Recopila registros de embudo de SentinelOne Cloud

Compatible con:

En este documento, se describe cómo puedes configurar un feed de Google Security Operations para exportar registros de SentinelOne Cloud Funnel y cómo los campos de registro se asignan a los campos del modelo de datos unificados (UDM) de Google Security Operations.

Para obtener más información, consulta la descripción general de la transferencia de datos a Google Security Operations.

Una implementación típica consiste en el embudo de Cloud de SentinelOne y el feed de Google Security Operations configurado para enviar registros a Google Security Operations. Cada implementación de cliente puede diferir y ser más compleja.

La implementación contiene los siguientes componentes:

  • SentinelOne: Es la plataforma desde la que recopilas registros.

  • Feed de Google Security Operations: Es el feed de Google Security Operations que recupera registros de SentinelOne y escribe registros en Google Security Operations.

  • Google Security Operations: Retiene y analiza los registros.

Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato estructurado del UDM. La información de este documento se aplica al analizador con la etiqueta de transferencia SENTINELONE_CF.

Antes de comenzar

  • Asegúrate de tener una suscripción activa a Singularity Complete para SentinelOne. Consulta Paquetes de la plataforma para obtener más detalles.
  • Asegúrate de tener una licencia activa para el módulo de transmisión de data lake de Cloud Funnel.
  • Asegúrate de usar la versión 2.0 de SentinelOne Cloud Funnel.
  • Asegúrate de tener el rol de administrador a nivel global o de la cuenta. Para obtener el rol de administrador, comunícate con tu usuario administrador.
  • Asegúrate de tener derechos de administrador para instalar el agente de SentinelOne. Para obtener derechos de administrador, comunícate con tu usuario administrador.
  • Asegúrate de tener un Google Cloud bucket de almacenamiento configurado. Para obtener más información, consulta Configura tu Google Cloud bucket de almacenamiento.
    • Reemplaza YOUR_CONSOLE_DOMAIN en la URL por tu dominio específico de la consola.

Configura el embudo de Cloud de SentinelOne

  1. Accede a la consola de administración de SentinelOne.
  2. En la barra de herramientas Configuración, haz clic en Integraciones > embudo de conversión de Cloud.
  3. En la lista Proveedor de servicios en la nube, selecciona Google Cloud.
  4. En el campo Nombre de almacenamiento de GCS, ingresa el nombre del bucket de Cloud Storage.
  5. Haz clic en Validar para verificar si el bucket existe y que SentinelOne tenga acceso de lectura y escritura a él.
  6. Selecciona Habilitar transmisión de métricas para transmitir tus datos de XDR a tu bucket.

Configura un feed de transferencia de Google Security Operations

  1. Ve a Configuración de SIEM > Feeds.
  2. Haz clic en Agregar nueva.
  3. En el campo Nombre del feed, ingresa un nombre para el feed (por ejemplo, Registros de embudo de nube de SentinelOne).
  4. Selecciona Google Cloud Storage como el Tipo de fuente.
  5. Selecciona Embudo de SentinelOne Singularity Cloud como el Tipo de registro.
  6. Haz clic en Obtener una cuenta de servicio. Copia la Cuenta de servicio. La necesitarás para agregar permisos en el bucket de esta cuenta de servicio para permitir que Google Security Operations lea o borre datos del bucket.
  7. Haz clic en Siguiente.

  8. Configura los siguientes parámetros de entrada:

    • URI del bucket de almacenamiento: Es el URI de origen del bucket de Google Cloud Storage.
    • URI es un: el tipo de objeto al que apunta el URI.
    • Opción de eliminación de la fuente: Si quieres borrar archivos o directorios después de la transferencia.
    • Selecciona la opción No borrar archivos nunca en Opción de eliminación de la fuente.

    En el Google Cloud bucket de almacenamiento, para agregar permisos de Visualizador de objetos de almacenamiento a esta cuenta de servicio, sigue estos pasos:

    1. En la consola de Google Cloud, ve a Buckets y selecciona el nombre del bucket.

    2. En Detalles del bucket, ve a Permisos > Otorgar acceso.

    3. En Principales nuevas, pega la cuenta de servicio que copiaste.

    4. En Selecciona un rol, selecciona Cloud Storage y, luego, el rol de Visualizador de objetos de Storage.

  9. Haz clic en Siguiente y, luego, en Enviar.

Para obtener más información sobre los feeds de Google Security Operations, consulta la documentación de los feeds de Google Security Operations. Para obtener información sobre los requisitos de cada tipo de feed, consulta Configuración de feeds por tipo. Si tienes problemas para crear feeds, comunícate con el equipo de asistencia de Operaciones de seguridad de Google.

Tipos de registros de embudo de SentinelOne Cloud compatibles

El analizador de embudo de Cloud de SentinelOne admite los siguientes tipos de registros:

Event Type

  • Process Exit
  • Process Modification
  • Process Creation
  • Duplicate Process Handle
  • Duplicate Thread Handle
  • Open Remote Process Handle
  • Remote Thread Creation
  • Remote Process Termination
  • Command Script
  • IP Connect
  • IP Listen
  • File Modification
  • File Creation
  • File Scan
  • File Deletion
  • File Rename
  • Pre Execution Detection
  • Login
  • Logout
  • GET
  • OPTIONS
  • POST
  • PUT
  • DELETE
  • CONNECT
  • HEAD
  • DNS Resolved
  • DNS Unresolved
  • Task Register
  • Task Update
  • Task Start
  • Task Trigger
  • Task Delete
  • Registry Key Create
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Key Import
  • Registry Value Modified
  • Registry Value Create
  • Registry Value Delete
  • Behavioral Indicators
  • Module Load
  • Driver Load
  • Not Reported
  • Group Creation
  • Firmware Test
  • Threat Intelligence Indicators
  • Named Pipe Creation
  • Named Pipe Connection
  • Windows Event Log Creation

Referencia de la asignación de campos

En esta sección, se explica cómo el analizador de Google Security Operations asigna campos de SentinelOne a campos del modelo de datos unificado (UDM) de Google Security Operations.

Referencia de asignación de campos: identificador de evento a tipo de evento

En la siguiente tabla, se enumeran los tipos de registro de SENTINELONE_CF y sus correspondientes tipos de eventos de la AUA.
Event Identifier Event Type
Process Exit PROCESS_TERMINATION
Process Modification PROCESS_UNCATEGORIZED
Process Creation PROCESS_LAUNCH
Duplicate Process Handle PROCESS_UNCATEGORIZED
Duplicate Thread Handle PROCESS_UNCATEGORIZED
Open Remote Process Handle PROCESS_UNCATEGORIZED
Remote Thread Creation PROCESS_UNCATEGORIZED
Remote Process Termination PROCESS_TERMINATION
Command Script PROCESS_UNCATEGORIZED
IP Connect NETWORK_CONNECTION
IP Listen STATUS_UPDATE
File Modification FILE_MODIFICATION
File Creation FILE_CREATION
File Scan SCAN_FILE
File Deletion FILE_DELETION
File Rename FILE_MOVE
Pre Execution Detection STATUS_UPDATE
Login USER_LOGIN
Logout USER_LOGOUT
GET NETWORK_HTTP
OPTIONS NETWORK_HTTP
POST NETWORK_HTTP
PUT NETWORK_HTTP
DELETE NETWORK_HTTP
CONNECT NETWORK_HTTP
HEAD NETWORK_HTTP
DNS Resolved NETWORK_DNS
DNS Unresolved NETWORK_DNS
Task Register SCHEDULED_TASK_CREATION
Task Update SCHEDULED_TASK_MODIFICATION
Task Start SCHEDULED_TASK_UNCATEGORIZED
Task Trigger SCHEDULED_TASK_UNCATEGORIZED
Task Delete SCHEDULED_TASK_DELETION
Registry Key Create REGISTRY_CREATION
Registry Key Rename REGISTRY_UNCATEGORIZED
Registry Key Delete REGISTRY_DELETION
Registry Key Export REGISTRY_UNCATEGORIZED
Registry Key Security Changed REGISTRY_MODIFICATION
Registry Key Import REGISTRY_UNCATEGORIZED
Registry Value Modified REGISTRY_MODIFICATION
Registry Value Create REGISTRY_CREATION
Registry Value Delete REGISTRY_DELETION
Behavioral Indicators STATUS_UPDATE
Module Load PROCESS_MODULE_LOAD
Driver Load PROCESS_MODULE_LOAD
Not Reported NETWORK_HTTP
Group Creation GROUP_CREATION
Firmware Test STATUS_UPDATE
Threat Intelligence Indicators STATUS_UPDATE
Named Pipe Creation RESOURCE_CREATION
Named Pipe Connection STATUS_UPDATE

