Collect SentinelOne Cloud Funnel logs

Supported in:

This document describes how you can export SentinelOne Cloud Funnel logs by setting up a Google Security Operations feed and how log fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of SentinelOne Cloud Funnel and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • SentinelOne: The platform from which you collect logs.

  • Google Security Operations feed: The Google Security Operations feed that fetches logs from SentinelOne and writes logs to Google Security Operations.

  • Google Security Operations: Retains and analyzes the logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SENTINELONE_CF ingestion label.

Before you begin

  • Ensure that you have an active Singularity Complete subscription for SentinelOne. Refer to Platform Packages for additional details.
  • Ensure that you have an active license for the Cloud Funnel Data Lake Streaming Module.
  • Ensure that you are using SentinelOne Cloud Funnel v2.0.
  • Ensure that you have an Admin role for the Global or Account level. To get Admin role, contact your administrator user.
  • Ensure that you have administrator rights to install the SentinelOne agent. To get administrator rights, contact your administrator user.
  • Ensure that you have a configured Google Cloud Storage Bucket. For more information, see Configure Your Google Cloud Storage Bucket.
    • Replace YOUR_CONSOLE_DOMAIN in the URL with your specific console domain.

Set up SentinelOne Cloud Funnel

  1. Sign in to the SentinelOne management console.
  2. In the Settings toolbar, click Integrations > Cloud Funnel.
  3. In the Cloud Provider list, select Google Cloud.
  4. In the GCS Storage Name field, enter the name of the Cloud Storage bucket.
  5. Click Validate to validate whether the bucket exists, and that SentinelOne has read and write access to the bucket.
  6. Select Enable Telemetry Streaming to stream your XDR data to your bucket.

Set up a Google Security Operations ingestion feed

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, SentinelOne Cloud Funnel Logs).
  4. Select Google Cloud Storage as the Source type.
  5. Select SentinelOne Singularity Cloud Funnel as the Log type.
  6. Click Get a service account. Copy the Service Account. You'll need it to add permissions in the bucket for this Service Account to let Google Security Operations read or delete data in the bucket.
  7. Click Next.
  8. Configure the following input parameters:

    • Storage bucket URI: the Google Cloud Storage bucket source URI.
    • URI is a: the type of object URI points to.
    • Source deletion option: whether to delete files or directories after transferring.
    • Select the Never delete files option in Source deletion option.

    On the Google Cloud Storage Bucket, to add Storage Object Viewer permissions to this Service Account, follow these steps:

    1. In your Google Cloud console, go to Buckets and select the bucket name.

    2. In Bucket Details, go to Permissions > Grant Access.

    3. In New Principles, paste Service Account that you copied.

    4. In Select a role, select Cloud Storage, then select Storage Object Viewer role.

  9. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Supported SentinelOne Cloud Funnel log types

The SentinelOne Cloud Funnel parser supports the following log types:

Event Type

  • Process Exit
  • Process Modification
  • Process Creation
  • Duplicate Process Handle
  • Duplicate Thread Handle
  • Open Remote Process Handle
  • Remote Thread Creation
  • Remote Process Termination
  • Command Script
  • IP Connect
  • IP Listen
  • File Modification
  • File Creation
  • File Scan
  • File Deletion
  • File Rename
  • Pre Execution Detection
  • Login
  • Logout
  • GET
  • OPTIONS
  • POST
  • PUT
  • DELETE
  • CONNECT
  • HEAD
  • DNS Resolved
  • DNS Unresolved
  • Task Register
  • Task Update
  • Task Start
  • Task Trigger
  • Task Delete
  • Registry Key Create
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Key Import
  • Registry Value Modified
  • Registry Value Create
  • Registry Value Delete
  • Behavioral Indicators
  • Module Load
  • Driver Load
  • Not Reported
  • Group Creation
  • Firmware Test
  • Threat Intelligence Indicators
  • Named Pipe Creation
  • Named Pipe Connection
  • Windows Event Log Creation

Field mapping reference

This section explains how the Google Security Operations parser maps SentinelOne fields to Google Security Operations Unified Data Model (UDM) fields.

Field mapping reference: Event Identifier to Event Type

The following table lists the SENTINELONE_CF log types and their corresponding UDM event types.
Event Identifier Event Type
Behavioral Indicators STATUS_UPDATE
Command Script PROCESS_UNCATEGORIZED
CONNECT NETWORK_HTTP
DELETE NETWORK_HTTP
DNS Resolved NETWORK_DNS
DNS Unresolved NETWORK_DNS
Driver Load PROCESS_MODULE_LOAD
Duplicate Process Handle PROCESS_UNCATEGORIZED
Duplicate Thread Handle PROCESS_UNCATEGORIZED
File Creation FILE_CREATION
File Deletion FILE_DELETION
File Modification FILE_MODIFICATION
File Rename FILE_MOVE
File Scan SCAN_FILE
Firmware Test STATUS_UPDATE
GET NETWORK_HTTP
Group Creation GROUP_CREATION
HEAD NETWORK_HTTP
IP Connect NETWORK_CONNECTION
IP Listen STATUS_UPDATE
Login USER_LOGIN
Logout USER_LOGOUT
Module Load PROCESS_MODULE_LOAD
Named Pipe Connection STATUS_UPDATE
Named Pipe Creation RESOURCE_CREATION
Not Reported NETWORK_HTTP
Open Remote Process Handle PROCESS_UNCATEGORIZED
OPTIONS NETWORK_HTTP
POST NETWORK_HTTP
Pre Execution Detection STATUS_UPDATE
Process Creation PROCESS_LAUNCH
Process Exit PROCESS_TERMINATION
Process Modification PROCESS_UNCATEGORIZED
PUT NETWORK_HTTP
Registry Key Create REGISTRY_CREATION
Registry Key Delete REGISTRY_DELETION
Registry Key Export REGISTRY_UNCATEGORIZED
Registry Key Import REGISTRY_UNCATEGORIZED
Registry Key Rename REGISTRY_UNCATEGORIZED
Registry Key Security Changed REGISTRY_MODIFICATION
Registry Value Create REGISTRY_CREATION
Registry Value Delete REGISTRY_DELETION
Registry Value Modified REGISTRY_MODIFICATION
Remote Process Termination PROCESS_TERMINATION
Remote Thread Creation PROCESS_UNCATEGORIZED
Task Delete SCHEDULED_TASK_DELETION
Task Register SCHEDULED_TASK_CREATION
Task Start SCHEDULED_TASK_UNCATEGORIZED
Task Trigger SCHEDULED_TASK_UNCATEGORIZED
Task Update SCHEDULED_TASK_MODIFICATION
Threat Intelligence Indicators STATUS_UPDATE

Field mapping reference: SENTINELONE_CF

The following table lists the log fields of the SENTINELONE_CF log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to SentinelOne.
extensions.auth.auth_details If the event.type log field value contain one of the following values, then the event.type log field is mapped to the extensions.auth.auth_details UDM field.
  • Login
  • Logout
extensions.auth.mechanism If the event.login.type log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the event.login.type log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.

Else, if the event.login.type log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the event.login.type log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the event.login.type log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the event.login.type log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the event.login.type log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.

Else, if the event.login.type log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the event.login.type log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK.
network.application_protocol If the event.type log field value contain one of the following values, then the network.application_protocol UDM field is set to DNS.
  • DNS Resolved
  • DNS Unresolved
network.direction If the event.network.direction log field value is equal to OUTGOING, then the network.direction UDM field is set to OUTBOUND.

