Diese Seite wurde von der Cloud Translation API übersetzt.

SentinelOne Cloud Funnel-Logs erfassen

Unterstützt in:

Google SecOps SIEM

In diesem Dokument wird beschrieben, wie Sie SentinelOne Cloud Funnel-Logs exportieren können, indem Sie einen Google Security Operations-Feed einrichten. Außerdem wird beschrieben, wie Logfelder den Feldern des Google Security Operations Unified Data Model (UDM) zugeordnet werden.

Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.

Eine typische Bereitstellung besteht aus SentinelOne Cloud Funnel und dem Google Security Operations-Feed, der so konfiguriert ist, dass Protokolle an Google Security Operations gesendet werden. Jede Kundenbereitstellung kann unterschiedlich sein und komplexer sein.

Die Bereitstellung umfasst die folgenden Komponenten:

SentinelOne: Die Plattform, von der Sie Protokolle erfassen.
Google Security Operations-Feed: Der Google Security Operations-Feed, über den Protokolle von SentinelOne abgerufen und in Google Security Operations geschrieben werden.
Google Security Operations: Bewahrt die Logs auf und analysiert sie.

Ein Datenaufnahmelabel identifiziert den Parser, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel SENTINELONE_CF.

Hinweise

Achten Sie darauf, dass Sie SentinelOne Cloud Funnel v2.0 verwenden.
Sie benötigen Zugriff auf die SentinelOne-Konsole.
Sie benötigen Administratorrechte, um den SentinelOne-Agent zu installieren. Wenden Sie sich an Ihren Administrator, um Administratorrechte zu erhalten.

SentinelOne Cloud Funnel einrichten

Melden Sie sich in der SentinelOne-Verwaltungskonsole an.
Klicken Sie in der Symbolleiste Einstellungen auf Integrationen > Cloud Funnel.
Wählen Sie in der Liste Cloud-Anbieter die Option Google Cloud aus.
Geben Sie im Feld GCS-Speichername den Namen des Cloud Storage-Buckets ein.
Klicken Sie auf Validieren, um zu prüfen, ob der Bucket vorhanden ist und ob SentinelOne Lese- und Schreibzugriff darauf hat.
Wählen Sie Telemetry Streaming aktivieren aus, um Ihre XDR-Daten in Ihren Bucket zu streamen.

Google Security Operations-Aufnahmefeed einrichten

Wählen Sie im Google Security Operations-Menü die Option Settings (Einstellungen) aus.
Klicken Sie auf Feeds.
Klicken Sie auf Neu hinzufügen.
Wählen Sie Google Cloud Storage als Quelltyp aus.
Wählen Sie als Logtyp SentinelOne Singularity Cloud Funnel aus, um einen Feed für SentinelOne Cloud Funnel zu erstellen.
Klicken Sie auf Dienstkonto anfordern.
Klicken Sie auf Weiter.
Konfigurieren Sie die folgenden Eingabeparameter:
- Storage Bucket-URI: Der Google Cloud Storage-Bucket-Quell-URI.
- URI ist ein: Der Objekttyp, auf den URI verweist.
- Option zum Löschen der Quelle: Gibt an, ob Dateien oder Verzeichnisse nach der Übertragung gelöscht werden sollen.
Klicken Sie auf Weiter und dann auf Senden.

Weitere Informationen zu Google Security Operations-Feeds finden Sie in der Dokumentation zu Google Security Operations-Feeds. Informationen zu den Anforderungen für die einzelnen finden Sie unter Feedkonfiguration nach Typ. Wenn beim Erstellen von Feeds Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.