Referencia de asignación de campos: SENTINELONE_CF

En la siguiente tabla, se enumeran los campos de registro del tipo de registro SENTINELONE_CF y sus campos de UDM correspondientes.

Log field UDM mapping Logic
winEventLog.description about.labels[win_event_log_description] (deprecated)
winEventLog.description additional.fields[win_event_log_description]
event.time metadata.event_timestamp
winEventLog.creationDate about.labels[win_event_log_creation_date] (deprecated)
winEventLog.creationDate additional.fields[win_event_log_creation_date]
account.id metadata.product_deployment_id
event.type metadata.product_event_type
event.id metadata.product_log_id
winEventLog.id about.labels[win_event_log_id] (deprecated)
winEventLog.id additional.fields[win_event_log_id]
metadata.vendor_name The metadata.vendor_name UDM field is set to SentinelOne.
extensions.auth.auth_details If the event.type log field value contain one of the following values, then the event.type log field is mapped to the extensions.auth.auth_details UDM field.
  • Login
  • Logout
extensions.auth.mechanism If the event.login.type log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the event.login.type log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.

Else, if the event.login.type log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the event.login.type log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the event.login.type log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the event.login.type log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the event.login.type log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.

Else, if the event.login.type log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the event.login.type log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK.
network.application_protocol If the event.type log field value contain one of the following values, then the network.application_protocol UDM field is set to DNS.
  • DNS Resolved
  • DNS Unresolved
network.direction If the event.network.direction log field value is equal to OUTGOING, then the network.direction UDM field is set to OUTBOUND.

Else, if the event.network.direction log field value is equal to INCOMING, then the network.direction UDM field is set to INBOUND.
event.dns.response network.dns.answers.name
event.dns.response network.dns.answers.type
event.dns.request network.dns.questions.name
event.url.action network.http.method
event.login.sessionId network.session_id
agent.uuid principal.asset.asset_id
agent.uuid principal.asset_id
agent.version principal.asset.attribute.labels[agent_version]
winEventLog.description.accountDomain principal.labels[win_event_log_description_account_domain] (deprecated)
winEventLog.description.accountDomain additional.fields[win_event_log_description_account_domain]
principal.asset.platform_software.platform If the endpoint.os log field value is equal to windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the endpoint.os log field value is equal to linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
principal.asset.type If the endpoint.type log field value is equal to laptop, then the principal.asset.type UDM field is set to LAPTOP.