Else, if the event.network.direction log field value is equal to INCOMING, then the network.direction UDM field is set to INBOUND.
principal.asset.platform_software.platform If the endpoint.os log field value is equal to windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the endpoint.os log field value is equal to linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
principal.asset.type If the endpoint.type log field value is equal to laptop, then the principal.asset.type UDM field is set to LAPTOP.

Else, if the endpoint.type log field value contain one of the following values, then the principal.asset.type UDM field is set to SERVER.
  • server
  • Kubernetes Node
Else, if the endpoint.type log field value is equal to desktop, then the principal.asset.type UDM field is set to WORKSTATION.
principal.process.product_specific_process_id If the src.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.uid} log field is mapped to the principal.process.product_specific_process_id UDM field.
principal.platform If the os.name log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.

Else, if the os.name log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX.
principal.process_ancestors.product_specific_process_id If the osSrc.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.uid} log field is mapped to the principal.process_ancestors.product_specific_process_id UDM field.
principal.process_ancestors.parent_process.product_specific_process_id If the osSrc.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.parent.uid} log field is mapped to the principal.process_ancestors.parent_process.product_specific_process_id UDM field.
principal.process.parent_process.product_specific_process_id If the src.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.parent.uid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
security_result.action If the event.login.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, if the event.login.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.

If the event.network.connectionStatus log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW.

Else, if the event.network.connectionStatus log field value is equal to FAILURE, then the security_result.action UDM field is set to FAIL.

Else, if the event.network.connectionStatus log field value is equal to BLOCKED, then the security_result.action UDM field is set to BLOCK.
security_result.category If the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
  • malicious
  • Ransomware
  • OSX.Malware
  • Linux.Malware
  • Malware
  • Manual
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
  • Lateral Movement
  • Remote shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
  • miner
  • Trojan
  • Virus
  • Malicious Office Document
  • Malicious PDF
  • Worm
  • Rootkit
  • Infostealer
  • Generic.Heuristic
  • Downloader
  • Backdoor
  • Hacktool
  • Browser
  • Dialer
  • Installer
  • Packed
  • Network
  • Spyware
  • Interactive shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_PUA.
  • Adware
  • PUA
Else, if the indicator.category log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
security_result.category If the tiIndicator.categories log field value matches the regular expression pattern malware, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
security_result.severity If the winEventLog.level log field value matches the regular expression pattern ^(INFO|Informational|Information|Normal|NOTICE)$, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the winEventLog.level log field value contain one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL.
  • Warning
  • DEBUG
Else, if the winEventLog.level log field value matches the regular expression pattern Error, then the security_result.severity UDM field is set to ERROR.

Else, if the winEventLog.level log field value matches the regular expression pattern Critical, then the security_result.severity UDM field is set to CRITICAL.
target.file.file_type If the tgt.file.type log field value is equal to PE, then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.

Else, if the tgt.file.type log field value is equal to ELF, then the target.file.file_type UDM field is set to FILE_TYPE_ELF.

Else, if the tgt.file.type log field value is equal to MACH, then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.

Else, if the tgt.file.type log field value is equal to PDF, then the target.file.file_type UDM field is set to FILE_TYPE_PDF.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to OPENXML, then the target.file.file_type UDM field is set to FILE_TYPE_XML.

Else, if the tgt.file.type log field value is equal to PKZIP, then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.

Else, if the tgt.file.type log field value is equal to RAR, then the target.file.file_type UDM field is set to FILE_TYPE_RAR.

Else, if the tgt.file.type log field value is equal to BZIP2, then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.

Else, if the tgt.file.type log field value is equal to TAR, then the target.file.file_type UDM field is set to FILE_TYPE_TAR.

Else, if the tgt.file.type log field value is equal to LNK, then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
target.process.product_specific_process_id If the tgt.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{tgt.process.uid} log field is mapped to the target.process.product_specific_process_id UDM field.
target.resource_ancestors.resource_type If the k8sCluster.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_type If the k8sCluster.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_type If the k8sCluster.podName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.
target.resource_ancestors.resource_type If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_subtype If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to NODE.
target.resource.resource_type If the k8sCluster.containerName log field value is not empty or the k8sCluster.containerId log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER.
target.resource.resource_type If the event.category log field value is equal to scheduled_task, then the target.resource.resource_type UDM field is set to TASK.

