id: 5fbb24dd-7089-43fd-ba32-27e944e8c6aa Function: Title: Union Parser for all CrowdStrike Falcon Data Replicator V1 and V2 events Version: '2.0.0' LastUpdated: Jun 31st 2023 Category: CrowdStrikeParser FunctionName: CrowdStrikeReplicator FunctionAlias: CrowdStrikeReplicator FunctionParams: - Name: starttime Type: datetime Default: datetime(null) - Name: endtime Type: datetime Default: datetime(null) FunctionQuery: | let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null) ) { let CrowdStrikeFDRv1Schema = datatable( TimeGenerated: datetime, Type: string, timestamp_t: datetime, aip_s: string, aid_g: guid, EventType_s: string, LogonType_s: string, HostProcessType_s: string, UserPrincipal_s: string, DomainName_s: string, RemoteAddressIP_s: string, ConnectionDirection_s: string, TargetFileName_s: string, LocalAddressIP4_s: string, IsOnRemovableDisk_s: string, UserIsAdmin_s: string, LogonTime_s: string, LogonDomain_s: string, RemoteAccount_s: string, UserId_s: string, Prevalence_s: string, CurrentProcess_s: string, event_simpleName_s: string, TargetProcessId_s: string, ProcessStartTime_s: string, UserName_s: string, DeviceProductId_s: string, TargetSHA256HashData_s: string, SHA256HashData_s: string, MD5HashData_g: guid, TargetDirectoryName_s: string, FirewallRule_s: string, TaskName_s: string, TaskExecCommand_s: string, TargetAddress_s: string, SourceFileName_s: string, RegObjectName_s: string, RegValueName_g: guid, ServiceObjectName_s: string, RegistryPath_s: string, RawProcessId_s: string, event_platform_s: string, CommandLine_s: string, ParentProcessId_s: string, ParentCommandLine_s: string, ParentBaseFileName_s: string, GrandParentBaseFileName_s: string, RemotePort_s: string, VolumeDeviceType_s: string, VolumeName_s: string, ClientComputerName_s: string, ProductId_s: string, ComputerName_s: string, custom_fields_message_s: string )[]; let CrowdStrikeFDRv1Events = union isfuzzy = true CrowdStrikeFDRv1Schema, CrowdstrikeReplicatorLogs_CL | where (isnull(starttime) or TimeGenerated >= endtime) and (isnull(starttime) or TimeGenerated <= endtime) | extend customFields = parse_json(custom_fields_message_s) | extend EventMessage = tostring(event_simpleName_s), ContextTimeStamp = toreal(timestamp_t), Aip = aip_s, DvcInterfaceGuid = column_ifexists('aid_g', ''), EventType = tostring(EventType_s), LogonType = tostring(LogonType_s), HostProcessType = tostring(HostProcessType_s), UserPrincipal = tostring(UserPrincipal_s), DomainName = tostring(DomainName_s), RemoteAddressIP = tostring(RemoteAddressIP_s), ConnectionDirection = tostring(ConnectionDirection_s), TargetFileName = tostring(TargetFileName_s), LocalAddressIP4 = tostring(LocalAddressIP4_s), IsOnRemovableDisk = tostring(IsOnRemovableDisk_s), UserIsAdmin = tostring(UserIsAdmin_s), LogonTime = column_ifexists('LogonTime_s', ''), LogonDomain = tostring(LogonDomain_s), RemoteAccount = tostring(RemoteAccount_s), UserId = tostring(UserId_s), Prevalence = tostring(Prevalence_s), CurrentProcess = tostring(CurrentProcess_s), TargetProcessId = tostring(TargetProcessId_s), ProcessStartTime = column_ifexists('ProcessStartTime_s', ''), UserName = tostring(UserName_s), DeviceProductId = tostring(DeviceProductId_s), TargetSHA256HashData = tostring(TargetSHA256HashData_s), SHA256HashData = tostring(SHA256HashData_s), MD5HashData = column_ifexists('MD5HashData_g', column_ifexists('MD5HashData_s', '')), TargetDirectoryName = tostring(TargetDirectoryName_s), FirewallRule = tostring(FirewallRule_s), TaskName = tostring(TaskName_s), TaskExecCommand = tostring(TaskExecCommand_s), TargetAddress = tostring(TargetAddress_s), SourceFileName = tostring(SourceFileName_s), RegObjectName = tostring(RegObjectName_s), RegValueName = column_ifexists('RegValueName_g', ''), ServiceObjectName = tostring(ServiceObjectName_s), RegistryPath = tostring(RegistryPath_s), RawProcessId = tostring(RawProcessId_s), event_platform = tostring(event_platform_s), CommandLine = tostring(CommandLine_s), ParentProcessId = tostring(ParentProcessId_s), ParentCommandLine = tostring(ParentCommandLine_s), ParentBaseFileName = tostring(ParentBaseFileName_s), GrandParentBaseFileName = tostring(GrandParentBaseFileName_s), RemotePort = tostring(RemotePort_s), VolumeDeviceType = tostring(VolumeDeviceType_s), VolumeName = tostring(VolumeName_s), ClientComputerName = tostring(ClientComputerName_s), ProductId = tostring(ProductId_s), ComputerName = tostring(ComputerName_s), FileMode = tostring(customFields.FileMode), DeviceSerialNumber = tostring(customFields.DeviceSerialNumber), IcmpCode = tostring(customFields.IcmpCode), IcmpType = tostring(customFields.IcmpType), LastUpdateInstalledTime = tostring(customFields.LastUpdateInstalledTime), RebootRequired = tostring(customFields.RebootRequired), PendingUpdateIds = tostring(customFields.PendingUpdateIds), InstalledUpdateIds = tostring(customFields.InstalledUpdateIds), InstalledUpdateExtendedStatus = tostring(customFields.InstalledUpdateExtendedStatus), SupersededUpdateIds = tostring(customFields.SupersededUpdateIds), ConfigurationDescriptorValue = tostring(customFields.ConfigurationDescriptorValue), ConfigurationDescriptorAttributes = tostring(customFields.ConfigurationDescriptorAttributes), DeviceDescriptorUniqueIdentifier = tostring(customFields.DeviceDescriptorUniqueIdentifier), ConfigurationDescriptorName = tostring(customFields.ConfigurationDescriptorName), ConfigurationDescriptorNumInterfaces = tostring(customFields.ConfigurationDescriptorNumInterfaces), ConfigurationDescriptorMaxPowerDraw = tostring(customFields.ConfigurationDescriptorMaxPowerDraw), ScreenshotsTakenCount = tostring(customFields.ScreenshotsTakenCount), ExitCode = tostring(customFields.ExitCode), DstUserIdentity = tostring(customFields.DstUserIdentity), NetworkListenCount = tostring(customFields.NetworkListenCount), SuspiciousRawDiskReadCount = tostring(customFields.SuspiciousRawDiskReadCount), NetworkBindCount = tostring(customFields.NetworkBindCount), NetworkRecvAcceptCount = tostring(customFields.NetworkRecvAcceptCount), ContextData = tostring(customFields.ContextData), Id = tostring(customFields.Id), NewExecutableWrittenCount = tostring(customFields.NewExecutableWrittenCount), ExeAndServiceCount = tostring(customFields.ExeAndServiceCount), NetworkCloseCount = tostring(customFields.NetworkCloseCount), SuspectStackCount = tostring(customFields.SuspectStackCount), CLICreationCount = tostring(customFields.CLICreationCount), UnsignedModuleLoadCount = tostring(customFields.UnsignedModuleLoadCount), UserTime = tostring(customFields.UserTime), AllocateVirtualMemoryCount = tostring(customFields.AllocateVirtualMemoryCount), ContextProcessId = tostring(customFields.ContextProcessId), ServiceEventCount = tostring(customFields.ServiceEventCount), SnapshotFileOpenCount = tostring(customFields.SnapshotFileOpenCount), RemovableDiskFileWrittenCount = tostring(customFields.RemovableDiskFileWrittenCount), InjectedDllCount = tostring(customFields.InjectedDllCount), ModuleLoadCount = tostring(customFields.ModuleLoadCount), UserMemoryProtectExecutableCount = tostring(customFields.UserMemoryProtectExecutableCount), NetworkCapableAsepWriteCount = tostring(customFields.NetworkCapableAsepWriteCount), DnsRequestCount = tostring(customFields.DnsRequestCount), ArchiveFileWrittenCount = tostring(customFields.ArchiveFileWrittenCount), Entitlements = tostring(customFields.Entitlements), Name = tostring(customFields.Name), SetThreadContextCount = tostring(customFields.SetThreadContextCount), SuspiciousCredentialModuleLoadCount = tostring(customFields.SuspiciousCredentialModuleLoadCount), Cid = tostring(customFields.Cid), FileDeletedCount = tostring(customFields.FileDeletedCount), UserMemoryAllocateExecutableCount = tostring(customFields.UserMemoryAllocateExecutableCount), DirectoryCreatedCount = tostring(customFields.DirectoryCreatedCount), NetworkConnectCountUdp = tostring(customFields.NetworkConnectCountUdp), QueueApcCount = tostring(customFields.QueueApcCount), ContextThreadId = tostring(customFields.ContextThreadId), SuspiciousFontLoadCount = tostring(customFields.SuspiciousFontLoadCount), ConHostId = tostring(customFields.ConHostId), NetworkConnectCount = tostring(customFields.NetworkConnectCount), BinaryExecutableWrittenCount = tostring(customFields.BinaryExecutableWrittenCount), CycleTime = tostring(customFields.CycleTime), DvcOs = tostring(customFields.DvcOs), ConHostProcessId = tostring(customFields.ConHostProcessId), PrivilegedProcessHandleCount = tostring(customFields.PrivilegedProcessHandleCount), MaxThreadCount = tostring(customFields.MaxThreadCount), ImageSubsystem = tostring(customFields.ImageSubsystem), GenericFileWrittenCount = tostring(customFields.GenericFileWrittenCount), EffectiveTransmissionClass = tostring(customFields.EffectiveTransmissionClass), ScriptEngineInvocationCount = tostring(customFields.ScriptEngineInvocationCount), RunDllInvocationCount = tostring(customFields.RunDllInvocationCount), CreateProcessCount = toreal(customFields.CreateProcessCount), KernelTime = tostring(customFields.KernelTime), DirectoryEnumeratedCount = tostring(customFields.DirectoryEnumeratedCount), ConfigStateHash = tostring(customFields.ConfigStateHash), AsepWrittenCount = tostring(customFields.AsepWrittenCount), SuspiciousDnsRequestCount = tostring(customFields.SuspiciousDnsRequestCount), DocumentFileWrittenCount = tostring(customFields.DocumentFileWrittenCount), ProtectVirtualMemoryCount = tostring(customFields.ProtectVirtualMemoryCount), ProcessHashSha256 = tostring(customFields.ProcessHashSha256), UserMemoryProtectExecutableRemoteCount = tostring(customFields.UserMemoryProtectExecutableRemoteCount), ConfigBuild = tostring(customFields.ConfigBuild), UserMemoryAllocateExecutableRemoteCount = tostring(customFields.UserMemoryAllocateExecutableRemoteCount), ExecutableDeletedCount = tostring(customFields.ExecutableDeletedCount), RegKeySecurityDecreasedCount = tostring(customFields.RegKeySecurityDecreasedCount), InjectedThreadCount = tostring(customFields.InjectedThreadCount), NetworkModuleLoadCount = tostring(customFields.NetworkModuleLoadCount), WindowTitle = tostring(customFields.WindowTitle), ProcessCreateFlags = tostring(customFields.ProcessCreateFlags), IntegrityLevel = tostring(customFields.IntegrityLevel), SourceProcessId = tostring(customFields.SourceProcessId), ProcessHashSha1 = tostring(customFields.ProcessHashSha1), TokenType = tostring(customFields.TokenType), ProcessEndTime = toreal(customFields.ProcessEndTime), AuthenticodeHashData = tostring(customFields.AuthenticodeHashData), SessionId = tostring(customFields.SessionId), Tags = tostring(customFields.Tags), ProcessHashMd5 = tostring(customFields.ProcessHashMd5), ProcessSxsFlags = tostring(customFields.ProcessSxsFlags), AuthenticationId = tostring(customFields.AuthenticationId), WindowFlags = tostring(customFields.WindowFlags), ProcessCommandLine = tostring(customFields.ProcessCommandLine), ParentAuthenticationId = tostring(customFields.ParentAuthenticationId), FileName = tostring(customFields.FileName), SourceThreadId = tostring(customFields.SourceThreadId), ProcessParameterFlags = tostring(customFields.ProcessParameterFlags), SignInfoFlags = tostring(customFields.SignInfoFlags), ChannelVersion = tostring(customFields.ChannelVersion), ChannelVersionRequired = tostring(customFields.ChannelVersionRequired), ChannelId = tostring(customFields.ChannelId), DnsResponseType = tostring(customFields.DnsResponseType), IP4Records = tostring(customFields.IP4Records), CNAMERecords = tostring(customFields.CNAMERecords), QueryStatus = tostring(customFields.QueryStatus), InterfaceIndex = tostring(customFields.InterfaceIndex), DualRequest = tostring(customFields.DualRequest), FirstIP4Record = tostring(customFields.FirstIP4Record), UrlDomain = tostring(customFields.UrlDomain), RespondingDnsServer = tostring(customFields.RespondingDnsServer), RequestType = tostring(customFields.RequestType), FirewallRuleId = tostring(customFields.FirewallRuleId), Options = tostring(customFields.Options), MinorFunction = tostring(customFields.MinorFunction), FileIdentifier = tostring(customFields.FileIdentifier), Information = tostring(customFields.Information), ShareAccess = tostring(customFields.ShareAccess), FileObject = tostring(customFields.FileObject), FilePermission = tostring(customFields.FilePermission), Status = tostring(customFields.Status), IrpFlags = tostring(customFields.IrpFlags), MajorFunction = tostring(customFields.MajorFunction), DesiredAccess = tostring(customFields.DesiredAccess), OperationFlags = tostring(customFields.OperationFlags), CallStackModuleNamesVersion = tostring(customFields.CallStackModuleNamesVersion), CsaProcessDataCollectionInstanceId = tostring(customFields.CsaProcessDataCollectionInstanceId), CallStackModuleNames = tostring(customFields.CallStackModuleNames), CreateProcessType = tostring(customFields.CreateProcessType), EtwRawProcessId = tostring(customFields.EtwRawProcessId), EventMax = tostring(customFields.EventMax), EtwRawThreadId = tostring(customFields.EtwRawThreadId), Flags = tostring(customFields.Flags), EventMin = tostring(customFields.EventMin), RawThreadId = tostring(customFields.RawThreadId), SrcIpAddr = tostring(customFields.SrcIpAddr), ConnectionFlags = tostring(customFields.ConnectionFlags), DstIpPort = tostring(customFields.DstIpPort), SrcIpPort = tostring(customFields.SrcIpPort), Protocol = tostring(customFields.Protocol), DstIpAddr = tostring(customFields.DstIpAddr), InContext = tostring(customFields.InContext), NetworkContainmentState = tostring(customFields.NetworkContainmentState), ConfigIDBase = tostring(customFields.ConfigIDBase), SensorStateBitMap = tostring(customFields.SensorStateBitMap), ConfigurationVersion = tostring(customFields.ConfigurationVersion), ConfigIDPlatform = tostring(customFields.ConfigIDPlatform), ConfigIDBuild = tostring(customFields.ConfigIDBuild), ProvisionState = tostring(customFields.ProvisionState), Size = tostring(customFields.Size), IsOnNetwork = tostring(customFields.IsOnNetwork), DiskParentDeviceInstanceId = tostring(customFields.DiskParentDeviceInstanceId), TemporaryFileName = tostring(customFields.TemporaryFileName), FileEcpBitmask = tostring(customFields.FileEcpBitmask), ModuleCharacteristics = tostring(customFields.ModuleCharacteristics), OriginalEventTimeStamp = tostring(customFields.OriginalEventTimeStamp), MappedFromUserMode = tostring(customFields.MappedFromUserMode), TreeId = tostring(customFields.TreeId), PrimaryModule = tostring(customFields.PrimaryModule), LogoffTime = tostring(customFields.LogoffTime), UserFlags = tostring(customFields.UserFlags), LogonServer = tostring(customFields.LogonServer), DstUserName = tostring(customFields.DstUserName), AuthenticationPackage = tostring(customFields.AuthenticationPackage), PasswordLastSet = tostring(customFields.PasswordLastSet), UserLogoffType = tostring(customFields.UserLogoffType), UserLogonFlags = tostring(customFields.UserLogonFlags), Parameter2 = tostring(customFields.Parameter2), Parameter1 = tostring(customFields.Parameter1), Parameter3 = tostring(customFields.Parameter3), Line = tostring(customFields.Line), ErrorStatus = tostring(customFields.ErrorStatus), Facility = tostring(customFields.Facility), File = tostring(customFields.File), PublicKeys = tostring(customFields.PublicKeys), HandleCreated = tostring(customFields.HandleCreated), ExtendedKeyUsages = tostring(customFields.ExtendedKeyUsages), FileSigningTime = tostring(customFields.FileSigningTime), Object1Name = tostring(customFields.Object1Name), Object1Type = tostring(customFields.Object1Type), Certificate = tostring(customFields.Certificate), RpcClientProcessId = tostring(customFields.RpcClientProcessId), SyntheticPR2Flags = tostring(customFields.SyntheticPR2Flags), MachOSubType = tostring(customFields.MachOSubType), SessionProcessId = tostring(customFields.SessionProcessId), SVUID = tostring(customFields.SVUID), ProcessGroupId = tostring(customFields.ProcessGroupId), GID = tostring(customFields.GID), SVGID = tostring(customFields.SVGID), UID = tostring(customFields.UID), RGID = tostring(customFields.RGID), RUID = tostring(customFields.RUID), NeighborList = tostring(customFields.NeighborList), DownloadServer = tostring(customFields.DownloadServer), DownloadPath = tostring(customFields.DownloadPath), DownloadPort = tostring(customFields.DownloadPort), CompletionEventId = tostring(customFields.CompletionEventId), IsTransactedFile = tostring(customFields.IsTransactedFile), WindowStation = tostring(customFields.WindowStation), BoundingLimitCount = tostring(customFields.BoundingLimitCount), ProcessBehaviorBitfield = tostring(customFields.ProcessBehaviorBitfield), Desktop = tostring(customFields.Desktop), PatternId = tostring(customFields.PatternId), ExclusionType = tostring(customFields.ExclusionType), ExclusionSource = tostring(customFields.ExclusionSource), DriverLoadFlags = tostring(customFields.DriverLoadFlags), CompanyName = tostring(customFields.CompanyName), OriginalFilename = tostring(customFields.OriginalFilename), FileVersion = tostring(customFields.FileVersion), ShowWindowFlags = tostring(customFields.ShowWindowFlags), ThreadStartAddress = tostring(customFields.ThreadStartAddress), InjectedThreadFlag = tostring(customFields.InjectedThreadFlag), UserThread = tostring(customFields.UserThread), TargetThreadModule = tostring(customFields.TargetThreadModule), TargetThreadId = tostring(customFields.TargetThreadId), ThreadStartContext = tostring(customFields.ThreadStartContext), SourceThreadStartAddress = tostring(customFields.SourceThreadStartAddress), InterfaceGuid = tostring(customFields.InterfaceGuid), InterfaceVersion = tostring(customFields.InterfaceVersion), RpcClientThreadId = tostring(customFields.RpcClientThreadId), TaskXml = tostring(customFields.TaskXml), TaskAuthor = tostring(customFields.TaskAuthor), RpcOpNum = tostring(customFields.RpcOpNum), TaskExecArguments = tostring(customFields.TaskExecArguments), RpcNestingLevel = tostring(customFields.RpcNestingLevel), ErrorLocation = tostring(customFields.ErrorLocation), ErrorReason = tostring(customFields.ErrorReason), Parameter64_1 = tostring(customFields.Parameter64_1), ErrorSource = tostring(customFields.ErrorSource), ParameterSizedBuffer_1 = tostring(customFields.ParameterSizedBuffer_1), ErrorCode = tostring(customFields.ErrorCode), DeviceVersion = tostring(customFields.DeviceVersion), DeviceTimeStamp = toreal(customFields.DeviceTimeStamp), DeviceInstanceId = tostring(customFields.DeviceInstanceId), DeviceDescriptorSetHash = tostring(customFields.DeviceDescriptorSetHash), DeviceVendorId = tostring(customFields.DeviceVendorId), DeviceManufacturer = tostring(customFields.DeviceManufacturer), DeviceProduct = tostring(customFields.DeviceProduct), GroupRid = tostring(customFields.GroupRid), UserRid = tostring(customFields.UserRid), DomainSid = tostring(customFields.DomainSid), LightningLatencyState = tostring(customFields.LightningLatencyState), UnixMode = tostring(customFields.UnixMode), VnodeType = tostring(customFields.VnodeType), ApiReturnValue = tostring(customFields.ApiReturnValue), ServiceDisplayName = tostring(customFields.ServiceDisplayName), LinkName = tostring(customFields.LinkName), VersionInfo = tostring(customFields.VersionInfo), LanguageId = tostring(customFields.LanguageId), AsepFlags = tostring(customFields.AsepFlags), Data1 = tostring(customFields.Data1), RegOperationType = tostring(customFields.RegOperationType), ProcessArgs = tostring(customFields.ProcessArgs), RegStringValue = tostring(customFields.RegStringValue), RegType = tostring(customFields.RegType), AsepClass = tostring(customFields.AsepClass), AsepIndex = tostring(customFields.AsepIndex), AsepValueType = tostring(customFields.AsepValueType), LocalSession = tostring(customFields.LocalSession), DstDvcHostname = tostring(customFields.DstDvcHostname), PrivilegesBitmask = tostring(customFields.PrivilegesBitmask), EnabledPrivilegesBitmask = tostring(customFields.EnabledPrivilegesBitmask), UserGroupsBitmask = tostring(customFields.UserGroupsBitmask), Timeout = tostring(customFields.Timeout), ProcessCount = tostring(customFields.ProcessCount), SuppressType = tostring(customFields.SuppressType), BoundedCount = tolong(customFields.BoundedCount), IP6Records = tostring(customFields.IP6Records), FirstIP6Record = tostring(customFields.FirstIP6Record), WmiQuery = tostring(customFields.WmiQuery), WmiNamespaceName = tostring(customFields.WmiNamespaceName), RegClassificationIndex = tostring(customFields.RegClassificationIndex), RegClassificationFlags = tostring(customFields.RegClassificationFlags), RegClassification = tostring(customFields.RegClassification), SystemTableIndex = tostring(customFields.SystemTableIndex), ScreenshotType = tostring(customFields.ScreenshotType), SubStatus = tostring(customFields.SubStatus), UmppaInjectAbortCount = tostring(customFields.UmppaInjectAbortCount), UmppaInjectFailedCount = tostring(customFields.UmppaInjectFailedCount), UmppaInjectionType = tostring(customFields.UmppaInjectionType), UmppaInjectLoadFailCount = tostring(customFields.UmppaInjectLoadFailCount), UmppaInjectCfgCheckCount = tostring(customFields.UmppaInjectCfgCheckCount), UmppaInjectExtensionErrorCount = tostring(customFields.UmppaInjectExtensionErrorCount), UmppaInjectInvalidThreadCount = tostring(customFields.UmppaInjectInvalidThreadCount), UmppaInjectFileSectionCount = tostring(customFields.UmppaInjectFileSectionCount), TotalCount = tostring(customFields.TotalCount), UmppaInjectLoadErrorCount = tostring(customFields.UmppaInjectLoadErrorCount), UmppaInjectBadAlertCount = tostring(customFields.UmppaInjectBadAlertCount), UmppaInjectApcInsertionCount = tostring(customFields.UmppaInjectApcInsertionCount), UmppaInjectCopyFailCount = tostring(customFields.UmppaInjectCopyFailCount), RegNumericValue = tostring(customFields.RegNumericValue), VolumeDriveLetter = tostring(customFields.VolumeDriveLetter), VolumeSnapshotName = tostring(customFields.VolumeSnapshotName), UserCanonical = tostring(customFields.UserCanonical), LogonId = tostring(customFields.LogonId), ConfigStateData = tostring(customFields.ConfigStateData), FirewallProfile = tostring(customFields.FirewallProfile), FirewallOption = tostring(customFields.FirewallOption), FirewallOptionNumericValue = tostring(customFields.FirewallOptionNumericValue), SmbShareName = tostring(customFields.SmbShareName), IsCpuDataCommonOnAllCores = tostring(customFields.IsCpuDataCommonOnAllCores), SpibarDataFrap = tostring(customFields.SpibarDataFrap), EfiVariableDbxSha256Hash = tostring(customFields.EfiVariableDbxSha256Hash), PciConfigDataBgsm = tostring(customFields.PciConfigDataBgsm), PciConfigDataDpr = tostring(customFields.PciConfigDataDpr), CpuDataCommonSmrrSupported = tostring(customFields.CpuDataCommonSmrrSupported), SpibarDataHsfc = tostring(customFields.SpibarDataHsfc), EfiVariableSecureBoot = tostring(customFields.EfiVariableSecureBoot), PciConfigDataMesegMask = tostring(customFields.PciConfigDataMesegMask), PciConfigDataTolud = tostring(customFields.PciConfigDataTolud), EfiVariableDbxAttributes = tostring(customFields.EfiVariableDbxAttributes), PciConfigDataPavpc = tostring(customFields.PciConfigDataPavpc), EfiVariableCustomModeAttributes = tostring(customFields.EfiVariableCustomModeAttributes), SpibarDataFreg3 = tostring(customFields.SpibarDataFreg3), SpibarDataFreg4 = tostring(customFields.SpibarDataFreg4), SpibarDataFreg1 = tostring(customFields.SpibarDataFreg1), SpibarDataFreg2 = tostring(customFields.SpibarDataFreg2), SpibarDataFreg0 = tostring(customFields.SpibarDataFreg0), EfiSupported = tostring(customFields.EfiSupported), EfiVariablePkAttributes = tostring(customFields.EfiVariablePkAttributes), CpuDataCommonPrmrrUncorePhysicalMask = tostring(customFields.CpuDataCommonPrmrrUncorePhysicalMask), PciConfigDataGenPmconA = tostring(customFields.PciConfigDataGenPmconA), PciConfigDataTsegmb = tostring(customFields.PciConfigDataTsegmb), SpibarDataVscc0 = tostring(customFields.SpibarDataVscc0), EfiVariablePkSha256Hash = tostring(customFields.EfiVariablePkSha256Hash), SpibarDataVscc1 = tostring(customFields.SpibarDataVscc1), CpuDataCommonSmrrPhysicalMask = tostring(customFields.CpuDataCommonSmrrPhysicalMask), NorthBridgeDeviceId = tostring(customFields.NorthBridgeDeviceId), IsNorthBridgeSupported = tostring(customFields.IsNorthBridgeSupported), PciConfigDataTom = tostring(customFields.PciConfigDataTom), EfiVariableKekSha256Hash = tostring(customFields.EfiVariableKekSha256Hash), SouthBridgeVendorId = tostring(customFields.SouthBridgeVendorId), EfiVariableSignatureSupport = tostring(customFields.EfiVariableSignatureSupport), MmioDataTco1Cnt = tostring(customFields.MmioDataTco1Cnt), EfiVariableKekAttributes = tostring(customFields.EfiVariableKekAttributes), FirmwareAnalysisCpuSupported = tostring(customFields.FirmwareAnalysisCpuSupported), MmioDataSmiEn = tostring(customFields.MmioDataSmiEn), CpuDataCommonPrmrrUncoreSupported = tostring(customFields.CpuDataCommonPrmrrUncoreSupported), NorthBridgeVendorId = tostring(customFields.NorthBridgeVendorId), CpuDataCommonMsrApicBase = tostring(customFields.CpuDataCommonMsrApicBase), EfiVariableDbAttributes = tostring(customFields.EfiVariableDbAttributes), SpibarDataPr2 = tostring(customFields.SpibarDataPr2), SpibarDataBfpr = tostring(customFields.SpibarDataBfpr), SpibarDataPr1 = tostring(customFields.SpibarDataPr1), EfiVariableSecureBootAttributes = tostring(customFields.EfiVariableSecureBootAttributes), SpibarDataPr0 = tostring(customFields.SpibarDataPr0), IsSouthBridgeSupported = tostring(customFields.IsSouthBridgeSupported), PciConfigDataHfsts1 = tostring(customFields.PciConfigDataHfsts1), CpuDataCommonMsrFeatureControl = tostring(customFields.CpuDataCommonMsrFeatureControl), PciConfigDataRemaplimit = tostring(customFields.PciConfigDataRemaplimit), CpuDataCommonSiliconDebugFeatureControl = tostring(customFields.CpuDataCommonSiliconDebugFeatureControl), CpuDataCommonSmrrPhysicalBase = tostring(customFields.CpuDataCommonSmrrPhysicalBase), SouthBridgeDeviceId = tostring(customFields.SouthBridgeDeviceId), CpuDataCommonPrmrrPhysicalMask = tostring(customFields.CpuDataCommonPrmrrPhysicalMask), EfiVariableDbSha256Hash = tostring(customFields.EfiVariableDbSha256Hash), SpibarDataHsfs = tostring(customFields.SpibarDataHsfs), PciConfigDataRemapbase = tostring(customFields.PciConfigDataRemapbase), EfiVariableCustomMode = tostring(customFields.EfiVariableCustomMode), PciConfigDataGgc = tostring(customFields.PciConfigDataGgc), PciConfigDataTouud = tostring(customFields.PciConfigDataTouud), SpibarDataPr4 = tostring(customFields.SpibarDataPr4), SpibarDataPr3 = tostring(customFields.SpibarDataPr3), CpuDataCommonPrmrrSupported = tostring(customFields.CpuDataCommonPrmrrSupported), PciConfigDataSmramc = tostring(customFields.PciConfigDataSmramc), EfiVariableSignatureSupportAttributes = tostring(customFields.EfiVariableSignatureSupportAttributes), PciConfigDataBdsm = tostring(customFields.PciConfigDataBdsm), EfiVariableSetupModeAttributes = tostring(customFields.EfiVariableSetupModeAttributes), EfiVariableSetupMode = tostring(customFields.EfiVariableSetupMode), PciConfigDataBiosCntl = tostring(customFields.PciConfigDataBiosCntl), PciConfigDataMesegBase = tostring(customFields.PciConfigDataMesegBase), NewFileIdentifier = tostring(customFields.NewFileIdentifier), FeatureVector = tostring(customFields.FeatureVector), ModelPrediction = tostring(customFields.ModelPrediction), Malicious = tostring(customFields.Malicious), FeatureExtractionVersion = tostring(customFields.FeatureExtractionVersion), FXFileSize = tostring(customFields.FXFileSize), MLModelVersion = tostring(customFields.MLModelVersion), FontBufferLength = tostring(customFields.FontBufferLength), FontFileCount = tostring(customFields.FontFileCount), FontLoadOperation = tostring(customFields.FontLoadOperation), FontBuffer = tostring(customFields.FontBuffer), FontFileName = tostring(customFields.FontFileName), TemplateInstanceId = tostring(customFields.TemplateInstanceId), PatternDisposition = tostring(customFields.PatternDisposition), ServicePackMajor = tostring(customFields.ServicePackMajor), ProductSku = tostring(customFields.ProductSku), PointerSize = tostring(customFields.PointerSize), ProductName = tostring(customFields.ProductName), AgentVersion = tostring(customFields.AgentVersion), ServicePackMinor = tostring(customFields.ServicePackMinor), SuiteMask = tostring(customFields.SuiteMask), SubBuildNumber = tostring(customFields.SubBuildNumber), PlatformId = tostring(customFields.PlatformId), BuildType = tostring(customFields.BuildType), MajorVersion = tostring(customFields.MajorVersion), ProductType = tostring(customFields.ProductType), MinorVersion = tostring(customFields.MinorVersion), CheckedBuild = tostring(customFields.CheckedBuild), BuildNumber = tostring(customFields.BuildNumber), RFMState = tostring(customFields.RFMState), FirmwareAnalysisEclControlInterfaceVersion = tostring(customFields.FirmwareAnalysisEclControlInterfaceVersion), FirmwareAnalysisEclConsumerInterfaceVersion = tostring(customFields.FirmwareAnalysisEclConsumerInterfaceVersion), BootTimeFunctionalityLevel = tostring(customFields.BootTimeFunctionalityLevel), ReasonOfFunctionalityLevel = tostring(customFields.ReasonOfFunctionalityLevel), CurrentFunctionalityLevel = tostring(customFields.CurrentFunctionalityLevel), PciAttachmentState = tostring(customFields.PciAttachmentState), LocalAddressIP6 = tostring(customFields.LocalAddressIP6), RemoteAddressIP6 = tostring(customFields.RemoteAddressIP6), RegBinaryValue = tostring(customFields.RegBinaryValue), ServiceDescription = tostring(customFields.ServiceDescription), ServiceSecurity = tostring(customFields.ServiceSecurity), ServiceImagePath = tostring(customFields.ServiceImagePath), ServiceStart = tostring(customFields.ServiceStart), ServiceType = tostring(customFields.ServiceType), ServiceFailureActions = tostring(customFields.ServiceFailureActions), ServiceErrorControl = tostring(customFields.ServiceErrorControl), SymbolicLinkName = tostring(customFields.SymbolicLinkName), SymbolicLinkTarget = tostring(customFields.SymbolicLinkTarget), DevicePropertyClassName = tostring(customFields.DevicePropertyClassName), DeviceActiveConfigurationNumber = tostring(customFields.DeviceActiveConfigurationNumber), DevicePropertyClassGuid = tostring(customFields.DevicePropertyClassGuid), DeviceUsbSubclass = tostring(customFields.DeviceUsbSubclass), ParentHubInstanceId = tostring(customFields.ParentHubInstanceId), DeviceConnectionStatus = tostring(customFields.DeviceConnectionStatus), DeviceUsbClass = tostring(customFields.DeviceUsbClass), ParentHubPort = tostring(customFields.ParentHubPort), DevicePropertyManufacturer = tostring(customFields.DevicePropertyManufacturer), DevicePropertyLocationInformation = tostring(customFields.DevicePropertyLocationInformation), DeviceProtocol = tostring(customFields.DeviceProtocol), DevicePropertyDeviceDescription = tostring(customFields.DevicePropertyDeviceDescription), DeviceUsbVersion = tostring(customFields.DeviceUsbVersion), ModuleBaseAddress = tostring(customFields.ModuleBaseAddress), ModuleSize = tostring(customFields.ModuleSize), IsOnClearCaseMvfs = tostring(customFields.IsOnClearCaseMvfs), DllCharacteristics = tostring(customFields.DllCharacteristics), ActiveCpuCount = tostring(customFields.ActiveCpuCount), MemoryTotal = tostring(customFields.MemoryTotal), BillingType = tostring(customFields.BillingType), ConnectionCipher = tostring(customFields.ConnectionCipher), ConnectType = tostring(customFields.ConnectType), ConnectionProtocol = tostring(customFields.ConnectionProtocol), ConnectionHash = tostring(customFields.ConnectionHash), ConnectTime = tostring(customFields.ConnectTime), ConnectionHashStrength = tostring(customFields.ConnectionHashStrength), FailedConnectCount = tostring(customFields.FailedConnectCount), ConnectionCipherStrength = tostring(customFields.ConnectionCipherStrength), ConnectionExchangeStrength = tostring(customFields.ConnectionExchangeStrength), ConnectionExchange = tostring(customFields.ConnectionExchange), PreviousConnectTime = tostring(customFields.PreviousConnectTime), FalconServiceServletErrors = tostring(customFields.FalconServiceServletErrors), FalconServiceComponent = tostring(customFields.FalconServiceComponent), FalconServiceServletStarts = tostring(customFields.FalconServiceServletStarts), FalconServiceState = tostring(customFields.FalconServiceState), ScriptContent = tostring(customFields.ScriptContent), OriginalContentLength = tostring(customFields.OriginalContentLength), ScriptingLanguageId = tostring(customFields.ScriptingLanguageId), ParentImageFileName = tostring(customFields.ParentImageFileName), GrandparentImageFileName = tostring(customFields.GrandparentImageFileName), ScriptContentName = tostring(customFields.ScriptContentName), ProcessParentCommandLine = tostring(customFields.ProcessParentCommandLine), ContentSHA256HashData = tostring(customFields.ContentSHA256HashData), ProcessGrandparentCommandLine = tostring(customFields.ProcessGrandparentCommandLine), ThreatFirstReportedTime = tostring(customFields.ThreatFirstReportedTime), ThreatLastReportedTime = tostring(customFields.ThreatLastReportedTime), ThreatOriginalRiskLevel = toint(customFields.ThreatOriginalRiskLevel) | project TimeGenerated, FileMode, DeviceSerialNumber, IcmpCode, IcmpType, LastUpdateInstalledTime, RebootRequired, PendingUpdateIds, InstalledUpdateIds, InstalledUpdateExtendedStatus, SupersededUpdateIds, ConfigurationDescriptorValue, ConfigurationDescriptorAttributes, DeviceDescriptorUniqueIdentifier, ConfigurationDescriptorName, ConfigurationDescriptorNumInterfaces, ConfigurationDescriptorMaxPowerDraw, ScreenshotsTakenCount, ExitCode, ParentProcessId, DstUserIdentity, NetworkListenCount, SuspiciousRawDiskReadCount, NetworkBindCount, NetworkRecvAcceptCount, ContextData, Id, NewExecutableWrittenCount, ExeAndServiceCount, NetworkCloseCount, SuspectStackCount, CLICreationCount, UnsignedModuleLoadCount, UserTime, EventMessage, RawProcessId, ContextTimeStamp, AllocateVirtualMemoryCount, ContextProcessId, ServiceEventCount, SnapshotFileOpenCount, RemovableDiskFileWrittenCount, InjectedDllCount, ModuleLoadCount, UserMemoryProtectExecutableCount, NetworkCapableAsepWriteCount, TargetProcessId, DnsRequestCount, ArchiveFileWrittenCount, Entitlements, Name, ProcessStartTime, SetThreadContextCount, SuspiciousCredentialModuleLoadCount, DvcInterfaceGuid, Cid, FileDeletedCount, UserMemoryAllocateExecutableCount, DirectoryCreatedCount, NetworkConnectCountUdp, QueueApcCount, ContextThreadId, Aip, SuspiciousFontLoadCount, ConHostId, NetworkConnectCount, BinaryExecutableWrittenCount, CycleTime, DvcOs, ConHostProcessId, PrivilegedProcessHandleCount, MaxThreadCount, ImageSubsystem, GenericFileWrittenCount, EffectiveTransmissionClass, ScriptEngineInvocationCount, RunDllInvocationCount, CreateProcessCount, KernelTime, DirectoryEnumeratedCount, ConfigStateHash, AsepWrittenCount, SuspiciousDnsRequestCount, DocumentFileWrittenCount, ProtectVirtualMemoryCount, ProcessHashSha256, UserMemoryProtectExecutableRemoteCount, ConfigBuild, UserMemoryAllocateExecutableRemoteCount, ExecutableDeletedCount, RegKeySecurityDecreasedCount, InjectedThreadCount, NetworkModuleLoadCount, WindowTitle, ProcessCreateFlags, IntegrityLevel, SourceProcessId, ProcessHashSha1, TokenType, ProcessEndTime, AuthenticodeHashData, ParentBaseFileName, SessionId, Tags, ProcessHashMd5, ProcessSxsFlags, AuthenticationId, WindowFlags, ProcessCommandLine, ParentAuthenticationId, FileName, SourceThreadId, ProcessParameterFlags, SignInfoFlags, ChannelVersion, ChannelVersionRequired, ChannelId, DnsResponseType, IP4Records, CNAMERecords, QueryStatus, InterfaceIndex, DualRequest, FirstIP4Record, UrlDomain, RespondingDnsServer, RequestType, FirewallRuleId, Options, MinorFunction, FileIdentifier, Information, ShareAccess, FileObject, FilePermission, Status, IrpFlags, MajorFunction, DesiredAccess, OperationFlags, TargetFileName, CallStackModuleNamesVersion, CsaProcessDataCollectionInstanceId, CallStackModuleNames, CreateProcessType, EtwRawProcessId, EventMax, EtwRawThreadId, Flags, EventMin, RawThreadId, SrcIpAddr, ConnectionFlags, DstIpPort, SrcIpPort, Protocol, DstIpAddr, ConnectionDirection, InContext, NetworkContainmentState, ConfigIDBase, SensorStateBitMap, ConfigurationVersion, ConfigIDPlatform, ConfigIDBuild, ProvisionState, Size, IsOnNetwork, DiskParentDeviceInstanceId, TemporaryFileName, FileEcpBitmask, IsOnRemovableDisk, ModuleCharacteristics, OriginalEventTimeStamp, MappedFromUserMode, TreeId, PrimaryModule, UserIsAdmin, LogoffTime, LogonTime, LogonDomain, RemoteAccount, UserFlags, LogonServer, DstUserName, LogonType, AuthenticationPackage, UserPrincipal, PasswordLastSet, UserLogoffType, UserLogonFlags, Parameter2, Parameter1, Parameter3, Line, ErrorStatus, Facility, File, PublicKeys, HandleCreated, ExtendedKeyUsages, FileSigningTime, Object1Name, Object1Type, Certificate, RpcClientProcessId, SyntheticPR2Flags, MachOSubType, SessionProcessId, SVUID, ProcessGroupId, GID, SVGID, UID, RGID, RUID, NeighborList, DownloadServer, DownloadPath, DownloadPort, CompletionEventId, IsTransactedFile, WindowStation, BoundingLimitCount, ProcessBehaviorBitfield, Desktop, PatternId, ExclusionType, ExclusionSource, DriverLoadFlags, CompanyName, OriginalFilename, FileVersion, GrandParentBaseFileName, ShowWindowFlags, ThreadStartAddress, InjectedThreadFlag, UserThread, TargetThreadModule, TargetThreadId, ThreadStartContext, SourceThreadStartAddress, InterfaceGuid, InterfaceVersion, RpcClientThreadId, TaskXml, TaskAuthor, TaskName, RpcOpNum, TaskExecArguments, TaskExecCommand, RpcNestingLevel, ErrorLocation, ErrorReason, Parameter64_1, ErrorSource, ParameterSizedBuffer_1, ErrorCode, DeviceProductId, DeviceVersion, DeviceTimeStamp, DeviceInstanceId, DeviceDescriptorSetHash, DeviceVendorId, DeviceManufacturer, DeviceProduct, GroupRid, UserRid, DomainSid, LightningLatencyState, UnixMode, VnodeType, TargetDirectoryName, ApiReturnValue, ServiceDisplayName, LinkName, VersionInfo, LanguageId, AsepFlags, RegObjectName, Data1, RegOperationType, ProcessArgs, RegStringValue, RegType, AsepClass, AsepIndex, RegValueName, AsepValueType, LocalSession, DstDvcHostname, PrivilegesBitmask, EnabledPrivilegesBitmask, UserGroupsBitmask, Timeout, ProcessCount, SuppressType, BoundedCount, IP6Records, FirstIP6Record, WmiQuery, WmiNamespaceName, RegClassificationIndex, RegClassificationFlags, RegClassification, SystemTableIndex, ScreenshotType, SubStatus, UmppaInjectAbortCount, UmppaInjectFailedCount, UmppaInjectionType, UmppaInjectLoadFailCount, UmppaInjectCfgCheckCount, UmppaInjectExtensionErrorCount, UmppaInjectInvalidThreadCount, UmppaInjectFileSectionCount, TotalCount, UmppaInjectLoadErrorCount, UmppaInjectBadAlertCount, UmppaInjectApcInsertionCount, UmppaInjectCopyFailCount, FirewallRule, RegNumericValue, VolumeDriveLetter, VolumeSnapshotName, VolumeName, UserCanonical, LogonId, ConfigStateData, FirewallProfile, FirewallOption, FirewallOptionNumericValue, SmbShareName, TargetSHA256HashData, IsCpuDataCommonOnAllCores, SpibarDataFrap, EfiVariableDbxSha256Hash, PciConfigDataBgsm, PciConfigDataDpr, CpuDataCommonSmrrSupported, SpibarDataHsfc, EfiVariableSecureBoot, PciConfigDataMesegMask, PciConfigDataTolud, EfiVariableDbxAttributes, PciConfigDataPavpc, EfiVariableCustomModeAttributes, SpibarDataFreg3, SpibarDataFreg4, SpibarDataFreg1, SpibarDataFreg2, SpibarDataFreg0, EfiSupported, EfiVariablePkAttributes, CpuDataCommonPrmrrUncorePhysicalMask, PciConfigDataGenPmconA, PciConfigDataTsegmb, SpibarDataVscc0, EfiVariablePkSha256Hash, SpibarDataVscc1, CpuDataCommonSmrrPhysicalMask, NorthBridgeDeviceId, IsNorthBridgeSupported, PciConfigDataTom, EfiVariableKekSha256Hash, SouthBridgeVendorId, EfiVariableSignatureSupport, MmioDataTco1Cnt, EfiVariableKekAttributes, FirmwareAnalysisCpuSupported, MmioDataSmiEn, CpuDataCommonPrmrrUncoreSupported, NorthBridgeVendorId, CpuDataCommonMsrApicBase, EfiVariableDbAttributes, SpibarDataPr2, SpibarDataBfpr, SpibarDataPr1, EfiVariableSecureBootAttributes, SpibarDataPr0, IsSouthBridgeSupported, PciConfigDataHfsts1, CpuDataCommonMsrFeatureControl, PciConfigDataRemaplimit, CpuDataCommonSiliconDebugFeatureControl, CpuDataCommonSmrrPhysicalBase, SouthBridgeDeviceId, CpuDataCommonPrmrrPhysicalMask, EfiVariableDbSha256Hash, SpibarDataHsfs, PciConfigDataRemapbase, EfiVariableCustomMode, PciConfigDataGgc, PciConfigDataTouud, SpibarDataPr4, SpibarDataPr3, CpuDataCommonPrmrrSupported, PciConfigDataSmramc, EfiVariableSignatureSupportAttributes, PciConfigDataBdsm, EfiVariableSetupModeAttributes, EfiVariableSetupMode, PciConfigDataBiosCntl, PciConfigDataMesegBase, SourceFileName, NewFileIdentifier, FeatureVector, ModelPrediction, Malicious, FeatureExtractionVersion, FXFileSize, MLModelVersion, FontBufferLength, FontFileCount, FontLoadOperation, FontBuffer, FontFileName, TemplateInstanceId, PatternDisposition, ServicePackMajor, ProductSku, PointerSize, ProductName, AgentVersion, ServicePackMinor, SuiteMask, SubBuildNumber, PlatformId, BuildType, MajorVersion, ProductType, MinorVersion, CheckedBuild, BuildNumber, RFMState, FirmwareAnalysisEclControlInterfaceVersion, FirmwareAnalysisEclConsumerInterfaceVersion, BootTimeFunctionalityLevel, ReasonOfFunctionalityLevel, CurrentFunctionalityLevel, PciAttachmentState, LocalAddressIP6, RemoteAddressIP6, RegBinaryValue, ServiceDescription, ServiceSecurity, ServiceImagePath, ServiceStart, ServiceType, ServiceFailureActions, ServiceErrorControl, SymbolicLinkName, SymbolicLinkTarget, DevicePropertyClassName, DeviceActiveConfigurationNumber, DevicePropertyClassGuid, DeviceUsbSubclass, ParentHubInstanceId, DeviceConnectionStatus, DeviceUsbClass, ParentHubPort, DevicePropertyManufacturer, DevicePropertyLocationInformation, DeviceProtocol, DevicePropertyDeviceDescription, DeviceUsbVersion, ModuleBaseAddress, ModuleSize, IsOnClearCaseMvfs, DllCharacteristics, ActiveCpuCount, MemoryTotal, BillingType, ConnectionCipher, ConnectType, ConnectionProtocol, ConnectionHash, ConnectTime, ConnectionHashStrength, FailedConnectCount, ConnectionCipherStrength, ConnectionExchangeStrength, ConnectionExchange, PreviousConnectTime, FalconServiceServletErrors, FalconServiceComponent, FalconServiceServletStarts, FalconServiceState, ScriptContent, OriginalContentLength, ScriptingLanguageId, ParentImageFileName, GrandparentImageFileName, ScriptContentName, HostProcessType, ProcessParentCommandLine, ContentSHA256HashData, ProcessGrandparentCommandLine, Type ; let CrowdStrikeReplicator_All = union isfuzzy = true CrowdStrikeFDRv1Events, CrowdStrikeReplicatorV2(starttime = starttime, endtime = endtime) | extend EventVendor = "Crowdstrike", EventProduct = "Replicator", EventMessage = column_ifexists('event_simpleName', ''), ContextTimeStamp = column_ifexists('timestamp', ''), Aip = column_ifexists('aip', ''), DvcInterfaceGuid = column_ifexists('aid', '') ; CrowdStrikeReplicator_All }; parser( starttime=starttime, endtime=endtime )