Halaman ini diterjemahkan oleh Cloud Translation API.

Mengumpulkan log Pemberitahuan SentinelOne

Didukung di:

Google SecOps SIEM

Dokumen ini menjelaskan cara mengumpulkan log Pemberitahuan SentinelOne dengan menyiapkan feed Google Security Operations dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Google SecOps.

Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google Security Operations.

Deployment standar terdiri dari SentinelOne Alert dan feed Google SecOps yang dikonfigurasi untuk mengirim log ke Google SecOps. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.

Deployment berisi komponen berikut:

SentinelOne: Produk tempat Anda mengumpulkan log.
Feed Google SecOps: Feed Google SecOps yang mengambil log dari SentinelOne dan menulis log ke Google SecOps.
Google SecOps: Google SecOps menyimpan dan menganalisis log dari SentinelOne.

Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser dengan label transfer SENTINELONE_ALERT.

Sebelum memulai

Pastikan Anda memiliki langganan Singularity Complete yang aktif untuk SentinelOne. Lihat Paket Platform untuk mengetahui detail selengkapnya.
Pastikan Anda menggunakan GET Alerts dan GET Threats API v2.1.
Pastikan Anda memiliki peran admin untuk tingkat Global atau Akun. Untuk mendapatkan peran admin, hubungi pengguna administrator Anda.
Pastikan Anda memiliki hak administrator untuk menginstal agen SentinelOne. Untuk mendapatkan hak administrator, hubungi pengguna administrator Anda.

Mengonfigurasi feed di Google SecOps untuk memuat log Pemberitahuan SentinelOne

Untuk menyiapkan feed transfer, lakukan hal berikut:

Dari menu Google SecOps, pilih Setelan, lalu klik Feed.
Klik Tambahkan baru.
Pilih API pihak ketiga sebagai Jenis sumber dan Notifikasi Sentinelone sebagai Jenis log.
Klik Berikutnya dan isi Header HTTP autentikasi, Nama host API, Waktu mulai awal, Apakah API pemberitahuan berlangganan, dan Namespace aset untuk instance SentinelOne Anda.

Anda memerlukan token API untuk mengisi Header HTTP autentikasi. Kunci ini dapat dibuat dari SentinelOne dan digunakan kembali untuk pembuatan feed di masa mendatang. Untuk membuat token API, ikuti langkah-langkah berikut:
1. Di konsol pengelolaan SentinelOne, buka Setelan, lalu klik Pengguna.
2. Klik Pengguna admin yang token API-nya ingin Anda buat.
3. Klik Actions > API token operations > Generate API token.
4. Di Header HTTP autentikasi, masukkan token API yang dihasilkan dalam format Authorization: ApiToken Token Value.
Centang kotak Apakah API pemberitahuan berlangganan untuk mengumpulkan peristiwa Pemberitahuan SentinelOne.
Klik Berikutnya, lalu Kirim.

Format log Pemberitahuan SentinelOne yang didukung

Parser Pemberitahuan SentinelOne mendukung log dalam format JSON dan CSV.

Jenis log Pemberitahuan SentinelOne yang didukung

Parser Pemberitahuan SentinelOne mendukung jenis log pemberitahuan dan ancaman.

Referensi pemetaan kolom

Bagian ini menjelaskan cara parser Google SecOps memetakan kolom Pemberitahuan SentinelOne ke kolom Unified Data Model (UDM) Google SecOps.

Referensi pemetaan kolom: ID Peristiwa ke Jenis Peristiwa

Tabel berikut mencantumkan jenis log SENTINELONE_ALERT dan jenis peristiwa UDM yang sesuai.

Event Identifier	Event Type	Security Category
`BEHAVIORALINDICATORS`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS`
`DNS`	`NETWORK_DNS`
`DUPLICATEPROCESS`	`PROCESS_UNCATEGORIZED`
`FILECREATION`	`FILE_CREATION`
`FILEDELETION`	`FILE_DELETION`
`FILEMODIFICATION`	`FILE_MODIFICATION`
`FILERENAME`	`FILE_MODIFICATION`
`FILESCAN`	`SCAN_FILE`
`HTTP`	`NETWORK_HTTP`
`MALICIOUSFILE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`OPENPROCESS`	`PROCESS_OPEN`
`PROCESSCREATION`	`PROCESS_LAUNCH`
`REGKEYCREATE`	`REGISTRY_CREATION`
`REGKEYDELETE`	`REGISTRY_DELETION`
`REGVALUECREATE`	`REGISTRY_CREATION`
`REGVALUEDELETE`	`REGISTRY_DELETION`
`REGVALUEMODIFIED`	`REGISTRY_MODIFICATION`
`SCHEDTASKSTART`	`SERVICE_START`
`SCHEDTASKTRIGGER`	`SERVICE_START`
`SCHEDTASKUPDATE`	`SERVICE_MODIFICATION`
`SCRIPTS`	`FILE_UNCATEGORIZED`
`TCPV4`	`NETWORK_UNCATEGORIZED`
`TCPV4LISTEN`	`NETWORK_UNCATEGORIZED`
`WINLOGONATTEMPT`	`USER_LOGIN`
If the `threatInfo.filePath` log field is not empty or the `threatInfo.fileSize` log field value is not empty, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`.	`FILE_UNCATEGORIZED`

Referensi pemetaan kolom: SENTINELONE_ALERT

Tabel berikut mencantumkan kolom log dari jenis log SENTINELONE_ALERT dan kolom UDM yang sesuai.

