SentinelOne 알림 로그 수집
다음에서 지원:
Google SecOps
SIEM
이 문서에서는 Google Security Operations 피드를 설정하여 SentinelOne Alert 로그를 수집하는 방법과 로그 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.
자세한 내용은 Google Security Operations에 데이터 수집 개요를 참조하세요.
일반적인 배포는 SentinelOne Alert 및 Google SecOps에 로그를 전송하도록 구성된 Google SecOps 피드로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.
배포에는 다음 구성요소가 포함됩니다.
SentinelOne: 로그를 수집하는 제품입니다.
Google SecOps 피드: SentinelOne에서 로그를 가져오고 로그를 Google SecOps에 작성하는 Google SecOps 피드입니다.
Google SecOps: Google SecOps는 SentinelOne의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 SENTINELONE_ALERT 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
- GET Alerts 및 GET Threats API v2.1을 사용하고 있는지 확인합니다.
- SentinelOne 콘솔에 액세스할 수 있는지 확인합니다.
- SentinelOne 에이전트를 설치할 수 있는 관리자 권한이 있는지 확인합니다. 관리자 권한을 얻으려면 관리자에게 문의하세요.
SentinelOne 알림 로그를 로드하도록 Google SecOps에서 피드 구성
처리 피드를 설정하려면 다음 단계를 따르세요.
- Google SecOps 메뉴에서 설정을 선택한 후 피드를 클릭합니다.
- 새로 추가를 클릭합니다.
- 소스 유형으로 서드 파티 API를 선택하고 로그 유형으로 Sentinelone 알림을 선택합니다.
다음을 클릭하고 SentinelOne 인스턴스의 인증 HTTP 헤더, API 호스트 이름, 초기 시작 시간, 알림 API 구독 여부, 애셋 네임스페이스를 입력합니다.
인증 HTTP 헤더를 채우려면 API 토큰이 필요합니다. SentinelOne에서 생성하고 향후 피드 생성 시 재사용할 수 있습니다. API 토큰을 생성하려면 다음 단계를 따르세요.
- SentinelOne 관리 콘솔에서 설정으로 이동한 다음 사용자를 클릭합니다.
- API 토큰을 생성할 관리자 사용자를 클릭합니다.
- 작업 > API 토큰 작업 > API 토큰 생성을 클릭합니다.
- 인증 HTTP 헤더에서 생성된 API 토큰을
Authorization: ApiToken Token Value형식으로 입력합니다.
Is alert API subscribed 체크박스를 선택하여 SentinelOne 알림 이벤트를 수집합니다.
다음을 클릭한 후 제출을 클릭합니다.
지원되는 SentinelOne 알림 로그 형식
SentinelOne Alert 파서는 JSON 및 CSV 형식의 로그를 모두 지원합니다.
지원되는 SentinelOne Alert 로그 유형
SentinelOne Alert 파서는 알림 및 위협 로그 유형을 지원합니다.
필드 매핑 참조
이 섹션에서는 Google SecOps 파서가 SentinelOne 알림 필드를 Google SecOps 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
필드 매핑 참조: 이벤트 식별자에서 이벤트 유형으로
다음 표에는SENTINELONE_ALERT 로그 유형과 해당 UDM 이벤트 유형이 나와 있습니다.
| Event Identifier | Event Type | Security Category |
|---|---|---|
BEHAVIORALINDICATORS |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
DNS |
NETWORK_DNS |
|
DUPLICATEPROCESS |
PROCESS_UNCATEGORIZED |
|
FILECREATION |
FILE_CREATION |
|
FILEDELETION |
FILE_DELETION |
|
FILEMODIFICATION |
FILE_MODIFICATION |
|
FILERENAME |
FILE_MODIFICATION |
|
FILESCAN |
SCAN_FILE |
|
HTTP |
NETWORK_HTTP |
|
MALICIOUSFILE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
OPENPROCESS |
PROCESS_OPEN |
|
PROCESSCREATION |
PROCESS_LAUNCH |
|
REGKEYCREATE |
REGISTRY_CREATION |
|
REGKEYDELETE |
REGISTRY_DELETION |
|
REGVALUECREATE |
REGISTRY_CREATION |
|
REGVALUEDELETE |
REGISTRY_DELETION |
|
REGVALUEMODIFIED |
REGISTRY_MODIFICATION |
|
SCHEDTASKSTART |
SERVICE_START |
|
SCHEDTASKTRIGGER |
SERVICE_START |
|
SCHEDTASKUPDATE |
SERVICE_MODIFICATION |
|
SCRIPTS |
FILE_UNCATEGORIZED |
|
TCPV4 |
NETWORK_UNCATEGORIZED |
|
TCPV4LISTEN |
NETWORK_UNCATEGORIZED |
|
WINLOGONATTEMPT |
USER_LOGIN |
|
If the threatInfo.filePath log field is not empty or the threatInfo.fileSize log field value is not empty, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
FILE_UNCATEGORIZED |
|
필드 매핑 참조: SENTINELONE_ALERT
다음 표에는 SENTINELONE_ALERT 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
|
|
metadata.product_name |
|
|
metadata.url_back_to_product |
If the threatInfo.threatId log field value is not empty and the source_hostname log field value is not empty, then the https://source_hostname/incidents/threats/threatInfo.threatId/overview log field is mapped to the metadata.url_back_to_product UDM field.Else, if the source_hostname log field value is not empty, then the https://source_hostname log field is mapped to the metadata.url_back_to_product UDM field. |
agentDetectionInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value matches the regular expression pattern laptop, then the principal.asset.type UDM field is set to LAPTOP.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern desktop, then the principal.asset.type UDM field is set to WORKSTATION.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern server, then the principal.asset.type UDM field is set to SERVER.Else, the agentDetectionInfo.machineType log field is mapped to the principal.asset.attribute.labels.agent_detection_info_machine_type UDM field. |
