Mengumpulkan log Deteksi CrowdStrike
Dokumen ini menjelaskan cara mengekspor log Deteksi CrowdStrike ke Google Security Operations melalui feed Google Security Operations, dan cara kolom Deteksi CrowdStrike dipetakan ke kolom Unified Data Model (UDM) Google Security Operations.
Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google Security Operations.
Deployment standar terdiri dari CrowdStrike dan feed Google Security Operations yang dikonfigurasi untuk mengirim log ke Google Security Operations. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.
Deployment berisi komponen berikut:
CrowdStrike Falcon Intelligence: Produk CrowdStrike tempat Anda mengumpulkan log.
Feed CrowdStrike. Feed CrowdStrike yang mengambil log dari CrowdStrike dan menulis log ke Google SecOps.
Google Security Operations: Menyimpan dan menganalisis log Deteksi CrowdStrike.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah
ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser
dengan label transfer CS_DETECTS
.
Sebelum memulai
Pastikan Anda memiliki hak administrator di instance CrowdStrike untuk menginstal sensor Host CrowdStrike Falcon.
Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dalam zona waktu UTC
Pastikan perangkat berjalan di sistem operasi yang didukung.
- OS harus berjalan di server 64-bit. Microsoft Windows server 2008 R2 SP1 didukung untuk sensor Host CrowdStrike Falcon versi 6.51 atau yang lebih baru.
- Sistem yang menjalankan versi OS lama (misalnya, Windows 7 SP1) memerlukan dukungan penandatanganan kode SHA-2 yang diinstal di perangkatnya.
Dapatkan file akun layanan Google Security Operations dan ID pelanggan Anda dari tim dukungan Google Security Operations.
Mengonfigurasi CrowdStrike untuk menyerap log
Untuk menyiapkan feed transfer, ikuti langkah-langkah berikut:
- Buat pasangan kunci klien API baru di CrowdStrike Falcon. Pasangan kunci ini membaca peristiwa dan informasi tambahan dari CrowdStrike Falcon.
- Berikan izin
READ
keDetections
saat membuat pasangan kunci.
Mengonfigurasi feed di Google Security Operations untuk menyerap log Deteksi CrowdStrike
- Buka Setelan SIEM > Feed.
- Klik Add New.
- Masukkan nama unik untuk Nama Kolom.
- Pilih API pihak ketiga sebagai Jenis Sumber.
- Pilih CrowdStrike Detection Monitoring sebagai Log Type.
- Klik Berikutnya.
- Konfigurasikan parameter input wajib berikut:
- Endpoint Token OAuth: tentukan endpoint.
- Client ID OAuth: tentukan client ID yang Anda dapatkan sebelumnya.
- Rahasia Klien OAuth: tentukan rahasia klien yang Anda peroleh sebelumnya.
- Base URL: tentukan Base URL.
- Klik Berikutnya, lalu klik Kirim.
Referensi pemetaan kolom
Bagian ini menjelaskan cara parser Google Security Operations memetakan kolom Deteksi CrowdStrike ke kolom Unified Data Model (UDM) Google Security Operations.
Tabel berikut mencantumkan ID peristiwa CS_DETECTS
dan jenis peristiwa UDM yang sesuai.
Event Identifier | Event Type | Security Category |
---|---|---|
.bash_profile and .bashrc |
SCAN_FILE |
|
/etc/passwd and /etc/shadow |
SCAN_UNCATEGORIZED |
|
Abuse Accessibility Features |
SCAN_UNCATEGORIZED |
|
Abuse Device Administrator Access to Prevent Removal |
SCAN_UNCATEGORIZED |
|
Abuse Elevation Control Mechanism |
SCAN_UNCATEGORIZED |
|
Access Calendar Entries |
SCAN_UNCATEGORIZED |
|
Access Call Log |
SCAN_UNCATEGORIZED |
|
Access Contact List |
SCAN_UNCATEGORIZED |
|
Access Notifications |
SCAN_UNCATEGORIZED |
|
Access Sensitive Data in Device Logs |
SCAN_UNCATEGORIZED |
|
Access Stored Application Data |
SCAN_UNCATEGORIZED |
|
Access Token Manipulation |
SCAN_UNCATEGORIZED |
|
Accessibility Features |
SCAN_UNCATEGORIZED |
|
Account Access Removal |
SCAN_UNCATEGORIZED |
|
Account Discovery |
SCAN_UNCATEGORIZED |
|
Account Manipulation |
SCAN_UNCATEGORIZED |
|
Active Setup |
SCAN_UNCATEGORIZED |
|
Add Office 365 Global Administrator Role |
SCAN_UNCATEGORIZED |
|
Add-ins |
SCAN_UNCATEGORIZED |
|
Additional Azure Service Principal Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Roles |
SCAN_UNCATEGORIZED |
|
Additional Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Adversary-in-the-Middle |
SCAN_UNCATEGORIZED |
|
Adware |
SCAN_UNCATEGORIZED |
|
Adware/PUP |
SCAN_PROCESS |
|
Alternate Network Mediums |
SCAN_NETWORK |
|
Android Intent Hijacking |
SCAN_UNCATEGORIZED |
|
App Auto-Start at Device Boot |
SCAN_UNCATEGORIZED |
|
AppCert DLLs |
SCAN_UNCATEGORIZED |
|
AppInit DLLs |
SCAN_UNCATEGORIZED |
|
AppleScript |
SCAN_FILE |
|
Application Access Token |
SCAN_UNCATEGORIZED |
|
Application Discovery |
SCAN_UNCATEGORIZED |
|
Application Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Application Layer Protocol |
SCAN_NETWORK |
|
Application or System Exploitation |
SCAN_UNCATEGORIZED |
|
Application Shimming |
SCAN_UNCATEGORIZED |
|
Application Window Discovery |
SCAN_UNCATEGORIZED |
|
Archive Collected Data |
SCAN_UNCATEGORIZED |
|
Archive via Custom Method |
SCAN_UNCATEGORIZED |
|
Archive via Library |
SCAN_FILE |
DATA_EXFILTRATION |
Archive via Utility |
SCAN_UNCATEGORIZED |
|
ARP Cache Poisoning |
SCAN_NETWORK |
|
AS-REP Roasting |
SCAN_UNCATEGORIZED |
|
Asymmetric Cryptography |
SCAN_NETWORK |
|
Asynchronous Procedure Call |
SCAN_PROCESS |
EXPLOIT |
At |
SCAN_UNCATEGORIZED |
|
At (Linux) |
SCAN_UNCATEGORIZED |
|
At (Windows) |
SCAN_UNCATEGORIZED |
|
Attack PC via USB Connection |
SCAN_UNCATEGORIZED |
|
Attributed to Adversary |
SCAN_UNCATEGORIZED |
|
Audio Capture |
SCAN_UNCATEGORIZED |
|
Authentication Package |
SCAN_UNCATEGORIZED |
|
Automated Collection |
SCAN_UNCATEGORIZED |
|
Automated Exfiltration |
SCAN_UNCATEGORIZED |
