Collect CrowdStrike Detection logs

Supported in:

This document describes how you can export CrowdStrike Detection logs to Google Security Operations through Google Security Operations feed, and how CrowdStrike Detection fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of CrowdStrike and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product from which you collect logs.

  • CrowdStrike feed. The CrowdStrike feed that fetches logs from CrowdStrike and writes logs to Google SecOps.

  • Google Security Operations: Retains and analyzes the CrowdStrike Detection logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CS_DETECTS ingestion label.

Before you begin

  • Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone

  • Ensure that the device is running on a supported operating system.

    • The OS must be running on a 64-bit server. Microsoft Windows server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor versions 6.51 or later.
    • Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support installed on their devices.

  • Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.

Configure CrowdStrike to ingest logs

To set up an ingestion feed, follow these steps:

  1. Create a new API client key pair at CrowdStrike Falcon. This key pair reads events and supplementary information from CrowdStrike Falcon.
  2. Provide READ permission to Detections while creating the key pair.

Configure a feed in Google Security Operations to ingest CrowdStrike Detection logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter a unique name for the Field Name.
  4. Select Third party API as the Source Type.
  5. Select CrowdStrike Detection Monitoring as the Log Type.
  6. Click Next.
  7. Configure the following mandatory input parameters:
    • OAuth Token Endpoint: specify the endpoint.
    • OAuth Client ID: specify the client ID that you obtained previously.
    • OAuth Client Secret: specify the client secret that you obtained previously.
    • Base URL: specify the Base URL.
  8. Click Next and then click Submit.

Field mapping reference

This section explains how the Google Security Operations parser maps CrowdStrike Detection fields to Google Security Operations Unified Data Model (UDM) fields. The following table lists the CS_DETECTS event identifiers and their corresponding UDM event types.