agentRealtimeInfo.agentMachineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is not empty , then:
|
agentRealtimeInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is empty and the agentRealtimeInfo.machineType log field value is not empty , then:
|
agentDetectionInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentDetectionInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentDetectionInfo.osFamily |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX.Else, the agentDetectionInfo.osFamily log field is mapped to the principal.asset.attribute.labels.agent_detection_info_os_family UDM field. |
agentRealtimeInfo.os |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osFamily |
principal.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX |
agentRealtimeInfo.os |
principal.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentRealtimeInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.osRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentRealtimeInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.siteId |
principal.labels[agent_detection_info_siteId] (deprecated) |
|
agentDetectionInfo.siteId |
additional.fields[agent_detection_info_siteId] |
|
agentDetectionInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.version |
principal.asset.attribute.labels[agent_version] |
|
agentDetectionInfo.agentVersion |
principal.asset.attribute.labels[agent_detection_info_agent_version] |
|
agentRealtimeInfo.agentVersion |
principal.asset.attribute.labels[agent_realtime_info_agent_version] |
|
agentRealtimeInfo.id |
principal.asset.attribute.labels[agent_realtime_info_id] |
|
agentRealtimeInfo.infected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.agentInfected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.isActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.agentIsActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.isDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
agentRealtimeInfo.agentIsDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
alertInfo.alertId |
metadata.product_log_id |
|
id |
metadata.product_log_id |
|
metadata.product_event_type |
If the log matches the regular expression pattern alertInfo, then the metadata.product_event_type UDM field is set to Alerts.Else, if the log matches the regular expression pattern threatInfo, then the metadata.product_event_type UDM field is set to Threats. |
|
alertInfo.analystVerdict |
security_result.detection_fields[alert_info_analyst_verdict] |
|
alertInfo.createdAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
threatInfo.identifiedAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
|
network.application_protocol |
If the alertInfo.dnsRequest log field value is not empty, then the network.application_protocol UDM field is set to DNS. |
alertInfo.dnsRequest |
network.dns.questions.name |
|
alertInfo.dnsResponse |
network.dns.answers.name |
|
alertInfo.dstIp |
target.ip |
|
alertInfo.dstPort |
target.port |
|
alertInfo.dvEventId |
security_result.detection_fields[alert_info_dv_event_id] |
|
alertInfo.eventType |
security_result.detection_fields[alert_info_event_type] |
|
alertInfo.hitType |
security_result.detection_fields[alert_info_hit_type] |
|
alertInfo.incidentStatus |
security_result.detection_fields[alert_info_incident_status] |
|
alertInfo.indicatorCategory |
security_result.detection_fields[alert_info_indicator_category] |
|
alertInfo.indicatorDescription |
security_result.detection_fields[alert_info_indicator_description] |
|
alertInfo.indicatorName |
security_result.detection_fields[alert_info_indicator_name] |
|
alertInfo.isEdr |
security_result.detection_fields[alert_info_is_edr] |
|
alertInfo.loginAccountDomain |
security_result.detection_fields[alert_info_login_account_domain] |
|
alertInfo.loginAccountSid |
security_result.detection_fields[alert_info_login_account_sid] |
|
alertInfo.loginIsAdministratorEquivalent |
security_result.detection_fields[alert_info_login_is_administrator_equivalent] |
|
|
security_result.action |
If the alertInfo.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW. else the alertInfo.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to BLOCK.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to ALLOW.
