收集 SentinelOne Cloud Funnel 日志

支持以下语言:

本文档介绍了如何通过设置 Google Security Operations Feed 来导出 SentinelOne Cloud Funnel 日志,以及日志字段如何映射到 Google Security Operations 统一数据模型 (UDM) 字段。

如需了解详情,请参阅 Google Security Operations 的数据注入概览

典型部署包括 SentinelOne Cloud Funnel 和配置为向 Google Security Operations 发送日志的 Google Security Operations Feed。每个客户部署都可能不同,并且可能更复杂。

该部署包含以下组件:

  • SentinelOne:您从中收集日志的平台。

  • Google Security Operations Feed:从 SentinelOne 提取日志并将日志写入 Google Security Operations 的 Google Security Operations Feed。

  • Google Security Operations:保留和分析日志。

提取标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 SENTINELONE_CF 提取标签的解析器。

准备工作

  • 确保您使用的是 SentinelOne Cloud Funnel v2.0。
  • 确保您有权访问 SentinelOne 控制台。
  • 请确保您拥有安装 SentinelOne 代理的管理员权限。如需获得管理员权限,请与您的管理员用户联系。

设置 SentinelOne Cloud Funnel

  1. 登录 SentinelOne 管理控制台。
  2. 设置工具栏中,点击集成 >云漏斗
  3. 云服务提供商列表中,选择 Google Cloud
  4. GCS Storage Name 字段中,输入 Cloud Storage 存储桶的名称。
  5. 点击验证以验证存储桶是否存在,以及 SentinelOne 是否拥有对该存储桶的读写权限。
  6. 选择启用遥测流式传输 (Enable Telemetry Streaming),以便将 XDR 数据流式传输到存储桶。

设置 Google Security Operations 注入 Feed

  1. 从 Google Security Operations 菜单中,选择设置
  2. 点击 Feed
  3. 点击新增
  4. 选择 Google Cloud Storage 作为来源类型
  5. 选择 SentinelOne Singularity Cloud Funnel 作为日志类型,为 SentinelOne Cloud Funnel 创建 Feed。
  6. 点击获取服务账号
  7. 点击下一步
  8. 配置以下输入参数:
    • Storage 存储桶 URI:Google Cloud Storage 存储桶来源 URI。
    • URI 是:URI 指向的对象类型。
    • 源删除选项:转移完成后是否删除文件或目录。
  9. 点击下一步,然后点击提交

如需详细了解 Google Security Operations Feed,请参阅 Google Security Operations Feed 文档。如需了解 Feed 类型,请参阅按类型配置 Feed。 如果您在创建 Feed 时遇到问题,请与 Google Security Operations 支持团队联系。

支持的 SentinelOne Cloud Funnel 日志类型

SentinelOne Cloud Funnel 解析器支持以下日志类型:

Event Type

  • Process Exit
  • Process Modification
  • Process Creation
  • Duplicate Process Handle
  • Duplicate Thread Handle
  • Open Remote Process Handle
  • Remote Thread Creation
  • Remote Process Termination
  • Command Script
  • IP Connect
  • IP Listen
  • File Modification
  • File Creation
  • File Scan
  • File Deletion
  • File Rename
  • Pre Execution Detection
  • Login
  • Logout
  • GET
  • OPTIONS
  • POST
  • PUT
  • DELETE
  • CONNECT
  • HEAD
  • DNS Resolved
  • DNS Unresolved
  • Task Register
  • Task Update
  • Task Start
  • Task Trigger
  • Task Delete
  • Registry Key Create
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Key Import
  • Registry Value Modified
  • Registry Value Create
  • Registry Value Delete
  • Behavioral Indicators
  • Module Load
  • Driver Load
  • Not Reported
  • Group Creation
  • Firmware Test
  • Threat Intelligence Indicators
  • Named Pipe Creation
  • Named Pipe Connection
  • Windows Event Log Creation

字段映射参考文档

本部分介绍 Google Security Operations 解析器如何将 SentinelOne 字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。

字段映射参考文档:事件标识符到事件类型

下表列出了 SENTINELONE_CF 日志类型及其对应的 UDM 事件类型。
Event Identifier Event Type
Process Exit PROCESS_TERMINATION
Process Modification PROCESS_UNCATEGORIZED
Process Creation PROCESS_LAUNCH
Duplicate Process Handle PROCESS_UNCATEGORIZED
Duplicate Thread Handle PROCESS_UNCATEGORIZED
Open Remote Process Handle PROCESS_UNCATEGORIZED
Remote Thread Creation PROCESS_UNCATEGORIZED
Remote Process Termination PROCESS_TERMINATION
Command Script PROCESS_UNCATEGORIZED
IP Connect NETWORK_CONNECTION
IP Listen STATUS_UPDATE
File Modification FILE_MODIFICATION
File Creation FILE_CREATION
File Scan SCAN_FILE
File Deletion FILE_DELETION
File Rename FILE_MOVE
Pre Execution Detection STATUS_UPDATE
Login USER_LOGIN
Logout USER_LOGOUT
GET NETWORK_HTTP
OPTIONS NETWORK_HTTP
POST NETWORK_HTTP
PUT NETWORK_HTTP
DELETE NETWORK_HTTP
CONNECT NETWORK_HTTP
HEAD NETWORK_HTTP
DNS Resolved NETWORK_DNS
DNS Unresolved NETWORK_DNS
Task Register SCHEDULED_TASK_CREATION
Task Update SCHEDULED_TASK_MODIFICATION
Task Start SCHEDULED_TASK_UNCATEGORIZED
Task Trigger SCHEDULED_TASK_UNCATEGORIZED
Task Delete SCHEDULED_TASK_DELETION
Registry Key Create REGISTRY_CREATION
Registry Key Rename REGISTRY_UNCATEGORIZED
Registry Key Delete REGISTRY_DELETION
Registry Key Export REGISTRY_UNCATEGORIZED
Registry Key Security Changed REGISTRY_MODIFICATION
Registry Key Import REGISTRY_UNCATEGORIZED
Registry Value Modified REGISTRY_MODIFICATION
Registry Value Create REGISTRY_CREATION
Registry Value Delete REGISTRY_DELETION
Behavioral Indicators STATUS_UPDATE
Module Load PROCESS_MODULE_LOAD
Driver Load PROCESS_MODULE_LOAD
Not Reported NETWORK_HTTP
Group Creation GROUP_CREATION
Firmware Test STATUS_UPDATE
Threat Intelligence Indicators STATUS_UPDATE
Named Pipe Creation RESOURCE_CREATION
Named Pipe Connection STATUS_UPDATE

字段映射参考:SENTINELONE_CF

下表列出了 SENTINELONE_CF 日志类型的日志字段及其对应的 UDM 字段。

Log field UDM mapping Logic
winEventLog.description about.labels[win_event_log_description] (deprecated)
winEventLog.description additional.fields[win_event_log_description]
event.time metadata.event_timestamp
winEventLog.creationDate about.labels[win_event_log_creation_date] (deprecated)
winEventLog.creationDate additional.fields[win_event_log_creation_date]
account.id metadata.product_deployment_id
event.type metadata.product_event_type
event.id metadata.product_log_id
winEventLog.id about.labels[win_event_log_id] (deprecated)
winEventLog.id additional.fields[win_event_log_id]
metadata.vendor_name The metadata.vendor_name UDM field is set to SentinelOne.
extensions.auth.auth_details If the event.type log field value contain one of the following values, then the event.type log field is mapped to the extensions.auth.auth_details UDM field.
  • Login
  • Logout
extensions.auth.mechanism If the event.login.type log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the event.login.type log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.

