CrowdStrike TargetProcessId value is incorrect in Panther's Data Explorer
When querying the
targetProcessId of a CrowdStrike event in Data Explorer in the Panther Console, it returns an ID where the number rounds the last two digits to 00.
e.g. 154876524187563218 becomes 154876524187563200
To resolve this issue, cast the ID value to a string where possible. For example, before sending the ID as part of an alert context, try:
def alert_context(event): event = event.to_dict() event['targetProcessId'] = str(event['targetProcessId']) return event
This issue occurs because the JSON parser used to serialize event data for transport doesn't support more than 16 significant figures in a number. Changing the data type to string bypasses this limitation.