EXPLOIT |
Bad device settings |
SCAN_HOST |
|
Bash History |
SCAN_UNCATEGORIZED |
|
Bidirectional Communication |
SCAN_NETWORK |
|
Binary Padding |
SCAN_UNCATEGORIZED |
|
BITS Jobs |
SCAN_UNCATEGORIZED |
|
Boot or Logon Autostart Execution |
SCAN_UNCATEGORIZED |
|
Boot or Logon Initialization Scripts |
SCAN_UNCATEGORIZED |
|
Bootkit |
SCAN_UNCATEGORIZED |
|
Broadcast Receivers |
SCAN_UNCATEGORIZED |
|
Browser Bookmark Discovery |
SCAN_UNCATEGORIZED |
|
Browser Exploit |
SCAN_UNCATEGORIZED |
EXPLOIT |
Browser Extensions |
SCAN_UNCATEGORIZED |
|
Browser Session Hijacking |
SCAN_UNCATEGORIZED |
|
Brute Force |
SCAN_UNCATEGORIZED |
|
Build Image on Host |
SCAN_UNCATEGORIZED |
|
Bypass Monitoring |
SCAN_HOST |
|
Bypass User Access Control |
SCAN_UNCATEGORIZED |
|
Bypass User Account Control |
SCAN_UNCATEGORIZED |
|
Cached Domain Credentials |
SCAN_UNCATEGORIZED |
|
Calendar Entries |
SCAN_UNCATEGORIZED |
|
Call Control |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Call Log |
SCAN_UNCATEGORIZED |
|
Capture Audio |
SCAN_UNCATEGORIZED |
|
Capture Camera |
SCAN_UNCATEGORIZED |
|
Capture Clipboard Data |
SCAN_UNCATEGORIZED |
|
Capture SMS Messages |
SCAN_UNCATEGORIZED |
|
Carrier Billing Fraud |
SCAN_UNCATEGORIZED |
|
Change Default File Association |
SCAN_FILE |
|
Clear Command History |
SCAN_UNCATEGORIZED |
|
Clear Linux or Mac System Logs |
SCAN_UNCATEGORIZED |
|
Clear Windows Event Logs |
SCAN_UNCATEGORIZED |
|
Clipboard Data |
SCAN_UNCATEGORIZED |
|
Clipboard Modification |
SCAN_UNCATEGORIZED |
|
Cloud Account |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Groups |
SCAN_NETWORK |
|
Cloud Infrastructure Discovery |
SCAN_NETWORK |
|
Cloud Instance Metadata API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Service Dashboard |
SCAN_NETWORK |
|
Cloud Service Discovery |
SCAN_NETWORK |
|
Cloud Storage Object Discovery |
SCAN_NETWORK |
|
Cloud-based ML |
SCAN_UNCATEGORIZED |
|
CMSTP |
SCAN_UNCATEGORIZED |
|
Code Injection |
SCAN_UNCATEGORIZED |
|
Code Repositories |
SCAN_UNCATEGORIZED |
|
Code Signing |
SCAN_UNCATEGORIZED |
|
Code Signing Policy Modification |
SCAN_UNCATEGORIZED |
|
Command and Scripting Interpreter |
SCAN_FILE |
|
Command-Line Interface |
SCAN_UNCATEGORIZED |
|
Commonly Used Port |
SCAN_NETWORK |
|
Communication Through Removable Media |
SCAN_NETWORK |
|
Compile After Delivery |
SCAN_FILE |
|
Compiled HTML File |
SCAN_FILE |
|
Component Firmware |
SCAN_UNCATEGORIZED |
|
Component Object Model |
SCAN_UNCATEGORIZED |
|
Component Object Model and Distributed COM |
SCAN_UNCATEGORIZED |
|
Component Object Model Hijacking |
SCAN_UNCATEGORIZED |
|
Compromise Application Executable |
SCAN_UNCATEGORIZED |
|
Compromise Client Software Binary |
SCAN_UNCATEGORIZED |
|
Compromise Hardware Supply Chain |
SCAN_UNCATEGORIZED |
|
Compromise Software Dependencies and Development Tools |
SCAN_UNCATEGORIZED |
|
Compromise Software Supply Chain |
SCAN_UNCATEGORIZED |
|
Confluence |
SCAN_UNCATEGORIZED |
|
Connection Proxy |
SCAN_NETWORK |
|
Contact List |
SCAN_UNCATEGORIZED |
|
Container Administration Command |
SCAN_UNCATEGORIZED |
|
Container and Resource Discovery |
SCAN_NETWORK |
|
Container API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Container Orchestration Job |
SCAN_UNCATEGORIZED |
|
Control Panel |
SCAN_UNCATEGORIZED |
|
Control Panel Items |
SCAN_UNCATEGORIZED |
|
COR_PROFILER |
SCAN_UNCATEGORIZED |
|
Create Account |
SCAN_UNCATEGORIZED |
|
Create Cloud Instance |
SCAN_UNCATEGORIZED |
|
Create or Modify System Process |
SCAN_PROCESS |
|
Create Process with Token |
SCAN_PROCESS |
|
Create Snapshot |
SCAN_UNCATEGORIZED |
|
Credential API Hooking |
SCAN_UNCATEGORIZED |
|
Credential Dumping |
SCAN_UNCATEGORIZED |
|
Credential Stuffing |
SCAN_UNCATEGORIZED |
|
Credentials from Password Store |
SCAN_UNCATEGORIZED |
|
Credentials from Password Stores |
SCAN_UNCATEGORIZED |
|
Credentials from Web Browsers |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials In Files |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials in Registry |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cron |
SCAN_UNCATEGORIZED |
|
Custom Command and Control Protocol |
SCAN_NETWORK |
|
Custom Cryptographic Protocol |
SCAN_NETWORK |
|
Data Compressed |
SCAN_UNCATEGORIZED |
|
Data Destruction |
SCAN_FILE |
|
Data Encoding |
SCAN_NETWORK |
|
Data Encrypted |
SCAN_UNCATEGORIZED |
|
Data Encrypted for Impact |
SCAN_UNCATEGORIZED |
|
Data from Cloud Storage Object |
SCAN_UNCATEGORIZED |
|
Data from Configuration Repository |
SCAN_UNCATEGORIZED |
|
Data from Information Repositories |
SCAN_UNCATEGORIZED |
|
Data from Local System |
SCAN_UNCATEGORIZED |
|
Data from Network Shared Drive |
SCAN_NETWORK |
|
Data from Removable Media |
SCAN_UNCATEGORIZED |
|
Data Manipulation |
SCAN_UNCATEGORIZED |
|
Data Obfuscation |
SCAN_NETWORK |
|
Data Staged |
SCAN_UNCATEGORIZED |
|
Data Transfer Size Limits |
SCAN_UNCATEGORIZED |
|
DCShadow |
SCAN_UNCATEGORIZED |
|
DCSync |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Dead Drop Resolver |
SCAN_NETWORK |
|
Debugger Evasion |
SCAN_UNCATEGORIZED |
|
Defacement |
SCAN_UNCATEGORIZED |
|
Default Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Delete Cloud Instance |
SCAN_UNCATEGORIZED |
|
Delete Device Data |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Authorized App Store |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Other Means |
SCAN_UNCATEGORIZED |
|
Deobfuscate/Decode Files or Information |
SCAN_FILE |
|
Deploy Container |
SCAN_UNCATEGORIZED |
|
Destructive Malware |
SCAN_UNCATEGORIZED |
|
Device Administrator Permissions |