Else, if the endpoint.type log field value contain one of the following values, then the principal.asset.type UDM field is set to SERVER.
  • server
  • Kubernetes Node
Else, if the endpoint.type log field value is equal to desktop, then the principal.asset.type UDM field is set to WORKSTATION.
endpoint.name principal.hostname
endpoint.name principal.asset.hostname
src.endpoint.ip.address principal.ip
src.ip.address principal.ip
osSrc.process.activeContent.hash principal.labels[os_src_process_active_content_hash] (deprecated)
osSrc.process.activeContent.hash additional.fields[os_src_process_active_content_hash]
osSrc.process.activeContent.id principal.labels[os_src_process_active_content_id] (deprecated)
osSrc.process.activeContent.id additional.fields[os_src_process_active_content_id]
osSrc.process.activeContent.path principal.labels[os_src_process_active_content_path] (deprecated)
osSrc.process.activeContent.path additional.fields[os_src_process_active_content_path]
osSrc.process.activeContent.signedStatus principal.labels[os_src_process_active_content_signed_status] (deprecated)
osSrc.process.activeContent.signedStatus additional.fields[os_src_process_active_content_signed_status]
osSrc.process.activeContentType principal.labels[os_src_process_active_content_type] (deprecated)
osSrc.process.activeContentType additional.fields[os_src_process_active_content_type]
osSrc.process.childProcCount principal.labels[os_src_process_child_proc_count] (deprecated)
osSrc.process.childProcCount additional.fields[os_src_process_child_proc_count]
osSrc.process.crossProcessCount principal.labels[os_src_process_cross_process_count] (deprecated)
osSrc.process.crossProcessCount additional.fields[os_src_process_cross_process_count]
osSrc.process.crossProcessDupRemoteProcessHandleCount principal.labels[os_src_process_cross_process_dup_rmote_process_handle_count] (deprecated)
osSrc.process.crossProcessDupRemoteProcessHandleCount additional.fields[os_src_process_cross_process_dup_rmote_process_handle_count]
osSrc.process.crossProcessDupThreadHandleCount principal.labels[os_src_process_cross_process_dup_thread_handle_count] (deprecated)
osSrc.process.crossProcessDupThreadHandleCount additional.fields[os_src_process_cross_process_dup_thread_handle_count]
osSrc.process.crossProcessOpenProcessCount principal.labels[os_src_process_cross_process_open_process_count] (deprecated)
osSrc.process.crossProcessOpenProcessCount additional.fields[os_src_process_cross_process_open_process_count]
osSrc.process.crossProcessOutOfStorylineCount principal.labels[os_src_process_cross_process_out_of_storyline_count] (deprecated)
osSrc.process.crossProcessOutOfStorylineCount additional.fields[os_src_process_cross_process_out_of_storyline_count]
osSrc.process.crossProcessThreadCreateCount principal.labels[os_src_process_cross_process_thread_create_count] (deprecated)
osSrc.process.crossProcessThreadCreateCount additional.fields[os_src_process_cross_process_thread_create_count]
osSrc.process.displayName principal.labels[os_src_process_display_name] (deprecated)
osSrc.process.displayName additional.fields[os_src_process_display_name]
osSrc.process.dnsCount principal.labels[os_src_process_dns_count] (deprecated)
osSrc.process.dnsCount additional.fields[os_src_process_dns_count]
osSrc.process.image.binaryIsExecutable principal.labels[os_src_process_image_binary_is_executable] (deprecated)
osSrc.process.image.binaryIsExecutable additional.fields[os_src_process_image_binary_is_executable]
osSrc.process.indicatorBootConfigurationUpdateCount principal.labels[os_src_process_indicator_boot_configuration_update_count] (deprecated)
osSrc.process.indicatorBootConfigurationUpdateCount additional.fields[os_src_process_indicator_boot_configuration_update_count]
osSrc.process.indicatorEvasionCount principal.labels[os_src_process_indicator_evasion_count] (deprecated)
osSrc.process.indicatorEvasionCount additional.fields[os_src_process_indicator_evasion_count]
osSrc.process.indicatorExploitationCount principal.labels[os_src_process_indicator_exploitation_count] (deprecated)
osSrc.process.indicatorExploitationCount additional.fields[os_src_process_indicator_exploitation_count]
osSrc.process.indicatorGeneral.count principal.labels[os_src_process_indicator_general_count] (deprecated)
osSrc.process.indicatorGeneral.count additional.fields[os_src_process_indicator_general_count]
osSrc.process.indicatorInfostealerCount principal.labels[os_src_process_indicator_infostealer_count] (deprecated)
osSrc.process.indicatorInfostealerCount additional.fields[os_src_process_indicator_infostealer_count]
osSrc.process.indicatorInjectionCount principal.labels[os_src_process_indicator_injection_count] (deprecated)
osSrc.process.indicatorInjectionCount additional.fields[os_src_process_indicator_injection_count]
osSrc.process.indicatorPersistenceCount principal.labels[os_src_process_indicator_persistence_count] (deprecated)
osSrc.process.indicatorPersistenceCount additional.fields[os_src_process_indicator_persistence_count]
osSrc.process.indicatorPostExploitationCount principal.labels[os_src_process_indicator_post_exploitation_count] (deprecated)
osSrc.process.indicatorPostExploitationCount additional.fields[os_src_process_indicator_post_exploitation_count]
osSrc.process.indicatorRansomwareCount principal.labels[os_src_process_indicator_ransomware_count] (deprecated)
osSrc.process.indicatorRansomwareCount additional.fields[os_src_process_indicator_ransomware_count]
osSrc.process.indicatorReconnaissanceCount principal.labels[os_src_process_indicator_reconnaissance_count] (deprecated)
osSrc.process.indicatorReconnaissanceCount additional.fields[os_src_process_indicator_reconnaissance_count]
osSrc.process.integrityLevel principal.labels[os_src_process_integrity_level] (deprecated)
osSrc.process.integrityLevel additional.fields[os_src_process_integrity_level]
osSrc.process.isNative64Bit principal.labels[os_src_process_is_native_64_bit] (deprecated)
osSrc.process.isNative64Bit additional.fields[os_src_process_is_native_64_bit]
osSrc.process.isRedirectCmdProcessor principal.labels[os_src_process_is_redirect_cmd_processor] (deprecated)
osSrc.process.isRedirectCmdProcessor additional.fields[os_src_process_is_redirect_cmd_processor]
osSrc.process.isStorylineRoot principal.labels[os_src_process_is_storyline_root] (deprecated)
osSrc.process.isStorylineRoot additional.fields[os_src_process_is_storyline_root]
osSrc.process.moduleCount principal.labels[os_src_process_module_count] (deprecated)
osSrc.process.moduleCount additional.fields[os_src_process_module_count]
osSrc.process.netConnCount principal.labels[os_src_process_net_conn_count] (deprecated)
osSrc.process.netConnCount additional.fields[os_src_process_net_conn_count]
osSrc.process.netConnInCount principal.labels[os_src_process_net_conn_in_count] (deprecated)
osSrc.process.netConnInCount additional.fields[os_src_process_net_conn_in_count]
osSrc.process.netConnOutCount principal.labels[os_src_process_net_conn_out_count] (deprecated)
osSrc.process.netConnOutCount additional.fields[os_src_process_net_conn_out_count]
osSrc.process.parent.activeContent.hash principal.labels[os_src_process_parent_active_content_hash] (deprecated)
osSrc.process.parent.activeContent.hash additional.fields[os_src_process_parent_active_content_hash]
osSrc.process.parent.activeContent.id principal.labels[os_src_process_parent_active_content_id] (deprecated)
osSrc.process.parent.activeContent.id additional.fields[os_src_process_parent_active_content_id]
osSrc.process.parent.activeContent.path principal.labels[os_src_process_parent_active_content_path] (deprecated)
osSrc.process.parent.activeContent.path additional.fields[os_src_process_parent_active_content_path]
osSrc.process.parent.activeContent.signedStatus principal.labels[os_src_process_parent_active_content_signed_status] (deprecated)
osSrc.process.parent.activeContent.signedStatus additional.fields[os_src_process_parent_active_content_signed_status]
osSrc.process.parent.activeContentType principal.labels[os_src_process_parent_active_content_type] (deprecated)
osSrc.process.parent.activeContentType additional.fields[os_src_process_parent_active_content_type]
osSrc.process.parent.displayName principal.labels[os_src_process_parent_display_name] (deprecated)
osSrc.process.parent.displayName additional.fields[os_src_process_parent_display_name]
osSrc.process.parent.integrityLevel principal.labels[os_src_process_parent_integrity_level] (deprecated)
osSrc.process.parent.integrityLevel additional.fields[os_src_process_parent_integrity_level]
osSrc.process.parent.isNative64Bit principal.labels[os_src_process_parent_is_native_64_bit] (deprecated)
osSrc.process.parent.isNative64Bit additional.fields[os_src_process_parent_is_native_64_bit]
osSrc.process.parent.isRedirectCmdProcessor principal.labels[os_src_process_parent_is_redirect_cmd_processor] (deprecated)
osSrc.process.parent.isRedirectCmdProcessor additional.fields[os_src_process_parent_is_redirect_cmd_processor]
osSrc.process.parent.isStorylineRoot principal.labels[os_src_process_parent_is_storyline_root] (deprecated)
osSrc.process.parent.isStorylineRoot additional.fields[os_src_process_parent_is_storyline_root]
osSrc.process.parent.publisher principal.labels[os_src_process_parent_publisher] (deprecated)
osSrc.process.parent.publisher additional.fields[os_src_process_parent_publisher]
osSrc.process.parent.sessionId principal.labels[os_src_process_parent_session_id] (deprecated)
osSrc.process.parent.sessionId additional.fields[os_src_process_parent_session_id]
osSrc.process.parent.signedStatus principal.process_ancestors.parent_process.file.signature_info.sigcheck.verification_message
osSrc.process.parent.startTime principal.labels[os_src_process_parent_start_time] (deprecated)
osSrc.process.parent.startTime additional.fields[os_src_process_parent_start_time]
osSrc.process.parent.storyline.id principal.labels[os_src_process_parent_storyline_id] (deprecated)
osSrc.process.parent.storyline.id additional.fields[os_src_process_parent_storyline_id]
src.process.parent.storyline.id principal.labels[src_process_parent_storyline_id] (deprecated)
src.process.parent.storyline.id additional.fields[src_process_parent_storyline_id]
osSrc.process.publisher principal.labels[os_src_process_publisher] (deprecated)
osSrc.process.publisher additional.fields[os_src_process_publisher]
osSrc.process.registryChangeCount principal.labels[os_src_process_registry_change_count] (deprecated)
osSrc.process.registryChangeCount additional.fields[os_src_process_registry_change_count]
osSrc.process.sessionId principal.labels[os_src_process_session_id] (deprecated)
osSrc.process.sessionId additional.fields[os_src_process_session_id]
osSrc.process.signedStatus principal.process_ancestors.file.signature_info.sigcheck.verification_message
osSrc.process.startTime principal.labels[os_src_process_start_time] (deprecated)
osSrc.process.startTime additional.fields[os_src_process_start_time]
osSrc.process.storyline.id principal.labels[os_src_process_storyline_id] (deprecated)
osSrc.process.storyline.id additional.fields[os_src_process_storyline_id]
osSrc.process.subsystem principal.labels[os_src_process_subsystem] (deprecated)
osSrc.process.subsystem additional.fields[os_src_process_subsystem]
osSrc.process.tgtFileCreationCount principal.labels[os_src_process_tgt_file_creation_count] (deprecated)
osSrc.process.tgtFileCreationCount additional.fields[os_src_process_tgt_file_creation_count]
osSrc.process.tgtFileDeletionCount principal.labels[os_src_process_tgt_file_deletion_count] (deprecated)
osSrc.process.tgtFileDeletionCount additional.fields[os_src_process_tgt_file_deletion_count]
osSrc.process.tgtFileModificationCount principal.labels[os_src_process_tgt_file_modification_count] (deprecated)
osSrc.process.tgtFileModificationCount additional.fields[os_src_process_tgt_file_modification_count]
osSrc.process.verifiedStatus principal.labels[os_src_process_verified_status] (deprecated)
osSrc.process.verifiedStatus additional.fields[os_src_process_verified_status]
process.unique.key principal.labels[process_unique_key] (deprecated)
