CrowdStrike-Erkennungsprotokolle erfassen
In diesem Dokument wird beschrieben, wie Sie CrowdStrike-Erkennungsprotokolle über den Google Security Operations-Feed in Google Security Operations exportieren und wie CrowdStrike-Erkennungsfelder den UDM-Feldern (Unified Data Model) von Google Security Operations zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus CrowdStrike und dem Google Security Operations-Feed, der so konfiguriert ist, dass Logs an Google Security Operations gesendet werden. Jede Kundenimplementierung kann sich unterscheiden und möglicherweise komplexer sein.
Die Bereitstellung umfasst die folgenden Komponenten:
CrowdStrike Falcon Intelligence: Das CrowdStrike-Produkt, von dem Sie Protokolle erfassen.
CrowdStrike-Feed Der CrowdStrike-Feed, der Protokolle von CrowdStrike abholt und in Google SecOps schreibt.
Google Security Operations: Hier werden die CrowdStrike-Erkennungslogs aufbewahrt und analysiert.
Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel CS_DETECTS
.
Hinweise
Sie benötigen Administratorrechte für die CrowdStrike-Instanz, um den CrowdStrike Falcon-Host-Sensor zu installieren.
Alle Systeme in der Bereitstellungsarchitektur müssen in der UTC-Zeitzone konfiguriert sein.
Achten Sie darauf, dass auf dem Gerät ein unterstütztes Betriebssystem ausgeführt wird.
- Das Betriebssystem muss auf einem 64-Bit-Server ausgeführt werden. Microsoft Windows Server 2008 R2 SP1 wird für CrowdStrike Falcon-Hostsensorversionen 6.51 oder höher unterstützt.
- Auf Systemen mit älteren Betriebssystemversionen (z. B. Windows 7 SP1) muss die SHA-2-Codesignatur unterstützt werden.
Wenden Sie sich an das Google Security Operations-Supportteam, um die Datei des Google Security Operations-Dienstkontos und Ihre Kundennummer zu erhalten.
CrowdStrike für die Aufnahme von Protokollen konfigurieren
So richten Sie einen Datenaufnahmefeed ein:
- Erstellen Sie ein neues API-Client-Schlüsselpaar in CrowdStrike Falcon. Dieses Schlüsselpaar liest Ereignisse und ergänzende Informationen aus CrowdStrike Falcon.
- Gewähren Sie
READ
die BerechtigungDetections
, während Sie das Schlüsselpaar erstellen.
Feed in Google Security Operations für die Aufnahme von CrowdStrike-Erkennungsprotokollen konfigurieren
- Gehen Sie zu SIEM-Einstellungen > Feeds.
- Klicken Sie auf Add new (Neuen Eintrag hinzufügen).
- Geben Sie einen eindeutigen Namen für das Feld ein.
- Wählen Sie API von Drittanbietern als Quelltyp aus.
- Wählen Sie CrowdStrike Detection Monitoring als Logtyp aus.
- Klicken Sie auf Weiter.
- Konfigurieren Sie die folgenden obligatorischen Eingabeparameter:
- OAuth-Token-Endpunkt: Geben Sie den Endpunkt an.
- OAuth-Client-ID: Geben Sie die Client-ID an, die Sie zuvor abgerufen haben.
- OAuth-Clientschlüssel: Geben Sie den zuvor abgerufenen Clientschlüssel an.
- Basis-URL: Geben Sie die Basis-URL an.
- Klicken Sie auf Weiter und dann auf Senden.
Referenz für die Feldzuordnung
In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser CrowdStrike-Erkennungsfelder den Feldern des einheitlichen Datenmodells (Unified Data Model, UDM) von Google Security Operations zuordnet.
In der folgenden Tabelle sind die CS_DETECTS
-Ereignis-IDs und die entsprechenden UDM-Ereignistypen aufgeführt.
Event Identifier | Event Type | Security Category |
---|---|---|
.bash_profile and .bashrc |
SCAN_FILE |
|
/etc/passwd and /etc/shadow |
SCAN_UNCATEGORIZED |
|
Abuse Accessibility Features |
SCAN_UNCATEGORIZED |
|
Abuse Device Administrator Access to Prevent Removal |
SCAN_UNCATEGORIZED |
|
Abuse Elevation Control Mechanism |
SCAN_UNCATEGORIZED |
|
Access Calendar Entries |
SCAN_UNCATEGORIZED |
|
Access Call Log |
SCAN_UNCATEGORIZED |
|
Access Contact List |
SCAN_UNCATEGORIZED |
|
Access Notifications |
SCAN_UNCATEGORIZED |
|
Access Sensitive Data in Device Logs |
SCAN_UNCATEGORIZED |
|
Access Stored Application Data |
SCAN_UNCATEGORIZED |
|
Access Token Manipulation |
SCAN_UNCATEGORIZED |
|
Accessibility Features |
SCAN_UNCATEGORIZED |
|
Account Access Removal |
SCAN_UNCATEGORIZED |
|
Account Discovery |
SCAN_UNCATEGORIZED |
|
Account Manipulation |
SCAN_UNCATEGORIZED |
|
Active Setup |
SCAN_UNCATEGORIZED |
|
Add Office 365 Global Administrator Role |
SCAN_UNCATEGORIZED |
|
Add-ins |
SCAN_UNCATEGORIZED |
|
Additional Azure Service Principal Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Roles |
SCAN_UNCATEGORIZED |
|
Additional Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Adversary-in-the-Middle |
SCAN_UNCATEGORIZED |
|
Adware |
SCAN_UNCATEGORIZED |
|
Adware/PUP |
SCAN_PROCESS |
|
Alternate Network Mediums |
SCAN_NETWORK |
|
Android Intent Hijacking |
SCAN_UNCATEGORIZED |
|
App Auto-Start at Device Boot |
SCAN_UNCATEGORIZED |
|
AppCert DLLs |
SCAN_UNCATEGORIZED |
|
AppInit DLLs |
SCAN_UNCATEGORIZED |
|
AppleScript |
SCAN_FILE |
|
Application Access Token |
SCAN_UNCATEGORIZED |
|
Application Discovery |
SCAN_UNCATEGORIZED |
|
Application Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Application Layer Protocol |
SCAN_NETWORK |
|
Application or System Exploitation |
SCAN_UNCATEGORIZED |
|
Application Shimming |
SCAN_UNCATEGORIZED |
|
Application Window Discovery |
SCAN_UNCATEGORIZED |
|
Archive Collected Data |
SCAN_UNCATEGORIZED |
|
Archive via Custom Method |
SCAN_UNCATEGORIZED |
|
Archive via Library |
SCAN_FILE |
DATA_EXFILTRATION |
Archive via Utility |
SCAN_UNCATEGORIZED |
|
ARP Cache Poisoning |
SCAN_NETWORK |
|
AS-REP Roasting |
SCAN_UNCATEGORIZED |
|
Asymmetric Cryptography |
SCAN_NETWORK |
|
Asynchronous Procedure Call |
SCAN_PROCESS |
EXPLOIT |
At |
SCAN_UNCATEGORIZED |
|
At (Linux) |
SCAN_UNCATEGORIZED |
|
At (Windows) |
SCAN_UNCATEGORIZED |
|