SCAN_UNCATEGORIZED |
|
Device Lockout |
SCAN_UNCATEGORIZED |
|
Device Registration |
SCAN_UNCATEGORIZED |
|
DHCP Spoofing |
SCAN_NETWORK |
|
Direct Network Flood |
SCAN_NETWORK |
|
Direct Volume Access |
SCAN_UNCATEGORIZED |
|
Disable Cloud Logs |
SCAN_UNCATEGORIZED |
|
Disable Crypto Hardware |
SCAN_UNCATEGORIZED |
|
Disable or Modify Cloud Firewall |
SCAN_NETWORK |
|
Disable or Modify System Firewall |
SCAN_NETWORK |
|
Disable or Modify Tools |
SCAN_UNCATEGORIZED |
|
Disable Windows Event Logging |
SCAN_UNCATEGORIZED |
|
Disabling Security Tools |
SCAN_UNCATEGORIZED |
|
Disguise Root/Jailbreak Indicators |
SCAN_UNCATEGORIZED |
|
Disk Content Wipe |
SCAN_UNCATEGORIZED |
|
Disk Structure Wipe |
SCAN_UNCATEGORIZED |
|
Disk Wipe |
SCAN_UNCATEGORIZED |
|
DLL Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
DLL Side-Loading |
SCAN_UNCATEGORIZED |
|
DNS |
SCAN_NETWORK |
|
DNS Calculation |
SCAN_NETWORK |
|
Domain Account |
SCAN_UNCATEGORIZED |
|
Domain Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Domain Controller Authentication |
SCAN_UNCATEGORIZED |
|
Domain Fronting |
SCAN_NETWORK |
|
Domain Generation Algorithms |
SCAN_NETWORK |
|
Domain Groups |
SCAN_UNCATEGORIZED |
|
Domain Policy Modification |
SCAN_UNCATEGORIZED |
|
Domain Trust Discovery |
SCAN_UNCATEGORIZED |
|
Domain Trust Modification |
SCAN_UNCATEGORIZED |
|
Double File Extension |
SCAN_FILE |
|
Downgrade Attack |
SCAN_UNCATEGORIZED |
|
Downgrade System Image |
SCAN_UNCATEGORIZED |
|
Downgrade to Insecure Protocols |
SCAN_NETWORK |
|
Download New Code at Runtime |
SCAN_UNCATEGORIZED |
|
Drive-by Compromise |
SCAN_UNCATEGORIZED |
EXPLOIT |
Dylib Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Data Exchange |
SCAN_UNCATEGORIZED |
|
Dynamic Linker Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Resolution |
SCAN_NETWORK |
|
Dynamic-link Library Injection |
SCAN_UNCATEGORIZED |
|
Eavesdrop on Insecure Network Communication |
SCAN_NETWORK |
|
Elevated Execution with Prompt |
SCAN_UNCATEGORIZED |
|
Email Account |
SCAN_NETWORK |
|
Email Collection |
SCAN_UNCATEGORIZED |
|
Email Forwarding Rule |
SCAN_UNCATEGORIZED |
|
Email Hiding Rules |
SCAN_UNCATEGORIZED |
|
Emond |
SCAN_UNCATEGORIZED |
|
Encrypted Channel |
SCAN_NETWORK |
|
Endpoint Denial of Service |
SCAN_UNCATEGORIZED |
|
Environmental Keying |
SCAN_UNCATEGORIZED |
|
Escape to Host |
SCAN_UNCATEGORIZED |
|
Evade Analysis Environment |
SCAN_UNCATEGORIZED |
|
Event Triggered Execution |
SCAN_UNCATEGORIZED |
|
Exchange Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Executable Installer File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Execution Guardrails |
SCAN_UNCATEGORIZED |
|
Execution through API |
SCAN_UNCATEGORIZED |
|
Execution through Module Load |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Alternative Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Bluetooth |
SCAN_UNCATEGORIZED |
|
Exfiltration Over C2 Channel |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Command and Control Channel |
SCAN_NETWORK |
|
Exfiltration Over Other Network Medium |
SCAN_NETWORK |
|
Exfiltration Over Physical Medium |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Unencrypted Non-C2 Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration over USB |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Web Service |
SCAN_NETWORK |
|
Exfiltration to Cloud Storage |
SCAN_UNCATEGORIZED |
|
Exfiltration to Code Repository |
SCAN_NETWORK |
|
Exploit Enterprise Resources |
SCAN_NETWORK |
|
Exploit Mitigation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit OS Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit Public-Facing Application |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit SS7 to Redirect Phone Calls/SMS |
SCAN_NETWORK |
EXPLOIT |
Exploit SS7 to Track Device Location |
SCAN_NETWORK |
EXPLOIT |
Exploit TEE Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Charging Station or PC |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Radio Interfaces |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Client Execution |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Credential Access |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Defense Evasion |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Privilege Escalation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation of Remote Services |
SCAN_NETWORK |
EXPLOIT |
External Defacement |
SCAN_UNCATEGORIZED |
|
External Proxy |
SCAN_NETWORK |
|
External Remote Services |
SCAN_UNCATEGORIZED |
|
Extra Window Memory Injection |
SCAN_UNCATEGORIZED |
|
Fallback Channels |
SCAN_NETWORK |
|
Fast Flux DNS |
SCAN_NETWORK |
|
File and Directory Discovery |
SCAN_FILE |
|
File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
File Deletion |
SCAN_FILE |
DATA_DESTRUCTION |
File System Logical Offsets |
SCAN_FILE |
|
File System Permissions Weakness |
SCAN_UNCATEGORIZED |
|
File Transfer Protocols |
SCAN_FILE |
DATA_EXFILTRATION |
Firmware Corruption |
SCAN_UNCATEGORIZED |
|
Forced Authentication |
SCAN_UNCATEGORIZED |
|
Foreground Persistence |
SCAN_UNCATEGORIZED |
|
Forge Web Credentials |
SCAN_UNCATEGORIZED |
|
Gatekeeper Bypass |
SCAN_UNCATEGORIZED |
|
Generate Fraudulent Advertising Revenue |
SCAN_UNCATEGORIZED |
|
Generate Traffic from Victim |
SCAN_UNCATEGORIZED |
|
Geofencing |
SCAN_UNCATEGORIZED |
|
Golden Ticket |
SCAN_UNCATEGORIZED |
|
Graphical User Interface |
SCAN_UNCATEGORIZED |
|
Group Policy Discovery |
SCAN_UNCATEGORIZED |
|
Group Policy Modification |
SCAN_UNCATEGORIZED |
|
Group Policy Preferences |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