Event Identifier Event Type Security Category
.bash_profile and .bashrc SCAN_FILE
/etc/passwd and /etc/shadow SCAN_UNCATEGORIZED
Abuse Accessibility Features SCAN_UNCATEGORIZED
Abuse Device Administrator Access to Prevent Removal SCAN_UNCATEGORIZED
Abuse Elevation Control Mechanism SCAN_UNCATEGORIZED
Access Calendar Entries SCAN_UNCATEGORIZED
Access Call Log SCAN_UNCATEGORIZED
Access Contact List SCAN_UNCATEGORIZED
Access Notifications SCAN_UNCATEGORIZED
Access Sensitive Data in Device Logs SCAN_UNCATEGORIZED
Access Stored Application Data SCAN_UNCATEGORIZED
Access Token Manipulation SCAN_UNCATEGORIZED
Accessibility Features SCAN_UNCATEGORIZED
Account Access Removal SCAN_UNCATEGORIZED
Account Discovery SCAN_UNCATEGORIZED
Account Manipulation SCAN_UNCATEGORIZED
Active Setup SCAN_UNCATEGORIZED
Add Office 365 Global Administrator Role SCAN_UNCATEGORIZED
Add-ins SCAN_UNCATEGORIZED
Additional Azure Service Principal Credentials SCAN_UNCATEGORIZED
Additional Cloud Credentials SCAN_UNCATEGORIZED
Additional Cloud Roles SCAN_UNCATEGORIZED
Additional Email Delegate Permissions SCAN_UNCATEGORIZED
Adversary-in-the-Middle SCAN_UNCATEGORIZED
Adware SCAN_UNCATEGORIZED
Adware/PUP SCAN_PROCESS
Alternate Network Mediums SCAN_NETWORK
Android Intent Hijacking SCAN_UNCATEGORIZED
App Auto-Start at Device Boot SCAN_UNCATEGORIZED
AppCert DLLs SCAN_UNCATEGORIZED
AppInit DLLs SCAN_UNCATEGORIZED
AppleScript SCAN_FILE
Application Access Token SCAN_UNCATEGORIZED
Application Discovery SCAN_UNCATEGORIZED
Application Exhaustion Flood SCAN_UNCATEGORIZED
Application Layer Protocol SCAN_NETWORK
Application or System Exploitation SCAN_UNCATEGORIZED
Application Shimming SCAN_UNCATEGORIZED
Application Window Discovery SCAN_UNCATEGORIZED
Archive Collected Data SCAN_UNCATEGORIZED
Archive via Custom Method SCAN_UNCATEGORIZED
Archive via Library SCAN_FILE DATA_EXFILTRATION
Archive via Utility SCAN_UNCATEGORIZED
ARP Cache Poisoning SCAN_NETWORK
AS-REP Roasting SCAN_UNCATEGORIZED
Asymmetric Cryptography SCAN_NETWORK
Asynchronous Procedure Call SCAN_PROCESS EXPLOIT
At SCAN_UNCATEGORIZED
At (Linux) SCAN_UNCATEGORIZED
At (Windows) SCAN_UNCATEGORIZED
Attack PC via USB Connection SCAN_UNCATEGORIZED
Attributed to Adversary SCAN_UNCATEGORIZED
Audio Capture SCAN_UNCATEGORIZED
Authentication Package SCAN_UNCATEGORIZED
Automated Collection SCAN_UNCATEGORIZED
Automated Exfiltration SCAN_UNCATEGORIZED EXPLOIT
Bad device settings SCAN_HOST
Bash History SCAN_UNCATEGORIZED
Bidirectional Communication SCAN_NETWORK
Binary Padding SCAN_UNCATEGORIZED
BITS Jobs SCAN_UNCATEGORIZED
Boot or Logon Autostart Execution SCAN_UNCATEGORIZED
Boot or Logon Initialization Scripts SCAN_UNCATEGORIZED
Bootkit SCAN_UNCATEGORIZED
Broadcast Receivers SCAN_UNCATEGORIZED
Browser Bookmark Discovery SCAN_UNCATEGORIZED
Browser Exploit SCAN_UNCATEGORIZED EXPLOIT
Browser Extensions SCAN_UNCATEGORIZED
Browser Session Hijacking SCAN_UNCATEGORIZED
Brute Force SCAN_UNCATEGORIZED
Build Image on Host SCAN_UNCATEGORIZED
Bypass Monitoring SCAN_HOST
Bypass User Access Control SCAN_UNCATEGORIZED
Bypass User Account Control SCAN_UNCATEGORIZED
Cached Domain Credentials SCAN_UNCATEGORIZED
Calendar Entries SCAN_UNCATEGORIZED
Call Control SCAN_UNCATEGORIZED ACL_VIOLATION
Call Log SCAN_UNCATEGORIZED
Capture Audio SCAN_UNCATEGORIZED
Capture Camera SCAN_UNCATEGORIZED
Capture Clipboard Data SCAN_UNCATEGORIZED
Capture SMS Messages SCAN_UNCATEGORIZED
Carrier Billing Fraud SCAN_UNCATEGORIZED
Change Default File Association SCAN_FILE
Clear Command History SCAN_UNCATEGORIZED
Clear Linux or Mac System Logs SCAN_UNCATEGORIZED
Clear Windows Event Logs SCAN_UNCATEGORIZED
Clipboard Data SCAN_UNCATEGORIZED
Clipboard Modification SCAN_UNCATEGORIZED
Cloud Account SCAN_UNCATEGORIZED ACL_VIOLATION
Cloud Accounts SCAN_UNCATEGORIZED ACL_VIOLATION
Cloud Groups SCAN_NETWORK
Cloud Infrastructure Discovery SCAN_NETWORK
Cloud Instance Metadata API SCAN_UNCATEGORIZED ACL_VIOLATION
Cloud Service Dashboard SCAN_NETWORK
Cloud Service Discovery SCAN_NETWORK
Cloud Storage Object Discovery SCAN_NETWORK
Cloud-based ML SCAN_UNCATEGORIZED
CMSTP SCAN_UNCATEGORIZED
Code Injection SCAN_UNCATEGORIZED
Code Repositories SCAN_UNCATEGORIZED
Code Signing SCAN_UNCATEGORIZED
Code Signing Policy Modification SCAN_UNCATEGORIZED
Command and Scripting Interpreter SCAN_FILE
Command-Line Interface SCAN_UNCATEGORIZED
Commonly Used Port SCAN_NETWORK
Communication Through Removable Media SCAN_NETWORK
Compile After Delivery SCAN_FILE
Compiled HTML File SCAN_FILE
Component Firmware SCAN_UNCATEGORIZED
Component Object Model SCAN_UNCATEGORIZED
Component Object Model and Distributed COM SCAN_UNCATEGORIZED
Component Object Model Hijacking SCAN_UNCATEGORIZED
Compromise Application Executable SCAN_UNCATEGORIZED
Compromise Client Software Binary SCAN_UNCATEGORIZED
Compromise Hardware Supply Chain SCAN_UNCATEGORIZED
Compromise Software Dependencies and Development Tools SCAN_UNCATEGORIZED
Compromise Software Supply Chain SCAN_UNCATEGORIZED
Confluence SCAN_UNCATEGORIZED
Connection Proxy SCAN_NETWORK
Contact List SCAN_UNCATEGORIZED
Container Administration Command SCAN_UNCATEGORIZED
Container and Resource Discovery SCAN_NETWORK
Container API SCAN_UNCATEGORIZED ACL_VIOLATION
Container Orchestration Job SCAN_UNCATEGORIZED
Control Panel SCAN_UNCATEGORIZED
Control Panel Items SCAN_UNCATEGORIZED
COR_PROFILER SCAN_UNCATEGORIZED