|
|
extensions.auth.mechanism |
If the alertInfo.loginType log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.Else, if the alertInfo.loginType log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.Else, if the alertInfo.loginType log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.Else, if the alertInfo.loginType log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.Else, if the alertInfo.loginType log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.Else, if the alertInfo.loginType log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.Else, if the alertInfo.loginType log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.Else, if the alertInfo.loginType log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK. |
alertInfo.loginsUserName |
target.user.user_display_name |
|
alertInfo.modulePath |
security_result.detection_fields[alert_info_module_path] |
|
alertInfo.moduleSha1 |
security_result.detection_fields[alert_info_module_sha1] |
|
alertInfo.netEventDirection |
network.direction |
If the alertInfo.netEventDirection log field value matches the regular expression pattern OUTGOING, then the network.direction UDM field is set to OUTBOUND.Else, if the alertInfo.netEventDirection log field value matches the regular expression pattern INCOMING, then the network.direction UDM field is set to INBOUND. |
alertInfo.registryKeyPath |
target.registry.registry_key |
|
alertInfo.registryOldValue |
src.registry.registry_value_data |
|
alertInfo.registryOldValueType |
src.registry.registry_value_name |
|
alertInfo.registryPath |
src.registry.registry_key |
|
alertInfo.registryValue |
target.registry.registry_value_data |
|
alertInfo.reportedAt |
security_result.first_discovered_time |
|
alertInfo.source |
security_result.category_details |
|
alertInfo.srcPort |
principal.port |
|
alertInfo.tiIndicatorComparisonMethod |
security_result.detection_fields[alert_info_tiIndicator_comparison_method] |
|
alertInfo.tiIndicatorSource |
security_result.detection_fields[alert_info_tiIndicator_source] |
|
alertInfo.tiIndicatorType |
security_result.detection_fields[alert_info_tiIndicator_type] |
|
alertInfo.tiIndicatorValue |
security_result.detection_fields[alert_info_tiIndicator_value] |
|
alertInfo.updatedAt |
security_result.detection_fields[alert_info_updated_at] |
|
containerInfo.id |
target.resource.product_object_id |
|
containerInfo.image |
target.resource.attribute.labels[container_image] |
|
containerInfo.labels |
target.resource.attribute.labels[container_labels] |
If the containerInfo.labels log field value is not empty, then the containerInfo.labels log field is mapped to the target.resource.attribute.labels.container_labels UDM field. |
containerInfo.name |
target.resource.name |
|
|
target.resource.resource_type |
If the containerInfo.name log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER. |
kubernetesInfo.cluster |
target.resource_ancestors.name |
|
kubernetesInfo.controllerName |
target.resource_ancestors.name |
|
kubernetesInfo.node |
target.resource_ancestors.name |
|
kubernetesInfo.pod |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
If the kubernetesInfo.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.If the kubernetesInfo.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.isContainerQuarantine log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.node log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. |
kubernetesInfo.controllerKind |
target.resource_ancestors.attribute.labels[kubernetes_controller_kind] |
|
kubernetesInfo.controllerLabels |
target.resource_ancestors.attribute.labels[kubernetes_controller_labels] |
If the kubernetesInfo.controllerLabels log field value is not empty, then the kubernetesInfo.controllerLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_controller_labels UDM field. |
kubernetesInfo.namespace |
target.resource_ancestors.attribute.labels[kubernetes_namespace] |
|
kubernetesInfo.namespaceLabels |
target.resource_ancestors.attribute.labels[kubernetes_namespace_labels] |
|
kubernetesInfo.podLabels |
target.resource_ancestors.attribute.labels[kubernetes_pod_labels] |
If the kubernetesInfo.podLabels log field value is not empty, then the kubernetesInfo.podLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_pod_labels UDM field. |
ruleInfo.description |
security_result.rule_set_display_name |
|
ruleInfo.id |
security_result.rule_id |
|
ruleInfo.name |
security_result.rule_name |
|
ruleInfo.queryLang |
security_result.rule_labels[query_lang] |
|
ruleInfo.queryType |
security_result.rule_labels[query_type] |
|
ruleInfo.s1ql |
security_result.rule_labels[s1ql] |
|
ruleInfo.scopeLevel |
security_result.rule_labels[scope_level] |
|
|
security_result.severity |
If the ruleInfo.severity log field value matches the regular expression pattern (?i)low, then the security_result.severity UDM field is set to LOW.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)critical, then the security_result.severity UDM field is set to CRITICAL.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)high, then the security_result.severity UDM field is set to HIGH. |