GUI Input Capture |
SCAN_UNCATEGORIZED |
|
Hardware Additions |
SCAN_NETWORK |
|
Hidden File System |
SCAN_UNCATEGORIZED |
|
Hidden Files and Directories |
SCAN_FILE |
|
Hidden Users |
SCAN_UNCATEGORIZED |
|
Hidden Window |
SCAN_UNCATEGORIZED |
|
Hide Artifacts |
SCAN_UNCATEGORIZED |
|
Hijack Execution Flow |
SCAN_UNCATEGORIZED |
|
HISTCONTROL |
SCAN_UNCATEGORIZED |
|
Hooking |
SCAN_UNCATEGORIZED |
|
HTML Smuggling |
SCAN_UNCATEGORIZED |
|
Hypervisor |
SCAN_UNCATEGORIZED |
|
IIS Components |
SCAN_UNCATEGORIZED |
|
Image File Execution Options Injection |
SCAN_UNCATEGORIZED |
|
Impair Command History Logging |
SCAN_UNCATEGORIZED |
|
Impair Defenses |
SCAN_UNCATEGORIZED |
|
Impersonate SS7 Nodes |
SCAN_UNCATEGORIZED |
|
Implant Container Image |
SCAN_UNCATEGORIZED |
|
Implant Internal Image |
SCAN_UNCATEGORIZED |
|
Indicator Blocking |
SCAN_UNCATEGORIZED |
|
Indicator of Compromise |
SCAN_UNCATEGORIZED |
|
Indicator Removal from Tools |
SCAN_UNCATEGORIZED |
|
Indicator Removal on Host |
SCAN_UNCATEGORIZED |
|
Indirect Command Execution |
SCAN_UNCATEGORIZED |
|
Ingress Tool Transfer |
SCAN_FILE |
DATA_EXFILTRATION |
Inhibit System Recovery |
SCAN_UNCATEGORIZED |
|
Input Capture |
SCAN_UNCATEGORIZED |
|
Input Injection |
SCAN_UNCATEGORIZED |
|
Input Prompt |
SCAN_UNCATEGORIZED |
|
Install Insecure or Malicious Configuration |
SCAN_UNCATEGORIZED |
|
Install Root Certificate |
SCAN_FILE |
|
InstallUtil |
SCAN_UNCATEGORIZED |
|
Intelligence Indicator - Domain |
SCAN_NETWORK |
|
Intelligence Indicator - Hash |
SCAN_FILE |
|
Intelligence Indicator - IP |
SCAN_NETWORK |
|
Inter-Process Communication |
SCAN_PROCESS |
|
Internal Defacement |
SCAN_UNCATEGORIZED |
|
Internal Proxy |
SCAN_NETWORK |
|
Internet Connection Discovery |
SCAN_NETWORK |
|
Invalid Code Signature |
SCAN_UNCATEGORIZED |
|
Jamming or Denial of Service |
SCAN_NETWORK |
|
JavaScript |
SCAN_FILE |
|
JavaScript/JScript |
SCAN_FILE |
|
Junk Data |
SCAN_NETWORK |
|
Kerberoasting |
SCAN_UNCATEGORIZED |
|
Kernel Modules and Extensions |
SCAN_UNCATEGORIZED |
|
KernelCallbackTable |
SCAN_UNCATEGORIZED |
|
Keychain |
SCAN_UNCATEGORIZED |
|
Keylogging |
SCAN_UNCATEGORIZED |
|
Known Hash |
SCAN_FILE |
|
Launch Agent |
SCAN_UNCATEGORIZED |
|
Launch Daemon |
SCAN_UNCATEGORIZED |
|
Launchctl |
SCAN_PROCESS |
|
Launchd |
SCAN_UNCATEGORIZED |
|
LC_LOAD_DYLIB Addition |
SCAN_UNCATEGORIZED |
|
LC_MAIN Hijacking |
SCAN_UNCATEGORIZED |
|
LD_PRELOAD |
SCAN_UNCATEGORIZED |
|
Linux and Mac File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
ListPlanting |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and Relay |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and SMB Relay |
SCAN_NETWORK |
|
Local Account |
SCAN_UNCATEGORIZED |
|
Local Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Local Data Staging |
SCAN_UNCATEGORIZED |
|
Local Email Collection |
SCAN_UNCATEGORIZED |
|
Local Groups |
SCAN_UNCATEGORIZED |
|
Local Job Scheduling |
SCAN_UNCATEGORIZED |
|
Location Tracking |
SCAN_UNCATEGORIZED |
|
Lockscreen Bypass |
SCAN_UNCATEGORIZED |
EXPLOIT |
Login Hook |
SCAN_UNCATEGORIZED |
|
Login Item |
SCAN_UNCATEGORIZED |
|
Login Items |
SCAN_UNCATEGORIZED |
|
Logon Script (Mac) |
SCAN_UNCATEGORIZED |
|
Logon Script (Windows) |
SCAN_UNCATEGORIZED |
|
Logon Scripts |
SCAN_UNCATEGORIZED |
|
LSA Secrets |
SCAN_UNCATEGORIZED |
|
LSASS Driver |
SCAN_UNCATEGORIZED |
|
LSASS Memory |
SCAN_UNCATEGORIZED |
|
Mail Protocols |
SCAN_NETWORK |
|
Make and Impersonate Token |
SCAN_UNCATEGORIZED |
|
Malicious Activity |
SCAN_UNCATEGORIZED |
|
Malicious File |
SCAN_FILE |
|
Malicious Image |
SCAN_FILE |
|
Malicious Link |
SCAN_NETWORK |
|
Malicious Tool Delivery |
SCAN_UNCATEGORIZED |
|
Malicious Tool Execution |
SCAN_PROCESS |
|
Man in the Browser |
SCAN_NETWORK |
|
Man-in-the-Middle |
SCAN_NETWORK |
|
Manipulate App Store Rankings or Ratings |
SCAN_UNCATEGORIZED |
|
Manipulate Device Communication |
SCAN_NETWORK |
|
Mark-of-the-Web Bypass |
SCAN_UNCATEGORIZED |
|
Masquerade as Legitimate Application |
SCAN_UNCATEGORIZED |
|
Masquerade Task or Service |
SCAN_UNCATEGORIZED |
|
Masquerading |
SCAN_UNCATEGORIZED |
|
Match Legitimate Name or Location |
SCAN_UNCATEGORIZED |
|
Mavinject |
SCAN_UNCATEGORIZED |
|
MMC |
SCAN_FILE |
|
Modify Authentication Process |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Modify Cached Executable Code |
SCAN_UNCATEGORIZED |
|
Modify Cloud Compute Infrastructure |
SCAN_UNCATEGORIZED |
|
Modify Existing Service |
SCAN_UNCATEGORIZED |
|
Modify OS Kernel or Boot Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Registry |
SCAN_UNCATEGORIZED |
|
Modify System Image |
SCAN_UNCATEGORIZED |
|
Modify System Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Trusted Execution Environment |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
MSBuild |
SCAN_UNCATEGORIZED |
|
Mshta |
SCAN_UNCATEGORIZED |
|
Msiexec |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Request Generation |
SCAN_UNCATEGORIZED |
|
Multi-hop Proxy |
SCAN_NETWORK |
|
Multi-Stage Channels |
SCAN_NETWORK |
|
Multiband Communication |
SCAN_NETWORK |
|
Multilayer Encryption |
SCAN_NETWORK |
|
Native API |
SCAN_UNCATEGORIZED |
|
Native Code |
SCAN_UNCATEGORIZED |
|
Netsh Helper DLL |
SCAN_UNCATEGORIZED |
|
Network Address Translation Traversal |
SCAN_NETWORK |
|
Network Boundary Bridging |
SCAN_NETWORK |
|
Network Denial of Service |
SCAN_NETWORK |
|
Network Device Authentication |
SCAN_NETWORK |
|
Network Device CLI |
SCAN_NETWORK |
|
Network Device Configuration Dump |
SCAN_NETWORK |
EXPLOIT |
Network Information Discovery |