Create Account SCAN_UNCATEGORIZED
Create Cloud Instance SCAN_UNCATEGORIZED
Create or Modify System Process SCAN_PROCESS
Create Process with Token SCAN_PROCESS
Create Snapshot SCAN_UNCATEGORIZED
Credential API Hooking SCAN_UNCATEGORIZED
Credential Dumping SCAN_UNCATEGORIZED
Credential Stuffing SCAN_UNCATEGORIZED
Credentials from Password Store SCAN_UNCATEGORIZED
Credentials from Password Stores SCAN_UNCATEGORIZED
Credentials from Web Browsers SCAN_FILE DATA_EXFILTRATION
Credentials In Files SCAN_FILE DATA_EXFILTRATION
Credentials in Registry SCAN_UNCATEGORIZED ACL_VIOLATION
Cron SCAN_UNCATEGORIZED
Custom Command and Control Protocol SCAN_NETWORK
Custom Cryptographic Protocol SCAN_NETWORK
Data Compressed SCAN_UNCATEGORIZED
Data Destruction SCAN_FILE
Data Encoding SCAN_NETWORK
Data Encrypted SCAN_UNCATEGORIZED
Data Encrypted for Impact SCAN_UNCATEGORIZED
Data from Cloud Storage Object SCAN_UNCATEGORIZED
Data from Configuration Repository SCAN_UNCATEGORIZED
Data from Information Repositories SCAN_UNCATEGORIZED
Data from Local System SCAN_UNCATEGORIZED
Data from Network Shared Drive SCAN_NETWORK
Data from Removable Media SCAN_UNCATEGORIZED
Data Manipulation SCAN_UNCATEGORIZED
Data Obfuscation SCAN_NETWORK
Data Staged SCAN_UNCATEGORIZED
Data Transfer Size Limits SCAN_UNCATEGORIZED
DCShadow SCAN_UNCATEGORIZED
DCSync SCAN_UNCATEGORIZED ACL_VIOLATION
Dead Drop Resolver SCAN_NETWORK
Debugger Evasion SCAN_UNCATEGORIZED
Defacement SCAN_UNCATEGORIZED
Default Accounts SCAN_UNCATEGORIZED ACL_VIOLATION
Delete Cloud Instance SCAN_UNCATEGORIZED
Delete Device Data SCAN_UNCATEGORIZED
Deliver Malicious App via Authorized App Store SCAN_UNCATEGORIZED
Deliver Malicious App via Other Means SCAN_UNCATEGORIZED
Deobfuscate/Decode Files or Information SCAN_FILE
Deploy Container SCAN_UNCATEGORIZED
Destructive Malware SCAN_UNCATEGORIZED
Device Administrator Permissions SCAN_UNCATEGORIZED
Device Lockout SCAN_UNCATEGORIZED
Device Registration SCAN_UNCATEGORIZED
DHCP Spoofing SCAN_NETWORK
Direct Network Flood SCAN_NETWORK
Direct Volume Access SCAN_UNCATEGORIZED
Disable Cloud Logs SCAN_UNCATEGORIZED
Disable Crypto Hardware SCAN_UNCATEGORIZED
Disable or Modify Cloud Firewall SCAN_NETWORK
Disable or Modify System Firewall SCAN_NETWORK
Disable or Modify Tools SCAN_UNCATEGORIZED
Disable Windows Event Logging SCAN_UNCATEGORIZED
Disabling Security Tools SCAN_UNCATEGORIZED
Disguise Root/Jailbreak Indicators SCAN_UNCATEGORIZED
Disk Content Wipe SCAN_UNCATEGORIZED
Disk Structure Wipe SCAN_UNCATEGORIZED
Disk Wipe SCAN_UNCATEGORIZED
DLL Search Order Hijacking SCAN_UNCATEGORIZED
DLL Side-Loading SCAN_UNCATEGORIZED
DNS SCAN_NETWORK
DNS Calculation SCAN_NETWORK
Domain Account SCAN_UNCATEGORIZED
Domain Accounts SCAN_UNCATEGORIZED ACL_VIOLATION
Domain Controller Authentication SCAN_UNCATEGORIZED
Domain Fronting SCAN_NETWORK
Domain Generation Algorithms SCAN_NETWORK
Domain Groups SCAN_UNCATEGORIZED
Domain Policy Modification SCAN_UNCATEGORIZED
Domain Trust Discovery SCAN_UNCATEGORIZED
Domain Trust Modification SCAN_UNCATEGORIZED
Double File Extension SCAN_FILE
Downgrade Attack SCAN_UNCATEGORIZED
Downgrade System Image SCAN_UNCATEGORIZED
Downgrade to Insecure Protocols SCAN_NETWORK
Download New Code at Runtime SCAN_UNCATEGORIZED
Drive-by Compromise SCAN_UNCATEGORIZED EXPLOIT
Dylib Hijacking SCAN_UNCATEGORIZED
Dynamic Data Exchange SCAN_UNCATEGORIZED
Dynamic Linker Hijacking SCAN_UNCATEGORIZED
Dynamic Resolution SCAN_NETWORK
Dynamic-link Library Injection SCAN_UNCATEGORIZED
Eavesdrop on Insecure Network Communication SCAN_NETWORK
Elevated Execution with Prompt SCAN_UNCATEGORIZED
Email Account SCAN_NETWORK
Email Collection SCAN_UNCATEGORIZED
Email Forwarding Rule SCAN_UNCATEGORIZED
Email Hiding Rules SCAN_UNCATEGORIZED
Emond SCAN_UNCATEGORIZED
Encrypted Channel SCAN_NETWORK
Endpoint Denial of Service SCAN_UNCATEGORIZED
Environmental Keying SCAN_UNCATEGORIZED
Escape to Host SCAN_UNCATEGORIZED
Evade Analysis Environment SCAN_UNCATEGORIZED
Event Triggered Execution SCAN_UNCATEGORIZED
Exchange Email Delegate Permissions SCAN_UNCATEGORIZED
Executable Installer File Permissions Weakness SCAN_UNCATEGORIZED
Execution Guardrails SCAN_UNCATEGORIZED
Execution through API SCAN_UNCATEGORIZED
Execution through Module Load SCAN_UNCATEGORIZED
Exfiltration Over Alternative Protocol SCAN_NETWORK EXPLOIT
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol SCAN_NETWORK
Exfiltration Over Bluetooth SCAN_UNCATEGORIZED
Exfiltration Over C2 Channel SCAN_NETWORK EXPLOIT
Exfiltration Over Command and Control Channel SCAN_NETWORK
Exfiltration Over Other Network Medium SCAN_NETWORK
Exfiltration Over Physical Medium SCAN_UNCATEGORIZED
Exfiltration Over Symmetric Encrypted Non-C2 Protocol SCAN_NETWORK
Exfiltration Over Unencrypted Non-C2 Protocol SCAN_NETWORK EXPLOIT
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol SCAN_NETWORK
Exfiltration over USB SCAN_UNCATEGORIZED
Exfiltration Over Web Service SCAN_NETWORK
Exfiltration to Cloud Storage SCAN_UNCATEGORIZED
Exfiltration to Code Repository SCAN_NETWORK
Exploit Enterprise Resources SCAN_NETWORK
Exploit Mitigation SCAN_UNCATEGORIZED EXPLOIT
Exploit OS Vulnerability SCAN_UNCATEGORIZED EXPLOIT
Exploit Public-Facing Application SCAN_UNCATEGORIZED EXPLOIT
Exploit SS7 to Redirect Phone Calls/SMS SCAN_NETWORK EXPLOIT
Exploit SS7 to Track Device Location SCAN_NETWORK EXPLOIT