process.unique.key additional.fields[process_unique_key]
site.name principal.labels[site_name] (deprecated)
site.name additional.fields[site_name]
src.process.activeContent.hash principal.labels[src_process_active_content_hash] (deprecated)
src.process.activeContent.hash additional.fields[src_process_active_content_hash]
src.process.activeContent.id principal.labels[src_process_active_content_id] (deprecated)
src.process.activeContent.id additional.fields[src_process_active_content_id]
src.process.activeContent.path principal.labels[src_process_active_content_path] (deprecated)
src.process.activeContent.path additional.fields[src_process_active_content_path]
src.process.activeContent.signedStatus principal.labels[src_process_active_content_signed_status] (deprecated)
src.process.activeContent.signedStatus additional.fields[src_process_active_content_signed_status]
src.process.activeContentType principal.labels[src_process_active_content_type] (deprecated)
src.process.activeContentType additional.fields[src_process_active_content_type]
src.process.childProcCount principal.labels[src_process_child_proc_count] (deprecated)
src.process.childProcCount additional.fields[src_process_child_proc_count]
src.process.crossProcessCount principal.labels[src_process_cross_process_count] (deprecated)
src.process.crossProcessCount additional.fields[src_process_cross_process_count]
src.process.crossProcessDupRemoteProcessHandleCount principal.labels[src_process_cross_process_dup_remote_process_handle_count] (deprecated)
src.process.crossProcessDupRemoteProcessHandleCount additional.fields[src_process_cross_process_dup_remote_process_handle_count]
src.process.crossProcessDupThreadHandleCount principal.labels[src_process_cross_process_dup_thread_handle_count] (deprecated)
src.process.crossProcessDupThreadHandleCount additional.fields[src_process_cross_process_dup_thread_handle_count]
src.process.crossProcessOpenProcessCount principal.labels[src_process_cross_process_open_process_count] (deprecated)
src.process.crossProcessOpenProcessCount additional.fields[src_process_cross_process_open_process_count]
src.process.crossProcessOutOfStorylineCount principal.labels[src_process_cross_process_out_of_storyline_count] (deprecated)
src.process.crossProcessOutOfStorylineCount additional.fields[src_process_cross_process_out_of_storyline_count]
src.process.crossProcessThreadCreateCount principal.labels[src_process_cross_process_thread_create_count] (deprecated)
src.process.crossProcessThreadCreateCount additional.fields[src_process_cross_process_thread_create_count]
src.process.displayName principal.labels[src_process_display_name] (deprecated)
src.process.displayName additional.fields[src_process_display_name]
src.process.dnsCount principal.labels[src_process_dns_count] (deprecated)
src.process.dnsCount additional.fields[src_process_dns_count]
src.process.image.binaryIsExecutable principal.labels[src_process_image_binary_is_executable] (deprecated)
src.process.image.binaryIsExecutable additional.fields[src_process_image_binary_is_executable]
src.process.indicatorBootConfigurationUpdateCount principal.labels[src_process_indicator_boot_configuration_update_count] (deprecated)
src.process.indicatorBootConfigurationUpdateCount additional.fields[src_process_indicator_boot_configuration_update_count]
src.process.indicatorEvasionCount principal.labels[src_process_indicator_evasion_count] (deprecated)
src.process.indicatorEvasionCount additional.fields[src_process_indicator_evasion_count]
src.process.indicatorExploitationCount principal.labels[src_process_indicator_exploitation_count] (deprecated)
src.process.indicatorExploitationCount additional.fields[src_process_indicator_exploitation_count]
src.process.indicatorGeneralCount principal.labels[src_process_indicator_general_count] (deprecated)
src.process.indicatorGeneralCount additional.fields[src_process_indicator_general_count]
src.process.indicatorInfostealerCount principal.labels[src_process_indicator_infostealer_count] (deprecated)
src.process.indicatorInfostealerCount additional.fields[src_process_indicator_infostealer_count]
src.process.indicatorInjectionCount principal.labels[src_process_indicator_injection_count] (deprecated)
src.process.indicatorInjectionCount additional.fields[src_process_indicator_injection_count]
src.process.indicatorPersistenceCount principal.labels[src_process_indicator_persistence_count] (deprecated)
src.process.indicatorPersistenceCount additional.fields[src_process_indicator_persistence_count]
src.process.indicatorPostExploitationCount principal.labels[src_process_indicator_post_exploitation_count] (deprecated)
src.process.indicatorPostExploitationCount additional.fields[src_process_indicator_post_exploitation_count]
src.process.indicatorRansomwareCount principal.labels[src_process_indicator_ransomware_count] (deprecated)
src.process.indicatorRansomwareCount additional.fields[src_process_indicator_ransomware_count]
src.process.indicatorReconnaissanceCount principal.labels[src_process_indicator_reconnaissance_count] (deprecated)
src.process.indicatorReconnaissanceCount additional.fields[src_process_indicator_reconnaissance_count]
src.process.integrityLevel principal.labels[src_process_integrity_level] (deprecated)
src.process.integrityLevel additional.fields[src_process_integrity_level]
src.process.isNative64Bit principal.labels[src_process_is_native_64_bit] (deprecated)
src.process.isNative64Bit additional.fields[src_process_is_native_64_bit]
src.process.isRedirectCmdProcessor principal.labels[src_process_is_redirect_cmd_processor] (deprecated)
src.process.isRedirectCmdProcessor additional.fields[src_process_is_redirect_cmd_processor]
src.process.isStorylineRoot principal.labels[src_process_is_storyline_root] (deprecated)
src.process.isStorylineRoot additional.fields[src_process_is_storyline_root]
src.process.lUserUid principal.labels[src_process_l_user_uid] (deprecated)
src.process.lUserUid additional.fields[src_process_l_user_uid]
src.process.moduleCount principal.labels[src_process_module_count] (deprecated)
src.process.moduleCount additional.fields[src_process_module_count]
src.process.netConnCount principal.labels[src_process_net_conn_count] (deprecated)
src.process.netConnCount additional.fields[src_process_net_conn_count]
src.process.netConnInCount principal.labels[src_process_net_conn_in_count] (deprecated)
src.process.netConnInCount additional.fields[src_process_net_conn_in_count]
src.process.netConnOutCount principal.labels[src_process_net_conn_out_count] (deprecated)
src.process.netConnOutCount additional.fields[src_process_net_conn_out_count]
src.process.parent.activeContent.hash principal.labels[src_process_parent_active_content_hash] (deprecated)
src.process.parent.activeContent.hash additional.fields[src_process_parent_active_content_hash]
src.process.parent.activeContent.id principal.labels[src_process_parent_active_content_id] (deprecated)
src.process.parent.activeContent.id additional.fields[src_process_parent_active_content_id]
src.process.parent.activeContent.path principal.labels[src_process_parent_active_content_path] (deprecated)
src.process.parent.activeContent.path additional.fields[src_process_parent_active_content_path]
src.process.parent.activeContent.signedStatus principal.labels[src_process_parent_active_content_signed_status] (deprecated)
src.process.parent.activeContent.signedStatus additional.fields[src_process_parent_active_content_signed_status]
src.process.parent.activeContentType principal.labels[src_process_parent_active_content_type] (deprecated)
src.process.parent.activeContentType additional.fields[src_process_parent_active_content_type]
src.process.parent.displayName principal.labels[src_process_parent_display_name] (deprecated)
src.process.parent.displayName additional.fields[src_process_parent_display_name]
src.process.parent.integrityLevel principal.labels[src_process_parent_integrity_level] (deprecated)
src.process.parent.integrityLevel additional.fields[src_process_parent_integrity_level]
src.process.parent.isNative64Bit principal.labels[src_process_parent_is_native_64_bit] (deprecated)
src.process.parent.isNative64Bit additional.fields[src_process_parent_is_native_64_bit]
src.process.parent.isRedirectCmdProcessor principal.labels[src_process_parent_is_redirect_cmd_processor] (deprecated)
src.process.parent.isRedirectCmdProcessor additional.fields[src_process_parent_is_redirect_cmd_processor]
src.process.parent.isStorylineRoot principal.labels[src_process_parent_is_storyline_root] (deprecated)
src.process.parent.isStorylineRoot additional.fields[src_process_parent_is_storyline_root]
src.process.parent.publisher principal.labels[src_process_parent_publisher] (deprecated)
src.process.parent.publisher additional.fields[src_process_parent_publisher]
src.process.parent.reasonSignatureInvalid principal.labels[src_process_parent_reason_signature_invalid] (deprecated)
src.process.parent.reasonSignatureInvalid additional.fields[src_process_parent_reason_signature_invalid]
src.process.parent.sessionId principal.labels[src_process_parent_session_id] (deprecated)
src.process.parent.sessionId additional.fields[src_process_parent_session_id]
src.process.parent.signedStatus principal.process.parent_process.file.signature_info.sigcheck.verification_message
src.process.parent.startTime principal.labels[src_process_parent_start_time] (deprecated)
src.process.parent.startTime additional.fields[src_process_parent_start_time]
src.process.parent.subsystem principal.labels[src_process_parent_subsystem] (deprecated)
src.process.parent.subsystem additional.fields[src_process_parent_subsystem]
src.process.publisher principal.labels[src_process_publisher] (deprecated)
src.process.publisher additional.fields[src_process_publisher]
src.process.reasonSignatureInvalid principal.labels[src_process_reason_signature_invalid] (deprecated)
src.process.reasonSignatureInvalid additional.fields[src_process_reason_signature_invalid]
src.process.registryChangeCount principal.labels[src_process_registry_change_count] (deprecated)
src.process.registryChangeCount additional.fields[src_process_registry_change_count]
src.process.rpid principal.labels[src_process_rpid] (deprecated)
src.process.rpid additional.fields[src_process_rpid]
src.process.sessionId principal.labels[src_process_session_id] (deprecated)
src.process.sessionId additional.fields[src_process_session_id]
src.process.signedStatus principal.process.file.signature_info.sigcheck.verification_message
src.process.startTime principal.labels[src_process_start_time] (deprecated)
src.process.startTime additional.fields[src_process_start_time]
src.process.storyline.id principal.labels[src_process_storyline_id] (deprecated)
src.process.storyline.id additional.fields[src_process_storyline_id]
src.process.subsystem principal.labels[src_process_subsystem] (deprecated)
src.process.subsystem additional.fields[src_process_subsystem]
src.process.tgtFileCreationCount principal.labels[src_process_tgt_file_creation_count] (deprecated)
src.process.tgtFileCreationCount additional.fields[src_process_tgt_file_creation_count]
src.process.tgtFileDeletionCount principal.labels[src_process_tgt_file_deletion_count] (deprecated)
src.process.tgtFileDeletionCount additional.fields[src_process_tgt_file_deletion_count]
src.process.tgtFileModificationCount principal.labels[src_process_tgt_file_modification_count] (deprecated)
src.process.tgtFileModificationCount additional.fields[src_process_tgt_file_modification_count]
src.process.tid principal.labels[src_process_tid] (deprecated)
src.process.tid additional.fields[src_process_tid]
principal.process.product_specific_process_id If the src.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.uid} log field is mapped to the principal.process.product_specific_process_id UDM field.
src.process.verifiedStatus principal.labels[src_process_verified_status] (deprecated)
src.process.verifiedStatus additional.fields[src_process_verified_status]
site.id principal.labels[site_id] (deprecated)
site.id additional.fields[site_id]
principal.platform If the os.name log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.