Attack PC via USB Connection |
SCAN_UNCATEGORIZED |
|
Attributed to Adversary |
SCAN_UNCATEGORIZED |
|
Audio Capture |
SCAN_UNCATEGORIZED |
|
Authentication Package |
SCAN_UNCATEGORIZED |
|
Automated Collection |
SCAN_UNCATEGORIZED |
|
Automated Exfiltration |
SCAN_UNCATEGORIZED |
EXPLOIT |
Bad device settings |
SCAN_HOST |
|
Bash History |
SCAN_UNCATEGORIZED |
|
Bidirectional Communication |
SCAN_NETWORK |
|
Binary Padding |
SCAN_UNCATEGORIZED |
|
BITS Jobs |
SCAN_UNCATEGORIZED |
|
Boot or Logon Autostart Execution |
SCAN_UNCATEGORIZED |
|
Boot or Logon Initialization Scripts |
SCAN_UNCATEGORIZED |
|
Bootkit |
SCAN_UNCATEGORIZED |
|
Broadcast Receivers |
SCAN_UNCATEGORIZED |
|
Browser Bookmark Discovery |
SCAN_UNCATEGORIZED |
|
Browser Exploit |
SCAN_UNCATEGORIZED |
EXPLOIT |
Browser Extensions |
SCAN_UNCATEGORIZED |
|
Browser Session Hijacking |
SCAN_UNCATEGORIZED |
|
Brute Force |
SCAN_UNCATEGORIZED |
|
Build Image on Host |
SCAN_UNCATEGORIZED |
|
Bypass Monitoring |
SCAN_HOST |
|
Bypass User Access Control |
SCAN_UNCATEGORIZED |
|
Bypass User Account Control |
SCAN_UNCATEGORIZED |
|
Cached Domain Credentials |
SCAN_UNCATEGORIZED |
|
Calendar Entries |
SCAN_UNCATEGORIZED |
|
Call Control |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Call Log |
SCAN_UNCATEGORIZED |
|
Capture Audio |
SCAN_UNCATEGORIZED |
|
Capture Camera |
SCAN_UNCATEGORIZED |
|
Capture Clipboard Data |
SCAN_UNCATEGORIZED |
|
Capture SMS Messages |
SCAN_UNCATEGORIZED |
|
Carrier Billing Fraud |
SCAN_UNCATEGORIZED |
|
Change Default File Association |
SCAN_FILE |
|
Clear Command History |
SCAN_UNCATEGORIZED |
|
Clear Linux or Mac System Logs |
SCAN_UNCATEGORIZED |
|
Clear Windows Event Logs |
SCAN_UNCATEGORIZED |
|
Clipboard Data |
SCAN_UNCATEGORIZED |
|
Clipboard Modification |
SCAN_UNCATEGORIZED |
|
Cloud Account |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Groups |
SCAN_NETWORK |
|
Cloud Infrastructure Discovery |
SCAN_NETWORK |
|
Cloud Instance Metadata API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Service Dashboard |
SCAN_NETWORK |
|
Cloud Service Discovery |
SCAN_NETWORK |
|
Cloud Storage Object Discovery |
SCAN_NETWORK |
|
Cloud-based ML |
SCAN_UNCATEGORIZED |
|
CMSTP |
SCAN_UNCATEGORIZED |
|
Code Injection |
SCAN_UNCATEGORIZED |
|
Code Repositories |
SCAN_UNCATEGORIZED |
|
Code Signing |
SCAN_UNCATEGORIZED |
|
Code Signing Policy Modification |
SCAN_UNCATEGORIZED |
|
Command and Scripting Interpreter |
SCAN_FILE |
|
Command-Line Interface |
SCAN_UNCATEGORIZED |
|
Commonly Used Port |
SCAN_NETWORK |
|
Communication Through Removable Media |
SCAN_NETWORK |
|
Compile After Delivery |
SCAN_FILE |
|
Compiled HTML File |
SCAN_FILE |
|
Component Firmware |
SCAN_UNCATEGORIZED |
|
Component Object Model |
SCAN_UNCATEGORIZED |
|
Component Object Model and Distributed COM |
SCAN_UNCATEGORIZED |
|
Component Object Model Hijacking |
SCAN_UNCATEGORIZED |
|
Compromise Application Executable |
SCAN_UNCATEGORIZED |
|
Compromise Client Software Binary |
SCAN_UNCATEGORIZED |
|
Compromise Hardware Supply Chain |
SCAN_UNCATEGORIZED |
|
Compromise Software Dependencies and Development Tools |
SCAN_UNCATEGORIZED |
|
Compromise Software Supply Chain |
SCAN_UNCATEGORIZED |
|
Confluence |
SCAN_UNCATEGORIZED |
|
Connection Proxy |
SCAN_NETWORK |
|
Contact List |
SCAN_UNCATEGORIZED |
|
Container Administration Command |
SCAN_UNCATEGORIZED |
|
Container and Resource Discovery |
SCAN_NETWORK |
|
Container API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Container Orchestration Job |
SCAN_UNCATEGORIZED |
|
Control Panel |
SCAN_UNCATEGORIZED |
|
Control Panel Items |
SCAN_UNCATEGORIZED |
|
COR_PROFILER |
SCAN_UNCATEGORIZED |
|
Create Account |
SCAN_UNCATEGORIZED |
|
Create Cloud Instance |
SCAN_UNCATEGORIZED |
|
Create or Modify System Process |
SCAN_PROCESS |
|
Create Process with Token |
SCAN_PROCESS |
|
Create Snapshot |
SCAN_UNCATEGORIZED |
|
Credential API Hooking |
SCAN_UNCATEGORIZED |
|
Credential Dumping |
SCAN_UNCATEGORIZED |
|
Credential Stuffing |
SCAN_UNCATEGORIZED |
|
Credentials from Password Store |
SCAN_UNCATEGORIZED |
|
Credentials from Password Stores |
SCAN_UNCATEGORIZED |
|
Credentials from Web Browsers |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials In Files |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials in Registry |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cron |
SCAN_UNCATEGORIZED |
|
Custom Command and Control Protocol |
SCAN_NETWORK |
|
Custom Cryptographic Protocol |
SCAN_NETWORK |
|
Data Compressed |
SCAN_UNCATEGORIZED |
|
Data Destruction |
SCAN_FILE |
|
Data Encoding |
SCAN_NETWORK |
|
Data Encrypted |
SCAN_UNCATEGORIZED |
|
Data Encrypted for Impact |
SCAN_UNCATEGORIZED |
|
Data from Cloud Storage Object |
SCAN_UNCATEGORIZED |
|
Data from Configuration Repository |
SCAN_UNCATEGORIZED |
|
Data from Information Repositories |
SCAN_UNCATEGORIZED |
|
Data from Local System |
SCAN_UNCATEGORIZED |
|
Data from Network Shared Drive |
SCAN_NETWORK |
|
Data from Removable Media |
SCAN_UNCATEGORIZED |
|
Data Manipulation |
SCAN_UNCATEGORIZED |
|
Data Obfuscation |
SCAN_NETWORK |
|
Data Staged |
SCAN_UNCATEGORIZED |
|
Data Transfer Size Limits |
SCAN_UNCATEGORIZED |
|
DCShadow |
SCAN_UNCATEGORIZED |
|
DCSync |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Dead Drop Resolver |
SCAN_NETWORK |
|
Debugger Evasion |
SCAN_UNCATEGORIZED |
|
Defacement |
SCAN_UNCATEGORIZED |
|
Default Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Delete Cloud Instance |
SCAN_UNCATEGORIZED |
|
Delete Device Data |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Authorized App Store |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Other Means |
