Collect CrowdStrike Detection logs

Supported platforms:

This document describes how to export CrowdStrike Detection logs to Google Security Operations using a Google Security Operations feed, and how CrowdStrike Detection fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of CrowdStrike and a Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and may be more complex.

The deployment contains the following components:

  • CrowdStrike Falcon Intelligence: the CrowdStrike product from which you collect logs.

  • CrowdStrike feed: the feed that fetches logs from CrowdStrike and writes them to Google SecOps.

  • Google Security Operations: retains and analyzes the CrowdStrike Detection logs.

An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the CS_DETECTS ingestion label.

Before you begin

  • Ensure that you have administrator privileges on your CrowdStrike instance to install the CrowdStrike Falcon Host sensor.

  • Ensure that all systems in the deployment architecture are configured with the Coordinated Universal Time (UTC) time zone.

  • Ensure that the device runs a supported operating system.

    • The operating system must run on a 64-bit server. CrowdStrike Falcon Host sensor version 6.51 or later supports Microsoft Windows Server 2008 R2 SP1.
    • Systems running older operating systems, such as Windows 7 SP1, need SHA-2 code-signing support installed on the device.
  • Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.

Configure CrowdStrike to ingest logs

To set up the ingestion feed, follow these steps:

  1. Create a new API client key pair in CrowdStrike Falcon. This key pair is used to read events and supplementary information from CrowdStrike Falcon.
  2. When creating the key pair, grant READ permission on Detections.

Configure a feed in Google Security Operations to ingest CrowdStrike Detection logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. In the Field name field, enter a unique name for the feed.
  4. Select Third party API as the Source type.
  5. Select CrowdStrike Detection Monitoring as the Log type.
  6. Click Next.
  7. Configure the following required input parameters:
    • OAuth token endpoint: specify the token endpoint.
    • OAuth client ID: specify the client ID you obtained earlier.
    • OAuth client secret: specify the client secret you obtained earlier.
    • Base URL: specify the base URL.
  8. Click Next, and then click Submit.

Field mapping reference

This section explains how the Google Security Operations parser maps CrowdStrike Detection fields to Google Security Operations Unified Data Model (UDM) fields. The following table lists the CS_DETECTS event identifiers and their corresponding UDM event types.

| Event Identifier | Event Type | Security Category |
|---|---|---|
| .bash_profile and .bashrc | SCAN_FILE | |
| /etc/passwd and /etc/shadow | SCAN_UNCATEGORIZED | |
| Abuse Accessibility Features | SCAN_UNCATEGORIZED | |
| Abuse Device Administrator Access to Prevent Removal | SCAN_UNCATEGORIZED | |
| Abuse Elevation Control Mechanism | SCAN_UNCATEGORIZED | |
| Access Calendar Entries | SCAN_UNCATEGORIZED | |
| Access Call Log | SCAN_UNCATEGORIZED | |
| Access Contact List | SCAN_UNCATEGORIZED | |
| Access Notifications | SCAN_UNCATEGORIZED | |
| Access Sensitive Data in Device Logs | SCAN_UNCATEGORIZED | |
| Access Stored Application Data | SCAN_UNCATEGORIZED | |
| Access Token Manipulation | SCAN_UNCATEGORIZED | |
| Accessibility Features | SCAN_UNCATEGORIZED | |
| Account Access Removal | SCAN_UNCATEGORIZED | |
| Account Discovery | SCAN_UNCATEGORIZED | |
| Account Manipulation | SCAN_UNCATEGORIZED | |
| Active Setup | SCAN_UNCATEGORIZED | |
| Add Office 365 Global Administrator Role | SCAN_UNCATEGORIZED | |
| Add-ins | SCAN_UNCATEGORIZED | |
| Additional Azure Service Principal Credentials | SCAN_UNCATEGORIZED | |
| Additional Cloud Credentials | SCAN_UNCATEGORIZED | |
| Additional Cloud Roles | SCAN_UNCATEGORIZED | |
| Additional Email Delegate Permissions | SCAN_UNCATEGORIZED | |
| Adversary-in-the-Middle | SCAN_UNCATEGORIZED | |
| Adware | SCAN_UNCATEGORIZED | |
| Adware/PUP | SCAN_PROCESS | |
| Alternate Network Mediums | SCAN_NETWORK | |
| Android Intent Hijacking | SCAN_UNCATEGORIZED | |
| App Auto-Start at Device Boot | SCAN_UNCATEGORIZED | |
| AppCert DLLs | SCAN_UNCATEGORIZED | |
| AppInit DLLs | SCAN_UNCATEGORIZED | |
| AppleScript | SCAN_FILE | |
| Application Access Token | SCAN_UNCATEGORIZED | |
| Application Discovery | SCAN_UNCATEGORIZED | |
| Application Exhaustion Flood | SCAN_UNCATEGORIZED | |
| Application Layer Protocol | SCAN_NETWORK | |
| Application or System Exploitation | SCAN_UNCATEGORIZED | |
| Application Shimming | SCAN_UNCATEGORIZED | |
| Application Window Discovery | SCAN_UNCATEGORIZED | |
| Archive Collected Data | SCAN_UNCATEGORIZED | |
| Archive via Custom Method | SCAN_UNCATEGORIZED | |
| Archive via Library | SCAN_FILE | DATA_EXFILTRATION |
| Archive via Utility | SCAN_UNCATEGORIZED | |
| ARP Cache Poisoning | SCAN_NETWORK | |
| AS-REP Roasting | SCAN_UNCATEGORIZED | |
| Asymmetric Cryptography | SCAN_NETWORK | |
| Asynchronous Procedure Call | SCAN_PROCESS | EXPLOIT |
| At | SCAN_UNCATEGORIZED | |
| At (Linux) | SCAN_UNCATEGORIZED | |
| At (Windows) | SCAN_UNCATEGORIZED | |
| Attack PC via USB Connection | SCAN_UNCATEGORIZED | |
| Attributed to Adversary | SCAN_UNCATEGORIZED | |
| Audio Capture | SCAN_UNCATEGORIZED | |
| Authentication Package | SCAN_UNCATEGORIZED | |
| Automated Collection | SCAN_UNCATEGORIZED | |
| Automated Exfiltration | SCAN_UNCATEGORIZED | EXPLOIT |
| Bad device settings | SCAN_HOST | |
| Bash History | SCAN_UNCATEGORIZED | |
| Bidirectional Communication | SCAN_NETWORK | |
| Binary Padding | SCAN_UNCATEGORIZED | |
| BITS Jobs | SCAN_UNCATEGORIZED | |
| Boot or Logon Autostart Execution | SCAN_UNCATEGORIZED | |
| Boot or Logon Initialization Scripts | SCAN_UNCATEGORIZED | |
| Bootkit | SCAN_UNCATEGORIZED | |
| Broadcast Receivers | SCAN_UNCATEGORIZED | |
| Browser Bookmark Discovery | SCAN_UNCATEGORIZED | |
| Browser Exploit | SCAN_UNCATEGORIZED | EXPLOIT |
| Browser Extensions | SCAN_UNCATEGORIZED | |
| Browser Session Hijacking | SCAN_UNCATEGORIZED | |
| Brute Force | SCAN_UNCATEGORIZED | |
| Build Image on Host | SCAN_UNCATEGORIZED | |
| Bypass Monitoring | SCAN_HOST | |
| Bypass User Access Control | SCAN_UNCATEGORIZED | |
| Bypass User Account Control | SCAN_UNCATEGORIZED | |
| Cached Domain Credentials | SCAN_UNCATEGORIZED | |
| Calendar Entries | SCAN_UNCATEGORIZED | |
| Call Control | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Call Log | SCAN_UNCATEGORIZED | |
| Capture Audio | SCAN_UNCATEGORIZED | |
| Capture Camera | SCAN_UNCATEGORIZED | |
| Capture Clipboard Data | SCAN_UNCATEGORIZED | |
| Capture SMS Messages | SCAN_UNCATEGORIZED | |
| Carrier Billing Fraud | SCAN_UNCATEGORIZED | |
| Change Default File Association | SCAN_FILE | |
| Clear Command History | SCAN_UNCATEGORIZED | |
| Clear Linux or Mac System Logs | SCAN_UNCATEGORIZED | |
| Clear Windows Event Logs | SCAN_UNCATEGORIZED | |
| Clipboard Data | SCAN_UNCATEGORIZED | |
| Clipboard Modification | SCAN_UNCATEGORIZED | |
| Cloud Account | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Cloud Accounts | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Cloud Groups | SCAN_NETWORK | |
| Cloud Infrastructure Discovery | SCAN_NETWORK | |
| Cloud Instance Metadata API | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Cloud Service Dashboard | SCAN_NETWORK | |
| Cloud Service Discovery | SCAN_NETWORK | |
| Cloud Storage Object Discovery | SCAN_NETWORK | |
| Cloud-based ML | SCAN_UNCATEGORIZED | |
| CMSTP | SCAN_UNCATEGORIZED | |
| Code Injection | SCAN_UNCATEGORIZED | |
| Code Repositories | SCAN_UNCATEGORIZED | |
| Code Signing | SCAN_UNCATEGORIZED | |
| Code Signing Policy Modification | SCAN_UNCATEGORIZED | |
| Command and Scripting Interpreter | SCAN_FILE | |
| Command-Line Interface | SCAN_UNCATEGORIZED | |
| Commonly Used Port | SCAN_NETWORK | |
| Communication Through Removable Media | SCAN_NETWORK | |
| Compile After Delivery | SCAN_FILE | |
| Compiled HTML File | SCAN_FILE | |
| Component Firmware | SCAN_UNCATEGORIZED | |
| Component Object Model | SCAN_UNCATEGORIZED | |
| Component Object Model and Distributed COM | SCAN_UNCATEGORIZED | |
| Component Object Model Hijacking | SCAN_UNCATEGORIZED | |
| Compromise Application Executable | SCAN_UNCATEGORIZED | |
| Compromise Client Software Binary | SCAN_UNCATEGORIZED | |
| Compromise Hardware Supply Chain | SCAN_UNCATEGORIZED | |
| Compromise Software Dependencies and Development Tools | SCAN_UNCATEGORIZED | |
| Compromise Software Supply Chain | SCAN_UNCATEGORIZED | |
| Confluence | SCAN_UNCATEGORIZED | |
| Connection Proxy | SCAN_NETWORK | |
| Contact List | SCAN_UNCATEGORIZED | |
| Container Administration Command | SCAN_UNCATEGORIZED | |
| Container and Resource Discovery | SCAN_NETWORK | |
| Container API | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Container Orchestration Job | SCAN_UNCATEGORIZED | |
| Control Panel | SCAN_UNCATEGORIZED | |
| Control Panel Items | SCAN_UNCATEGORIZED | |
| COR_PROFILER | SCAN_UNCATEGORIZED | |
| Create Account | SCAN_UNCATEGORIZED | |
| Create Cloud Instance | SCAN_UNCATEGORIZED | |
| Create or Modify System Process | SCAN_PROCESS | |
| Create Process with Token | SCAN_PROCESS | |
| Create Snapshot | SCAN_UNCATEGORIZED | |
| Credential API Hooking | SCAN_UNCATEGORIZED | |
| Credential Dumping | SCAN_UNCATEGORIZED | |
| Credential Stuffing | SCAN_UNCATEGORIZED | |
| Credentials from Password Store | SCAN_UNCATEGORIZED | |
| Credentials from Password Stores | SCAN_UNCATEGORIZED | |
| Credentials from Web Browsers | SCAN_FILE | DATA_EXFILTRATION |
| Credentials In Files | SCAN_FILE | DATA_EXFILTRATION |
| Credentials in Registry | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Cron | SCAN_UNCATEGORIZED | |
| Custom Command and Control Protocol | SCAN_NETWORK | |
| Custom Cryptographic Protocol | SCAN_NETWORK | |
| Data Compressed | SCAN_UNCATEGORIZED | |
| Data Destruction | SCAN_FILE | |
| Data Encoding | SCAN_NETWORK | |
| Data Encrypted | SCAN_UNCATEGORIZED | |
| Data Encrypted for Impact | SCAN_UNCATEGORIZED | |
| Data from Cloud Storage Object | SCAN_UNCATEGORIZED | |
| Data from Configuration Repository | SCAN_UNCATEGORIZED | |
| Data from Information Repositories | SCAN_UNCATEGORIZED | |
| Data from Local System | SCAN_UNCATEGORIZED | |
| Data from Network Shared Drive | SCAN_NETWORK | |
| Data from Removable Media | SCAN_UNCATEGORIZED | |
| Data Manipulation | SCAN_UNCATEGORIZED | |
| Data Obfuscation | SCAN_NETWORK | |
| Data Staged | SCAN_UNCATEGORIZED | |
| Data Transfer Size Limits | SCAN_UNCATEGORIZED | |
| DCShadow | SCAN_UNCATEGORIZED | |
| DCSync | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Dead Drop Resolver | SCAN_NETWORK | |
| Debugger Evasion | SCAN_UNCATEGORIZED | |
| Defacement | SCAN_UNCATEGORIZED | |
| Default Accounts | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Delete Cloud Instance | SCAN_UNCATEGORIZED | |
| Delete Device Data | SCAN_UNCATEGORIZED | |
| Deliver Malicious App via Authorized App Store | SCAN_UNCATEGORIZED | |
| Deliver Malicious App via Other Means | SCAN_UNCATEGORIZED | |
| Deobfuscate/Decode Files or Information | SCAN_FILE | |
| Deploy Container | SCAN_UNCATEGORIZED | |
| Destructive Malware | SCAN_UNCATEGORIZED | |
| Device Administrator Permissions | SCAN_UNCATEGORIZED | |
| Device Lockout | SCAN_UNCATEGORIZED | |
| Device Registration | SCAN_UNCATEGORIZED | |
| DHCP Spoofing | SCAN_NETWORK | |
| Direct Network Flood | SCAN_NETWORK | |
| Direct Volume Access | SCAN_UNCATEGORIZED | |
| Disable Cloud Logs | SCAN_UNCATEGORIZED | |
| Disable Crypto Hardware | SCAN_UNCATEGORIZED | |
| Disable or Modify Cloud Firewall | SCAN_NETWORK | |
| Disable or Modify System Firewall | SCAN_NETWORK | |
| Disable or Modify Tools | SCAN_UNCATEGORIZED | |
| Disable Windows Event Logging | SCAN_UNCATEGORIZED | |
| Disabling Security Tools | SCAN_UNCATEGORIZED | |
| Disguise Root/Jailbreak Indicators | SCAN_UNCATEGORIZED | |
| Disk Content Wipe | SCAN_UNCATEGORIZED | |
| Disk Structure Wipe | SCAN_UNCATEGORIZED | |
| Disk Wipe | SCAN_UNCATEGORIZED | |
| DLL Search Order Hijacking | SCAN_UNCATEGORIZED | |
| DLL Side-Loading | SCAN_UNCATEGORIZED | |
| DNS | SCAN_NETWORK | |
| DNS Calculation | SCAN_NETWORK | |
| Domain Account | SCAN_UNCATEGORIZED | |
| Domain Accounts | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Domain Controller Authentication | SCAN_UNCATEGORIZED | |
| Domain Fronting | SCAN_NETWORK | |
| Domain Generation Algorithms | SCAN_NETWORK | |
| Domain Groups | SCAN_UNCATEGORIZED | |
| Domain Policy Modification | SCAN_UNCATEGORIZED | |
| Domain Trust Discovery | SCAN_UNCATEGORIZED | |
| Domain Trust Modification | SCAN_UNCATEGORIZED | |
| Double File Extension | SCAN_FILE | |
| Downgrade Attack | SCAN_UNCATEGORIZED | |
| Downgrade System Image | SCAN_UNCATEGORIZED | |
| Downgrade to Insecure Protocols | SCAN_NETWORK | |
| Download New Code at Runtime | SCAN_UNCATEGORIZED | |
| Drive-by Compromise | SCAN_UNCATEGORIZED | EXPLOIT |
| Dylib Hijacking | SCAN_UNCATEGORIZED | |
| Dynamic Data Exchange | SCAN_UNCATEGORIZED | |
| Dynamic Linker Hijacking | SCAN_UNCATEGORIZED | |
| Dynamic Resolution | SCAN_NETWORK | |
| Dynamic-link Library Injection | SCAN_UNCATEGORIZED | |
| Eavesdrop on Insecure Network Communication | SCAN_NETWORK | |
| Elevated Execution with Prompt | SCAN_UNCATEGORIZED | |
| Email Account | SCAN_NETWORK | |
| Email Collection | SCAN_UNCATEGORIZED | |
| Email Forwarding Rule | SCAN_UNCATEGORIZED | |
| Email Hiding Rules | SCAN_UNCATEGORIZED | |
| Emond | SCAN_UNCATEGORIZED | |
| Encrypted Channel | SCAN_NETWORK | |
| Endpoint Denial of Service | SCAN_UNCATEGORIZED | |
| Environmental Keying | SCAN_UNCATEGORIZED | |
| Escape to Host | SCAN_UNCATEGORIZED | |
| Evade Analysis Environment | SCAN_UNCATEGORIZED | |
| Event Triggered Execution | SCAN_UNCATEGORIZED | |
| Exchange Email Delegate Permissions | SCAN_UNCATEGORIZED | |
| Executable Installer File Permissions Weakness | SCAN_UNCATEGORIZED | |
| Execution Guardrails | SCAN_UNCATEGORIZED | |
| Execution through API | SCAN_UNCATEGORIZED | |
| Execution through Module Load | SCAN_UNCATEGORIZED | |
| Exfiltration Over Alternative Protocol | SCAN_NETWORK | EXPLOIT |
| Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | SCAN_NETWORK | |
| Exfiltration Over Bluetooth | SCAN_UNCATEGORIZED | |
| Exfiltration Over C2 Channel | SCAN_NETWORK | EXPLOIT |
| Exfiltration Over Command and Control Channel | SCAN_NETWORK | |
| Exfiltration Over Other Network Medium | SCAN_NETWORK | |
| Exfiltration Over Physical Medium | SCAN_UNCATEGORIZED | |
| Exfiltration Over Symmetric Encrypted Non-C2 Protocol | SCAN_NETWORK | |
| Exfiltration Over Unencrypted Non-C2 Protocol | SCAN_NETWORK | EXPLOIT |
| Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | SCAN_NETWORK | |
| Exfiltration over USB | SCAN_UNCATEGORIZED | |
| Exfiltration Over Web Service | SCAN_NETWORK | |
| Exfiltration to Cloud Storage | SCAN_UNCATEGORIZED | |
| Exfiltration to Code Repository | SCAN_NETWORK | |
| Exploit Enterprise Resources | SCAN_NETWORK | |
| Exploit Mitigation | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploit OS Vulnerability | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploit Public-Facing Application | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploit SS7 to Redirect Phone Calls/SMS | SCAN_NETWORK | EXPLOIT |
| Exploit SS7 to Track Device Location | SCAN_NETWORK | EXPLOIT |
| Exploit TEE Vulnerability | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploit via Charging Station or PC | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploit via Radio Interfaces | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploitation for Client Execution | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploitation for Credential Access | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploitation for Defense Evasion | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploitation for Privilege Escalation | SCAN_UNCATEGORIZED | EXPLOIT |
| Exploitation of Remote Services | SCAN_NETWORK | EXPLOIT |
| External Defacement | SCAN_UNCATEGORIZED | |
| External Proxy | SCAN_NETWORK | |
| External Remote Services | SCAN_UNCATEGORIZED | |
| Extra Window Memory Injection | SCAN_UNCATEGORIZED | |
| Fallback Channels | SCAN_NETWORK | |
| Fast Flux DNS | SCAN_NETWORK | |
| File and Directory Discovery | SCAN_FILE | |
| File and Directory Permissions Modification | SCAN_FILE | ACL_VIOLATION |
| File Deletion | SCAN_FILE | DATA_DESTRUCTION |
| File System Logical Offsets | SCAN_FILE | |
| File System Permissions Weakness | SCAN_UNCATEGORIZED | |
| File Transfer Protocols | SCAN_FILE | DATA_EXFILTRATION |
| Firmware Corruption | SCAN_UNCATEGORIZED | |
| Forced Authentication | SCAN_UNCATEGORIZED | |
| Foreground Persistence | SCAN_UNCATEGORIZED | |
| Forge Web Credentials | SCAN_UNCATEGORIZED | |
| Gatekeeper Bypass | SCAN_UNCATEGORIZED | |
| Generate Fraudulent Advertising Revenue | SCAN_UNCATEGORIZED | |
| Generate Traffic from Victim | SCAN_UNCATEGORIZED | |
| Geofencing | SCAN_UNCATEGORIZED | |
| Golden Ticket | SCAN_UNCATEGORIZED | |
| Graphical User Interface | SCAN_UNCATEGORIZED | |
| Group Policy Discovery | SCAN_UNCATEGORIZED | |
| Group Policy Modification | SCAN_UNCATEGORIZED | |
| Group Policy Preferences | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| GUI Input Capture | SCAN_UNCATEGORIZED | |
| Hardware Additions | SCAN_NETWORK | |
| Hidden File System | SCAN_UNCATEGORIZED | |
| Hidden Files and Directories | SCAN_FILE | |
| Hidden Users | SCAN_UNCATEGORIZED | |
| Hidden Window | SCAN_UNCATEGORIZED | |
| Hide Artifacts | SCAN_UNCATEGORIZED | |
| Hijack Execution Flow | SCAN_UNCATEGORIZED | |
| HISTCONTROL | SCAN_UNCATEGORIZED | |
| Hooking | SCAN_UNCATEGORIZED | |
| HTML Smuggling | SCAN_UNCATEGORIZED | |
| Hypervisor | SCAN_UNCATEGORIZED | |
| IIS Components | SCAN_UNCATEGORIZED | |
| Image File Execution Options Injection | SCAN_UNCATEGORIZED | |
| Impair Command History Logging | SCAN_UNCATEGORIZED | |
| Impair Defenses | SCAN_UNCATEGORIZED | |
| Impersonate SS7 Nodes | SCAN_UNCATEGORIZED | |
| Implant Container Image | SCAN_UNCATEGORIZED | |
| Implant Internal Image | SCAN_UNCATEGORIZED | |
| Indicator Blocking | SCAN_UNCATEGORIZED | |
| Indicator of Compromise | SCAN_UNCATEGORIZED | |
| Indicator Removal from Tools | SCAN_UNCATEGORIZED | |
| Indicator Removal on Host | SCAN_UNCATEGORIZED | |
| Indirect Command Execution | SCAN_UNCATEGORIZED | |
| Ingress Tool Transfer | SCAN_FILE | DATA_EXFILTRATION |
| Inhibit System Recovery | SCAN_UNCATEGORIZED | |
| Input Capture | SCAN_UNCATEGORIZED | |
| Input Injection | SCAN_UNCATEGORIZED | |
| Input Prompt | SCAN_UNCATEGORIZED | |
| Install Insecure or Malicious Configuration | SCAN_UNCATEGORIZED | |
| Install Root Certificate | SCAN_FILE | |
| InstallUtil | SCAN_UNCATEGORIZED | |
| Intelligence Indicator - Domain | SCAN_NETWORK | |
| Intelligence Indicator - Hash | SCAN_FILE | |
| Intelligence Indicator - IP | SCAN_NETWORK | |
| Inter-Process Communication | SCAN_PROCESS | |
| Internal Defacement | SCAN_UNCATEGORIZED | |
| Internal Proxy | SCAN_NETWORK | |
| Internet Connection Discovery | SCAN_NETWORK | |
| Invalid Code Signature | SCAN_UNCATEGORIZED | |
| Jamming or Denial of Service | SCAN_NETWORK | |
| JavaScript | SCAN_FILE | |
| JavaScript/JScript | SCAN_FILE | |
| Junk Data | SCAN_NETWORK | |
| Kerberoasting | SCAN_UNCATEGORIZED | |
| Kernel Modules and Extensions | SCAN_UNCATEGORIZED | |
| KernelCallbackTable | SCAN_UNCATEGORIZED | |
| Keychain | SCAN_UNCATEGORIZED | |
| Keylogging | SCAN_UNCATEGORIZED | |
| Known Hash | SCAN_FILE | |
| Launch Agent | SCAN_UNCATEGORIZED | |
| Launch Daemon | SCAN_UNCATEGORIZED | |
| Launchctl | SCAN_PROCESS | |
| Launchd | SCAN_UNCATEGORIZED | |
| LC_LOAD_DYLIB Addition | SCAN_UNCATEGORIZED | |
| LC_MAIN Hijacking | SCAN_UNCATEGORIZED | |
| LD_PRELOAD | SCAN_UNCATEGORIZED | |
| Linux and Mac File and Directory Permissions Modification | SCAN_FILE | ACL_VIOLATION |
| ListPlanting | SCAN_UNCATEGORIZED | |
| LLMNR/NBT-NS Poisoning and Relay | SCAN_UNCATEGORIZED | |
| LLMNR/NBT-NS Poisoning and SMB Relay | SCAN_NETWORK | |
| Local Account | SCAN_UNCATEGORIZED | |
| Local Accounts | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Local Data Staging | SCAN_UNCATEGORIZED | |
| Local Email Collection | SCAN_UNCATEGORIZED | |
| Local Groups | SCAN_UNCATEGORIZED | |
| Local Job Scheduling | SCAN_UNCATEGORIZED | |
| Location Tracking | SCAN_UNCATEGORIZED | |
| Lockscreen Bypass | SCAN_UNCATEGORIZED | EXPLOIT |
| Login Hook | SCAN_UNCATEGORIZED | |
| Login Item | SCAN_UNCATEGORIZED | |
| Login Items | SCAN_UNCATEGORIZED | |
| Logon Script (Mac) | SCAN_UNCATEGORIZED | |
| Logon Script (Windows) | SCAN_UNCATEGORIZED | |
| Logon Scripts | SCAN_UNCATEGORIZED | |
| LSA Secrets | SCAN_UNCATEGORIZED | |
| LSASS Driver | SCAN_UNCATEGORIZED | |
| LSASS Memory | SCAN_UNCATEGORIZED | |
| Mail Protocols | SCAN_NETWORK | |
| Make and Impersonate Token | SCAN_UNCATEGORIZED | |
| Malicious Activity | SCAN_UNCATEGORIZED | |
| Malicious File | SCAN_FILE | |
| Malicious Image | SCAN_FILE | |
| Malicious Link | SCAN_NETWORK | |
| Malicious Tool Delivery | SCAN_UNCATEGORIZED | |
| Malicious Tool Execution | SCAN_PROCESS | |
| Man in the Browser | SCAN_NETWORK | |
| Man-in-the-Middle | SCAN_NETWORK | |
| Manipulate App Store Rankings or Ratings | SCAN_UNCATEGORIZED | |
| Manipulate Device Communication | SCAN_NETWORK | |
| Mark-of-the-Web Bypass | SCAN_UNCATEGORIZED | |
| Masquerade as Legitimate Application | SCAN_UNCATEGORIZED | |
| Masquerade Task or Service | SCAN_UNCATEGORIZED | |
| Masquerading | SCAN_UNCATEGORIZED | |
| Match Legitimate Name or Location | SCAN_UNCATEGORIZED | |
| Mavinject | SCAN_UNCATEGORIZED | |
| MMC | SCAN_FILE | |
| Modify Authentication Process | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Modify Cached Executable Code | SCAN_UNCATEGORIZED | |
| Modify Cloud Compute Infrastructure | SCAN_UNCATEGORIZED | |
| Modify Existing Service | SCAN_UNCATEGORIZED | |
| Modify OS Kernel or Boot Partition | SCAN_UNCATEGORIZED | AUTH_VIOLATION |
| Modify Registry | SCAN_UNCATEGORIZED | |
| Modify System Image | SCAN_UNCATEGORIZED | |
| Modify System Partition | SCAN_UNCATEGORIZED | AUTH_VIOLATION |
| Modify Trusted Execution Environment | SCAN_UNCATEGORIZED | AUTH_VIOLATION |
| MSBuild | SCAN_UNCATEGORIZED | |
| Mshta | SCAN_UNCATEGORIZED | |
| Msiexec | SCAN_UNCATEGORIZED | |
| Multi-Factor Authentication Interception | SCAN_UNCATEGORIZED | |
| Multi-Factor Authentication Request Generation | SCAN_UNCATEGORIZED | |
| Multi-hop Proxy | SCAN_NETWORK | |
| Multi-Stage Channels | SCAN_NETWORK | |
| Multiband Communication | SCAN_NETWORK | |
| Multilayer Encryption | SCAN_NETWORK | |
| Native API | SCAN_UNCATEGORIZED | |
| Native Code | SCAN_UNCATEGORIZED | |
| Netsh Helper DLL | SCAN_UNCATEGORIZED | |
| Network Address Translation Traversal | SCAN_NETWORK | |
| Network Boundary Bridging | SCAN_NETWORK | |
| Network Denial of Service | SCAN_NETWORK | |
| Network Device Authentication | SCAN_NETWORK | |
| Network Device CLI | SCAN_NETWORK | |
| Network Device Configuration Dump | SCAN_NETWORK | EXPLOIT |
| Network Information Discovery | SCAN_NETWORK | |
| Network Logon Script | SCAN_UNCATEGORIZED | |
| Network Service Discovery | SCAN_NETWORK | |
| Network Service Scanning | SCAN_NETWORK | |
| Network Share Connection Removal | SCAN_NETWORK | |
| Network Share Discovery | SCAN_NETWORK | |
| Network Sniffing | SCAN_NETWORK | |
| Network Traffic Capture or Redirection | SCAN_NETWORK | EXPLOIT |
| New Service | SCAN_UNCATEGORIZED | |
| Non-Application Layer Protocol | SCAN_NETWORK | |
| Non-Standard Encoding | SCAN_NETWORK | |
| Non-Standard Port | SCAN_NETWORK | |
| NTDS | SCAN_UNCATEGORIZED | |
| NTFS File Attributes | SCAN_FILE | |
| Obfuscated Files or Information | SCAN_FILE | |
| Obtain Device Cloud Backups | SCAN_NETWORK | |
| Odbcconf | SCAN_UNCATEGORIZED | |
| Office Application Startup | SCAN_UNCATEGORIZED | |
| Office Template Macros | SCAN_UNCATEGORIZED | |
| Office Test | SCAN_UNCATEGORIZED | |
| One-Way Communication | SCAN_NETWORK | |
| OS Credential Dumping | SCAN_UNCATEGORIZED | |
| OS Exhaustion Flood | SCAN_UNCATEGORIZED | |
| Out of Band Data | SCAN_NETWORK | |
| Outlook Forms | SCAN_UNCATEGORIZED | |
| Outlook Home Page | SCAN_UNCATEGORIZED | |
| Outlook Rules | SCAN_UNCATEGORIZED | |
| Parent PID Spoofing | SCAN_PROCESS | |
| Pass the Hash | SCAN_UNCATEGORIZED | |
| Pass the Ticket | SCAN_UNCATEGORIZED | |
| Password Cracking | SCAN_UNCATEGORIZED | |
| Password Filter DLL | SCAN_UNCATEGORIZED | |
| Password Guessing | SCAN_UNCATEGORIZED | |
| Password Managers | SCAN_UNCATEGORIZED | |
| Password Policy Discovery | SCAN_UNCATEGORIZED | |
| Password Spraying | SCAN_UNCATEGORIZED | |
| Patch System Image | SCAN_UNCATEGORIZED | |
| Path Interception | SCAN_UNCATEGORIZED | |
| Path Interception by PATH Environment Variable | SCAN_UNCATEGORIZED | |
| Path Interception by Search Order Hijacking | SCAN_UNCATEGORIZED | |
| Path Interception by Unquoted Path | SCAN_UNCATEGORIZED | |
| Peripheral Device Discovery | SCAN_UNCATEGORIZED | |
| Permission Groups Discovery | SCAN_UNCATEGORIZED | |
| Phishing | SCAN_UNCATEGORIZED | PHISHING |
| Plist File Modification | SCAN_UNCATEGORIZED | |
| Plist Modification | SCAN_UNCATEGORIZED | |
| Pluggable Authentication Modules | SCAN_UNCATEGORIZED | |
| Port Knocking | SCAN_NETWORK | |
| Port Monitors | SCAN_UNCATEGORIZED | |
| Portable Executable Injection | SCAN_UNCATEGORIZED | |
| PowerShell | SCAN_FILE | |
| PowerShell Profile | SCAN_UNCATEGORIZED | |
| Pre-OS Boot | SCAN_UNCATEGORIZED | |
| Premium SMS Toll Fraud | SCAN_UNCATEGORIZED | |
| Prevent Application Removal | SCAN_UNCATEGORIZED | |
| Print Processors | SCAN_UNCATEGORIZED | |
| Private Keys | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Proc Filesystem | SCAN_FILE | ACL_VIOLATION |
| Proc Memory | SCAN_PROCESS | |
| Process Argument Spoofing | SCAN_PROCESS | |
| Process Discovery | SCAN_UNCATEGORIZED | |
| Process Doppelgänging | SCAN_PROCESS | |
| Process Hollowing | SCAN_PROCESS | |
| Process Injection | SCAN_PROCESS | |
| Protected User Data | SCAN_UNCATEGORIZED | |
| Protocol Impersonation | SCAN_NETWORK | |
| Protocol Tunneling | SCAN_NETWORK | |
| Proxy | SCAN_NETWORK | |
| Proxy Through Victim | SCAN_UNCATEGORIZED | |
| Ptrace System Calls | SCAN_PROCESS | |
| PubPrn | SCAN_FILE | |
| PUP | SCAN_UNCATEGORIZED | |
| Python | SCAN_FILE | |
| Query Registry | SCAN_UNCATEGORIZED | |
| RC Scripts | SCAN_UNCATEGORIZED | |
| Rc.common | SCAN_PROCESS | |
| Re-opened Applications | SCAN_UNCATEGORIZED | |
| Reduce Key Space | SCAN_UNCATEGORIZED | |
| Redundant Access | SCAN_UNCATEGORIZED | |
| Reflection Amplification | SCAN_NETWORK | |
| Reflective Code Loading | SCAN_UNCATEGORIZED | |
| Registry Run Keys / Startup Folder | SCAN_UNCATEGORIZED | |
| Regsvcs/Regasm | SCAN_UNCATEGORIZED | |
| Regsvr32 | SCAN_UNCATEGORIZED | |
| Remote Access Software | SCAN_NETWORK | |
| Remote Access Tools | SCAN_NETWORK | |
| Remote Data Staging | SCAN_UNCATEGORIZED | |
| Remote Device Management Services | SCAN_UNCATEGORIZED | |
| Remote Email Collection | SCAN_UNCATEGORIZED | |
| Remote File Copy | SCAN_FILE | DATA_EXFILTRATION |
| Remote System Discovery | SCAN_NETWORK | |
| Remotely Track Device Without Authorization | SCAN_NETWORK | |
| Remotely Wipe Data Without Authorization | SCAN_NETWORK | |
| Rename System Utilities | SCAN_UNCATEGORIZED | |
| Replication Through Removable Media | SCAN_UNCATEGORIZED | EXPLOIT |
| Resource Forking | SCAN_FILE | |
| Resource Hijacking | SCAN_UNCATEGORIZED | |
| Reversible Encryption | SCAN_UNCATEGORIZED | |
| Revert Cloud Instance | SCAN_UNCATEGORIZED | |
| Right-to-Left Override | SCAN_UNCATEGORIZED | |
| Rogue Cellular Base Station | SCAN_NETWORK | |
| Rogue Domain Controller | SCAN_UNCATEGORIZED | |
| Rogue Wi-Fi Access Points | SCAN_NETWORK | |
| ROMMONkit | SCAN_UNCATEGORIZED | |
| Rootkit | SCAN_UNCATEGORIZED | |
| Run Virtual Instance | SCAN_UNCATEGORIZED | |
| Rundll32 | SCAN_FILE | |
| Runtime Data Manipulation | SCAN_UNCATEGORIZED | |
| Safe Mode Boot | SCAN_UNCATEGORIZED | |
| SAML Tokens | SCAN_UNCATEGORIZED | |
| Scheduled Task | SCAN_UNCATEGORIZED | |
| Scheduled Task/Job | SCAN_UNCATEGORIZED | |
| Scheduled Transfer | SCAN_NETWORK | |
| Screen Capture | SCAN_UNCATEGORIZED | |
| Screensaver | SCAN_UNCATEGORIZED | |
| Scripting | SCAN_FILE | |
| Security Account Manager | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Security Software Discovery | SCAN_UNCATEGORIZED | |
| Security Support Provider | SCAN_UNCATEGORIZED | |
| Securityd Memory | SCAN_UNCATEGORIZED | |
| Sensor-based ML | SCAN_UNCATEGORIZED | |
| Server Software Component | SCAN_UNCATEGORIZED | |
| Service Execution | SCAN_FILE | |
| Service Exhaustion Flood | SCAN_NETWORK | NETWORK_DENIAL_OF_SERVICE |
| Service Registry Permissions Weakness | SCAN_UNCATEGORIZED | |
| Service Stop | SCAN_UNCATEGORIZED | |
| Services File Permissions Weakness | SCAN_UNCATEGORIZED | |
| Services Registry Permissions Weakness | SCAN_UNCATEGORIZED | |
| Setuid and Setgid | SCAN_UNCATEGORIZED | EXPLOIT |
| Shared Modules | SCAN_UNCATEGORIZED | |
| Sharepoint | SCAN_UNCATEGORIZED | |
| Shortcut Modification | SCAN_UNCATEGORIZED | |
| SID-History Injection | SCAN_UNCATEGORIZED | |
| Signed Binary Proxy Execution | SCAN_UNCATEGORIZED | |
| Signed Script Proxy Execution | SCAN_UNCATEGORIZED | |
| Silver Ticket | SCAN_UNCATEGORIZED | |
| SIM Card Swap | SCAN_NETWORK | |
| SIP and Trust Provider Hijacking | SCAN_UNCATEGORIZED | |
| SMS Control | SCAN_UNCATEGORIZED | |
| SMS Messages | SCAN_UNCATEGORIZED | |
| SNMP (MIB Dump) | SCAN_UNCATEGORIZED | |
| Software Deployment Tools | SCAN_UNCATEGORIZED | |
| Software Discovery | SCAN_UNCATEGORIZED | |
| Software Packing | SCAN_UNCATEGORIZED | |
| Source | SCAN_UNCATEGORIZED | |
| Space after Filename | SCAN_FILE | |
| Spearphishing Attachment | SCAN_FILE | EXPLOIT |
| Spearphishing Link | SCAN_NETWORK | EXPLOIT |
| Spearphishing via Service | SCAN_UNCATEGORIZED | |
| SQL Stored Procedures | SCAN_UNCATEGORIZED | |
| SSH Authorized Keys | SCAN_UNCATEGORIZED | |
| Standard Application Layer Protocol | SCAN_NETWORK | |
| Standard Cryptographic Protocol | SCAN_NETWORK | |
| Standard Encoding | SCAN_NETWORK | |
| Standard Non-Application Layer Protocol | SCAN_NETWORK | |
| Startup Items | SCAN_UNCATEGORIZED | |
| Steal Application Access Token | SCAN_UNCATEGORIZED | |
| Steal or Forge Kerberos Tickets | SCAN_UNCATEGORIZED | |
| Steal Web Session Cookie | SCAN_UNCATEGORIZED | |
| Steganography | SCAN_UNCATEGORIZED | |
| Stored Application Data | SCAN_UNCATEGORIZED | |
| Stored Data Manipulation | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| Subvert Trust Controls | SCAN_UNCATEGORIZED | |
| Sudo | SCAN_UNCATEGORIZED | |
| Sudo and Sudo Caching | SCAN_UNCATEGORIZED | |
| Sudo Caching | SCAN_UNCATEGORIZED | |
| Supply Chain Compromise | SCAN_UNCATEGORIZED | |
| Suppress Application Icon | SCAN_UNCATEGORIZED | |
| Suspicious Activity | SCAN_UNCATEGORIZED | |
| Symmetric Cryptography | SCAN_NETWORK | |
| System Binary Proxy Execution | SCAN_UNCATEGORIZED | |
| System Checks | SCAN_UNCATEGORIZED | |
| System Firmware | SCAN_UNCATEGORIZED | |
| System Information Discovery | SCAN_UNCATEGORIZED | |
| System Language Discovery | SCAN_UNCATEGORIZED | |
| System Location Discovery | SCAN_UNCATEGORIZED | |
| System Network Configuration Discovery | SCAN_NETWORK | |
| System Network Connections Discovery | SCAN_NETWORK | |
| System Owner/User Discovery | SCAN_UNCATEGORIZED | |
| System Runtime API Hijacking | SCAN_UNCATEGORIZED | |
| System Script Proxy Execution | SCAN_FILE | |
| System Service Discovery | SCAN_UNCATEGORIZED | |
| System Services | SCAN_UNCATEGORIZED | |
| System Shutdown/Reboot | SCAN_UNCATEGORIZED | |
| System Time Discovery | SCAN_UNCATEGORIZED | |
| Systemd Service | SCAN_UNCATEGORIZED | |
| Systemd Timers | SCAN_UNCATEGORIZED | |
| Template Injection | SCAN_UNCATEGORIZED | EXPLOIT |
| Terminal Services DLL | SCAN_UNCATEGORIZED | |
| TFTP Boot | SCAN_NETWORK | |
| Third-party Software | SCAN_UNCATEGORIZED | |
| Thread Execution Hijacking | SCAN_UNCATEGORIZED | |
| Thread Local Storage | SCAN_UNCATEGORIZED | |
| Time Based Evasion | SCAN_UNCATEGORIZED | |
| Time Providers | SCAN_UNCATEGORIZED | |
| Timestamp | SCAN_UNCATEGORIZED | |
| Token Impersonation/Theft | SCAN_UNCATEGORIZED | |
| Traffic Duplication | SCAN_NETWORK | |
| Traffic Signaling | SCAN_NETWORK | |
| Transfer Data to Cloud Account | SCAN_NETWORK | |
| Transmitted Data Manipulation | SCAN_UNCATEGORIZED | |
| Transport Agent | SCAN_UNCATEGORIZED | |
| Trap | SCAN_UNCATEGORIZED | |
| Trusted Developer Utilities | SCAN_UNCATEGORIZED | |
| Trusted Developer Utilities Proxy Execution | SCAN_UNCATEGORIZED | |
| Trusted Relationship | SCAN_UNCATEGORIZED | EXPLOIT |
| Two-Factor Authentication Interception | SCAN_UNCATEGORIZED | |
| Uncommonly Used Port | SCAN_NETWORK | NETWORK_SUSPICIOUS |
| Uninstall Malicious Application | SCAN_UNCATEGORIZED | |
| Unix Shell | SCAN_FILE | |
| Unix Shell Configuration Modification | SCAN_UNCATEGORIZED | |
| Unsecured Credentials | SCAN_FILE | ACL_VIOLATION |
| Unused/Unsupported Cloud Regions | SCAN_UNCATEGORIZED | |
| URI Hijacking | SCAN_UNCATEGORIZED | |
| URL Scheme Hijacking | SCAN_UNCATEGORIZED | |
| Use Alternate Authentication Material | SCAN_UNCATEGORIZED | |
| User Activity Based Checks | SCAN_UNCATEGORIZED | |
| User Evasion | SCAN_UNCATEGORIZED | |
| User Execution | SCAN_FILE | |
| Valid Accounts | SCAN_UNCATEGORIZED | ACL_VIOLATION |
| VBA Stomping | SCAN_UNCATEGORIZED | |
| VDSO Hijacking | SCAN_UNCATEGORIZED | |
| Verclsid | SCAN_UNCATEGORIZED | |
| Video Capture | SCAN_UNCATEGORIZED | |
| Virtualization/Sandbox Evasion | SCAN_UNCATEGORIZED | |
| Visual Basic | SCAN_UNCATEGORIZED | |
| Weaken Encryption | SCAN_UNCATEGORIZED | |
| Web Cookies | SCAN_UNCATEGORIZED | |
| Web Portal Capture | SCAN_UNCATEGORIZED | |
| Web Protocols | SCAN_NETWORK | |
| Web Service | SCAN_NETWORK | |
| Web Session Cookie | SCAN_NETWORK | |
| Web Shell | SCAN_UNCATEGORIZED | |
| Windows Command Shell | SCAN_UNCATEGORIZED | |
| Windows Credential Manager | SCAN_UNCATEGORIZED | |
| Windows File and Directory Permissions Modification | SCAN_UNCATEGORIZED | |
| Windows Management Instrumentation | SCAN_UNCATEGORIZED | |
| Windows Management Instrumentation Event Subscription | SCAN_UNCATEGORIZED | |
| Windows Remote Management | SCAN_UNCATEGORIZED | |
| Windows Service | SCAN_UNCATEGORIZED | |
| Winlogon Helper DLL | SCAN_UNCATEGORIZED | |
| XDG Autostart Entries | SCAN_UNCATEGORIZED | |
| XPC Services | SCAN_UNCATEGORIZED | |
| XSL Script Processing | SCAN_FILE | |

Field mapping reference: CS_DETECTS

The following table lists the log fields of the CS_DETECTS log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| date_updated | about.labels [date_updated] | |
| q | about.labels [q] | |
| cid | about.resource.product_object_id | |
| cid | metadata.product_deployment_id | |
| | about.resource.resource_type | The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. |
| behaviors.timestamp | about.labels [behavior_timestamp] | |
| behaviors.description | metadata.description | |
| first_behavior | metadata.event_timestamp | |
| created_timestamp | metadata.collected_timestamp | |
| detection_id | metadata.product_log_id | |
| | metadata.product_name | The metadata.product_name UDM field is set to Falcon. |
| url_back_to_product | metadata.url_back_to_product | |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Crowdstrike. |
| device.agent_load_flags | principal.asset.attribute.labels [agent_load_flags] | |
| device.agent_load_flags | principal.asset.attribute.labels [agent_load_time] | |
| device.agent_version | principal.asset.attribute.labels [agent_version] | |
| device.bios_manufacturer | principal.asset.attribute.labels [bios_manufacturer] | |
| device.bios_version | principal.asset.attribute.labels [bios_version] | |
| device.config_id_base | principal.asset.attribute.labels [device_config_id_base] | |
| device.config_id_build | principal.asset.attribute.labels [device_config_id_base] | |
| device.config_id_platform | principal.asset.attribute.labels [device_config_id_platform] | |
| device.cpu_signature | principal.asset.attribute.labels [device_cpu_signature] | |
| device.groups | principal.asset.attribute.labels [device_groups] | |
| device.instance_id | principal.asset.attribute.labels [device_instance_id] | |
| device.last_seen | principal.asset.attribute.labels [device_last_seen] | |
| device.major_version | principal.asset.attribute.labels [device_major_version] | |
| device.minor_version | principal.asset.attribute.labels [device_minor_version] | |
| device.modified_timestamp | principal.asset.attribute.labels [device_modified_timestamp] | |
| device.ou | principal.asset.attribute.labels [device_ou] | |
| device.platform_id | principal.asset.attribute.labels [device_platform_id] | |
| device.product_type | principal.asset.attribute.labels [device_product_type] | |
| device.reduced_functionality_mode | principal.asset.attribute.labels [device_reduced_functionality_mode] | |
| device.service_provider_account_id | principal.asset.attribute.labels [device_service_provider_account_id] | |
| device.service_provider | principal.asset.attribute.labels [device_service_provider] | |
| device.site_name | principal.asset.attribute.labels [device_site_name] | |
| device.status | principal.asset.attribute.labels [device_status] | |
| device.first_seen | principal.asset.first_seen_time | |
| device.system_manufacturer | principal.asset.hardware.manufacturer | |
| device.serial_number | principal.asset.hardware.serial_number | |
| device.hostname | principal.hostname | |
| device.platform_name | principal.asset.platform_software.platform | If the device.platform_name log field value matches the regular expression pattern Windows, then the target.asset.platform_software.platform UDM field is set to WINDOWS. |
| device.system_product_name | principal.asset.platform_software.platform_version | |
| device.device_id | principal.asset_id | |
| device.product_type_desc | principal.asset.type | If the device.product_type_desc log field value matches the regular expression pattern (?i)(Computer or Workstation), then the principal.asset.type UDM field is set to WORKSTATION. Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Server, then the principal.asset.type UDM field is set to SERVER. Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)Mobile, then the principal.asset.type UDM field is set to MOBILE. Else, if the device.product_type_desc log field value matches the regular expression pattern (?i)iot, then the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| first_behavior | principal.asset.vulnerabilities.first_found | |
| last_behavior | principal.asset.vulnerabilities.last_found | |
| device.machine_domain | principal.domain.name | |
| device.release_group | principal.group.group_display_name | |
| device.local_ip | principal.ip | |
| device.mac_address | principal.mac | |
| device.external_ip | principal.nat_ip | |
| device.os_version | principal.platform_version | |
| device.cid | principal.resource.product_object_id | |
| behaviors.user_name | principal.user.user_display_name | |
| behaviors.user_id | principal.user.windows_sid | |
| quarantined_files.id | security_result.about.file attributes | |
| email_sent | security_result.about.labels [email_sent] | |
| assigned_to_name | security_result.about.user.user_display_name | |
| behaviors.tactic_id | security_result.attack_details.tactics.id | If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field. Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
| behaviors.tactic | security_result.attack_details.tactics.name | If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field. Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field. |
| behaviors.tactic_id | security_result.rule_labels [behavior_tactic_id] | If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic_id log field is mapped to the security_result.attack_details.tactics.id UDM field. Else, the behaviors.tactic_id log field is mapped to the security_result.rule_labels UDM field. |
| behaviors.tactic | security_result.rule_labels [behavior_tactic] | If the behaviors.tactic_id log field value does not match the regular expression pattern ^CS, then the behaviors.tactic log field is mapped to the security_result.attack_details.tactics.name UDM field. |

Else, the behaviors.tactic log field is mapped to the security_result.rule_labels UDM field.
behaviors.technique_id security_result.attack_details.techniques.id If the behaviors.technique_id log field value does not match the regular expression pattern ^CS, then the behaviors.technique_id log field is mapped to the security_result.attack_details.techniques.id UDM field.
behaviors.technique security_result.attack_details.techniques.name If the behaviors.technique_id log field value does not match the regular expression pattern ^CS, then the behaviors.technique log field is mapped to the security_result.attack_details.techniques.name UDM field.
behaviors.technique_id security_result.rule_id
behaviors.technique security_result.rule_name
behaviors.scenario security_result.category
behaviors.confidence security_result.confidence_details
hostinfo.active_directory_dn_display security_result.detection_fields [active_directory_dn_display]
adversary_ids security_result.detection_fields [adversary_ids]
behaviors.ioc_description security_result.detection_fields [behavior_ioc_description]
behaviors.ioc_source security_result.detection_fields [behavior_ioc_source]
behaviors.behavior_id security_result.detection_fields [behaviors_behavior_id]
behaviors.objective security_result.detection_fields [behaviors_objective]
behaviors.pattern_disposition_details.blocking_unsupported_or_disabled security_result.detection_fields [behaviors_pattern_disposition_details_blocking_unsupported_or_disabled]
behaviors.pattern_disposition_details.bootup_safeguard_enabled security_result.detection_fields [behaviors_pattern_disposition_details_bootup_safeguard_enabled]
behaviors.pattern_disposition_details.critical_process_disabled security_result.detection_fields [behaviors_pattern_disposition_details_critical_process_disabled]
behaviors.pattern_disposition_details.detect security_result.detection_fields [behaviors_pattern_disposition_details_detect]
behaviors.pattern_disposition_details.fs_operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_fs_operation_blocked]
behaviors.pattern_disposition_details.handle_operation_downgraded security_result.detection_fields [behaviors_pattern_disposition_details_handle_operation_downgraded]
behaviors.pattern_disposition_details.inddet_mask security_result.detection_fields [behaviors_pattern_disposition_details_inddet_mask]
behaviors.pattern_disposition_details.indicator security_result.detection_fields [behaviors_pattern_disposition_details_indicator]
behaviors.pattern_disposition_details.kill_action_failed security_result.detection_fields [behaviors_pattern_disposition_details_kill_action_failed]
behaviors.pattern_disposition_details.kill_parent security_result.detection_fields [behaviors_pattern_disposition_details_kill_parent]
behaviors.pattern_disposition_details.kill_process security_result.detection_fields [behaviors_pattern_disposition_details_kill_process]
behaviors.pattern_disposition_details.kill_subprocess security_result.detection_fields [behaviors_pattern_disposition_details_kill_subprocess]
behaviors.pattern_disposition_details.operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_operation_blocked]
behaviors.pattern_disposition_details.policy_disabled security_result.detection_fields [behaviors_pattern_disposition_details_policy_disabled]
behaviors.pattern_disposition_details.process_blocked security_result.detection_fields [behaviors_pattern_disposition_details_process_blocked]
behaviors.pattern_disposition_details.quarantine_file security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_file]
behaviors.pattern_disposition_details.quarantine_machine security_result.detection_fields [behaviors_pattern_disposition_details_quarantine_machine]
behaviors.pattern_disposition_details.registry_operation_blocked security_result.detection_fields [behaviors_pattern_disposition_details_registry_operation_blocked]
behaviors.pattern_disposition_details.rooting security_result.detection_fields [behaviors_pattern_disposition_details_rooting]
behaviors.pattern_disposition_details.sensor_only security_result.detection_fields [behaviors_pattern_disposition_details_sensor_only]
behaviors.pattern_disposition_details.suspend_parent security_result.detection_fields [behaviors_pattern_disposition_details_suspend_parent]
behaviors.pattern_disposition_details.suspend_process security_result.detection_fields [behaviors_pattern_disposition_details_suspend_process]
behaviors.pattern_disposition security_result.detection_fields [behaviors_pattern_disposition] If the behaviors.pattern_disposition log field value is equal to 0, then the security_result.detection_fields.key/value UDM field is set to Detection, standard detection.

Else, if the behaviors.pattern_disposition log field value is equal to 16, then the security_result.detection_fields.key/value UDM field is set to Prevention, process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 128, then the security_result.detection_fields.key/value UDM field is set to Detection/Quarantine, standard detection and quarantine was attempted.

Else, if the behaviors.pattern_disposition log field value is equal to 272, then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 512, then the security_result.detection_fields.key/value UDM field is set to Prevention, parent process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 768, then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 1024, then the security_result.detection_fields.key/value UDM field is set to Prevention, operation blocked.

Else, if the behaviors.pattern_disposition log field value is equal to 1280, then the security_result.detection_fields.key/value UDM field is set to Detection, operation would have been blocked if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 2048, then the security_result.detection_fields.key/value UDM field is set to Prevention, process blocked from execution.

Else, if the behaviors.pattern_disposition log field value is equal to 2176, then the security_result.detection_fields.key/value UDM field is set to Detection, parent process would have been killed if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 2304, then the security_result.detection_fields.key/value UDM field is set to Detection, process would have been blocked if related prevention policy setting was enabled.

Else, if the behaviors.pattern_disposition log field value is equal to 4096, then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked.

Else, if the behaviors.pattern_disposition log field value is equal to 4112, then the security_result.detection_fields.key/value UDM field is set to Prevention, registry operation blocked and context process killed.

Else, if the behaviors.pattern_disposition log field value is equal to 4638, then the security_result.detection_fields.key/value UDM field is set to Detection, registry operation would have been blocked and context process would have been killed if a prevention policy setting was enabled.
behaviors_processed [] security_result.detection_fields [behaviors_processed]
behaviors.control_graph_id security_result.detection_fields [control_graph_id]
behaviors.control_graph_id security_result.detection_fields [tree_id] The tree_id field is extracted from the behaviors.control_graph_id log field using the Grok pattern, and the tree_id extracted field is mapped to the security_result.detection_fields UDM field.
hostinfo.domain security_result.detection_fields [hostinfo_domain]
max_confidence security_result.detection_fields [max_confidence]
max_severity security_result.detection_fields [max_severity]
overwatch_notes security_result.detection_fields [overwatch_notes]
quarantined_files.paths security_result.detection_fields [quarantined_files_paths]
quarantined_files.sha256 security_result.detection_fields [quarantined_files_sha256]
quarantined_files.state security_result.detection_fields [quarantined_files_state]
seconds_to_resolved security_result.detection_fields [seconds_to_resolved]
seconds_to_triaged security_result.detection_fields [seconds_to_triaged]
show_in_ui security_result.detection_fields [show_in_ui]
status security_result.detection_fields [status]
behaviors.template_instance_id security_result.detection_fields [template_instance_id]
behaviors.triggering_process_graph_id security_result.detection_fields [triggering_process_graph_id]
behaviors.rule_instance_id security_result.rule_labels [rule_instance_id]
behaviors.rule_instance_version security_result.rule_labels [rule_instance_version]
max_severity_displayname security_result.severity If the max_severity_displayname log field value matches the regular expression pattern (?i)Low, then the security_result.severity UDM field is set to LOW.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Informational, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)High, then the security_result.severity UDM field is set to HIGH.

Else, if the max_severity_displayname log field value matches the regular expression pattern (?i)Critical, then the security_result.severity UDM field is set to CRITICAL.

Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
behaviors.severity security_result.severity_details
behaviors.display_name security_result.summary
behaviors.ioc_type security_result.threat_name The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field.
behaviors.ioc_value security_result.threat_name The behaviors.ioc_type - behaviors.ioc_value log field is mapped to the security_result.threat_name UDM field.
behaviors.filepath, behaviors.ioc_description target.file.full_path If the behaviors.filepath log field value is equal to System, then the behaviors.ioc_description log field is mapped to the target.file.full_path UDM field.

Else, the behaviors.filepath log field is mapped to the target.file.full_path UDM field.
behaviors.alleged_filetype target.file.mime_type
behaviors.filename target.file.names
behaviors.sha256 target.file.sha256 If the behaviors.sha256 log field value is not empty and not equal to N/A, then the behaviors.sha256 log field is mapped to the target.file.sha256 UDM field.
behaviors.cmdline target.process.command_line
behaviors.md5 target.process.file.md5 If the behaviors.md5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the behaviors.md5 log field is mapped to the target.process.file.md5 UDM field.

Else, the target.labels.key UDM field is set to behavior_md5 and the behaviors.md5 log field is mapped to the target.labels.value UDM field.
behaviors.parent_details.parent_cmdline target.process.parent_process.command_line
behaviors.parent_details.parent_md5 target.process.parent_process.file.md5 If the behaviors.parent_details.parent_md5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the behaviors.parent_details.parent_md5 log field is mapped to the target.process.parent_process.file.md5 UDM field.

Else, the target.labels.key UDM field is set to behavior_parent_details_parent_md5 and the behaviors.parent_details.parent_md5 log field is mapped to the target.labels.value UDM field.
behaviors.parent_details.parent_sha256 target.process.parent_process.file.sha256 If the behaviors.parent_details.parent_sha256 log field value is not empty and not equal to N/A, then the behaviors.parent_details.parent_sha256 log field is mapped to the target.process.parent_process.file.sha256 UDM field.
behaviors.parent_details.parent_process_id target.process.parent_process.pid
behaviors.parent_details.parent_process_graph_id target.process.parent_process.product_specific_process_id
behaviors.triggering_process_id target.process.pid
behaviors.device_id Contains the same value as device.device_id, so this field is not mapped.
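The conditional rows in the table above (asset type, severity, tactic ids starting with CS, md5 and sha256 validation, and the filepath value System) written out as added example code; this is not the Google SecOps parser and not part of this page. The sample detection and its values are constructed, and "matches the regular expression pattern" is taken to mean a case-insensitive search.

```python
import re

# Constructed sample detection (not real CrowdStrike data); only fields whose
# mapping logic in the table is conditional are included.
SAMPLE_DETECT = {
    "max_severity_displayname": "High",
    "device": {"product_type_desc": "Workstation"},
    "behaviors": [{
        "tactic_id": "CST0003", "tactic": "Custom Intelligence",  # constructed id
        "md5": "N/A", "sha256": "N/A", "filepath": "System",
        "ioc_description": r"\Device\HarddiskVolume2\tmp\x.exe",
    }],
}
SEVERITIES = ["LOW", "INFORMATIONAL", "MEDIUM", "HIGH", "CRITICAL"]
ASSET_TYPES = [("computer|workstation", "WORKSTATION"), ("server", "SERVER"),
               ("mobile", "MOBILE"), ("iot", "IOT")]

def map_severity(name):
    # "(?i)Low" etc. taken as a case-insensitive search, checked in table order.
    return next((s for s in SEVERITIES if re.search(s, name or "", re.I)),
                "UNKNOWN_SEVERITY")

def map_asset_type(desc):
    return next((t for pat, t in ASSET_TYPES if re.search(pat, desc or "", re.I)),
                "ROLE_UNSPECIFIED")

def map_behavior(b):
    udm = {}
    # Tactic ids starting with CS are CrowdStrike-specific (not ATT&CK): route to rule_labels.
    if re.match(r"^CS", b.get("tactic_id", "")):
        udm["security_result.rule_labels"] = {"behavior_tactic_id": b["tactic_id"], "behavior_tactic": b["tactic"]}
    else:
        udm["security_result.attack_details.tactics"] = {"id": b["tactic_id"], "name": b["tactic"]}
    # Only a plain hex string lands in file.md5; anything else (e.g. N/A) becomes a label.
    if re.fullmatch(r"[0-9a-f]+", b.get("md5", "")):
        udm["target.process.file.md5"] = b["md5"]
    else:
        udm["target.labels"] = {"behavior_md5": b.get("md5")}
    # sha256 is dropped entirely when empty or the literal N/A.
    if b.get("sha256") not in (None, "", "N/A"):
        udm["target.file.sha256"] = b["sha256"]
    # filepath "System" means the real path is carried in ioc_description.
    udm["target.file.full_path"] = b.get("ioc_description") if b.get("filepath") == "System" else b.get("filepath")
    return udm

def map_detection(d):
    return {"security_result.severity": map_severity(d.get("max_severity_displayname")),
            "principal.asset.type": map_asset_type(d.get("device", {}).get("product_type_desc")),
            "behaviors": [map_behavior(b) for b in d.get("behaviors", [])]}
```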