Else, if the os.name log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX.
src.port.number principal.port
osSrc.process.cmdline principal.process_ancestors.command_line
osSrc.process.image.path principal.process_ancestors.file.full_path
osSrc.process.image.md5 principal.process_ancestors.file.md5 If the osSrc.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.image.md5 log field is mapped to the principal.process_ancestors.file.md5 UDM field.
osSrc.process.name principal.process_ancestors.file.names
osSrc.process.image.sha1 principal.process_ancestors.file.sha1 If the osSrc.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.image.sha1 log field is mapped to the principal.process_ancestors.file.sha1 UDM field.
osSrc.process.image.sha256 principal.process_ancestors.file.sha256 If the osSrc.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.image.sha256 log field is mapped to the principal.process_ancestors.file.sha256 UDM field.
osSrc.process.parent.cmdline principal.process_ancestors.parent_process.command_line
osSrc.process.parent.image.path principal.process_ancestors.parent_process.file.full_path
osSrc.process.parent.image.md5 principal.process_ancestors.parent_process.file.md5 If the osSrc.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.parent.image.md5 log field is mapped to the principal.process_ancestors.parent_process.file.md5 UDM field.
osSrc.process.parent.name principal.process_ancestors.parent_process.file.names
osSrc.process.parent.image.sha1 principal.process_ancestors.parent_process.file.sha1 If the osSrc.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.parent.image.sha1 log field is mapped to the principal.process_ancestors.parent_process.file.sha1 UDM field.
osSrc.process.parent.image.sha256 principal.process_ancestors.parent_process.file.sha256 If the osSrc.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.parent.image.sha256 log field is mapped to the principal.process_ancestors.parent_process.file.sha256 UDM field.
osSrc.process.parent.pid principal.process_ancestors.parent_process.pid
osSrc.process.pid principal.process_ancestors.pid
principal.process_ancestors.product_specific_process_id If the osSrc.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.uid} log field is mapped to the principal.process_ancestors.product_specific_process_id UDM field.
src.process.cmdline principal.process.command_line
src.process.image.path principal.process.file.full_path
src.process.image.md5 principal.process.file.md5 If the src.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.image.md5 log field is mapped to the principal.process.file.md5 UDM field.
src.process.name principal.process.file.names
src.process.image.sha1 principal.process.file.sha1 If the src.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.image.sha1 log field is mapped to the principal.process.file.sha1 UDM field.
src.process.image.sha256 principal.process.file.sha256 If the src.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.image.sha256 log field is mapped to the principal.process.file.sha256 UDM field.
src.process.parent.cmdline principal.process.parent_process.command_line
src.process.parent.image.md5 principal.process.parent_process.file.md5 If the src.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.parent.image.md5 log field is mapped to the principal.process.parent_process.file.md5 UDM field.
src.process.parent.image.path principal.process.parent_process.file.full_path
src.process.parent.name principal.process.parent_process.file.names
src.process.parent.image.sha1 principal.process.parent_process.file.sha1 If the src.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.parent.image.sha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field.
src.process.parent.image.sha256 principal.process.parent_process.file.sha256 If the src.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.parent.image.sha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field.
src.process.parent.pid principal.process.parent_process.pid
principal.process_ancestors.parent_process.product_specific_process_id If the osSrc.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.parent.uid} log field is mapped to the principal.process_ancestors.parent_process.product_specific_process_id UDM field.
principal.process.parent_process.product_specific_process_id If the src.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.parent.uid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
src.process.pid principal.process.pid
osSrc.process.user principal.user.attribute.labels[os_src_process_user]
src.process.eUserUid principal.user.attribute.labels[src_process_e_user_uid]
src.process.lUserName principal.user.attribute.labels[src_process_l_user_name]
src.process.parent.eUserUid principal.user.attribute.labels[src_process_parent_e_user_uid]
src.process.parent.lUserUid principal.user.attribute.labels[src_process_parent_l_user_uid]
src.process.parent.rUserUid principal.user.attribute.labels[src_process_parent_r_user_uid]
src.process.rUserName principal.user.attribute.labels[src_process_r_user_name]
src.process.rUserUid principal.user.attribute.labels[src_process_r_user_uid]
src.process.eUserName principal.user.attribute.labels[src_process_e_user_name]
src.process.parent.eUserName principal.user.attribute.labels[src_process_parent_e_user_name]
src.process.parent.lUserName principal.user.attribute.labels[src_process_parent_l_user_name]
src.process.parent.rUserName principal.user.attribute.labels[src_process_parent_r_user_name]
osSrc.process.parent.user principal.user.attribute.labels[os_src_process_parent_user]
src.process.parent.user principal.user.attribute.labels[src_process_parent_user]
src.process.user principal.user.userid
tiIndicator.value security_result.about.file.md5 If the tiIndicator.type log field value is equal to Md5, then the tiIndicator.value log field is mapped to the security_result.about.file.md5 UDM field.
tiIndicator.value security_result.about.file.sha1 If the tiIndicator.type log field value is equal to Sha1, then the tiIndicator.value log field is mapped to the security_result.about.file.sha1 UDM field.
tiIndicator.value security_result.about.ip If the tiIndicator.type log field value contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.ip UDM field.
  • IPv4
  • IPV6
tiIndicator.value security_result.about.labels[tiIndicator.value] (deprecated) If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.labels UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value additional.fields[tiIndicator.value] If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the additional.fields UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value network.dns.questions.name If the tiIndicator.type log field value is equal to DNS, then the tiIndicator.value log field is mapped to the network.dns.questions.name UDM field.
tiIndicator.value security_result.about.url If the tiIndicator.type log field value is equal to URL, then the tiIndicator.value log field is mapped to the security_result.about.url UDM field.
winEventLog.providerName security_result.about.resource.attribute.labels[win_event_log_provider_name]
tiIndicator.addedBy security_result.about.user.email_addresses
tiIndicator.threatActors security_result.about.user.email_addresses
security_result.action If the event.login.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, if the event.login.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.