Log field	UDM mapping	Logic
	`metadata.vendor_name`
	`metadata.product_name`
	`metadata.url_back_to_product`	If the `threatInfo.threatId` log field value is not empty and the `source_hostname` log field value is not empty, then the `https://source_hostname/incidents/threats/threatInfo.threatId/overview` log field is mapped to the `metadata.url_back_to_product` UDM field. Else, if the `source_hostname` log field value is not empty, then the `https://source_hostname` log field is mapped to the `metadata.url_back_to_product` UDM field.
`agentDetectionInfo.machineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentDetectionInfo.machineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentDetectionInfo.machineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentRealtimeInfo.agentMachineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value is empty and the `agentRealtimeInfo.agentMachineType` log field value is not empty , then: If the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentRealtimeInfo.agentMachineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentRealtimeInfo.agentMachineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentRealtimeInfo.machineType`	`principal.asset.type`	If the `agentDetectionInfo.machineType` log field value is empty and the `agentRealtimeInfo.agentMachineType` log field value is empty and the `agentRealtimeInfo.machineType` log field value is not empty , then: If the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `agentRealtimeInfo.machineType` log field value matches the regular expression pattern `server`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, the `agentRealtimeInfo.machineType` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_machine_type` UDM field.
`agentDetectionInfo.name`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentRealtimeInfo.agentComputerName`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentRealtimeInfo.name`	`principal.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.hostname` UDM field.
`agentDetectionInfo.name`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentRealtimeInfo.agentComputerName`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentRealtimeInfo.name`	`principal.asset.hostname`	If the `agentDetectionInfo.name` log field value is not empty, then the `agentDetectionInfo.name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.agentComputerName` log field value is not empty, then the `agentRealtimeInfo.agentComputerName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `agentRealtimeInfo.name` log field value is not empty, then the `agentRealtimeInfo.name` log field is mapped to the `principal.asset.hostname` UDM field.
`agentDetectionInfo.osFamily`	`principal.asset.platform_software.platform`	If the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)win`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)lin`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, the `agentDetectionInfo.osFamily` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_os_family` UDM field.
`agentRealtimeInfo.os`	`principal.asset.platform_software.platform`	If the `agentDetectionInfo.osFamily` log field value is empty and the `agentRealtimeInfo.os` log field value is not empty , then: If the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)win`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)lin`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, the `agentRealtimeInfo.os` log field is mapped to the `principal.asset.attribute.labels.agent_detection_info_os_family` UDM field.
`agentDetectionInfo.osFamily`	`principal.platform`	If the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)win`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `agentDetectionInfo.osFamily` log field value matches the regular expression pattern `(?i)lin`, then the `principal.platform` UDM field is set to `LINUX`
`agentRealtimeInfo.os`	`principal.platform`	If the `agentDetectionInfo.osFamily` log field value is empty and the `agentRealtimeInfo.os` log field value is not empty , then: If the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)win`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `agentRealtimeInfo.os` log field value matches the regular expression pattern `(?i)lin`, then the `principal.platform` UDM field is set to `LINUX`.
`agentDetectionInfo.osName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentDetectionInfo.agentOsName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentRealtimeInfo.agentOsName`	`principal.asset.platform_software.platform_version`	If the `agentDetectionInfo.osName` log field value is not empty, then the `agentDetectionInfo.osName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentDetectionInfo.agentOsName` log field value is not empty, then the `agentDetectionInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field. Else, if the `agentRealtimeInfo.agentOsName` log field value is not empty, then the `agentRealtimeInfo.agentOsName` log field is mapped to the `principal.asset.platform_software.platform_version` UDM field.
`agentDetectionInfo.osRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentDetectionInfo.agentOsRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentRealtimeInfo.agentOsRevision`	`principal.asset.platform_software.platform_patch_level`	If the `agentDetectionInfo.osRevision` log field value is not empty, then the `agentDetectionInfo.osRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentDetectionInfo.agentOsRevision` log field value is not empty, then the `agentDetectionInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field. Else, if the `agentRealtimeInfo.agentOsRevision` log field value is not empty, then the `agentRealtimeInfo.agentOsRevision` log field is mapped to the `principal.asset.platform_software.platform_patch_level` UDM field.
`agentDetectionInfo.siteId`	`principal.labels[agent_detection_info_siteId]` (deprecated)
`agentDetectionInfo.siteId`	`additional.fields[agent_detection_info_siteId]`
`agentDetectionInfo.uuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentDetectionInfo.agentUuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentRealtimeInfo.uuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentRealtimeInfo.agentUuid`	`principal.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset_id` UDM field.