Exploit TEE Vulnerability SCAN_UNCATEGORIZED EXPLOIT
Exploit via Charging Station or PC SCAN_UNCATEGORIZED EXPLOIT
Exploit via Radio Interfaces SCAN_UNCATEGORIZED EXPLOIT
Exploitation for Client Execution SCAN_UNCATEGORIZED EXPLOIT
Exploitation for Credential Access SCAN_UNCATEGORIZED EXPLOIT
Exploitation for Defense Evasion SCAN_UNCATEGORIZED EXPLOIT
Exploitation for Privilege Escalation SCAN_UNCATEGORIZED EXPLOIT
Exploitation of Remote Services SCAN_NETWORK EXPLOIT
External Defacement SCAN_UNCATEGORIZED
External Proxy SCAN_NETWORK
External Remote Services SCAN_UNCATEGORIZED
Extra Window Memory Injection SCAN_UNCATEGORIZED
Fallback Channels SCAN_NETWORK
Fast Flux DNS SCAN_NETWORK
File and Directory Discovery SCAN_FILE
File and Directory Permissions Modification SCAN_FILE ACL_VIOLATION
File Deletion SCAN_FILE DATA_DESTRUCTION
File System Logical Offsets SCAN_FILE
File System Permissions Weakness SCAN_UNCATEGORIZED
File Transfer Protocols SCAN_FILE DATA_EXFILTRATION
Firmware Corruption SCAN_UNCATEGORIZED
Forced Authentication SCAN_UNCATEGORIZED
Foreground Persistence SCAN_UNCATEGORIZED
Forge Web Credentials SCAN_UNCATEGORIZED
Gatekeeper Bypass SCAN_UNCATEGORIZED
Generate Fraudulent Advertising Revenue SCAN_UNCATEGORIZED
Generate Traffic from Victim SCAN_UNCATEGORIZED
Geofencing SCAN_UNCATEGORIZED
Golden Ticket SCAN_UNCATEGORIZED
Graphical User Interface SCAN_UNCATEGORIZED
Group Policy Discovery SCAN_UNCATEGORIZED
Group Policy Modification SCAN_UNCATEGORIZED
Group Policy Preferences SCAN_UNCATEGORIZED ACL_VIOLATION
GUI Input Capture SCAN_UNCATEGORIZED
Hardware Additions SCAN_NETWORK
Hidden File System SCAN_UNCATEGORIZED
Hidden Files and Directories SCAN_FILE
Hidden Users SCAN_UNCATEGORIZED
Hidden Window SCAN_UNCATEGORIZED
Hide Artifacts SCAN_UNCATEGORIZED
Hijack Execution Flow SCAN_UNCATEGORIZED
HISTCONTROL SCAN_UNCATEGORIZED
Hooking SCAN_UNCATEGORIZED
HTML Smuggling SCAN_UNCATEGORIZED
Hypervisor SCAN_UNCATEGORIZED
IIS Components SCAN_UNCATEGORIZED
Image File Execution Options Injection SCAN_UNCATEGORIZED
Impair Command History Logging SCAN_UNCATEGORIZED
Impair Defenses SCAN_UNCATEGORIZED
Impersonate SS7 Nodes SCAN_UNCATEGORIZED
Implant Container Image SCAN_UNCATEGORIZED
Implant Internal Image SCAN_UNCATEGORIZED
Indicator Blocking SCAN_UNCATEGORIZED
Indicator of Compromise SCAN_UNCATEGORIZED
Indicator Removal from Tools SCAN_UNCATEGORIZED
Indicator Removal on Host SCAN_UNCATEGORIZED
Indirect Command Execution SCAN_UNCATEGORIZED
Ingress Tool Transfer SCAN_FILE DATA_EXFILTRATION
Inhibit System Recovery SCAN_UNCATEGORIZED
Input Capture SCAN_UNCATEGORIZED
Input Injection SCAN_UNCATEGORIZED
Input Prompt SCAN_UNCATEGORIZED
Install Insecure or Malicious Configuration SCAN_UNCATEGORIZED
Install Root Certificate SCAN_FILE
InstallUtil SCAN_UNCATEGORIZED
Intelligence Indicator - Domain SCAN_NETWORK
Intelligence Indicator - Hash SCAN_FILE
Intelligence Indicator - IP SCAN_NETWORK
Inter-Process Communication SCAN_PROCESS
Internal Defacement SCAN_UNCATEGORIZED
Internal Proxy SCAN_NETWORK
Internet Connection Discovery SCAN_NETWORK
Invalid Code Signature SCAN_UNCATEGORIZED
Jamming or Denial of Service SCAN_NETWORK
JavaScript SCAN_FILE
JavaScript/JScript SCAN_FILE
Junk Data SCAN_NETWORK
Kerberoasting SCAN_UNCATEGORIZED
Kernel Modules and Extensions SCAN_UNCATEGORIZED
KernelCallbackTable SCAN_UNCATEGORIZED
Keychain SCAN_UNCATEGORIZED
Keylogging SCAN_UNCATEGORIZED
Known Hash SCAN_FILE
Launch Agent SCAN_UNCATEGORIZED
Launch Daemon SCAN_UNCATEGORIZED
Launchctl SCAN_PROCESS
Launchd SCAN_UNCATEGORIZED
LC_LOAD_DYLIB Addition SCAN_UNCATEGORIZED
LC_MAIN Hijacking SCAN_UNCATEGORIZED
LD_PRELOAD SCAN_UNCATEGORIZED
Linux and Mac File and Directory Permissions Modification SCAN_FILE ACL_VIOLATION
ListPlanting SCAN_UNCATEGORIZED
LLMNR/NBT-NS Poisoning and Relay SCAN_UNCATEGORIZED
LLMNR/NBT-NS Poisoning and SMB Relay SCAN_NETWORK
Local Account SCAN_UNCATEGORIZED
Local Accounts SCAN_UNCATEGORIZED ACL_VIOLATION
Local Data Staging SCAN_UNCATEGORIZED
Local Email Collection SCAN_UNCATEGORIZED
Local Groups SCAN_UNCATEGORIZED
Local Job Scheduling SCAN_UNCATEGORIZED
Location Tracking SCAN_UNCATEGORIZED
Lockscreen Bypass SCAN_UNCATEGORIZED EXPLOIT
Login Hook SCAN_UNCATEGORIZED
Login Item SCAN_UNCATEGORIZED
Login Items SCAN_UNCATEGORIZED
Logon Script (Mac) SCAN_UNCATEGORIZED
Logon Script (Windows) SCAN_UNCATEGORIZED
Logon Scripts SCAN_UNCATEGORIZED
LSA Secrets SCAN_UNCATEGORIZED
LSASS Driver SCAN_UNCATEGORIZED
LSASS Memory SCAN_UNCATEGORIZED
Mail Protocols SCAN_NETWORK
Make and Impersonate Token SCAN_UNCATEGORIZED
Malicious Activity SCAN_UNCATEGORIZED
Malicious File SCAN_FILE
Malicious Image SCAN_FILE
Malicious Link SCAN_NETWORK
Malicious Tool Delivery SCAN_UNCATEGORIZED
Malicious Tool Execution SCAN_PROCESS
Man in the Browser SCAN_NETWORK
Man-in-the-Middle SCAN_NETWORK
Manipulate App Store Rankings or Ratings SCAN_UNCATEGORIZED
Manipulate Device Communication SCAN_NETWORK
Mark-of-the-Web Bypass SCAN_UNCATEGORIZED
Masquerade as Legitimate Application SCAN_UNCATEGORIZED
Masquerade Task or Service SCAN_UNCATEGORIZED
Masquerading SCAN_UNCATEGORIZED
Match Legitimate Name or Location SCAN_UNCATEGORIZED
Mavinject SCAN_UNCATEGORIZED
MMC SCAN_FILE
Modify Authentication Process SCAN_UNCATEGORIZED ACL_VIOLATION
Modify Cached Executable Code SCAN_UNCATEGORIZED