If the event.network.connectionStatus log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW.

Else, if the event.network.connectionStatus log field value is equal to FAILURE, then the security_result.action UDM field is set to FAIL.

Else, if the event.network.connectionStatus log field value is equal to BLOCKED, then the security_result.action UDM field is set to BLOCK.
event.network.connectionStatus security_result.action_details
tiIndicator.mitreTactics security_result.attack_details.tactics.name
security_result.category If the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
  • malicious
  • Ransomware
  • OSX.Malware
  • Linux.Malware
  • Malware
  • Manual
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
  • Lateral Movement
  • Remote shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
  • miner
  • Trojan
  • Virus
  • Malicious Office Document
  • Malicious PDF
  • Worm
  • Rootkit
  • Infostealer
  • Generic.Heuristic
  • Downloader
  • Backdoor
  • Hacktool
  • Browser
  • Dialer
  • Installer
  • Packed
  • Network
  • Spyware
  • Interactive shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_PUA.
  • Adware
  • PUA
Else, if the indicator.category log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
security_result.category If the tiIndicator.categories log field value matches the regular expression pattern malware, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
indicator.category security_result.category_details
tiIndicator.categories security_result.category_details
indicator.description security_result.description
event.login.failureReason security_result.description
tiIndicator.description security_result.descripton
indicator.metadata security_result.detection_fields [indicator_metadata]
indicator.name security_result.detection_fields [indicator_name]
tiIndicator.comparisonMethod security_result.detection_fields [ti_indicator_comparison_method]
tiIndicator.creationTime security_result.detection_fields [ti_indicator_creation_time]
tiIndicator.externalId security_result.detection_fields [ti_indicator_external_id]
tiIndicator.metadata security_result.detection_fields [ti_indicator_metadata]
tiIndicator.modificationTime security_result.detection_fields [ti_indicator_modification_time]
tiindicator.originalEvent.id security_result.detection_fields [ti_indicator_original_event_id]
tiindicator.originalEvent.index security_result.detection_fields [ti_indicator_original_event_index]
tiindicator.originalEvent.time security_result.detection_fields [ti_indicator_original_event_time]
tiindicator.originalEvent.traceId security_result.detection_fields [ti_indicator_original_event_trace_id]
tiIndicator.references security_result.detection_fields [ti_indicator_references]
tiIndicator.intrusionSets security_result.detection_fields [ti_indicator_tiIndicator_intrusion_sets]
tiIndicator.type security_result.detection_fields [ti_indicator_type]
tiIndicator.uid security_result.detection_fields [ti_indicator_uid]
tiIndicator.uploadTime security_result.detection_fields [ti_indicator_upload_time]
tiIndicator.validUntil security_result.detection_fields [ti_indicator_valid_until]
osSrc.process.parent.reasonSignatureInvalid security_result.detection_fields[os_src_process_parent_reason_signature_invalid]
osSrc.process.reasonSignatureInvalid security_result.detection_fields[os_src_process_reason_signature_invalid]
tgt.process.reasonSignatureInvalid security_result.detection_fields[tgt_process_reason_signature_invalid]
security_result.severity If the winEventLog.level log field value matches the regular expression pattern ^(INFO|Informational|Information|Normal|NOTICE)$, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the winEventLog.level log field value contain one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL.
  • Warning
  • DEBUG
Else, if the winEventLog.level log field value matches the regular expression pattern Error, then the security_result.severity UDM field is set to ERROR.

Else, if the winEventLog.level log field value matches the regular expression pattern Critical, then the security_result.severity UDM field is set to CRITICAL.
winEventLog.level security_result.severity_details
tiIndicator.name security_result.threat_name
tiIndicator.source security_result.threat_feed_name
tgt.file.oldPath src.file.full_path
tgt.file.oldMd5 src.file.md5 If the tgt.file.oldMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.oldMd5 log field is mapped to the src.file.md5 UDM field.
driver.peSha1 target.process.file.sha1 If the driver.peSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the driver.peSha1 log field is mapped to the target.process.file.sha1 UDM field.
tgt.file.oldSha1 src.file.sha1 If the tgt.file.oldSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.oldSha1 log field is mapped to the src.file.sha1 UDM field.
driver.peSha256 target.process.file.sha256 If the driver.peSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the driver.peSha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.file.oldSha256 src.file.sha256 If the tgt.file.oldSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.oldSha256 log field is mapped to the src.file.sha256 UDM field.
driver.certificate.thumbprintAlgorithm target.labels[driver_certificate_thumbprint_algorithm] (deprecated)
driver.certificate.thumbprintAlgorithm additional.fields[driver_certificate_thumbprint_algorithm]
driver.certificate.thumbprint target.labels[driver_certificate_thumbprint] (deprecated)
driver.certificate.thumbprint additional.fields[driver_certificate_thumbprint]
driver.isLoadedBeforeMonitor target.labels[driver_is_loaded_before_monitor] (deprecated)
driver.isLoadedBeforeMonitor additional.fields[driver_is_loaded_before_monitor]
driver.loadVerdict target.labels[driver_load_verdict] (deprecated)
driver.loadVerdict additional.fields[driver_load_verdict]
driver.startType target.labels[driver_start_type] (deprecated)
driver.startType additional.fields[driver_start_type]
registry.oldValueFullSize src.labels[registry_old_value_full_size] (deprecated)
registry.oldValueFullSize additional.fields[registry_old_value_full_size]
registry.oldValueIsComplete src.labels[registry_old_valueIs_complete] (deprecated)
registry.oldValueIsComplete additional.fields[registry_old_valueIs_complete]
registry.oldValue src.registry.registry_value_data
registry.oldValueType src.registry.registry_value_name
tgt.file.location target.labels[tgt_file_location] (deprecated)
tgt.file.location additional.fields[tgt_file_location]
cmdScript.applicationName target.application
event.login.accountDomain target.domain.name
tgt.file.path target.file.full_path
tgt.file.modificationTime target.file.last_modification_time
tgt.file.md5 target.file.md5 If the tgt.file.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.md5 log field is mapped to the target.file.md5 UDM field.
tgt.file.extension target.file.mime_type
tgt.file.id target.file.names
tgt.file.internalName target.file.names
tgt.file.sha1 target.file.sha1 If the tgt.file.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.sha1 log field is mapped to the target.file.sha1 UDM field.
tgt.file.sha256 target.file.sha256 If the tgt.file.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.sha256 log field is mapped to the target.file.sha256 UDM field.
tgt.file.size target.file.size
target.file.file_type If the tgt.file.type log field value is equal to PE, then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.

