Raccogliere i log di rilevamento di CrowdStrike
Questo documento descrive come esportare i log di rilevamento di CrowdStrike in Google Security Operations tramite il feed di Google Security Operations e come i campi di rilevamento di CrowdStrike vengono mappati ai campi del modello di dati unificato (UDM) di Google Security Operations.
Per ulteriori informazioni, consulta la Panoramica dell'importazione dei dati in Google Security Operations.
Un deployment tipico è costituito da CrowdStrike e dal feed di Google Security Operations configurato per inviare i log a Google Security Operations. Ogni implementazione del cliente può essere diversa e potrebbe essere più complessa.
Il deployment contiene i seguenti componenti:
CrowdStrike Falcon Intelligence: il prodotto CrowdStrike da cui raccogliete i log.
Feed di CrowdStrike. Il feed di CrowdStrike che recupera i log da CrowdStrike e li scrive in Google SecOps.
Google Security Operations: conserva e analizza i log di rilevamento di CrowdStrike.
Un'etichetta di importazione identifica l'analizzatore sintattico che normalizza i dati dei log non elaborati
in formato UDM strutturato. Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione CS_DETECTS
.
Prima di iniziare
Assicurati di disporre dei diritti di amministratore sull'istanza CrowdStrike per installare il sensore host CrowdStrike Falcon.
Assicurati che tutti i sistemi nell'architettura di deployment siano configurati nel fuso orario UTC
Assicurati che il dispositivo sia in esecuzione su un sistema operativo supportato.
- Il sistema operativo deve essere in esecuzione su un server a 64 bit. Microsoft Windows Server 2008 R2 SP1 è supportato per le versioni 6.51 o successive del sensore CrowdStrike Falcon Host.
- I sistemi con versioni precedenti del sistema operativo (ad esempio Windows 7 SP1) richiedono la presenza sul dispositivo del supporto per la firma del codice SHA-2.
Ottieni il file dell'account di servizio Google Security Operations e il tuo ID cliente dal team di assistenza di Google Security Operations.
Configura CrowdStrike per importare i log
Per configurare un feed di importazione:
- Crea una nuova coppia di chiavi client API in CrowdStrike Falcon. Questa coppia di chiavi legge gli eventi e le informazioni supplementari di CrowdStrike Falcon.
- Fornisci l'autorizzazione
READ
aDetections
durante la creazione della coppia di chiavi.
Configura un feed in Google Security Operations per importare i log di rilevamento di CrowdStrike
- Vai a Impostazioni SIEM > Feed.
- Fai clic su Add New (Aggiungi nuovo).
- Inserisci un nome univoco per il nome del campo.
- Seleziona API di terze parti come Tipo di origine.
- Seleziona Monitoraggio del rilevamento di CrowdStrike come Tipo di log.
- Fai clic su Avanti.
- Configura i seguenti parametri di input obbligatori:
- Endpoint del token OAuth: specifica l'endpoint.
- ID client OAuth: specifica l'ID client ottenuto in precedenza.
- Client secret OAuth: specifica il client secret ottenuto in precedenza.
- URL di base: specifica l'URL di base.
- Fai clic su Avanti e poi su Invia.
Riferimento alla mappatura dei campi
Questa sezione spiega in che modo il parser di Google Security Operations mappa i campi di rilevamento di CrowdStrike ai campi del modello di dati unificato (UDM) di Google Security Operations.
La tabella seguente elenca gli identificatori di eventi CS_DETECTS
e i relativi tipi di eventi UDM corrispondenti.
Event Identifier | Event Type | Security Category |
---|---|---|
.bash_profile and .bashrc |
SCAN_FILE |
|
/etc/passwd and /etc/shadow |
SCAN_UNCATEGORIZED |
|
Abuse Accessibility Features |
SCAN_UNCATEGORIZED |
|
Abuse Device Administrator Access to Prevent Removal |
SCAN_UNCATEGORIZED |
|
Abuse Elevation Control Mechanism |
SCAN_UNCATEGORIZED |
|
Access Calendar Entries |
SCAN_UNCATEGORIZED |
|
Access Call Log |
SCAN_UNCATEGORIZED |
|
Access Contact List |
SCAN_UNCATEGORIZED |
|
Access Notifications |
SCAN_UNCATEGORIZED |
|
Access Sensitive Data in Device Logs |
SCAN_UNCATEGORIZED |
|
Access Stored Application Data |
SCAN_UNCATEGORIZED |
|
Access Token Manipulation |
SCAN_UNCATEGORIZED |
|
Accessibility Features |
SCAN_UNCATEGORIZED |
|
Account Access Removal |
SCAN_UNCATEGORIZED |
|
Account Discovery |
SCAN_UNCATEGORIZED |
|
Account Manipulation |
SCAN_UNCATEGORIZED |
|
Active Setup |
SCAN_UNCATEGORIZED |
|
Add Office 365 Global Administrator Role |
SCAN_UNCATEGORIZED |
|
Add-ins |
SCAN_UNCATEGORIZED |
|
Additional Azure Service Principal Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Credentials |
SCAN_UNCATEGORIZED |
|
Additional Cloud Roles |
SCAN_UNCATEGORIZED |
|
Additional Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Adversary-in-the-Middle |
SCAN_UNCATEGORIZED |
|
Adware |
SCAN_UNCATEGORIZED |
|
Adware/PUP |
SCAN_PROCESS |
|
Alternate Network Mediums |
SCAN_NETWORK |
|
Android Intent Hijacking |
SCAN_UNCATEGORIZED |
|
App Auto-Start at Device Boot |
SCAN_UNCATEGORIZED |
|
AppCert DLLs |
SCAN_UNCATEGORIZED |
|
AppInit DLLs |
SCAN_UNCATEGORIZED |
|
AppleScript |
SCAN_FILE |
|
Application Access Token |
SCAN_UNCATEGORIZED |
|
Application Discovery |
SCAN_UNCATEGORIZED |
|
Application Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Application Layer Protocol |
SCAN_NETWORK |
|
Application or System Exploitation |
SCAN_UNCATEGORIZED |
|
Application Shimming |
SCAN_UNCATEGORIZED |
|
Application Window Discovery |
SCAN_UNCATEGORIZED |
|
Archive Collected Data |
SCAN_UNCATEGORIZED |
|
Archive via Custom Method |
SCAN_UNCATEGORIZED |
|
Archive via Library |
SCAN_FILE |
DATA_EXFILTRATION |
Archive via Utility |
SCAN_UNCATEGORIZED |
|
ARP Cache Poisoning |
SCAN_NETWORK |
|
AS-REP Roasting |
SCAN_UNCATEGORIZED |
|
Asymmetric Cryptography |