`agentDetectionInfo.uuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentDetectionInfo.agentUuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentRealtimeInfo.uuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentRealtimeInfo.agentUuid`	`principal.asset.asset_id`	If the `agentDetectionInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentDetectionInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentDetectionInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.uuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.uuid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `agentRealtimeInfo.agentUuid` log field value is not empty, then the `SentinelOne:%{agentRealtimeInfo.agentUuid}` log field is mapped to the `principal.asset.asset_id` UDM field.
`agentDetectionInfo.version`	`principal.asset.attribute.labels[agent_version]`
`agentDetectionInfo.agentVersion`	`principal.asset.attribute.labels[agent_detection_info_agent_version]`
`agentRealtimeInfo.agentVersion`	`principal.asset.attribute.labels[agent_realtime_info_agent_version]`
`agentRealtimeInfo.id`	`principal.asset.attribute.labels[agent_realtime_info_id]`
`agentRealtimeInfo.infected`	`principal.asset.attribute.labels[agent_realtime_info_infected]`
`agentRealtimeInfo.agentInfected`	`principal.asset.attribute.labels[agent_realtime_info_infected]`
`agentRealtimeInfo.isActive`	`principal.asset.attribute.labels[agent_realtime_info_is_active]`
`agentRealtimeInfo.agentIsActive`	`principal.asset.attribute.labels[agent_realtime_info_is_active]`
`agentRealtimeInfo.isDecommissioned`	`principal.asset.attribute.labels[agent_realtime_info_is_decommissioned]`
`agentRealtimeInfo.agentIsDecommissioned`	`principal.asset.attribute.labels[agent_realtime_info_is_decommissioned]`
`alertInfo.alertId`	`metadata.product_log_id`
`id`	`metadata.product_log_id`
	`metadata.product_event_type`	If the log matches the regular expression pattern `alertInfo`, then the `metadata.product_event_type` UDM field is set to `Alerts`. Else, if the log matches the regular expression pattern `threatInfo`, then the `metadata.product_event_type` UDM field is set to `Threats`.
`alertInfo.analystVerdict`	`security_result.detection_fields[alert_info_analyst_verdict]`
`alertInfo.createdAt`	`metadata.event_timestamp`	If the `alertInfo.createdAt` log field value is not empty, then the `alertInfo.createdAt` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `threatInfo.identifiedAt` log field value is not empty, then the `threatInfo.identifiedAt` log field is mapped to the `metadata.event_timestamp` UDM field.
`threatInfo.identifiedAt`	`metadata.event_timestamp`	If the `alertInfo.createdAt` log field value is not empty, then the `alertInfo.createdAt` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `threatInfo.identifiedAt` log field value is not empty, then the `threatInfo.identifiedAt` log field is mapped to the `metadata.event_timestamp` UDM field.
	`network.application_protocol`	If the `alertInfo.dnsRequest` log field value is not empty, then the `network.application_protocol` UDM field is set to `DNS`.
`alertInfo.dnsRequest`	`network.dns.questions.name`
`alertInfo.dnsResponse`	`network.dns.answers.name`
`alertInfo.dstIp`	`target.ip`
`alertInfo.dstPort`	`target.port`
`alertInfo.dvEventId`	`security_result.detection_fields[alert_info_dv_event_id]`
`alertInfo.eventType`	`security_result.detection_fields[alert_info_event_type]`
`alertInfo.hitType`	`security_result.detection_fields[alert_info_hit_type]`
`alertInfo.incidentStatus`	`security_result.detection_fields[alert_info_incident_status]`
`alertInfo.indicatorCategory`	`security_result.detection_fields[alert_info_indicator_category]`
`alertInfo.indicatorDescription`	`security_result.detection_fields[alert_info_indicator_description]`
`alertInfo.indicatorName`	`security_result.detection_fields[alert_info_indicator_name]`
`alertInfo.isEdr`	`security_result.detection_fields[alert_info_is_edr]`
`alertInfo.loginAccountDomain`	`security_result.detection_fields[alert_info_login_account_domain]`
`alertInfo.loginAccountSid`	`security_result.detection_fields[alert_info_login_account_sid]`
`alertInfo.loginIsAdministratorEquivalent`	`security_result.detection_fields[alert_info_login_is_administrator_equivalent]`
	`security_result.action`	If the `alertInfo.loginIsSuccessful` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. else the `alertInfo.loginIsSuccessful` log field value is equal to `false`, then the `security_result.action` UDM field is set to `BLOCK`. If the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.action` UDM field is set to `BLOCK`. `mitigated` `marked_as_benign` `blocked` `suspicious_resolved` Else, if the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.action` UDM field is set to `ALLOW`. `active` `suspicious` `pending` `not_mitigated`
	`extensions.auth.mechanism`	If the `alertInfo.loginType` log field value is equal to `NETWORK`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `alertInfo.loginType` log field value is equal to `SYSTEM`, then the `extensions.auth.mechanism` UDM field is set to `LOCAL`. Else, if the `alertInfo.loginType` log field value is equal to `INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `BATCH`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `alertInfo.loginType` log field value is equal to `SERVICE`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `alertInfo.loginType` log field value is equal to `UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `UNLOCK`. Else, if the `alertInfo.loginType` log field value is equal to `NETWORK_CLEAR_TEXT`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK_CLEAR_TEXT`. Else, if the `alertInfo.loginType` log field value is equal to `NEW_CREDENTIALS`, then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS`. Else, if the `alertInfo.loginType` log field value is equal to `REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_REMOTE_INTERACTIVE`. Else, if the `alertInfo.loginType` log field value is equal to `CACHED_UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_UNLOCK`.
`alertInfo.loginsUserName`	`target.user.user_display_name`
`alertInfo.modulePath`	`security_result.detection_fields[alert_info_module_path]`
`alertInfo.moduleSha1`	`security_result.detection_fields[alert_info_module_sha1]`