Else, if the tgt.file.type log field value is equal to ELF, then the target.file.file_type UDM field is set to FILE_TYPE_ELF.

Else, if the tgt.file.type log field value is equal to MACH, then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.

Else, if the tgt.file.type log field value is equal to PDF, then the target.file.file_type UDM field is set to FILE_TYPE_PDF.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to OPENXML, then the target.file.file_type UDM field is set to FILE_TYPE_XML.

Else, if the tgt.file.type log field value is equal to PKZIP, then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.

Else, if the tgt.file.type log field value is equal to RAR, then the target.file.file_type UDM field is set to FILE_TYPE_RAR.

Else, if the tgt.file.type log field value is equal to BZIP2, then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.

Else, if the tgt.file.type log field value is equal to TAR, then the target.file.file_type UDM field is set to FILE_TYPE_TAR.

Else, if the tgt.file.type log field value is equal to LNK, then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
url.address target.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
url.address target.asset.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
dst.ip.address target.ip
cmdScript.isComplete target.labels[cmd_script_is_complete] (deprecated)
cmdScript.isComplete additional.fields[cmd_script_is_complete]
registry.keyUid target.labels[registry_key_uid] (deprecated)
registry.keyUid additional.fields[registry_key_uid]
registry.valueFullSize target.labels[registry_value_full_size] (deprecated)
registry.valueFullSize additional.fields[registry_value_full_size]
registry.valueIsComplete target.labels[registry_value_is_complete] (deprecated)
registry.valueIsComplete additional.fields[registry_value_is_complete]
tgt.file.convictedBy target.labels[tgt_file_convicted_by] (deprecated)
tgt.file.convictedBy additional.fields[tgt_file_convicted_by]
tgt.file.creationTime target.labels[tgt_file_creation_time] (deprecated)
tgt.file.creationTime additional.fields[tgt_file_creation_time]
tgt.file.description target.labels[tgt_file_description] (deprecated)
tgt.file.description additional.fields[tgt_file_description]
tgt.file.isExecutable target.labels[tgt_file_is_executable] (deprecated)
tgt.file.isExecutable additional.fields[tgt_file_is_executable]
tgt.file.isSigned target.labels[tgt_file_is_signed] (deprecated)
tgt.file.isSigned additional.fields[tgt_file_is_signed]
tgt.process.accessRights target.labels[tgt_process_access_rights] (deprecated)
tgt.process.accessRights additional.fields[tgt_process_access_rights]
tgt.process.activeContent.hash target.labels[tgt_process_active_content_hash] (deprecated)
tgt.process.activeContent.hash additional.fields[tgt_process_active_content_hash]
tgt.process.activeContent.id target.labels[tgt_process_active_content_id] (deprecated)
tgt.process.activeContent.id additional.fields[tgt_process_active_content_id]
tgt.process.activeContent.path target.labels[tgt_process_active_content_path] (deprecated)
tgt.process.activeContent.path additional.fields[tgt_process_active_content_path]
tgt.process.activeContent.signedStatus target.labels [tgt_process_active_content_signed_status] (deprecated)
tgt.process.activeContent.signedStatus additional.fields [tgt_process_active_content_signed_status]
tgt.process.activeContentType target.labels[tgt_process_active_content_type] (deprecated)
tgt.process.activeContentType additional.fields[tgt_process_active_content_type]
tgt.process.displayName target.labels[tgt_process_display_name] (deprecated)
tgt.process.displayName additional.fields[tgt_process_display_name]
tgt.process.image.binaryIsExecutable target.labels[tgt_process_image_binary_is_executable] (deprecated)
tgt.process.image.binaryIsExecutable additional.fields[tgt_process_image_binary_is_executable]
tgt.process.integrityLevel target.labels[tgt_process_integrity_level] (deprecated)
tgt.process.integrityLevel additional.fields[tgt_process_integrity_level]
tgt.process.isNative64Bit target.labels[tgt_process_is_native_64_bit] (deprecated)
tgt.process.isNative64Bit additional.fields[tgt_process_is_native_64_bit]
tgt.process.isRedirectCmdProcessor target.labels[tgt_process_is_redirect_cmd_processor] (deprecated)
tgt.process.isRedirectCmdProcessor additional.fields[tgt_process_is_redirect_cmd_processor]
tgt.process.isStorylineRoot target.labels[tgt_process_is_storyline_root] (deprecated)
tgt.process.isStorylineRoot additional.fields[tgt_process_is_storyline_root]
tgt.process.publisher target.labels[tgt_process_publisher] (deprecated)
tgt.process.publisher additional.fields[tgt_process_publisher]
tgt.process.relation target.labels[tgt_process_relation] (deprecated)
tgt.process.relation additional.fields[tgt_process_relation]
tgt.process.sessionId target.labels[tgt_process_session_id] (deprecated)
tgt.process.sessionId additional.fields[tgt_process_session_id]
tgt.process.signedStatus target.process.file.signature_info.sigcheck.verification_message
tgt.process.startTime target.labels[tgt_process_start_time] (deprecated)
tgt.process.startTime additional.fields[tgt_process_start_time]
tgt.process.storyline.id target.labels[tgt_process_storyline_id] (deprecated)
tgt.process.storyline.id additional.fields[tgt_process_storyline_id]
tgt.process.subsystem target.labels[tgt_process_subsystem] (deprecated)
tgt.process.subsystem additional.fields[tgt_process_subsystem]
tgt.process.verifiedStatus target.labels[tgt_process_verified_status] (deprecated)
tgt.process.verifiedStatus additional.fields[tgt_process_verified_status]
dst.port.number target.port
cmdScript.content target.process.command_line
tgt.process.cmdline target.process.command_line
tgt.process.image.path target.process.file.full_path
tgt.process.image.md5 target.process.file.md5 If the tgt.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.process.image.md5 log field is mapped to the target.process.file.md5 UDM field.
tgt.process.name target.process.file.names
tgt.process.image.sha1 target.process.file.sha1 If the tgt.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.process.image.sha1 log field is mapped to the target.process.file.sha1 UDM field.
cmdScript.sha256 target.process.file.sha256 If the cmdScript.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the cmdScript.sha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.process.image.sha256 target.process.file.sha256 If the tgt.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.process.image.sha256 log field is mapped to the target.process.file.sha256 UDM field.
cmdScript.originalSize target.process.file.size
tgt.process.pid target.process.pid
target.process.product_specific_process_id If the tgt.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{tgt.process.uid} log field is mapped to the target.process.product_specific_process_id UDM field.
registry.keyPath target.registry.registry_key
registry.value target.registry.registry_value_data
registry.valueType target.registry.registry_value_name
k8sCluster.namespaceLabels target.resource_ancestors.attribute.labels[k8s_cluster_namespace_labels]
k8sCluster.namespace target.resource_ancestors.attribute.labels[k8s_cluster_namespace]
k8sCluster.name target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerName target.resource_ancestors.name
k8sCluster.controllerLabels target.resource_ancestors.attribute.labels[k8s_cluster_controller_labels]
target.resource_ancestors.resource_type If the k8sCluster.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerType target.resource_ancestors.resource_subtype
k8sCluster.podName target.resource_ancestors.name
k8sCluster.podLabels target.resource_ancestors.attribute.labels[k8s_cluster_pod_labels]
target.resource_ancestors.resource_type If the k8sCluster.podName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.
k8sCluster.nodeName target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_subtype If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to NODE.
k8sCluster.containerName target.resource.name
k8sCluster.containerId target.resource.product_object_id
target.resource.resource_type If the k8sCluster.containerName log field value is not empty or the k8sCluster.containerId log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER.
k8sCluster.containerImage.sha256 target.resource.attribute.labels[k8s_cluster_container_image_sha256]
k8sCluster.containerImage target.resource.attribute.labels[k8s_cluster_container_image]
k8sCluster.containerLabels target.resource.attribute.labels[k8s_cluster_container_labels]
namedPipe.name target.resource.name
namedPipe.accessMode target.resource.attribute.permission.name
namedPipe.connectionType target.resource.attribute.labels[named_pipe_connection_type]
namedPipe.isFirstInstance target.resource.attribute.labels[named_pipe_is_first_instance]
namedPipe.isOverlapped target.resource.attribute.labels[named_pipe_is_overlapped]
namedPipe.isWriteThrough target.resource.attribute.labels[named_pipe_is_write_through]
namedPipe.maxInstances target.resource.attribute.labels[named_pipe_max_instances]
namedPipe.readMode target.resource.attribute.labels[named_pipe_read_mode]
namedPipe.remoteClients target.resource.attribute.labels[named_pipe_remote_clients]
namedPipe.securityGroups target.resource.attribute.labels[named_pipe_security_groups]
namedPipe.securityOwner target.resource.attribute.labels[named_pipe_security_owner]
namedPipe.typeMode target.resource.attribute.labels[named_pipe_type_mode]
namedPipe.waitMode target.resource.attribute.labels[named_pipe_wait_mode]
task.name target.resource.name
task.path target.resource.attribute.labels[task_path]
target.resource.resource_type If the event.category log field value is equal to scheduled_task, then the target.resource.resource_type UDM field is set to TASK.