SCAN_NETWORK |
|
Asynchronous Procedure Call |
SCAN_PROCESS |
EXPLOIT |
At |
SCAN_UNCATEGORIZED |
|
At (Linux) |
SCAN_UNCATEGORIZED |
|
At (Windows) |
SCAN_UNCATEGORIZED |
|
Attack PC via USB Connection |
SCAN_UNCATEGORIZED |
|
Attributed to Adversary |
SCAN_UNCATEGORIZED |
|
Audio Capture |
SCAN_UNCATEGORIZED |
|
Authentication Package |
SCAN_UNCATEGORIZED |
|
Automated Collection |
SCAN_UNCATEGORIZED |
|
Automated Exfiltration |
SCAN_UNCATEGORIZED |
EXPLOIT |
Bad device settings |
SCAN_HOST |
|
Bash History |
SCAN_UNCATEGORIZED |
|
Bidirectional Communication |
SCAN_NETWORK |
|
Binary Padding |
SCAN_UNCATEGORIZED |
|
BITS Jobs |
SCAN_UNCATEGORIZED |
|
Boot or Logon Autostart Execution |
SCAN_UNCATEGORIZED |
|
Boot or Logon Initialization Scripts |
SCAN_UNCATEGORIZED |
|
Bootkit |
SCAN_UNCATEGORIZED |
|
Broadcast Receivers |
SCAN_UNCATEGORIZED |
|
Browser Bookmark Discovery |
SCAN_UNCATEGORIZED |
|
Browser Exploit |
SCAN_UNCATEGORIZED |
EXPLOIT |
Browser Extensions |
SCAN_UNCATEGORIZED |
|
Browser Session Hijacking |
SCAN_UNCATEGORIZED |
|
Brute Force |
SCAN_UNCATEGORIZED |
|
Build Image on Host |
SCAN_UNCATEGORIZED |
|
Bypass Monitoring |
SCAN_HOST |
|
Bypass User Access Control |
SCAN_UNCATEGORIZED |
|
Bypass User Account Control |
SCAN_UNCATEGORIZED |
|
Cached Domain Credentials |
SCAN_UNCATEGORIZED |
|
Calendar Entries |
SCAN_UNCATEGORIZED |
|
Call Control |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Call Log |
SCAN_UNCATEGORIZED |
|
Capture Audio |
SCAN_UNCATEGORIZED |
|
Capture Camera |
SCAN_UNCATEGORIZED |
|
Capture Clipboard Data |
SCAN_UNCATEGORIZED |
|
Capture SMS Messages |
SCAN_UNCATEGORIZED |
|
Carrier Billing Fraud |
SCAN_UNCATEGORIZED |
|
Change Default File Association |
SCAN_FILE |
|
Clear Command History |
SCAN_UNCATEGORIZED |
|
Clear Linux or Mac System Logs |
SCAN_UNCATEGORIZED |
|
Clear Windows Event Logs |
SCAN_UNCATEGORIZED |
|
Clipboard Data |
SCAN_UNCATEGORIZED |
|
Clipboard Modification |
SCAN_UNCATEGORIZED |
|
Cloud Account |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Groups |
SCAN_NETWORK |
|
Cloud Infrastructure Discovery |
SCAN_NETWORK |
|
Cloud Instance Metadata API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cloud Service Dashboard |
SCAN_NETWORK |
|
Cloud Service Discovery |
SCAN_NETWORK |
|
Cloud Storage Object Discovery |
SCAN_NETWORK |
|
Cloud-based ML |
SCAN_UNCATEGORIZED |
|
CMSTP |
SCAN_UNCATEGORIZED |
|
Code Injection |
SCAN_UNCATEGORIZED |
|
Code Repositories |
SCAN_UNCATEGORIZED |
|
Code Signing |
SCAN_UNCATEGORIZED |
|
Code Signing Policy Modification |
SCAN_UNCATEGORIZED |
|
Command and Scripting Interpreter |
SCAN_FILE |
|
Command-Line Interface |
SCAN_UNCATEGORIZED |
|
Commonly Used Port |
SCAN_NETWORK |
|
Communication Through Removable Media |
SCAN_NETWORK |
|
Compile After Delivery |
SCAN_FILE |
|
Compiled HTML File |
SCAN_FILE |
|
Component Firmware |
SCAN_UNCATEGORIZED |
|
Component Object Model |
SCAN_UNCATEGORIZED |
|
Component Object Model and Distributed COM |
SCAN_UNCATEGORIZED |
|
Component Object Model Hijacking |
SCAN_UNCATEGORIZED |
|
Compromise Application Executable |
SCAN_UNCATEGORIZED |
|
Compromise Client Software Binary |
SCAN_UNCATEGORIZED |
|
Compromise Hardware Supply Chain |
SCAN_UNCATEGORIZED |
|
Compromise Software Dependencies and Development Tools |
SCAN_UNCATEGORIZED |
|
Compromise Software Supply Chain |
SCAN_UNCATEGORIZED |
|
Confluence |
SCAN_UNCATEGORIZED |
|
Connection Proxy |
SCAN_NETWORK |
|
Contact List |
SCAN_UNCATEGORIZED |
|
Container Administration Command |
SCAN_UNCATEGORIZED |
|
Container and Resource Discovery |
SCAN_NETWORK |
|
Container API |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Container Orchestration Job |
SCAN_UNCATEGORIZED |
|
Control Panel |
SCAN_UNCATEGORIZED |
|
Control Panel Items |
SCAN_UNCATEGORIZED |
|
COR_PROFILER |
SCAN_UNCATEGORIZED |
|
Create Account |
SCAN_UNCATEGORIZED |
|
Create Cloud Instance |
SCAN_UNCATEGORIZED |
|
Create or Modify System Process |
SCAN_PROCESS |
|
Create Process with Token |
SCAN_PROCESS |
|
Create Snapshot |
SCAN_UNCATEGORIZED |
|
Credential API Hooking |
SCAN_UNCATEGORIZED |
|
Credential Dumping |
SCAN_UNCATEGORIZED |
|
Credential Stuffing |
SCAN_UNCATEGORIZED |
|
Credentials from Password Store |
SCAN_UNCATEGORIZED |
|
Credentials from Password Stores |
SCAN_UNCATEGORIZED |
|
Credentials from Web Browsers |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials In Files |
SCAN_FILE |
DATA_EXFILTRATION |
Credentials in Registry |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Cron |
SCAN_UNCATEGORIZED |
|
Custom Command and Control Protocol |
SCAN_NETWORK |
|
Custom Cryptographic Protocol |
SCAN_NETWORK |
|
Data Compressed |
SCAN_UNCATEGORIZED |
|
Data Destruction |
SCAN_FILE |
|
Data Encoding |
SCAN_NETWORK |
|
Data Encrypted |
SCAN_UNCATEGORIZED |
|
Data Encrypted for Impact |
SCAN_UNCATEGORIZED |
|
Data from Cloud Storage Object |
SCAN_UNCATEGORIZED |
|
Data from Configuration Repository |
SCAN_UNCATEGORIZED |
|
Data from Information Repositories |
SCAN_UNCATEGORIZED |
|
Data from Local System |
SCAN_UNCATEGORIZED |
|
Data from Network Shared Drive |
SCAN_NETWORK |
|
Data from Removable Media |
SCAN_UNCATEGORIZED |
|
Data Manipulation |
SCAN_UNCATEGORIZED |
|
Data Obfuscation |
SCAN_NETWORK |
|
Data Staged |
SCAN_UNCATEGORIZED |
|
Data Transfer Size Limits |
SCAN_UNCATEGORIZED |
|
DCShadow |
SCAN_UNCATEGORIZED |
|
DCSync |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Dead Drop Resolver |
SCAN_NETWORK |
|
Debugger Evasion |
SCAN_UNCATEGORIZED |
|
Defacement |
SCAN_UNCATEGORIZED |
|
Default Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Delete Cloud Instance |
SCAN_UNCATEGORIZED |
|