ruleInfo.severity |
security_result.severity_details |
|
ruleInfo.treatAsThreat |
security_result.rule_type |
|
sourceParentProcessInfo.commandline |
principal.process.parent_process.command_line |
|
sourceParentProcessInfo.fileHashMd5 |
principal.process.parent_process.file.md5 |
If the sourceParentProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceParentProcessInfo.fileHashMd5 log field is mapped to the principal.process.parent_process.file.md5 UDM field. |
sourceParentProcessInfo.fileHashSha1 |
principal.process.parent_process.file.sha1 |
If the sourceParentProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceParentProcessInfo.fileHashSha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field. |
sourceParentProcessInfo.fileHashSha256 |
principal.process.parent_process.file.sha256 |
If the sourceParentProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceParentProcessInfo.fileHashSha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field. |
sourceParentProcessInfo.filePath |
principal.process.parent_process.file.full_path |
|
sourceParentProcessInfo.fileSignerIdentity |
principal.process.parent_process.file.signature_info.sigcheck.signers.name |
|
sourceParentProcessInfo.integrityLevel |
principal.labels[source_parent_process_integrity_level] (deprecated) |
|
sourceParentProcessInfo.integrityLevel |
additional.fields[source_parent_process_integrity_level] |
|
sourceParentProcessInfo.name |
principal.labels[source_parent_process_name] (deprecated) |
|
sourceParentProcessInfo.name |
additional.fields[source_parent_process_name] |
|
sourceParentProcessInfo.pid |
principal.process.parent_process.pid |
|
sourceParentProcessInfo.pidStarttime |
principal.labels[source_parent_process_pid_start_time] (deprecated) |
|
sourceParentProcessInfo.pidStarttime |
additional.fields[source_parent_process_pid_start_time] |
|
sourceParentProcessInfo.storyline |
principal.labels[source_parent_process_storyline] (deprecated) |
|
sourceParentProcessInfo.storyline |
additional.fields[source_parent_process_storyline] |
|
sourceParentProcessInfo.subsystem |
principal.labels[source_parent_process_subsystem] (deprecated) |
|
sourceParentProcessInfo.subsystem |
additional.fields[source_parent_process_subsystem] |
|
|
principal.process.parent_process.product_specific_process_id |
If the sourceParentProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceParentProcessInfo.uniqueId} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
sourceParentProcessInfo.user |
principal.labels[source_parent_process_user] (deprecated) |
|
sourceParentProcessInfo.user |
additional.fields[source_parent_process_user] |
|
sourceProcessInfo.commandline |
principal.process.command_line |
|
sourceProcessInfo.fileHashMd5 |
principal.process.file.md5 |
If the sourceProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceProcessInfo.fileHashMd5 log field is mapped to the principal.process.file.md5 UDM field. |
sourceProcessInfo.fileHashSha1 |
principal.process.file.sha1 |
If the sourceProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceProcessInfo.fileHashSha1 log field is mapped to the principal.process.file.sha1 UDM field. |
sourceProcessInfo.fileHashSha256 |
principal.process.file.sha256 |
If the sourceProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceProcessInfo.fileHashSha256 log field is mapped to the principal.process.file.sha256 UDM field. |
sourceProcessInfo.filePath |
principal.process.file.full_path |
|
sourceProcessInfo.fileSignerIdentity |
principal.process.file.signature_info.sigcheck.signers.name |
|
sourceProcessInfo.integrityLevel |
principal.labels[source_process_integrity_level] (deprecated) |
|
sourceProcessInfo.integrityLevel |
additional.fields[source_process_integrity_level] |
|
sourceProcessInfo.name |
principal.labels[source_process_name] (deprecated) |
|
sourceProcessInfo.name |
additional.fields[source_process_name] |
|
sourceProcessInfo.pid |
principal.process.pid |
|
sourceProcessInfo.pidStarttime |
principal.labels[source_process_pid_start_time] (deprecated) |
|
sourceProcessInfo.pidStarttime |
additional.fields[source_process_pid_start_time] |
|
sourceProcessInfo.storyline |
principal.labels[source_process_storyline] (deprecated) |
|
sourceProcessInfo.storyline |
additional.fields[source_process_storyline] |
|
sourceProcessInfo.subsystem |
principal.labels[source_process_subsystem] (deprecated) |
|
sourceProcessInfo.subsystem |
additional.fields[source_process_subsystem] |
|
|
principal.process.product_specific_process_id |
If the sourceProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceProcessInfo.uniqueId} log field is mapped to the principal.process.product_specific_process_id UDM field. |
sourceProcessInfo.user |
principal.user.user_display_name |
|
threatInfo.initiatingUsername |
principal.user.user_display_name |
|
targetProcessInfo.tgtFileCreatedAt |
target.process.file.first_seen_time |
|
targetProcessInfo.tgtFileHashSha1 |
