Se usó la API de Cloud Translation para traducir esta página.

Recopila registros de alertas de SentinelOne

Compatible con:

Google SecOps SIEM

En este documento, se describe cómo puedes recopilar registros de alertas de SentinelOne configurando un feed de Google Security Operations y cómo los campos de registro se asignan a los campos del modelo de datos unificados (UDM) de Google SecOps.

Para obtener más información, consulta la descripción general de la transferencia de datos a Google Security Operations.

Una implementación típica consta de Alert de SentinelOne y el feed de Google SecOps configurado para enviar registros a Google SecOps. Cada implementación del cliente puede diferir y ser más compleja.

La implementación contiene los siguientes componentes:

SentinelOne: Es el producto del que recopilas registros.
Feed de Google SecOps: Es el feed de Google SecOps que recupera registros de SentinelOne y escribe registros en Google SecOps.
Google SecOps: Google SecOps retiene y analiza los registros de SentinelOne.

Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato estructurado del UDM. La información de este documento se aplica al analizador con la etiqueta de transferencia SENTINELONE_ALERT.

Antes de comenzar

Asegúrate de tener una suscripción activa a Singularity Complete para SentinelOne. Consulta Paquetes de la plataforma para obtener más detalles.
Asegúrate de usar la versión 2.1 de las APIs de GET Alerts y GET Threats.
Asegúrate de tener un rol de administrador a nivel global o de la cuenta. Para obtener el rol de administrador, comunícate con tu usuario administrador.
Asegúrate de tener derechos de administrador para instalar el agente de SentinelOne. Para obtener derechos de administrador, comunícate con tu usuario administrador.

Configura un feed en Google SecOps para cargar registros de alertas de SentinelOne

Para configurar un feed de transferencia, haz lo siguiente:

En el menú de Google SecOps, selecciona Configuración y, luego, haz clic en Feeds.
Haz clic en Agregar nueva.
Selecciona API de terceros como el tipo de fuente y Alertas de Sentinelone como el tipo de registro.
Haz clic en Siguiente y completa los campos Encabezados HTTP de autenticación, Nombre de host de la API, Hora de inicio inicial, ¿Se suscribió la API de alertas? y Nombre de espacio de nombres de activos para tu instancia de SentinelOne.

Necesitas un token de API para propagar los encabezados HTTP de autenticación. Se puede generar desde SentinelOne y reutilizarse para futuras creaciones de feeds. Para generar un token de API, sigue estos pasos:
1. En la consola de administración de SentinelOne, ve a Configuración y, luego, haz clic en Usuarios.
2. Haz clic en el usuario administrador para el que deseas generar el token de API.
3. Haz clic en Acciones > Operaciones de tokens de API > Generar token de API.
4. En Encabezados HTTP de autenticación, ingresa el token de API generado en el formato Authorization: ApiToken Token Value.
Selecciona la casilla de verificación Is alert API subscribed para recopilar eventos de alerta de SentinelOne.
Haz clic en Siguiente y, luego, en Enviar.

Formatos de registro de alertas de SentinelOne compatibles

El analizador de alertas de SentinelOne admite registros en formato JSON y CSV.

Tipos de registros de alertas de SentinelOne admitidos

El analizador de alertas de SentinelOne admite tipos de registros de alertas y amenazas.

Referencia de la asignación de campos

En esta sección, se explica cómo el analizador de Google SecOps asigna los campos de alerta de SentinelOne a los campos del modelo de datos unificado (UDM) de Google SecOps.

Referencia de asignación de campos: identificador de evento a tipo de evento

En la siguiente tabla, se enumeran los tipos de registro de SENTINELONE_ALERT y sus correspondientes tipos de eventos de la AUA.

Event Identifier	Event Type	Security Category
`BEHAVIORALINDICATORS`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS`
`DNS`	`NETWORK_DNS`
`DUPLICATEPROCESS`	`PROCESS_UNCATEGORIZED`
`FILECREATION`	`FILE_CREATION`
`FILEDELETION`	`FILE_DELETION`
`FILEMODIFICATION`	`FILE_MODIFICATION`
`FILERENAME`	`FILE_MODIFICATION`
`FILESCAN`	`SCAN_FILE`
`HTTP`	`NETWORK_HTTP`
`MALICIOUSFILE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`OPENPROCESS`	`PROCESS_OPEN`
`PROCESSCREATION`	`PROCESS_LAUNCH`
`REGKEYCREATE`	`REGISTRY_CREATION`
`REGKEYDELETE`	`REGISTRY_DELETION`
`REGVALUECREATE`	`REGISTRY_CREATION`
`REGVALUEDELETE`	`REGISTRY_DELETION`
`REGVALUEMODIFIED`	`REGISTRY_MODIFICATION`
`SCHEDTASKSTART`	`SERVICE_START`
`SCHEDTASKTRIGGER`	`SERVICE_START`
`SCHEDTASKUPDATE`	`SERVICE_MODIFICATION`
`SCRIPTS`	`FILE_UNCATEGORIZED`
`TCPV4`	`NETWORK_UNCATEGORIZED`
`TCPV4LISTEN`	`NETWORK_UNCATEGORIZED`
`WINLOGONATTEMPT`	`USER_LOGIN`
If the `threatInfo.filePath` log field is not empty or the `threatInfo.fileSize` log field value is not empty, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`.	`FILE_UNCATEGORIZED`