Delete Device Data |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Authorized App Store |
SCAN_UNCATEGORIZED |
|
Deliver Malicious App via Other Means |
SCAN_UNCATEGORIZED |
|
Deobfuscate/Decode Files or Information |
SCAN_FILE |
|
Deploy Container |
SCAN_UNCATEGORIZED |
|
Destructive Malware |
SCAN_UNCATEGORIZED |
|
Device Administrator Permissions |
SCAN_UNCATEGORIZED |
|
Device Lockout |
SCAN_UNCATEGORIZED |
|
Device Registration |
SCAN_UNCATEGORIZED |
|
DHCP Spoofing |
SCAN_NETWORK |
|
Direct Network Flood |
SCAN_NETWORK |
|
Direct Volume Access |
SCAN_UNCATEGORIZED |
|
Disable Cloud Logs |
SCAN_UNCATEGORIZED |
|
Disable Crypto Hardware |
SCAN_UNCATEGORIZED |
|
Disable or Modify Cloud Firewall |
SCAN_NETWORK |
|
Disable or Modify System Firewall |
SCAN_NETWORK |
|
Disable or Modify Tools |
SCAN_UNCATEGORIZED |
|
Disable Windows Event Logging |
SCAN_UNCATEGORIZED |
|
Disabling Security Tools |
SCAN_UNCATEGORIZED |
|
Disguise Root/Jailbreak Indicators |
SCAN_UNCATEGORIZED |
|
Disk Content Wipe |
SCAN_UNCATEGORIZED |
|
Disk Structure Wipe |
SCAN_UNCATEGORIZED |
|
Disk Wipe |
SCAN_UNCATEGORIZED |
|
DLL Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
DLL Side-Loading |
SCAN_UNCATEGORIZED |
|
DNS |
SCAN_NETWORK |
|
DNS Calculation |
SCAN_NETWORK |
|
Domain Account |
SCAN_UNCATEGORIZED |
|
Domain Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Domain Controller Authentication |
SCAN_UNCATEGORIZED |
|
Domain Fronting |
SCAN_NETWORK |
|
Domain Generation Algorithms |
SCAN_NETWORK |
|
Domain Groups |
SCAN_UNCATEGORIZED |
|
Domain Policy Modification |
SCAN_UNCATEGORIZED |
|
Domain Trust Discovery |
SCAN_UNCATEGORIZED |
|
Domain Trust Modification |
SCAN_UNCATEGORIZED |
|
Double File Extension |
SCAN_FILE |
|
Downgrade Attack |
SCAN_UNCATEGORIZED |
|
Downgrade System Image |
SCAN_UNCATEGORIZED |
|
Downgrade to Insecure Protocols |
SCAN_NETWORK |
|
Download New Code at Runtime |
SCAN_UNCATEGORIZED |
|
Drive-by Compromise |
SCAN_UNCATEGORIZED |
EXPLOIT |
Dylib Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Data Exchange |
SCAN_UNCATEGORIZED |
|
Dynamic Linker Hijacking |
SCAN_UNCATEGORIZED |
|
Dynamic Resolution |
SCAN_NETWORK |
|
Dynamic-link Library Injection |
SCAN_UNCATEGORIZED |
|
Eavesdrop on Insecure Network Communication |
SCAN_NETWORK |
|
Elevated Execution with Prompt |
SCAN_UNCATEGORIZED |
|
Email Account |
SCAN_NETWORK |
|
Email Collection |
SCAN_UNCATEGORIZED |
|
Email Forwarding Rule |
SCAN_UNCATEGORIZED |
|
Email Hiding Rules |
SCAN_UNCATEGORIZED |
|
Emond |
SCAN_UNCATEGORIZED |
|
Encrypted Channel |
SCAN_NETWORK |
|
Endpoint Denial of Service |
SCAN_UNCATEGORIZED |
|
Environmental Keying |
SCAN_UNCATEGORIZED |
|
Escape to Host |
SCAN_UNCATEGORIZED |
|
Evade Analysis Environment |
SCAN_UNCATEGORIZED |
|
Event Triggered Execution |
SCAN_UNCATEGORIZED |
|
Exchange Email Delegate Permissions |
SCAN_UNCATEGORIZED |
|
Executable Installer File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Execution Guardrails |
SCAN_UNCATEGORIZED |
|
Execution through API |
SCAN_UNCATEGORIZED |
|
Execution through Module Load |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Alternative Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Bluetooth |
SCAN_UNCATEGORIZED |
|
Exfiltration Over C2 Channel |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Command and Control Channel |
SCAN_NETWORK |
|
Exfiltration Over Other Network Medium |
SCAN_NETWORK |
|
Exfiltration Over Physical Medium |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration Over Unencrypted Non-C2 Protocol |
SCAN_NETWORK |
EXPLOIT |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
SCAN_NETWORK |
|
Exfiltration over USB |
SCAN_UNCATEGORIZED |
|
Exfiltration Over Web Service |
SCAN_NETWORK |
|
Exfiltration to Cloud Storage |
SCAN_UNCATEGORIZED |
|
Exfiltration to Code Repository |
SCAN_NETWORK |
|
Exploit Enterprise Resources |
SCAN_NETWORK |
|
Exploit Mitigation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit OS Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit Public-Facing Application |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit SS7 to Redirect Phone Calls/SMS |
SCAN_NETWORK |
EXPLOIT |
Exploit SS7 to Track Device Location |
SCAN_NETWORK |
EXPLOIT |
Exploit TEE Vulnerability |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Charging Station or PC |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploit via Radio Interfaces |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Client Execution |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Credential Access |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Defense Evasion |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation for Privilege Escalation |
SCAN_UNCATEGORIZED |
EXPLOIT |
Exploitation of Remote Services |
SCAN_NETWORK |
EXPLOIT |
External Defacement |
SCAN_UNCATEGORIZED |
|
External Proxy |
SCAN_NETWORK |
|
External Remote Services |
SCAN_UNCATEGORIZED |
|
Extra Window Memory Injection |
SCAN_UNCATEGORIZED |
|
Fallback Channels |
SCAN_NETWORK |
|
Fast Flux DNS |
SCAN_NETWORK |
|
File and Directory Discovery |
SCAN_FILE |
|
File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
File Deletion |
SCAN_FILE |
DATA_DESTRUCTION |
File System Logical Offsets |
SCAN_FILE |
|
File System Permissions Weakness |
SCAN_UNCATEGORIZED |
|
File Transfer Protocols |
SCAN_FILE |
DATA_EXFILTRATION |
Firmware Corruption |
SCAN_UNCATEGORIZED |
|
Forced Authentication |
SCAN_UNCATEGORIZED |
|
Foreground Persistence |
SCAN_UNCATEGORIZED |
|
Forge Web Credentials |
SCAN_UNCATEGORIZED |
|
Gatekeeper Bypass |
SCAN_UNCATEGORIZED |
|
Generate Fraudulent Advertising Revenue |
SCAN_UNCATEGORIZED |
|
Generate Traffic from Victim |
SCAN_UNCATEGORIZED |
|
Geofencing |
SCAN_UNCATEGORIZED |