SCAN_UNCATEGORIZED |
|
Deobfuscate/Decode Files or Information |
SCAN_FILE |
|
Deploy Container |
SCAN_UNCATEGORIZED |
|
Destructive Malware |
SCAN_UNCATEGORIZED |
|
Device Administrator Permissions |
SCAN_UNCATEGORIZED |
|
Device Lockout |
SCAN_UNCATEGORIZED |
|
Device Registration |
SCAN_UNCATEGORIZED |
|
DHCP Spoofing |
SCAN_NETWORK |
|
Direct Network Flood |
SCAN_NETWORK |
|
Direct Volume Access |
SCAN_UNCATEGORIZED |
|
Disable Cloud Logs |
SCAN_UNCATEGORIZED |
|
Disable Crypto Hardware |
SCAN_UNCATEGORIZED |
|
Disable or Modify Cloud Firewall |
SCAN_NETWORK |
|
Disable or Modify System Firewall |
SCAN_NETWORK |
|
Disable or Modify Tools |
SCAN_UNCATEGORIZED |
|
Disable Windows Event Logging |
SCAN_UNCATEGORIZED |
|
Disabling Security Tools |
SCAN_UNCATEGORIZED |
|
Disguise Root/Jailbreak Indicators |
SCAN_UNCATEGORIZED |
|
Disk Content Wipe |
SCAN_UNCATEGORIZED |
|
Disk Structure Wipe |
SCAN_UNCATEGORIZED |
|
Disk Wipe |
SCAN_UNCATEGORIZED |
|
DLL Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
DLL Side-Loading |
SCAN_UNCATEGORIZED |
|
DNS |
SCAN_NETWORK |
|
DNS Calculation |
SCAN_NETWORK |
|
Domain Account |
SCAN_UNCATEGORIZED |
|
Domain Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Domain Controller Authentication |
SCAN_UNCATEGORIZED |
|
Domain Fronting |
SCAN_NETWORK |
|
Domain Generation Algorithms |
SCAN_NETWORK |
|
Domain Groups |
SCAN_UNCATEGORIZED |
|
Domain Policy Modification |
SCAN_UNCATEGORIZED |
|
Domain Trust Discovery |
SCAN_UNCATEGORIZED |
|
Domain Trust Modification |
SCAN_UNCATEGORIZED |
|
Double File Extension |
SCAN_FILE |
|
Downgrade Attack |
SCAN_UNCATEGORIZED |
|
Downgrade System Image |
SCAN_UNCATEGORIZED |
|
Downgrade to Insecure Protocols |
SCAN_NETWORK |
|
Download New Code at Runtime |
SCAN_UNCATEGORIZED |
|
Drive-by Compromise |
SCAN_UNCATEGORIZED |
EXPLOIT |
Dylib Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Data Exchange |
SCAN_UNCATEGORIZED |
|
Dynamic Linker Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Resolution |
SCAN_NETWORK |
|
Dynamic-link Library Injection |
SCAN_UNCATEGORIZED |
|
Eavesdrop on Insecure Network Communication |
SCAN_NETWORK |
|
Elevated Execution with Prompt |
SCAN_UNCATEGORIZED |
|
Email Account |
SCAN_NETWORK |
|
Email Collection |
SCAN_UNCATEGORIZED |
|
Email Forwarding Rule |
SCAN_UNCATEGORIZED |
|
Email Hiding Rules |
SCAN_UNCATEGORIZED |
|
Emond |
SCAN_UNCATEGORIZED |
|
Encrypted Channel |
SCAN_NETWORK |
|
Endpoint Denial of Service |
SCAN_UNCATEGORIZED |
|
Environmental Keying |
SCAN_UNCATEGORIZED |
|
Escape to Host |
SCAN_UNCATEGORIZED |
|
Evade Analysis Environment |
SCAN_UNCATEGORIZED |
|
Event Triggered Execution |
SCAN_UNCATEGORIZED |
|
Exchange Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Executable Installer File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Execution Guardrails |
SCAN_UNCATEGORIZED |
|
Execution through API |
SCAN_UNCATEGORIZED |
|
Execution through Module Load |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Alternative Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Bluetooth |
SCAN_UNCATEGORIZED |
|
Exfiltration Over C2 Channel |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Command and Control Channel |
SCAN_NETWORK |
|
Exfiltration Over Other Network Medium |
SCAN_NETWORK |
|
Exfiltration Over Physical Medium |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Unencrypted Non-C2 Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration over USB |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Web Service |
SCAN_NETWORK |
|
Exfiltration to Cloud Storage |
SCAN_UNCATEGORIZED |
|
Exfiltration to Code Repository |
SCAN_NETWORK |
|
Exploit Enterprise Resources |
SCAN_NETWORK |
|
Exploit Mitigation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit OS Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit Public-Facing Application |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit SS7 to Redirect Phone Calls/SMS |
SCAN_NETWORK |
EXPLOIT |
Exploit SS7 to Track Device Location |
SCAN_NETWORK |
EXPLOIT |
Exploit TEE Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Charging Station or PC |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Radio Interfaces |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Client Execution |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Credential Access |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Defense Evasion |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Privilege Escalation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation of Remote Services |
SCAN_NETWORK |
EXPLOIT |
External Defacement |
SCAN_UNCATEGORIZED |
|
External Proxy |
SCAN_NETWORK |
|
External Remote Services |
SCAN_UNCATEGORIZED |
|
Extra Window Memory Injection |
SCAN_UNCATEGORIZED |
|
Fallback Channels |
SCAN_NETWORK |
|
Fast Flux DNS |
SCAN_NETWORK |
|
File and Directory Discovery |
SCAN_FILE |
|
File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
File Deletion |
SCAN_FILE |
DATA_DESTRUCTION |
File System Logical Offsets |
SCAN_FILE |
|
File System Permissions Weakness |
SCAN_UNCATEGORIZED |
|
File Transfer Protocols |
SCAN_FILE |
DATA_EXFILTRATION |
Firmware Corruption |
SCAN_UNCATEGORIZED |
|
Forced Authentication |
SCAN_UNCATEGORIZED |
|
Foreground Persistence |
SCAN_UNCATEGORIZED |
|
Forge Web Credentials |
SCAN_UNCATEGORIZED |
|
Gatekeeper Bypass |
SCAN_UNCATEGORIZED |
|
Generate Fraudulent Advertising Revenue |
SCAN_UNCATEGORIZED |
|
Generate Traffic from Victim |
SCAN_UNCATEGORIZED |
|
Geofencing |
SCAN_UNCATEGORIZED |
|
Golden Ticket |
SCAN_UNCATEGORIZED |
|
Graphical User Interface |
SCAN_UNCATEGORIZED |