SCAN_NETWORK |
|
Network Logon Script |
SCAN_UNCATEGORIZED |
|
Network Service Discovery |
SCAN_NETWORK |
|
Network Service Scanning |
SCAN_NETWORK |
|
Network Share Connection Removal |
SCAN_NETWORK |
|
Network Share Discovery |
SCAN_NETWORK |
|
Network Sniffing |
SCAN_NETWORK |
|
Network Traffic Capture or Redirection |
SCAN_NETWORK |
EXPLOIT |
New Service |
SCAN_UNCATEGORIZED |
|
Non-Application Layer Protocol |
SCAN_NETWORK |
|
Non-Standard Encoding |
SCAN_NETWORK |
|
Non-Standard Port |
SCAN_NETWORK |
|
NTDS |
SCAN_UNCATEGORIZED |
|
NTFS File Attributes |
SCAN_FILE |
|
Obfuscated Files or Information |
SCAN_FILE |
|
Obtain Device Cloud Backups |
SCAN_NETWORK |
|
Odbcconf |
SCAN_UNCATEGORIZED |
|
Office Application Startup |
SCAN_UNCATEGORIZED |
|
Office Template Macros |
SCAN_UNCATEGORIZED |
|
Office Test |
SCAN_UNCATEGORIZED |
|
One-Way Communication |
SCAN_NETWORK |
|
OS Credential Dumping |
SCAN_UNCATEGORIZED |
|
OS Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Out of Band Data |
SCAN_NETWORK |
|
Outlook Forms |
SCAN_UNCATEGORIZED |
|
Outlook Home Page |
SCAN_UNCATEGORIZED |
|
Outlook Rules |
SCAN_UNCATEGORIZED |
|
Parent PID Spoofing |
SCAN_PROCESS |
|
Pass the Hash |
SCAN_UNCATEGORIZED |
|
Pass the Ticket |
SCAN_UNCATEGORIZED |
|
Password Cracking |
SCAN_UNCATEGORIZED |
|
Password Filter DLL |
SCAN_UNCATEGORIZED |
|
Password Guessing |
SCAN_UNCATEGORIZED |
|
Password Managers |
SCAN_UNCATEGORIZED |
|
Password Policy Discovery |
SCAN_UNCATEGORIZED |
|
Password Spraying |
SCAN_UNCATEGORIZED |
|
Patch System Image |
SCAN_UNCATEGORIZED |
|
Path Interception |
SCAN_UNCATEGORIZED |
|
Path Interception by PATH Environment Variable |
SCAN_UNCATEGORIZED |
|
Path Interception by Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
Path Interception by Unquoted Path |
SCAN_UNCATEGORIZED |
|
Peripheral Device Discovery |
SCAN_UNCATEGORIZED |
|
Permission Groups Discovery |
SCAN_UNCATEGORIZED |
|
Phishing |
SCAN_UNCATEGORIZED |
PHISHING |
Plist File Modification |
SCAN_UNCATEGORIZED |
|
Plist Modification |
SCAN_UNCATEGORIZED |
|
Pluggable Authentication Modules |
SCAN_UNCATEGORIZED |
|
Port Knocking |
SCAN_NETWORK |
|
Port Monitors |
SCAN_UNCATEGORIZED |
|
Portable Executable Injection |
SCAN_UNCATEGORIZED |
|
PowerShell |
SCAN_FILE |
|
PowerShell Profile |
SCAN_UNCATEGORIZED |
|
Pre-OS Boot |
SCAN_UNCATEGORIZED |
|
Premium SMS Toll Fraud |
SCAN_UNCATEGORIZED |
|
Prevent Application Removal |
SCAN_UNCATEGORIZED |
|
Print Processors |
SCAN_UNCATEGORIZED |
|
Private Keys |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Proc Filesystem |
SCAN_FILE |
ACL_VIOLATION |
Proc Memory |
SCAN_PROCESS |
|
Process Argument Spoofing |
SCAN_PROCESS |
|
Process Discovery |
SCAN_UNCATEGORIZED |
|
Process Doppelgänging |
SCAN_PROCESS |
|
Process Hollowing |
SCAN_PROCESS |
|
Process Injection |
SCAN_PROCESS |
|
Protected User Data |
SCAN_UNCATEGORIZED |
|
Protocol Impersonation |
SCAN_NETWORK |
|
Protocol Tunneling |
SCAN_NETWORK |
|
Proxy |
SCAN_NETWORK |
|
Proxy Through Victim |
SCAN_UNCATEGORIZED |
|
Ptrace System Calls |
SCAN_PROCESS |
|
PubPrn |
SCAN_FILE |
|
PUP |
SCAN_UNCATEGORIZED |
|
Python |
SCAN_FILE |
|
Query Registry |
SCAN_UNCATEGORIZED |
|
RC Scripts |
SCAN_UNCATEGORIZED |
|
Rc.common |
SCAN_PROCESS |
|
Re-opened Applications |
SCAN_UNCATEGORIZED |
|
Reduce Key Space |
SCAN_UNCATEGORIZED |
|
Redundant Access |
SCAN_UNCATEGORIZED |
|
Reflection Amplification |
SCAN_NETWORK |
|
Reflective Code Loading |
SCAN_UNCATEGORIZED |
|
Registry Run Keys / Startup Folder |
SCAN_UNCATEGORIZED |
|
Regsvcs/Regasm |
SCAN_UNCATEGORIZED |
|
Regsvr32 |
SCAN_UNCATEGORIZED |
|
Remote Access Software |
SCAN_NETWORK |
|
Remote Access Tools |
SCAN_NETWORK |
|
Remote Data Staging |
SCAN_UNCATEGORIZED |
|
Remote Device Management Services |
SCAN_UNCATEGORIZED |
|
Remote Email Collection |
SCAN_UNCATEGORIZED |
|
Remote File Copy |
SCAN_FILE |
DATA_EXFILTRATION |
Remote System Discovery |
SCAN_NETWORK |
|
Remotely Track Device Without Authorization |
SCAN_NETWORK |
|
Remotely Wipe Data Without Authorization |
SCAN_NETWORK |
|
Rename System Utilities |
SCAN_UNCATEGORIZED |
|
Replication Through Removable Media |
SCAN_UNCATEGORIZED |
EXPLOIT |
Resource Forking |
SCAN_FILE |
|
Resource Hijacking |
SCAN_UNCATEGORIZED |
|
Reversible Encryption |
SCAN_UNCATEGORIZED |
|
Revert Cloud Instance |
SCAN_UNCATEGORIZED |
|
Right-to-Left Override |
SCAN_UNCATEGORIZED |
|
Rogue Cellular Base Station |
SCAN_NETWORK |
|
Rogue Domain Controller |
SCAN_UNCATEGORIZED |
|
Rogue Wi-Fi Access Points |
SCAN_NETWORK |
|
ROMMONkit |
SCAN_UNCATEGORIZED |
|
Rootkit |
SCAN_UNCATEGORIZED |
|
Run Virtual Instance |
SCAN_UNCATEGORIZED |
|
Rundll32 |
SCAN_FILE |
|
Runtime Data Manipulation |
SCAN_UNCATEGORIZED |
|
Safe Mode Boot |
SCAN_UNCATEGORIZED |
|
SAML Tokens |
SCAN_UNCATEGORIZED |
|
Scheduled Task |
SCAN_UNCATEGORIZED |
|
Scheduled Task/Job |
SCAN_UNCATEGORIZED |
|
Scheduled Transfer |
SCAN_NETWORK |
|
Screen Capture |
SCAN_UNCATEGORIZED |
|
Screensaver |
SCAN_UNCATEGORIZED |
|
Scripting |
SCAN_FILE |
|
Security Account Manager |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Security Software Discovery |
SCAN_UNCATEGORIZED |
|
Security Support Provider |
SCAN_UNCATEGORIZED |
|
Securityd Memory |
SCAN_UNCATEGORIZED |
|
Sensor-based ML |
SCAN_UNCATEGORIZED |
|
Server Software Component |
SCAN_UNCATEGORIZED |
|
Service Execution |
SCAN_FILE |
|
Service Exhaustion Flood |
SCAN_NETWORK |
NETWORK_DENIAL_OF_SERVICE |
Service Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Service Stop |
SCAN_UNCATEGORIZED |
|