If the event.type log field value contain one of the following values, then the target.resource.resource_type UDM field is set to PIPE.
  • Named Pipe Creation
  • Named Pipe Connection
target.user.user_role If the event.login.isAdministratorEquivalent log field value is equal to true, then the target.user.user_role UDM field is set to ADMINISTRATOR.
account.id metadata.product_deployment_id
agent.uuid principal.asset.asset_id
agent.uuid principal.asset_id
agent.version principal.asset.attribute.labels[agent_version]
cmdScript.applicationName target.application
cmdScript.content target.process.command_line
cmdScript.isComplete target.labels[cmd_script_is_complete] (deprecated)
cmdScript.isComplete additional.fields[cmd_script_is_complete]
cmdScript.originalSize target.process.file.size
cmdScript.sha256 target.process.file.sha256 If the cmdScript.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the cmdScript.sha256 log field is mapped to the target.process.file.sha256 UDM field.
dataSource.category about.labels[data_source_category] (deprecated)
dataSource.category additional.fields[data_source_category]
dataSource.name about.labels[data_source_name] (deprecated)
dataSource.name additional.fields[data_source_name]
dataSource.vendor about.labels[data_source_vendor] (deprecated)
dataSource.vendor additional.fields[data_source_vendor]
driver.certificate.thumbprint target.labels[driver_certificate_thumbprint] (deprecated)
driver.certificate.thumbprint additional.fields[driver_certificate_thumbprint]
driver.certificate.thumbprintAlgorithm target.labels[driver_certificate_thumbprint_algorithm] (deprecated)
driver.certificate.thumbprintAlgorithm additional.fields[driver_certificate_thumbprint_algorithm]
driver.isLoadedBeforeMonitor target.labels[driver_is_loaded_before_monitor] (deprecated)
driver.isLoadedBeforeMonitor additional.fields[driver_is_loaded_before_monitor]
driver.loadVerdict target.labels[driver_load_verdict] (deprecated)
driver.loadVerdict additional.fields[driver_load_verdict]
driver.peSha1 target.process.file.sha1 If the driver.peSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the driver.peSha1 log field is mapped to the target.process.file.sha1 UDM field.
driver.peSha256 target.process.file.sha256 If the driver.peSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the driver.peSha256 log field is mapped to the target.process.file.sha256 UDM field.
driver.startType target.labels[driver_start_type] (deprecated)
driver.startType additional.fields[driver_start_type]
dst.ip.address target.ip
dst.port.number target.port
endpoint.name principal.hostname
endpoint.name principal.asset.hostname
event.category about.labels[event_category] (deprecated)
event.category additional.fields[event_category]
event.dns.request network.dns.questions.name
event.dns.response network.dns.answers.name
event.dns.response network.dns.answers.type
event.id metadata.product_log_id
event.login.accountDomain target.domain.name
event.login.accountName target.user.user_display_name
event.login.accountSid target.user.windows_sid
event.login.baseType about.labels[event_login_base_type] (deprecated)
event.login.baseType additional.fields[event_login_base_type]
event.login.failureReason security_result.description
event.login.isAdministratorEquivalent about.labels[event_login_is_administrator_equivalent] (deprecated)
event.login.isAdministratorEquivalent additional.fields[event_login_is_administrator_equivalent]
event.login.sessionId network.session_id
event.login.userName target.user.userid
event.network.connectionStatus security_result.action_details
event.network.protocolName about.labels[event_network_protocol_name] (deprecated)
event.network.protocolName additional.fields[event_network_protocol_name]
event.repetitionCount about.labels[event_repetition_count] (deprecated)
event.repetitionCount additional.fields[event_repetition_count]
event.time metadata.event_timestamp
event.type metadata.product_event_type
event.url.action network.http.method
group.id about.labels[group_id] (deprecated) If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the about.labels UDM field.
group.id additional.fields[group_id] If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the additional.fields UDM field.
i.scheme about.labels[i_scheme] (deprecated)
i.scheme additional.fields[i_scheme]
i.version about.labels[i_version] (deprecated)
i.version additional.fields[i_version]
indicator.category security_result.category_details
indicator.description security_result.description
indicator.metadata security_result.detection_fields [indicator_metadata]
indicator.name security_result.detection_fields [indicator_name]
k8sCluster.containerId target.resource.product_object_id
k8sCluster.containerImage target.resource.attribute.labels[k8s_cluster_container_image]
k8sCluster.containerImage.sha256 target.resource.attribute.labels[k8s_cluster_container_image_sha256]
k8sCluster.containerLabels target.resource.attribute.labels[k8s_cluster_container_labels]
k8sCluster.containerName target.resource.name
k8sCluster.controllerLabels target.resource_ancestors.attribute.labels[k8s_cluster_controller_labels]
k8sCluster.controllerName target.resource_ancestors.name
k8sCluster.controllerType target.resource_ancestors.resource_subtype
k8sCluster.name target.resource_ancestors.name
k8sCluster.namespace target.resource_ancestors.attribute.labels[k8s_cluster_namespace]
k8sCluster.namespaceLabels target.resource_ancestors.attribute.labels[k8s_cluster_namespace_labels]
k8sCluster.nodeName target.resource_ancestors.name
k8sCluster.podLabels target.resource_ancestors.attribute.labels[k8s_cluster_pod_labels]
k8sCluster.podName target.resource_ancestors.name
meta.event.name about.labels[meta_event_name] (deprecated)
meta.event.name additional.fields[meta_event_name]
mgmt.id about.labels[mgmt_id] (deprecated)
mgmt.id additional.fields[mgmt_id]
mgmt.osRevision about.labels[mgmt_os_revision] (deprecated)
mgmt.osRevision additional.fields[mgmt_os_revision]
mgmt.url about.url
module.md5 target.process.file.md5 If the module.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the module.md5 log field is mapped to the target.process.file.md5 UDM field.
module.path target.process.file.full_path
module.sha1 target.process.file.sha1 If the module.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the module.sha1 log field is mapped to the target.process.file.sha1 UDM field.
namedPipe.accessMode target.resource.attribute.permission.name
namedPipe.connectionType target.resource.attribute.labels[named_pipe_connection_type]
namedPipe.isFirstInstance target.resource.attribute.labels[named_pipe_is_first_instance]
namedPipe.isOverlapped target.resource.attribute.labels[named_pipe_is_overlapped]
namedPipe.isWriteThrough target.resource.attribute.labels[named_pipe_is_write_through]
namedPipe.maxInstances target.resource.attribute.labels[named_pipe_max_instances]
namedPipe.name target.resource.name
namedPipe.readMode target.resource.attribute.labels[named_pipe_read_mode]
namedPipe.remoteClients target.resource.attribute.labels[named_pipe_remote_clients]
namedPipe.securityGroups target.resource.attribute.labels[named_pipe_security_groups]
namedPipe.securityOwner target.resource.attribute.labels[named_pipe_security_owner]
namedPipe.typeMode target.resource.attribute.labels[named_pipe_type_mode]
namedPipe.waitMode target.resource.attribute.labels[named_pipe_wait_mode]
osSrc.process.activeContent.hash principal.labels[os_src_process_active_content_hash] (deprecated)
osSrc.process.activeContent.hash additional.fields[os_src_process_active_content_hash]
osSrc.process.activeContent.id principal.labels[os_src_process_active_content_id] (deprecated)
osSrc.process.activeContent.id additional.fields[os_src_process_active_content_id]
osSrc.process.activeContent.path principal.labels[os_src_process_active_content_path] (deprecated)
osSrc.process.activeContent.path additional.fields[os_src_process_active_content_path]
osSrc.process.activeContent.signedStatus principal.labels[os_src_process_active_content_signed_status] (deprecated)
osSrc.process.activeContent.signedStatus additional.fields[os_src_process_active_content_signed_status]
osSrc.process.activeContentType principal.labels[os_src_process_active_content_type] (deprecated)
osSrc.process.activeContentType additional.fields[os_src_process_active_content_type]