|
Group Policy Discovery |
SCAN_UNCATEGORIZED |
|
Group Policy Modification |
SCAN_UNCATEGORIZED |
|
Group Policy Preferences |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
GUI Input Capture |
SCAN_UNCATEGORIZED |
|
Hardware Additions |
SCAN_NETWORK |
|
Hidden File System |
SCAN_UNCATEGORIZED |
|
Hidden Files and Directories |
SCAN_FILE |
|
Hidden Users |
SCAN_UNCATEGORIZED |
|
Hidden Window |
SCAN_UNCATEGORIZED |
|
Hide Artifacts |
SCAN_UNCATEGORIZED |
|
Hijack Execution Flow |
SCAN_UNCATEGORIZED |
|
HISTCONTROL |
SCAN_UNCATEGORIZED |
|
Hooking |
SCAN_UNCATEGORIZED |
|
HTML Smuggling |
SCAN_UNCATEGORIZED |
|
Hypervisor |
SCAN_UNCATEGORIZED |
|
IIS Components |
SCAN_UNCATEGORIZED |
|
Image File Execution Options Injection |
SCAN_UNCATEGORIZED |
|
Impair Command History Logging |
SCAN_UNCATEGORIZED |
|
Impair Defenses |
SCAN_UNCATEGORIZED |
|
Impersonate SS7 Nodes |
SCAN_UNCATEGORIZED |
|
Implant Container Image |
SCAN_UNCATEGORIZED |
|
Implant Internal Image |
SCAN_UNCATEGORIZED |
|
Indicator Blocking |
SCAN_UNCATEGORIZED |
|
Indicator of Compromise |
SCAN_UNCATEGORIZED |
|
Indicator Removal from Tools |
SCAN_UNCATEGORIZED |
|
Indicator Removal on Host |
SCAN_UNCATEGORIZED |
|
Indirect Command Execution |
SCAN_UNCATEGORIZED |
|
Ingress Tool Transfer |
SCAN_FILE |
DATA_EXFILTRATION |
Inhibit System Recovery |
SCAN_UNCATEGORIZED |
|
Input Capture |
SCAN_UNCATEGORIZED |
|
Input Injection |
SCAN_UNCATEGORIZED |
|
Input Prompt |
SCAN_UNCATEGORIZED |
|
Install Insecure or Malicious Configuration |
SCAN_UNCATEGORIZED |
|
Install Root Certificate |
SCAN_FILE |
|
InstallUtil |
SCAN_UNCATEGORIZED |
|
Intelligence Indicator - Domain |
SCAN_NETWORK |
|
Intelligence Indicator - Hash |
SCAN_FILE |
|
Intelligence Indicator - IP |
SCAN_NETWORK |
|
Inter-Process Communication |
SCAN_PROCESS |
|
Internal Defacement |
SCAN_UNCATEGORIZED |
|
Internal Proxy |
SCAN_NETWORK |
|
Internet Connection Discovery |
SCAN_NETWORK |
|
Invalid Code Signature |
SCAN_UNCATEGORIZED |
|
Jamming or Denial of Service |
SCAN_NETWORK |
|
JavaScript |
SCAN_FILE |
|
JavaScript/JScript |
SCAN_FILE |
|
Junk Data |
SCAN_NETWORK |
|
Kerberoasting |
SCAN_UNCATEGORIZED |
|
Kernel Modules and Extensions |
SCAN_UNCATEGORIZED |
|
KernelCallbackTable |
SCAN_UNCATEGORIZED |
|
Keychain |
SCAN_UNCATEGORIZED |
|
Keylogging |
SCAN_UNCATEGORIZED |
|
Known Hash |
SCAN_FILE |
|
Launch Agent |
SCAN_UNCATEGORIZED |
|
Launch Daemon |
SCAN_UNCATEGORIZED |
|
Launchctl |
SCAN_PROCESS |
|
Launchd |
SCAN_UNCATEGORIZED |
|
LC_LOAD_DYLIB Addition |
SCAN_UNCATEGORIZED |
|
LC_MAIN Hijacking |
SCAN_UNCATEGORIZED |
|
LD_PRELOAD |
SCAN_UNCATEGORIZED |
|
Linux and Mac File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
ListPlanting |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and Relay |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and SMB Relay |
SCAN_NETWORK |
|
Local Account |
SCAN_UNCATEGORIZED |
|
Local Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Local Data Staging |
SCAN_UNCATEGORIZED |
|
Local Email Collection |
SCAN_UNCATEGORIZED |
|
Local Groups |
SCAN_UNCATEGORIZED |
|
Local Job Scheduling |
SCAN_UNCATEGORIZED |
|
Location Tracking |
SCAN_UNCATEGORIZED |
|
Lockscreen Bypass |
SCAN_UNCATEGORIZED |
EXPLOIT |
Login Hook |
SCAN_UNCATEGORIZED |
|
Login Item |
SCAN_UNCATEGORIZED |
|
Login Items |
SCAN_UNCATEGORIZED |
|
Logon Script (Mac) |
SCAN_UNCATEGORIZED |
|
Logon Script (Windows) |
SCAN_UNCATEGORIZED |
|
Logon Scripts |
SCAN_UNCATEGORIZED |
|
LSA Secrets |
SCAN_UNCATEGORIZED |
|
LSASS Driver |
SCAN_UNCATEGORIZED |
|
LSASS Memory |
SCAN_UNCATEGORIZED |
|
Mail Protocols |
SCAN_NETWORK |
|
Make and Impersonate Token |
SCAN_UNCATEGORIZED |
|
Malicious Activity |
SCAN_UNCATEGORIZED |
|
Malicious File |
SCAN_FILE |
|
Malicious Image |
SCAN_FILE |
|
Malicious Link |
SCAN_NETWORK |
|
Malicious Tool Delivery |
SCAN_UNCATEGORIZED |
|
Malicious Tool Execution |
SCAN_PROCESS |
|
Man in the Browser |
SCAN_NETWORK |
|
Man-in-the-Middle |
SCAN_NETWORK |
|
Manipulate App Store Rankings or Ratings |
SCAN_UNCATEGORIZED |
|
Manipulate Device Communication |
SCAN_NETWORK |
|
Mark-of-the-Web Bypass |
SCAN_UNCATEGORIZED |
|
Masquerade as Legitimate Application |
SCAN_UNCATEGORIZED |
|
Masquerade Task or Service |
SCAN_UNCATEGORIZED |
|
Masquerading |
SCAN_UNCATEGORIZED |
|
Match Legitimate Name or Location |
SCAN_UNCATEGORIZED |
|
Mavinject |
SCAN_UNCATEGORIZED |
|
MMC |
SCAN_FILE |
|
Modify Authentication Process |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Modify Cached Executable Code |
SCAN_UNCATEGORIZED |
|
Modify Cloud Compute Infrastructure |
SCAN_UNCATEGORIZED |
|
Modify Existing Service |
SCAN_UNCATEGORIZED |
|
Modify OS Kernel or Boot Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Registry |
SCAN_UNCATEGORIZED |
|
Modify System Image |
SCAN_UNCATEGORIZED |
|
Modify System Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Trusted Execution Environment |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
MSBuild |
SCAN_UNCATEGORIZED |
|
Mshta |
SCAN_UNCATEGORIZED |
|
Msiexec |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Request Generation |
SCAN_UNCATEGORIZED |
|
Multi-hop Proxy |
SCAN_NETWORK |
|
Multi-Stage Channels |
SCAN_NETWORK |
|
Multiband Communication |
SCAN_NETWORK |
|
Multilayer Encryption |
SCAN_NETWORK |
|
Native API |
SCAN_UNCATEGORIZED |
|
Native Code |
SCAN_UNCATEGORIZED |
|
Netsh Helper DLL |
SCAN_UNCATEGORIZED |
|
Network Address Translation Traversal |
SCAN_NETWORK |
|
Network Boundary Bridging |
SCAN_NETWORK |
|
Network Denial of Service |
SCAN_NETWORK |
|
Network Device Authentication |
SCAN_NETWORK |
|
Network Device CLI |
SCAN_NETWORK |