Modify Cloud Compute Infrastructure SCAN_UNCATEGORIZED
Modify Existing Service SCAN_UNCATEGORIZED
Modify OS Kernel or Boot Partition SCAN_UNCATEGORIZED AUTH_VIOLATION
Modify Registry SCAN_UNCATEGORIZED
Modify System Image SCAN_UNCATEGORIZED
Modify System Partition SCAN_UNCATEGORIZED AUTH_VIOLATION
Modify Trusted Execution Environment SCAN_UNCATEGORIZED AUTH_VIOLATION
MSBuild SCAN_UNCATEGORIZED
Mshta SCAN_UNCATEGORIZED
Msiexec SCAN_UNCATEGORIZED
Multi-Factor Authentication Interception SCAN_UNCATEGORIZED
Multi-Factor Authentication Request Generation SCAN_UNCATEGORIZED
Multi-hop Proxy SCAN_NETWORK
Multi-Stage Channels SCAN_NETWORK
Multiband Communication SCAN_NETWORK
Multilayer Encryption SCAN_NETWORK
Native API SCAN_UNCATEGORIZED
Native Code SCAN_UNCATEGORIZED
Netsh Helper DLL SCAN_UNCATEGORIZED
Network Address Translation Traversal SCAN_NETWORK
Network Boundary Bridging SCAN_NETWORK
Network Denial of Service SCAN_NETWORK
Network Device Authentication SCAN_NETWORK
Network Device CLI SCAN_NETWORK
Network Device Configuration Dump SCAN_NETWORK EXPLOIT
Network Information Discovery SCAN_NETWORK
Network Logon Script SCAN_UNCATEGORIZED
Network Service Discovery SCAN_NETWORK
Network Service Scanning SCAN_NETWORK
Network Share Connection Removal SCAN_NETWORK
Network Share Discovery SCAN_NETWORK
Network Sniffing SCAN_NETWORK
Network Traffic Capture or Redirection SCAN_NETWORK EXPLOIT
New Service SCAN_UNCATEGORIZED
Non-Application Layer Protocol SCAN_NETWORK
Non-Standard Encoding SCAN_NETWORK
Non-Standard Port SCAN_NETWORK
NTDS SCAN_UNCATEGORIZED
NTFS File Attributes SCAN_FILE
Obfuscated Files or Information SCAN_FILE
Obtain Device Cloud Backups SCAN_NETWORK
Odbcconf SCAN_UNCATEGORIZED
Office Application Startup SCAN_UNCATEGORIZED
Office Template Macros SCAN_UNCATEGORIZED
Office Test SCAN_UNCATEGORIZED
One-Way Communication SCAN_NETWORK
OS Credential Dumping SCAN_UNCATEGORIZED
OS Exhaustion Flood SCAN_UNCATEGORIZED
Out of Band Data SCAN_NETWORK
Outlook Forms SCAN_UNCATEGORIZED
Outlook Home Page SCAN_UNCATEGORIZED
Outlook Rules SCAN_UNCATEGORIZED
Parent PID Spoofing SCAN_PROCESS
Pass the Hash SCAN_UNCATEGORIZED
Pass the Ticket SCAN_UNCATEGORIZED
Password Cracking SCAN_UNCATEGORIZED
Password Filter DLL SCAN_UNCATEGORIZED
Password Guessing SCAN_UNCATEGORIZED
Password Managers SCAN_UNCATEGORIZED
Password Policy Discovery SCAN_UNCATEGORIZED
Password Spraying SCAN_UNCATEGORIZED
Patch System Image SCAN_UNCATEGORIZED
Path Interception SCAN_UNCATEGORIZED
Path Interception by PATH Environment Variable SCAN_UNCATEGORIZED
Path Interception by Search Order Hijacking SCAN_UNCATEGORIZED
Path Interception by Unquoted Path SCAN_UNCATEGORIZED
Peripheral Device Discovery SCAN_UNCATEGORIZED
Permission Groups Discovery SCAN_UNCATEGORIZED
Phishing SCAN_UNCATEGORIZED PHISHING
Plist File Modification SCAN_UNCATEGORIZED
Plist Modification SCAN_UNCATEGORIZED
Pluggable Authentication Modules SCAN_UNCATEGORIZED
Port Knocking SCAN_NETWORK
Port Monitors SCAN_UNCATEGORIZED
Portable Executable Injection SCAN_UNCATEGORIZED
PowerShell SCAN_FILE
PowerShell Profile SCAN_UNCATEGORIZED
Pre-OS Boot SCAN_UNCATEGORIZED
Premium SMS Toll Fraud SCAN_UNCATEGORIZED
Prevent Application Removal SCAN_UNCATEGORIZED
Print Processors SCAN_UNCATEGORIZED
Private Keys SCAN_UNCATEGORIZED ACL_VIOLATION
Proc Filesystem SCAN_FILE ACL_VIOLATION
Proc Memory SCAN_PROCESS
Process Argument Spoofing SCAN_PROCESS
Process Discovery SCAN_UNCATEGORIZED
Process Doppelgänging SCAN_PROCESS
Process Hollowing SCAN_PROCESS
Process Injection SCAN_PROCESS
Protected User Data SCAN_UNCATEGORIZED
Protocol Impersonation SCAN_NETWORK
Protocol Tunneling SCAN_NETWORK
Proxy SCAN_NETWORK
Proxy Through Victim SCAN_UNCATEGORIZED
Ptrace System Calls SCAN_PROCESS
PubPrn SCAN_FILE
PUP SCAN_UNCATEGORIZED
Python SCAN_FILE
Query Registry SCAN_UNCATEGORIZED
RC Scripts SCAN_UNCATEGORIZED
Rc.common SCAN_PROCESS
Re-opened Applications SCAN_UNCATEGORIZED
Reduce Key Space SCAN_UNCATEGORIZED
Redundant Access SCAN_UNCATEGORIZED
Reflection Amplification SCAN_NETWORK
Reflective Code Loading SCAN_UNCATEGORIZED
Registry Run Keys / Startup Folder SCAN_UNCATEGORIZED
Regsvcs/Regasm SCAN_UNCATEGORIZED
Regsvr32 SCAN_UNCATEGORIZED
Remote Access Software SCAN_NETWORK
Remote Access Tools SCAN_NETWORK
Remote Data Staging SCAN_UNCATEGORIZED
Remote Device Management Services SCAN_UNCATEGORIZED
Remote Email Collection SCAN_UNCATEGORIZED
Remote File Copy SCAN_FILE DATA_EXFILTRATION
Remote System Discovery SCAN_NETWORK
Remotely Track Device Without Authorization SCAN_NETWORK
Remotely Wipe Data Without Authorization SCAN_NETWORK
Rename System Utilities SCAN_UNCATEGORIZED
Replication Through Removable Media SCAN_UNCATEGORIZED EXPLOIT
Resource Forking SCAN_FILE
Resource Hijacking SCAN_UNCATEGORIZED
Reversible Encryption SCAN_UNCATEGORIZED
Revert Cloud Instance SCAN_UNCATEGORIZED
Right-to-Left Override SCAN_UNCATEGORIZED
Rogue Cellular Base Station SCAN_NETWORK
Rogue Domain Controller SCAN_UNCATEGORIZED
Rogue Wi-Fi Access Points SCAN_NETWORK
ROMMONkit SCAN_UNCATEGORIZED
Rootkit SCAN_UNCATEGORIZED
Run Virtual Instance SCAN_UNCATEGORIZED
Rundll32 SCAN_FILE
Runtime Data Manipulation SCAN_UNCATEGORIZED
Safe Mode Boot SCAN_UNCATEGORIZED
SAML Tokens SCAN_UNCATEGORIZED
Scheduled Task SCAN_UNCATEGORIZED
Scheduled Task/Job SCAN_UNCATEGORIZED
Scheduled Transfer SCAN_NETWORK