osSrc.process.childProcCount principal.labels[os_src_process_child_proc_count] (deprecated)
osSrc.process.childProcCount additional.fields[os_src_process_child_proc_count]
osSrc.process.cmdline principal.process_ancestors.command_line
osSrc.process.crossProcessCount principal.labels[os_src_process_cross_process_count] (deprecated)
osSrc.process.crossProcessCount additional.fields[os_src_process_cross_process_count]
osSrc.process.crossProcessDupRemoteProcessHandleCount principal.labels[os_src_process_cross_process_dup_rmote_process_handle_count] (deprecated)
osSrc.process.crossProcessDupRemoteProcessHandleCount additional.fields[os_src_process_cross_process_dup_rmote_process_handle_count]
osSrc.process.crossProcessDupThreadHandleCount principal.labels[os_src_process_cross_process_dup_thread_handle_count] (deprecated)
osSrc.process.crossProcessDupThreadHandleCount additional.fields[os_src_process_cross_process_dup_thread_handle_count]
osSrc.process.crossProcessOpenProcessCount principal.labels[os_src_process_cross_process_open_process_count] (deprecated)
osSrc.process.crossProcessOpenProcessCount additional.fields[os_src_process_cross_process_open_process_count]
osSrc.process.crossProcessOutOfStorylineCount principal.labels[os_src_process_cross_process_out_of_storyline_count] (deprecated)
osSrc.process.crossProcessOutOfStorylineCount additional.fields[os_src_process_cross_process_out_of_storyline_count]
osSrc.process.crossProcessThreadCreateCount principal.labels[os_src_process_cross_process_thread_create_count] (deprecated)
osSrc.process.crossProcessThreadCreateCount additional.fields[os_src_process_cross_process_thread_create_count]
osSrc.process.displayName principal.labels[os_src_process_display_name] (deprecated)
osSrc.process.displayName additional.fields[os_src_process_display_name]
osSrc.process.dnsCount principal.labels[os_src_process_dns_count] (deprecated)
osSrc.process.dnsCount additional.fields[os_src_process_dns_count]
osSrc.process.image.binaryIsExecutable principal.labels[os_src_process_image_binary_is_executable] (deprecated)
osSrc.process.image.binaryIsExecutable additional.fields[os_src_process_image_binary_is_executable]
osSrc.process.image.md5 principal.process_ancestors.file.md5 If the osSrc.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.image.md5 log field is mapped to the principal.process_ancestors.file.md5 UDM field.
osSrc.process.image.path principal.process_ancestors.file.full_path
osSrc.process.image.sha1 principal.process_ancestors.file.sha1 If the osSrc.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.image.sha1 log field is mapped to the principal.process_ancestors.file.sha1 UDM field.
osSrc.process.image.sha256 principal.process_ancestors.file.sha256 If the osSrc.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.image.sha256 log field is mapped to the principal.process_ancestors.file.sha256 UDM field.
osSrc.process.indicatorBootConfigurationUpdateCount principal.labels[os_src_process_indicator_boot_configuration_update_count] (deprecated)
osSrc.process.indicatorBootConfigurationUpdateCount additional.fields[os_src_process_indicator_boot_configuration_update_count]
osSrc.process.indicatorEvasionCount principal.labels[os_src_process_indicator_evasion_count] (deprecated)
osSrc.process.indicatorEvasionCount additional.fields[os_src_process_indicator_evasion_count]
osSrc.process.indicatorExploitationCount principal.labels[os_src_process_indicator_exploitation_count] (deprecated)
osSrc.process.indicatorExploitationCount additional.fields[os_src_process_indicator_exploitation_count]
osSrc.process.indicatorGeneral.count principal.labels[os_src_process_indicator_general_count] (deprecated)
osSrc.process.indicatorGeneral.count additional.fields[os_src_process_indicator_general_count]
osSrc.process.indicatorInfostealerCount principal.labels[os_src_process_indicator_infostealer_count] (deprecated)
osSrc.process.indicatorInfostealerCount additional.fields[os_src_process_indicator_infostealer_count]
osSrc.process.indicatorInjectionCount principal.labels[os_src_process_indicator_injection_count] (deprecated)
osSrc.process.indicatorInjectionCount additional.fields[os_src_process_indicator_injection_count]
osSrc.process.indicatorPersistenceCount principal.labels[os_src_process_indicator_persistence_count] (deprecated)
osSrc.process.indicatorPersistenceCount additional.fields[os_src_process_indicator_persistence_count]
osSrc.process.indicatorPostExploitationCount principal.labels[os_src_process_indicator_post_exploitation_count] (deprecated)
osSrc.process.indicatorPostExploitationCount additional.fields[os_src_process_indicator_post_exploitation_count]
osSrc.process.indicatorRansomwareCount principal.labels[os_src_process_indicator_ransomware_count] (deprecated)
osSrc.process.indicatorRansomwareCount additional.fields[os_src_process_indicator_ransomware_count]
osSrc.process.indicatorReconnaissanceCount principal.labels[os_src_process_indicator_reconnaissance_count] (deprecated)
osSrc.process.indicatorReconnaissanceCount additional.fields[os_src_process_indicator_reconnaissance_count]
osSrc.process.integrityLevel principal.labels[os_src_process_integrity_level] (deprecated)
osSrc.process.integrityLevel additional.fields[os_src_process_integrity_level]
osSrc.process.isNative64Bit principal.labels[os_src_process_is_native_64_bit] (deprecated)
osSrc.process.isNative64Bit additional.fields[os_src_process_is_native_64_bit]
osSrc.process.isRedirectCmdProcessor principal.labels[os_src_process_is_redirect_cmd_processor] (deprecated)
osSrc.process.isRedirectCmdProcessor additional.fields[os_src_process_is_redirect_cmd_processor]
osSrc.process.isStorylineRoot principal.labels[os_src_process_is_storyline_root] (deprecated)
osSrc.process.isStorylineRoot additional.fields[os_src_process_is_storyline_root]
osSrc.process.moduleCount principal.labels[os_src_process_module_count] (deprecated)
osSrc.process.moduleCount additional.fields[os_src_process_module_count]
osSrc.process.name principal.process_ancestors.file.names
osSrc.process.netConnCount principal.labels[os_src_process_net_conn_count] (deprecated)
osSrc.process.netConnCount additional.fields[os_src_process_net_conn_count]
osSrc.process.netConnInCount principal.labels[os_src_process_net_conn_in_count] (deprecated)
osSrc.process.netConnInCount additional.fields[os_src_process_net_conn_in_count]
osSrc.process.netConnOutCount principal.labels[os_src_process_net_conn_out_count] (deprecated)
osSrc.process.netConnOutCount additional.fields[os_src_process_net_conn_out_count]
osSrc.process.parent.activeContent.hash principal.labels[os_src_process_parent_active_content_hash] (deprecated)
osSrc.process.parent.activeContent.hash additional.fields[os_src_process_parent_active_content_hash]
osSrc.process.parent.activeContent.id principal.labels[os_src_process_parent_active_content_id] (deprecated)
osSrc.process.parent.activeContent.id additional.fields[os_src_process_parent_active_content_id]
osSrc.process.parent.activeContent.path principal.labels[os_src_process_parent_active_content_path] (deprecated)
osSrc.process.parent.activeContent.path additional.fields[os_src_process_parent_active_content_path]
osSrc.process.parent.activeContent.signedStatus principal.labels[os_src_process_parent_active_content_signed_status] (deprecated)
osSrc.process.parent.activeContent.signedStatus additional.fields[os_src_process_parent_active_content_signed_status]
osSrc.process.parent.activeContentType principal.labels[os_src_process_parent_active_content_type] (deprecated)
osSrc.process.parent.activeContentType additional.fields[os_src_process_parent_active_content_type]
osSrc.process.parent.cmdline principal.process_ancestors.parent_process.command_line
osSrc.process.parent.displayName principal.labels[os_src_process_parent_display_name] (deprecated)
osSrc.process.parent.displayName additional.fields[os_src_process_parent_display_name]
osSrc.process.parent.image.md5 principal.process_ancestors.parent_process.file.md5 If the osSrc.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.parent.image.md5 log field is mapped to the principal.process_ancestors.parent_process.file.md5 UDM field.
osSrc.process.parent.image.path principal.process_ancestors.parent_process.file.full_path