Else, if the event.login.type log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the event.login.type log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the event.login.type log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the event.login.type log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the event.login.type log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.

Else, if the event.login.type log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the event.login.type log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK.
network.application_protocol If the event.type log field value contain one of the following values, then the network.application_protocol UDM field is set to DNS.
  • DNS Resolved
  • DNS Unresolved
network.direction If the event.network.direction log field value is equal to OUTGOING, then the network.direction UDM field is set to OUTBOUND.

Else, if the event.network.direction log field value is equal to INCOMING, then the network.direction UDM field is set to INBOUND.
event.dns.response network.dns.answers.name
event.dns.response network.dns.answers.type
event.dns.request network.dns.questions.name
event.url.action network.http.method
event.login.sessionId network.session_id
agent.uuid principal.asset.asset_id
agent.uuid principal.asset_id
agent.version principal.asset.attribute.labels[agent_version]
winEventLog.description.accountDomain principal.labels[win_event_log_description_account_domain] (deprecated)
winEventLog.description.accountDomain additional.fields[win_event_log_description_account_domain]
principal.asset.platform_software.platform If the endpoint.os log field value is equal to windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the endpoint.os log field value is equal to linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
principal.asset.type If the endpoint.type log field value is equal to laptop, then the principal.asset.type UDM field is set to LAPTOP.