Referencia de asignación de campos: SENTINELONE_ALERT

En la siguiente tabla, se enumeran los campos de registro del tipo de registro SENTINELONE_ALERT y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
	`metadata.vendor_name`
	`metadata.product_name`
	`metadata.url_back_to_product`	If the `threatInfo.threatId` log field value is not empty and the `source_hostname` log field value is not empty, then the `https://source_hostname/incidents/threats/threatInfo.threatId/overview` log field is mapped to the `metadata.url_back_to_product` UDM field. Else, if the `source_hostname` log field value is not empty, then the `https://source_hostname` log field is mapped to the `metadata.url_back_to_product` UDM field.
`agentDetectionInfo.machineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentDetectionInfo.machineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentRealtimeInfo.agentMachineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value is empty and the `agentRealtimeInfo.agentMachineType` log field value is not empty , then: If the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentRealtimeInfo.agentMachineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentRealtimeInfo.machineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value is empty and the `agentRealtimeInfo.agentMachineType` log field value is empty and the `agentRealtimeInfo.machineType` log field value is not empty , then: If the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentRealtimeInfo.machineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentDetectionInfo.name`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentRealtimeInfo.agentComputerName`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentRealtimeInfo.name`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentDetectionInfo.name`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentRealtimeInfo.agentComputerName`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentRealtimeInfo.name`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentDetectionInfo.osFamily`	`principal.asset.platform_software.platform`	If the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)win`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)lin`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, the `agentDetectionInfo.osFamily` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_os_family` UDM field.
`agentRealtimeInfo.os`	`principal.asset.platform_software.platform`	If the `agentDetectionInfo.osFamily` log field value is empty and the `agentRealtimeInfo.os` log field value is not empty , then: If the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)win`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)lin`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, the `agentRealtimeInfo.os` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_os_family` UDM field.
`agentDetectionInfo.osFamily`	`principal.platform`	If the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)win`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)lin`, then the `principal.platform` UDM field is set to `LINUX`
`agentRealtimeInfo.os`	`principal.platform`	If the `agentDetectionInfo.osFamily` log field value is empty and the `agentRealtimeInfo.os` log field value is not empty , then: If the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)win`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)lin`, then the `principal.platform` UDM field is set to `LINUX`.
`agentDetectionInfo.osName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentDetectionInfo.agentOsName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentRealtimeInfo.agentOsName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentDetectionInfo.osRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentDetectionInfo.agentOsRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentRealtimeInfo.agentOsRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentDetectionInfo.siteId`	`principal.labels[agent_detection_info_siteId]` (deprecated)
`agentDetectionInfo.siteId`	`additional.fields[agent_detection_info_siteId]`
`agentDetectionInfo.uuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentDetectionInfo.agentUuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentRealtimeInfo.uuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentRealtimeInfo.agentUuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentDetectionInfo.uuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentDetectionInfo.agentUuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentRealtimeInfo.uuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentRealtimeInfo.agentUuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentDetectionInfo.version`	`principal.asset.attribute.labels[agent_version]`
`agentDetectionInfo.agentVersion`	`principal.asset.attribute.labels[agent_detection_info_agent_version]`
`agentRealtimeInfo.agentVersion`	`principal.asset.attribute.labels[agent_realtime_info_agent_version]`
`agentRealtimeInfo.id`	`principal.asset.attribute.labels[agent_realtime_info_id]`
`agentRealtimeInfo.infected`	`principal.asset.attribute.labels[agent_realtime_info_infected]`
`agentRealtimeInfo.agentInfected`	`principal.asset.attribute.labels[agent_realtime_info_infected]`
`agentRealtimeInfo.isActive`	`principal.asset.attribute.labels[agent_realtime_info_is_active]`
`agentRealtimeInfo.agentIsActive`	`principal.asset.attribute.labels[agent_realtime_info_is_active]`
`agentRealtimeInfo.isDecommissioned`	`principal.asset.attribute.labels[agent_realtime_info_is_decommissioned]`
`agentRealtimeInfo.agentIsDecommissioned`	`principal.asset.attribute.labels[agent_realtime_info_is_decommissioned]`
`alertInfo.alertId`	`metadata.product_log_id`
`id`	`metadata.product_log_id`
	`metadata.product_event_type`	If the log matches the regular expression pattern `alertInfo`, then the `metadata.product_event_type` UDM field is set to `Alerts`. Else, if the log matches the regular expression pattern `threatInfo`, then the `metadata.product_event_type` UDM field is set to `Threats`.