|
Network Device Configuration Dump |
SCAN_NETWORK |
EXPLOIT |
Network Information Discovery |
SCAN_NETWORK |
|
Network Logon Script |
SCAN_UNCATEGORIZED |
|
Network Service Discovery |
SCAN_NETWORK |
|
Network Service Scanning |
SCAN_NETWORK |
|
Network Share Connection Removal |
SCAN_NETWORK |
|
Network Share Discovery |
SCAN_NETWORK |
|
Network Sniffing |
SCAN_NETWORK |
|
Network Traffic Capture or Redirection |
SCAN_NETWORK |
EXPLOIT |
New Service |
SCAN_UNCATEGORIZED |
|
Non-Application Layer Protocol |
SCAN_NETWORK |
|
Non-Standard Encoding |
SCAN_NETWORK |
|
Non-Standard Port |
SCAN_NETWORK |
|
NTDS |
SCAN_UNCATEGORIZED |
|
NTFS File Attributes |
SCAN_FILE |
|
Obfuscated Files or Information |
SCAN_FILE |
|
Obtain Device Cloud Backups |
SCAN_NETWORK |
|
Odbcconf |
SCAN_UNCATEGORIZED |
|
Office Application Startup |
SCAN_UNCATEGORIZED |
|
Office Template Macros |
SCAN_UNCATEGORIZED |
|
Office Test |
SCAN_UNCATEGORIZED |
|
One-Way Communication |
SCAN_NETWORK |
|
OS Credential Dumping |
SCAN_UNCATEGORIZED |
|
OS Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Out of Band Data |
SCAN_NETWORK |
|
Outlook Forms |
SCAN_UNCATEGORIZED |
|
Outlook Home Page |
SCAN_UNCATEGORIZED |
|
Outlook Rules |
SCAN_UNCATEGORIZED |
|
Parent PID Spoofing |
SCAN_PROCESS |
|
Pass the Hash |
SCAN_UNCATEGORIZED |
|
Pass the Ticket |
SCAN_UNCATEGORIZED |
|
Password Cracking |
SCAN_UNCATEGORIZED |
|
Password Filter DLL |
SCAN_UNCATEGORIZED |
|
Password Guessing |
SCAN_UNCATEGORIZED |
|
Password Managers |
SCAN_UNCATEGORIZED |
|
Password Policy Discovery |
SCAN_UNCATEGORIZED |
|
Password Spraying |
SCAN_UNCATEGORIZED |
|
Patch System Image |
SCAN_UNCATEGORIZED |
|
Path Interception |
SCAN_UNCATEGORIZED |
|
Path Interception by PATH Environment Variable |
SCAN_UNCATEGORIZED |
|
Path Interception by Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
Path Interception by Unquoted Path |
SCAN_UNCATEGORIZED |
|
Peripheral Device Discovery |
SCAN_UNCATEGORIZED |
|
Permission Groups Discovery |
SCAN_UNCATEGORIZED |
|
Phishing |
SCAN_UNCATEGORIZED |
PHISHING |
Plist File Modification |
SCAN_UNCATEGORIZED |
|
Plist Modification |
SCAN_UNCATEGORIZED |
|
Pluggable Authentication Modules |
SCAN_UNCATEGORIZED |
|
Port Knocking |
SCAN_NETWORK |
|
Port Monitors |
SCAN_UNCATEGORIZED |
|
Portable Executable Injection |
SCAN_UNCATEGORIZED |
|
PowerShell |
SCAN_FILE |
|
PowerShell Profile |
SCAN_UNCATEGORIZED |
|
Pre-OS Boot |
SCAN_UNCATEGORIZED |
|
Premium SMS Toll Fraud |
SCAN_UNCATEGORIZED |
|
Prevent Application Removal |
SCAN_UNCATEGORIZED |
|
Print Processors |
SCAN_UNCATEGORIZED |
|
Private Keys |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Proc Filesystem |
SCAN_FILE |
ACL_VIOLATION |
Proc Memory |
SCAN_PROCESS |
|
Process Argument Spoofing |
SCAN_PROCESS |
|
Process Discovery |
SCAN_UNCATEGORIZED |
|
Process Doppelgänging |
SCAN_PROCESS |
|
Process Hollowing |
SCAN_PROCESS |
|
Process Injection |
SCAN_PROCESS |
|
Protected User Data |
SCAN_UNCATEGORIZED |
|
Protocol Impersonation |
SCAN_NETWORK |
|
Protocol Tunneling |
SCAN_NETWORK |
|
Proxy |
SCAN_NETWORK |
|
Proxy Through Victim |
SCAN_UNCATEGORIZED |
|
Ptrace System Calls |
SCAN_PROCESS |
|
PubPrn |
SCAN_FILE |
|
PUP |
SCAN_UNCATEGORIZED |
|
Python |
SCAN_FILE |
|
Query Registry |
SCAN_UNCATEGORIZED |
|
RC Scripts |
SCAN_UNCATEGORIZED |
|
Rc.common |
SCAN_PROCESS |
|
Re-opened Applications |
SCAN_UNCATEGORIZED |
|
Reduce Key Space |
SCAN_UNCATEGORIZED |
|
Redundant Access |
SCAN_UNCATEGORIZED |
|
Reflection Amplification |
SCAN_NETWORK |
|
Reflective Code Loading |
SCAN_UNCATEGORIZED |
|
Registry Run Keys / Startup Folder |
SCAN_UNCATEGORIZED |
|
Regsvcs/Regasm |
SCAN_UNCATEGORIZED |
|
Regsvr32 |
SCAN_UNCATEGORIZED |
|
Remote Access Software |
SCAN_NETWORK |
|
Remote Access Tools |
SCAN_NETWORK |
|
Remote Data Staging |
SCAN_UNCATEGORIZED |
|
Remote Device Management Services |
SCAN_UNCATEGORIZED |
|
Remote Email Collection |
SCAN_UNCATEGORIZED |
|
Remote File Copy |
SCAN_FILE |
DATA_EXFILTRATION |
Remote System Discovery |
SCAN_NETWORK |
|
Remotely Track Device Without Authorization |
SCAN_NETWORK |
|
Remotely Wipe Data Without Authorization |
SCAN_NETWORK |
|
Rename System Utilities |
SCAN_UNCATEGORIZED |
|
Replication Through Removable Media |
SCAN_UNCATEGORIZED |
EXPLOIT |
Resource Forking |
SCAN_FILE |
|
Resource Hijacking |
SCAN_UNCATEGORIZED |
|
Reversible Encryption |
SCAN_UNCATEGORIZED |
|
Revert Cloud Instance |
SCAN_UNCATEGORIZED |
|
Right-to-Left Override |
SCAN_UNCATEGORIZED |
|
Rogue Cellular Base Station |
SCAN_NETWORK |
|
Rogue Domain Controller |
SCAN_UNCATEGORIZED |
|
Rogue Wi-Fi Access Points |
SCAN_NETWORK |
|
ROMMONkit |
SCAN_UNCATEGORIZED |
|
Rootkit |
SCAN_UNCATEGORIZED |
|
Run Virtual Instance |
SCAN_UNCATEGORIZED |
|
Rundll32 |
SCAN_FILE |
|
Runtime Data Manipulation |
SCAN_UNCATEGORIZED |
|
Safe Mode Boot |
SCAN_UNCATEGORIZED |
|
SAML Tokens |
SCAN_UNCATEGORIZED |
|
Scheduled Task |
SCAN_UNCATEGORIZED |
|
Scheduled Task/Job |
SCAN_UNCATEGORIZED |
|
Scheduled Transfer |
SCAN_NETWORK |
|
Screen Capture |
SCAN_UNCATEGORIZED |
|
Screensaver |
SCAN_UNCATEGORIZED |
|
Scripting |
SCAN_FILE |
|
Security Account Manager |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Security Software Discovery |
SCAN_UNCATEGORIZED |
|
Security Support Provider |
SCAN_UNCATEGORIZED |
|
Securityd Memory |
SCAN_UNCATEGORIZED |
|
Sensor-based ML |
SCAN_UNCATEGORIZED |
|
Server Software Component |
SCAN_UNCATEGORIZED |
|
Service Execution |
SCAN_FILE |
|
Service Exhaustion Flood |
SCAN_NETWORK |
NETWORK_DENIAL_OF_SERVICE |
Service Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Service Stop |
