Crowdstrike FDR hostname/username enrichment #2816

@jamiehynds

Description

Crowdstrike Falcon Data Replicator (FDR) replicates log data from your CrowdStrike environment to an S3 bucket, to enable ingestion of log data for SIEMs and other security tools. While our FDR integration ingests this data, unfortunately, Crowdstrike does not include important information such as hostname or username as part of these events, rendering the events unusable without that context.

As an example, a ProcessRollup event combines data from several sources into one event which describes a process which is running or has previously run on the host. The UserSid field is included with the ProcessRollup2 event. The UserSid and AuthenticationId fields define the security context the process was created with. To determine details about this context, find a UserIdentity event with the same Agent ID, UserSid and AuthenticationId. Looking at a UserSid can tell you the user a process is running as, but without also looking at the AuthenticationId you will not be able to determine the full security context information.

For hostname/computername you can correlate the aid (agent id) with the aid_master file.
With FDR, in addition to the events listed in the Events Data Dictionary, Falcon Insight customers can optionally request these events:
• aid_master (hosts)
• managedassets
• notmanaged

While we do not have an elegant solution to enrich these events today with hostname/username, this issue is intended to track our progress on researching possible solutions/workarounds.
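A worked version of the two correlations described above, added here as an example and not part of the issue or of the FDR integration's code: constructed ProcessRollup2 events are enriched from UserIdentity (joined on aid, UserSid and AuthenticationId) and from aid_master (joined on aid). The field names ComputerName and UserName, and every record value, are assumptions.

```python
"""Enrich FDR ProcessRollup2 events with hostname and username (added example).

Join keys follow the issue text: UserIdentity matched on (aid, UserSid,
AuthenticationId); aid_master matched on aid. ASSUMED field names:
ComputerName in aid_master, UserName in UserIdentity. All rows are constructed.
"""

# Constructed aid_master rows (hypothetical aids and hostnames).
AID_MASTER = [
    {"aid": "aid-01", "ComputerName": "WS-01"},
    {"aid": "aid-02", "ComputerName": "WS-02"},
]

# Constructed UserIdentity events: one per logon session (aid, UserSid, AuthenticationId).
USER_IDENTITY = [
    {"event_simpleName": "UserIdentity", "aid": "aid-01",
     "UserSid": "S-1-5-21-1", "AuthenticationId": "0x3e7", "UserName": "alice"},
    {"event_simpleName": "UserIdentity", "aid": "aid-02",
     "UserSid": "S-1-5-21-1", "AuthenticationId": "0x1a2b", "UserName": "bob"},
]

# Constructed ProcessRollup2 events to enrich.
PROCESS_ROLLUP = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-01",
     "UserSid": "S-1-5-21-1", "AuthenticationId": "0x3e7", "ImageFileName": "cmd.exe"},
    # Same SID but a different AuthenticationId: another session, so a SID-only
    # join would wrongly attribute this process to alice.
    {"event_simpleName": "ProcessRollup2", "aid": "aid-01",
     "UserSid": "S-1-5-21-1", "AuthenticationId": "0x9999", "ImageFileName": "notepad.exe"},
    # aid missing from aid_master: hostname stays unknown.
    {"event_simpleName": "ProcessRollup2", "aid": "aid-99",
     "UserSid": "S-1-5-18", "AuthenticationId": "0x3e7", "ImageFileName": "svchost.exe"},
]

def build_lookups(aid_master, user_identity):
    """Build aid -> hostname and (aid, UserSid, AuthenticationId) -> username maps."""
    hosts = {row["aid"]: row["ComputerName"] for row in aid_master}
    users = {(ev["aid"], ev["UserSid"], ev["AuthenticationId"]): ev["UserName"]
             for ev in user_identity if ev.get("event_simpleName") == "UserIdentity"}
    return hosts, users

def enrich(events, hosts, users):
    """Return copies of events with hostname/username added; None when no match."""
    enriched = []
    for ev in events:
        out = dict(ev)
        out["hostname"] = hosts.get(ev.get("aid"))
        out["username"] = users.get((ev.get("aid"), ev.get("UserSid"), ev.get("AuthenticationId")))
        enriched.append(out)
    return enriched
```

Events with no matching UserIdentity or aid_master row keep None in the added fields rather than a guessed value, so a downstream rule can tell "unknown" from "wrong".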
