CrowdStrike Falcon
CrowdStrike Falcon Event Stream events — endpoint detections with MITRE ATT&CK mapping, authentication and user activity audits, firewall rule matches, incident summaries, and Real Time Response sessions in the native Event Streams envelope format.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/security-crowdstrike-falcon/generator.yml \
  --id security-crowdstrike-falcon \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| epp-detection | Endpoint Detection (EPP) | 29.1% | intrusion_detection |
| auth-audit | Authentication Audit | 23.3% | authentication |
| user-audit | User Activity Audit | 17.4% | iam |
| firewall-match | Firewall Rule Match | 17.4% | network |
| incident-summary | Incident Summary | 5.8% | intrusion_detection |
| remote-session-start | Remote Response Session Start | 3.5% | session |
| remote-session-end | Remote Response Session End | 3.5% | session |
Realism Features
- 20 detection scenarios covering all MITRE ATT&CK tactics from Initial Access through Impact, plus CrowdStrike-specific objectives
- 25 process chains mixing benign and suspicious execution paths (e.g., winword->powershell->certutil)
- Pattern disposition flags with 20 boolean fields per detection reflecting realistic prevention/detection configurations
- Shared monotonic offset counter ensuring consistent event stream ordering across all event types
- Remote session correlation — session start events store state; session end events pop from a bounded pool of 20
Sample Output
```json
{
  "metadata": {
    "customerIDString": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "offset": 42,
    "eventType": "EppDetectionSummaryEvent",
    "eventCreationTime": 1741276800000,
    "version": "1.0"
  },
  "event": {
    "ProcessStartTime": 1741276500,
    "ProcessId": 15234,
    "ParentProcessId": 8012,
    "Hostname": "DESKTOP-HR01",
    "UserName": "jsmith",
    "Name": "Malicious PowerShell Execution",
    "Severity": 80,
    "SeverityName": "High",
    "FileName": "powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc SQBF...",
    "Tactic": "Execution",
    "Technique": "PowerShell",
    "Objective": "Falcon Detection Method",
    "PatternDispositionDescription": "Prevention, process killed.",
    "PatternDispositionFlags": {
      "KillProcess": true,
      "KillSubProcess": true,
      "OperationBlocked": true,
      "ProcessBlocked": true
    }
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| customer_id | a1b2c3d4... | CrowdStrike Customer ID (CID) |
| falcon_base_url | https://falcon.crowdstrike.com | Falcon console base URL |
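A consumer-side example for the envelope shown in Sample Output and the ordering and session-correlation behaviour listed under Realism Features: it checkpoints on the monotonic `offset`, pairs Remote Response session start/end events, and separates prevented detections from detect-only ones using the `PatternDispositionFlags`. This is added example code, not part of the content pack or of Eventum; the session event type names and the `SessionId` field are assumptions (only `EppDetectionSummaryEvent` appears on the page), and the stream is constructed inline.

```python
# Only EppDetectionSummaryEvent is on the page; session event type names and SessionId are assumed.
SESSION_START = "RemoteResponseSessionStartEvent"
SESSION_END = "RemoteResponseSessionEndEvent"
DETECTION = "EppDetectionSummaryEvent"
PREVENTION_FLAGS = ("KillProcess", "KillSubProcess", "OperationBlocked", "ProcessBlocked")

def envelope(offset, event_type, created_ms, event):
    """Build one Event Streams envelope in the shape of the sample output above."""
    return {"metadata": {"offset": offset, "eventType": event_type,
                         "eventCreationTime": created_ms, "version": "1.0"}, "event": event}

# Constructed stream: start, prevented detection, matching end, replayed duplicate end,
# end without a start, and a detect-only detection.
SAMPLE_STREAM = [
    envelope(41, SESSION_START, 1741276700000, {"SessionId": "s-1", "UserName": "analyst"}),
    envelope(42, DETECTION, 1741276800000, {"Hostname": "DESKTOP-HR01", "SeverityName": "High",
             "PatternDispositionFlags": {"KillProcess": True, "ProcessBlocked": True}}),
    envelope(43, SESSION_END, 1741276900000, {"SessionId": "s-1"}),
    envelope(43, SESSION_END, 1741276900000, {"SessionId": "s-1"}),
    envelope(44, SESSION_END, 1741277000000, {"SessionId": "s-9"}),
    envelope(45, DETECTION, 1741277100000, {"Hostname": "DESKTOP-HR02", "SeverityName": "Medium",
             "PatternDispositionFlags": {"KillProcess": False, "OperationBlocked": False}}),
]

def consume(stream):
    """Checkpoint on monotonic offsets, pair RTR sessions by SessionId, bucket detections."""
    report = {"checkpoint": None, "replayed": [], "sessions": [], "orphan_ends": [],
              "prevented": [], "detect_only": []}
    open_sessions = {}  # SessionId -> start time (ms)
    for env in stream:
        meta, ev = env["metadata"], env["event"]
        offset, kind = meta["offset"], meta["eventType"]
        if report["checkpoint"] is not None and offset <= report["checkpoint"]:
            report["replayed"].append(offset)  # duplicate or out-of-order delivery
            continue
        report["checkpoint"] = offset  # last accepted offset is the safe resume point
        if kind == SESSION_START:
            open_sessions[ev["SessionId"]] = meta["eventCreationTime"]
        elif kind == SESSION_END:
            started = open_sessions.pop(ev["SessionId"], None)
            if started is None:
                report["orphan_ends"].append(ev["SessionId"])
            else:
                report["sessions"].append((ev["SessionId"], meta["eventCreationTime"] - started))
        elif kind == DETECTION:
            flags = ev.get("PatternDispositionFlags", {})
            bucket = "prevented" if any(flags.get(f) for f in PREVENTION_FLAGS) else "detect_only"
            report[bucket].append((ev["Hostname"], ev["SeverityName"]))
    report["open_sessions"] = sorted(open_sessions)
    return report
```

Running `consume(SAMPLE_STREAM)` reports checkpoint 45, one replayed offset (43), one completed session of 200000 ms, one orphan end (`s-9`), and one detection in each bucket.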
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.