osSrc.process.parent.image.sha1 principal.process_ancestors.parent_process.file.sha1 If the osSrc.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.parent.image.sha1 log field is mapped to the principal.process_ancestors.parent_process.file.sha1 UDM field.
osSrc.process.parent.image.sha256 principal.process_ancestors.parent_process.file.sha256 If the osSrc.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.parent.image.sha256 log field is mapped to the principal.process_ancestors.parent_process.file.sha256 UDM field.
osSrc.process.parent.integrityLevel principal.labels[os_src_process_parent_integrity_level] (deprecated)
osSrc.process.parent.integrityLevel additional.fields[os_src_process_parent_integrity_level]
osSrc.process.parent.isNative64Bit principal.labels[os_src_process_parent_is_native_64_bit] (deprecated)
osSrc.process.parent.isNative64Bit additional.fields[os_src_process_parent_is_native_64_bit]
osSrc.process.parent.isRedirectCmdProcessor principal.labels[os_src_process_parent_is_redirect_cmd_processor] (deprecated)
osSrc.process.parent.isRedirectCmdProcessor additional.fields[os_src_process_parent_is_redirect_cmd_processor]
osSrc.process.parent.isStorylineRoot principal.labels[os_src_process_parent_is_storyline_root] (deprecated)
osSrc.process.parent.isStorylineRoot additional.fields[os_src_process_parent_is_storyline_root]
osSrc.process.parent.name principal.process_ancestors.parent_process.file.names
osSrc.process.parent.pid principal.process_ancestors.parent_process.pid
osSrc.process.parent.publisher principal.labels[os_src_process_parent_publisher] (deprecated)
osSrc.process.parent.publisher additional.fields[os_src_process_parent_publisher]
osSrc.process.parent.reasonSignatureInvalid security_result.detection_fields[os_src_process_parent_reason_signature_invalid]
osSrc.process.parent.sessionId principal.labels[os_src_process_parent_session_id] (deprecated)
osSrc.process.parent.sessionId additional.fields[os_src_process_parent_session_id]
osSrc.process.parent.signedStatus principal.process_ancestors.parent_process.file.signature_info.sigcheck.verification_message
osSrc.process.parent.startTime principal.labels[os_src_process_parent_start_time] (deprecated)
osSrc.process.parent.startTime additional.fields[os_src_process_parent_start_time]
osSrc.process.parent.storyline.id principal.labels[os_src_process_parent_storyline_id] (deprecated)
osSrc.process.parent.storyline.id additional.fields[os_src_process_parent_storyline_id]
osSrc.process.parent.user principal.user.attribute.labels[os_src_process_parent_user]
osSrc.process.pid principal.process_ancestors.pid
osSrc.process.publisher principal.labels[os_src_process_publisher] (deprecated)
osSrc.process.publisher additional.fields[os_src_process_publisher]
osSrc.process.reasonSignatureInvalid security_result.detection_fields[os_src_process_reason_signature_invalid]
osSrc.process.registryChangeCount principal.labels[os_src_process_registry_change_count] (deprecated)
osSrc.process.registryChangeCount additional.fields[os_src_process_registry_change_count]
osSrc.process.sessionId principal.labels[os_src_process_session_id] (deprecated)
osSrc.process.sessionId additional.fields[os_src_process_session_id]
osSrc.process.signedStatus principal.process_ancestors.file.signature_info.sigcheck.verification_message
osSrc.process.startTime principal.labels[os_src_process_start_time] (deprecated)
osSrc.process.startTime additional.fields[os_src_process_start_time]
osSrc.process.storyline.id principal.labels[os_src_process_storyline_id] (deprecated)
osSrc.process.storyline.id additional.fields[os_src_process_storyline_id]
osSrc.process.subsystem principal.labels[os_src_process_subsystem] (deprecated)
osSrc.process.subsystem additional.fields[os_src_process_subsystem]
osSrc.process.tgtFileCreationCount principal.labels[os_src_process_tgt_file_creation_count] (deprecated)
osSrc.process.tgtFileCreationCount additional.fields[os_src_process_tgt_file_creation_count]
osSrc.process.tgtFileDeletionCount principal.labels[os_src_process_tgt_file_deletion_count] (deprecated)
osSrc.process.tgtFileDeletionCount additional.fields[os_src_process_tgt_file_deletion_count]
osSrc.process.tgtFileModificationCount principal.labels[os_src_process_tgt_file_modification_count] (deprecated)
osSrc.process.tgtFileModificationCount additional.fields[os_src_process_tgt_file_modification_count]
osSrc.process.user principal.user.attribute.labels[os_src_process_user]
osSrc.process.verifiedStatus principal.labels[os_src_process_verified_status] (deprecated)
osSrc.process.verifiedStatus additional.fields[os_src_process_verified_status]
packet.id about.labels[packet_id] (deprecated)
packet.id additional.fields[packet_id]
process.unique.key principal.labels[process_unique_key] (deprecated)
process.unique.key additional.fields[process_unique_key]
registry.keyPath target.registry.registry_key
registry.keyUid target.labels[registry_key_uid] (deprecated)
registry.keyUid additional.fields[registry_key_uid]
registry.oldValue src.registry.registry_value_data
registry.oldValueFullSize src.labels[registry_old_value_full_size] (deprecated)
registry.oldValueFullSize additional.fields[registry_old_value_full_size]
registry.oldValueIsComplete src.labels[registry_old_valueIs_complete] (deprecated)
registry.oldValueIsComplete additional.fields[registry_old_valueIs_complete]
registry.oldValueType src.registry.registry_value_name
registry.value target.registry.registry_value_data
registry.valueFullSize target.labels[registry_value_full_size] (deprecated)
registry.valueFullSize additional.fields[registry_value_full_size]
registry.valueIsComplete target.labels[registry_value_is_complete] (deprecated)
registry.valueIsComplete additional.fields[registry_value_is_complete]
registry.valueType target.registry.registry_value_name
sca:atlantisIngestTime about.labels[sca_atlantis_ingest_time] (deprecated)
sca:atlantisIngestTime additional.fields[sca_atlantis_ingest_time]
sca:ingestTime about.labels[sca_ingest_time] (deprecated)
sca:ingestTime additional.fields[sca_ingest_time]
site.id principal.labels[site_id] (deprecated)
site.id additional.fields[site_id]
site.name principal.labels[site_name] (deprecated)
site.name additional.fields[site_name]
src.endpoint.ip.address principal.ip
src.ip.address principal.ip
src.port.number principal.port
src.process.activeContent.hash principal.labels[src_process_active_content_hash] (deprecated)
src.process.activeContent.hash additional.fields[src_process_active_content_hash]
src.process.activeContent.id principal.labels[src_process_active_content_id] (deprecated)
src.process.activeContent.id additional.fields[src_process_active_content_id]
src.process.activeContent.path principal.labels[src_process_active_content_path] (deprecated)
src.process.activeContent.path additional.fields[src_process_active_content_path]
src.process.activeContent.signedStatus principal.labels[src_process_active_content_signed_status] (deprecated)
src.process.activeContent.signedStatus additional.fields[src_process_active_content_signed_status]
src.process.activeContentType principal.labels[src_process_active_content_type] (deprecated)
src.process.activeContentType additional.fields[src_process_active_content_type]
src.process.childProcCount principal.labels[src_process_child_proc_count] (deprecated)
src.process.childProcCount additional.fields[src_process_child_proc_count]
src.process.cmdline principal.process.command_line
src.process.crossProcessCount principal.labels[src_process_cross_process_count] (deprecated)
src.process.crossProcessCount additional.fields[src_process_cross_process_count]
src.process.crossProcessDupRemoteProcessHandleCount principal.labels[src_process_cross_process_dup_remote_process_handle_count] (deprecated)
src.process.crossProcessDupRemoteProcessHandleCount additional.fields[src_process_cross_process_dup_remote_process_handle_count]
src.process.crossProcessDupThreadHandleCount principal.labels[src_process_cross_process_dup_thread_handle_count] (deprecated)
src.process.crossProcessDupThreadHandleCount additional.fields[src_process_cross_process_dup_thread_handle_count]
src.process.crossProcessOpenProcessCount principal.labels[src_process_cross_process_open_process_count] (deprecated)
src.process.crossProcessOpenProcessCount additional.fields[src_process_cross_process_open_process_count]
