Does Panther extract indicators from nested fields in Crowdstrike.FDREvent schema?

Last updated: April 25, 2026

QUESTION

Does the Crowdstrike.FDREvent schema extract indicator mappings from nested fields within a JSON field (e.g., event.RemoteAddressIP4 or other indicators such as hashes, domains, etc.)?

ANSWER

Yes, Panther does extract indicators from nested fields in the Crowdstrike.FDREvent schema.

For fields of type JSON (e.g., the event field), the schema does not explicitly define indicator mappings for nested fields. Panther’s backend nevertheless extracts indicators from those nested fields automatically, so they are available for indicator search without any explicit mapping in the schema.
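As an added illustration of the effect described above (this is not Panther's code and does not describe its actual backend logic), the function below walks a constructed FDR-like record and collects IPv4 addresses, SHA-256 hashes and domain names from nested fields at any depth. The RemoteAddressIP4 field name comes from the question; every other field name and value in the sample is made up.

```python
import re
from typing import Any

# Constructed sample loosely resembling a Crowdstrike.FDREvent record. The nested
# "event" object stands in for the JSON field the answer refers to; all values
# are placeholders for illustration only.
SAMPLE_FDR_EVENT = {
    "event_simpleName": "NetworkConnectIP4",
    "event": {
        "aid": "aid-placeholder",
        "RemoteAddressIP4": "198.51.100.23",
        "LocalAddressIP4": "10.0.0.5",
        "ImageFileName": "C:\\Windows\\System32\\svchost.exe",
        "SHA256HashData": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "DomainName": "update.example.com",
        "nested": {"deeper": {"ip": "203.0.113.9"}},
    },
}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def _walk(value: Any):
    """Yield every string found anywhere in a nested dict/list structure."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _walk(v)
    elif isinstance(value, list):
        for v in value:
            yield from _walk(v)
    elif isinstance(value, str):
        yield value


def extract_indicators(record: dict) -> dict[str, list[str]]:
    """Classify every string in the record, at any depth, into indicator buckets."""
    buckets: dict[str, set[str]] = {"ips": set(), "sha256": set(), "domains": set()}
    for s in _walk(record):
        # IPv4 check first so dotted-quad strings are never mistaken for domains
        if IPV4_RE.match(s) and all(0 <= int(o) <= 255 for o in s.split(".")):
            buckets["ips"].add(s)
        elif SHA256_RE.match(s):
            buckets["sha256"].add(s)
        elif DOMAIN_RE.match(s):
            buckets["domains"].add(s)
    return {k: sorted(v) for k, v in buckets.items()}
```

Running extract_indicators(SAMPLE_FDR_EVENT) picks up the three IPs, the hash and the domain even though none of them sit at the top level of the record.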