Else, if the endpoint.type log field value contain one of the following values, then the principal.asset.type UDM field is set to SERVER.
  • server
  • Kubernetes Node
Else, if the endpoint.type log field value is equal to desktop, then the principal.asset.type UDM field is set to WORKSTATION.
endpoint.name principal.hostname
endpoint.name principal.asset.hostname
src.endpoint.ip.address principal.ip
src.ip.address principal.ip
osSrc.process.activeContent.hash principal.labels[os_src_process_active_content_hash] (deprecated)
osSrc.process.activeContent.hash additional.fields[os_src_process_active_content_hash]
osSrc.process.activeContent.id principal.labels[os_src_process_active_content_id] (deprecated)
osSrc.process.activeContent.id additional.fields[os_src_process_active_content_id]
osSrc.process.activeContent.path principal.labels[os_src_process_active_content_path] (deprecated)
osSrc.process.activeContent.path additional.fields[os_src_process_active_content_path]
osSrc.process.activeContent.signedStatus principal.labels[os_src_process_active_content_signed_status] (deprecated)
osSrc.process.activeContent.signedStatus additional.fields[os_src_process_active_content_signed_status]
osSrc.process.activeContentType principal.labels[os_src_process_active_content_type] (deprecated)
osSrc.process.activeContentType additional.fields[os_src_process_active_content_type]
osSrc.process.childProcCount principal.labels[os_src_process_child_proc_count] (deprecated)
osSrc.process.childProcCount additional.fields[os_src_process_child_proc_count]
osSrc.process.crossProcessCount principal.labels[os_src_process_cross_process_count] (deprecated)
osSrc.process.crossProcessCount additional.fields[os_src_process_cross_process_count]
osSrc.process.crossProcessDupRemoteProcessHandleCount principal.labels[os_src_process_cross_process_dup_rmote_process_handle_count] (deprecated)
osSrc.process.crossProcessDupRemoteProcessHandleCount additional.fields[os_src_process_cross_process_dup_rmote_process_handle_count]
osSrc.process.crossProcessDupThreadHandleCount principal.labels[os_src_process_cross_process_dup_thread_handle_count] (deprecated)
osSrc.process.crossProcessDupThreadHandleCount additional.fields[os_src_process_cross_process_dup_thread_handle_count]
osSrc.process.crossProcessOpenProcessCount principal.labels[os_src_process_cross_process_open_process_count] (deprecated)
osSrc.process.crossProcessOpenProcessCount additional.fields[os_src_process_cross_process_open_process_count]
osSrc.process.crossProcessOutOfStorylineCount principal.labels[os_src_process_cross_process_out_of_storyline_count] (deprecated)
osSrc.process.crossProcessOutOfStorylineCount additional.fields[os_src_process_cross_process_out_of_storyline_count]
osSrc.process.crossProcessThreadCreateCount principal.labels[os_src_process_cross_process_thread_create_count] (deprecated)
osSrc.process.crossProcessThreadCreateCount additional.fields[os_src_process_cross_process_thread_create_count]
osSrc.process.displayName principal.labels[os_src_process_display_name] (deprecated)
osSrc.process.displayName additional.fields[os_src_process_display_name]
osSrc.process.dnsCount principal.labels[os_src_process_dns_count] (deprecated)
osSrc.process.dnsCount additional.fields[os_src_process_dns_count]
osSrc.process.image.binaryIsExecutable principal.labels[os_src_process_image_binary_is_executable] (deprecated)
osSrc.process.image.binaryIsExecutable additional.fields[os_src_process_image_binary_is_executable]
osSrc.process.indicatorBootConfigurationUpdateCount principal.labels[os_src_process_indicator_boot_configuration_update_count] (deprecated)
osSrc.process.indicatorBootConfigurationUpdateCount additional.fields[os_src_process_indicator_boot_configuration_update_count]
osSrc.process.indicatorEvasionCount principal.labels[os_src_process_indicator_evasion_count] (deprecated)
osSrc.process.indicatorEvasionCount additional.fields[os_src_process_indicator_evasion_count]
osSrc.process.indicatorExploitationCount principal.labels[os_src_process_indicator_exploitation_count] (deprecated)
osSrc.process.indicatorExploitationCount additional.fields[os_src_process_indicator_exploitation_count]
osSrc.process.indicatorGeneral.count principal.labels[os_src_process_indicator_general_count] (deprecated)
osSrc.process.indicatorGeneral.count additional.fields[os_src_process_indicator_general_count]
osSrc.process.indicatorInfostealerCount principal.labels[os_src_process_indicator_infostealer_count] (deprecated)
osSrc.process.indicatorInfostealerCount additional.fields[os_src_process_indicator_infostealer_count]
osSrc.process.indicatorInjectionCount principal.labels[os_src_process_indicator_injection_count] (deprecated)
osSrc.process.indicatorInjectionCount additional.fields[os_src_process_indicator_injection_count]
osSrc.process.indicatorPersistenceCount principal.labels[os_src_process_indicator_persistence_count] (deprecated)
osSrc.process.indicatorPersistenceCount additional.fields[os_src_process_indicator_persistence_count]
osSrc.process.indicatorPostExploitationCount principal.labels[os_src_process_indicator_post_exploitation_count] (deprecated)
osSrc.process.indicatorPostExploitationCount additional.fields[os_src_process_indicator_post_exploitation_count]
osSrc.process.indicatorRansomwareCount principal.labels[os_src_process_indicator_ransomware_count] (deprecated)
osSrc.process.indicatorRansomwareCount additional.fields[os_src_process_indicator_ransomware_count]
osSrc.process.indicatorReconnaissanceCount principal.labels[os_src_process_indicator_reconnaissance_count] (deprecated)
osSrc.process.indicatorReconnaissanceCount additional.fields[os_src_process_indicator_reconnaissance_count]
osSrc.process.integrityLevel principal.labels[os_src_process_integrity_level] (deprecated)
osSrc.process.integrityLevel additional.fields[os_src_process_integrity_level]
osSrc.process.isNative64Bit principal.labels[os_src_process_is_native_64_bit] (deprecated)
osSrc.process.isNative64Bit additional.fields[os_src_process_is_native_64_bit]
osSrc.process.isRedirectCmdProcessor principal.labels[os_src_process_is_redirect_cmd_processor] (deprecated)
osSrc.process.isRedirectCmdProcessor additional.fields[os_src_process_is_redirect_cmd_processor]
osSrc.process.isStorylineRoot principal.labels[os_src_process_is_storyline_root] (deprecated)
osSrc.process.isStorylineRoot additional.fields[os_src_process_is_storyline_root]
osSrc.process.moduleCount principal.labels[os_src_process_module_count] (deprecated)
osSrc.process.moduleCount additional.fields[os_src_process_module_count]
osSrc.process.netConnCount principal.labels[os_src_process_net_conn_count] (deprecated)
osSrc.process.netConnCount additional.fields[os_src_process_net_conn_count]
osSrc.process.netConnInCount principal.labels[os_src_process_net_conn_in_count] (deprecated)
osSrc.process.netConnInCount additional.fields[os_src_process_net_conn_in_count]
osSrc.process.netConnOutCount principal.labels[os_src_process_net_conn_out_count] (deprecated)
osSrc.process.netConnOutCount additional.fields[os_src_process_net_conn_out_count]
osSrc.process.parent.activeContent.hash principal.labels[os_src_process_parent_active_content_hash] (deprecated)
osSrc.process.parent.activeContent.hash additional.fields[os_src_process_parent_active_content_hash]
osSrc.process.parent.activeContent.id principal.labels[os_src_process_parent_active_content_id] (deprecated)
osSrc.process.parent.activeContent.id additional.fields[os_src_process_parent_active_content_id]
osSrc.process.parent.activeContent.path principal.labels[os_src_process_parent_active_content_path] (deprecated)
osSrc.process.parent.activeContent.path additional.fields[os_src_process_parent_active_content_path]
osSrc.process.parent.activeContent.signedStatus principal.labels[os_src_process_parent_active_content_signed_status] (deprecated)
osSrc.process.parent.activeContent.signedStatus additional.fields[os_src_process_parent_active_content_signed_status]
osSrc.process.parent.activeContentType principal.labels[os_src_process_parent_active_content_type] (deprecated)
osSrc.process.parent.activeContentType additional.fields[os_src_process_parent_active_content_type]
osSrc.process.parent.displayName principal.labels[os_src_process_parent_display_name] (deprecated)
osSrc.process.parent.displayName additional.fields[os_src_process_parent_display_name]
osSrc.process.parent.integrityLevel principal.labels[os_src_process_parent_integrity_level] (deprecated)
osSrc.process.parent.integrityLevel additional.fields[os_src_process_parent_integrity_level]
osSrc.process.parent.isNative64Bit principal.labels[os_src_process_parent_is_native_64_bit] (deprecated)
osSrc.process.parent.isNative64Bit additional.fields[os_src_process_parent_is_native_64_bit]
osSrc.process.parent.isRedirectCmdProcessor principal.labels[os_src_process_parent_is_redirect_cmd_processor] (deprecated)
osSrc.process.parent.isRedirectCmdProcessor additional.fields[os_src_process_parent_is_redirect_cmd_processor]
osSrc.process.parent.isStorylineRoot principal.labels[os_src_process_parent_is_storyline_root] (deprecated)
osSrc.process.parent.isStorylineRoot additional.fields[os_src_process_parent_is_storyline_root]
osSrc.process.parent.publisher principal.labels[os_src_process_parent_publisher] (deprecated)
osSrc.process.parent.publisher additional.fields[os_src_process_parent_publisher]
osSrc.process.parent.sessionId principal.labels[os_src_process_parent_session_id] (deprecated)
osSrc.process.parent.sessionId additional.fields[os_src_process_parent_session_id]
osSrc.process.parent.signedStatus principal.process_ancestors.parent_process.file.signature_info.sigcheck.verification_message
osSrc.process.parent.startTime principal.labels[os_src_process_parent_start_time] (deprecated)
osSrc.process.parent.startTime additional.fields[os_src_process_parent_start_time]
osSrc.process.parent.storyline.id principal.labels[os_src_process_parent_storyline_id] (deprecated)
osSrc.process.parent.storyline.id additional.fields[os_src_process_parent_storyline_id]
src.process.parent.storyline.id principal.labels[src_process_parent_storyline_id] (deprecated)
src.process.parent.storyline.id additional.fields[src_process_parent_storyline_id]
osSrc.process.publisher principal.labels[os_src_process_publisher] (deprecated)
osSrc.process.publisher additional.fields[os_src_process_publisher]
osSrc.process.registryChangeCount principal.labels[os_src_process_registry_change_count] (deprecated)
osSrc.process.registryChangeCount additional.fields[os_src_process_registry_change_count]
osSrc.process.sessionId principal.labels[os_src_process_session_id] (deprecated)
osSrc.process.sessionId additional.fields[os_src_process_session_id]
osSrc.process.signedStatus principal.process_ancestors.file.signature_info.sigcheck.verification_message
osSrc.process.startTime principal.labels[os_src_process_start_time] (deprecated)
osSrc.process.startTime additional.fields[os_src_process_start_time]
osSrc.process.storyline.id principal.labels[os_src_process_storyline_id] (deprecated)
osSrc.process.storyline.id additional.fields[os_src_process_storyline_id]
osSrc.process.subsystem principal.labels[os_src_process_subsystem] (deprecated)
osSrc.process.subsystem additional.fields[os_src_process_subsystem]
osSrc.process.tgtFileCreationCount principal.labels[os_src_process_tgt_file_creation_count] (deprecated)
osSrc.process.tgtFileCreationCount additional.fields[os_src_process_tgt_file_creation_count]
osSrc.process.tgtFileDeletionCount principal.labels[os_src_process_tgt_file_deletion_count] (deprecated)
osSrc.process.tgtFileDeletionCount additional.fields[os_src_process_tgt_file_deletion_count]
osSrc.process.tgtFileModificationCount principal.labels[os_src_process_tgt_file_modification_count] (deprecated)
osSrc.process.tgtFileModificationCount additional.fields[os_src_process_tgt_file_modification_count]
osSrc.process.verifiedStatus principal.labels[os_src_process_verified_status] (deprecated)
osSrc.process.verifiedStatus additional.fields[os_src_process_verified_status]
process.unique.key principal.labels[process_unique_key] (deprecated)