Unterstützte SentinelOne Cloud Funnel-Logtypen

Der SentinelOne Cloud Funnel-Parser unterstützt die folgenden Protokolltypen:

Event Type

Process Exit
Process Modification
Process Creation
Duplicate Process Handle
Duplicate Thread Handle
Open Remote Process Handle
Remote Thread Creation
Remote Process Termination
Command Script
IP Connect
IP Listen
File Modification
File Creation
File Scan
File Deletion
File Rename
Pre Execution Detection
Login
Logout
GET
OPTIONS
POST
PUT
DELETE
CONNECT
HEAD
DNS Resolved
DNS Unresolved
Task Register
Task Update
Task Start
Task Trigger
Task Delete
Registry Key Create
Registry Key Rename
Registry Key Delete
Registry Key Export
Registry Key Security Changed
Registry Key Import
Registry Value Modified
Registry Value Create
Registry Value Delete
Behavioral Indicators
Module Load
Driver Load
Not Reported
Group Creation
Firmware Test
Threat Intelligence Indicators
Named Pipe Creation
Named Pipe Connection
Windows Event Log Creation

Referenz für die Feldzuordnung

In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser die SentinelOne-Felder den Feldern im Google Security Operations Unified Data Model (UDM) zuordnet.

Feldzuordnungsreferenz: Ereignis-ID zu Ereignistyp

In der folgenden Tabelle sind die SENTINELONE_CF-Logtypen und die zugehörigen UDM-Ereignistypen aufgeführt.

Event Identifier	Event Type
`Process Exit`	`PROCESS_TERMINATION`
`Process Modification`	`PROCESS_UNCATEGORIZED`
`Process Creation`	`PROCESS_LAUNCH`
`Duplicate Process Handle`	`PROCESS_UNCATEGORIZED`
`Duplicate Thread Handle`	`PROCESS_UNCATEGORIZED`
`Open Remote Process Handle`	`PROCESS_UNCATEGORIZED`
`Remote Thread Creation`	`PROCESS_UNCATEGORIZED`
`Remote Process Termination`	`PROCESS_TERMINATION`
`Command Script`	`PROCESS_UNCATEGORIZED`
`IP Connect`	`NETWORK_CONNECTION`
`IP Listen`	`STATUS_UPDATE`
`File Modification`	`FILE_MODIFICATION`
`File Creation`	`FILE_CREATION`
`File Scan`	`SCAN_FILE`
`File Deletion`	`FILE_DELETION`
`File Rename`	`FILE_MOVE`
`Pre Execution Detection`	`STATUS_UPDATE`
`Login`	`USER_LOGIN`
`Logout`	`USER_LOGOUT`
`GET`	`NETWORK_HTTP`
`OPTIONS`	`NETWORK_HTTP`
`POST`	`NETWORK_HTTP`
`PUT`	`NETWORK_HTTP`
`DELETE`	`NETWORK_HTTP`
`CONNECT`	`NETWORK_HTTP`
`HEAD`	`NETWORK_HTTP`
`DNS Resolved`	`NETWORK_DNS`
`DNS Unresolved`	`NETWORK_DNS`
`Task Register`	`SCHEDULED_TASK_CREATION`
`Task Update`	`SCHEDULED_TASK_MODIFICATION`
`Task Start`	`SCHEDULED_TASK_UNCATEGORIZED`
`Task Trigger`	`SCHEDULED_TASK_UNCATEGORIZED`
`Task Delete`	`SCHEDULED_TASK_DELETION`
`Registry Key Create`	`REGISTRY_CREATION`
`Registry Key Rename`	`REGISTRY_UNCATEGORIZED`
`Registry Key Delete`	`REGISTRY_DELETION`
`Registry Key Export`	`REGISTRY_UNCATEGORIZED`
`Registry Key Security Changed`	`REGISTRY_MODIFICATION`
`Registry Key Import`	`REGISTRY_UNCATEGORIZED`
`Registry Value Modified`	`REGISTRY_MODIFICATION`
`Registry Value Create`	`REGISTRY_CREATION`
`Registry Value Delete`	`REGISTRY_DELETION`
`Behavioral Indicators`	`STATUS_UPDATE`
`Module Load`	`PROCESS_MODULE_LOAD`
`Driver Load`	`PROCESS_MODULE_LOAD`
`Not Reported`	`NETWORK_HTTP`
`Group Creation`	`GROUP_CREATION`
`Firmware Test`	`STATUS_UPDATE`
`Threat Intelligence Indicators`	`STATUS_UPDATE`
`Named Pipe Creation`	`RESOURCE_CREATION`
`Named Pipe Connection`	`STATUS_UPDATE`

Referenz für die Feldzuordnung: SENTINELONE_CF

In der folgenden Tabelle sind die Logfelder des Logtyps SENTINELONE_CF und die zugehörigen UDM-Felder aufgeführt.