Screen Capture SCAN_UNCATEGORIZED
Screensaver SCAN_UNCATEGORIZED
Scripting SCAN_FILE
Security Account Manager SCAN_UNCATEGORIZED ACL_VIOLATION
Security Software Discovery SCAN_UNCATEGORIZED
Security Support Provider SCAN_UNCATEGORIZED
Securityd Memory SCAN_UNCATEGORIZED
Sensor-based ML SCAN_UNCATEGORIZED
Server Software Component SCAN_UNCATEGORIZED
Service Execution SCAN_FILE
Service Exhaustion Flood SCAN_NETWORK NETWORK_DENIAL_OF_SERVICE
Service Registry Permissions Weakness SCAN_UNCATEGORIZED
Service Stop SCAN_UNCATEGORIZED
Services File Permissions Weakness SCAN_UNCATEGORIZED
Services Registry Permissions Weakness SCAN_UNCATEGORIZED
Setuid and Setgid SCAN_UNCATEGORIZED EXPLOIT
Shared Modules SCAN_UNCATEGORIZED
Sharepoint SCAN_UNCATEGORIZED
Shortcut Modification SCAN_UNCATEGORIZED
SID-History Injection SCAN_UNCATEGORIZED
Signed Binary Proxy Execution SCAN_UNCATEGORIZED
Signed Script Proxy Execution SCAN_UNCATEGORIZED
Silver Ticket SCAN_UNCATEGORIZED
SIM Card Swap SCAN_NETWORK
SIP and Trust Provider Hijacking SCAN_UNCATEGORIZED
SMS Control SCAN_UNCATEGORIZED
SMS Messages SCAN_UNCATEGORIZED
SNMP (MIB Dump) SCAN_UNCATEGORIZED
Software Deployment Tools SCAN_UNCATEGORIZED
Software Discovery SCAN_UNCATEGORIZED
Software Packing SCAN_UNCATEGORIZED
Source SCAN_UNCATEGORIZED
Space after Filename SCAN_FILE
Spearphishing Attachment SCAN_FILE EXPLOIT
Spearphishing Link SCAN_NETWORK EXPLOIT
Spearphishing via Service SCAN_UNCATEGORIZED
SQL Stored Procedures SCAN_UNCATEGORIZED
SSH Authorized Keys SCAN_UNCATEGORIZED
Standard Application Layer Protocol SCAN_NETWORK
Standard Cryptographic Protocol SCAN_NETWORK
Standard Encoding SCAN_NETWORK
Standard Non-Application Layer Protocol SCAN_NETWORK
Startup Items SCAN_UNCATEGORIZED
Steal Application Access Token SCAN_UNCATEGORIZED
Steal or Forge Kerberos Tickets SCAN_UNCATEGORIZED
Steal Web Session Cookie SCAN_UNCATEGORIZED
Steganography SCAN_UNCATEGORIZED
Stored Application Data SCAN_UNCATEGORIZED
Stored Data Manipulation SCAN_UNCATEGORIZED ACL_VIOLATION
Subvert Trust Controls SCAN_UNCATEGORIZED
Sudo SCAN_UNCATEGORIZED
Sudo and Sudo Caching SCAN_UNCATEGORIZED
Sudo Caching SCAN_UNCATEGORIZED
Supply Chain Compromise SCAN_UNCATEGORIZED
Suppress Application Icon SCAN_UNCATEGORIZED
Suspicious Activity SCAN_UNCATEGORIZED
Symmetric Cryptography SCAN_NETWORK
System Binary Proxy Execution SCAN_UNCATEGORIZED
System Checks SCAN_UNCATEGORIZED
System Firmware SCAN_UNCATEGORIZED
System Information Discovery SCAN_UNCATEGORIZED
System Language Discovery SCAN_UNCATEGORIZED
System Location Discovery SCAN_UNCATEGORIZED
System Network Configuration Discovery SCAN_NETWORK
System Network Connections Discovery SCAN_NETWORK
System Owner/User Discovery SCAN_UNCATEGORIZED
System Runtime API Hijacking SCAN_UNCATEGORIZED
System Script Proxy Execution SCAN_FILE
System Service Discovery SCAN_UNCATEGORIZED
System Services SCAN_UNCATEGORIZED
System Shutdown/Reboot SCAN_UNCATEGORIZED
System Time Discovery SCAN_UNCATEGORIZED
Systemd Service SCAN_UNCATEGORIZED
Systemd Timers SCAN_UNCATEGORIZED
Template Injection SCAN_UNCATEGORIZED EXPLOIT
Terminal Services DLL SCAN_UNCATEGORIZED
TFTP Boot SCAN_NETWORK
Third-party Software SCAN_UNCATEGORIZED
Thread Execution Hijacking SCAN_UNCATEGORIZED
Thread Local Storage SCAN_UNCATEGORIZED
Time Based Evasion SCAN_UNCATEGORIZED
Time Providers SCAN_UNCATEGORIZED
Timestamp SCAN_UNCATEGORIZED
Token Impersonation/Theft SCAN_UNCATEGORIZED
Traffic Duplication SCAN_NETWORK
Traffic Signaling SCAN_NETWORK
Transfer Data to Cloud Account SCAN_NETWORK
Transmitted Data Manipulation SCAN_UNCATEGORIZED
Transport Agent SCAN_UNCATEGORIZED
Trap SCAN_UNCATEGORIZED
Trusted Developer Utilities SCAN_UNCATEGORIZED
Trusted Developer Utilities Proxy Execution SCAN_UNCATEGORIZED
Trusted Relationship SCAN_UNCATEGORIZED EXPLOIT
Two-Factor Authentication Interception SCAN_UNCATEGORIZED
Uncommonly Used Port SCAN_NETWORK NETWORK_SUSPICIOUS
Uninstall Malicious Application SCAN_UNCATEGORIZED
Unix Shell SCAN_FILE
Unix Shell Configuration Modification SCAN_UNCATEGORIZED
Unsecured Credentials SCAN_FILE ACL_VIOLATION
Unused/Unsupported Cloud Regions SCAN_UNCATEGORIZED
URI Hijacking SCAN_UNCATEGORIZED
URL Scheme Hijacking SCAN_UNCATEGORIZED
Use Alternate Authentication Material SCAN_UNCATEGORIZED
User Activity Based Checks SCAN_UNCATEGORIZED
User Evasion SCAN_UNCATEGORIZED
User Execution SCAN_FILE
Valid Accounts SCAN_UNCATEGORIZED ACL_VIOLATION
VBA Stomping SCAN_UNCATEGORIZED
VDSO Hijacking SCAN_UNCATEGORIZED
Verclsid SCAN_UNCATEGORIZED
Video Capture SCAN_UNCATEGORIZED
Virtualization/Sandbox Evasion SCAN_UNCATEGORIZED
Visual Basic SCAN_UNCATEGORIZED
Weaken Encryption SCAN_UNCATEGORIZED
Web Cookies SCAN_UNCATEGORIZED
Web Portal Capture SCAN_UNCATEGORIZED
Web Protocols SCAN_NETWORK
Web Service SCAN_NETWORK
Web Session Cookie SCAN_NETWORK
Web Shell SCAN_UNCATEGORIZED
Windows Command Shell SCAN_UNCATEGORIZED
Windows Credential Manager SCAN_UNCATEGORIZED
Windows File and Directory Permissions Modification SCAN_UNCATEGORIZED
Windows Management Instrumentation SCAN_UNCATEGORIZED
Windows Management Instrumentation Event Subscription SCAN_UNCATEGORIZED
Windows Remote Management SCAN_UNCATEGORIZED
Windows Service SCAN_UNCATEGORIZED
Winlogon Helper DLL SCAN_UNCATEGORIZED
XDG Autostart Entries SCAN_UNCATEGORIZED
XPC Services SCAN_UNCATEGORIZED
XSL Script Processing SCAN_FILE