src.process.crossProcessOutOfStorylineCount principal.labels[src_process_cross_process_out_of_storyline_count] (deprecated)
src.process.crossProcessOutOfStorylineCount additional.fields[src_process_cross_process_out_of_storyline_count]
src.process.crossProcessThreadCreateCount principal.labels[src_process_cross_process_thread_create_count] (deprecated)
src.process.crossProcessThreadCreateCount additional.fields[src_process_cross_process_thread_create_count]
src.process.displayName principal.labels[src_process_display_name] (deprecated)
src.process.displayName additional.fields[src_process_display_name]
src.process.dnsCount principal.labels[src_process_dns_count] (deprecated)
src.process.dnsCount additional.fields[src_process_dns_count]
src.process.eUserName principal.user.attribute.labels[src_process_e_user_name]
src.process.eUserUid principal.user.attribute.labels[src_process_e_user_uid]
src.process.image.binaryIsExecutable principal.labels[src_process_image_binary_is_executable] (deprecated)
src.process.image.binaryIsExecutable additional.fields[src_process_image_binary_is_executable]
src.process.image.md5 principal.process.file.md5 If the src.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.image.md5 log field is mapped to the principal.process.file.md5 UDM field.
src.process.image.path principal.process.file.full_path
src.process.image.sha1 principal.process.file.sha1 If the src.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.image.sha1 log field is mapped to the principal.process.file.sha1 UDM field.
src.process.image.sha256 principal.process.file.sha256 If the src.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.image.sha256 log field is mapped to the principal.process.file.sha256 UDM field.
src.process.indicatorBootConfigurationUpdateCount principal.labels[src_process_indicator_boot_configuration_update_count] (deprecated)
src.process.indicatorBootConfigurationUpdateCount additional.fields[src_process_indicator_boot_configuration_update_count]
src.process.indicatorEvasionCount principal.labels[src_process_indicator_evasion_count] (deprecated)
src.process.indicatorEvasionCount additional.fields[src_process_indicator_evasion_count]
src.process.indicatorExploitationCount principal.labels[src_process_indicator_exploitation_count] (deprecated)
src.process.indicatorExploitationCount additional.fields[src_process_indicator_exploitation_count]
src.process.indicatorGeneralCount principal.labels[src_process_indicator_general_count] (deprecated)
src.process.indicatorGeneralCount additional.fields[src_process_indicator_general_count]
src.process.indicatorInfostealerCount principal.labels[src_process_indicator_infostealer_count] (deprecated)
src.process.indicatorInfostealerCount additional.fields[src_process_indicator_infostealer_count]
src.process.indicatorInjectionCount principal.labels[src_process_indicator_injection_count] (deprecated)
src.process.indicatorInjectionCount additional.fields[src_process_indicator_injection_count]
src.process.indicatorPersistenceCount principal.labels[src_process_indicator_persistence_count] (deprecated)
src.process.indicatorPersistenceCount additional.fields[src_process_indicator_persistence_count]
src.process.indicatorPostExploitationCount principal.labels[src_process_indicator_post_exploitation_count] (deprecated)
src.process.indicatorPostExploitationCount additional.fields[src_process_indicator_post_exploitation_count]
src.process.indicatorRansomwareCount principal.labels[src_process_indicator_ransomware_count] (deprecated)
src.process.indicatorRansomwareCount additional.fields[src_process_indicator_ransomware_count]
src.process.indicatorReconnaissanceCount principal.labels[src_process_indicator_reconnaissance_count] (deprecated)
src.process.indicatorReconnaissanceCount additional.fields[src_process_indicator_reconnaissance_count]
src.process.integrityLevel principal.labels[src_process_integrity_level] (deprecated)
src.process.integrityLevel additional.fields[src_process_integrity_level]
src.process.isNative64Bit principal.labels[src_process_is_native_64_bit] (deprecated)
src.process.isNative64Bit additional.fields[src_process_is_native_64_bit]
src.process.isRedirectCmdProcessor principal.labels[src_process_is_redirect_cmd_processor] (deprecated)
src.process.isRedirectCmdProcessor additional.fields[src_process_is_redirect_cmd_processor]
src.process.isStorylineRoot principal.labels[src_process_is_storyline_root] (deprecated)
src.process.isStorylineRoot additional.fields[src_process_is_storyline_root]
src.process.lUserName principal.user.attribute.labels[src_process_l_user_name]
src.process.lUserUid principal.labels[src_process_l_user_uid] (deprecated)
src.process.lUserUid additional.fields[src_process_l_user_uid]
src.process.moduleCount principal.labels[src_process_module_count] (deprecated)
src.process.moduleCount additional.fields[src_process_module_count]
src.process.name principal.process.file.names
src.process.netConnCount principal.labels[src_process_net_conn_count] (deprecated)
src.process.netConnCount additional.fields[src_process_net_conn_count]
src.process.netConnInCount principal.labels[src_process_net_conn_in_count] (deprecated)
src.process.netConnInCount additional.fields[src_process_net_conn_in_count]
src.process.netConnOutCount principal.labels[src_process_net_conn_out_count] (deprecated)
src.process.netConnOutCount additional.fields[src_process_net_conn_out_count]
src.process.parent.activeContent.hash principal.labels[src_process_parent_active_content_hash] (deprecated)
src.process.parent.activeContent.hash additional.fields[src_process_parent_active_content_hash]
src.process.parent.activeContent.id principal.labels[src_process_parent_active_content_id] (deprecated)
src.process.parent.activeContent.id additional.fields[src_process_parent_active_content_id]
src.process.parent.activeContent.path principal.labels[src_process_parent_active_content_path] (deprecated)
src.process.parent.activeContent.path additional.fields[src_process_parent_active_content_path]
src.process.parent.activeContent.signedStatus principal.labels[src_process_parent_active_content_signed_status] (deprecated)
src.process.parent.activeContent.signedStatus additional.fields[src_process_parent_active_content_signed_status]
src.process.parent.activeContentType principal.labels[src_process_parent_active_content_type] (deprecated)
src.process.parent.activeContentType additional.fields[src_process_parent_active_content_type]
src.process.parent.cmdline principal.process.parent_process.command_line
src.process.parent.displayName principal.labels[src_process_parent_display_name] (deprecated)
src.process.parent.displayName additional.fields[src_process_parent_display_name]
src.process.parent.eUserName principal.user.attribute.labels[src_process_parent_e_user_name]
src.process.parent.eUserUid principal.user.attribute.labels[src_process_parent_e_user_uid]
src.process.parent.image.md5 principal.process.parent_process.file.md5 If the src.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.parent.image.md5 log field is mapped to the principal.process.parent_process.file.md5 UDM field.
src.process.parent.image.path principal.process.parent_process.file.full_path
src.process.parent.image.sha1 principal.process.parent_process.file.sha1 If the src.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.parent.image.sha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field.
src.process.parent.image.sha256 principal.process.parent_process.file.sha256 If the src.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.parent.image.sha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field.
src.process.parent.integrityLevel principal.labels[src_process_parent_integrity_level] (deprecated)
src.process.parent.integrityLevel additional.fields[src_process_parent_integrity_level]
src.process.parent.isNative64Bit principal.labels[src_process_parent_is_native_64_bit] (deprecated)
src.process.parent.isNative64Bit additional.fields[src_process_parent_is_native_64_bit]
src.process.parent.isRedirectCmdProcessor principal.labels[src_process_parent_is_redirect_cmd_processor] (deprecated)
src.process.parent.isRedirectCmdProcessor additional.fields[src_process_parent_is_redirect_cmd_processor]
src.process.parent.isStorylineRoot principal.labels[src_process_parent_is_storyline_root] (deprecated)