Log field	UDM mapping	Logic
`winEventLog.description`	`about.labels[win_event_log_description]` (deprecated)
`winEventLog.description`	`additional.fields[win_event_log_description]`
`event.time`	`metadata.event_timestamp`
`winEventLog.creationDate`	`about.labels[win_event_log_creation_date]` (deprecated)
`winEventLog.creationDate`	`additional.fields[win_event_log_creation_date]`
`account.id`	`metadata.product_deployment_id`
`event.type`	`metadata.product_event_type`
`event.id`	`metadata.product_log_id`
`winEventLog.id`	`about.labels[win_event_log_id]` (deprecated)
`winEventLog.id`	`additional.fields[win_event_log_id]`
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `SentinelOne`.
	`extensions.auth.auth_details`	If the `event.type` log field value contain one of the following values, then the `event.type` log field is mapped to the `extensions.auth.auth_details` UDM field. `Login` `Logout`
	`extensions.auth.mechanism`	If the `event.login.type` log field value is equal to `NETWORK`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `event.login.type` log field value is equal to `SYSTEM`, then the `extensions.auth.mechanism` UDM field is set to `LOCAL`. Else, if the `event.login.type` log field value is equal to `INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `event.login.type` log field value is equal to `BATCH`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `event.login.type` log field value is equal to `SERVICE`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `event.login.type` log field value is equal to `UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `UNLOCK`. Else, if the `event.login.type` log field value is equal to `NETWORK_CLEAR_TEXT`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK_CLEAR_TEXT`. Else, if the `event.login.type` log field value is equal to `NEW_CREDENTIALS`, then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS`. Else, if the `event.login.type` log field value is equal to `REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, if the `event.login.type` log field value is equal to `CACHED_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE`. Else, if the `event.login.type` log field value is equal to `CACHED_REMOTE_INTERACTIVE`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_REMOTE_INTERACTIVE`. Else, if the `event.login.type` log field value is equal to `CACHED_UNLOCK`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_UNLOCK`.
	`network.application_protocol`	If the `event.type` log field value contain one of the following values, then the `network.application_protocol` UDM field is set to `DNS`. `DNS Resolved` `DNS Unresolved`
	`network.direction`	If the `event.network.direction` log field value is equal to `OUTGOING`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, if the `event.network.direction` log field value is equal to `INCOMING`, then the `network.direction` UDM field is set to `INBOUND`.
`event.dns.response`	`network.dns.answers.name`
`event.dns.response`	`network.dns.answers.type`
`event.dns.request`	`network.dns.questions.name`
`event.url.action`	`network.http.method`
`event.login.sessionId`	`network.session_id`
`agent.uuid`	`principal.asset.asset_id`
`agent.uuid`	`principal.asset_id`
`agent.version`	`principal.asset.attribute.labels[agent_version]`
`winEventLog.description.accountDomain`	`principal.labels[win_event_log_description_account_domain]` (deprecated)
`winEventLog.description.accountDomain`	`additional.fields[win_event_log_description_account_domain]`
	`principal.asset.platform_software.platform`	If the `endpoint.os` log field value is equal to `windows`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `endpoint.os` log field value is equal to `linux`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