Field mapping reference: CS_DETECTS

The following table lists the log fields of the CS_DETECTS log type and their corresponding UDM fields.
Log field UDM mapping Logic
date_updated about.labels [date_updated]
q about.labels [q]
cid about.resource.product_object_id
cid metadata.product_deployment_id
about.resource.resource_type The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.
behaviors.timestamp about.labels [behavior_timestamp]
behaviors.description metadata.description
first_behavior metadata.event_timestamp
created_timestamp metadata.collected_timestamp
detection_id metadata.product_log_id
metadata.product_name The metadata.product_name UDM field is set to Falcon.
url_back_to_product metadata.url_back_to_product
metadata.vendor_name The metadata.vendor_name UDM field is set to Crowdstrike.
device.agent_load_flags principal.asset.attribute.labels [agent_load_flags]
device.agent_load_flags principal.asset.attribute.labels [agent_load_time]
device.agent_version principal.asset.attribute.labels [agent_version]
device.bios_manufacturer principal.asset.attribute.labels [bios_manufacturer]
device.bios_version principal.asset.attribute.labels [bios_version]
device.config_id_base principal.asset.attribute.labels [device_config_id_base]
device.config_id_build principal.asset.attribute.labels [device_config_id_base]
device.config_id_platform principal.asset.attribute.labels [device_config_id_platform]
device.cpu_signature principal.asset.attribute.labels [device_cpu_signature]
device.groups principal.asset.attribute.labels [device_groups]
device.instance_id principal.asset.attribute.labels [device_instance_id]
device.last_seen principal.asset.attribute.labels [device_last_seen]
device.major_version principal.asset.attribute.labels [device_major_version]
device.minor_version principal.asset.attribute.labels [device_minor_version]
device.modified_timestamp principal.asset.attribute.labels [device_modified_timestamp]
device.ou principal.asset.attribute.labels [device_ou]
device.platform_id principal.asset.attribute.labels [device_platform_id]
device.product_type principal.asset.attribute.labels [device_product_type]
device.reduced_functionality_mode principal.asset.attribute.labels [device_reduced_functionality_mode]
device.service_provider_account_id principal.asset.attribute.labels [device_service_provider_account_id]
device.service_provider principal.asset.attribute.labels [device_service_provider]
device.site_name principal.asset.attribute.labels [device_site_name]
device.status principal.asset.attribute.labels [device_status]
device.first_seen principal.asset.first_seen_time
device.system_manufacturer principal.asset.hardware.manufacturer
device.serial_number principal.asset.hardware.serial_number
device.hostname principal.hostname
device.platform_name principal.asset.platform_software.platform If the device.platform_name log field value matches the regular expression pattern Windows, then the target.asset.platform_software.platform UDM field is set to WINDOWS.
device.system_product_name principal.asset.platform_software.platform_version
device.device_id principal.asset_id
device.product_type_desc principal.asset.type If the device.product_type_desc log field value matches the regular expression pattern (?i)(Computer or Workstation), then the principal.asset.type UDM field is set to WORKSTATION.

Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Server, then the principal.asset.type UDM field is set to SERVER.

Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Mobile, then the principal.asset.type UDM field is set to MOBILE.

Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)iot, then the principal.asset.type UDM field is set to IOT.

Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED.
first_behavior principal.asset.vulnerabilities.first_found
last_behavior principal.asset.vulnerabilities.last_found
device.machine_domain principal.domain.name
device.release_group principal.group.group_display_name
device.local_ip principal.ip
device.mac_address principal.mac
device.external_ip principal.nat_ip
device.os_version principal.platform_version
device.cid principal.resource.product_object_id
behaviors.user_name principal.user.user_display_name
behaviors.user_id principal.user.windows_sid
quarantined_files.id security_result.about.file attributes
email_sent security_result.about.labels [email_sent]
assigned_to_name security_result.about.user.user_display_name
behaviors.tactic_id security_result.attack_details.tactics.id If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.

Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field.
behaviors.tactic security_result.attack_details.tactics.name If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.

Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field.
behaviors.tactic_id security_result.rule_labels [behavior_tactic_id] If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.

Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field.
behaviors.tactic security_result.rule_labels [behavior_tactic] If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.

Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field.
behaviors.technique_id security_result.attack_details.techniques.id If the behaviors.technique_id log field value does not match the regular expression pattern ^CS, then the behaviors.technique_id log field is mapped to the security_result.attack_details.techniques.id UDM field.
behaviors.technique security_result.attack_details.techniques.name If the behaviors.technique_id log field value does not match the regular expression pattern ^CS, then the behaviors.technique log field is mapped to the security_result.attack_details.techniques.name UDM field.
behaviors.technique_id security_result.rule_id
behaviors.technique security_result.rule_name
behaviors.scenario security_result.category
behaviors.confidence security_result.confidence_details
hostinfo.active_directory_dn_display security_result.detection_fields [active_directory_dn_display]
adversary_ids security_result.detection_fields [adversary_ids]
behaviors.ioc_description security_result.detection_fields [behavior_ioc_description]
behaviors.ioc_source security_result.detection_fields [behavior_ioc_source]
behaviors.behavior_id security_result.detection_fields [behaviors_behavior_id]
behaviors.objective security_result.detection_fields [behaviors_objective]
behaviors.pattern_disposition_details.blocking_unsupported_or_disabled security_result.detection_fields [behaviors_pattern_disposition_details_blocking_unsupported_or_disabled]
behaviors.pattern_disposition_details.bootup_safeguard_enabled security_result.detection_fields [behaviors_pattern_disposition_details_bootup_safeguard_enabled]
behaviors.pattern_disposition_details.critical_process_disabled security_result.detection_fields [behaviors_pattern_disposition_details_critical_process_disabled]
behaviors.pattern_disposition_details.detect security_result.detection_fields [behaviors_pattern_disposition_details_detect]
behaviors.pattern_disposition_details.fs_operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_fs_operation_blocked]
behaviors.pattern_disposition_details.handle_operation_downgraded security_result.detection_fields [behaviors_pattern_disposition_details_handle_operation_downgraded]
behaviors.pattern_disposition_details.inddet_mask security_result.detection_fields [behaviors_pattern_disposition_details_inddet_mask]
behaviors.pattern_disposition_details.indicator security_result.detection_fields [behaviors_pattern_disposition_details_indicator]
behaviors.pattern_disposition_details.kill_action_failed security_result.detection_fields [behaviors_pattern_disposition_details_kill_action_failed]
behaviors.pattern_disposition_details.kill_parent security_result.detection_fields [behaviors_pattern_disposition_details_kill_parent]
behaviors.pattern_disposition_details.kill_process security_result.detection_fields [behaviors_pattern_disposition_details_kill_process]
behaviors.pattern_disposition_details.kill_subprocess security_result.detection_fields [behaviors_pattern_disposition_details_kill_subprocess]
behaviors.pattern_disposition_details.operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_operation_blocked]
behaviors.pattern_disposition_details.policy_disabled security_result.detection_fields [behaviors_pattern_disposition_details_policy_disabled]
behaviors.pattern_disposition_details.process_blocked security_result.detection_fields [behaviors_pattern_disposition_details_process_blocked]
behaviors.pattern_disposition_details.quarantine_file security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_file]
behaviors.pattern_disposition_details.quarantine_machine security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_machine]
behaviors.pattern_disposition_details.registry_operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_registry_operation_blocked]
behaviors.pattern_disposition_details.rooting security_result.detection_fields [behaviors_pattern_disposition_details_rooting]
behaviors.pattern_disposition_details.sensor_only security_result.detection_fields [behaviors_pattern_disposition_details_sensor_only]
behaviors.pattern_disposition_details.suspend_parent security_result.detection_fields [behaviors_pattern_disposition_details_suspend_parent]
behaviors.pattern_disposition_details.suspend_process security_result.detection_fields [behaviors_pattern_disposition_details_suspend_process]
behaviors.pattern_disposition security_result.detection_fields [behaviors_pattern_disposition] If the behaviors.pattern_disposition log field value is equal to 0, then the security_result.detection_fields.key/value UDM field is set to Detection, standard detection.