|
Golden Ticket |
SCAN_UNCATEGORIZED |
|
Graphical User Interface |
SCAN_UNCATEGORIZED |
|
Group Policy Discovery |
SCAN_UNCATEGORIZED |
|
Group Policy Modification |
SCAN_UNCATEGORIZED |
|
Group Policy Preferences |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
GUI Input Capture |
SCAN_UNCATEGORIZED |
|
Hardware Additions |
SCAN_NETWORK |
|
Hidden File System |
SCAN_UNCATEGORIZED |
|
Hidden Files and Directories |
SCAN_FILE |
|
Hidden Users |
SCAN_UNCATEGORIZED |
|
Hidden Window |
SCAN_UNCATEGORIZED |
|
Hide Artifacts |
SCAN_UNCATEGORIZED |
|
Hijack Execution Flow |
SCAN_UNCATEGORIZED |
|
HISTCONTROL |
SCAN_UNCATEGORIZED |
|
Hooking |
SCAN_UNCATEGORIZED |
|
HTML Smuggling |
SCAN_UNCATEGORIZED |
|
Hypervisor |
SCAN_UNCATEGORIZED |
|
IIS Components |
SCAN_UNCATEGORIZED |
|
Image File Execution Options Injection |
SCAN_UNCATEGORIZED |
|
Impair Command History Logging |
SCAN_UNCATEGORIZED |
|
Impair Defenses |
SCAN_UNCATEGORIZED |
|
Impersonate SS7 Nodes |
SCAN_UNCATEGORIZED |
|
Implant Container Image |
SCAN_UNCATEGORIZED |
|
Implant Internal Image |
SCAN_UNCATEGORIZED |
|
Indicator Blocking |
SCAN_UNCATEGORIZED |
|
Indicator of Compromise |
SCAN_UNCATEGORIZED |
|
Indicator Removal from Tools |
SCAN_UNCATEGORIZED |
|
Indicator Removal on Host |
SCAN_UNCATEGORIZED |
|
Indirect Command Execution |
SCAN_UNCATEGORIZED |
|
Ingress Tool Transfer |
SCAN_FILE |
DATA_EXFILTRATION |
Inhibit System Recovery |
SCAN_UNCATEGORIZED |
|
Input Capture |
SCAN_UNCATEGORIZED |
|
Input Injection |
SCAN_UNCATEGORIZED |
|
Input Prompt |
SCAN_UNCATEGORIZED |
|
Install Insecure or Malicious Configuration |
SCAN_UNCATEGORIZED |
|
Install Root Certificate |
SCAN_FILE |
|
InstallUtil |
SCAN_UNCATEGORIZED |
|
Intelligence Indicator - Domain |
SCAN_NETWORK |
|
Intelligence Indicator - Hash |
SCAN_FILE |
|
Intelligence Indicator - IP |
SCAN_NETWORK |
|
Inter-Process Communication |
SCAN_PROCESS |
|
Internal Defacement |
SCAN_UNCATEGORIZED |
|
Internal Proxy |
SCAN_NETWORK |
|
Internet Connection Discovery |
SCAN_NETWORK |
|
Invalid Code Signature |
SCAN_UNCATEGORIZED |
|
Jamming or Denial of Service |
SCAN_NETWORK |
|
JavaScript |
SCAN_FILE |
|
JavaScript/JScript |
SCAN_FILE |
|
Junk Data |
SCAN_NETWORK |
|
Kerberoasting |
SCAN_UNCATEGORIZED |
|
Kernel Modules and Extensions |
SCAN_UNCATEGORIZED |
|
KernelCallbackTable |
SCAN_UNCATEGORIZED |
|
Keychain |
SCAN_UNCATEGORIZED |
|
Keylogging |
SCAN_UNCATEGORIZED |
|
Known Hash |
SCAN_FILE |
|
Launch Agent |
SCAN_UNCATEGORIZED |
|
Launch Daemon |
SCAN_UNCATEGORIZED |
|
Launchctl |
SCAN_PROCESS |
|
Launchd |
SCAN_UNCATEGORIZED |
|
LC_LOAD_DYLIB Addition |
SCAN_UNCATEGORIZED |
|
LC_MAIN Hijacking |
SCAN_UNCATEGORIZED |
|
LD_PRELOAD |
SCAN_UNCATEGORIZED |
|
Linux and Mac File and Directory Permissions Modification |
SCAN_FILE |
ACL_VIOLATION |
ListPlanting |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and Relay |
SCAN_UNCATEGORIZED |
|
LLMNR/NBT-NS Poisoning and SMB Relay |
SCAN_NETWORK |
|
Local Account |
SCAN_UNCATEGORIZED |
|
Local Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Local Data Staging |
SCAN_UNCATEGORIZED |
|
Local Email Collection |
SCAN_UNCATEGORIZED |
|
Local Groups |
SCAN_UNCATEGORIZED |
|
Local Job Scheduling |
SCAN_UNCATEGORIZED |
|
Location Tracking |
SCAN_UNCATEGORIZED |
|
Lockscreen Bypass |
SCAN_UNCATEGORIZED |
EXPLOIT |
Login Hook |
SCAN_UNCATEGORIZED |
|
Login Item |
SCAN_UNCATEGORIZED |
|
Login Items |
SCAN_UNCATEGORIZED |
|
Logon Script (Mac) |
SCAN_UNCATEGORIZED |
|
Logon Script (Windows) |
SCAN_UNCATEGORIZED |
|
Logon Scripts |
SCAN_UNCATEGORIZED |
|
LSA Secrets |
SCAN_UNCATEGORIZED |
|
LSASS Driver |
SCAN_UNCATEGORIZED |
|
LSASS Memory |
SCAN_UNCATEGORIZED |
|
Mail Protocols |
SCAN_NETWORK |
|
Make and Impersonate Token |
SCAN_UNCATEGORIZED |
|
Malicious Activity |
SCAN_UNCATEGORIZED |
|
Malicious File |
SCAN_FILE |
|
Malicious Image |
SCAN_FILE |
|
Malicious Link |
SCAN_NETWORK |
|
Malicious Tool Delivery |
SCAN_UNCATEGORIZED |
|
Malicious Tool Execution |
SCAN_PROCESS |
|
Man in the Browser |
SCAN_NETWORK |
|
Man-in-the-Middle |
SCAN_NETWORK |
|
Manipulate App Store Rankings or Ratings |
SCAN_UNCATEGORIZED |
|
Manipulate Device Communication |
SCAN_NETWORK |
|
Mark-of-the-Web Bypass |
SCAN_UNCATEGORIZED |
|
Masquerade as Legitimate Application |
SCAN_UNCATEGORIZED |
|
Masquerade Task or Service |
SCAN_UNCATEGORIZED |
|
Masquerading |
SCAN_UNCATEGORIZED |
|
Match Legitimate Name or Location |
SCAN_UNCATEGORIZED |
|
Mavinject |
SCAN_UNCATEGORIZED |
|
MMC |
SCAN_FILE |
|
Modify Authentication Process |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Modify Cached Executable Code |
SCAN_UNCATEGORIZED |
|
Modify Cloud Compute Infrastructure |
SCAN_UNCATEGORIZED |
|
Modify Existing Service |
SCAN_UNCATEGORIZED |
|
Modify OS Kernel or Boot Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Registry |
SCAN_UNCATEGORIZED |
|
Modify System Image |
SCAN_UNCATEGORIZED |
|
Modify System Partition |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
Modify Trusted Execution Environment |
SCAN_UNCATEGORIZED |
AUTH_VIOLATION |
MSBuild |
SCAN_UNCATEGORIZED |
|
Mshta |
SCAN_UNCATEGORIZED |
|
Msiexec |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Multi-Factor Authentication Request Generation |
SCAN_UNCATEGORIZED |
|
Multi-hop Proxy |
SCAN_NETWORK |
|
Multi-Stage Channels |
SCAN_NETWORK |
|
Multiband Communication |
SCAN_NETWORK |
|
Multilayer Encryption |
SCAN_NETWORK |
|
Native API |
SCAN_UNCATEGORIZED |
|
Native Code |
SCAN_UNCATEGORIZED |
|
Netsh Helper DLL |
SCAN_UNCATEGORIZED |
|
Network Address Translation Traversal |
SCAN_NETWORK |
|
Network Boundary Bridging |
SCAN_NETWORK |
|
Network Denial of Service |
SCAN_NETWORK |
|
Network Device Authentication |