	`principal.asset.type`	If the `endpoint.type` log field value is equal to `laptop`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `endpoint.type` log field value contain one of the following values, then the `principal.asset.type` UDM field is set to `SERVER`. `server` `Kubernetes Node` Else, if the `endpoint.type` log field value is equal to `desktop`, then the `principal.asset.type` UDM field is set to `WORKSTATION`.
`endpoint.name`	`principal.hostname`
`endpoint.name`	`principal.asset.hostname`
`src.endpoint.ip.address`	`principal.ip`
`src.ip.address`	`principal.ip`
`osSrc.process.activeContent.hash`	`principal.labels[os_src_process_active_content_hash]` (deprecated)
`osSrc.process.activeContent.hash`	`additional.fields[os_src_process_active_content_hash]`
`osSrc.process.activeContent.id`	`principal.labels[os_src_process_active_content_id]` (deprecated)
`osSrc.process.activeContent.id`	`additional.fields[os_src_process_active_content_id]`
`osSrc.process.activeContent.path`	`principal.labels[os_src_process_active_content_path]` (deprecated)
`osSrc.process.activeContent.path`	`additional.fields[os_src_process_active_content_path]`
`osSrc.process.activeContent.signedStatus`	`principal.labels[os_src_process_active_content_signed_status]` (deprecated)
`osSrc.process.activeContent.signedStatus`	`additional.fields[os_src_process_active_content_signed_status]`
`osSrc.process.activeContentType`	`principal.labels[os_src_process_active_content_type]` (deprecated)
`osSrc.process.activeContentType`	`additional.fields[os_src_process_active_content_type]`
`osSrc.process.childProcCount`	`principal.labels[os_src_process_child_proc_count]` (deprecated)
`osSrc.process.childProcCount`	`additional.fields[os_src_process_child_proc_count]`
`osSrc.process.crossProcessCount`	`principal.labels[os_src_process_cross_process_count]` (deprecated)
`osSrc.process.crossProcessCount`	`additional.fields[os_src_process_cross_process_count]`
`osSrc.process.crossProcessDupRemoteProcessHandleCount`	`principal.labels[os_src_process_cross_process_dup_rmote_process_handle_count]` (deprecated)
`osSrc.process.crossProcessDupRemoteProcessHandleCount`	`additional.fields[os_src_process_cross_process_dup_rmote_process_handle_count]`
`osSrc.process.crossProcessDupThreadHandleCount`	`principal.labels[os_src_process_cross_process_dup_thread_handle_count]` (deprecated)
`osSrc.process.crossProcessDupThreadHandleCount`	`additional.fields[os_src_process_cross_process_dup_thread_handle_count]`
`osSrc.process.crossProcessOpenProcessCount`	`principal.labels[os_src_process_cross_process_open_process_count]` (deprecated)
`osSrc.process.crossProcessOpenProcessCount`	`additional.fields[os_src_process_cross_process_open_process_count]`
`osSrc.process.crossProcessOutOfStorylineCount`	`principal.labels[os_src_process_cross_process_out_of_storyline_count]` (deprecated)
`osSrc.process.crossProcessOutOfStorylineCount`	`additional.fields[os_src_process_cross_process_out_of_storyline_count]`
`osSrc.process.crossProcessThreadCreateCount`	`principal.labels[os_src_process_cross_process_thread_create_count]` (deprecated)
`osSrc.process.crossProcessThreadCreateCount`	`additional.fields[os_src_process_cross_process_thread_create_count]`
`osSrc.process.displayName`	`principal.labels[os_src_process_display_name]` (deprecated)
`osSrc.process.displayName`	`additional.fields[os_src_process_display_name]`
`osSrc.process.dnsCount`	`principal.labels[os_src_process_dns_count]` (deprecated)
`osSrc.process.dnsCount`	`additional.fields[os_src_process_dns_count]`
`osSrc.process.image.binaryIsExecutable`	`principal.labels[os_src_process_image_binary_is_executable]` (deprecated)
`osSrc.process.image.binaryIsExecutable`	`additional.fields[os_src_process_image_binary_is_executable]`
`osSrc.process.indicatorBootConfigurationUpdateCount`	`principal.labels[os_src_process_indicator_boot_configuration_update_count]` (deprecated)