`alertInfo.netEventDirection`	`network.direction`	If the `alertInfo.netEventDirection` log field value matches the regular expression pattern `OUTGOING`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `alertInfo.netEventDirection` log field value matches the regular expression pattern `INCOMING`, then the `network.direction` UDM field is set to `INBOUND`.
`alertInfo.registryKeyPath`	`target.registry.registry_key`
`alertInfo.registryOldValue`	`src.registry.registry_value_data`
`alertInfo.registryOldValueType`	`src.registry.registry_value_name`
`alertInfo.registryPath`	`src.registry.registry_key`
`alertInfo.registryValue`	`target.registry.registry_value_data`
`alertInfo.reportedAt`	`security_result.first_discovered_time`
`alertInfo.source`	`security_result.category_details`
`alertInfo.srcPort`	`principal.port`
`alertInfo.tiIndicatorComparisonMethod`	`security_result.detection_fields[alert_info_tiIndicator_comparison_method]`
`alertInfo.tiIndicatorSource`	`security_result.detection_fields[alert_info_tiIndicator_source]`
`alertInfo.tiIndicatorType`	`security_result.detection_fields[alert_info_tiIndicator_type]`
`alertInfo.tiIndicatorValue`	`security_result.detection_fields[alert_info_tiIndicator_value]`
`alertInfo.updatedAt`	`security_result.detection_fields[alert_info_updated_at]`
`containerInfo.id`	`target.resource.product_object_id`
`containerInfo.image`	`target.resource.attribute.labels[container_image]`
`containerInfo.labels`	`target.resource.attribute.labels[container_labels]`	If the `containerInfo.labels` log field value is not empty, then the `containerInfo.labels` log field is mapped to the `target.resource.attribute.labels.container_labels` UDM field.
`containerInfo.name`	`target.resource.name`
	`target.resource.resource_type`	If the `containerInfo.name` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `CONTAINER`.
`kubernetesInfo.cluster`	`target.resource_ancestors.name`
`kubernetesInfo.controllerName`	`target.resource_ancestors.name`
`kubernetesInfo.node`	`target.resource_ancestors.name`
`kubernetesInfo.pod`	`target.resource_ancestors.name`
	`target.resource_ancestors.resource_type`	If the `kubernetesInfo.pod` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `POD`. If the `kubernetesInfo.cluster` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.isContainerQuarantine` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.controllerName` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`. If the `kubernetesInfo.node` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`.
`kubernetesInfo.controllerKind`	`target.resource_ancestors.attribute.labels[kubernetes_controller_kind]`
`kubernetesInfo.controllerLabels`	`target.resource_ancestors.attribute.labels[kubernetes_controller_labels]`	If the `kubernetesInfo.controllerLabels` log field value is not empty, then the `kubernetesInfo.controllerLabels` log field is mapped to the `target.resource_ancestors.attribute.labels.kubernetes_controller_labels` UDM field.
`kubernetesInfo.namespace`	`target.resource_ancestors.attribute.labels[kubernetes_namespace]`
`kubernetesInfo.namespaceLabels`	`target.resource_ancestors.attribute.labels[kubernetes_namespace_labels]`
`kubernetesInfo.podLabels`	`target.resource_ancestors.attribute.labels[kubernetes_pod_labels]`	If the `kubernetesInfo.podLabels` log field value is not empty, then the `kubernetesInfo.podLabels` log field is mapped to the `target.resource_ancestors.attribute.labels.kubernetes_pod_labels` UDM field.
`ruleInfo.description`	`security_result.rule_set_display_name`
`ruleInfo.id`	`security_result.rule_id`
`ruleInfo.name`	`security_result.rule_name`
`ruleInfo.queryLang`	`security_result.rule_labels[query_lang]`
`ruleInfo.queryType`	`security_result.rule_labels[query_type]`
`ruleInfo.s1ql`	`security_result.rule_labels[s1ql]`
`ruleInfo.scopeLevel`	`security_result.rule_labels[scope_level]`
	`security_result.severity`	If the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)low`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)critical`, then the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `ruleInfo.severity` log field value matches the regular expression pattern `(?i)high`, then the `security_result.severity` UDM field is set to `HIGH`.
`ruleInfo.severity`	`security_result.severity_details`
`ruleInfo.treatAsThreat`	`security_result.rule_type`
`sourceParentProcessInfo.commandline`	`principal.process.parent_process.command_line`
`sourceParentProcessInfo.fileHashMd5`	`principal.process.parent_process.file.md5`	If the `sourceParentProcessInfo.fileHashMd5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `sourceParentProcessInfo.fileHashMd5` log field is mapped to the `principal.process.parent_process.file.md5` UDM field.
`sourceParentProcessInfo.fileHashSha1`	`principal.process.parent_process.file.sha1`	If the `sourceParentProcessInfo.fileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `sourceParentProcessInfo.fileHashSha1` log field is mapped to the `principal.process.parent_process.file.sha1` UDM field.
`sourceParentProcessInfo.fileHashSha256`	`principal.process.parent_process.file.sha256`	If the `sourceParentProcessInfo.fileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `sourceParentProcessInfo.fileHashSha256` log field is mapped to the `principal.process.parent_process.file.sha256` UDM field.
`sourceParentProcessInfo.filePath`	`principal.process.parent_process.file.full_path`
`sourceParentProcessInfo.fileSignerIdentity`	`principal.process.parent_process.file.signature_info.sigcheck.signers.name`
`sourceParentProcessInfo.integrityLevel`	`principal.labels[source_parent_process_integrity_level]` (deprecated)
`sourceParentProcessInfo.integrityLevel`	`additional.fields[source_parent_process_integrity_level]`
`sourceParentProcessInfo.name`	`principal.labels[source_parent_process_name]` (deprecated)
`sourceParentProcessInfo.name`	`additional.fields[source_parent_process_name]`
`sourceParentProcessInfo.pid`	`principal.process.parent_process.pid`
`sourceParentProcessInfo.pidStarttime`	`principal.labels[source_parent_process_pid_start_time]` (deprecated)
`sourceParentProcessInfo.pidStarttime`	`additional.fields[source_parent_process_pid_start_time]`
`sourceParentProcessInfo.storyline`	`principal.labels[source_parent_process_storyline]` (deprecated)