target.process.file.sha1 |
If the targetProcessInfo.tgtFileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the targetProcessInfo.tgtFileHashSha1 log field is mapped to the target.process.file.sha1 UDM field. |
targetProcessInfo.tgtFileHashSha256 |
target.process.file.sha256 |
If the targetProcessInfo.tgtFileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the targetProcessInfo.tgtFileHashSha256 log field is mapped to the target.process.file.sha256 UDM field. |
targetProcessInfo.tgtFileId |
target.labels[target_file_id] (deprecated) |
|
targetProcessInfo.tgtFileId |
additional.fields[target_file_id] |
|
targetProcessInfo.tgtFileIsSigned |
target.process.file.signature_info.sigcheck.verification_message |
|
targetProcessInfo.tgtFileModifiedAt |
target.process.file.last_modification_time |
|
targetProcessInfo.tgtFileOldPath |
target.labels[target_file_old_path] (deprecated) |
|
targetProcessInfo.tgtFileOldPath |
additional.fields[target_file_old_path] |
|
targetProcessInfo.tgtFilePath |
target.process.file.full_path |
|
targetProcessInfo.tgtProcCmdLine |
target.process.command_line |
|
targetProcessInfo.tgtProcImagePath |
target.labels[target_process_image_path] (deprecated) |
|
targetProcessInfo.tgtProcImagePath |
additional.fields[target_process_image_path] |
|
targetProcessInfo.tgtProcIntegrityLevel |
target.labels[target_process_integrity_level] (deprecated) |
|
targetProcessInfo.tgtProcIntegrityLevel |
additional.fields[target_process_integrity_level] |
|
targetProcessInfo.tgtProcName |
target.labels[target_process_name] (deprecated) |
|
targetProcessInfo.tgtProcName |
additional.fields[target_process_name] |
|
targetProcessInfo.tgtProcPid |
target.process.pid |
|
targetProcessInfo.tgtProcSignedStatus |
target.labels[target_process_signed_status] (deprecated) |
|
targetProcessInfo.tgtProcSignedStatus |
additional.fields[target_process_signed_status] |
|
targetProcessInfo.tgtProcStorylineId |
target.labels[target_process_storyline_id] (deprecated) |
|
targetProcessInfo.tgtProcStorylineId |
additional.fields[target_process_storyline_id] |
|
|
target.process.product_specific_process_id |
If the targetProcessInfo.tgtProcUid log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{targetProcessInfo.tgtProcUid} log field is mapped to the target.process.product_specific_process_id UDM field. |
targetProcessInfo.tgtProcessStartTime |
target.labels[target_process_start_time] (deprecated) |
|
targetProcessInfo.tgtProcessStartTime |
additional.fields[target_process_start_time] |
|
source_hostname |
intermediary.hostname |
|
|
idm.is_alert |
The idm.is_alert UDM field is set to TRUE. |
|
idm.is_significant |
The idm.is_significant UDM field is set to TRUE. |
agentDetectionInfo.accountId |
metadata.product_deployment_id |
|
agentDetectionInfo.accountName |
principal.labels[agent_detection_info_account_name] (deprecated) |
|
agentDetectionInfo.accountName |
additional.fields[agent_detection_info_account_name] |
|
agentDetectionInfo.agentDetectionState |
principal.asset.attribute.labels[agent_detection_info_detection_state] |
|
agentDetectionInfo.agentDomain |
principal.administrative_domain |
|
agentDetectionInfo.agentIpV4 |
principal.ip |
|
agentDetectionInfo.agentIpV6 |
principal.ip |
|
alertInfo.srcIp |
principal.ip |
|
alertInfo.srcMachineIp |
principal.ip |
|
agentDetectionInfo.agentIpV4 |
principal.asset.ip |
|
agentDetectionInfo.agentIpV6 |
principal.asset.ip |
|
alertInfo.srcIp |
principal.asset.ip |
|
alertInfo.srcMachineIp |
principal.asset.ip |
|
agentDetectionInfo.agentLastLoggedInUpn |
principal.labels[agent_detection_info_last_logged_in_upn] (deprecated) |
|
agentDetectionInfo.agentLastLoggedInUpn |
additional.fields[agent_detection_info_last_logged_in_upn] |
|
agentDetectionInfo.agentLastLoggedInUserMail |
principal.user.email_addresses |
|
agentDetectionInfo.agentLastLoggedInUserName |
principal.user.attribute.labels[agent_last_loggedIn_user_name] |
|
agentDetectionInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_detection_info_mitigation_mode] |
|
agentDetectionInfo.agentRegisteredAt |
principal.asset.first_discover_time |
|
agentDetectionInfo.externalIp |
principal.nat_ip |
|
agentDetectionInfo.groupId |
principal.group.attribute.labels[agent_detection_info_group_id] |
|
agentRealtimeInfo.groupId |
principal.group.attribute.labels[agent_realtime_info_group_id] |
|
agentDetectionInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentRealtimeInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentDetectionInfo.siteName |
principal.labels[agent_detection_info_site_name] (deprecated) |
|
agentDetectionInfo.siteName |
additional.fields[agent_detection_info_site_name] |
|
agentRealtimeInfo.siteName |
principal.labels[agent_realtime_info_site_name] (deprecated) |
|
agentRealtimeInfo.siteName |
additional.fields[agent_realtime_info_site_name] |
|
agentRealtimeInfo.accountId |
principal.labels[agent_realtime_info_account_id] (deprecated) |
|
agentRealtimeInfo.accountId |
additional.fields[agent_realtime_info_account_id] |