SCAN_UNCATEGORIZED |
|
Services File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Services Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Setuid and Setgid |
SCAN_UNCATEGORIZED |
EXPLOIT |
Shared Modules |
SCAN_UNCATEGORIZED |
|
Sharepoint |
SCAN_UNCATEGORIZED |
|
Shortcut Modification |
SCAN_UNCATEGORIZED |
|
SID-History Injection |
SCAN_UNCATEGORIZED |
|
Signed Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
Signed Script Proxy Execution |
SCAN_UNCATEGORIZED |
|
Silver Ticket |
SCAN_UNCATEGORIZED |
|
SIM Card Swap |
SCAN_NETWORK |
|
SIP and Trust Provider Hijacking |
SCAN_UNCATEGORIZED |
|
SMS Control |
SCAN_UNCATEGORIZED |
|
SMS Messages |
SCAN_UNCATEGORIZED |
|
SNMP (MIB Dump) |
SCAN_UNCATEGORIZED |
|
Software Deployment Tools |
SCAN_UNCATEGORIZED |
|
Software Discovery |
SCAN_UNCATEGORIZED |
|
Software Packing |
SCAN_UNCATEGORIZED |
|
Source |
SCAN_UNCATEGORIZED |
|
Space after Filename |
SCAN_FILE |
|
Spearphishing Attachment |
SCAN_FILE |
EXPLOIT |
Spearphishing Link |
SCAN_NETWORK |
EXPLOIT |
Spearphishing via Service |
SCAN_UNCATEGORIZED |
|
SQL Stored Procedures |
SCAN_UNCATEGORIZED |
|
SSH Authorized Keys |
SCAN_UNCATEGORIZED |
|
Standard Application Layer Protocol |
SCAN_NETWORK |
|
Standard Cryptographic Protocol |
SCAN_NETWORK |
|
Standard Encoding |
SCAN_NETWORK |
|
Standard Non-Application Layer Protocol |
SCAN_NETWORK |
|
Startup Items |
SCAN_UNCATEGORIZED |
|
Steal Application Access Token |
SCAN_UNCATEGORIZED |
|
Steal or Forge Kerberos Tickets |
SCAN_UNCATEGORIZED |
|
Steal Web Session Cookie |
SCAN_UNCATEGORIZED |
|
Steganography |
SCAN_UNCATEGORIZED |
|
Stored Application Data |
SCAN_UNCATEGORIZED |
|
Stored Data Manipulation |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Subvert Trust Controls |
SCAN_UNCATEGORIZED |
|
Sudo |
SCAN_UNCATEGORIZED |
|
Sudo and Sudo Caching |
SCAN_UNCATEGORIZED |
|
Sudo Caching |
SCAN_UNCATEGORIZED |
|
Supply Chain Compromise |
SCAN_UNCATEGORIZED |
|
Suppress Application Icon |
SCAN_UNCATEGORIZED |
|
Suspicious Activity |
SCAN_UNCATEGORIZED |
|
Symmetric Cryptography |
SCAN_NETWORK |
|
System Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
System Checks |
SCAN_UNCATEGORIZED |
|
System Firmware |
SCAN_UNCATEGORIZED |
|
System Information Discovery |
SCAN_UNCATEGORIZED |
|
System Language Discovery |
SCAN_UNCATEGORIZED |
|
System Location Discovery |
SCAN_UNCATEGORIZED |
|
System Network Configuration Discovery |
SCAN_NETWORK |
|
System Network Connections Discovery |
SCAN_NETWORK |
|
System Owner/User Discovery |
SCAN_UNCATEGORIZED |
|
System Runtime API Hijacking |
SCAN_UNCATEGORIZED |
|
System Script Proxy Execution |
SCAN_FILE |
|
System Service Discovery |
SCAN_UNCATEGORIZED |
|
System Services |
SCAN_UNCATEGORIZED |
|
System Shutdown/Reboot |
SCAN_UNCATEGORIZED |
|
System Time Discovery |
SCAN_UNCATEGORIZED |
|
Systemd Service |
SCAN_UNCATEGORIZED |
|
Systemd Timers |
SCAN_UNCATEGORIZED |
|
Template Injection |
SCAN_UNCATEGORIZED |
EXPLOIT |
Terminal Services DLL |
SCAN_UNCATEGORIZED |
|
TFTP Boot |
SCAN_NETWORK |
|
Third-party Software |
SCAN_UNCATEGORIZED |
|
Thread Execution Hijacking |
SCAN_UNCATEGORIZED |
|
Thread Local Storage |
SCAN_UNCATEGORIZED |
|
Time Based Evasion |
SCAN_UNCATEGORIZED |
|
Time Providers |
SCAN_UNCATEGORIZED |
|
Timestamp |
SCAN_UNCATEGORIZED |
|
Token Impersonation/Theft |
SCAN_UNCATEGORIZED |
|
Traffic Duplication |
SCAN_NETWORK |
|
Traffic Signaling |
SCAN_NETWORK |
|
Transfer Data to Cloud Account |
SCAN_NETWORK |
|
Transmitted Data Manipulation |
SCAN_UNCATEGORIZED |
|
Transport Agent |
SCAN_UNCATEGORIZED |
|
Trap |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities Proxy Execution |
SCAN_UNCATEGORIZED |
|
Trusted Relationship |
SCAN_UNCATEGORIZED |
EXPLOIT |
Two-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Uncommonly Used Port |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
Uninstall Malicious Application |
SCAN_UNCATEGORIZED |
|
Unix Shell |
SCAN_FILE |
|
Unix Shell Configuration Modification |
SCAN_UNCATEGORIZED |
|
Unsecured Credentials |
SCAN_FILE |
ACL_VIOLATION |
Unused/Unsupported Cloud Regions |
SCAN_UNCATEGORIZED |
|
URI Hijacking |
SCAN_UNCATEGORIZED |
|
URL Scheme Hijacking |
SCAN_UNCATEGORIZED |
|
Use Alternate Authentication Material |
SCAN_UNCATEGORIZED |
|
User Activity Based Checks |
SCAN_UNCATEGORIZED |
|
User Evasion |
SCAN_UNCATEGORIZED |
|
User Execution |
SCAN_FILE |
|
Valid Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
VBA Stomping |
SCAN_UNCATEGORIZED |
|
VDSO Hijacking |
SCAN_UNCATEGORIZED |
|
Verclsid |
SCAN_UNCATEGORIZED |
|
Video Capture |
SCAN_UNCATEGORIZED |
|
Virtualization/Sandbox Evasion |
SCAN_UNCATEGORIZED |
|
Visual Basic |
SCAN_UNCATEGORIZED |
|
Weaken Encryption |
SCAN_UNCATEGORIZED |
|
Web Cookies |
SCAN_UNCATEGORIZED |
|
Web Portal Capture |
SCAN_UNCATEGORIZED |
|
Web Protocols |
SCAN_NETWORK |
|
Web Service |
SCAN_NETWORK |
|
Web Session Cookie |
SCAN_NETWORK |
|
Web Shell |
SCAN_UNCATEGORIZED |
|
Windows Command Shell |
SCAN_UNCATEGORIZED |
|
Windows Credential Manager |
SCAN_UNCATEGORIZED |
|
Windows File and Directory Permissions Modification |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation Event Subscription |
SCAN_UNCATEGORIZED |
|
Windows Remote Management |
SCAN_UNCATEGORIZED |
|
Windows Service |
SCAN_UNCATEGORIZED |
|
Winlogon Helper DLL |
SCAN_UNCATEGORIZED |
|
XDG Autostart Entries |
SCAN_UNCATEGORIZED |
|
XPC Services |
SCAN_UNCATEGORIZED |
|
XSL Script Processing |
SCAN_FILE |
|
Referenz für die Feldzuordnung: CS_DETECTS
In der folgenden Tabelle sind die Protokollfelder desCS_DETECTS
-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.
