CrowdStrike Adaptive Shield

About

Adaptive Shield is a SaaS Security Posture Management (SSPM) platform that provides comprehensive visibility, control, and threat prevention across an organization's SaaS applications, users, and associated risks.

Product Details

Vendor URL: CrowdStrike Adaptive Shield

Product Type: SaaS

Product Tier: Tier III

Integration Method: Syslog

Parser Details

Log Format: JSON + SYSLOG

Expected Normalization Rate: 100%

Data Label: ADAPTIVE_SHIELD

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| timestamp | metadata.event_timestamp |
| path | target.file.full_path |
| host | principal.hostname |
| status | security_result.action |
| logType | metadata.log_type |
| data.description | security_result.description |
| data.source_id | src.resource.product_object_id |
| data.affected_diff | target.user.attribute.labels |
| integration.name | about.labels |
| integration.id | about.labels |
| data.new_affected_count | additional.fields |
| data.alert_type | security_result.category_details |
| data.id | metadata.product_log_id |
| data.security_check_api_link | security_result.url_back_to_product |
| data.account_id | target.resource.product_object_id |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| Generic | GENERIC_EVENT |

Log Sample

<13>1 2025-08-16T05:33:00.000+00:00 host123.example.com adaptiveshield - - - {"event":{"original":"{\"data\":{\"source_id\":\"4d2c1f0a9b8e7d6c3a1b2e45\",\"description\":\"Security check \\\"Site Content Sensitivity Classification\\\" affected count changed from 4166 to 4167\",\"id\":\"ff12a0c8b7e4c2d9a3019d87\",\"new_affected_count\":1,\"alert_type\":\"Security Check Degraded\",\"is_archived\":false,\"account_id\":\"3e7d2a9c1f0b5d8e4c7a6b12\",\"source\":\"security_checks\",\"user_who_archived\":null,\"security_check_api_link\":\"https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45\",\"affected_diff\":[\"https://www.example.com/documents/sample\"],\"integration\":{\"name\":\"SharePoint + OneDrive\",\"alias\":\"Sharepoint/OneDrive\",\"id\":\"a9f1d7c2b4e8391a5f7d4e21\"},\"timestamp\":\"2025-08-16T05:33:00Z\"},\"@timestamp\":\"2025-08-16T05:33:00.000Z\",\"total_size\":5,\"path\":\"/home/logstash/adaptive/2025-08-16-06-24-35.json\",\"@version\":\"1\",\"host\":\"test-node.internal.net\",\"status\":\"ok\",\"logType\":\"adaptive\"}"},"total_size":5,"@version":"1","data":{"description":"Security check \"Site Content Sensitivity Classification\" affected count changed from 4166 to 4167","source_id":"4d2c1f0a9b8e7d6c3a1b2e45","timestamp":"2025-08-16T05:33:00Z","affected_diff":["https://www.example.com/documents/sample"],"integration":{"id":"a9f1d7c2b4e8391a5f7d4e21","alias":"Sharepoint/OneDrive","name":"SharePoint + OneDrive"},"new_affected_count":1,"alert_type":"Security Check Degraded","is_archived":false,"id":"ff12a0c8b7e4c2d9a3019d87","user_who_archived":null,"security_check_api_link":"https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45","account_id":"3e7d2a9c1f0b5d8e4c7a6b12","source":"security_checks"},"path":"/home/logstash/adaptive/2025-08-16-06-24-35.json","logType":"adaptive","status":"ok","@timestamp":"2025-08-16T05:33:00.000Z","host":"test-node.internal.net"}

Sample Parsing

metadata.product_name = "Adaptive Shield"
metadata.vendor_name = "CrowdStrike"
observer.hostname = "host123.example.com"
metadata.event_timestamp = 2025-08-16T05:33:00Z
metadata.product_log_id = "ff12a0c8b7e4c2d9a3019d87"
target.resource.product_object_id = "3e7d2a9c1f0b5d8e4c7a6b12"
target.user.attribute.labels["affected_diff"] = "https://www.example.com/documents/sample"
target.file.full_path = "/home/logstash/adaptive/2025-08-16-06-24-35.json"
principal.hostname = "test-node.internal.net"
src.resource.product_object_id = "4d2c1f0a9b8e7d6c3a1b2e45"
metadata.log_type = "adaptive"
security_result.category_details = "Security Check Degraded"
security_result.description = "Security check \"Site Content Sensitivity Classification\" affected count changed from 4166 to 4167"
security_result.url_back_to_product = "https://api.adaptive-shield.com/api/v1/accounts/6633a9f9138b53738484f95e/security_checks/4d2c1f0a9b8e7d6c3a1b2e45"
additional.fields["new_affected_count"] = "1"
about.labels["Integration Name"] = "SharePoint + OneDrive"
about.labels["Integration ID"] = "a9f1d7c2b4e8391a5f7d4e21"
security_result.action = "ALLOW"
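
The field mapping above, replayed in Python as an added example (not the parser's own code) that can be used to check a forwarded line against the expected UDM values before relying on the stated normalization rate. The names `to_udm`, `dig`, `SCALARS`, `LABELS` and `ACTIONS` are hypothetical. Reading `timestamp` from `data.timestamp`, mapping status `ok` to `ALLOW` (the only pair the sample shows), falling back to `UNKNOWN_ACTION`, and joining list values are assumptions.

```python
import json
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, then the JSON message.
HEADER = re.compile(r"^<\d{1,3}>\d+ \S+ (?P<observer>\S+)(?: \S+){4} (?P<body>\{.*\})\s*$", re.S)
# Source field -> UDM field, from the mapping table ("timestamp" under data is an assumption).
SCALARS = {
    "path": "target.file.full_path", "host": "principal.hostname",
    "logType": "metadata.log_type", "data.timestamp": "metadata.event_timestamp",
    "data.description": "security_result.description",
    "data.source_id": "src.resource.product_object_id",
    "data.alert_type": "security_result.category_details", "data.id": "metadata.product_log_id",
    "data.security_check_api_link": "security_result.url_back_to_product",
    "data.account_id": "target.resource.product_object_id",
}
# Source field -> (label container, key as written under Sample Parsing); lists are joined.
LABELS = {
    "data.affected_diff": ("target.user.attribute.labels", "affected_diff"),
    "data.new_affected_count": ("additional.fields", "new_affected_count"),
    "data.integration.name": ("about.labels", "Integration Name"),
    "data.integration.id": ("about.labels", "Integration ID"),
}
ACTIONS = {"ok": "ALLOW"}  # assumption: the only status/action pair visible in the sample

def dig(obj, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in dotted.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def to_udm(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with a JSON payload")
    event = json.loads(m.group("body"))  # malformed JSON also raises ValueError
    udm = {"metadata.event_type": "GENERIC_EVENT", "observer.hostname": m.group("observer")}
    for src, dst in SCALARS.items():
        if (value := dig(event, src)) is not None:
            udm[dst] = value
    for src, (dst, key) in LABELS.items():
        if (value := dig(event, src)) is not None:
            values = value if isinstance(value, list) else [value]
            udm[f'{dst}["{key}"]'] = ", ".join(map(str, values))
    udm["security_result.action"] = ACTIONS.get(event.get("status"), "UNKNOWN_ACTION")
    return udm

# Constructed sample: the page's log line with event.original and several keys dropped.
SAMPLE = "<13>1 2025-08-16T05:33:00.000+00:00 host123.example.com adaptiveshield - - - " + json.dumps({
    "data": {"id": "ff12a0c8b7e4c2d9a3019d87", "new_affected_count": 1, "timestamp": "2025-08-16T05:33:00Z",
             "affected_diff": ["https://www.example.com/documents/sample"],
             "integration": {"name": "SharePoint + OneDrive", "id": "a9f1d7c2b4e8391a5f7d4e21"}},
    "host": "test-node.internal.net", "logType": "adaptive", "status": "ok"})
```

Fields missing from a line are skipped rather than emitted empty, so comparing the returned keys against the mapping table shows which source fields a given forwarder is dropping.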