src.process.parent.isStorylineRoot additional.fields[src_process_parent_is_storyline_root]
src.process.parent.lUserName principal.user.attribute.labels[src_process_parent_l_user_name]
src.process.parent.lUserUid principal.user.attribute.labels[src_process_parent_l_user_uid]
src.process.parent.name principal.process.parent_process.file.names
src.process.parent.pid principal.process.parent_process.pid
src.process.parent.publisher principal.labels[src_process_parent_publisher] (deprecated)
src.process.parent.publisher additional.fields[src_process_parent_publisher]
src.process.parent.reasonSignatureInvalid principal.labels[src_process_parent_reason_signature_invalid] (deprecated)
src.process.parent.reasonSignatureInvalid additional.fields[src_process_parent_reason_signature_invalid]
src.process.parent.rUserName principal.user.attribute.labels[src_process_parent_r_user_name]
src.process.parent.rUserUid principal.user.attribute.labels[src_process_parent_r_user_uid]
src.process.parent.sessionId principal.labels[src_process_parent_session_id] (deprecated)
src.process.parent.sessionId additional.fields[src_process_parent_session_id]
src.process.parent.signedStatus principal.process.parent_process.file.signature_info.sigcheck.verification_message
src.process.parent.startTime principal.labels[src_process_parent_start_time] (deprecated)
src.process.parent.startTime additional.fields[src_process_parent_start_time]
src.process.parent.storyline.id principal.labels[src_process_parent_storyline_id] (deprecated)
src.process.parent.storyline.id additional.fields[src_process_parent_storyline_id]
src.process.parent.subsystem principal.labels[src_process_parent_subsystem] (deprecated)
src.process.parent.subsystem additional.fields[src_process_parent_subsystem]
src.process.parent.user principal.user.attribute.labels[src_process_parent_user]
src.process.pid principal.process.pid
src.process.publisher principal.labels[src_process_publisher] (deprecated)
src.process.publisher additional.fields[src_process_publisher]
src.process.reasonSignatureInvalid principal.labels[src_process_reason_signature_invalid] (deprecated)
src.process.reasonSignatureInvalid additional.fields[src_process_reason_signature_invalid]
src.process.registryChangeCount principal.labels[src_process_registry_change_count] (deprecated)
src.process.registryChangeCount additional.fields[src_process_registry_change_count]
src.process.rpid principal.labels[src_process_rpid] (deprecated)
src.process.rpid additional.fields[src_process_rpid]
src.process.rUserName principal.user.attribute.labels[src_process_r_user_name]
src.process.rUserUid principal.user.attribute.labels[src_process_r_user_uid]
src.process.sessionId principal.labels[src_process_session_id] (deprecated)
src.process.sessionId additional.fields[src_process_session_id]
src.process.signedStatus principal.process.file.signature_info.sigcheck.verification_message
src.process.startTime principal.labels[src_process_start_time] (deprecated)
src.process.startTime additional.fields[src_process_start_time]
src.process.storyline.id principal.labels[src_process_storyline_id] (deprecated)
src.process.storyline.id additional.fields[src_process_storyline_id]
src.process.subsystem principal.labels[src_process_subsystem] (deprecated)
src.process.subsystem additional.fields[src_process_subsystem]
src.process.tgtFileCreationCount principal.labels[src_process_tgt_file_creation_count] (deprecated)
src.process.tgtFileCreationCount additional.fields[src_process_tgt_file_creation_count]
src.process.tgtFileDeletionCount principal.labels[src_process_tgt_file_deletion_count] (deprecated)
src.process.tgtFileDeletionCount additional.fields[src_process_tgt_file_deletion_count]
src.process.tgtFileModificationCount principal.labels[src_process_tgt_file_modification_count] (deprecated)
src.process.tgtFileModificationCount additional.fields[src_process_tgt_file_modification_count]
src.process.tid principal.labels[src_process_tid] (deprecated)
src.process.tid additional.fields[src_process_tid]
src.process.user principal.user.userid
src.process.verifiedStatus principal.labels[src_process_verified_status] (deprecated)
src.process.verifiedStatus additional.fields[src_process_verified_status]
task.name target.resource.name
task.path target.resource.attribute.labels[task_path]
tgt.file.convictedBy target.labels[tgt_file_convicted_by] (deprecated)
tgt.file.convictedBy additional.fields[tgt_file_convicted_by]
tgt.file.creationTime target.labels[tgt_file_creation_time] (deprecated)
tgt.file.creationTime additional.fields[tgt_file_creation_time]
tgt.file.description target.labels[tgt_file_description] (deprecated)
tgt.file.description additional.fields[tgt_file_description]
tgt.file.extension target.file.mime_type
tgt.file.id target.file.names
tgt.file.internalName target.file.names
tgt.file.isExecutable target.labels[tgt_file_is_executable] (deprecated)
tgt.file.isExecutable additional.fields[tgt_file_is_executable]
tgt.file.isSigned target.labels[tgt_file_is_signed] (deprecated)
tgt.file.isSigned additional.fields[tgt_file_is_signed]
tgt.file.location target.labels[tgt_file_location] (deprecated)
tgt.file.location additional.fields[tgt_file_location]
tgt.file.md5 target.file.md5 If the tgt.file.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.md5 log field is mapped to the target.file.md5 UDM field.
tgt.file.modificationTime target.file.last_modification_time
tgt.file.oldMd5 src.file.md5 If the tgt.file.oldMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.oldMd5 log field is mapped to the src.file.md5 UDM field.
tgt.file.oldPath src.file.full_path
tgt.file.oldSha1 src.file.sha1 If the tgt.file.oldSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.oldSha1 log field is mapped to the src.file.sha1 UDM field.
tgt.file.oldSha256 src.file.sha256 If the tgt.file.oldSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.oldSha256 log field is mapped to the src.file.sha256 UDM field.
tgt.file.path target.file.full_path
tgt.file.sha1 target.file.sha1 If the tgt.file.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.sha1 log field is mapped to the target.file.sha1 UDM field.
tgt.file.sha256 target.file.sha256 If the tgt.file.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.sha256 log field is mapped to the target.file.sha256 UDM field.
tgt.file.size target.file.size
tgt.process.accessRights target.labels[tgt_process_access_rights] (deprecated)
tgt.process.accessRights additional.fields[tgt_process_access_rights]
tgt.process.activeContent.hash target.labels[tgt_process_active_content_hash] (deprecated)
tgt.process.activeContent.hash additional.fields[tgt_process_active_content_hash]
tgt.process.activeContent.id target.labels[tgt_process_active_content_id] (deprecated)
tgt.process.activeContent.id additional.fields[tgt_process_active_content_id]
tgt.process.activeContent.path target.labels[tgt_process_active_content_path] (deprecated)
tgt.process.activeContent.path additional.fields[tgt_process_active_content_path]
tgt.process.activeContent.signedStatus target.labels [tgt_process_active_content_signed_status] (deprecated)
tgt.process.activeContent.signedStatus additional.fields [tgt_process_active_content_signed_status]
tgt.process.activeContentType target.labels[tgt_process_active_content_type] (deprecated)
tgt.process.activeContentType additional.fields[tgt_process_active_content_type]
tgt.process.cmdline target.process.command_line
tgt.process.displayName target.labels[tgt_process_display_name] (deprecated)
tgt.process.displayName additional.fields[tgt_process_display_name]
tgt.process.eUserName target.user.attribute.labels[tgt_process_e_user_name]
tgt.process.eUserUid target.user.attribute.labels[tgt_process_e_user_uid]
tgt.process.image.binaryIsExecutable target.labels[tgt_process_image_binary_is_executable] (deprecated)
tgt.process.image.binaryIsExecutable additional.fields[tgt_process_image_binary_is_executable]
tgt.process.image.md5 target.process.file.md5 If the tgt.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.process.image.md5 log field is mapped to the target.process.file.md5 UDM field.
tgt.process.image.path target.process.file.full_path
tgt.process.image.sha1 target.process.file.sha1 If the tgt.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.process.image.sha1 log field is mapped to the target.process.file.sha1 UDM field.