Log field | UDM mapping | Logic |
---|---|---|
date_updated |
about.labels [date_updated] |
|
q |
about.labels [q] |
|
cid |
about.resource.product_object_id |
|
cid |
metadata.product_deployment_id |
|
|
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION . |
behaviors.timestamp |
about.labels [behavior_timestamp] |
|
behaviors.description |
metadata.description |
|
first_behavior |
metadata.event_timestamp |
|
created_timestamp |
metadata.collected_timestamp |
|
detection_id |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Falcon . |
url_back_to_product |
metadata.url_back_to_product |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Crowdstrike . |
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_flags] |
|
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_time] |
|
device.agent_version |
principal.asset.attribute.labels [agent_version] |
|
device.bios_manufacturer |
principal.asset.attribute.labels [bios_manufacturer] |
|
device.bios_version |
principal.asset.attribute.labels [bios_version] |
|
device.config_id_base |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_build |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_platform |
principal.asset.attribute.labels [device_config_id_platform] |
|
device.cpu_signature |
principal.asset.attribute.labels [device_cpu_signature] |
|
device.groups |
principal.asset.attribute.labels [device_groups] |
|
device.instance_id |
principal.asset.attribute.labels [device_instance_id] |
|
device.last_seen |
principal.asset.attribute.labels [device_last_seen] |
|
device.major_version |
principal.asset.attribute.labels [device_major_version] |
|
device.minor_version |
principal.asset.attribute.labels [device_minor_version] |
|
device.modified_timestamp |
principal.asset.attribute.labels [device_modified_timestamp] |
|
device.ou |
principal.asset.attribute.labels [device_ou] |
|
device.platform_id |
principal.asset.attribute.labels [device_platform_id] |
|
device.product_type |
principal.asset.attribute.labels [device_product_type] |
|
device.reduced_functionality_mode |
principal.asset.attribute.labels [device_reduced_functionality_mode] |
|
device.service_provider_account_id |
principal.asset.attribute.labels [device_service_provider_account_id] |
|
device.service_provider |
principal.asset.attribute.labels [device_service_provider] |
|
device.site_name |
principal.asset.attribute.labels [device_site_name] |
|
device.status |
principal.asset.attribute.labels [device_status] |
|
device.first_seen |
principal.asset.first_seen_time |
|
device.system_manufacturer |
principal.asset.hardware.manufacturer |
|
device.serial_number |
principal.asset.hardware.serial_number |
|
device.hostname |
principal.hostname |
|
device.platform_name |
principal.asset.platform_software.platform |
If the device.platform_name log field value matches the regular expression pattern Windows , then the target.asset.platform_software.platform UDM field is set to WINDOWS . |
device.system_product_name |
principal.asset.platform_software.platform_version |
|
device.device_id |
principal.asset_id |
|
device.product_type_desc |
principal.asset.type |
If the device.product_type_desc log field value matches the regular expression pattern (?i)(Computer or Workstation) , then the principal.asset.type UDM field is set to WORKSTATION .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Server , then the principal.asset.type UDM field is set to SERVER .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Mobile , then the principal.asset.type UDM field is set to MOBILE .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)iot , then the principal.asset.type UDM field is set to IOT .Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
first_behavior |
principal.asset.vulnerabilities.first_found |
|
last_behavior |
principal.asset.vulnerabilities.last_found |
|
device.machine_domain |
principal.domain.name |
|
device.release_group |
principal.group.group_display_name |
|
device.local_ip |
principal.ip |
|
device.mac_address |
principal.mac |
|
device.external_ip |
principal.nat_ip |
|
device.os_version |
principal.platform_version |
|
device.cid |
principal.resource.product_object_id |
|
behaviors.user_name |
principal.user.user_display_name |
|
behaviors.user_id |
principal.user.windows_sid |
|
quarantined_files.id |
security_result.about.file attributes |
|
email_sent |
security_result.about.labels [email_sent] |
|
assigned_to_name |
security_result.about.user.user_display_name |
|
behaviors.tactic_id |
security_result.attack_details.tactics.id |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.attack_details.tactics.name |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic_id |
security_result.rule_labels [behavior_tactic_id] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.rule_labels [behavior_tactic] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.technique_id |
security_result.attack_details.techniques.id |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique_id log field is mapped to the security_result.attack_details.techniques.id UDM field. |
behaviors.technique |
security_result.attack_details.techniques.name |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique log field is mapped to the security_result.attack_details.techniques.name UDM field. |
behaviors.technique_id |
security_result.rule_id |
|
behaviors.technique |
security_result.rule_name |
|
behaviors.scenario |
security_result.category |
|
behaviors.confidence |
security_result.confidence_details |
|
hostinfo.active_directory_dn_display |
security_result.detection_fields [active_directory_dn_display] |
|
adversary_ids |
security_result.detection_fields [adversary_ids] |
|
behaviors.ioc_description |
security_result.detection_fields [behavior_ioc_description] |
|
behaviors.ioc_source |
security_result.detection_fields [behavior_ioc_source] |
|
behaviors.behavior_id |
security_result.detection_fields [behaviors_behavior_id] |
|
behaviors.objective |
security_result.detection_fields [behaviors_objective] |
|
behaviors.pattern_disposition_details.blocking_unsupported_or_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_blocking_unsupported_or_disabled] |
|
behaviors.pattern_disposition_details.bootup_safeguard_enabled |
security_result.detection_fields [behaviors_pattern_disposition_details_bootup_safeguard_enabled] |
|
behaviors.pattern_disposition_details.critical_process_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_critical_process_disabled] |
|
behaviors.pattern_disposition_details.detect |
security_result.detection_fields [behaviors_pattern_disposition_details_detect] |
|
behaviors.pattern_disposition_details.fs_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_fs_operation_blocked] |
|
behaviors.pattern_disposition_details.handle_operation_downgraded |
security_result.detection_fields [behaviors_pattern_disposition_details_handle_operation_downgraded] |
|
behaviors.pattern_disposition_details.inddet_mask |
security_result.detection_fields [behaviors_pattern_disposition_details_inddet_mask] |
|
behaviors.pattern_disposition_details.indicator |
security_result.detection_fields [behaviors_pattern_disposition_details_indicator] |
|
behaviors.pattern_disposition_details.kill_action_failed |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_action_failed] |
|
behaviors.pattern_disposition_details.kill_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_parent] |
|
behaviors.pattern_disposition_details.kill_process |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_process] |
|
behaviors.pattern_disposition_details.kill_subprocess |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_subprocess] |
|
behaviors.pattern_disposition_details.operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_operation_blocked] |