SCAN_NETWORK |
|
Network Device CLI |
SCAN_NETWORK |
|
Network Device Configuration Dump |
SCAN_NETWORK |
EXPLOIT |
Network Information Discovery |
SCAN_NETWORK |
|
Network Logon Script |
SCAN_UNCATEGORIZED |
|
Network Service Discovery |
SCAN_NETWORK |
|
Network Service Scanning |
SCAN_NETWORK |
|
Network Share Connection Removal |
SCAN_NETWORK |
|
Network Share Discovery |
SCAN_NETWORK |
|
Network Sniffing |
SCAN_NETWORK |
|
Network Traffic Capture or Redirection |
SCAN_NETWORK |
EXPLOIT |
New Service |
SCAN_UNCATEGORIZED |
|
Non-Application Layer Protocol |
SCAN_NETWORK |
|
Non-Standard Encoding |
SCAN_NETWORK |
|
Non-Standard Port |
SCAN_NETWORK |
|
NTDS |
SCAN_UNCATEGORIZED |
|
NTFS File Attributes |
SCAN_FILE |
|
Obfuscated Files or Information |
SCAN_FILE |
|
Obtain Device Cloud Backups |
SCAN_NETWORK |
|
Odbcconf |
SCAN_UNCATEGORIZED |
|
Office Application Startup |
SCAN_UNCATEGORIZED |
|
Office Template Macros |
SCAN_UNCATEGORIZED |
|
Office Test |
SCAN_UNCATEGORIZED |
|
One-Way Communication |
SCAN_NETWORK |
|
OS Credential Dumping |
SCAN_UNCATEGORIZED |
|
OS Exhaustion Flood |
SCAN_UNCATEGORIZED |
|
Out of Band Data |
SCAN_NETWORK |
|
Outlook Forms |
SCAN_UNCATEGORIZED |
|
Outlook Home Page |
SCAN_UNCATEGORIZED |
|
Outlook Rules |
SCAN_UNCATEGORIZED |
|
Parent PID Spoofing |
SCAN_PROCESS |
|
Pass the Hash |
SCAN_UNCATEGORIZED |
|
Pass the Ticket |
SCAN_UNCATEGORIZED |
|
Password Cracking |
SCAN_UNCATEGORIZED |
|
Password Filter DLL |
SCAN_UNCATEGORIZED |
|
Password Guessing |
SCAN_UNCATEGORIZED |
|
Password Managers |
SCAN_UNCATEGORIZED |
|
Password Policy Discovery |
SCAN_UNCATEGORIZED |
|
Password Spraying |
SCAN_UNCATEGORIZED |
|
Patch System Image |
SCAN_UNCATEGORIZED |
|
Path Interception |
SCAN_UNCATEGORIZED |
|
Path Interception by PATH Environment Variable |
SCAN_UNCATEGORIZED |
|
Path Interception by Search Order Hijacking |
SCAN_UNCATEGORIZED |
|
Path Interception by Unquoted Path |
SCAN_UNCATEGORIZED |
|
Peripheral Device Discovery |
SCAN_UNCATEGORIZED |
|
Permission Groups Discovery |
SCAN_UNCATEGORIZED |
|
Phishing |
SCAN_UNCATEGORIZED |
PHISHING |
Plist File Modification |
SCAN_UNCATEGORIZED |
|
Plist Modification |
SCAN_UNCATEGORIZED |
|
Pluggable Authentication Modules |
SCAN_UNCATEGORIZED |
|
Port Knocking |
SCAN_NETWORK |
|
Port Monitors |
SCAN_UNCATEGORIZED |
|
Portable Executable Injection |
SCAN_UNCATEGORIZED |
|
PowerShell |
SCAN_FILE |
|
PowerShell Profile |
SCAN_UNCATEGORIZED |
|
Pre-OS Boot |
SCAN_UNCATEGORIZED |
|
Premium SMS Toll Fraud |
SCAN_UNCATEGORIZED |
|
Prevent Application Removal |
SCAN_UNCATEGORIZED |
|
Print Processors |
SCAN_UNCATEGORIZED |
|
Private Keys |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Proc Filesystem |
SCAN_FILE |
ACL_VIOLATION |
Proc Memory |
SCAN_PROCESS |
|
Process Argument Spoofing |
SCAN_PROCESS |
|
Process Discovery |
SCAN_UNCATEGORIZED |
|
Process Doppelgänging |
SCAN_PROCESS |
|
Process Hollowing |
SCAN_PROCESS |
|
Process Injection |
SCAN_PROCESS |
|
Protected User Data |
SCAN_UNCATEGORIZED |
|
Protocol Impersonation |
SCAN_NETWORK |
|
Protocol Tunneling |
SCAN_NETWORK |
|
Proxy |
SCAN_NETWORK |
|
Proxy Through Victim |
SCAN_UNCATEGORIZED |
|
Ptrace System Calls |
SCAN_PROCESS |
|
PubPrn |
SCAN_FILE |
|
PUP |
SCAN_UNCATEGORIZED |
|
Python |
SCAN_FILE |
|
Query Registry |
SCAN_UNCATEGORIZED |
|
RC Scripts |
SCAN_UNCATEGORIZED |
|
Rc.common |
SCAN_PROCESS |
|
Re-opened Applications |
SCAN_UNCATEGORIZED |
|
Reduce Key Space |
SCAN_UNCATEGORIZED |
|
Redundant Access |
SCAN_UNCATEGORIZED |
|
Reflection Amplification |
SCAN_NETWORK |
|
Reflective Code Loading |
SCAN_UNCATEGORIZED |
|
Registry Run Keys / Startup Folder |
SCAN_UNCATEGORIZED |
|
Regsvcs/Regasm |
SCAN_UNCATEGORIZED |
|
Regsvr32 |
SCAN_UNCATEGORIZED |
|
Remote Access Software |
SCAN_NETWORK |
|
Remote Access Tools |
SCAN_NETWORK |
|
Remote Data Staging |
SCAN_UNCATEGORIZED |
|
Remote Device Management Services |
SCAN_UNCATEGORIZED |
|
Remote Email Collection |
SCAN_UNCATEGORIZED |
|
Remote File Copy |
SCAN_FILE |
DATA_EXFILTRATION |
Remote System Discovery |
SCAN_NETWORK |
|
Remotely Track Device Without Authorization |
SCAN_NETWORK |
|
Remotely Wipe Data Without Authorization |
SCAN_NETWORK |
|
Rename System Utilities |
SCAN_UNCATEGORIZED |
|
Replication Through Removable Media |
SCAN_UNCATEGORIZED |
EXPLOIT |
Resource Forking |
SCAN_FILE |
|
Resource Hijacking |
SCAN_UNCATEGORIZED |
|
Reversible Encryption |
SCAN_UNCATEGORIZED |
|
Revert Cloud Instance |
SCAN_UNCATEGORIZED |
|
Right-to-Left Override |
SCAN_UNCATEGORIZED |
|
Rogue Cellular Base Station |
SCAN_NETWORK |
|
Rogue Domain Controller |
SCAN_UNCATEGORIZED |
|
Rogue Wi-Fi Access Points |
SCAN_NETWORK |
|
ROMMONkit |
SCAN_UNCATEGORIZED |
|
Rootkit |
SCAN_UNCATEGORIZED |
|
Run Virtual Instance |
SCAN_UNCATEGORIZED |
|
Rundll32 |
SCAN_FILE |
|
Runtime Data Manipulation |
SCAN_UNCATEGORIZED |
|
Safe Mode Boot |
SCAN_UNCATEGORIZED |
|
SAML Tokens |
SCAN_UNCATEGORIZED |
|
Scheduled Task |
SCAN_UNCATEGORIZED |
|
Scheduled Task/Job |
SCAN_UNCATEGORIZED |
|
Scheduled Transfer |
SCAN_NETWORK |
|
Screen Capture |
SCAN_UNCATEGORIZED |
|
Screensaver |
SCAN_UNCATEGORIZED |
|
Scripting |
SCAN_FILE |
|
Security Account Manager |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Security Software Discovery |
SCAN_UNCATEGORIZED |
|
Security Support Provider |
SCAN_UNCATEGORIZED |
|
Securityd Memory |
SCAN_UNCATEGORIZED |
|
Sensor-based ML |
SCAN_UNCATEGORIZED |
|
Server Software Component |
SCAN_UNCATEGORIZED |
|
Service Execution |
SCAN_FILE |
|
Service Exhaustion Flood |
SCAN_NETWORK |
NETWORK_DENIAL_OF_SERVICE |
Service Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Service Stop |
SCAN_UNCATEGORIZED |
|