Else, if the behaviors.pattern_disposition log field value is equal to 16, then the security_result.detection_fields.key/value UDM field is set to Prevention, process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 128, then the security_result.detection_fields.key/value UDM field is mapped to the Detection/Quarantine, standard detection and quarantine was attempted.

Else, if the behaviors.pattern_disposition log field value is equal to 272, then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 512, then the security_result.detection_fields.key/value UDM field is set to Prevention, parent process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 768, then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 1024, then the security_result.detection_fields.key/value UDM field is set to Prevention, operation blocked.

Else, if the behaviors.pattern_disposition log field value is equal to 1280, then the security_result.detection_fields.key/value UDM field is set to Detection, operation would have been blocked if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 2048, then the security_result.detection_fields.key/value UDM field is set to Prevention, process blocked from execution.

Else, if the behaviors.pattern_disposition log field value is equal to 2176, then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 2304, then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been blocked if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 4096, then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked.

Else, if the behaviors.pattern_disposition log field value is equal to 4112, then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked and context process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 4638, then the security_result.detection_fields.key/value UDM field is set to Detection, registry operation would have been blocked and context process would have been killed if a prevention policy setting was enabled.
behaviors_processed [] security_result.detection_fields [behaviors_processed]
behaviors.control_graph_id security_result.detection_fields [control_graph_id]
behaviors.control_graph_id security_result.detection_fields [tree_id] The tree_id field is extracted from the behaviors.control_graph_id log field using the Grok pattern, and the tree_id extracted field is mapped to the security_result.detection_fields UDM field.
hostinfo.domain security_result.detection_fields [hostinfo_domain]
max_confidence security_result.detection_fields [max_confidence]
max_severity security_result.detection_fields [max_severity]
overwatch_notes security_result.detection_fields [overwatch_notes]
quarantined_files.paths security_result.detection_fields [quarantined_files_paths]
quarantined_files.sha256 security_result.detection_fields [quarantined_files_sha256]
quarantined_files.state security_result.detection_fields [quarantined_files_state]
seconds_to_resolved security_result.detection_fields [seconds_to_resolved]
seconds_to_triaged security_result.detection_fields [seconds_to_triaged]
show_in_ui security_result.detection_fields [show_in_ui]
status security_result.detection_fields [status]
behaviors.template_instance_id security_result.detection_fields [template_instance_id]
behaviors.triggering_process_graph_id security_result.detection_fields [triggering_process_graph_id]
behaviors.rule_instance_id security_result.rule_labels [rule_instance_id]
behaviors.rule_instance_version security_result.rule_labels [rule_instance_version]
max_severity_displayname security_result.severity If the max_severity_displayname log field value matches the regular expression pattern (?i)Low, then the security_result.severity UDM field is set to LOW.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Informational, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)High, then the security_result.severity UDM field is set to HIGH.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Critical, then the security_result.severity UDM field is set to CRITICAL.

Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
behaviors.severity security_result.severity_details
behaviors.display_name security_result.summary
behaviors.ioc_type security_result.threat_name The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field.
behaviors.ioc_value security_result.threat_name The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field.

behaviors.filepath

behaviors.ioc_description

 target.file.full_path If the behaviors.filepath log field value is equal to System, then the behaviors.ioc_description log field is mapped to the target.file.full_path UDM field.

Else, the behaviors.filepath log field is mapped to the target.file.full_path UDM field.
behaviors.alleged_filetype target.file.mime_type
behaviors.filename target.file.names
behaviors.sha256 target.file.sha256 If the behavior.sha256 log field value is not equal to empty or N/A, then the behavior.sha256 log field is mapped to the target.file.sha256 UDM field.
behaviors.cmdline target.process.command_line
behaviors.md5 target.process.file.md5 If the behavior.md5 log field value matches the regular expression pattern ^(0-9a-f)+$, then the behavior.md5 log field is mapped to the target.process.file.md5 UDM field.

Else, the target.labels.key UDM field is set to behavior_md5 and the behavior.md5 log field is mapped to the target.labels.value UDM field.
behaviors.parent_details.parent_cmdline target.process.parent_process.command_line
behaviors.parent_details.parent_md5 target.process.parent_process.file.md5 If the behavior.parent_details.parent_md5 log field value matches the regular expression pattern ^(0-9a-f)+$, then the behavior.parent_details.parent_md5 log field is mapped to the target.process.parent_process.file.md5 UDM field.

Else, the target.labels.key UDM field is set to behavior_parent_details_parent_md5 and the behavior.parent_details.parent_md5 log field is mapped to the target.labels.value UDM field.
behaviors.parent_details.parent_sha256 target.process.parent_process.file.sha256 If the behavior.parent_details.parent_sha256 log field value is not equal to empty or N/A, then the behavior.parent_details.parent_sha256 log field is mapped to the target.process.parent_process.file.sha256 UDM field.
behaviors.parent_details.parent_process_id target.process.parent_process.pid
behaviors.parent_details.parent_process_graph_id target.process.parent_process.product_specific_process_id
behaviors.triggering_process_id target.process.pid
behaviors.device_id Contains same value as device.device_id. Hence, this field is not mapped.