|
behaviors.pattern_disposition_details.policy_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_policy_disabled] |
|
behaviors.pattern_disposition_details.process_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_process_blocked] |
|
behaviors.pattern_disposition_details.quarantine_file |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_file] |
|
behaviors.pattern_disposition_details.quarantine_machine |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_machine] |
|
behaviors.pattern_disposition_details.registry_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_registry_operation_blocked] |
|
behaviors.pattern_disposition_details.rooting |
security_result.detection_fields [behaviors_pattern_disposition_details_rooting] |
|
behaviors.pattern_disposition_details.sensor_only |
security_result.detection_fields [behaviors_pattern_disposition_details_sensor_only] |
|
behaviors.pattern_disposition_details.suspend_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_parent] |
|
behaviors.pattern_disposition_details.suspend_process |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_process] |
|
behaviors.pattern_disposition |
security_result.detection_fields [behaviors_pattern_disposition] |
If the behaviors.pattern_disposition log field value is equal to 0 , then the security_result.detection_fields.key/value UDM field is set to Detection, standard detection .Else, if the behaviors.pattern_disposition log field value is equal to 16 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process killed .Else, if the behaviors.pattern_disposition log field value is equal to 128 , then the security_result.detection_fields.key/value UDM field is mapped to the Detection/Quarantine, standard detection and quarantine was attempted .Else, if the behaviors.pattern_disposition log field value is equal to 272 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 512 , then the security_result.detection_fields.key/value UDM field is set to Prevention, parent process killed .Else, if the behaviors.pattern_disposition log field value is equal to 768 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 1024 , then the security_result.detection_fields.key/value UDM field is set to Prevention, operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 1280 , then the security_result.detection_fields.key/value UDM field is set to Detection, operation would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2048 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process blocked from execution .Else, if the behaviors.pattern_disposition log field value is equal to 2176 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2304 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 4096 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 4112 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked and context process killed .Else, if the behaviors.pattern_disposition log field value is equal to 4638 , then the security_result.detection_fields.key/value UDM field is set to Detection, registry operation would have been blocked and context process would have been killed if a prevention policy setting was enabled . |
behaviors_processed [] |
security_result.detection_fields [behaviors_processed] |
|
behaviors.control_graph_id |
security_result.detection_fields [control_graph_id] |
|
behaviors.control_graph_id |
security_result.detection_fields [tree_id] |
The tree_id field is extracted from the behaviors.control_graph_id log field using the Grok pattern, and the tree_id extracted field is mapped to the security_result.detection_fields UDM field. |
hostinfo.domain |
security_result.detection_fields [hostinfo_domain] |
|
max_confidence |
security_result.detection_fields [max_confidence] |
|
max_severity |
security_result.detection_fields [max_severity] |
|
overwatch_notes |
security_result.detection_fields [overwatch_notes] |
|
quarantined_files.paths |
security_result.detection_fields [quarantined_files_paths] |
|
quarantined_files.sha256 |
security_result.detection_fields [quarantined_files_sha256] |
|
quarantined_files.state |
security_result.detection_fields [quarantined_files_state] |
|
seconds_to_resolved |
security_result.detection_fields [seconds_to_resolved] |
|
seconds_to_triaged |
security_result.detection_fields [seconds_to_triaged] |
|
show_in_ui |
security_result.detection_fields [show_in_ui] |
|
status |
security_result.detection_fields [status] |
|
behaviors.template_instance_id |
security_result.detection_fields [template_instance_id] |
|
behaviors.triggering_process_graph_id |
security_result.detection_fields [triggering_process_graph_id] |
|
behaviors.rule_instance_id |
security_result.rule_labels [rule_instance_id] |
|
behaviors.rule_instance_version |
security_result.rule_labels [rule_instance_version] |
|
max_severity_displayname |
security_result.severity |
If the max_severity_displayname log field value matches the regular expression pattern (?i)Low , then the security_result.severity UDM field is set to LOW .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Informational , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Medium , then the security_result.severity UDM field is set to MEDIUM .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)High , then the security_result.severity UDM field is set to HIGH .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Critical , then the security_result.severity UDM field is set to CRITICAL .Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
behaviors.severity |
security_result.severity_details |
|
behaviors.display_name |
security_result.summary |
|
behaviors.ioc_type |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
behaviors.ioc_value |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
|
target.file.full_path |
If the behaviors.filepath log field value is equal to System , then the behaviors.ioc_description log field is mapped to the target.file.full_path UDM field.Else, the behaviors.filepath log field is mapped to the target.file.full_path UDM field. |
behaviors.alleged_filetype |
target.file.mime_type |
|
behaviors.filename |
target.file.names |
|
behaviors.sha256 |
target.file.sha256 |
If the behavior.sha256 log field value is not equal to empty or N/A , then the behavior.sha256 log field is mapped to the target.file.sha256 UDM field. |
behaviors.cmdline |
target.process.command_line |
|
behaviors.md5 |
target.process.file.md5 |
If the behavior.md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.md5 log field is mapped to the target.process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_md5 and the behavior.md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_cmdline |
target.process.parent_process.command_line |
|
behaviors.parent_details.parent_md5 |
target.process.parent_process.file.md5 |
If the behavior.parent_details.parent_md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.parent_details.parent_md5 log field is mapped to the target.process.parent_process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_parent_details_parent_md5 and the behavior.parent_details.parent_md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_sha256 |
target.process.parent_process.file.sha256 |
If the behavior.parent_details.parent_sha256 log field value is not equal to empty or N/A , then the behavior.parent_details.parent_sha256 log field is mapped to the target.process.parent_process.file.sha256 UDM field. |
behaviors.parent_details.parent_process_id |
target.process.parent_process.pid |
|
behaviors.parent_details.parent_process_graph_id |
target.process.parent_process.product_specific_process_id |
|
behaviors.triggering_process_id |
target.process.pid |
|
behaviors.device_id |
|
Contains same value as device.device_id . Hence, this field is not mapped. |