`sourceParentProcessInfo.storyline`	`additional.fields[source_parent_process_storyline]`
`sourceParentProcessInfo.subsystem`	`principal.labels[source_parent_process_subsystem]` (deprecated)
`sourceParentProcessInfo.subsystem`	`additional.fields[source_parent_process_subsystem]`
	`principal.process.parent_process.product_specific_process_id`	If the `sourceParentProcessInfo.uniqueId` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceParentProcessInfo.uniqueId}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`sourceParentProcessInfo.user`	`principal.labels[source_parent_process_user]` (deprecated)
`sourceParentProcessInfo.user`	`additional.fields[source_parent_process_user]`
`sourceProcessInfo.commandline`	`principal.process.command_line`
`sourceProcessInfo.fileHashMd5`	`principal.process.file.md5`	If the `sourceProcessInfo.fileHashMd5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `sourceProcessInfo.fileHashMd5` log field is mapped to the `principal.process.file.md5` UDM field.
`sourceProcessInfo.fileHashSha1`	`principal.process.file.sha1`	If the `sourceProcessInfo.fileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `sourceProcessInfo.fileHashSha1` log field is mapped to the `principal.process.file.sha1` UDM field.
`sourceProcessInfo.fileHashSha256`	`principal.process.file.sha256`	If the `sourceProcessInfo.fileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `sourceProcessInfo.fileHashSha256` log field is mapped to the `principal.process.file.sha256` UDM field.
`sourceProcessInfo.filePath`	`principal.process.file.full_path`
`sourceProcessInfo.fileSignerIdentity`	`principal.process.file.signature_info.sigcheck.signers.name`
`sourceProcessInfo.integrityLevel`	`principal.labels[source_process_integrity_level]` (deprecated)
`sourceProcessInfo.integrityLevel`	`additional.fields[source_process_integrity_level]`
`sourceProcessInfo.name`	`principal.labels[source_process_name]` (deprecated)
`sourceProcessInfo.name`	`additional.fields[source_process_name]`
`sourceProcessInfo.pid`	`principal.process.pid`
`sourceProcessInfo.pidStarttime`	`principal.labels[source_process_pid_start_time]` (deprecated)
`sourceProcessInfo.pidStarttime`	`additional.fields[source_process_pid_start_time]`
`sourceProcessInfo.storyline`	`principal.labels[source_process_storyline]` (deprecated)
`sourceProcessInfo.storyline`	`additional.fields[source_process_storyline]`
`sourceProcessInfo.subsystem`	`principal.labels[source_process_subsystem]` (deprecated)
`sourceProcessInfo.subsystem`	`additional.fields[source_process_subsystem]`
	`principal.process.product_specific_process_id`	If the `sourceProcessInfo.uniqueId` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceProcessInfo.uniqueId}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`sourceProcessInfo.user`	`principal.user.user_display_name`
`threatInfo.initiatingUsername`	`principal.user.user_display_name`
`targetProcessInfo.tgtFileCreatedAt`	`target.process.file.first_seen_time`
`targetProcessInfo.tgtFileHashSha1`	`target.process.file.sha1`	If the `targetProcessInfo.tgtFileHashSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `targetProcessInfo.tgtFileHashSha1` log field is mapped to the `target.process.file.sha1` UDM field.
`targetProcessInfo.tgtFileHashSha256`	`target.process.file.sha256`	If the `targetProcessInfo.tgtFileHashSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `targetProcessInfo.tgtFileHashSha256` log field is mapped to the `target.process.file.sha256` UDM field.
`targetProcessInfo.tgtFileId`	`target.labels[target_file_id]` (deprecated)
`targetProcessInfo.tgtFileId`	`additional.fields[target_file_id]`
`targetProcessInfo.tgtFileIsSigned`	`target.process.file.signature_info.sigcheck.verification_message`
`targetProcessInfo.tgtFileModifiedAt`	`target.process.file.last_modification_time`
`targetProcessInfo.tgtFileOldPath`	`target.labels[target_file_old_path]` (deprecated)
`targetProcessInfo.tgtFileOldPath`	`additional.fields[target_file_old_path]`
`targetProcessInfo.tgtFilePath`	`target.process.file.full_path`
`targetProcessInfo.tgtProcCmdLine`	`target.process.command_line`
`targetProcessInfo.tgtProcImagePath`	`target.labels[target_process_image_path]` (deprecated)
`targetProcessInfo.tgtProcImagePath`	`additional.fields[target_process_image_path]`
`targetProcessInfo.tgtProcIntegrityLevel`	`target.labels[target_process_integrity_level]` (deprecated)
`targetProcessInfo.tgtProcIntegrityLevel`	`additional.fields[target_process_integrity_level]`
`targetProcessInfo.tgtProcName`	`target.labels[target_process_name]` (deprecated)
`targetProcessInfo.tgtProcName`	`additional.fields[target_process_name]`
`targetProcessInfo.tgtProcPid`	`target.process.pid`
`targetProcessInfo.tgtProcSignedStatus`	`target.labels[target_process_signed_status]` (deprecated)
`targetProcessInfo.tgtProcSignedStatus`	`additional.fields[target_process_signed_status]`
`targetProcessInfo.tgtProcStorylineId`	`target.labels[target_process_storyline_id]` (deprecated)
`targetProcessInfo.tgtProcStorylineId`	`additional.fields[target_process_storyline_id]`
	`target.process.product_specific_process_id`	If the `targetProcessInfo.tgtProcUid` log field value is not empty, then the `SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{targetProcessInfo.tgtProcUid}` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`targetProcessInfo.tgtProcessStartTime`	`target.labels[target_process_start_time]` (deprecated)
`targetProcessInfo.tgtProcessStartTime`	`additional.fields[target_process_start_time]`
`source_hostname`	`intermediary.hostname`
	`idm.is_alert`	The `idm.is_alert` UDM field is set to `TRUE`.
	`idm.is_significant`	The `idm.is_significant` UDM field is set to `TRUE`.
`agentDetectionInfo.accountId`	`metadata.product_deployment_id`
`agentDetectionInfo.accountName`	`principal.labels[agent_detection_info_account_name]` (deprecated)
`agentDetectionInfo.accountName`	`additional.fields[agent_detection_info_account_name]`
`agentDetectionInfo.agentDetectionState`	`principal.asset.attribute.labels[agent_detection_info_detection_state]`
`agentDetectionInfo.agentDomain`	`principal.administrative_domain`
`agentDetectionInfo.agentIpV4`	`principal.ip`
`agentDetectionInfo.agentIpV6`	`principal.ip`
`alertInfo.srcIp`	`principal.ip`
`alertInfo.srcMachineIp`	`principal.ip`
`agentDetectionInfo.agentIpV4`	`principal.asset.ip`