Services File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Services Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Setuid and Setgid |
SCAN_UNCATEGORIZED |
EXPLOIT |
Shared Modules |
SCAN_UNCATEGORIZED |
|
Sharepoint |
SCAN_UNCATEGORIZED |
|
Shortcut Modification |
SCAN_UNCATEGORIZED |
|
SID-History Injection |
SCAN_UNCATEGORIZED |
|
Signed Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
Signed Script Proxy Execution |
SCAN_UNCATEGORIZED |
|
Silver Ticket |
SCAN_UNCATEGORIZED |
|
SIM Card Swap |
SCAN_NETWORK |
|
SIP and Trust Provider Hijacking |
SCAN_UNCATEGORIZED |
|
SMS Control |
SCAN_UNCATEGORIZED |
|
SMS Messages |
SCAN_UNCATEGORIZED |
|
SNMP (MIB Dump) |
SCAN_UNCATEGORIZED |
|
Software Deployment Tools |
SCAN_UNCATEGORIZED |
|
Software Discovery |
SCAN_UNCATEGORIZED |
|
Software Packing |
SCAN_UNCATEGORIZED |
|
Source |
SCAN_UNCATEGORIZED |
|
Space after Filename |
SCAN_FILE |
|
Spearphishing Attachment |
SCAN_FILE |
EXPLOIT |
Spearphishing Link |
SCAN_NETWORK |
EXPLOIT |
Spearphishing via Service |
SCAN_UNCATEGORIZED |
|
SQL Stored Procedures |
SCAN_UNCATEGORIZED |
|
SSH Authorized Keys |
SCAN_UNCATEGORIZED |
|
Standard Application Layer Protocol |
SCAN_NETWORK |
|
Standard Cryptographic Protocol |
SCAN_NETWORK |
|
Standard Encoding |
SCAN_NETWORK |
|
Standard Non-Application Layer Protocol |
SCAN_NETWORK |
|
Startup Items |
SCAN_UNCATEGORIZED |
|
Steal Application Access Token |
SCAN_UNCATEGORIZED |
|
Steal or Forge Kerberos Tickets |
SCAN_UNCATEGORIZED |
|
Steal Web Session Cookie |
SCAN_UNCATEGORIZED |
|
Steganography |
SCAN_UNCATEGORIZED |
|
Stored Application Data |
SCAN_UNCATEGORIZED |
|
Stored Data Manipulation |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Subvert Trust Controls |
SCAN_UNCATEGORIZED |
|
Sudo |
SCAN_UNCATEGORIZED |
|
Sudo and Sudo Caching |
SCAN_UNCATEGORIZED |
|
Sudo Caching |
SCAN_UNCATEGORIZED |
|
Supply Chain Compromise |
SCAN_UNCATEGORIZED |
|
Suppress Application Icon |
SCAN_UNCATEGORIZED |
|
Suspicious Activity |
SCAN_UNCATEGORIZED |
|
Symmetric Cryptography |
SCAN_NETWORK |
|
System Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
System Checks |
SCAN_UNCATEGORIZED |
|
System Firmware |
SCAN_UNCATEGORIZED |
|
System Information Discovery |
SCAN_UNCATEGORIZED |
|
System Language Discovery |
SCAN_UNCATEGORIZED |
|
System Location Discovery |
SCAN_UNCATEGORIZED |
|
System Network Configuration Discovery |
SCAN_NETWORK |
|
System Network Connections Discovery |
SCAN_NETWORK |
|
System Owner/User Discovery |
SCAN_UNCATEGORIZED |
|
System Runtime API Hijacking |
SCAN_UNCATEGORIZED |
|
System Script Proxy Execution |
SCAN_FILE |
|
System Service Discovery |
SCAN_UNCATEGORIZED |
|
System Services |
SCAN_UNCATEGORIZED |
|
System Shutdown/Reboot |
SCAN_UNCATEGORIZED |
|
System Time Discovery |
SCAN_UNCATEGORIZED |
|
Systemd Service |
SCAN_UNCATEGORIZED |
|
Systemd Timers |
SCAN_UNCATEGORIZED |
|
Template Injection |
SCAN_UNCATEGORIZED |
EXPLOIT |
Terminal Services DLL |
SCAN_UNCATEGORIZED |
|
TFTP Boot |
SCAN_NETWORK |
|
Third-party Software |
SCAN_UNCATEGORIZED |
|
Thread Execution Hijacking |
SCAN_UNCATEGORIZED |
|
Thread Local Storage |
SCAN_UNCATEGORIZED |
|
Time Based Evasion |
SCAN_UNCATEGORIZED |
|
Time Providers |
SCAN_UNCATEGORIZED |
|
Timestamp |
SCAN_UNCATEGORIZED |
|
Token Impersonation/Theft |
SCAN_UNCATEGORIZED |
|
Traffic Duplication |
SCAN_NETWORK |
|
Traffic Signaling |
SCAN_NETWORK |
|
Transfer Data to Cloud Account |
SCAN_NETWORK |
|
Transmitted Data Manipulation |
SCAN_UNCATEGORIZED |
|
Transport Agent |
SCAN_UNCATEGORIZED |
|
Trap |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities Proxy Execution |
SCAN_UNCATEGORIZED |
|
Trusted Relationship |
SCAN_UNCATEGORIZED |
EXPLOIT |
Two-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Uncommonly Used Port |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
Uninstall Malicious Application |
SCAN_UNCATEGORIZED |
|
Unix Shell |
SCAN_FILE |
|
Unix Shell Configuration Modification |
SCAN_UNCATEGORIZED |
|
Unsecured Credentials |
SCAN_FILE |
ACL_VIOLATION |
Unused/Unsupported Cloud Regions |
SCAN_UNCATEGORIZED |
|
URI Hijacking |
SCAN_UNCATEGORIZED |
|
URL Scheme Hijacking |
SCAN_UNCATEGORIZED |
|
Use Alternate Authentication Material |
SCAN_UNCATEGORIZED |
|
User Activity Based Checks |
SCAN_UNCATEGORIZED |
|
User Evasion |
SCAN_UNCATEGORIZED |
|
User Execution |
SCAN_FILE |
|
Valid Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
VBA Stomping |
SCAN_UNCATEGORIZED |
|
VDSO Hijacking |
SCAN_UNCATEGORIZED |
|
Verclsid |
SCAN_UNCATEGORIZED |
|
Video Capture |
SCAN_UNCATEGORIZED |
|
Virtualization/Sandbox Evasion |
SCAN_UNCATEGORIZED |
|
Visual Basic |
SCAN_UNCATEGORIZED |
|
Weaken Encryption |
SCAN_UNCATEGORIZED |
|
Web Cookies |
SCAN_UNCATEGORIZED |
|
Web Portal Capture |
SCAN_UNCATEGORIZED |
|
Web Protocols |
SCAN_NETWORK |
|
Web Service |
SCAN_NETWORK |
|
Web Session Cookie |
SCAN_NETWORK |
|
Web Shell |
SCAN_UNCATEGORIZED |
|
Windows Command Shell |
SCAN_UNCATEGORIZED |
|
Windows Credential Manager |
SCAN_UNCATEGORIZED |
|
Windows File and Directory Permissions Modification |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation Event Subscription |
SCAN_UNCATEGORIZED |
|
Windows Remote Management |
SCAN_UNCATEGORIZED |
|
Windows Service |
SCAN_UNCATEGORIZED |
|
Winlogon Helper DLL |
SCAN_UNCATEGORIZED |
|
XDG Autostart Entries |
SCAN_UNCATEGORIZED |
|
XPC Services |
SCAN_UNCATEGORIZED |
|
XSL Script Processing |
SCAN_FILE |
|
Referensi pemetaan kolom: CS_DETECTS
Tabel berikut mencantumkan kolom log dari jenis logCS_DETECTS
dan kolom UDM yang sesuai.
