# Data-source definition for CrowdStrike Falcon sensor ProcessRollup2 events.
name: CrowdStrike ProcessRollup2
id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
version: 2
# Quoted so the value stays a string instead of being parsed as a YAML date.
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs process-related activities captured by CrowdStrike, including process
  creation, termination, and metadata such as hashes, parent processes, and command-line
  arguments.
mitre_components:
- Process Creation
- Process Termination
- Process Metadata
- Command Execution
- OS API Execution
source: crowdstrike
sourcetype: crowdstrike:events:sensor
# Presumably the field/value pair that distinguishes this event type within the
# sourcetype (event_simpleName is also the value carried in example_log below)
# — confirm against the consumer of this file.
separator: event_simpleName
separator_value: ProcessRollup2
supported_TA:
- name: Splunk Add-on for CrowdStrike FDR
  url: https://splunkbase.splunk.com/app/5579
  # Two dots, so YAML parses this as a string; quote it if it is ever shortened
  # to a two-part value like 2.0, which would become a float.
  version: 2.0.4
# Raw event fields expected on this source. The CrowdStrike-native names
# (CommandLine, ImageFileName, SHA256HashData, ...) match keys present in
# example_log below; the lowercase names (dest, process_name, user, ...) and the
# aid_* / resolve_* entries are presumably added on the Splunk side by the
# supported add-on or lookups — confirm against the TA's props/transforms.
fields:
- AuthenticationId
# *_meaning entries presumably hold a decoded label for the numeric value of
# the field they suffix — confirm with the add-on.
- AuthenticationId_meaning
- AuthenticodeHashData
- CommandLine
- ConfigBuild
- ConfigStateHash
- EffectiveTransmissionClass
- Entitlements
- EventOrigin
- ImageFileName
- ImageSubsystem
- ImageSubsystem_meaning
- IntegrityLevel
- IntegrityLevel_meaning
- MD5HashData
- ParentAuthenticationId
- ParentBaseFileName
- ParentProcessId
- ProcessCreateFlags
- ProcessEndTime
- ProcessParameterFlags
- ProcessParameterFlags_meaning
- ProcessStartTime
- ProcessSxsFlags
- ProcessSxsFlags_meaning
- RawProcessId
# All zeros in the example_log sample; field_mappings below keys process_hash
# on SHA256HashData instead.
- SHA1HashData
- SHA256HashData
- SessionId
- SignInfoFlags
- SignInfoFlags_meaning
- SourceProcessId
- SourceThreadId
- Tags
- TargetProcessId
- TokenType
- TokenType_meaning
- UserSid
- WindowFlags
- WindowFlags_meaning
- action
- aid
- aid_city
- aid_computer_name
- aid_continent
- aid_country
- aid_machine_domain
- aid_os_version
- aid_ou
- aid_site_name
- aid_system_product_name
- aip
- cid
- dest
- event_ingest_time
- event_platform
- event_simpleName
- eventtype
- host_res_aid
- id
- os
- parent_process_exec
- parent_process_id
- parent_process_name
- process
- process_exec
- process_hash
- process_id
- process_integrity_level
- process_name
- process_path
- resolve_dest
- resolve_process_integrity_level
- tag
- timestamp
- user
- user_id
- vendor_product
# Normalised fields this data source is expected to yield. Note that
# original_file_name, parent_process, parent_process_guid, parent_process_path
# and process_guid are listed here but appear neither in `fields` above nor in
# `field_mappings` below — presumably produced by the add-on or by the
# consuming detection's own extraction; confirm before a detection relies on
# them.
output_fields:
- action
- dest
- original_file_name
- parent_process
- parent_process_exec
- parent_process_guid
- parent_process_id
- parent_process_name
- parent_process_path
- process
- process_exec
- process_guid
- process_hash
- process_id
- process_integrity_level
- process_name
- process_path
- user
- user_id
- vendor_product
# Mapping from raw event fields to CIM Endpoint.Processes attributes.
field_mappings:
- data_model: cim
  data_set: Endpoint.Processes
  mapping:
    CommandLine: Processes.process
    ImageFileName: Processes.process_path
    # The `|endswith` suffix presumably selects the trailing path component of
    # ImageFileName (powershell.exe from the \Device\... path in example_log)
    # — confirm the consumer supports this operator.
    ImageFileName|endswith: Processes.process_name
    ParentBaseFileName: Processes.parent_process_name
    # NOTE(review): in example_log, ParentProcessId (5459598860) has the same
    # form as SourceProcessId/TargetProcessId, while RawProcessId (5012) is the
    # OS PID mapped to process_id below. If so, parent_process_id and
    # process_id live in different ID spaces and a parent/child join on them
    # will not match — confirm before building such logic on this mapping.
    ParentProcessId: Processes.parent_process_id
    RawProcessId: Processes.process_id
    # SHA256 backs process_hash; SHA1HashData is all zeros in example_log.
    SHA256HashData: Processes.process_hash
    # NOTE(review): this places a SID string in Processes.user; `fields` above
    # also lists `user` and `user_id`, so confirm which value name-based
    # detections expect.
    UserSid: Processes.user
# Sample event, stored as one single-quoted YAML scalar. Each line break inside
# the quotes folds to a single space when parsed, so the resulting JSON string
# has a space after `Start`, between the wrapped `Tags` entries, and after the
# escaped closing quote of the CommandLine value. LinkName, ShowWindowFlags and
# name appear in this sample but are not listed under `fields` above.
example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start
  Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27,
  40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605,
  263882790666253","timestamp":"1713805173418","event_simpleName":"ProcessRollup2","RawProcessId":"5012","ConfigStateHash":"840884426","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"2669499","ConfigBuild":"1007.3.0018207.1","WindowFlags":"3073","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"
  ","ParentAuthenticationId":"2669499","TargetProcessId":"5642133882","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"30426051160","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1713805173.321","ProcessParameterFlags":"24577","aid":"168a90e125d443beb2a4e2914985084d","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}'