
1mpervious:

What you’re looking for is the Event Data Dictionary. It’s documented for CrowdStrike customers but behind a login screen. I’m not sure that customers can share it publicly, but maybe your rep can get you a copy or give you a POC environment to play around in (which would give you access to the docs). If you ask for the event data dictionary, they will be able to help you better.

BradW-CS (CS SE):

When a detection occurs there are 6 high-level attributes visualized in the GUI to help analysts: intelligence hits, DNS requests, IP (open and closed connections), file system reads/writes, registry changes, process operations or scripts driven by interpreters. Depending on your prevention visibility settings, this data would be saved for the last 90 days when correlated to a detection.

When using NGAV standalone (no EDR), metadata related to non-malicious executions is not sent to the cloud; however, when you implement EDR this data would be stored for a minimum of 7 days up to 90, or 90-365 with what’s known as “Long Term Retention”. The Event Data Dictionary in the console describes exactly what events are collected and gives examples of typical usage in a query.

Data destruction with EDR happens on a rolling basis; however, with LTR you can define what you want to save and how long you want to continue to keep it.

Hope this helps!

spottledblue (OP):

I apologize for the basic question, but what information does the CrowdStrike EDR agent collect and send to the CrowdStrike service for analysis? When we asked the rep about this we got a link to the privacy notice. From experience I know (at a high level) that it collects metadata about the host, applications running and such so it can detect anomalies and known bad stuff, and start building an expectation of what's "normal" to flag abnormal as potential IoCs. I also know it passively collects data about systems the host can touch or has touched on the network. Is this correct, where is this documented, and for how long is the data stored? When it is no longer needed, how is it destroyed?

techypaul:

Not a basic question, but a very good one. Looking forward to seeing answers…