Log field | UDM mapping | Logic |
---|---|---|
date_updated |
about.labels [date_updated] |
|
q |
about.labels [q] |
|
cid |
about.resource.product_object_id |
|
cid |
metadata.product_deployment_id |
|
|
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION . |
behaviors.timestamp |
about.labels [behavior_timestamp] |
|
behaviors.description |
metadata.description |
|
first_behavior |
metadata.event_timestamp |
|
created_timestamp |
metadata.collected_timestamp |
|
detection_id |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Falcon . |
url_back_to_product |
metadata.url_back_to_product |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Crowdstrike . |
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_flags] |
|
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_time] |
|
device.agent_version |
principal.asset.attribute.labels [agent_version] |
|
device.bios_manufacturer |
principal.asset.attribute.labels [bios_manufacturer] |
|
device.bios_version |
principal.asset.attribute.labels [bios_version] |
|
device.config_id_base |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_build |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_platform |
principal.asset.attribute.labels [device_config_id_platform] |
|
device.cpu_signature |
principal.asset.attribute.labels [device_cpu_signature] |
|
device.groups |
principal.asset.attribute.labels [device_groups] |
|
device.instance_id |
principal.asset.attribute.labels [device_instance_id] |
|
device.last_seen |
principal.asset.attribute.labels [device_last_seen] |
|
device.major_version |
principal.asset.attribute.labels [device_major_version] |
|
device.minor_version |
principal.asset.attribute.labels [device_minor_version] |
|
device.modified_timestamp |
principal.asset.attribute.labels [device_modified_timestamp] |
|
device.ou |
principal.asset.attribute.labels [device_ou] |
|
device.platform_id |
principal.asset.attribute.labels [device_platform_id] |
|
device.product_type |
principal.asset.attribute.labels [device_product_type] |
|
device.reduced_functionality_mode |
principal.asset.attribute.labels [device_reduced_functionality_mode] |
|
device.service_provider_account_id |
principal.asset.attribute.labels [device_service_provider_account_id] |
|
device.service_provider |
principal.asset.attribute.labels [device_service_provider] |
|
device.site_name |
principal.asset.attribute.labels [device_site_name] |
|
device.status |
principal.asset.attribute.labels [device_status] |
|
device.first_seen |
principal.asset.first_seen_time |
|
device.system_manufacturer |
principal.asset.hardware.manufacturer |
|
device.serial_number |
principal.asset.hardware.serial_number |
|
device.hostname |
principal.hostname |
|
device.platform_name |
principal.asset.platform_software.platform |
If the device.platform_name log field value matches the regular expression pattern Windows , then the target.asset.platform_software.platform UDM field is set to WINDOWS . |
device.system_product_name |
principal.asset.platform_software.platform_version |
|
device.device_id |
principal.asset_id |
|
device.product_type_desc |
principal.asset.type |
If the device.product_type_desc log field value matches the regular expression pattern (?i)(Computer or Workstation) , then the principal.asset.type UDM field is set to WORKSTATION .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Server , then the principal.asset.type UDM field is set to SERVER .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Mobile , then the principal.asset.type UDM field is set to MOBILE .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)iot , then the principal.asset.type UDM field is set to IOT .Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
first_behavior |
principal.asset.vulnerabilities.first_found |
|
last_behavior |
principal.asset.vulnerabilities.last_found |
|
device.machine_domain |
principal.domain.name |
|
device.release_group |
principal.group.group_display_name |
|
device.local_ip |
principal.ip |
|
device.mac_address |
principal.mac |
|
device.external_ip |
principal.nat_ip |
|
device.os_version |
principal.platform_version |
|
device.cid |
principal.resource.product_object_id |
|
behaviors.user_name |
principal.user.user_display_name |
|
behaviors.user_id |
principal.user.windows_sid |
|
quarantined_files.id |
security_result.about.file attributes |
|
email_sent |
security_result.about.labels [email_sent] |
|
assigned_to_name |
security_result.about.user.user_display_name |
|
behaviors.tactic_id |
security_result.attack_details.tactics.id |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.attack_details.tactics.name |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic_id |
security_result.rule_labels [behavior_tactic_id] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.rule_labels [behavior_tactic] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.technique_id |
security_result.attack_details.techniques.id |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique_id log field is mapped to the security_result.attack_details.techniques.id UDM field. |
behaviors.technique |
security_result.attack_details.techniques.name |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique log field is mapped to the security_result.attack_details.techniques.name UDM field. |
behaviors.technique_id |
security_result.rule_id |
|
behaviors.technique |
security_result.rule_name |
|
behaviors.scenario |
security_result.category |
|
behaviors.confidence |
security_result.confidence_details |
|
hostinfo.active_directory_dn_display |
security_result.detection_fields [active_directory_dn_display] |
|
adversary_ids |
security_result.detection_fields [adversary_ids] |
|
behaviors.ioc_description |
security_result.detection_fields [behavior_ioc_description] |
|
behaviors.ioc_source |
security_result.detection_fields [behavior_ioc_source] |
|
behaviors.behavior_id |
security_result.detection_fields [behaviors_behavior_id] |
|
behaviors.objective |
security_result.detection_fields [behaviors_objective] |
|
behaviors.pattern_disposition_details.blocking_unsupported_or_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_blocking_unsupported_or_disabled] |
|
behaviors.pattern_disposition_details.bootup_safeguard_enabled |
security_result.detection_fields [behaviors_pattern_disposition_details_bootup_safeguard_enabled] |
|
behaviors.pattern_disposition_details.critical_process_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_critical_process_disabled] |
|
behaviors.pattern_disposition_details.detect |
security_result.detection_fields [behaviors_pattern_disposition_details_detect] |
|
behaviors.pattern_disposition_details.fs_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_fs_operation_blocked] |
|
behaviors.pattern_disposition_details.handle_operation_downgraded |
security_result.detection_fields [behaviors_pattern_disposition_details_handle_operation_downgraded] |
|
behaviors.pattern_disposition_details.inddet_mask |
security_result.detection_fields [behaviors_pattern_disposition_details_inddet_mask] |
|
behaviors.pattern_disposition_details.indicator |
security_result.detection_fields [behaviors_pattern_disposition_details_indicator] |
|
behaviors.pattern_disposition_details.kill_action_failed |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_action_failed] |
|
behaviors.pattern_disposition_details.kill_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_parent] |
|
behaviors.pattern_disposition_details.kill_process |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_process] |
|
behaviors.pattern_disposition_details.kill_subprocess |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_subprocess] |
|
behaviors.pattern_disposition_details.operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_operation_blocked] |
