# Crowdstrike Schema

## CrowdstrikeHost

Representation of a Crowdstrike Host.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The device ID for this host |
| cid | The customer ID |
| instance_id | The AWS instance ID associated with this host |
| status | Containment status of the machine. "Normal" denotes good operations; other values might mean reduced functionality or support. |
| hostname | The name of the machine. |
| machine_domain | Active Directory domain name. |
| crowdstrike_first_seen | Timestamp of the device's first connection to Falcon |
| crowdstrike_last_seen | Timestamp of the device's most recent connection to Falcon |
| local_ip | The device's local IP address. |
| external_ip | External IP of the device, as seen by CrowdStrike. |
| cpu_signature | The CPU signature of the device. |
| bios_manufacturer | BIOS manufacturer name. |
| bios_version | BIOS version. |
| mac_address | The MAC address of the device |
| os_version | Operating system version. |
| os_build | The build of the OS |
| platform_id | CrowdStrike agent configuration notes |
| platform_name | Operating system platform. |
| service_provider | The service provider for the device. |
| service_provider_account_id | The service provider account ID associated with this device |
| agent_version | CrowdStrike agent configuration notes |
| system_manufacturer | Name of the system manufacturer |
| system_product_name | Name of the system product |
| product_type | The product type |
| product_type_desc | Name of the product type. |
| provision_status | The provision status of the device |
| reduced_functionality_mode | Reduced functionality mode (RFM) status |
| kernel_version | Kernel version of the host OS. |
| major_version | Major version of the operating system |
| minor_version | Minor version of the operating system |
| tags | Grouping tags for the device |
| modified_timestamp | The last time that the machine record was updated. Can include changes such as containment status changes or configuration group changes. |
### Relationships

- CrowdstrikeHost has SpotlightVulnerability

    ```
    (CrowdstrikeHost)-[HAS_VULNERABILITY]->(SpotlightVulnerability)
    ```
## SpotlightVulnerability

Representation of a Crowdstrike Vulnerability.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The ID for this vulnerability |
| cid | The customer ID |
| aid | The unique identifier (agent ID) of the sensor where the vulnerability was found. |
| status | The vulnerability's current status. One of open, closed, reopen, or expired. |
| created_timestamp | The UTC date and time that the vulnerability was created in Spotlight. |
| closed_timestamp | The date and time a vulnerability was set to a status of "closed" |
| updated_timestamp | The UTC date and time of the last update made on a vulnerability. |
| cve_id | The ID of the CVE. |
| host_info_local_ip | The device's local IP address. |
| remediation_ids | The unique IDs of the remediations. |
| app_product_name_version | The name and version of the product associated with the vulnerability. |
### Relationships

- CrowdstrikeHost has SpotlightVulnerability

    ```
    (CrowdstrikeHost)-[HAS_VULNERABILITY]->(SpotlightVulnerability)
    ```

- SpotlightVulnerability has CVE

    ```
    (SpotlightVulnerability)-[HAS_CVE]->(CVE)
    ```
## CVE::CrowdstrikeFinding

Representation of a CVE.
| Field | Description |
|---|---|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The ID for this CVE |
| base_score | Base score of the CVE (float value between 1 and 10). |
| severity | Severity of the CVE. One of CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, or NONE. |
| exploitability_score | Numeric value of the most severe known exploit. 0 = UNPROVEN; 30 = AVAILABLE; 60 = EASILY_ACCESSIBLE; 90 = ACTIVELY_USED |
### Relationships

- SpotlightVulnerability has CVE

    ```
    (SpotlightVulnerability)-[HAS_CVE]->(CVE)
    ```
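The three node types above chain together as `CrowdstrikeHost -> SpotlightVulnerability -> CVE`, which is what makes the schema useful for prioritisation: the host node carries the containment status, AWS instance ID and domain, the vulnerability node carries the open/closed state and remediation IDs, and the CVE node carries the severity and the exploit-maturity score. The following Cypher query is an added example, not part of the project's documentation; it assumes the nodes and relationships are loaded into Neo4j with exactly the labels, relationship types and property names listed on this page, and it uses the `exploitability_score` scale from the CVE table (60 = EASILY_ACCESSIBLE, 90 = ACTIVELY_USED) as the cut-off.

```cypher
// Added example: not from the project's own docs. Assumes the schema on this page
// is loaded into Neo4j with these labels, relationship types and property names.
//
// Find hosts that still carry an unresolved Spotlight finding whose CVE either has
// an exploit that is at least "easily accessible" (exploitability_score >= 60) or
// is rated CRITICAL. Returning the host's containment status, AWS instance ID and
// remediation IDs gives a responder everything needed to pick the next action.
MATCH (h:CrowdstrikeHost)-[:HAS_VULNERABILITY]->(v:SpotlightVulnerability)-[:HAS_CVE]->(c:CVE)
WHERE v.status IN ['open', 'reopen']                   // ignore closed/expired findings
  AND (c.exploitability_score >= 60 OR c.severity = 'CRITICAL')
RETURN h.hostname                  AS hostname,
       h.machine_domain            AS domain,
       h.instance_id               AS aws_instance_id,
       h.status                    AS containment_status,
       h.crowdstrike_last_seen     AS last_seen_by_falcon,
       c.id                        AS cve,
       c.severity                  AS severity,
       c.exploitability_score      AS exploitability,
       c.base_score                AS base_score,
       v.app_product_name_version  AS affected_product,
       v.remediation_ids           AS remediation_ids
ORDER BY c.exploitability_score DESC, c.base_score DESC, h.hostname;
```

Two caveats when adapting this. `severity` and `status` are compared as the literal strings the page lists (upper-case for the CVE severity, lower-case for the Spotlight status), so a mismatch in case silently returns nothing. The `crowdstrike_last_seen` value is returned rather than filtered on because this page does not state whether it is stored as a Neo4j temporal type or as a string; if it is a temporal type, a clause such as `h.crowdstrike_last_seen >= datetime() - duration('P7D')` restricts the result to hosts Falcon has seen recently, which is usually what you want before spending remediation effort.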