`agentDetectionInfo.agentIpV6`	`principal.asset.ip`
`alertInfo.srcIp`	`principal.asset.ip`
`alertInfo.srcMachineIp`	`principal.asset.ip`
`agentDetectionInfo.agentLastLoggedInUpn`	`principal.labels[agent_detection_info_last_logged_in_upn]` (deprecated)
`agentDetectionInfo.agentLastLoggedInUpn`	`additional.fields[agent_detection_info_last_logged_in_upn]`
`agentDetectionInfo.agentLastLoggedInUserMail`	`principal.user.email_addresses`
`agentDetectionInfo.agentLastLoggedInUserName`	`principal.user.attribute.labels[agent_last_loggedIn_user_name]`
`agentDetectionInfo.agentMitigationMode`	`principal.asset.attribute.labels[agent_detection_info_mitigation_mode]`
`agentDetectionInfo.agentRegisteredAt`	`principal.asset.first_discover_time`
`agentDetectionInfo.externalIp`	`principal.nat_ip`
`agentDetectionInfo.groupId`	`principal.group.attribute.labels[agent_detection_info_group_id]`
`agentRealtimeInfo.groupId`	`principal.group.attribute.labels[agent_realtime_info_group_id]`
`agentDetectionInfo.groupName`	`principal.group.group_display_name`	If the `agentDetectionInfo.groupName` log field value is not empty, then the `agentDetectionInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. If the `agentDetectionInfo.groupName` log field value is empty and the `agentRealtimeInfo.groupName` log field value is not empty, then the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. Else, the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.attribute.labels.agent_realtime_info_group_name` UDM field.
`agentRealtimeInfo.groupName`	`principal.group.group_display_name`	If the `agentDetectionInfo.groupName` log field value is not empty, then the `agentDetectionInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. If the `agentDetectionInfo.groupName` log field value is empty and the `agentRealtimeInfo.groupName` log field value is not empty, then the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.group_display_name` UDM field. Else, the `agentRealtimeInfo.groupName` log field is mapped to the `principal.group.attribute.labels.agent_realtime_info_group_name` UDM field.
`agentDetectionInfo.siteName`	`principal.labels[agent_detection_info_site_name]` (deprecated)
`agentDetectionInfo.siteName`	`additional.fields[agent_detection_info_site_name]`
`agentRealtimeInfo.siteName`	`principal.labels[agent_realtime_info_site_name]` (deprecated)
`agentRealtimeInfo.siteName`	`additional.fields[agent_realtime_info_site_name]`
`agentRealtimeInfo.accountId`	`principal.labels[agent_realtime_info_account_id]` (deprecated)
`agentRealtimeInfo.accountId`	`additional.fields[agent_realtime_info_account_id]`
`agentRealtimeInfo.accountName`	`principal.labels[agent_realtime_info_account_name]` (deprecated)
`agentRealtimeInfo.accountName`	`additional.fields[agent_realtime_info_account_name]`
`agentRealtimeInfo.activeThreats`	`security_result.detection_fields[agent_realtime_info_active_threats]`
`agentRealtimeInfo.agentDecommissionedAt`	`principal.asset.attribute.labels[agent_realtime_info_agent_decommissioned_at]`
`agentRealtimeInfo.agentDomain`	`principal.labels[agent_realtime_info_domain]` (deprecated)
`agentRealtimeInfo.agentDomain`	`additional.fields[agent_realtime_info_domain]`
`agentRealtimeInfo.agentId`	`principal.asset.attribute.labels[agent_realtime_info_agent_id]`
`agentRealtimeInfo.agentMitigationMode`	`principal.asset.attribute.labels[agent_realtime_info_mitigation_mode]`
`agentRealtimeInfo.agentNetworkStatus`	`principal.labels[agent_realtime_info_network_status]` (deprecated)
`agentRealtimeInfo.agentNetworkStatus`	`additional.fields[agent_realtime_info_network_status]`
`agentRealtimeInfo.agentOsType`	`principal.labels[agent_realtime_info_os_type]` (deprecated)
`agentRealtimeInfo.agentOsType`	`additional.fields[agent_realtime_info_os_type]`
`agentRealtimeInfo.networkInterfaces.id`	`principal.labels[network_interface_id]`
`agentRealtimeInfo.networkInterfaces.name`	`principal.labels[network_interface_name]`
`agentRealtimeInfo.networkInterfaces.physical`	`principal.labels[network_interface_physical]`
`agentRealtimeInfo.operationalState`	`principal.asset.attribute.labels[agent_realtime_info_operational_State]`
`agentRealtimeInfo.rebootRequired`	`principal.labels[agent_realtime_info_reboot_required]` (deprecated)
`agentRealtimeInfo.rebootRequired`	`additional.fields[agent_realtime_info_reboot_required]`
`agentRealtimeInfo.scanAbortedAt`	`security_result.detection_fields[agent_realtime_info_scan_aborted_at]`
`agentRealtimeInfo.scanFinishedAt`	`security_result.detection_fields[agent_realtime_info_scan_finished_at]`
`agentRealtimeInfo.scanStartedAt`	`security_result.detection_fields[agent_realtime_info_scan_started_at]`
`agentRealtimeInfo.scanStatus`	`security_result.detection_fields[agent_realtime_info_scan_status]`
`agentRealtimeInfo.siteId`	`principal.labels[agent_realtime_info_site_id]` (deprecated)
`agentRealtimeInfo.siteId`	`additional.fields[agent_realtime_info_site_id]`
`agentRealtimeInfo.storageName`	`principal.resource.name`
	`principal.resource.resource_type`	If the `agentRealtimeInfo.storageName` log field value is not empty, then the `principal.resource.resource_type` UDM field is set to `STORAGE_OBJECT`.
`agentRealtimeInfo.storageType`	`principal.resource.resource_subtype`
`agentRealtimeInfo.userActionsNeeded`	`security_result.detection_fields[agent_realtime_info_user_actions_needed]`	If the `agentRealtimeInfo.userActionsNeeded` log field value is not empty, then the `agentRealtimeInfo.userActionsNeeded` log field is mapped to the `security_result.detection_fields.agent_realtime_info_user_actions_needed` UDM field.
`containerInfo.isContainerQuarantine`	`target.resource.attribute.labels[container_is_container_quarantine]`
`indicators.category`	`security_result.category_details`
`indicators.categoryId`	`security_result.detection_fields[indicators_category_id]`
`indicators.description`	`security_result.description`
`indicators.ids`	`security_result.detection_fields[indicators_ids]`
	`security_result.attack_details.tactics.id`
`indicators.tactics.name`	`security_result.attack_details.tactics.name`	If the `indicators.tactics.name` log field value is not empty, then the `indicators.tactics.name` log field is mapped to the `security_result.attack_details.tactics.name` UDM field.
`indicators.tactics.source`	`security_result.detection_fields[indicators_tactics_source]`