Services File Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Services Registry Permissions Weakness |
SCAN_UNCATEGORIZED |
|
Setuid and Setgid |
SCAN_UNCATEGORIZED |
EXPLOIT |
Shared Modules |
SCAN_UNCATEGORIZED |
|
Sharepoint |
SCAN_UNCATEGORIZED |
|
Shortcut Modification |
SCAN_UNCATEGORIZED |
|
SID-History Injection |
SCAN_UNCATEGORIZED |
|
Signed Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
Signed Script Proxy Execution |
SCAN_UNCATEGORIZED |
|
Silver Ticket |
SCAN_UNCATEGORIZED |
|
SIM Card Swap |
SCAN_NETWORK |
|
SIP and Trust Provider Hijacking |
SCAN_UNCATEGORIZED |
|
SMS Control |
SCAN_UNCATEGORIZED |
|
SMS Messages |
SCAN_UNCATEGORIZED |
|
SNMP (MIB Dump) |
SCAN_UNCATEGORIZED |
|
Software Deployment Tools |
SCAN_UNCATEGORIZED |
|
Software Discovery |
SCAN_UNCATEGORIZED |
|
Software Packing |
SCAN_UNCATEGORIZED |
|
Source |
SCAN_UNCATEGORIZED |
|
Space after Filename |
SCAN_FILE |
|
Spearphishing Attachment |
SCAN_FILE |
EXPLOIT |
Spearphishing Link |
SCAN_NETWORK |
EXPLOIT |
Spearphishing via Service |
SCAN_UNCATEGORIZED |
|
SQL Stored Procedures |
SCAN_UNCATEGORIZED |
|
SSH Authorized Keys |
SCAN_UNCATEGORIZED |
|
Standard Application Layer Protocol |
SCAN_NETWORK |
|
Standard Cryptographic Protocol |
SCAN_NETWORK |
|
Standard Encoding |
SCAN_NETWORK |
|
Standard Non-Application Layer Protocol |
SCAN_NETWORK |
|
Startup Items |
SCAN_UNCATEGORIZED |
|
Steal Application Access Token |
SCAN_UNCATEGORIZED |
|
Steal or Forge Kerberos Tickets |
SCAN_UNCATEGORIZED |
|
Steal Web Session Cookie |
SCAN_UNCATEGORIZED |
|
Steganography |
SCAN_UNCATEGORIZED |
|
Stored Application Data |
SCAN_UNCATEGORIZED |
|
Stored Data Manipulation |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Subvert Trust Controls |
SCAN_UNCATEGORIZED |
|
Sudo |
SCAN_UNCATEGORIZED |
|
Sudo and Sudo Caching |
SCAN_UNCATEGORIZED |
|
Sudo Caching |
SCAN_UNCATEGORIZED |
|
Supply Chain Compromise |
SCAN_UNCATEGORIZED |
|
Suppress Application Icon |
SCAN_UNCATEGORIZED |
|
Suspicious Activity |
SCAN_UNCATEGORIZED |
|
Symmetric Cryptography |
SCAN_NETWORK |
|
System Binary Proxy Execution |
SCAN_UNCATEGORIZED |
|
System Checks |
SCAN_UNCATEGORIZED |
|
System Firmware |
SCAN_UNCATEGORIZED |
|
System Information Discovery |
SCAN_UNCATEGORIZED |
|
System Language Discovery |
SCAN_UNCATEGORIZED |
|
System Location Discovery |
SCAN_UNCATEGORIZED |
|
System Network Configuration Discovery |
SCAN_NETWORK |
|
System Network Connections Discovery |
SCAN_NETWORK |
|
System Owner/User Discovery |
SCAN_UNCATEGORIZED |
|
System Runtime API Hijacking |
SCAN_UNCATEGORIZED |
|
System Script Proxy Execution |
SCAN_FILE |
|
System Service Discovery |
SCAN_UNCATEGORIZED |
|
System Services |
SCAN_UNCATEGORIZED |
|
System Shutdown/Reboot |
SCAN_UNCATEGORIZED |
|
System Time Discovery |
SCAN_UNCATEGORIZED |
|
Systemd Service |
SCAN_UNCATEGORIZED |
|
Systemd Timers |
SCAN_UNCATEGORIZED |
|
Template Injection |
SCAN_UNCATEGORIZED |
EXPLOIT |
Terminal Services DLL |
SCAN_UNCATEGORIZED |
|
TFTP Boot |
SCAN_NETWORK |
|
Third-party Software |
SCAN_UNCATEGORIZED |
|
Thread Execution Hijacking |
SCAN_UNCATEGORIZED |
|
Thread Local Storage |
SCAN_UNCATEGORIZED |
|
Time Based Evasion |
SCAN_UNCATEGORIZED |
|
Time Providers |
SCAN_UNCATEGORIZED |
|
Timestamp |
SCAN_UNCATEGORIZED |
|
Token Impersonation/Theft |
SCAN_UNCATEGORIZED |
|
Traffic Duplication |
SCAN_NETWORK |
|
Traffic Signaling |
SCAN_NETWORK |
|
Transfer Data to Cloud Account |
SCAN_NETWORK |
|
Transmitted Data Manipulation |
SCAN_UNCATEGORIZED |
|
Transport Agent |
SCAN_UNCATEGORIZED |
|
Trap |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities |
SCAN_UNCATEGORIZED |
|
Trusted Developer Utilities Proxy Execution |
SCAN_UNCATEGORIZED |
|
Trusted Relationship |
SCAN_UNCATEGORIZED |
EXPLOIT |
Two-Factor Authentication Interception |
SCAN_UNCATEGORIZED |
|
Uncommonly Used Port |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
Uninstall Malicious Application |
SCAN_UNCATEGORIZED |
|
Unix Shell |
SCAN_FILE |
|
Unix Shell Configuration Modification |
SCAN_UNCATEGORIZED |
|
Unsecured Credentials |
SCAN_FILE |
ACL_VIOLATION |
Unused/Unsupported Cloud Regions |
SCAN_UNCATEGORIZED |
|
URI Hijacking |
SCAN_UNCATEGORIZED |
|
URL Scheme Hijacking |
SCAN_UNCATEGORIZED |
|
Use Alternate Authentication Material |
SCAN_UNCATEGORIZED |
|
User Activity Based Checks |
SCAN_UNCATEGORIZED |
|
User Evasion |
SCAN_UNCATEGORIZED |
|
User Execution |
SCAN_FILE |
|
Valid Accounts |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
VBA Stomping |
SCAN_UNCATEGORIZED |
|
VDSO Hijacking |
SCAN_UNCATEGORIZED |
|
Verclsid |
SCAN_UNCATEGORIZED |
|
Video Capture |
SCAN_UNCATEGORIZED |
|
Virtualization/Sandbox Evasion |
SCAN_UNCATEGORIZED |
|
Visual Basic |
SCAN_UNCATEGORIZED |
|
Weaken Encryption |
SCAN_UNCATEGORIZED |
|
Web Cookies |
SCAN_UNCATEGORIZED |
|
Web Portal Capture |
SCAN_UNCATEGORIZED |
|
Web Protocols |
SCAN_NETWORK |
|
Web Service |
SCAN_NETWORK |
|
Web Session Cookie |
SCAN_NETWORK |
|
Web Shell |
SCAN_UNCATEGORIZED |
|
Windows Command Shell |
SCAN_UNCATEGORIZED |
|
Windows Credential Manager |
SCAN_UNCATEGORIZED |
|
Windows File and Directory Permissions Modification |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation |
SCAN_UNCATEGORIZED |
|
Windows Management Instrumentation Event Subscription |
SCAN_UNCATEGORIZED |
|
Windows Remote Management |
SCAN_UNCATEGORIZED |
|
Windows Service |
SCAN_UNCATEGORIZED |
|
Winlogon Helper DLL |
SCAN_UNCATEGORIZED |
|
XDG Autostart Entries |
SCAN_UNCATEGORIZED |
|
XPC Services |
SCAN_UNCATEGORIZED |
|
XSL Script Processing |
SCAN_FILE |
|
Riferimento alla mappatura dei campi: CS_DETECTS
La tabella seguente elenca i campi del log del tipo di logCS_DETECTS
e i relativi campi UDM.