|
agentRealtimeInfo.accountName |
principal.labels[agent_realtime_info_account_name] (deprecated) |
|
agentRealtimeInfo.accountName |
additional.fields[agent_realtime_info_account_name] |
|
agentRealtimeInfo.activeThreats |
security_result.detection_fields[agent_realtime_info_active_threats] |
|
agentRealtimeInfo.agentDecommissionedAt |
principal.asset.attribute.labels[agent_realtime_info_agent_decommissioned_at] |
|
agentRealtimeInfo.agentDomain |
principal.labels[agent_realtime_info_domain] (deprecated) |
|
agentRealtimeInfo.agentDomain |
additional.fields[agent_realtime_info_domain] |
|
agentRealtimeInfo.agentId |
principal.asset.attribute.labels[agent_realtime_info_agent_id] |
|
agentRealtimeInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_realtime_info_mitigation_mode] |
|
agentRealtimeInfo.agentNetworkStatus |
principal.labels[agent_realtime_info_network_status] (deprecated) |
|
agentRealtimeInfo.agentNetworkStatus |
additional.fields[agent_realtime_info_network_status] |
|
agentRealtimeInfo.agentOsType |
principal.labels[agent_realtime_info_os_type] (deprecated) |
|
agentRealtimeInfo.agentOsType |
additional.fields[agent_realtime_info_os_type] |
|
agentRealtimeInfo.networkInterfaces.id |
principal.labels[network_interface_id] |
|
agentRealtimeInfo.networkInterfaces.name |
principal.labels[network_interface_name] |
|
agentRealtimeInfo.networkInterfaces.physical |
principal.labels[network_interface_physical] |
|
agentRealtimeInfo.operationalState |
principal.asset.attribute.labels[agent_realtime_info_operational_State] |
|
agentRealtimeInfo.rebootRequired |
principal.labels[agent_realtime_info_reboot_required] (deprecated) |
|
agentRealtimeInfo.rebootRequired |
additional.fields[agent_realtime_info_reboot_required] |
|
agentRealtimeInfo.scanAbortedAt |
security_result.detection_fields[agent_realtime_info_scan_aborted_at] |
|
agentRealtimeInfo.scanFinishedAt |
security_result.detection_fields[agent_realtime_info_scan_finished_at] |
|
agentRealtimeInfo.scanStartedAt |
security_result.detection_fields[agent_realtime_info_scan_started_at] |
|
agentRealtimeInfo.scanStatus |
security_result.detection_fields[agent_realtime_info_scan_status] |
|
agentRealtimeInfo.siteId |
principal.labels[agent_realtime_info_site_id] (deprecated) |
|
agentRealtimeInfo.siteId |
additional.fields[agent_realtime_info_site_id] |
|
agentRealtimeInfo.storageName |
principal.resource.name |
|
|
principal.resource.resource_type |
If the agentRealtimeInfo.storageName log field value is not empty, then the principal.resource.resource_type UDM field is set to STORAGE_OBJECT. |
agentRealtimeInfo.storageType |
principal.resource.resource_subtype |
|
agentRealtimeInfo.userActionsNeeded |
security_result.detection_fields[agent_realtime_info_user_actions_needed] |
If the agentRealtimeInfo.userActionsNeeded log field value is not empty, then the agentRealtimeInfo.userActionsNeeded log field is mapped to the security_result.detection_fields.agent_realtime_info_user_actions_needed UDM field. |
containerInfo.isContainerQuarantine |
target.resource.attribute.labels[container_is_container_quarantine] |
|
indicators.category |
security_result.category_details |
|
indicators.categoryId |
security_result.detection_fields[indicators_category_id] |
|
indicators.description |
security_result.description |
|
indicators.ids |
security_result.detection_fields[indicators_ids] |
|
|
security_result.attack_details.tactics.id |
|
indicators.tactics.name |
security_result.attack_details.tactics.name |
If the indicators.tactics.name log field value is not empty, then the indicators.tactics.name log field is mapped to the security_result.attack_details.tactics.name UDM field. |
indicators.tactics.source |
security_result.detection_fields[indicators_tactics_source] |
|
indicators.tactics.techniques.link |
security_result.detection_fields[indicators_tactics_techniques_link] |
|
indicators.tactics.techniques.name |
security_result.attack_details.techniques.id |
If the indicators.tactics.techniques.name log field value is not empty, then the indicators.tactics.techniques.name log field is mapped to the security_result.attack_details.techniques.id UDM field. |
|
security_result.attack_details.techniques.name |
|
|
security_result.attack_details.techniques.subtechnique_id |
|
|
security_result.attack_details.techniques.subtechnique_name |
|
kubernetesInfo.isContainerQuarantine |
target.resource_ancestors.attribute.labels[kubernetes_is_container_quarantine] |
|
kubernetesInfo.nodeLabels |
target.resource_ancestors.attribute.labels[kubernetes_node_labels] |
|
mitigationStatus.action |
security_result.detection_fields[mitigation_status_action] |
|
mitigationStatus.actionsCounters.failed |
security_result.detection_fields[mitigation_status_actions_counters_failed] |
|
mitigationStatus.actionsCounters.notFound |
security_result.detection_fields[mitigation_status_actions_counters_not_Found] |
|
mitigationStatus.actionsCounters.pendingReboot |
security_result.detection_fields[mitigation_status_actions_counters_pending_reboot] |