`alertInfo.analystVerdict`	`security_result.detection_fields[alert_info_analyst_verdict]`
`alertInfo.createdAt`	`metadata.event_timestamp`	If the `alertInfo.createdAt` log field value is not empty, then the `alertInfo.createdAt` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `threatInfo.identifiedAt` log field value is not empty, then the `threatInfo.identifiedAt` log field is mapped to the `metadata.event_timestamp` UDM field.
`threatInfo.identifiedAt`	`metadata.event_timestamp`	If the `alertInfo.createdAt` log field value is not empty, then the `alertInfo.createdAt` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `threatInfo.identifiedAt` log field value is not empty, then the `threatInfo.identifiedAt` log field is mapped to the `metadata.event_timestamp` UDM field.
	`network.application_protocol`	If the `alertInfo.dnsRequest` log field value is not empty, then the `network.application_protocol` UDM field is set to `DNS`.
`alertInfo.dnsRequest`	`network.dns.questions.name`
`alertInfo.dnsResponse`	`network.dns.answers.name`
`alertInfo.dstIp`	`target.ip`
`alertInfo.dstPort`	`target.port`
`alertInfo.dvEventId`	`security_result.detection_fields[alert_info_dv_event_id]`
`alertInfo.eventType`	`security_result.detection_fields[alert_info_event_type]`
`alertInfo.hitType`	`security_result.detection_fields[alert_info_hit_type]`
`alertInfo.incidentStatus`	`security_result.detection_fields[alert_info_incident_status]`
`alertInfo.indicatorCategory`	`security_result.detection_fields[alert_info_indicator_category]`
`alertInfo.indicatorDescription`	`security_result.detection_fields[alert_info_indicator_description]`
`alertInfo.indicatorName`	`security_result.detection_fields[alert_info_indicator_name]`
`alertInfo.isEdr`	`security_result.detection_fields[alert_info_is_edr]`
`alertInfo.loginAccountDomain`	`security_result.detection_fields[alert_info_login_account_domain]`
`alertInfo.loginAccountSid`	`security_result.detection_fields[alert_info_login_account_sid]`
`alertInfo.loginIsAdministratorEquivalent`	`security_result.detection_fields[alert_info_login_is_administrator_equivalent]`
	`security_result.action`	If the `alertInfo.loginIsSuccessful` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. else the `alertInfo.loginIsSuccessful` log field value is equal to `false`, then the `security_result.action` UDM field is set to `BLOCK`. If the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.action` UDM field is set to `BLOCK`. `mitigated` `marked_as_benign` `blocked` `suspicious_resolved` Else, if the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.action` UDM field is set to `ALLOW`. `active` `suspicious` `pending` `not_mitigated`
	`extensions.auth.mechanism`	If the `alertInfo.loginType` log field value is equal to `NETWORK`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `alertInfo.loginType` log field value is equal to `SYSTEM`, then the `extensions.auth.mechanism` UDM field is set to `LOCAL`. Else, if the `alertInfo.loginType` log field value is equal to `INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `BATCH`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `alertInfo.loginType` log field value is equal to `SERVICE`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `alertInfo.loginType` log field value is equal to `UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `UNLOCK`. Else, if the `alertInfo.loginType` log field value is equal to `NETWORK_CLEAR_TEXT`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK_CLEAR_TEXT`. Else, if the `alertInfo.loginType` log field value is equal to `NEW_CREDENTIALS`, then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS`. Else, if the `alertInfo.loginType` log field value is equal to `REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_REMOTE_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_UNLOCK`.
`alertInfo.loginsUserName`	`target.user.user_display_name`
`alertInfo.modulePath`	`security_result.detection_fields[alert_info_module_path]`
`alertInfo.moduleSha1`	`security_result.detection_fields[alert_info_module_sha1]`
`alertInfo.netEventDirection`	`network.direction`	If the `alertInfo.netEventDirection` log field value matches the regular expression pattern `OUTGOING`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `alertInfo.netEventDirection` log field value matches the regular expression pattern `INCOMING`, then the `network.direction` UDM field is set to `INBOUND`.
`alertInfo.registryKeyPath`	`target.registry.registry_key`
`alertInfo.registryOldValue`	`src.registry.registry_value_data`
`alertInfo.registryOldValueType`	`src.registry.registry_value_name`
`alertInfo.registryPath`	`src.registry.registry_key`
`alertInfo.registryValue`	`target.registry.registry_value_data`
`alertInfo.reportedAt`	`security_result.first_discovered_time`
`alertInfo.source`	`security_result.category_details`
`alertInfo.srcPort`	`principal.port`
`alertInfo.tiIndicatorComparisonMethod`	`security_result.detection_fields[alert_info_tiIndicator_comparison_method]`
`alertInfo.tiIndicatorSource`	`security_result.detection_fields[alert_info_tiIndicator_source]`
`alertInfo.tiIndicatorType`	`security_result.detection_fields[alert_info_tiIndicator_type]`
`alertInfo.tiIndicatorValue`	`security_result.detection_fields[alert_info_tiIndicator_value]`
`alertInfo.updatedAt`	`security_result.detection_fields[alert_info_updated_at]`
`containerInfo.id`	`target.resource.product_object_id`
`containerInfo.image`	`target.resource.attribute.labels[container_image]`
`containerInfo.labels`	`target.resource.attribute.labels[container_labels]`	If the `containerInfo.labels` log field value is not empty, then the `containerInfo.labels` log field is mapped to the `target.resource.attribute.labels.container_labels` UDM field.