`osSrc.process.indicatorBootConfigurationUpdateCount`	`additional.fields[os_src_process_indicator_boot_configuration_update_count]`
`osSrc.process.indicatorEvasionCount`	`principal.labels[os_src_process_indicator_evasion_count]` (deprecated)
`osSrc.process.indicatorEvasionCount`	`additional.fields[os_src_process_indicator_evasion_count]`
`osSrc.process.indicatorExploitationCount`	`principal.labels[os_src_process_indicator_exploitation_count]` (deprecated)
`osSrc.process.indicatorExploitationCount`	`additional.fields[os_src_process_indicator_exploitation_count]`
`osSrc.process.indicatorGeneral.count`	`principal.labels[os_src_process_indicator_general_count]` (deprecated)
`osSrc.process.indicatorGeneral.count`	`additional.fields[os_src_process_indicator_general_count]`
`osSrc.process.indicatorInfostealerCount`	`principal.labels[os_src_process_indicator_infostealer_count]` (deprecated)
`osSrc.process.indicatorInfostealerCount`	`additional.fields[os_src_process_indicator_infostealer_count]`
`osSrc.process.indicatorInjectionCount`	`principal.labels[os_src_process_indicator_injection_count]` (deprecated)
`osSrc.process.indicatorInjectionCount`	`additional.fields[os_src_process_indicator_injection_count]`
`osSrc.process.indicatorPersistenceCount`	`principal.labels[os_src_process_indicator_persistence_count]` (deprecated)
`osSrc.process.indicatorPersistenceCount`	`additional.fields[os_src_process_indicator_persistence_count]`
`osSrc.process.indicatorPostExploitationCount`	`principal.labels[os_src_process_indicator_post_exploitation_count]` (deprecated)
`osSrc.process.indicatorPostExploitationCount`	`additional.fields[os_src_process_indicator_post_exploitation_count]`
`osSrc.process.indicatorRansomwareCount`	`principal.labels[os_src_process_indicator_ransomware_count]` (deprecated)
`osSrc.process.indicatorRansomwareCount`	`additional.fields[os_src_process_indicator_ransomware_count]`
`osSrc.process.indicatorReconnaissanceCount`	`principal.labels[os_src_process_indicator_reconnaissance_count]` (deprecated)
`osSrc.process.indicatorReconnaissanceCount`	`additional.fields[os_src_process_indicator_reconnaissance_count]`
`osSrc.process.integrityLevel`	`principal.labels[os_src_process_integrity_level]` (deprecated)
`osSrc.process.integrityLevel`	`additional.fields[os_src_process_integrity_level]`
`osSrc.process.isNative64Bit`	`principal.labels[os_src_process_is_native_64_bit]` (deprecated)
`osSrc.process.isNative64Bit`	`additional.fields[os_src_process_is_native_64_bit]`
`osSrc.process.isRedirectCmdProcessor`	`principal.labels[os_src_process_is_redirect_cmd_processor]` (deprecated)
`osSrc.process.isRedirectCmdProcessor`	`additional.fields[os_src_process_is_redirect_cmd_processor]`
`osSrc.process.isStorylineRoot`	`principal.labels[os_src_process_is_storyline_root]` (deprecated)
`osSrc.process.isStorylineRoot`	`additional.fields[os_src_process_is_storyline_root]`
`osSrc.process.moduleCount`	`principal.labels[os_src_process_module_count]` (deprecated)
`osSrc.process.moduleCount`	`additional.fields[os_src_process_module_count]`
`osSrc.process.netConnCount`	`principal.labels[os_src_process_net_conn_count]` (deprecated)
`osSrc.process.netConnCount`	`additional.fields[os_src_process_net_conn_count]`
`osSrc.process.netConnInCount`	`principal.labels[os_src_process_net_conn_in_count]` (deprecated)
`osSrc.process.netConnInCount`	`additional.fields[os_src_process_net_conn_in_count]`
`osSrc.process.netConnOutCount`	`principal.labels[os_src_process_net_conn_out_count]` (deprecated)
`osSrc.process.netConnOutCount`	`additional.fields[os_src_process_net_conn_out_count]`
`osSrc.process.parent.activeContent.hash`	`principal.labels[os_src_process_parent_active_content_hash]` (deprecated)
`osSrc.process.parent.activeContent.hash`	`additional.fields[os_src_process_parent_active_content_hash]`
`osSrc.process.parent.activeContent.id`	`principal.labels[os_src_process_parent_active_content_id]` (deprecated)