|
behaviors.pattern_disposition_details.policy_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_policy_disabled] |
|
behaviors.pattern_disposition_details.process_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_process_blocked] |
|
behaviors.pattern_disposition_details.quarantine_file |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_file] |
|
behaviors.pattern_disposition_details.quarantine_machine |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_machine] |
|
behaviors.pattern_disposition_details.registry_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_registry_operation_blocked] |
|
behaviors.pattern_disposition_details.rooting |
security_result.detection_fields [behaviors_pattern_disposition_details_rooting] |
|
behaviors.pattern_disposition_details.sensor_only |
security_result.detection_fields [behaviors_pattern_disposition_details_sensor_only] |
|
behaviors.pattern_disposition_details.suspend_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_parent] |
|
behaviors.pattern_disposition_details.suspend_process |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_process] |
|
behaviors.pattern_disposition |
security_result.detection_fields [behaviors_pattern_disposition] |
If the behaviors.pattern_disposition log field value is equal to 0 , then the security_result.detection_fields.key/value UDM field is set to Detection, standard detection .Else, if the behaviors.pattern_disposition log field value is equal to 16 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process killed .Else, if the behaviors.pattern_disposition log field value is equal to 128 , then the security_result.detection_fields.key/value UDM field is mapped to the Detection/Quarantine, standard detection and quarantine was attempted .Else, if the behaviors.pattern_disposition log field value is equal to 272 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 512 , then the security_result.detection_fields.key/value UDM field is set to Prevention, parent process killed .Else, if the behaviors.pattern_disposition log field value is equal to 768 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 1024 , then the security_result.detection_fields.key/value UDM field is set to Prevention, operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 1280 , then the security_result.detection_fields.key/value UDM field is set to Detection, operation would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2048 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process blocked from execution .Else, if the behaviors.pattern_disposition log field value is equal to 2176 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2304 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 4096 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 4112 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked and context process killed .Else, if the behaviors.pattern_disposition log field value is equal to 4638 , then the security_result.detection_fields.key/value UDM field is set to Detection, registry operation would have been blocked and context process would have been killed if a prevention policy setting was enabled . |
behaviors_processed [] |
security_result.detection_fields [behaviors_processed] |
|
behaviors.control_graph_id |
security_result.detection_fields [control_graph_id] |
|
behaviors.control_graph_id |
security_result.detection_fields [tree_id] |
The tree_id field is extracted from the behaviors.control_graph_id log field using the Grok pattern, and the tree_id extracted field is mapped to the security_result.detection_fields UDM field. |
hostinfo.domain |
security_result.detection_fields [hostinfo_domain] |
|
max_confidence |
security_result.detection_fields [max_confidence] |
|
max_severity |
security_result.detection_fields [max_severity] |
|
overwatch_notes |
security_result.detection_fields [overwatch_notes] |
|
quarantined_files.paths |
security_result.detection_fields [quarantined_files_paths] |
|
quarantined_files.sha256 |
security_result.detection_fields [quarantined_files_sha256] |
|
quarantined_files.state |
security_result.detection_fields [quarantined_files_state] |
|
seconds_to_resolved |
security_result.detection_fields [seconds_to_resolved] |
|
seconds_to_triaged |
security_result.detection_fields [seconds_to_triaged] |
|
show_in_ui |
security_result.detection_fields [show_in_ui] |
|
status |
security_result.detection_fields [status] |
|
behaviors.template_instance_id |
security_result.detection_fields [template_instance_id] |
|
behaviors.triggering_process_graph_id |
security_result.detection_fields [triggering_process_graph_id] |
|
behaviors.rule_instance_id |
security_result.rule_labels [rule_instance_id] |
|
behaviors.rule_instance_version |
security_result.rule_labels [rule_instance_version] |
|
max_severity_displayname |
security_result.severity |
If the max_severity_displayname log field value matches the regular expression pattern (?i)Low , then the security_result.severity UDM field is set to LOW .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Informational , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Medium , then the security_result.severity UDM field is set to MEDIUM .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)High , then the security_result.severity UDM field is set to HIGH .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Critical , then the security_result.severity UDM field is set to CRITICAL .Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
behaviors.severity |
security_result.severity_details |
|
behaviors.display_name |
security_result.summary |
|
behaviors.ioc_type |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
behaviors.ioc_value |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
|
target.file.full_path |
If the behaviors.filepath log field value is equal to System , then the behaviors.ioc_description log field is mapped to the target.file.full_path UDM field.Else, the behaviors.filepath log field is mapped to the target.file.full_path UDM field. |
behaviors.alleged_filetype |
target.file.mime_type |
|
behaviors.filename |
target.file.names |
|
behaviors.sha256 |
target.file.sha256 |
If the behavior.sha256 log field value is not equal to empty or N/A , then the behavior.sha256 log field is mapped to the target.file.sha256 UDM field. |
behaviors.cmdline |
target.process.command_line |
|
behaviors.md5 |
target.process.file.md5 |
If the behavior.md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.md5 log field is mapped to the target.process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_md5 and the behavior.md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_cmdline |
target.process.parent_process.command_line |
|
behaviors.parent_details.parent_md5 |
target.process.parent_process.file.md5 |
If the behavior.parent_details.parent_md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.parent_details.parent_md5 log field is mapped to the target.process.parent_process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_parent_details_parent_md5 and the behavior.parent_details.parent_md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_sha256 |
target.process.parent_process.file.sha256 |
If the behavior.parent_details.parent_sha256 log field value is not equal to empty or N/A , then the behavior.parent_details.parent_sha256 log field is mapped to the target.process.parent_process.file.sha256 UDM field. |
behaviors.parent_details.parent_process_id |
target.process.parent_process.pid |
|
behaviors.parent_details.parent_process_graph_id |
target.process.parent_process.product_specific_process_id |
|
behaviors.triggering_process_id |
target.process.pid |
|
behaviors.device_id |
|
Contains same value as device.device_id . Hence, this field is not mapped. |