`containerInfo.name`	`target.resource.name`
	`target.resource.resource_type`	If the `containerInfo.name` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `CONTAINER`.
`kubernetesInfo.cluster`	`target.resource_ancestors.name`
`kubernetesInfo.controllerName`	`target.resource_ancestors.name`
`kubernetesInfo.node`	`target.resource_ancestors.name`
`kubernetesInfo.pod`	`target.resource_ancestors.name`
	`target.resource_ancestors.resource_type`	If the `kubernetesInfo.pod` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `POD`. If the `kubernetesInfo.cluster` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.isContainerQuarantine` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.controllerName` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.node` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`.
`kubernetesInfo.controllerKind`	`target.resource_ancestors.attribute.labels[kubernetes_controller_kind]`
`kubernetesInfo.controllerLabels`	`target.resource_ancestors.attribute.labels[kubernetes_controller_labels]`	If the `kubernetesInfo.controllerLabels` log field value is not empty, then the `kubernetesInfo.controllerLabels` log field is mapped to the `target.resource_ancestors.attribute.labels.kubernetes_controller_labels` UDM field.
`kubernetesInfo.namespace`	`target.resource_ancestors.attribute.labels[kubernetes_namespace]`
`kubernetesInfo.namespaceLabels`	`target.resource_ancestors.attribute.labels[kubernetes_namespace_labels]`
`kubernetesInfo.podLabels`	`target.resource_ancestors.attribute.labels[kubernetes_pod_labels]`	If the `kubernetesInfo.podLabels` log field value is not empty, then the `kubernetesInfo.podLabels` log field is mapped to the `target.resource_ancestors.attribute.labels.kubernetes_pod_labels` UDM field.
`ruleInfo.description`	`security_result.rule_set_display_name`
`ruleInfo.id`	`security_result.rule_id`
`ruleInfo.name`	`security_result.rule_name`
`ruleInfo.queryLang`	`security_result.rule_labels[query_lang]`
`ruleInfo.queryType`	`security_result.rule_labels[query_type]`
`ruleInfo.s1ql`	`security_result.rule_labels[s1ql]`
`ruleInfo.scopeLevel`	`security_result.rule_labels[scope_level]`
	`security_result.severity`	If the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)low`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)critical`, then the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)high`, then the `security_result.severity` UDM field is set to `HIGH`.
`ruleInfo.severity`	`security_result.severity_details`
`ruleInfo.treatAsThreat`	`security_result.rule_type`
`sourceParentProcessInfo.commandline`	`principal.process.parent_process.command_line`
`sourceParentProcessInfo.fileHashMd5`	`principal.process.parent_process.file.md5`	If the `sourceParentProcessInfo.fileHashMd5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `sourceParentProcessInfo.fileHashMd5` log field is mapped to the `principal.process.parent_process.file.md5` UDM field.
`sourceParentProcessInfo.fileHashSha1`	`principal.process.parent_process.file.sha1`	If the `sourceParentProcessInfo.fileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `sourceParentProcessInfo.fileHashSha1` log field is mapped to the `principal.process.parent_process.file.sha1` UDM field.
`sourceParentProcessInfo.fileHashSha256`	`principal.process.parent_process.file.sha256`	If the `sourceParentProcessInfo.fileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `sourceParentProcessInfo.fileHashSha256` log field is mapped to the `principal.process.parent_process.file.sha256` UDM field.
`sourceParentProcessInfo.filePath`	`principal.process.parent_process.file.full_path`
`sourceParentProcessInfo.fileSignerIdentity`	`principal.process.parent_process.file.signature_info.sigcheck.signers.name`
`sourceParentProcessInfo.integrityLevel`	`principal.labels[source_parent_process_integrity_level]` (deprecated)
`sourceParentProcessInfo.integrityLevel`	`additional.fields[source_parent_process_integrity_level]`
`sourceParentProcessInfo.name`	`principal.labels[source_parent_process_name]` (deprecated)
`sourceParentProcessInfo.name`	`additional.fields[source_parent_process_name]`
`sourceParentProcessInfo.pid`	`principal.process.parent_process.pid`
`sourceParentProcessInfo.pidStarttime`	`principal.labels[source_parent_process_pid_start_time]` (deprecated)
`sourceParentProcessInfo.pidStarttime`	`additional.fields[source_parent_process_pid_start_time]`
`sourceParentProcessInfo.storyline`	`principal.labels[source_parent_process_storyline]` (deprecated)
`sourceParentProcessInfo.storyline`	`additional.fields[source_parent_process_storyline]`
`sourceParentProcessInfo.subsystem`	`principal.labels[source_parent_process_subsystem]` (deprecated)
`sourceParentProcessInfo.subsystem`	`additional.fields[source_parent_process_subsystem]`
	`principal.process.parent_process.product_specific_process_id`	If the `sourceParentProcessInfo.uniqueId` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceParentProcessInfo.uniqueId}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`sourceParentProcessInfo.user`	`principal.labels[source_parent_process_user]` (deprecated)
`sourceParentProcessInfo.user`	`additional.fields[source_parent_process_user]`
`sourceProcessInfo.commandline`	`principal.process.command_line`
`sourceProcessInfo.fileHashMd5`	`principal.process.file.md5`	If the `sourceProcessInfo.fileHashMd5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `sourceProcessInfo.fileHashMd5` log field is mapped to the `principal.process.file.md5` UDM field.
`sourceProcessInfo.fileHashSha1`	`principal.process.file.sha1`	If the `sourceProcessInfo.fileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `sourceProcessInfo.fileHashSha1` log field is mapped to the `principal.process.file.sha1` UDM field.
`sourceProcessInfo.fileHashSha256`	`principal.process.file.sha256`	If the `sourceProcessInfo.fileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `sourceProcessInfo.fileHashSha256` log field is mapped to the `principal.process.file.sha256` UDM field.
