## Crowdstrike Schema

### CrowdstrikeTenant

Representation of a CrowdStrike customer tenant. The `id` field is the
customer's CID (Customer ID); CrowdstrikeHost and CrowdstrikeSpotlightVulnerability
nodes belonging to that tenant are linked via `RESOURCE` and cleaned up
together when stale. The node also carries the shared `:Tenant` label so
cross-module queries that match `(:Tenant)` discover this organizational
boundary, mirroring the convention used by other tenant roots such as
`KandjiTenant` and `GoogleWorkspaceTenant`.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The CrowdStrike CID for this tenant |

#### Relationships

- CrowdstrikeTenant owns CrowdstrikeHost and CrowdstrikeSpotlightVulnerability for cleanup scoping.
    ```
    (CrowdstrikeTenant)-[:RESOURCE]->(CrowdstrikeHost)
    (CrowdstrikeTenant)-[:RESOURCE]->(CrowdstrikeSpotlightVulnerability)
    ```

### CrowdstrikeHost

Representation of a Crowdstrike Host

> **Ontology Mapping**: This node participates in the canonical `Device` ontology, enabling cross-platform device correlation via `(:Device)-[:OBSERVED_AS]->(:CrowdstrikeHost)` relationships.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The device ID for this host |
| cid | The customer ID |
| email | Email address associated with the host record in CrowdStrike. |
| instance\_id | The AWS instance ID associated with this host |
| status | Containment Status of the machine. "Normal" denotes good operations; other values might mean reduced functionality or support. |
| hostname | The name of the machine. |
| machine\_domain | Active Directory domain name. |
| crowdstrike\_first\_seen | Timestamp of device’s first connection to Falcon |
| crowdstrike\_last\_seen | Timestamp of device’s most recent connection to Falcon |
| local\_ip | The device's local IP address. |
| external\_ip | External IP of the device, as seen by CrowdStrike. |
| cpu\_signature | The CPU signature of the device. |
| bios\_manufacturer | Bios manufacture name. |
| bios\_version | Bios version. |
| mac\_address | The MAC address of the device |
| os\_version | Operating system version. |
| os\_build | The build of the OS |
| platform\_id | CrowdStrike agent configuration notes |
| platform\_name | Operating system platform. |
| service\_provider | The service provider for the device. |
| service\_provider\_account\_id | The service provider account ID associated with this device |
| agent\_version | CrowdStrike agent configuration notes |
| system\_manufacturer | Name of system manufacturer |
| system\_product\_name | Name of system product |
| product\_type | The product type |
| product\_type\_desc | Name of product type. |
| provision\_status | The provision status of the device |
| reduced\_functionality\_mode | Reduced functionality mode (RFM) status |
| kernel\_version | Kernel version of the host OS. |
| major\_version | Major version of the Operating System |
| minor\_version | Minor version of the Operating System |
| tags | Grouping tags for the device |
| modified\_timestamp | The last time that the machine record was updated. Can include status like containment status changes or configuration group changes |

#### Relationships

- CrowdstrikeHost has CrowdstrikeSpotlightVulnerability
    ```
    (CrowdstrikeHost)-[HAS_VULNERABILITY]->(CrowdstrikeSpotlightVulnerability)
    ```

- CrowdstrikeHost belongs to a CrowdstrikeTenant
    ```
    (CrowdstrikeTenant)-[:RESOURCE]->(CrowdstrikeHost)
    ```

### CrowdstrikeSpotlightVulnerability

Representation of a Crowdstrike Vulnerability
The legacy `SpotlightVulnerability` label remains attached for compatibility
until v1.0.0.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The ID for this vulnerability |
| cid | The customer ID |
| aid | The unique identifier (agent ID) of the sensor where the vulnerability was found. |
| status | The vulnerability’s current status. One of open, closed, reopen, or expired. |
| created\_timestamp | The UTC date and time that the vulnerability was created in Spotlight. |
| closed\_timestamp | The date and time a vulnerability was set to a status of "closed" |
| updated\_timestamp | The UTC date and time of the last update made on a vulnerability. |
| cve\_id | The ID of the CVE. |
| host\_info\_local\_ip | The device’s local IP address. |
| remediation\_ids | The unique IDs of the remediations. |
| app\_product\_name\_version | The name and version of the product associated with the vulnerability. |

#### Relationships

- CrowdstrikeHost has CrowdstrikeSpotlightVulnerability
    ```
    (CrowdstrikeHost)-[HAS_VULNERABILITY]->(CrowdstrikeSpotlightVulnerability)
    ```

- CrowdstrikeSpotlightVulnerability has CVE
    ```
    (CrowdstrikeSpotlightVulnerability)-[HAS_CVE]->(CVE)
    ```

- CrowdstrikeSpotlightVulnerability belongs to a CrowdstrikeTenant
    ```
    (CrowdstrikeTenant)-[:RESOURCE]->(CrowdstrikeSpotlightVulnerability)
    ```

### CrowdstrikeFinding::CVE

Representation of a CVE

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The ID for this CVE |
| base\_score | Base score of the CVE (float value between 1 and 10). |
| severity | Severity of the CVE. One of CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, or NONE. |
| exploitability\_score | Numeric value of the most severe known exploit. 0=UNPROVEN; 30=AVAILABLE; 60=EASILY\_ACCESSIBLE; 90=ACTIVELY\_USED |

#### Relationships

- CrowdstrikeSpotlightVulnerability has CVE
    ```
    (CrowdstrikeSpotlightVulnerability)-[HAS_CVE]->(CVE)
    ```