If the event.type log field value contain one of the following values, then the target.resource.resource_type UDM field is set to PIPE.
  • Named Pipe Creation
  • Named Pipe Connection
url.address target.url
tgt.process.eUserName target.user.attribute.labels[tgt_process_e_user_name]
tgt.process.eUserUid target.user.attribute.labels[tgt_process_e_user_uid]
tgt.process.lUserName target.user.attribute.labels[tgt_process_l_user_name]
tgt.process.lUserUid target.user.attribute.labels[tgt_process_l_user_uid]
tgt.process.rUserName target.user.attribute.labels[tgt_process_r_user_name]
tgt.process.rUserUid target.user.attribute.labels[tgt_process_r_user_uid]
tgt.process.user target.user.userid
event.login.accountName target.user.user_display_name
target.user.user_role If the event.login.isAdministratorEquivalent log field value is equal to true, then the target.user.user_role UDM field is set to ADMINISTRATOR.
event.login.userName target.user.userid
event.login.accountSid target.user.windows_sid
module.path target.process.file.full_path
module.md5 target.process.file.md5 If the module.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the module.md5 log field is mapped to the target.process.file.md5 UDM field.
module.sha1 target.process.file.sha1 If the module.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the module.sha1 log field is mapped to the target.process.file.sha1 UDM field.
mgmt.url about.url
dataSource.category about.labels[data_source_category] (deprecated)
dataSource.category additional.fields[data_source_category]
dataSource.name about.labels[data_source_name] (deprecated)
dataSource.name additional.fields[data_source_name]
dataSource.vendor about.labels[data_source_vendor] (deprecated)
dataSource.vendor additional.fields[data_source_vendor]
event.category about.labels[event_category] (deprecated)
event.category additional.fields[event_category]
event.login.baseType about.labels[event_login_base_type] (deprecated)
event.login.baseType additional.fields[event_login_base_type]
event.network.protocolName about.labels[event_network_protocol_name] (deprecated)
event.network.protocolName additional.fields[event_network_protocol_name]
event.repetitionCount about.labels[event_repetition_count] (deprecated)
event.repetitionCount additional.fields[event_repetition_count]
event.login.isAdministratorEquivalent about.labels[event_login_is_administrator_equivalent] (deprecated)
event.login.isAdministratorEquivalent additional.fields[event_login_is_administrator_equivalent]
group.id about.labels[group_id] (deprecated) If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the about.labels UDM field.
group.id additional.fields[group_id] If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the additional.fields UDM field.
i.scheme about.labels[i_scheme] (deprecated)
i.scheme additional.fields[i_scheme]
i.version about.labels[i_version] (deprecated)
i.version additional.fields[i_version]
meta.event.name about.labels[meta_event_name] (deprecated)
meta.event.name additional.fields[meta_event_name]
mgmt.id about.labels[mgmt_id] (deprecated)
mgmt.id additional.fields[mgmt_id]
mgmt.osRevision about.labels[mgmt_os_revision] (deprecated)
mgmt.osRevision additional.fields[mgmt_os_revision]
packet.id about.labels[packet_id] (deprecated)
packet.id additional.fields[packet_id]
sca:atlantisIngestTime about.labels[sca_atlantis_ingest_time] (deprecated)
sca:atlantisIngestTime additional.fields[sca_atlantis_ingest_time]
sca:ingestTime about.labels[sca_ingest_time] (deprecated)
sca:ingestTime additional.fields[sca_ingest_time]
timestamp about.labels[timestamp] (deprecated)
timestamp additional.fields[timestamp]
trace.id about.labels[trace_id] (deprecated)
trace.id additional.fields[trace_id]
winEventLog.channel about.labels[win_event_log_channel] (deprecated)
winEventLog.channel additional.fields[win_event_log_channel]
winEventLog.description.additionalInformation about.labels[win_event_log_description_additional_information] (deprecated)
winEventLog.description.additionalInformation additional.fields[win_event_log_description_additional_information]
winEventLog.description.objectName about.labels[win_event_log_description_object_name] (deprecated)
winEventLog.description.objectName additional.fields[win_event_log_description_object_name]
winEventLog.description.objectServer about.labels[win_event_log_description_object_server] (deprecated)
winEventLog.description.objectServer additional.fields[win_event_log_description_object_server]
winEventLog.description.objectType about.labels[win_event_log_description_object_type] (deprecated)
winEventLog.description.objectType additional.fields[win_event_log_description_object_type]
winEventLog.description.operationType about.labels[win_event_log_description_operation_type] (deprecated)
winEventLog.description.operationType additional.fields[win_event_log_description_operation_type]
winEventLog.description.securityId about.labels[win_event_log_description_security_id] (deprecated)
winEventLog.description.securityId additional.fields[win_event_log_description_security_id]
winEventLog.description.userId about.labels[win_event_log_description_user_id] (deprecated)
winEventLog.description.userId additional.fields[win_event_log_description_user_id]
winEventLog.xml about.labels[win_event_log_xml] (deprecated)
winEventLog.xml additional.fields[win_event_log_xml]

¿Qué sigue?

¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.