Database Schema
This page documents the database schema used by the Falcon Orchestrator backend. The database engine is Microsoft SQL Server; the schema was tested against SQL Server 2014 but should be compatible with other versions. The Version column in each table gives the first schema version in which the field appeared.
This table stores all detection events received from the Falcon Host Streaming API.
Attribute | Key | Version | Type | Description
---|---|---|---|---
DetectionId | PK | 1 | int | Unique database identifier for each detection event
Offset | | 1 | nvarchar(max) | Offset number provided by the API to keep track of the position in the stream. It uniquely identifies each detection event from the API stream and is used to ensure no duplicate entries are stored in the database
Timestamp | | 1 | datetime | Timestamp of when the system saved the detection event to the database
ProcessStartTime | | 1 | datetime | Provided by the API; timestamp of when the process started
ProcessEndTime | | 1 | datetime |
ClosedDate | | 1 | datetime |
Name | | 1 | nvarchar(max) |
Description | | 1 | nvarchar(200) |
ProcessId | | 1 | nvarchar(100) |
ParentProcessId | | 1 | nvarchar(100) |
CommandLine | | 1 | nvarchar(max) |
FileName | | 1 | nvarchar(max) |
FilePath | | 1 | nvarchar(max) |
FalconHostLink | | 1 | nvarchar(500) |
SHA256 | | 1 | nvarchar(64) | Sized for a hex-encoded SHA-256 digest (64 characters)
MD5 | | 1 | nvarchar(32) | Sized for a hex-encoded MD5 digest (32 characters)
SHA1 | | 1 | nvarchar(40) | Sized for a hex-encoded SHA-1 digest (40 characters)
Comment | | 1 | nvarchar(max) |
AccountId | FK | 1 | int |
DetectionDeviceId | FK | 1 | int |
StatusId | FK | 1 | int |
VendorSeverityId | | 1 | int |
CustomSeverityId | FK | 1 | int |
CustomerId | FK | 1 | int |
ResponderId | FK | 1 | int |
Application configuration settings are stored in this table. These are typically account credentials and attributes that enable the integration functionality. Refer to the configuration itemization for the list of predefined keys. Because this table holds credentials, restrict read access on it to the service account that runs the orchestrator.
Attribute | Key | Version | Type | Description
---|---|---|---|---
ConfigId | PK | 1 | int | Unique identifier for the configuration item
Key | | 1 | nvarchar(max) | The name of the configuration key
Value | | 1 | nvarchar(max) | The value of the configuration key
This table stores all authentication audit log events received from the Falcon Host Streaming API.
Attribute | Key | Version | Type | Description
---|---|---|---|---
AuthId | PK | 1 | int | Unique database identifier for each authentication log event
OperationName | | 1 | nvarchar(50) | The name of the authentication-related operation that was carried out
ServiceName | | 1 | nvarchar(50) |
Success | | 1 | bit | Whether the authentication activity succeeded
UserId | | 1 | nvarchar(50) | The username of the account associated with the operation
UserIp | | 1 | nvarchar(45) | The IP address from which the operation was performed (45 characters fits the longest textual IPv6 form)
Timestamp | | 1 | datetime | Timestamp of when the operation occurred
Offset | | 1 | nvarchar(max) | Provided by the API to keep track of the position in the stream. It uniquely identifies each log event and is used to ensure no duplicates are stored
Entitlement | | 1 | nvarchar(100) |
EntitlementGroup | | 1 | nvarchar(100) |
TargetName | | 1 | nvarchar(200) |
CustomerId | FK | 1 | int | Identifier for the CID provided in the API stream. This allows multiple Falcon Host instances to be distinguished
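Both the detection table and the authentication log table rely on the stream Offset to keep replayed events out of the database. The T-SQL below is an added example, not code from the Falcon Orchestrator project: it builds a temporary table with the documented authentication log columns and types, feeds it a constructed batch of events in which one offset is delivered twice (as happens when a consumer resumes from an earlier offset after a restart), and inserts each event only if its Offset is not already stored. The temporary table name, the @Events table variable, the sample rows and the assumption that offsets are decimal position numbers are all illustrative; the same pattern applies unchanged to the detection table's Offset.

```sql
SET NOCOUNT ON;

-- Temporary stand-in for the authentication log table, using the documented
-- column names and types so the script runs without touching the real schema.
CREATE TABLE #AuthenticationLog (
    AuthId        INT IDENTITY(1,1) PRIMARY KEY,
    OperationName NVARCHAR(50)  NOT NULL,
    Success       BIT           NOT NULL,
    UserId        NVARCHAR(50)  NOT NULL,
    UserIp        NVARCHAR(45)  NOT NULL,  -- 45 chars holds the longest textual IPv6 address
    [Timestamp]   DATETIME      NOT NULL,
    Offset        NVARCHAR(MAX) NOT NULL,  -- stream offset; the uniqueness key per the schema page
    CustomerId    INT           NOT NULL
);

-- Constructed batch of stream events (assumption: Offset values are the stream's
-- decimal position numbers). Offset 102 arrives twice, simulating a replay.
DECLARE @Events TABLE (
    Seq INT IDENTITY(1,1), Offset NVARCHAR(MAX), OperationName NVARCHAR(50), Success BIT,
    UserId NVARCHAR(50), UserIp NVARCHAR(45), EventTime DATETIME, CustomerId INT
);
INSERT INTO @Events (Offset, OperationName, Success, UserId, UserIp, EventTime, CustomerId) VALUES
 (N'101', N'userAuthenticate', 1, N'alice', N'198.51.100.7',         '2016-03-01T08:00:00', 1),
 (N'102', N'userAuthenticate', 0, N'bob',   N'2001:db8:0:0:0:0:0:1', '2016-03-01T08:01:00', 1),
 (N'102', N'userAuthenticate', 0, N'bob',   N'2001:db8:0:0:0:0:0:1', '2016-03-01T08:01:00', 1),
 (N'103', N'userAuthenticate', 0, N'bob',   N'2001:db8:0:0:0:0:0:1', '2016-03-01T08:02:00', 1),
 (N'104', N'userAuthenticate', 0, N'bob',   N'2001:db8:0:0:0:0:0:1', '2016-03-01T08:03:00', 1);

-- Consume one event at a time, as a stream client would, and insert only when the
-- Offset is not stored yet. The transaction with UPDLOCK/HOLDLOCK on the existence
-- check stops two concurrent consumers from both inserting the same Offset.
DECLARE @Seq INT = 1, @Max INT = (SELECT MAX(Seq) FROM @Events);
WHILE @Seq <= @Max
BEGIN
    BEGIN TRANSACTION;
    INSERT INTO #AuthenticationLog (OperationName, Success, UserId, UserIp, [Timestamp], Offset, CustomerId)
    SELECT e.OperationName, e.Success, e.UserId, e.UserIp, e.EventTime, e.Offset, e.CustomerId
    FROM @Events AS e
    WHERE e.Seq = @Seq
      AND NOT EXISTS (SELECT 1 FROM #AuthenticationLog WITH (UPDLOCK, HOLDLOCK)
                      WHERE Offset = e.Offset);
    COMMIT TRANSACTION;
    SET @Seq += 1;
END;

-- Returns 4, not 5: the replayed Offset 102 was discarded.
SELECT COUNT(*) AS StoredEvents FROM #AuthenticationLog;

-- Once stored, the log is queryable for triage, e.g. sources with repeated failures.
SELECT UserId, UserIp, COUNT(*) AS Failures,
       MIN([Timestamp]) AS FirstFailure, MAX([Timestamp]) AS LastFailure
FROM #AuthenticationLog
WHERE Success = 0
GROUP BY UserId, UserIp
HAVING COUNT(*) >= 3;

DROP TABLE #AuthenticationLog;
```

The existence check works against the documented nvarchar(max) type, but it is only enforced by the application's insert path. A unique index on Offset would make the guarantee hold for every writer; SQL Server cannot index an nvarchar(max) key, so that would require narrowing the column (for example to nvarchar(450)) first.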
User account information is stored in this table. An account record is associated with each detection event. Most of these fields are populated by the Active Directory integration.
Attribute | Key | Version | Type | Description
---|---|---|---|---
AccountId | PK | 1 | int | Unique database identifier for each user account
Timestamp | | 1 | datetime | Timestamp of when the account record was created or last modified
AccountName | | 1 | nvarchar(50) | The name of the user account, provided by the Falcon Host Streaming API
FirstName | | 1 | nvarchar(50) | The first name of the user associated with the account
LastName | | 1 | nvarchar(50) | The last name of the user associated with the account
Department | | 1 | nvarchar(50) | The department the user belongs to
JobTitle | | 1 | nvarchar(45) | The job title of the user
Manager | | 1 | nvarchar(75) | Email address of the user's manager
EmailAddress | | 1 | nvarchar(75) | Email address of the user associated with the account
PhoneNumber | | 1 | nvarchar(20) | The user's phone number
Country | | 1 | nvarchar(50) | Country the user is located in
StateProvince | | 1 | nvarchar(50) | State or province the user is located in
City | | 1 | nvarchar(50) | City the user is located in
StreetAddress | | 1 | nvarchar(75) | Street address the user is located at
LastLogon | | 1 | datetime | Timestamp of when the user account last logged on
OrganizationalUnit | | 1 | nvarchar(max) | Active Directory OU the user is stored under