`sourceProcessInfo.filePath`	`principal.process.file.full_path`
`sourceProcessInfo.fileSignerIdentity`	`principal.process.file.signature_info.sigcheck.signers.name`
`sourceProcessInfo.integrityLevel`	`principal.labels[source_process_integrity_level]` (deprecated)
`sourceProcessInfo.integrityLevel`	`additional.fields[source_process_integrity_level]`
`sourceProcessInfo.name`	`principal.labels[source_process_name]` (deprecated)
`sourceProcessInfo.name`	`additional.fields[source_process_name]`
`sourceProcessInfo.pid`	`principal.process.pid`
`sourceProcessInfo.pidStarttime`	`principal.labels[source_process_pid_start_time]` (deprecated)
`sourceProcessInfo.pidStarttime`	`additional.fields[source_process_pid_start_time]`
`sourceProcessInfo.storyline`	`principal.labels[source_process_storyline]` (deprecated)
`sourceProcessInfo.storyline`	`additional.fields[source_process_storyline]`
`sourceProcessInfo.subsystem`	`principal.labels[source_process_subsystem]` (deprecated)
`sourceProcessInfo.subsystem`	`additional.fields[source_process_subsystem]`
	`principal.process.product_specific_process_id`	If the `sourceProcessInfo.uniqueId` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceProcessInfo.uniqueId}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`sourceProcessInfo.user`	`principal.user.user_display_name`
`threatInfo.initiatingUsername`	`principal.user.user_display_name`
`targetProcessInfo.tgtFileCreatedAt`	`target.process.file.first_seen_time`
`targetProcessInfo.tgtFileHashSha1`	`target.process.file.sha1`	If the `targetProcessInfo.tgtFileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `targetProcessInfo.tgtFileHashSha1` log field is mapped to the `target.process.file.sha1` UDM field.
`targetProcessInfo.tgtFileHashSha256`	`target.process.file.sha256`	If the `targetProcessInfo.tgtFileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `targetProcessInfo.tgtFileHashSha256` log field is mapped to the `target.process.file.sha256` UDM field.
`targetProcessInfo.tgtFileId`	`target.labels[target_file_id]` (deprecated)
`targetProcessInfo.tgtFileId`	`additional.fields[target_file_id]`
`targetProcessInfo.tgtFileIsSigned`	`target.process.file.signature_info.sigcheck.verification_message`
`targetProcessInfo.tgtFileModifiedAt`	`target.process.file.last_modification_time`
`targetProcessInfo.tgtFileOldPath`	`target.labels[target_file_old_path]` (deprecated)
`targetProcessInfo.tgtFileOldPath`	`additional.fields[target_file_old_path]`
`targetProcessInfo.tgtFilePath`	`target.process.file.full_path`
`targetProcessInfo.tgtProcCmdLine`	`target.process.command_line`
`targetProcessInfo.tgtProcImagePath`	`target.labels[target_process_image_path]` (deprecated)
`targetProcessInfo.tgtProcImagePath`	`additional.fields[target_process_image_path]`
`targetProcessInfo.tgtProcIntegrityLevel`	`target.labels[target_process_integrity_level]` (deprecated)
`targetProcessInfo.tgtProcIntegrityLevel`	`additional.fields[target_process_integrity_level]`
`targetProcessInfo.tgtProcName`	`target.labels[target_process_name]` (deprecated)
`targetProcessInfo.tgtProcName`	`additional.fields[target_process_name]`
`targetProcessInfo.tgtProcPid`	`target.process.pid`
`targetProcessInfo.tgtProcSignedStatus`	`target.labels[target_process_signed_status]` (deprecated)
`targetProcessInfo.tgtProcSignedStatus`	`additional.fields[target_process_signed_status]`
`targetProcessInfo.tgtProcStorylineId`	`target.labels[target_process_storyline_id]` (deprecated)
`targetProcessInfo.tgtProcStorylineId`	`additional.fields[target_process_storyline_id]`
	`target.process.product_specific_process_id`	If the `targetProcessInfo.tgtProcUid` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{targetProcessInfo.tgtProcUid}` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`targetProcessInfo.tgtProcessStartTime`	`target.labels[target_process_start_time]` (deprecated)
`targetProcessInfo.tgtProcessStartTime`	`additional.fields[target_process_start_time]`
`source_hostname`	`intermediary.hostname`
	`idm.is_alert`	The `idm.is_alert` UDM field is set to `TRUE`.
	`idm.is_significant`	The `idm.is_significant` UDM field is set to `TRUE`.
`agentDetectionInfo.accountId`	`metadata.product_deployment_id`
`agentDetectionInfo.accountName`	`principal.labels[agent_detection_info_account_name]` (deprecated)
`agentDetectionInfo.accountName`	`additional.fields[agent_detection_info_account_name]`
`agentDetectionInfo.agentDetectionState`	`principal.asset.attribute.labels[agent_detection_info_detection_state]`
`agentDetectionInfo.agentDomain`	`principal.administrative_domain`
`agentDetectionInfo.agentIpV4`	`principal.ip`
`agentDetectionInfo.agentIpV6`	`principal.ip`
`alertInfo.srcIp`	`principal.ip`
`alertInfo.srcMachineIp`	`principal.ip`
`agentDetectionInfo.agentIpV4`	`principal.asset.ip`
`agentDetectionInfo.agentIpV6`	`principal.asset.ip`
`alertInfo.srcIp`	`principal.asset.ip`
`alertInfo.srcMachineIp`	`principal.asset.ip`
`agentDetectionInfo.agentLastLoggedInUpn`	`principal.labels[agent_detection_info_last_logged_in_upn]` (deprecated)
`agentDetectionInfo.agentLastLoggedInUpn`	`additional.fields[agent_detection_info_last_logged_in_upn]`
`agentDetectionInfo.agentLastLoggedInUserMail`	`principal.user.email_addresses`
`agentDetectionInfo.agentLastLoggedInUserName`	`principal.user.attribute.labels[agent_last_loggedIn_user_name]`
`agentDetectionInfo.agentMitigationMode`	`principal.asset.attribute.labels[agent_detection_info_mitigation_mode]`
`agentDetectionInfo.agentRegisteredAt`	`principal.asset.first_discover_time`
`agentDetectionInfo.externalIp`	`principal.nat_ip`
`agentDetectionInfo.groupId`	`principal.group.attribute.labels[agent_detection_info_group_id]`
`agentRealtimeInfo.groupId`	`principal.group.attribute.labels[agent_realtime_info_group_id]`