`indicators.tactics.techniques.link`	`security_result.detection_fields[indicators_tactics_techniques_link]`
`indicators.tactics.techniques.name`	`security_result.attack_details.techniques.id`	If the `indicators.tactics.techniques.name` log field value is not empty, then the `indicators.tactics.techniques.name` log field is mapped to the `security_result.attack_details.techniques.id` UDM field.
	`security_result.attack_details.techniques.name`
	`security_result.attack_details.techniques.subtechnique_id`
	`security_result.attack_details.techniques.subtechnique_name`
`kubernetesInfo.isContainerQuarantine`	`target.resource_ancestors.attribute.labels[kubernetes_is_container_quarantine]`
`kubernetesInfo.nodeLabels`	`target.resource_ancestors.attribute.labels[kubernetes_node_labels]`
`mitigationStatus.action`	`security_result.detection_fields[mitigation_status_action]`
`mitigationStatus.actionsCounters.failed`	`security_result.detection_fields[mitigation_status_actions_counters_failed]`
`mitigationStatus.actionsCounters.notFound`	`security_result.detection_fields[mitigation_status_actions_counters_not_Found]`
`mitigationStatus.actionsCounters.pendingReboot`	`security_result.detection_fields[mitigation_status_actions_counters_pending_reboot]`
`mitigationStatus.actionsCounters.success`	`security_result.detection_fields[mitigation_status_actions_counters_success]`
`mitigationStatus.actionsCounters.total`	`security_result.detection_fields[mitigation_status_actions_counters_total]`
`mitigationStatus.agentSupportsReport`	`security_result.detection_fields[mitigation_status_agent_supports_report]`
`mitigationStatus.groupNotFound`	`security_result.detection_fields[mitigation_status_group_not_found]`
`mitigationStatus.lastUpdate`	`security_result.detection_fields[mitigation_status_last_update]`
`mitigationStatus.latestReport`	`security_result.detection_fields[mitigation_status_last_report]`
`mitigationStatus.mitigationEndedAt`	`security_result.detection_fields[mitigation_status_mitigation_ended_at]`
`mitigationStatus.mitigationStartedAt`	`security_result.detection_fields[mitigation_status_mitigation_started_at]`
`mitigationStatus.status`	`security_result.detection_fields[mitigation_status]`
`threatInfo.analystVerdict`	`security_result.detection_fields[analystVerdict]`
`threatInfo.analystVerdictDescription`	`security_result.detection_fields[analyst_verdict_description]`
`threatInfo.automaticallyResolved`	`security_result.detection_fields[automatically_resolved]`
`threatInfo.browserType`	`security_result.detection_fields[browser_type]`
`threatInfo.certificateId`	`security_result.detection_fields[certificate_id]`
`threatInfo.classification`	`security_result.category_details`
	`security_result.category`	If the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `Malware` `Ransomware` `Linux.Malware` `OSX.Malware` `Manual` Else, if the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `Trojan` `miner` `Virus` `Malicious PDF` `Worm` `Rootkit` `Infostealer` `Lateral Movement` `Generic.Heuristic` `Downloader` `Backdoor` `Hacktool` `Browser` `Dialer` `Installer` `Packed` `Network` `Spyware` `Interactive shell` `Remote shell` Else, if the `threatInfo.classification` log field value contain one of the following values, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. `Lateral Movement` `Remote shell` Else, if the `threatInfo.classification` log field value is equal to `Exploit`, then the `security_result.category` UDM field is set to `EXPLOIT`. Else, if the `threatInfo.classification` log field value is equal to `Application Control`, then the `security_result.category` UDM field is set to `UNKNOWN_CATEGORY`. If the `alertInfo.eventType` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `BEHAVIORALINDICATORS` `MALICIOUSFILE`
`threatInfo.classificationSource`	`security_result.detection_fields[classification_source]`
`threatInfo.cloudFilesHashVerdict`	`security_result.detection_fields[cloud_Files_hash_verdict]`
`threatInfo.collectionId`	`security_result.detection_fields[collection_id]`
`threatInfo.confidenceLevel`	`security_result.confidence_details`
	`security_result.confidence`	If the `threatInfo.confidenceLevel` log field value is equal to `malicious`, then the `security_result.confidence` UDM field is set to `HIGH_CONFIDENCE`. Else, if the `threatInfo.confidenceLevel` log field value is equal to `suspicious`, then the `security_result.confidence` UDM field is set to `MEDIUM_CONFIDENCE`.
`threatInfo.createdAt`	`metadata.collected_timestamp`
`threatInfo.detectionEngines`	`security_result.detection_fields[detection_engines]`	If the `threatInfo.detectionEngines` log field value is not empty, then the `threatInfo.detectionEngines` log field is mapped to the `security_result.detection_fields.detection_engines` UDM field.
`threatInfo.detectionEngines.key`	`security_result.detection_fields[detection_engines_key]`	If the `threatInfo.detectionEngines.key` log field value is not empty, then the `threatInfo.detectionEngines.key` log field is mapped to the `security_result.detection_fields.detection_engines_key` UDM field.
`threatInfo.detectionEngines.title`	`security_result.detection_fields[detection_engines_title]`	If the `threatInfo.detectionEngines.title` log field value is not empty, then the `threatInfo.detectionEngines.title` log field is mapped to the `security_result.detection_fields.detection_engines_title` UDM field.
`threatInfo.detectionType`	`security_result.detection_fields[detection_type]`
`threatInfo.engines`	`security_result.detection_fields[engines]`	If the `threatInfo.engines` log field value is not empty, then the `threatInfo.engines` log field is mapped to the `security_result.detection_fields.engines` UDM field.
`threatInfo.externalTicketExists`	`security_result.detection_fields[external_ticket_exists]`
`threatInfo.externalTicketExists.description`	`security_result.detection_fields[external_ticket_exists_description]`
`threatInfo.externalTicketExists.readOnly`	`security_result.detection_fields[external_ticket_exists_readOnly]`
`threatInfo.externalTicketId`	`security_result.detection_fields[external_ticket_id]`
`threatInfo.failedActions`	`security_result.detection_fields[failed_actions]`
`threatInfo.fileExtension`	`target.file.mime_type`
`threatInfo.fileExtensionType`	`security_result.detection_fields[file_extension_type]`