process.unique.key additional.fields[process_unique_key]
site.name principal.labels[site_name] (deprecated)
site.name additional.fields[site_name]
src.process.activeContent.hash principal.labels[src_process_active_content_hash] (deprecated)
src.process.activeContent.hash additional.fields[src_process_active_content_hash]
src.process.activeContent.id principal.labels[src_process_active_content_id] (deprecated)
src.process.activeContent.id additional.fields[src_process_active_content_id]
src.process.activeContent.path principal.labels[src_process_active_content_path] (deprecated)
src.process.activeContent.path additional.fields[src_process_active_content_path]
src.process.activeContent.signedStatus principal.labels[src_process_active_content_signed_status] (deprecated)
src.process.activeContent.signedStatus additional.fields[src_process_active_content_signed_status]
src.process.activeContentType principal.labels[src_process_active_content_type] (deprecated)
src.process.activeContentType additional.fields[src_process_active_content_type]
src.process.childProcCount principal.labels[src_process_child_proc_count] (deprecated)
src.process.childProcCount additional.fields[src_process_child_proc_count]
src.process.crossProcessCount principal.labels[src_process_cross_process_count] (deprecated)
src.process.crossProcessCount additional.fields[src_process_cross_process_count]
src.process.crossProcessDupRemoteProcessHandleCount principal.labels[src_process_cross_process_dup_remote_process_handle_count] (deprecated)
src.process.crossProcessDupRemoteProcessHandleCount additional.fields[src_process_cross_process_dup_remote_process_handle_count]
src.process.crossProcessDupThreadHandleCount principal.labels[src_process_cross_process_dup_thread_handle_count] (deprecated)
src.process.crossProcessDupThreadHandleCount additional.fields[src_process_cross_process_dup_thread_handle_count]
src.process.crossProcessOpenProcessCount principal.labels[src_process_cross_process_open_process_count] (deprecated)
src.process.crossProcessOpenProcessCount additional.fields[src_process_cross_process_open_process_count]
src.process.crossProcessOutOfStorylineCount principal.labels[src_process_cross_process_out_of_storyline_count] (deprecated)
src.process.crossProcessOutOfStorylineCount additional.fields[src_process_cross_process_out_of_storyline_count]
src.process.crossProcessThreadCreateCount principal.labels[src_process_cross_process_thread_create_count] (deprecated)
src.process.crossProcessThreadCreateCount additional.fields[src_process_cross_process_thread_create_count]
src.process.displayName principal.labels[src_process_display_name] (deprecated)
src.process.displayName additional.fields[src_process_display_name]
src.process.dnsCount principal.labels[src_process_dns_count] (deprecated)
src.process.dnsCount additional.fields[src_process_dns_count]
src.process.image.binaryIsExecutable principal.labels[src_process_image_binary_is_executable] (deprecated)
src.process.image.binaryIsExecutable additional.fields[src_process_image_binary_is_executable]
src.process.indicatorBootConfigurationUpdateCount principal.labels[src_process_indicator_boot_configuration_update_count] (deprecated)
src.process.indicatorBootConfigurationUpdateCount additional.fields[src_process_indicator_boot_configuration_update_count]
src.process.indicatorEvasionCount principal.labels[src_process_indicator_evasion_count] (deprecated)
src.process.indicatorEvasionCount additional.fields[src_process_indicator_evasion_count]
src.process.indicatorExploitationCount principal.labels[src_process_indicator_exploitation_count] (deprecated)
src.process.indicatorExploitationCount additional.fields[src_process_indicator_exploitation_count]
src.process.indicatorGeneralCount principal.labels[src_process_indicator_general_count] (deprecated)
src.process.indicatorGeneralCount additional.fields[src_process_indicator_general_count]
src.process.indicatorInfostealerCount principal.labels[src_process_indicator_infostealer_count] (deprecated)
src.process.indicatorInfostealerCount additional.fields[src_process_indicator_infostealer_count]
src.process.indicatorInjectionCount principal.labels[src_process_indicator_injection_count] (deprecated)
src.process.indicatorInjectionCount additional.fields[src_process_indicator_injection_count]
src.process.indicatorPersistenceCount principal.labels[src_process_indicator_persistence_count] (deprecated)
src.process.indicatorPersistenceCount additional.fields[src_process_indicator_persistence_count]
src.process.indicatorPostExploitationCount principal.labels[src_process_indicator_post_exploitation_count] (deprecated)
src.process.indicatorPostExploitationCount additional.fields[src_process_indicator_post_exploitation_count]
src.process.indicatorRansomwareCount principal.labels[src_process_indicator_ransomware_count] (deprecated)
src.process.indicatorRansomwareCount additional.fields[src_process_indicator_ransomware_count]
src.process.indicatorReconnaissanceCount principal.labels[src_process_indicator_reconnaissance_count] (deprecated)
src.process.indicatorReconnaissanceCount additional.fields[src_process_indicator_reconnaissance_count]
src.process.integrityLevel principal.labels[src_process_integrity_level] (deprecated)
src.process.integrityLevel additional.fields[src_process_integrity_level]
src.process.isNative64Bit principal.labels[src_process_is_native_64_bit] (deprecated)
src.process.isNative64Bit additional.fields[src_process_is_native_64_bit]
src.process.isRedirectCmdProcessor principal.labels[src_process_is_redirect_cmd_processor] (deprecated)
src.process.isRedirectCmdProcessor additional.fields[src_process_is_redirect_cmd_processor]
src.process.isStorylineRoot principal.labels[src_process_is_storyline_root] (deprecated)
src.process.isStorylineRoot additional.fields[src_process_is_storyline_root]
src.process.lUserUid principal.labels[src_process_l_user_uid] (deprecated)
src.process.lUserUid additional.fields[src_process_l_user_uid]
src.process.moduleCount principal.labels[src_process_module_count] (deprecated)
src.process.moduleCount additional.fields[src_process_module_count]
src.process.netConnCount principal.labels[src_process_net_conn_count] (deprecated)
src.process.netConnCount additional.fields[src_process_net_conn_count]
src.process.netConnInCount principal.labels[src_process_net_conn_in_count] (deprecated)
src.process.netConnInCount additional.fields[src_process_net_conn_in_count]
src.process.netConnOutCount principal.labels[src_process_net_conn_out_count] (deprecated)
src.process.netConnOutCount additional.fields[src_process_net_conn_out_count]
src.process.parent.activeContent.hash principal.labels[src_process_parent_active_content_hash] (deprecated)
src.process.parent.activeContent.hash additional.fields[src_process_parent_active_content_hash]
src.process.parent.activeContent.id principal.labels[src_process_parent_active_content_id] (deprecated)
src.process.parent.activeContent.id additional.fields[src_process_parent_active_content_id]
src.process.parent.activeContent.path principal.labels[src_process_parent_active_content_path] (deprecated)
src.process.parent.activeContent.path additional.fields[src_process_parent_active_content_path]
src.process.parent.activeContent.signedStatus principal.labels[src_process_parent_active_content_signed_status] (deprecated)
src.process.parent.activeContent.signedStatus additional.fields[src_process_parent_active_content_signed_status]
src.process.parent.activeContentType principal.labels[src_process_parent_active_content_type] (deprecated)
src.process.parent.activeContentType additional.fields[src_process_parent_active_content_type]
src.process.parent.displayName principal.labels[src_process_parent_display_name] (deprecated)
src.process.parent.displayName additional.fields[src_process_parent_display_name]
src.process.parent.integrityLevel principal.labels[src_process_parent_integrity_level] (deprecated)
src.process.parent.integrityLevel additional.fields[src_process_parent_integrity_level]
src.process.parent.isNative64Bit principal.labels[src_process_parent_is_native_64_bit] (deprecated)
src.process.parent.isNative64Bit additional.fields[src_process_parent_is_native_64_bit]
src.process.parent.isRedirectCmdProcessor principal.labels[src_process_parent_is_redirect_cmd_processor] (deprecated)
src.process.parent.isRedirectCmdProcessor additional.fields[src_process_parent_is_redirect_cmd_processor]
src.process.parent.isStorylineRoot principal.labels[src_process_parent_is_storyline_root] (deprecated)
src.process.parent.isStorylineRoot additional.fields[src_process_parent_is_storyline_root]
src.process.parent.publisher principal.labels[src_process_parent_publisher] (deprecated)
src.process.parent.publisher additional.fields[src_process_parent_publisher]
src.process.parent.reasonSignatureInvalid principal.labels[src_process_parent_reason_signature_invalid] (deprecated)
src.process.parent.reasonSignatureInvalid additional.fields[src_process_parent_reason_signature_invalid]
src.process.parent.sessionId principal.labels[src_process_parent_session_id] (deprecated)
src.process.parent.sessionId additional.fields[src_process_parent_session_id]
src.process.parent.signedStatus principal.process.parent_process.file.signature_info.sigcheck.verification_message
src.process.parent.startTime principal.labels[src_process_parent_start_time] (deprecated)
src.process.parent.startTime additional.fields[src_process_parent_start_time]
src.process.parent.subsystem principal.labels[src_process_parent_subsystem] (deprecated)
src.process.parent.subsystem additional.fields[src_process_parent_subsystem]
src.process.publisher principal.labels[src_process_publisher] (deprecated)
src.process.publisher additional.fields[src_process_publisher]
src.process.reasonSignatureInvalid principal.labels[src_process_reason_signature_invalid] (deprecated)
src.process.reasonSignatureInvalid additional.fields[src_process_reason_signature_invalid]
src.process.registryChangeCount principal.labels[src_process_registry_change_count] (deprecated)
src.process.registryChangeCount additional.fields[src_process_registry_change_count]
src.process.rpid principal.labels[src_process_rpid] (deprecated)
src.process.rpid additional.fields[src_process_rpid]
src.process.sessionId principal.labels[src_process_session_id] (deprecated)
src.process.sessionId additional.fields[src_process_session_id]
src.process.signedStatus principal.process.file.signature_info.sigcheck.verification_message
src.process.startTime principal.labels[src_process_start_time] (deprecated)
src.process.startTime additional.fields[src_process_start_time]
src.process.storyline.id principal.labels[src_process_storyline_id] (deprecated)
src.process.storyline.id additional.fields[src_process_storyline_id]
src.process.subsystem principal.labels[src_process_subsystem] (deprecated)
src.process.subsystem additional.fields[src_process_subsystem]
src.process.tgtFileCreationCount principal.labels[src_process_tgt_file_creation_count] (deprecated)
src.process.tgtFileCreationCount additional.fields[src_process_tgt_file_creation_count]
src.process.tgtFileDeletionCount principal.labels[src_process_tgt_file_deletion_count] (deprecated)
src.process.tgtFileDeletionCount additional.fields[src_process_tgt_file_deletion_count]
src.process.tgtFileModificationCount principal.labels[src_process_tgt_file_modification_count] (deprecated)
src.process.tgtFileModificationCount additional.fields[src_process_tgt_file_modification_count]
src.process.tid principal.labels[src_process_tid] (deprecated)
src.process.tid additional.fields[src_process_tid]
principal.process.product_specific_process_id If the src.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.uid} log field is mapped to the principal.process.product_specific_process_id UDM field.
src.process.verifiedStatus principal.labels[src_process_verified_status] (deprecated)
src.process.verifiedStatus additional.fields[src_process_verified_status]
site.id principal.labels[site_id] (deprecated)
site.id additional.fields[site_id]
principal.platform If the os.name log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.