|
mitigationStatus.actionsCounters.success |
security_result.detection_fields[mitigation_status_actions_counters_success] |
|
mitigationStatus.actionsCounters.total |
security_result.detection_fields[mitigation_status_actions_counters_total] |
|
mitigationStatus.agentSupportsReport |
security_result.detection_fields[mitigation_status_agent_supports_report] |
|
mitigationStatus.groupNotFound |
security_result.detection_fields[mitigation_status_group_not_found] |
|
mitigationStatus.lastUpdate |
security_result.detection_fields[mitigation_status_last_update] |
|
mitigationStatus.latestReport |
security_result.detection_fields[mitigation_status_last_report] |
|
mitigationStatus.mitigationEndedAt |
security_result.detection_fields[mitigation_status_mitigation_ended_at] |
|
mitigationStatus.mitigationStartedAt |
security_result.detection_fields[mitigation_status_mitigation_started_at] |
|
mitigationStatus.status |
security_result.detection_fields[mitigation_status] |
|
threatInfo.analystVerdict |
security_result.detection_fields[analystVerdict] |
|
threatInfo.analystVerdictDescription |
security_result.detection_fields[analyst_verdict_description] |
|
threatInfo.automaticallyResolved |
security_result.detection_fields[automatically_resolved] |
|
threatInfo.browserType |
security_result.detection_fields[browser_type] |
|
threatInfo.certificateId |
security_result.detection_fields[certificate_id] |
|
threatInfo.classification |
security_result.category_details |
|
|
security_result.category |
If the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
Else, if the threatInfo.classification log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
Else, if the threatInfo.classification log field value is equal to Application Control, then the security_result.category UDM field is set to UNKNOWN_CATEGORY.
If the alertInfo.eventType log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
threatInfo.classificationSource |
security_result.detection_fields[classification_source] |
|
threatInfo.cloudFilesHashVerdict |
security_result.detection_fields[cloud_Files_hash_verdict] |
|
threatInfo.collectionId |
security_result.detection_fields[collection_id] |
|
threatInfo.confidenceLevel |
security_result.confidence_details |
|
|
security_result.confidence |
If the threatInfo.confidenceLevel log field value is equal to malicious, then the security_result.confidence UDM field is set to HIGH_CONFIDENCE.Else, if the threatInfo.confidenceLevel log field value is equal to suspicious, then the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. |
threatInfo.createdAt |
metadata.collected_timestamp |
|
threatInfo.detectionEngines |
security_result.detection_fields[detection_engines] |
If the threatInfo.detectionEngines log field value is not empty, then the threatInfo.detectionEngines log field is mapped to the security_result.detection_fields.detection_engines UDM field. |
threatInfo.detectionEngines.key |
security_result.detection_fields[detection_engines_key] |
If the threatInfo.detectionEngines.key log field value is not empty, then the threatInfo.detectionEngines.key log field is mapped to the security_result.detection_fields.detection_engines_key UDM field. |
threatInfo.detectionEngines.title |
security_result.detection_fields[detection_engines_title] |
If the threatInfo.detectionEngines.title log field value is not empty, then the threatInfo.detectionEngines.title log field is mapped to the security_result.detection_fields.detection_engines_title UDM field. |
threatInfo.detectionType |
security_result.detection_fields[detection_type] |
|
threatInfo.engines |
security_result.detection_fields[engines] |
If the threatInfo.engines log field value is not empty, then the threatInfo.engines log field is mapped to the security_result.detection_fields.engines UDM field. |
threatInfo.externalTicketExists |
security_result.detection_fields[external_ticket_exists] |
|
threatInfo.externalTicketExists.description |
security_result.detection_fields[external_ticket_exists_description] |
|
threatInfo.externalTicketExists.readOnly |
security_result.detection_fields[external_ticket_exists_readOnly] |
|
threatInfo.externalTicketId |
security_result.detection_fields[external_ticket_id] |
|
threatInfo.failedActions |
security_result.detection_fields[failed_actions] |
|
threatInfo.fileExtension |
target.file.mime_type |
|
threatInfo.fileExtensionType |
security_result.detection_fields[file_extension_type] |
|
threatInfo.filePath |
target.file.full_path |
|
threatInfo.filePath.description |
security_result.detection_fields[file_path_description] |
|
threatInfo.filePath.readOnly |
security_result.detection_fields[file_path_readOnly] |
|
threatInfo.fileSize |
target.file.size |
|
threatInfo.fileVerificationType |
security_result.detection_fields[file_verification_type] |
|
threatInfo.incidentStatus |
security_result.detection_fields[incident_status] |
|
threatInfo.incidentStatusDescription |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.description |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.readOnly |