`agentDetectionInfo.groupName`	`principal.group.group_display_name`	If the `agentDetectionInfo.groupName` log field value is not empty, then the `agentDetectionInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. If the `agentDetectionInfo.groupName` log field value is empty and the `agentRealtimeInfo.groupName` log field value is not empty, then the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. Else, the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.attribute.labels.agent_realtime_info_group_name` UDM field.
`agentRealtimeInfo.groupName`	`principal.group.group_display_name`	If the `agentDetectionInfo.groupName` log field value is not empty, then the `agentDetectionInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. If the `agentDetectionInfo.groupName` log field value is empty and the `agentRealtimeInfo.groupName` log field value is not empty, then the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. Else, the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.attribute.labels.agent_realtime_info_group_name` UDM field.
`agentDetectionInfo.siteName`	`principal.labels[agent_detection_info_site_name]` (deprecated)
`agentDetectionInfo.siteName`	`additional.fields[agent_detection_info_site_name]`
`agentRealtimeInfo.siteName`	`principal.labels[agent_realtime_info_site_name]` (deprecated)
`agentRealtimeInfo.siteName`	`additional.fields[agent_realtime_info_site_name]`
`agentRealtimeInfo.accountId`	`principal.labels[agent_realtime_info_account_id]` (deprecated)
`agentRealtimeInfo.accountId`	`additional.fields[agent_realtime_info_account_id]`
`agentRealtimeInfo.accountName`	`principal.labels[agent_realtime_info_account_name]` (deprecated)
`agentRealtimeInfo.accountName`	`additional.fields[agent_realtime_info_account_name]`
`agentRealtimeInfo.activeThreats`	`security_result.detection_fields[agent_realtime_info_active_threats]`
`agentRealtimeInfo.agentDecommissionedAt`	`principal.asset.attribute.labels[agent_realtime_info_agent_decommissioned_at]`
`agentRealtimeInfo.agentDomain`	`principal.labels[agent_realtime_info_domain]` (deprecated)
`agentRealtimeInfo.agentDomain`	`additional.fields[agent_realtime_info_domain]`
`agentRealtimeInfo.agentId`	`principal.asset.attribute.labels[agent_realtime_info_agent_id]`
`agentRealtimeInfo.agentMitigationMode`	`principal.asset.attribute.labels[agent_realtime_info_mitigation_mode]`
`agentRealtimeInfo.agentNetworkStatus`	`principal.labels[agent_realtime_info_network_status]` (deprecated)
`agentRealtimeInfo.agentNetworkStatus`	`additional.fields[agent_realtime_info_network_status]`
`agentRealtimeInfo.agentOsType`	`principal.labels[agent_realtime_info_os_type]` (deprecated)
`agentRealtimeInfo.agentOsType`	`additional.fields[agent_realtime_info_os_type]`
`agentRealtimeInfo.networkInterfaces.id`	`principal.labels[network_interface_id]`
`agentRealtimeInfo.networkInterfaces.name`	`principal.labels[network_interface_name]`
`agentRealtimeInfo.networkInterfaces.physical`	`principal.labels[network_interface_physical]`
`agentRealtimeInfo.operationalState`	`principal.asset.attribute.labels[agent_realtime_info_operational_State]`
`agentRealtimeInfo.rebootRequired`	`principal.labels[agent_realtime_info_reboot_required]` (deprecated)
`agentRealtimeInfo.rebootRequired`	`additional.fields[agent_realtime_info_reboot_required]`
`agentRealtimeInfo.scanAbortedAt`	`security_result.detection_fields[agent_realtime_info_scan_aborted_at]`
`agentRealtimeInfo.scanFinishedAt`	`security_result.detection_fields[agent_realtime_info_scan_finished_at]`
`agentRealtimeInfo.scanStartedAt`	`security_result.detection_fields[agent_realtime_info_scan_started_at]`
`agentRealtimeInfo.scanStatus`	`security_result.detection_fields[agent_realtime_info_scan_status]`
`agentRealtimeInfo.siteId`	`principal.labels[agent_realtime_info_site_id]` (deprecated)
`agentRealtimeInfo.siteId`	`additional.fields[agent_realtime_info_site_id]`
`agentRealtimeInfo.storageName`	`principal.resource.name`
	`principal.resource.resource_type`	If the `agentRealtimeInfo.storageName` log field value is not empty, then the `principal.resource.resource_type` UDM field is set to `STORAGE_OBJECT`.
`agentRealtimeInfo.storageType`	`principal.resource.resource_subtype`
`agentRealtimeInfo.userActionsNeeded`	`security_result.detection_fields[agent_realtime_info_user_actions_needed]`	If the `agentRealtimeInfo.userActionsNeeded` log field value is not empty, then the `agentRealtimeInfo.userActionsNeeded` log field is mapped to the `security_result.detection_fields.agent_realtime_info_user_actions_needed` UDM field.
`containerInfo.isContainerQuarantine`	`target.resource.attribute.labels[container_is_container_quarantine]`
`indicators.category`	`security_result.category_details`
`indicators.categoryId`	`security_result.detection_fields[indicators_category_id]`
`indicators.description`	`security_result.description`
`indicators.ids`	`security_result.detection_fields[indicators_ids]`
	`security_result.attack_details.tactics.id`
`indicators.tactics.name`	`security_result.attack_details.tactics.name`	If the `indicators.tactics.name` log field value is not empty, then the `indicators.tactics.name` log field is mapped to the `security_result.attack_details.tactics.name` UDM field.
`indicators.tactics.source`	`security_result.detection_fields[indicators_tactics_source]`
`indicators.tactics.techniques.link`	`security_result.detection_fields[indicators_tactics_techniques_link]`
`indicators.tactics.techniques.name`	`security_result.attack_details.techniques.id`	If the `indicators.tactics.techniques.name` log field value is not empty, then the `indicators.tactics.techniques.name` log field is mapped to the `security_result.attack_details.techniques.id` UDM field.
	`security_result.attack_details.techniques.name`
	`security_result.attack_details.techniques.subtechnique_id`
	`security_result.attack_details.techniques.subtechnique_name`