Else, if the os.name log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX.
src.port.number principal.port
osSrc.process.cmdline principal.process_ancestors.command_line
osSrc.process.image.path principal.process_ancestors.file.full_path
osSrc.process.image.md5 principal.process_ancestors.file.md5 If the osSrc.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.image.md5 log field is mapped to the principal.process_ancestors.file.md5 UDM field.
osSrc.process.name principal.process_ancestors.file.names
osSrc.process.image.sha1 principal.process_ancestors.file.sha1 If the osSrc.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.image.sha1 log field is mapped to the principal.process_ancestors.file.sha1 UDM field.
osSrc.process.image.sha256 principal.process_ancestors.file.sha256 If the osSrc.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.image.sha256 log field is mapped to the principal.process_ancestors.file.sha256 UDM field.
osSrc.process.parent.cmdline principal.process_ancestors.parent_process.command_line
osSrc.process.parent.image.path principal.process_ancestors.parent_process.file.full_path
osSrc.process.parent.image.md5 principal.process_ancestors.parent_process.file.md5 If the osSrc.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.parent.image.md5 log field is mapped to the principal.process_ancestors.parent_process.file.md5 UDM field.
osSrc.process.parent.name principal.process_ancestors.parent_process.file.names
osSrc.process.parent.image.sha1 principal.process_ancestors.parent_process.file.sha1 If the osSrc.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.parent.image.sha1 log field is mapped to the principal.process_ancestors.parent_process.file.sha1 UDM field.
osSrc.process.parent.image.sha256 principal.process_ancestors.parent_process.file.sha256 If the osSrc.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.parent.image.sha256 log field is mapped to the principal.process_ancestors.parent_process.file.sha256 UDM field.
osSrc.process.parent.pid principal.process_ancestors.parent_process.pid
osSrc.process.pid principal.process_ancestors.pid
principal.process_ancestors.product_specific_process_id If the osSrc.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.uid} log field is mapped to the principal.process_ancestors.product_specific_process_id UDM field.
src.process.cmdline principal.process.command_line
src.process.image.path principal.process.file.full_path
src.process.image.md5 principal.process.file.md5 If the src.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.image.md5 log field is mapped to the principal.process.file.md5 UDM field.
src.process.name principal.process.file.names
src.process.image.sha1 principal.process.file.sha1 If the src.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.image.sha1 log field is mapped to the principal.process.file.sha1 UDM field.
src.process.image.sha256 principal.process.file.sha256 If the src.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.image.sha256 log field is mapped to the principal.process.file.sha256 UDM field.
src.process.parent.cmdline principal.process.parent_process.command_line
src.process.parent.image.md5 principal.process.parent_process.file.md5 If the src.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.parent.image.md5 log field is mapped to the principal.process.parent_process.file.md5 UDM field.
src.process.parent.image.path principal.process.parent_process.file.full_path
src.process.parent.name principal.process.parent_process.file.names
src.process.parent.image.sha1 principal.process.parent_process.file.sha1 If the src.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.parent.image.sha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field.
src.process.parent.image.sha256 principal.process.parent_process.file.sha256 If the src.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.parent.image.sha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field.
src.process.parent.pid principal.process.parent_process.pid
principal.process_ancestors.parent_process.product_specific_process_id If the osSrc.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.parent.uid} log field is mapped to the principal.process_ancestors.parent_process.product_specific_process_id UDM field.
principal.process.parent_process.product_specific_process_id If the src.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.parent.uid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
src.process.pid principal.process.pid
osSrc.process.user principal.user.attribute.labels[os_src_process_user]
src.process.eUserUid principal.user.attribute.labels[src_process_e_user_uid]
src.process.lUserName principal.user.attribute.labels[src_process_l_user_name]
src.process.parent.eUserUid principal.user.attribute.labels[src_process_parent_e_user_uid]
src.process.parent.lUserUid principal.user.attribute.labels[src_process_parent_l_user_uid]
src.process.parent.rUserUid principal.user.attribute.labels[src_process_parent_r_user_uid]
src.process.rUserName principal.user.attribute.labels[src_process_r_user_name]
src.process.rUserUid principal.user.attribute.labels[src_process_r_user_uid]
src.process.eUserName principal.user.attribute.labels[src_process_e_user_name]
src.process.parent.eUserName principal.user.attribute.labels[src_process_parent_e_user_name]
src.process.parent.lUserName principal.user.attribute.labels[src_process_parent_l_user_name]
src.process.parent.rUserName principal.user.attribute.labels[src_process_parent_r_user_name]
osSrc.process.parent.user principal.user.attribute.labels[os_src_process_parent_user]
src.process.parent.user principal.user.attribute.labels[src_process_parent_user]
src.process.user principal.user.userid
tiIndicator.value security_result.about.file.md5 If the tiIndicator.type log field value is equal to Md5, then the tiIndicator.value log field is mapped to the security_result.about.file.md5 UDM field.
tiIndicator.value security_result.about.file.sha1 If the tiIndicator.type log field value is equal to Sha1, then the tiIndicator.value log field is mapped to the security_result.about.file.sha1 UDM field.
tiIndicator.value security_result.about.ip If the tiIndicator.type log field value contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.ip UDM field.
  • IPv4
  • IPV6
tiIndicator.value security_result.about.labels[tiIndicator.value] (deprecated) If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.labels UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value additional.fields[tiIndicator.value] If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the additional.fields UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value network.dns.questions.name If the tiIndicator.type log field value is equal to DNS, then the tiIndicator.value log field is mapped to the network.dns.questions.name UDM field.
tiIndicator.value security_result.about.url If the tiIndicator.type log field value is equal to URL, then the tiIndicator.value log field is mapped to the security_result.about.url UDM field.
winEventLog.providerName security_result.about.resource.attribute.labels[win_event_log_provider_name]
tiIndicator.addedBy security_result.about.user.email_addresses
tiIndicator.threatActors security_result.about.user.email_addresses
security_result.action If the event.login.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, if the event.login.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.