`threatInfo.filePath`	`target.file.full_path`
`threatInfo.filePath.description`	`security_result.detection_fields[file_path_description]`
`threatInfo.filePath.readOnly`	`security_result.detection_fields[file_path_readOnly]`
`threatInfo.fileSize`	`target.file.size`
`threatInfo.fileVerificationType`	`security_result.detection_fields[file_verification_type]`
`threatInfo.incidentStatus`	`security_result.detection_fields[incident_status]`
`threatInfo.incidentStatusDescription`	`security_result.detection_fields[incident_status_description]`
`threatInfo.incidentStatusDescription.description`	`security_result.detection_fields[incident_status_description]`
`threatInfo.incidentStatusDescription.readOnly`	`security_result.detection_fields[incident_status_description_readOnly]`
`threatInfo.initiatedBy`	`security_result.detection_fields[initiatedBy]`
`threatInfo.initiatedByDescription`	`security_result.detection_fields[initiatedBy_description]`
`threatInfo.initiatedByDescription.description`	`security_result.detection_fields[initiatedBy_description]`
`threatInfo.initiatedByDescription.readOnly`	`security_result.detection_fields[initiatedBy_description_readOnly]`
`threatInfo.initiatingUserId`	`principal.user.attribute.labels[initiating_user_id]`
`threatInfo.isFileless`	`security_result.detection_fields[is_fileless]`
`threatInfo.isFileless.description`	`security_result.detection_fields[is_fileless_description]`
`threatInfo.isFileless.readOnly`	`security_result.detection_fields[is_fileless_readOnly]`
`threatInfo.isValidCertificate`	`security_result.detection_fields[is_valid_certificate]`
`threatInfo.maliciousProcessArguments`	`security_result.detection_fields[malicious_process_arguments]`
`threatInfo.md5`	`target.file.md5`	If the `threatInfo.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `threatInfo.md5` log field is mapped to the `target.file.md5` UDM field.
`threatInfo.mitigatedPreemptively`	`security_result.detection_fields[mitigated_preemptively]`
`threatInfo.mitigationStatus`	`security_result.action_details`
	`security_result.threat_status`	If the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.threat_status` UDM field is set to `CLEARED`. `mitigated` `marked_as_benign` `blocked` `suspicious_resolved` Else, if the `threatInfo.mitigationStatus` log field value contain one of the following values, then the `security_result.threat_status` UDM field is set to `ACTIVE`. `active` `suspicious` `pending` `not_mitigated`
`threatInfo.mitigationStatusDescription`	`security_result.detection_fields[mitigation_status_description]`
`threatInfo.mitigationStatusDescription.description`	`security_result.detection_fields[mitigation_status_description]`
`threatInfo.mitigationStatusDescription.readOnly`	`security_result.detection_fields[mitigation_status_description_readOnly]`
`threatInfo.originatorProcess`	`principal.process.parent_process.file.names`
`threatInfo.pendingActions`	`security_result.detection_fields[pending_actions]`
`threatInfo.processUser`	`principal.user.userid`
`threatInfo.publisherName`	`security_result.threat_feed_name`
`threatInfo.reachedEventsLimit`	`security_result.detection_fields[reached_events_limit]`
`threatInfo.rebootRequired`	`security_result.detection_fields[reboot_required]`
`threatInfo.sha1`	`target.file.sha1`	If the `threatInfo.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$"`, then the `threatInfo.sha1` log field is mapped to the `target.file.sha1` UDM field.
`threatInfo.sha256`	`target.file.sha256`	If the `threatInfo.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$"`, then the `threatInfo.sha256` log field is mapped to the `target.file.sha256` UDM field.
`threatInfo.storyline`	`security_result.detection_fields[storyline]`
`threatInfo.threatId`	`security_result.threat_id`
`threatInfo.threatName`	`security_result.threat_name`
`threatInfo.threatName`	`target.file.names`
`threatInfo.updatedAt`	`security_result.detection_fields[updatedAt]`
`whiteningOptions`	`about.labels[whitening_options]`	If the `whiteningOptions` log field value is not empty, then the `whiteningOptions` log field is mapped to the `about.labels.whitening_options` UDM field.
`agentDetectionInfo.cloudProviders.AWS.awsRole`	`principal.resource.attribute.roles.name`
`agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups`	`principal.resource.attribute.labels[cloud_providers_AWS_security_groups]`	If the `agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_security_groups` UDM field.
`agentDetectionInfo.cloudProviders.AWS.awsSubnetIds`	`principal.resource.attribute.labels[cloud_providers_AWS_subnet_ids]`	If the `agentDetectionInfo.cloudProviders.AWS.awsSubnetIds` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.awsSubnetIds` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_subnet_ids` UDM field.
`agentDetectionInfo.cloudProviders.AWS.cloudAccount`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_account]`
`agentDetectionInfo.cloudProviders.AWS.cloudImage`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_image]`
`agentDetectionInfo.cloudProviders.AWS.cloudInstanceId`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_id]`
`agentDetectionInfo.cloudProviders.AWS.cloudInstanceSize`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_size]`
`agentDetectionInfo.cloudProviders.AWS.cloudLocation`	`principal.resource.attribute.cloud.availability_zone`
`agentDetectionInfo.cloudProviders.AWS.cloudNetwork`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_network]`
`agentDetectionInfo.cloudProviders.AWS.cloudTags`	`principal.resource.attribute.labels[cloud_providers_AWS_cloud_tags]`	If the `agentDetectionInfo.cloudProviders.AWS.cloudTags` log field value is not empty, then the `agentDetectionInfo.cloudProviders.AWS.cloudTags` log field is mapped to the `principal.resource.attribute.labels.cloud_providers_AWS_cloud_tags` UDM field.
`modular_input_consumption_time`	`about.labels[modular_input_consumption_time]` (deprecated)
`modular_input_consumption_time`	`additional.fields[modular_input_consumption_time]`
`timestamp`	`about.labels[timestamp]` (deprecated)
`timestamp`	`additional.fields[timestamp]`
`updatedAt`	`about.labels[updatedAt]` (deprecated)
`updatedAt`	`additional.fields[updatedAt]`

Langkah selanjutnya

Penyerapan data ke Google Security Operations