Device Security
CrowdStrike Falcon Attribute Reference
This reference lists the attributes that Device Security collects from CrowdStrike
Falcon, their names as stored in Device Security, and the Device Security device
fields they map to.
When Device Security integrates with CrowdStrike Falcon, it imports
endpoint protection data to enrich the device inventory. The attributes in this
reference cover device identification, OS, and agent status information from the
CrowdStrike Falcon platform.
The third-party attribute name in Device Security refers to the attribute name
as it appears in the Assets Inventory table and in Query Engine. This follows the format
of third-party-name.attribute-name.
In the Assets Inventory table column selector and on a Device Details page, the
third-party name appears as a header for the attributes section, so it is removed
from the attribute name itself.
For example, microsoft_defender_xdr.macAddress would appear in the
Query Builder and in the Assets Inventory table, but under Device Details > Attributes > Integration Specific Attributes > Microsoft Defender, the attribute would appear as macAddress.
Device Attributes
Device Security collects device attributes from the CrowdStrike Falcon device
queries API, which provides detailed endpoint inventory, policy, and security
posture data for all managed endpoints. The following table lists each CrowdStrike
Falcon attribute, its name as stored in Device Security, the Device Security
device field it maps to (if applicable), and a description.
| CrowdStrike Falcon Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| agent_load_flags | crowdstrike_falcon.agent_load_flags | — | Load flags for the CrowdStrike Falcon agent on the endpoint |
| agent_local_time | crowdstrike_falcon.agent_local_time | — | Local time on the endpoint as reported by the CrowdStrike Falcon agent |
| agent_version | crowdstrike_falcon.agent_version | — | Version of the CrowdStrike Falcon agent installed on the endpoint |
| bios_manufacturer | crowdstrike_falcon.bios_manufacturer | — | BIOS manufacturer of the endpoint hardware |
| bios_version | crowdstrike_falcon.bios_version | — | BIOS version of the endpoint hardware |
| build_number | crowdstrike_falcon.build_number | OS Build Number | OS build number of the endpoint |
| chassis_type | crowdstrike_falcon.chassis_type | — | Chassis type code for the endpoint hardware |
| chassis_type_desc | crowdstrike_falcon.chassis_type_desc | — | Human-readable chassis type description (for example, Notebook or Desktop) |
| cid | crowdstrike_falcon.cid | — | Customer identifier (CID) for the CrowdStrike Falcon tenant associated with the endpoint |
| config_id_base | crowdstrike_falcon.config_id_base | — | Base configuration identifier for the CrowdStrike Falcon agent on the endpoint |
| config_id_build | crowdstrike_falcon.config_id_platform | — | Configuration build identifier for the CrowdStrike Falcon agent on the endpoint |
| connection_ip | crowdstrike_falcon.connection_ip | — | IP address of the endpoint's active network connection |
| connection_mac_address | crowdstrike_falcon.connection_mac_address | — | MAC address of the endpoint's active network connection |
| cpu_signature | crowdstrike_falcon.cpu_signature | — | CPU signature of the endpoint processor |
| cpu_vendor | crowdstrike_falcon.cpu_vendor | — | CPU vendor of the endpoint processor |
| default_gateway_ip | crowdstrike_falcon.default_gateway_ip | — | Default gateway IP address of the endpoint |
| device_id | crowdstrike_falcon.device_id | — | Unique device identifier assigned by CrowdStrike Falcon |
| device_policies.content-update.* | crowdstrike_falcon.device_policies.content_update.* | — | Content update policy details (ID, type, applied status, dates, settings hash) for the endpoint |
| device_policies.device_control.* | crowdstrike_falcon.device_policies.device_control.* | — | Device control policy details (ID, type, applied status, dates, settings hash) for the endpoint |
| device_policies.firewall.* | crowdstrike_falcon.device_policies.firewall.* | — | Firewall policy details (ID, type, rule set, applied status, dates, settings hash) for the endpoint |
| device_policies.global_config.* | crowdstrike_falcon.device_policies.global_config.* | — | Global configuration policy details (ID, type, applied status, dates, settings hash) for the endpoint |
| device_policies.host-retention.* | crowdstrike_falcon.device_policies.host-retention.* | — | Host retention policy details (ID, type, applied status, dates, settings hash) for the endpoint |
| device_policies.prevention.* | crowdstrike_falcon.device_policies.prevention.* | — | Prevention policy details (ID, type, rule groups, applied status, dates, settings hash) for the endpoint in CrowdStrike Falcon |
| device_policies.remote_response.* | crowdstrike_falcon.device_policies.remote_response.* | — | Remote response policy details (ID, type, applied status, dates, settings hash) for the endpoint in CrowdStrike Falcon |