If the event.network.connectionStatus log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW.

Else, if the event.network.connectionStatus log field value is equal to FAILURE, then the security_result.action UDM field is set to FAIL.

Else, if the event.network.connectionStatus log field value is equal to BLOCKED, then the security_result.action UDM field is set to BLOCK.
event.network.connectionStatus security_result.action_details
tiIndicator.mitreTactics security_result.attack_details.tactics.name
security_result.category If the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
  • malicious
  • Ransomware
  • OSX.Malware
  • Linux.Malware
  • Malware
  • Manual
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
  • Lateral Movement
  • Remote shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
  • miner
  • Trojan
  • Virus
  • Malicious Office Document
  • Malicious PDF
  • Worm
  • Rootkit
  • Infostealer
  • Generic.Heuristic
  • Downloader
  • Backdoor
  • Hacktool
  • Browser
  • Dialer
  • Installer
  • Packed
  • Network
  • Spyware
  • Interactive shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_PUA.
  • Adware
  • PUA
Else, if the indicator.category log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
security_result.category If the tiIndicator.categories log field value matches the regular expression pattern malware, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
indicator.category security_result.category_details
tiIndicator.categories security_result.category_details
indicator.description security_result.description
event.login.failureReason security_result.description
tiIndicator.description security_result.descripton
indicator.metadata security_result.detection_fields [indicator_metadata]
indicator.name security_result.detection_fields [indicator_name]
tiIndicator.comparisonMethod security_result.detection_fields [ti_indicator_comparison_method]
tiIndicator.creationTime security_result.detection_fields [ti_indicator_creation_time]
tiIndicator.externalId security_result.detection_fields [ti_indicator_external_id]
tiIndicator.metadata security_result.detection_fields [ti_indicator_metadata]
tiIndicator.modificationTime security_result.detection_fields [ti_indicator_modification_time]
tiindicator.originalEvent.id security_result.detection_fields [ti_indicator_original_event_id]
tiindicator.originalEvent.index security_result.detection_fields [ti_indicator_original_event_index]
tiindicator.originalEvent.time security_result.detection_fields [ti_indicator_original_event_time]
tiindicator.originalEvent.traceId security_result.detection_fields [ti_indicator_original_event_trace_id]
tiIndicator.references security_result.detection_fields [ti_indicator_references]
tiIndicator.intrusionSets security_result.detection_fields [ti_indicator_tiIndicator_intrusion_sets]
tiIndicator.type security_result.detection_fields [ti_indicator_type]
tiIndicator.uid security_result.detection_fields [ti_indicator_uid]
tiIndicator.uploadTime security_result.detection_fields [ti_indicator_upload_time]
tiIndicator.validUntil security_result.detection_fields [ti_indicator_valid_until]
osSrc.process.parent.reasonSignatureInvalid security_result.detection_fields[os_src_process_parent_reason_signature_invalid]
osSrc.process.reasonSignatureInvalid security_result.detection_fields[os_src_process_reason_signature_invalid]
tgt.process.reasonSignatureInvalid security_result.detection_fields[tgt_process_reason_signature_invalid]
security_result.severity If the winEventLog.level log field value matches the regular expression pattern ^(INFO|Informational|Information|Normal|NOTICE)$, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the winEventLog.level log field value contain one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL.
  • Warning
  • DEBUG
Else, if the winEventLog.level log field value matches the regular expression pattern Error, then the security_result.severity UDM field is set to ERROR.

Else, if the winEventLog.level log field value matches the regular expression pattern Critical, then the security_result.severity UDM field is set to CRITICAL.
winEventLog.level security_result.severity_details
tiIndicator.name security_result.threat_name
tiIndicator.source security_result.threat_feed_name
tgt.file.oldPath src.file.full_path
tgt.file.oldMd5 src.file.md5 If the tgt.file.oldMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.oldMd5 log field is mapped to the src.file.md5 UDM field.
driver.peSha1 target.process.file.sha1 If the driver.peSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the driver.peSha1 log field is mapped to the target.process.file.sha1 UDM field.
tgt.file.oldSha1 src.file.sha1 If the tgt.file.oldSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.oldSha1 log field is mapped to the src.file.sha1 UDM field.
driver.peSha256 target.process.file.sha256 If the driver.peSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the driver.peSha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.file.oldSha256 src.file.sha256 If the tgt.file.oldSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.oldSha256 log field is mapped to the src.file.sha256 UDM field.
driver.certificate.thumbprintAlgorithm target.labels[driver_certificate_thumbprint_algorithm] (deprecated)
driver.certificate.thumbprintAlgorithm additional.fields[driver_certificate_thumbprint_algorithm]
driver.certificate.thumbprint target.labels[driver_certificate_thumbprint] (deprecated)
driver.certificate.thumbprint additional.fields[driver_certificate_thumbprint]
driver.isLoadedBeforeMonitor target.labels[driver_is_loaded_before_monitor] (deprecated)
driver.isLoadedBeforeMonitor additional.fields[driver_is_loaded_before_monitor]
driver.loadVerdict target.labels[driver_load_verdict] (deprecated)
driver.loadVerdict additional.fields[driver_load_verdict]
driver.startType target.labels[driver_start_type] (deprecated)
driver.startType additional.fields[driver_start_type]
registry.oldValueFullSize src.labels[registry_old_value_full_size] (deprecated)
registry.oldValueFullSize additional.fields[registry_old_value_full_size]
registry.oldValueIsComplete src.labels[registry_old_valueIs_complete] (deprecated)
registry.oldValueIsComplete additional.fields[registry_old_valueIs_complete]
registry.oldValue src.registry.registry_value_data
registry.oldValueType src.registry.registry_value_name
tgt.file.location target.labels[tgt_file_location] (deprecated)
tgt.file.location additional.fields[tgt_file_location]
cmdScript.applicationName target.application
event.login.accountDomain target.domain.name
tgt.file.path target.file.full_path
tgt.file.modificationTime target.file.last_modification_time
tgt.file.md5 target.file.md5 If the tgt.file.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.md5 log field is mapped to the target.file.md5 UDM field.
tgt.file.extension target.file.mime_type
tgt.file.id target.file.names
tgt.file.internalName target.file.names
tgt.file.sha1 target.file.sha1 If the tgt.file.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.sha1 log field is mapped to the target.file.sha1 UDM field.
tgt.file.sha256 target.file.sha256 If the tgt.file.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.sha256 log field is mapped to the target.file.sha256 UDM field.
tgt.file.size target.file.size
target.file.file_type If the tgt.file.type log field value is equal to PE, then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.

