approximately every 5 minutes.
managedassets | Contains a list of assets that are running the Falcon sensor.
notmanaged    | Contains a list of assets that are discovered by Falcon but do not have the sensor installed.
appinfo       | Contains information for every visible application in the environment, such as company, file name, and version.
userinfo      | Contains user information such as username, login time, and when the password was last set.