Log field | UDM mapping | Logic |
---|---|---|
date_updated |
about.labels [date_updated] |
|
q |
about.labels [q] |
|
cid |
about.resource.product_object_id |
|
cid |
metadata.product_deployment_id |
|
|
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION . |
behaviors.timestamp |
about.labels [behavior_timestamp] |
|
behaviors.description |
metadata.description |
|
first_behavior |
metadata.event_timestamp |
|
created_timestamp |
metadata.collected_timestamp |
|
detection_id |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Falcon . |
url_back_to_product |
metadata.url_back_to_product |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Crowdstrike . |
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_flags] |
|
device.agent_load_flags |
principal.asset.attribute.labels [agent_load_time] |
|
device.agent_version |
principal.asset.attribute.labels [agent_version] |
|
device.bios_manufacturer |
principal.asset.attribute.labels [bios_manufacturer] |
|
device.bios_version |
principal.asset.attribute.labels [bios_version] |
|
device.config_id_base |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_build |
principal.asset.attribute.labels [device_config_id_base] |
|
device.config_id_platform |
principal.asset.attribute.labels [device_config_id_platform] |
|
device.cpu_signature |
principal.asset.attribute.labels [device_cpu_signature] |
|
device.groups |
principal.asset.attribute.labels [device_groups] |
|
device.instance_id |
principal.asset.attribute.labels [device_instance_id] |
|
device.last_seen |
principal.asset.attribute.labels [device_last_seen] |
|
device.major_version |
principal.asset.attribute.labels [device_major_version] |
|
device.minor_version |
principal.asset.attribute.labels [device_minor_version] |
|
device.modified_timestamp |
principal.asset.attribute.labels [device_modified_timestamp] |
|
device.ou |
principal.asset.attribute.labels [device_ou] |
|
device.platform_id |
principal.asset.attribute.labels [device_platform_id] |
|
device.product_type |
principal.asset.attribute.labels [device_product_type] |
|
device.reduced_functionality_mode |
principal.asset.attribute.labels [device_reduced_functionality_mode] |
|
device.service_provider_account_id |
principal.asset.attribute.labels [device_service_provider_account_id] |
|
device.service_provider |
principal.asset.attribute.labels [device_service_provider] |
|
device.site_name |
principal.asset.attribute.labels [device_site_name] |
|
device.status |
principal.asset.attribute.labels [device_status] |
|
device.first_seen |
principal.asset.first_seen_time |
|
device.system_manufacturer |
principal.asset.hardware.manufacturer |
|
device.serial_number |
principal.asset.hardware.serial_number |
|
device.hostname |
principal.hostname |
|
device.platform_name |
principal.asset.platform_software.platform |
If the device.platform_name log field value matches the regular expression pattern Windows , then the target.asset.platform_software.platform UDM field is set to WINDOWS . |
device.system_product_name |
principal.asset.platform_software.platform_version |
|
device.device_id |
principal.asset_id |
|
device.product_type_desc |
principal.asset.type |
If the device.product_type_desc log field value matches the regular expression pattern (?i)(Computer or Workstation) , then the principal.asset.type UDM field is set to WORKSTATION .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Server , then the principal.asset.type UDM field is set to SERVER .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Mobile , then the principal.asset.type UDM field is set to MOBILE .Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)iot , then the principal.asset.type UDM field is set to IOT .Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
first_behavior |
principal.asset.vulnerabilities.first_found |
|
last_behavior |
principal.asset.vulnerabilities.last_found |
|
device.machine_domain |
principal.domain.name |
|
device.release_group |
principal.group.group_display_name |
|
device.local_ip |
principal.ip |
|
device.mac_address |
principal.mac |
|
device.external_ip |
principal.nat_ip |
|
device.os_version |
principal.platform_version |
|
device.cid |
principal.resource.product_object_id |
|
behaviors.user_name |
principal.user.user_display_name |
|
behaviors.user_id |
principal.user.windows_sid |
|
quarantined_files.id |
security_result.about.file attributes |
|
email_sent |
security_result.about.labels [email_sent] |
|
assigned_to_name |
security_result.about.user.user_display_name |
|
behaviors.tactic_id |
security_result.attack_details.tactics.id |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.attack_details.tactics.name |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic_id |
security_result.rule_labels [behavior_tactic_id] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field.Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
behaviors.tactic |
security_result.rule_labels [behavior_tactic] |
If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS , then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field.Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
behaviors.technique_id |
security_result.attack_details.techniques.id |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique_id log field is mapped to the security_result.attack_details.techniques.id UDM field. |
behaviors.technique |
security_result.attack_details.techniques.name |
If the behaviors.technique_id log field value does not match the regular expression pattern ^CS , then the behaviors.technique log field is mapped to the security_result.attack_details.techniques.name UDM field. |
behaviors.technique_id |
security_result.rule_id |
|
behaviors.technique |
security_result.rule_name |
|
behaviors.scenario |
security_result.category |
|
behaviors.confidence |
security_result.confidence_details |
|
hostinfo.active_directory_dn_display |
security_result.detection_fields [active_directory_dn_display] |
|
adversary_ids |
security_result.detection_fields [adversary_ids] |
|
behaviors.ioc_description |
security_result.detection_fields [behavior_ioc_description] |
|
behaviors.ioc_source |
security_result.detection_fields [behavior_ioc_source] |
|
behaviors.behavior_id |
security_result.detection_fields [behaviors_behavior_id] |
|
behaviors.objective |
security_result.detection_fields [behaviors_objective] |
|
behaviors.pattern_disposition_details.blocking_unsupported_or_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_blocking_unsupported_or_disabled] |
|
behaviors.pattern_disposition_details.bootup_safeguard_enabled |
security_result.detection_fields [behaviors_pattern_disposition_details_bootup_safeguard_enabled] |
|
behaviors.pattern_disposition_details.critical_process_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_critical_process_disabled] |
|
behaviors.pattern_disposition_details.detect |
security_result.detection_fields [behaviors_pattern_disposition_details_detect] |
|
behaviors.pattern_disposition_details.fs_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_fs_operation_blocked] |
|
behaviors.pattern_disposition_details.handle_operation_downgraded |
security_result.detection_fields [behaviors_pattern_disposition_details_handle_operation_downgraded] |
|
behaviors.pattern_disposition_details.inddet_mask |
security_result.detection_fields [behaviors_pattern_disposition_details_inddet_mask] |
|
behaviors.pattern_disposition_details.indicator |
security_result.detection_fields [behaviors_pattern_disposition_details_indicator] |
|
behaviors.pattern_disposition_details.kill_action_failed |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_action_failed] |
|
behaviors.pattern_disposition_details.kill_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_parent] |
|
behaviors.pattern_disposition_details.kill_process |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_process] |
|
behaviors.pattern_disposition_details.kill_subprocess |
security_result.detection_fields [behaviors_pattern_disposition_details_kill_subprocess] |
|
behaviors.pattern_disposition_details.operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_operation_blocked] |
|
behaviors.pattern_disposition_details.policy_disabled |