Else, if the tgt.file.type log field value is equal to ELF, then the target.file.file_type UDM field is set to FILE_TYPE_ELF.

Else, if the tgt.file.type log field value is equal to MACH, then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.

Else, if the tgt.file.type log field value is equal to PDF, then the target.file.file_type UDM field is set to FILE_TYPE_PDF.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to OPENXML, then the target.file.file_type UDM field is set to FILE_TYPE_XML.

Else, if the tgt.file.type log field value is equal to PKZIP, then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.

Else, if the tgt.file.type log field value is equal to RAR, then the target.file.file_type UDM field is set to FILE_TYPE_RAR.

Else, if the tgt.file.type log field value is equal to BZIP2, then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.

Else, if the tgt.file.type log field value is equal to TAR, then the target.file.file_type UDM field is set to FILE_TYPE_TAR.

Else, if the tgt.file.type log field value is equal to LNK, then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
url.address target.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
url.address target.asset.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
dst.ip.address target.ip
cmdScript.isComplete target.labels[cmd_script_is_complete] (deprecated)
cmdScript.isComplete additional.fields[cmd_script_is_complete]
registry.keyUid target.labels[registry_key_uid] (deprecated)
registry.keyUid additional.fields[registry_key_uid]
registry.valueFullSize target.labels[registry_value_full_size] (deprecated)
registry.valueFullSize additional.fields[registry_value_full_size]
registry.valueIsComplete target.labels[registry_value_is_complete] (deprecated)
registry.valueIsComplete additional.fields[registry_value_is_complete]
tgt.file.convictedBy target.labels[tgt_file_convicted_by] (deprecated)
tgt.file.convictedBy additional.fields[tgt_file_convicted_by]
tgt.file.creationTime target.labels[tgt_file_creation_time] (deprecated)
tgt.file.creationTime additional.fields[tgt_file_creation_time]
tgt.file.description target.labels[tgt_file_description] (deprecated)
tgt.file.description additional.fields[tgt_file_description]
tgt.file.isExecutable target.labels[tgt_file_is_executable] (deprecated)
tgt.file.isExecutable additional.fields[tgt_file_is_executable]
tgt.file.isSigned target.labels[tgt_file_is_signed] (deprecated)
tgt.file.isSigned additional.fields[tgt_file_is_signed]
tgt.process.accessRights target.labels[tgt_process_access_rights] (deprecated)
tgt.process.accessRights additional.fields[tgt_process_access_rights]
tgt.process.activeContent.hash target.labels[tgt_process_active_content_hash] (deprecated)
tgt.process.activeContent.hash additional.fields[tgt_process_active_content_hash]
tgt.process.activeContent.id target.labels[tgt_process_active_content_id] (deprecated)
tgt.process.activeContent.id additional.fields[tgt_process_active_content_id]
tgt.process.activeContent.path target.labels[tgt_process_active_content_path] (deprecated)
tgt.process.activeContent.path additional.fields[tgt_process_active_content_path]
tgt.process.activeContent.signedStatus target.labels [tgt_process_active_content_signed_status] (deprecated)
tgt.process.activeContent.signedStatus additional.fields [tgt_process_active_content_signed_status]
tgt.process.activeContentType target.labels[tgt_process_active_content_type] (deprecated)
tgt.process.activeContentType additional.fields[tgt_process_active_content_type]
tgt.process.displayName target.labels[tgt_process_display_name] (deprecated)
tgt.process.displayName additional.fields[tgt_process_display_name]
tgt.process.image.binaryIsExecutable target.labels[tgt_process_image_binary_is_executable] (deprecated)
tgt.process.image.binaryIsExecutable additional.fields[tgt_process_image_binary_is_executable]
tgt.process.integrityLevel target.labels[tgt_process_integrity_level] (deprecated)
tgt.process.integrityLevel additional.fields[tgt_process_integrity_level]
tgt.process.isNative64Bit target.labels[tgt_process_is_native_64_bit] (deprecated)
tgt.process.isNative64Bit additional.fields[tgt_process_is_native_64_bit]
tgt.process.isRedirectCmdProcessor target.labels[tgt_process_is_redirect_cmd_processor] (deprecated)
tgt.process.isRedirectCmdProcessor additional.fields[tgt_process_is_redirect_cmd_processor]
tgt.process.isStorylineRoot target.labels[tgt_process_is_storyline_root] (deprecated)
tgt.process.isStorylineRoot additional.fields[tgt_process_is_storyline_root]
tgt.process.publisher target.labels[tgt_process_publisher] (deprecated)
tgt.process.publisher additional.fields[tgt_process_publisher]
tgt.process.relation target.labels[tgt_process_relation] (deprecated)
tgt.process.relation additional.fields[tgt_process_relation]
tgt.process.sessionId target.labels[tgt_process_session_id] (deprecated)
tgt.process.sessionId additional.fields[tgt_process_session_id]
tgt.process.signedStatus target.process.file.signature_info.sigcheck.verification_message
tgt.process.startTime target.labels[tgt_process_start_time] (deprecated)
tgt.process.startTime additional.fields[tgt_process_start_time]
tgt.process.storyline.id target.labels[tgt_process_storyline_id] (deprecated)
tgt.process.storyline.id additional.fields[tgt_process_storyline_id]
tgt.process.subsystem target.labels[tgt_process_subsystem] (deprecated)
tgt.process.subsystem additional.fields[tgt_process_subsystem]
tgt.process.verifiedStatus target.labels[tgt_process_verified_status] (deprecated)
tgt.process.verifiedStatus additional.fields[tgt_process_verified_status]
dst.port.number target.port
cmdScript.content target.process.command_line
tgt.process.cmdline target.process.command_line
tgt.process.image.path target.process.file.full_path
tgt.process.image.md5 target.process.file.md5 If the tgt.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.process.image.md5 log field is mapped to the target.process.file.md5 UDM field.
tgt.process.name target.process.file.names
tgt.process.image.sha1 target.process.file.sha1 If the tgt.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.process.image.sha1 log field is mapped to the target.process.file.sha1 UDM field.
cmdScript.sha256 target.process.file.sha256 If the cmdScript.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the cmdScript.sha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.process.image.sha256 target.process.file.sha256 If the tgt.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.process.image.sha256 log field is mapped to the target.process.file.sha256 UDM field.
cmdScript.originalSize target.process.file.size
tgt.process.pid target.process.pid
target.process.product_specific_process_id If the tgt.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{tgt.process.uid} log field is mapped to the target.process.product_specific_process_id UDM field.
registry.keyPath target.registry.registry_key
registry.value target.registry.registry_value_data
registry.valueType target.registry.registry_value_name
k8sCluster.namespaceLabels target.resource_ancestors.attribute.labels[k8s_cluster_namespace_labels]
k8sCluster.namespace target.resource_ancestors.attribute.labels[k8s_cluster_namespace]
k8sCluster.name target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerName target.resource_ancestors.name
k8sCluster.controllerLabels target.resource_ancestors.attribute.labels[k8s_cluster_controller_labels]
target.resource_ancestors.resource_type If the k8sCluster.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerType target.resource_ancestors.resource_subtype
k8sCluster.podName target.resource_ancestors.name
k8sCluster.podLabels target.resource_ancestors.attribute.labels[k8s_cluster_pod_labels]
target.resource_ancestors.resource_type If the k8sCluster.podName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.
k8sCluster.nodeName target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_subtype If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to NODE.
k8sCluster.containerName target.resource.name
k8sCluster.containerId target.resource.product_object_id
target.resource.resource_type If the k8sCluster.containerName log field value is not empty or the k8sCluster.containerId log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER.
k8sCluster.containerImage.sha256 target.resource.attribute.labels[k8s_cluster_container_image_sha256]
k8sCluster.containerImage target.resource.attribute.labels[k8s_cluster_container_image]
k8sCluster.containerLabels target.resource.attribute.labels[k8s_cluster_container_labels]
namedPipe.name target.resource.name
namedPipe.accessMode target.resource.attribute.permission.name
namedPipe.connectionType target.resource.attribute.labels[named_pipe_connection_type]
namedPipe.isFirstInstance target.resource.attribute.labels[named_pipe_is_first_instance]
namedPipe.isOverlapped target.resource.attribute.labels[named_pipe_is_overlapped]
namedPipe.isWriteThrough target.resource.attribute.labels[named_pipe_is_write_through]
namedPipe.maxInstances target.resource.attribute.labels[named_pipe_max_instances]
namedPipe.readMode target.resource.attribute.labels[named_pipe_read_mode]
namedPipe.remoteClients target.resource.attribute.labels[named_pipe_remote_clients]
namedPipe.securityGroups target.resource.attribute.labels[named_pipe_security_groups]
namedPipe.securityOwner target.resource.attribute.labels[named_pipe_security_owner]
namedPipe.typeMode target.resource.attribute.labels[named_pipe_type_mode]
namedPipe.waitMode target.resource.attribute.labels[named_pipe_wait_mode]
task.name target.resource.name
task.path target.resource.attribute.labels[task_path]
target.resource.resource_type If the event.category log field value is equal to scheduled_task, then the target.resource.resource_type UDM field is set to TASK.

