# CrowdStrike Adaptive Shield

## About

Adaptive Shield is a SaaS Security Posture Management (SSPM) platform that provides comprehensive visibility, control, and threat prevention across an organization's SaaS applications, users, and associated risks.
## Product Details

- Vendor URL: CrowdStrike Adaptive Shield
- Product Type: SaaS
- Product Tier: Tier III
- Integration Method: Syslog
## Parser Details

- Log Format: JSON + SYSLOG
- Expected Normalization Rate: 100%
- Data Label: ADAPTIVE_SHIELD

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| timestamp | metadata.event_timestamp |
| path | target.file.full_path |
| host | principal.hostname |
| status | security_result.action |
| logType | metadata.log_type |
| data.description | security_result.description |
| data.source_id | src.resource.product_object_id |
| data.affected_diff | target.user.attribute.labels |
| integration.name | about.labels |
| integration.id | about.labels |
| data.new_affected_count | additional.fields |
| data.alert_type | security_result.category_details |
| data.id | metadata.product_log_id |
| data.security_check_api_link | security_result.url_back_to_product |
| data.account_id | target.resource.product_object_id |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
## Log Sample

```text
<13>1 2025-08-16T05:33:00.000+00:00 host123.example.com adaptiveshield - - - {"event":{"original":"{\"data\":{\"source_id\":\"4d2c1f0a9b8e7d6c3a1b2e45\",\"description\":\"Security check \\\"Site Content Sensitivity Classification\\\" affected count changed from 4166 to 4167\",\"id\":\"ff12a0c8b7e4c2d9a3019d87\",\"new_affected_count\":1,\"alert_type\":\"Security Check Degraded\",\"is_archived\":false,\"account_id\":\"3e7d2a9c1f0b5d8e4c7a6b12\",\"source\":\"security_checks\",\"user_who_archived\":null,\"security_check_api_link\":\"https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45\",\"affected_diff\":[\"https://www.example.com/documents/sample\"],\"integration\":{\"name\":\"SharePoint + OneDrive\",\"alias\":\"Sharepoint/OneDrive\",\"id\":\"a9f1d7c2b4e8391a5f7d4e21\"},\"timestamp\":\"2025-08-16T05:33:00Z\"},\"@timestamp\":\"2025-08-16T05:33:00.000Z\",\"total_size\":5,\"path\":\"/home/logstash/adaptive/2025-08-16-06-24-35.json\",\"@version\":\"1\",\"host\":\"test-node.internal.net\",\"status\":\"ok\",\"logType\":\"adaptive\"}"},"total_size":5,"@version":"1","data":{"description":"Security check \"Site Content Sensitivity Classification\" affected count changed from 4166 to 4167","source_id":"4d2c1f0a9b8e7d6c3a1b2e45","timestamp":"2025-08-16T05:33:00Z","affected_diff":["https://www.example.com/documents/sample"],"integration":{"id":"a9f1d7c2b4e8391a5f7d4e21","alias":"Sharepoint/OneDrive","name":"SharePoint + OneDrive"},"new_affected_count":1,"alert_type":"Security Check Degraded","is_archived":false,"id":"ff12a0c8b7e4c2d9a3019d87","user_who_archived":null,"security_check_api_link":"https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45","account_id":"3e7d2a9c1f0b5d8e4c7a6b12","source":"security_checks"},"path":"/home/logstash/adaptive/2025-08-16-06-24-35.json","logType":"adaptive","status":"ok","@timestamp":"2025-08-16T05:33:00.000Z","host":"test-node.internal.net"}
```
## Sample Parsing

```text
metadata.product_name = "Adaptive Shield"
metadata.vendor_name = "CrowdStrike"
observer.hostname = "host123.example.com"
metadata.event_timestamp = "2025-08-16T05:33:00Z"
metadata.product_log_id = "ff12a0c8b7e4c2d9a3019d87"
target.resource.product_object_id = "3e7d2a9c1f0b5d8e4c7a6b12"
target.user.attribute.labels["affected_diff"] = "https://www.example.com/documents/sample"
target.file.full_path = "/home/logstash/adaptive/2025-08-16-06-24-35.json"
principal.hostname = "test-node.internal.net"
src.resource.product_object_id = "4d2c1f0a9b8e7d6c3a1b2e45"
metadata.log_type = "adaptive"
security_result.category_details = "Security Check Degraded"
security_result.description = "Security check \"Site Content Sensitivity Classification\" affected count changed from 4166 to 4167"
security_result.url_back_to_product = "https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45"
additional.fields["new_affected_count"] = "1"
about.labels["Integration Name"] = "SharePoint + OneDrive"
about.labels["Integration ID"] = "a9f1d7c2b4e8391a5f7d4e21"
security_result.action = "ALLOW"
```
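The field mapping and sample parsing above, worked through as an added Python example (this is not CrowdStrike's code nor the parser itself): it splits the RFC 5424 syslog header, decodes the JSON payload, and emits the UDM fields listed in the parser table. Assumptions: `SAMPLE_LINE` is a constructed, abbreviated copy of the page's log sample; the `event.original` fallback, the key/value representation of labels, the stringified `additional.fields` value, and leaving unlisted `status` values unmapped are choices made for this example, not documented parser behaviour.

```python
import json
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Assumes STRUCTURED-DATA is "-" (as in the page's sample); bracketed SD with spaces
# would need a fuller parser.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample: an abbreviated copy of the log sample on this page, without the
# event.original envelope (that case is exercised via SAMPLE_LINE_WRAPPED below).
SAMPLE_LINE = (
    '<13>1 2025-08-16T05:33:00.000+00:00 host123.example.com adaptiveshield - - - '
    '{"data":{"description":"Security check \\"Site Content Sensitivity Classification\\" '
    'affected count changed from 4166 to 4167","source_id":"4d2c1f0a9b8e7d6c3a1b2e45",'
    '"timestamp":"2025-08-16T05:33:00Z","affected_diff":["https://www.example.com/documents/sample"],'
    '"integration":{"id":"a9f1d7c2b4e8391a5f7d4e21","alias":"Sharepoint/OneDrive","name":"SharePoint + OneDrive"},'
    '"new_affected_count":1,"alert_type":"Security Check Degraded","is_archived":false,'
    '"id":"ff12a0c8b7e4c2d9a3019d87","user_who_archived":null,'
    '"security_check_api_link":"https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45",'
    '"account_id":"3e7d2a9c1f0b5d8e4c7a6b12","source":"security_checks"},'
    '"path":"/home/logstash/adaptive/2025-08-16-06-24-35.json","logType":"adaptive","status":"ok",'
    '"@timestamp":"2025-08-16T05:33:00.000Z","host":"test-node.internal.net"}'
)

# The only status -> action mapping attested on this page (status "ok" -> ALLOW).
STATUS_TO_ACTION = {"ok": "ALLOW"}


def parse_syslog_line(line):
    """Split a syslog line into its RFC 5424 header fields plus the trailing JSON payload."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    return m.groupdict()


def extract_record(event):
    """Return the Adaptive Shield record from the decoded payload.

    Prefer the top-level keys; if the shipper only supplied a serialized copy under
    event.original (a JSON string), decode that instead (assumption for this example)."""
    if "data" in event:
        return event
    original = event.get("event", {}).get("original")
    if original is None:
        raise ValueError("no Adaptive Shield record in payload")
    return json.loads(original)


def to_utc_iso(ts):
    """'2025-08-16T05:33:00Z' or '2025-08-16T05:33:00.000Z' -> '2025-08-16T05:33:00Z'."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one syslog line to the UDM fields listed in the parser table."""
    hdr = parse_syslog_line(line)
    rec = extract_record(json.loads(hdr["msg"]))
    data = rec.get("data", {})
    integ = data.get("integration", {})
    return {
        "metadata.vendor_name": "CrowdStrike",
        "metadata.product_name": "Adaptive Shield",
        "observer.hostname": hdr["hostname"],  # syslog header host, not the payload host
        "metadata.event_timestamp": to_utc_iso(data.get("timestamp") or rec.get("@timestamp")),
        "metadata.log_type": rec.get("logType"),
        "metadata.product_log_id": data.get("id"),
        "principal.hostname": rec.get("host"),  # host of the log shipper that wrote the file
        "target.file.full_path": rec.get("path"),
        "src.resource.product_object_id": data.get("source_id"),
        "target.resource.product_object_id": data.get("account_id"),
        # affected_diff is a list: emit one label per entry (UDM labels are key/value pairs).
        "target.user.attribute.labels": [
            {"key": "affected_diff", "value": v} for v in data.get("affected_diff", [])
        ],
        "about.labels": [
            {"key": "Integration Name", "value": integ.get("name")},
            {"key": "Integration ID", "value": integ.get("id")},
        ],
        # additional.fields values are strings in the sample parsing, so stringify the count.
        "additional.fields": (
            {"new_affected_count": str(data["new_affected_count"])}
            if "new_affected_count" in data else {}
        ),
        "security_result.category_details": data.get("alert_type"),
        "security_result.description": data.get("description"),
        "security_result.url_back_to_product": data.get("security_check_api_link"),
        # Statuses not listed on the page stay unmapped (None) rather than being guessed.
        "security_result.action": STATUS_TO_ACTION.get(rec.get("status")),
    }


# Constructed variant carrying the same record only inside event.original, as the page's
# full sample does, to show the fallback path producing identical output.
_hdr = parse_syslog_line(SAMPLE_LINE)
SAMPLE_LINE_WRAPPED = SAMPLE_LINE[: -len(_hdr["msg"])] + json.dumps({"event": {"original": _hdr["msg"]}})

if __name__ == "__main__":
    for k, v in normalize(SAMPLE_LINE).items():
        print(f"{k} = {v!r}")
```

Note that `observer.hostname` comes from the syslog header while `principal.hostname` comes from the `host` key inside the payload; in the page's sample these differ (`host123.example.com` versus `test-node.internal.net`), which is worth checking when validating a deployment, since a collector that rewrites the syslog header will silently change the observer value.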