`kubernetesInfo.isContainerQuarantine`	`target.resource_ancestors.attribute.labels[kubernetes_is_container_quarantine]`
`kubernetesInfo.nodeLabels`	`target.resource_ancestors.attribute.labels[kubernetes_node_labels]`
`mitigationStatus.action`	`security_result.detection_fields[mitigation_status_action]`
`mitigationStatus.actionsCounters.failed`	`security_result.detection_fields[mitigation_status_actions_counters_failed]`
`mitigationStatus.actionsCounters.notFound`	`security_result.detection_fields[mitigation_status_actions_counters_not_Found]`
`mitigationStatus.actionsCounters.pendingReboot`	`security_result.detection_fields[mitigation_status_actions_counters_pending_reboot]`
`mitigationStatus.actionsCounters.success`	`security_result.detection_fields[mitigation_status_actions_counters_success]`
`mitigationStatus.actionsCounters.total`	`security_result.detection_fields[mitigation_status_actions_counters_total]`
`mitigationStatus.agentSupportsReport`	`security_result.detection_fields[mitigation_status_agent_supports_report]`
`mitigationStatus.groupNotFound`	`security_result.detection_fields[mitigation_status_group_not_found]`
`mitigationStatus.lastUpdate`	`security_result.detection_fields[mitigation_status_last_update]`
`mitigationStatus.latestReport`	`security_result.detection_fields[mitigation_status_last_report]`
`mitigationStatus.mitigationEndedAt`	`security_result.detection_fields[mitigation_status_mitigation_ended_at]`
`mitigationStatus.mitigationStartedAt`	`security_result.detection_fields[mitigation_status_mitigation_started_at]`
`mitigationStatus.status`	`security_result.detection_fields[mitigation_status]`
`threatInfo.analystVerdict`	`security_result.detection_fields[analystVerdict]`
`threatInfo.analystVerdictDescription`	`security_result.detection_fields[analyst_verdict_description]`
`threatInfo.automaticallyResolved`	`security_result.detection_fields[automatically_resolved]`
`threatInfo.browserType`	`security_result.detection_fields[browser_type]`
`threatInfo.certificateId`	`security_result.detection_fields[certificate_id]`
`threatInfo.classification`	`security_result.category_details`
	`security_result.category`	If the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `Malware` `Ransomware` `Linux.Malware` `OSX.Malware` `Manual` Else, if the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `Trojan` `miner` `Virus` `Malicious PDF` `Worm` `Rootkit` `Infostealer` `Lateral Movement` `Generic.Heuristic` `Downloader` `Backdoor` `Hacktool` `Browser` `Dialer` `Installer` `Packed` `Network` `Spyware` `Interactive shell` `Remote shell` Else, if the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. `Lateral Movement` `Remote shell` Else, if the `threatInfo.classification` log field value is equal to `Exploit`, then the `security_result.category` UDM field is set to `EXPLOIT`. Else, if the `threatInfo.classification` log field value is equal to `Application Control`, then the `security_result.category` UDM field is set to `UNKNOWN_CATEGORY`. If the `alertInfo.eventType` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `BEHAVIORALINDICATORS` `MALICIOUSFILE`
`threatInfo.classificationSource`	`security_result.detection_fields[classification_source]`
`threatInfo.cloudFilesHashVerdict`	`security_result.detection_fields[cloud_Files_hash_verdict]`
`threatInfo.collectionId`	`security_result.detection_fields[collection_id]`
`threatInfo.confidenceLevel`	`security_result.confidence_details`
	`security_result.confidence`	If the `threatInfo.confidenceLevel` log field value is equal to `malicious`, then the `security_result.confidence` UDM field is set to `HIGH_CONFIDENCE`. Else, if the `threatInfo.confidenceLevel` log field value is equal to `suspicious`, then the `security_result.confidence` UDM field is set to `MEDIUM_CONFIDENCE`.
`threatInfo.createdAt`	`metadata.collected_timestamp`
`threatInfo.detectionEngines`	`security_result.detection_fields[detection_engines]`	If the `threatInfo.detectionEngines` log field value is not empty, then the `threatInfo.detectionEngines` log field is mapped to the `security_result.detection_fields.detection_engines` UDM field.
`threatInfo.detectionEngines.key`	`security_result.detection_fields[detection_engines_key]`	If the `threatInfo.detectionEngines.key` log field value is not empty, then the `threatInfo.detectionEngines.key` log field is mapped to the `security_result.detection_fields.detection_engines_key` UDM field.
`threatInfo.detectionEngines.title`	`security_result.detection_fields[detection_engines_title]`	If the `threatInfo.detectionEngines.title` log field value is not empty, then the `threatInfo.detectionEngines.title` log field is mapped to the `security_result.detection_fields.detection_engines_title` UDM field.
`threatInfo.detectionType`	`security_result.detection_fields[detection_type]`
`threatInfo.engines`	`security_result.detection_fields[engines]`	If the `threatInfo.engines` log field value is not empty, then the `threatInfo.engines` log field is mapped to the `security_result.detection_fields.engines` UDM field.
`threatInfo.externalTicketExists`	`security_result.detection_fields[external_ticket_exists]`
`threatInfo.externalTicketExists.description`	`security_result.detection_fields[external_ticket_exists_description]`
`threatInfo.externalTicketExists.readOnly`	`security_result.detection_fields[external_ticket_exists_readOnly]`
`threatInfo.externalTicketId`	`security_result.detection_fields[external_ticket_id]`
`threatInfo.failedActions`	`security_result.detection_fields[failed_actions]`
`threatInfo.fileExtension`	`target.file.mime_type`
`threatInfo.fileExtensionType`	`security_result.detection_fields[file_extension_type]`
`threatInfo.filePath`	`target.file.full_path`
`threatInfo.filePath.description`	`security_result.detection_fields[file_path_description]`
`threatInfo.filePath.readOnly`	`security_result.detection_fields[file_path_readOnly]`
`threatInfo.fileSize`	`target.file.size`