security_result.detection_fields[incident_status_description_readOnly] |
|
threatInfo.initiatedBy |
security_result.detection_fields[initiatedBy] |
|
threatInfo.initiatedByDescription |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.description |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.readOnly |
security_result.detection_fields[initiatedBy_description_readOnly] |
|
threatInfo.initiatingUserId |
principal.user.attribute.labels[initiating_user_id] |
|
threatInfo.isFileless |
security_result.detection_fields[is_fileless] |
|
threatInfo.isFileless.description |
security_result.detection_fields[is_fileless_description] |
|
threatInfo.isFileless.readOnly |
security_result.detection_fields[is_fileless_readOnly] |
|
threatInfo.isValidCertificate |
security_result.detection_fields[is_valid_certificate] |
|
threatInfo.maliciousProcessArguments |
security_result.detection_fields[malicious_process_arguments] |
|
threatInfo.md5 |
target.file.md5 |
If the threatInfo.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the threatInfo.md5 log field is mapped to the target.file.md5 UDM field. |
threatInfo.mitigatedPreemptively |
security_result.detection_fields[mitigated_preemptively] |
|
threatInfo.mitigationStatus |
security_result.action_details |
|
|
security_result.threat_status |
If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to CLEARED.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to ACTIVE.
|
threatInfo.mitigationStatusDescription |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.description |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.readOnly |
security_result.detection_fields[mitigation_status_description_readOnly] |
|
threatInfo.originatorProcess |
principal.process.parent_process.file.names |
|
threatInfo.pendingActions |
security_result.detection_fields[pending_actions] |
|
threatInfo.processUser |
principal.user.userid |
|
threatInfo.publisherName |
security_result.threat_feed_name |
|
threatInfo.reachedEventsLimit |
security_result.detection_fields[reached_events_limit] |
|
threatInfo.rebootRequired |
security_result.detection_fields[reboot_required] |
|
threatInfo.sha1 |
target.file.sha1 |
If the threatInfo.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$", then the threatInfo.sha1 log field is mapped to the target.file.sha1 UDM field. |
threatInfo.sha256 |
target.file.sha256 |
If the threatInfo.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$", then the threatInfo.sha256 log field is mapped to the target.file.sha256 UDM field. |
threatInfo.storyline |
security_result.detection_fields[storyline] |
|
threatInfo.threatId |
security_result.threat_id |
|
threatInfo.threatName |
security_result.threat_name |
|
threatInfo.threatName |
target.file.names |
|
threatInfo.updatedAt |
security_result.detection_fields[updatedAt] |
|
whiteningOptions |
about.labels[whitening_options] |
If the whiteningOptions log field value is not empty, then the whiteningOptions log field is mapped to the about.labels.whitening_options UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsRole |
principal.resource.attribute.roles.name |
|
agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups |
principal.resource.attribute.labels[cloud_providers_AWS_security_groups] |
If the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_security_groups UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsSubnetIds |
principal.resource.attribute.labels[cloud_providers_AWS_subnet_ids] |
If the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_subnet_ids UDM field. |
agentDetectionInfo.cloudProviders.AWS.cloudAccount |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_account] |
|
agentDetectionInfo.cloudProviders.AWS.cloudImage |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_image] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceId |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_id] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceSize |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_size] |
|
agentDetectionInfo.cloudProviders.AWS.cloudLocation |
principal.resource.attribute.cloud.availability_zone |
|
agentDetectionInfo.cloudProviders.AWS.cloudNetwork |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_network] |
|
agentDetectionInfo.cloudProviders.AWS.cloudTags |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_tags] |
If the agentDetectionInfo.cloudProviders.AWS.cloudTags log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.cloudTags log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_cloud_tags UDM field. |
modular_input_consumption_time |
about.labels[modular_input_consumption_time] (deprecated) |
|
modular_input_consumption_time |
additional.fields[modular_input_consumption_time] |
|
timestamp |
about.labels[timestamp] (deprecated) |
|
timestamp |
additional.fields[timestamp] |
|
updatedAt |
about.labels[updatedAt] (deprecated) |
|
updatedAt |
additional.fields[updatedAt] |