If the event.type log field value contain one of the following values, then the target.resource.resource_type UDM field is set to PIPE.
  • Named Pipe Creation
  • Named Pipe Connection
url.address target.url
tgt.process.eUserName target.user.attribute.labels[tgt_process_e_user_name]
tgt.process.eUserUid target.user.attribute.labels[tgt_process_e_user_uid]
tgt.process.lUserName target.user.attribute.labels[tgt_process_l_user_name]
tgt.process.lUserUid target.user.attribute.labels[tgt_process_l_user_uid]
tgt.process.rUserName target.user.attribute.labels[tgt_process_r_user_name]
tgt.process.rUserUid target.user.attribute.labels[tgt_process_r_user_uid]
tgt.process.user target.user.userid
event.login.accountName target.user.user_display_name
target.user.user_role If the event.login.isAdministratorEquivalent log field value is equal to true, then the target.user.user_role UDM field is set to ADMINISTRATOR.
event.login.userName target.user.userid
event.login.accountSid target.user.windows_sid
module.path target.process.file.full_path
module.md5 target.process.file.md5 If the module.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the module.md5 log field is mapped to the target.process.file.md5 UDM field.
module.sha1 target.process.file.sha1 If the module.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the module.sha1 log field is mapped to the target.process.file.sha1 UDM field.
mgmt.url about.url
dataSource.category about.labels[data_source_category] (deprecated)
dataSource.category additional.fields[data_source_category]
dataSource.name about.labels[data_source_name] (deprecated)
dataSource.name additional.fields[data_source_name]
dataSource.vendor about.labels[data_source_vendor] (deprecated)
dataSource.vendor additional.fields[data_source_vendor]
event.category about.labels[event_category] (deprecated)
event.category additional.fields[event_category]
event.login.baseType about.labels[event_login_base_type] (deprecated)
event.login.baseType additional.fields[event_login_base_type]
event.network.protocolName about.labels[event_network_protocol_name] (deprecated)
event.network.protocolName additional.fields[event_network_protocol_name]
event.repetitionCount about.labels[event_repetition_count] (deprecated)
event.repetitionCount additional.fields[event_repetition_count]
event.login.isAdministratorEquivalent about.labels[event_login_is_administrator_equivalent] (deprecated)
event.login.isAdministratorEquivalent additional.fields[event_login_is_administrator_equivalent]
group.id about.labels[group_id] (deprecated) If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the about.labels UDM field.
group.id additional.fields[group_id] If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the additional.fields UDM field.
i.scheme about.labels[i_scheme] (deprecated)
i.scheme additional.fields[i_scheme]
i.version about.labels[i_version] (deprecated)
i.version additional.fields[i_version]
meta.event.name about.labels[meta_event_name] (deprecated)
meta.event.name additional.fields[meta_event_name]
mgmt.id about.labels[mgmt_id] (deprecated)
mgmt.id additional.fields[mgmt_id]
mgmt.osRevision about.labels[mgmt_os_revision] (deprecated)
mgmt.osRevision additional.fields[mgmt_os_revision]
packet.id about.labels[packet_id] (deprecated)
packet.id additional.fields[packet_id]
sca:atlantisIngestTime about.labels[sca_atlantis_ingest_time] (deprecated)
sca:atlantisIngestTime additional.fields[sca_atlantis_ingest_time]
sca:ingestTime about.labels[sca_ingest_time] (deprecated)
sca:ingestTime additional.fields[sca_ingest_time]
timestamp about.labels[timestamp] (deprecated)
timestamp additional.fields[timestamp]
trace.id about.labels[trace_id] (deprecated)
trace.id additional.fields[trace_id]
winEventLog.channel about.labels[win_event_log_channel] (deprecated)
winEventLog.channel additional.fields[win_event_log_channel]
winEventLog.description.additionalInformation about.labels[win_event_log_description_additional_information] (deprecated)
winEventLog.description.additionalInformation additional.fields[win_event_log_description_additional_information]
winEventLog.description.objectName about.labels[win_event_log_description_object_name] (deprecated)
winEventLog.description.objectName additional.fields[win_event_log_description_object_name]
winEventLog.description.objectServer about.labels[win_event_log_description_object_server] (deprecated)
winEventLog.description.objectServer additional.fields[win_event_log_description_object_server]
winEventLog.description.objectType about.labels[win_event_log_description_object_type] (deprecated)
winEventLog.description.objectType additional.fields[win_event_log_description_object_type]
winEventLog.description.operationType about.labels[win_event_log_description_operation_type] (deprecated)
winEventLog.description.operationType additional.fields[win_event_log_description_operation_type]
winEventLog.description.securityId about.labels[win_event_log_description_security_id] (deprecated)
winEventLog.description.securityId additional.fields[win_event_log_description_security_id]
winEventLog.description.userId about.labels[win_event_log_description_user_id] (deprecated)
winEventLog.description.userId additional.fields[win_event_log_description_user_id]
winEventLog.xml about.labels[win_event_log_xml] (deprecated)
winEventLog.xml additional.fields[win_event_log_xml]

后续步骤