`threatInfo.fileVerificationType`	`security_result.detection_fields[file_verification_type]`
`threatInfo.incidentStatus`	`security_result.detection_fields[incident_status]`
`threatInfo.incidentStatusDescription`	`security_result.detection_fields[incident_status_description]`
`threatInfo.incidentStatusDescription.description`	`security_result.detection_fields[incident_status_description]`
`threatInfo.incidentStatusDescription.readOnly`	`security_result.detection_fields[incident_status_description_readOnly]`
`threatInfo.initiatedBy`	`security_result.detection_fields[initiatedBy]`
`threatInfo.initiatedByDescription`	`security_result.detection_fields[initiatedBy_description]`
`threatInfo.initiatedByDescription.description`	`security_result.detection_fields[initiatedBy_description]`
`threatInfo.initiatedByDescription.readOnly`	`security_result.detection_fields[initiatedBy_description_readOnly]`
`threatInfo.initiatingUserId`	`principal.user.attribute.labels[initiating_user_id]`
`threatInfo.isFileless`	`security_result.detection_fields[is_fileless]`
`threatInfo.isFileless.description`	`security_result.detection_fields[is_fileless_description]`
`threatInfo.isFileless.readOnly`	`security_result.detection_fields[is_fileless_readOnly]`
`threatInfo.isValidCertificate`	`security_result.detection_fields[is_valid_certificate]`
`threatInfo.maliciousProcessArguments`	`security_result.detection_fields[malicious_process_arguments]`
`threatInfo.md5`	`target.file.md5`	If the `threatInfo.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `threatInfo.md5` log field is mapped to the `target.file.md5` UDM field.
`threatInfo.mitigatedPreemptively`	`security_result.detection_fields[mitigated_preemptively]`
`threatInfo.mitigationStatus`	`security_result.action_details`
	`security_result.threat_status`	If the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.threat_status` UDM field is set to `CLEARED`. `mitigated` `marked_as_benign` `blocked` `suspicious_resolved` Else, if the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.threat_status` UDM field is set to `ACTIVE`. `active` `suspicious` `pending` `not_mitigated`
`threatInfo.mitigationStatusDescription`	`security_result.detection_fields[mitigation_status_description]`
`threatInfo.mitigationStatusDescription.description`	`security_result.detection_fields[mitigation_status_description]`
`threatInfo.mitigationStatusDescription.readOnly`	`security_result.detection_fields[mitigation_status_description_readOnly]`
`threatInfo.originatorProcess`	`principal.process.parent_process.file.names`
`threatInfo.pendingActions`	`security_result.detection_fields[pending_actions]`
`threatInfo.processUser`	`principal.user.userid`
`threatInfo.publisherName`	`security_result.threat_feed_name`
`threatInfo.reachedEventsLimit`	`security_result.detection_fields[reached_events_limit]`
`threatInfo.rebootRequired`	`security_result.detection_fields[reboot_required]`
`threatInfo.sha1`	`target.file.sha1`	If the `threatInfo.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$"`, then the `threatInfo.sha1` log field is mapped to the `target.file.sha1` UDM field.
`threatInfo.sha256`	`target.file.sha256`	If the `threatInfo.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$"`, then the `threatInfo.sha256` log field is mapped to the `target.file.sha256` UDM field.
`threatInfo.storyline`	`security_result.detection_fields[storyline]`
`threatInfo.threatId`	`security_result.threat_id`
`threatInfo.threatName`	`security_result.threat_name`
`threatInfo.threatName`	`target.file.names`
`threatInfo.updatedAt`	`security_result.detection_fields[updatedAt]`
`whiteningOptions`	`about.labels[whitening_options]`	If the `whiteningOptions` log field value is not empty, then the `whiteningOptions` log field is mapped to the `about.labels.whitening_options` UDM field.
`agentDetectionInfo.cloudProviders.AWS.awsRole`	`principal.resource.attribute.roles.name`
`agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups`	`principal.resource.attribute.labels[cloud_providers_AWS_security_groups]`	If the `agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_security_groups` UDM field.
`agentDetectionInfo.cloudProviders.AWS.awsSubnetIds`	`principal.resource.attribute.labels[cloud_providers_AWS_subnet_ids]`	If the `agentDetectionInfo.cloudProviders.AWS.awsSubnetIds` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.awsSubnetIds` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_subnet_ids` UDM field.
`agentDetectionInfo.cloudProviders.AWS.cloudAccount`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_account]`
`agentDetectionInfo.cloudProviders.AWS.cloudImage`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_image]`
`agentDetectionInfo.cloudProviders.AWS.cloudInstanceId`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_id]`
`agentDetectionInfo.cloudProviders.AWS.cloudInstanceSize`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_size]`
`agentDetectionInfo.cloudProviders.AWS.cloudLocation`	`principal.resource.attribute.cloud.availability_zone`
`agentDetectionInfo.cloudProviders.AWS.cloudNetwork`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_network]`
`agentDetectionInfo.cloudProviders.AWS.cloudTags`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_tags]`	If the `agentDetectionInfo.cloudProviders.AWS.cloudTags` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.cloudTags` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_cloud_tags` UDM field.
`modular_input_consumption_time`	`about.labels[modular_input_consumption_time]` (deprecated)
`modular_input_consumption_time`	`additional.fields[modular_input_consumption_time]`
`timestamp`	`about.labels[timestamp]` (deprecated)
`timestamp`	`additional.fields[timestamp]`
`updatedAt`	`about.labels[updatedAt]` (deprecated)
`updatedAt`	`additional.fields[updatedAt]`

¿Qué sigue?

Transferencia de datos a Google Security Operations