| device_policies.sensor_update.* | crowdstrike_falcon.device_policies.sensor_update.* | — | Sensor update policy details (ID, type, applied status, dates, settings hash, uninstall protection) for the endpoint in CrowdStrike Falcon |
| device_policies.system-tray.* | — | crowdstrike_falcon.device_policies.system-tray.* | System tray policy details (ID, type, applied status, dates, settings hash) for the endpoint in CrowdStrike Falcon |
| external_ip | crowdstrike_falcon.external_ip | public_ip_address | External (public) IP address of the endpoint |
| filesystem_containment_status | crowdstrike_falcon.filesystem_containment_status | — | Filesystem containment status of the endpoint in CrowdStrike Falcon |
| first_seen | crowdstrike_falcon.first_seen | First Seen | Timestamp when the endpoint was first seen by CrowdStrike Falcon |
| group_hash | crowdstrike_falcon.group_hash | — | Hash identifier of the policy group associated with the endpoint in CrowdStrike Falcon |
| hostname | crowdstrike_falcon.hostname | Hostname | Hostname of the endpoint |
| ipv4_address | — | ipv4_address | Primary IPv4 address of the endpoint |
| kernel_version | crowdstrike_falcon.kernel_version | — | Kernel version of the endpoint OS |
| last_login_timestamp | crowdstrike_falcon.last_login_timestamp | — | Timestamp of the last user login on the endpoint |
| last_login_user | crowdstrike_falcon.last_login_user | AD Username | Username of the last user who logged into the endpoint |
| last_login_user_sid | crowdstrike_falcon.last_login_user_sid | — | Security Identifier (SID) of the last user who logged into the endpoint |
| last_reboot | crowdstrike_falcon.last_reboot | — | Timestamp of the last reboot of the endpoint |
| last_seen | crowdstrike_falcon.last_seen | Last Third-Party Activity | Timestamp when the endpoint was last seen by CrowdStrike Falcon |
| local_ip | crowdstrike_falcon.local_ip | — | Local IP address of the endpoint |
| mac_address | crowdstrike_falcon.mac_address | MAC; id | MAC address of the endpoint. Used as the primary device identifier. |
| machine_domain | crowdstrike_falcon.machine_domain | AD Domain | Active Directory domain the endpoint is joined to |
| major_version | crowdstrike_falcon.major_version | — | Major OS version number of the endpoint |
| meta.version | crowdstrike_falcon.meta.version | — | Agent metadata version for the endpoint |
| meta.version_string | crowdstrike_falcon.meta.version_string | — | Human-readable agent metadata version string for the endpoint |
| minor_version | crowdstrike_falcon.minor_version | — | Minor OS version number of the endpoint |
| modified_timestamp | crowdstrike_falcon.modified_timestamp | — | Timestamp when the endpoint record was last modified in CrowdStrike Falcon |
| os_build | crowdstrike_falcon.os_build | OS Build Number | OS build identifier of the endpoint |
| os_product_name | crowdstrike_falcon.os_product_name | raw_os; os_edition | OS product name of the endpoint |
| os_version | crowdstrike_falcon.os_version | OS Version | OS version string of the endpoint |
| platform_id | crowdstrike_falcon.platform_id | — | Numeric platform identifier for the endpoint |
| platform_name | crowdstrike_falcon.platform_name | — | Platform name (for example, Windows or Mac) of the endpoint |
| pointer_size | crowdstrike_falcon.pointer_size | — | Pointer size (32-bit or 64-bit) of the endpoint OS |
| policies | crowdstrike_falcon.policies | — | List of policies applied to the endpoint |
| product_type | crowdstrike_falcon.product_type | — | Product type identifier for the endpoint |
| product_type_desc | crowdstrike_falcon.product_type_desc | — | Human-readable product type description (for example, Workstation or server) of the endpoint |
| provision_status | crowdstrike_falcon.provision_status | — | Provisioning status of the endpoint |
| reduced_functionality_mode | crowdstrike_falcon.reduced_functionality_mode | — | Indicates whether the Falcon agent is operating in reduced functionality mode on the endpoint |
| rtr_state | crowdstrike_falcon.rtr_state | — | Real Time Response (RTR) connection state of the endpoint |
| serial_number | crowdstrike_falcon.serial_number | Serial Number | Serial number of the endpoint hardware |
| service_pack_minor | crowdstrike_falcon.service_pack_minor | — | Minor service pack version installed on the endpoint |
| site_name | crowdstrike_falcon.site_name | — | Site name associated with the endpoint |
| status | crowdstrike_falcon.status | — | Containment status of the endpoint |
| system_manufacturer | crowdstrike_falcon.system_manufacturer | Vendor | System manufacturer (hardware vendor) of the endpoint |
| system_product_name | crowdstrike_falcon.system_product_name | raw_model | System product name (hardware model) of the endpoint |
| tags | crowdstrike_falcon.tags | — | Tags assigned to the endpoint in CrowdStrike Falcon |

* Only some attributes map to a Device Security Common Attribute.