tgt.process.image.sha256 target.process.file.sha256 If the tgt.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.process.image.sha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.process.integrityLevel target.labels[tgt_process_integrity_level] (deprecated)
tgt.process.integrityLevel additional.fields[tgt_process_integrity_level]
tgt.process.isNative64Bit target.labels[tgt_process_is_native_64_bit] (deprecated)
tgt.process.isNative64Bit additional.fields[tgt_process_is_native_64_bit]
tgt.process.isRedirectCmdProcessor target.labels[tgt_process_is_redirect_cmd_processor] (deprecated)
tgt.process.isRedirectCmdProcessor additional.fields[tgt_process_is_redirect_cmd_processor]
tgt.process.isStorylineRoot target.labels[tgt_process_is_storyline_root] (deprecated)
tgt.process.isStorylineRoot additional.fields[tgt_process_is_storyline_root]
tgt.process.lUserName target.user.attribute.labels[tgt_process_l_user_name]
tgt.process.lUserUid target.user.attribute.labels[tgt_process_l_user_uid]
tgt.process.name target.process.file.names
tgt.process.pid target.process.pid
tgt.process.publisher target.labels[tgt_process_publisher] (deprecated)
tgt.process.publisher additional.fields[tgt_process_publisher]
tgt.process.reasonSignatureInvalid security_result.detection_fields[tgt_process_reason_signature_invalid]
tgt.process.relation target.labels[tgt_process_relation] (deprecated)
tgt.process.relation additional.fields[tgt_process_relation]
tgt.process.rUserName target.user.attribute.labels[tgt_process_r_user_name]
tgt.process.rUserUid target.user.attribute.labels[tgt_process_r_user_uid]
tgt.process.sessionId target.labels[tgt_process_session_id] (deprecated)
tgt.process.sessionId additional.fields[tgt_process_session_id]
tgt.process.signedStatus target.process.file.signature_info.sigcheck.verification_message
tgt.process.startTime target.labels[tgt_process_start_time] (deprecated)
tgt.process.startTime additional.fields[tgt_process_start_time]
tgt.process.storyline.id target.labels[tgt_process_storyline_id] (deprecated)
tgt.process.storyline.id additional.fields[tgt_process_storyline_id]
tgt.process.subsystem target.labels[tgt_process_subsystem] (deprecated)
tgt.process.subsystem additional.fields[tgt_process_subsystem]
tgt.process.user target.user.userid
tgt.process.verifiedStatus target.labels[tgt_process_verified_status] (deprecated)
tgt.process.verifiedStatus additional.fields[tgt_process_verified_status]
tiIndicator.addedBy security_result.about.user.email_addresses
tiIndicator.categories security_result.category_details
tiIndicator.comparisonMethod security_result.detection_fields [ti_indicator_comparison_method]
tiIndicator.creationTime security_result.detection_fields [ti_indicator_creation_time]
tiIndicator.description security_result.descripton
tiIndicator.externalId security_result.detection_fields [ti_indicator_external_id]
tiIndicator.intrusionSets security_result.detection_fields [ti_indicator_tiIndicator_intrusion_sets]
tiIndicator.metadata security_result.detection_fields [ti_indicator_metadata]
tiIndicator.mitreTactics security_result.attack_details.tactics.name
tiIndicator.modificationTime security_result.detection_fields [ti_indicator_modification_time]
tiIndicator.name security_result.threat_name
tiindicator.originalEvent.id security_result.detection_fields [ti_indicator_original_event_id]
tiindicator.originalEvent.index security_result.detection_fields [ti_indicator_original_event_index]
tiindicator.originalEvent.time security_result.detection_fields [ti_indicator_original_event_time]
tiindicator.originalEvent.traceId security_result.detection_fields [ti_indicator_original_event_trace_id]
tiIndicator.references security_result.detection_fields [ti_indicator_references]
tiIndicator.source security_result.threat_feed_name
tiIndicator.threatActors security_result.about.user.email_addresses
tiIndicator.type security_result.detection_fields [ti_indicator_type]
tiIndicator.uid security_result.detection_fields [ti_indicator_uid]
tiIndicator.uploadTime security_result.detection_fields [ti_indicator_upload_time]
tiIndicator.validUntil security_result.detection_fields [ti_indicator_valid_until]
tiIndicator.value security_result.about.file.md5 If the tiIndicator.type log field value is equal to Md5, then the tiIndicator.value log field is mapped to the security_result.about.file.md5 UDM field.
tiIndicator.value security_result.about.file.sha1 If the tiIndicator.type log field value is equal to Sha1, then the tiIndicator.value log field is mapped to the security_result.about.file.sha1 UDM field.
tiIndicator.value security_result.about.ip If the tiIndicator.type log field value contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.ip UDM field.
  • IPv4
  • IPV6
tiIndicator.value security_result.about.labels[tiIndicator.value] (deprecated) If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.labels UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value additional.fields[tiIndicator.value] If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the additional.fields UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value network.dns.questions.name If the tiIndicator.type log field value is equal to DNS, then the tiIndicator.value log field is mapped to the network.dns.questions.name UDM field.
tiIndicator.value security_result.about.url If the tiIndicator.type log field value is equal to URL, then the tiIndicator.value log field is mapped to the security_result.about.url UDM field.
timestamp about.labels[timestamp] (deprecated)
timestamp additional.fields[timestamp]
trace.id about.labels[trace_id] (deprecated)
trace.id additional.fields[trace_id]
url.address target.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
url.address target.asset.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
url.address target.url
winEventLog.channel about.labels[win_event_log_channel] (deprecated)
winEventLog.channel additional.fields[win_event_log_channel]
winEventLog.creationDate about.labels[win_event_log_creation_date] (deprecated)
winEventLog.creationDate additional.fields[win_event_log_creation_date]
winEventLog.description about.labels[win_event_log_description] (deprecated)
winEventLog.description additional.fields[win_event_log_description]
winEventLog.description.accountDomain principal.labels[win_event_log_description_account_domain] (deprecated)
winEventLog.description.accountDomain additional.fields[win_event_log_description_account_domain]
winEventLog.description.additionalInformation about.labels[win_event_log_description_additional_information] (deprecated)
winEventLog.description.additionalInformation additional.fields[win_event_log_description_additional_information]
winEventLog.description.objectName about.labels[win_event_log_description_object_name] (deprecated)
winEventLog.description.objectName additional.fields[win_event_log_description_object_name]
winEventLog.description.objectServer about.labels[win_event_log_description_object_server] (deprecated)
winEventLog.description.objectServer additional.fields[win_event_log_description_object_server]
winEventLog.description.objectType about.labels[win_event_log_description_object_type] (deprecated)
winEventLog.description.objectType additional.fields[win_event_log_description_object_type]
winEventLog.description.operationType about.labels[win_event_log_description_operation_type] (deprecated)
winEventLog.description.operationType additional.fields[win_event_log_description_operation_type]
winEventLog.description.securityId about.labels[win_event_log_description_security_id] (deprecated)
winEventLog.description.securityId additional.fields[win_event_log_description_security_id]
winEventLog.description.userId about.labels[win_event_log_description_user_id] (deprecated)
winEventLog.description.userId additional.fields[win_event_log_description_user_id]
winEventLog.id about.labels[win_event_log_id] (deprecated)
winEventLog.id additional.fields[win_event_log_id]
winEventLog.level security_result.severity_details
winEventLog.providerName security_result.about.resource.attribute.labels[win_event_log_provider_name]
winEventLog.xml about.labels[win_event_log_xml] (deprecated)
winEventLog.xml additional.fields[win_event_log_xml]

What's next

Need more help? Get answers from Community members and Google SecOps professionals.