security_result.detection_fields [behaviors_pattern_disposition_details_policy_disabled] |
|
behaviors.pattern_disposition_details.process_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_process_blocked] |
|
behaviors.pattern_disposition_details.quarantine_file |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_file] |
|
behaviors.pattern_disposition_details.quarantine_machine |
security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_machine] |
|
behaviors.pattern_disposition_details.registry_operation_blocked |
security_result.detection_fields [behaviors_pattern_disposition_details_registry_operation_blocked] |
|
behaviors.pattern_disposition_details.rooting |
security_result.detection_fields [behaviors_pattern_disposition_details_rooting] |
|
behaviors.pattern_disposition_details.sensor_only |
security_result.detection_fields [behaviors_pattern_disposition_details_sensor_only] |
|
behaviors.pattern_disposition_details.suspend_parent |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_parent] |
|
behaviors.pattern_disposition_details.suspend_process |
security_result.detection_fields [behaviors_pattern_disposition_details_suspend_process] |
|
behaviors.pattern_disposition |
security_result.detection_fields [behaviors_pattern_disposition] |
If the behaviors.pattern_disposition log field value is equal to 0 , then the security_result.detection_fields.key/value UDM field is set to Detection, standard detection .Else, if the behaviors.pattern_disposition log field value is equal to 16 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process killed .Else, if the behaviors.pattern_disposition log field value is equal to 128 , then the security_result.detection_fields.key/value UDM field is mapped to the Detection/Quarantine, standard detection and quarantine was attempted .Else, if the behaviors.pattern_disposition log field value is equal to 272 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 512 , then the security_result.detection_fields.key/value UDM field is set to Prevention, parent process killed .Else, if the behaviors.pattern_disposition log field value is equal to 768 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 1024 , then the security_result.detection_fields.key/value UDM field is set to Prevention, operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 1280 , then the security_result.detection_fields.key/value UDM field is set to Detection, operation would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2048 , then the security_result.detection_fields.key/value UDM field is set to Prevention, process blocked from execution .Else, if the behaviors.pattern_disposition log field value is equal to 2176 , then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 2304 , then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been blocked if related prevention policy setting was enabled .Else, if the behaviors.pattern_disposition log field value is equal to 4096 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked .Else, if the behaviors.pattern_disposition log field value is equal to 4112 , then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked and context process killed .Else, if the behaviors.pattern_disposition log field value is equal to 4638 , then the security_result.detection_fields.key/value UDM field is set to Detection, registry operation would have been blocked and context process would have been killed if a prevention policy setting was enabled . |
behaviors_processed [] |
security_result.detection_fields [behaviors_processed] |
|
behaviors.control_graph_id |
security_result.detection_fields [control_graph_id] |
|
behaviors.control_graph_id |
security_result.detection_fields [tree_id] |
The tree_id field is extracted from the behaviors.control_graph_id log field using the Grok pattern, and the tree_id extracted field is mapped to the security_result.detection_fields UDM field. |
hostinfo.domain |
security_result.detection_fields [hostinfo_domain] |
|
max_confidence |
security_result.detection_fields [max_confidence] |
|
max_severity |
security_result.detection_fields [max_severity] |
|
overwatch_notes |
security_result.detection_fields [overwatch_notes] |
|
quarantined_files.paths |
security_result.detection_fields [quarantined_files_paths] |
|
quarantined_files.sha256 |
security_result.detection_fields [quarantined_files_sha256] |
|
quarantined_files.state |
security_result.detection_fields [quarantined_files_state] |
|
seconds_to_resolved |
security_result.detection_fields [seconds_to_resolved] |
|
seconds_to_triaged |
security_result.detection_fields [seconds_to_triaged] |
|
show_in_ui |
security_result.detection_fields [show_in_ui] |
|
status |
security_result.detection_fields [status] |
|
behaviors.template_instance_id |
security_result.detection_fields [template_instance_id] |
|
behaviors.triggering_process_graph_id |
security_result.detection_fields [triggering_process_graph_id] |
|
behaviors.rule_instance_id |
security_result.rule_labels [rule_instance_id] |
|
behaviors.rule_instance_version |
security_result.rule_labels [rule_instance_version] |
|
max_severity_displayname |
security_result.severity |
If the max_severity_displayname log field value matches the regular expression pattern (?i)Low , then the security_result.severity UDM field is set to LOW .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Informational , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Medium , then the security_result.severity UDM field is set to MEDIUM .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)High , then the security_result.severity UDM field is set to HIGH .Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Critical , then the security_result.severity UDM field is set to CRITICAL .Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
behaviors.severity |
security_result.severity_details |
|
behaviors.display_name |
security_result.summary |
|
behaviors.ioc_type |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
behaviors.ioc_value |
security_result.threat_name |
The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field. |
|
target.file.full_path |
If the behaviors.filepath log field value is equal to System , then the behaviors.ioc_description log field is mapped to the target.file.full_path UDM field.Else, the behaviors.filepath log field is mapped to the target.file.full_path UDM field. |
behaviors.alleged_filetype |
target.file.mime_type |
|
behaviors.filename |
target.file.names |
|
behaviors.sha256 |
target.file.sha256 |
If the behavior.sha256 log field value is not equal to empty or N/A , then the behavior.sha256 log field is mapped to the target.file.sha256 UDM field. |
behaviors.cmdline |
target.process.command_line |
|
behaviors.md5 |
target.process.file.md5 |
If the behavior.md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.md5 log field is mapped to the target.process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_md5 and the behavior.md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_cmdline |
target.process.parent_process.command_line |
|
behaviors.parent_details.parent_md5 |
target.process.parent_process.file.md5 |
If the behavior.parent_details.parent_md5 log field value matches the regular expression pattern ^(0-9a-f)+$ , then the behavior.parent_details.parent_md5 log field is mapped to the target.process.parent_process.file.md5 UDM field.Else, the target.labels.key UDM field is set to behavior_parent_details_parent_md5 and the behavior.parent_details.parent_md5 log field is mapped to the target.labels.value UDM field. |
behaviors.parent_details.parent_sha256 |
target.process.parent_process.file.sha256 |
If the behavior.parent_details.parent_sha256 log field value is not equal to empty or N/A , then the behavior.parent_details.parent_sha256 log field is mapped to the target.process.parent_process.file.sha256 UDM field. |
behaviors.parent_details.parent_process_id |
target.process.parent_process.pid |
|
behaviors.parent_details.parent_process_graph_id |
target.process.parent_process.product_specific_process_id |
|
behaviors.triggering_process_id |
target.process.pid |
|
behaviors.device_id |
|
Contains same value as device.device_id . Hence, this field is not mapped. |