`osSrc.process.parent.activeContent.id`	`additional.fields[os_src_process_parent_active_content_id]`
`osSrc.process.parent.activeContent.path`	`principal.labels[os_src_process_parent_active_content_path]` (deprecated)
`osSrc.process.parent.activeContent.path`	`additional.fields[os_src_process_parent_active_content_path]`
`osSrc.process.parent.activeContent.signedStatus`	`principal.labels[os_src_process_parent_active_content_signed_status]` (deprecated)
`osSrc.process.parent.activeContent.signedStatus`	`additional.fields[os_src_process_parent_active_content_signed_status]`
`osSrc.process.parent.activeContentType`	`principal.labels[os_src_process_parent_active_content_type]` (deprecated)
`osSrc.process.parent.activeContentType`	`additional.fields[os_src_process_parent_active_content_type]`
`osSrc.process.parent.displayName`	`principal.labels[os_src_process_parent_display_name]` (deprecated)
`osSrc.process.parent.displayName`	`additional.fields[os_src_process_parent_display_name]`
`osSrc.process.parent.integrityLevel`	`principal.labels[os_src_process_parent_integrity_level]` (deprecated)
`osSrc.process.parent.integrityLevel`	`additional.fields[os_src_process_parent_integrity_level]`
`osSrc.process.parent.isNative64Bit`	`principal.labels[os_src_process_parent_is_native_64_bit]` (deprecated)
`osSrc.process.parent.isNative64Bit`	`additional.fields[os_src_process_parent_is_native_64_bit]`
`osSrc.process.parent.isRedirectCmdProcessor`	`principal.labels[os_src_process_parent_is_redirect_cmd_processor]` (deprecated)
`osSrc.process.parent.isRedirectCmdProcessor`	`additional.fields[os_src_process_parent_is_redirect_cmd_processor]`
`osSrc.process.parent.isStorylineRoot`	`principal.labels[os_src_process_parent_is_storyline_root]` (deprecated)
`osSrc.process.parent.isStorylineRoot`	`additional.fields[os_src_process_parent_is_storyline_root]`
`osSrc.process.parent.publisher`	`principal.labels[os_src_process_parent_publisher]` (deprecated)
`osSrc.process.parent.publisher`	`additional.fields[os_src_process_parent_publisher]`
`osSrc.process.parent.sessionId`	`principal.labels[os_src_process_parent_session_id]` (deprecated)
`osSrc.process.parent.sessionId`	`additional.fields[os_src_process_parent_session_id]`
`osSrc.process.parent.signedStatus`	`principal.process_ancestors.parent_process.file.signature_info.sigcheck.verification_message`
`osSrc.process.parent.startTime`	`principal.labels[os_src_process_parent_start_time]` (deprecated)
`osSrc.process.parent.startTime`	`additional.fields[os_src_process_parent_start_time]`
`osSrc.process.parent.storyline.id`	`principal.labels[os_src_process_parent_storyline_id]` (deprecated)
`osSrc.process.parent.storyline.id`	`additional.fields[os_src_process_parent_storyline_id]`
`src.process.parent.storyline.id`	`principal.labels[src_process_parent_storyline_id]` (deprecated)
`src.process.parent.storyline.id`	`additional.fields[src_process_parent_storyline_id]`
`osSrc.process.publisher`	`principal.labels[os_src_process_publisher]` (deprecated)
`osSrc.process.publisher`	`additional.fields[os_src_process_publisher]`
`osSrc.process.registryChangeCount`	`principal.labels[os_src_process_registry_change_count]` (deprecated)
`osSrc.process.registryChangeCount`	`additional.fields[os_src_process_registry_change_count]`
`osSrc.process.sessionId`	`principal.labels[os_src_process_session_id]` (deprecated)
`osSrc.process.sessionId`	`additional.fields[os_src_process_session_id]`
`osSrc.process.signedStatus`	`principal.process_ancestors.file.signature_info.sigcheck.verification_message`
`osSrc.process.startTime`	`principal.labels[os_src_process_start_time]` (deprecated)
`osSrc.process.startTime`	`additional.fields[os_src_process_start_time]`
`osSrc.process.storyline.id`	`principal.labels[os_src_process_storyline_id]` (deprecated)
`osSrc.process.storyline.id`	`additional.fields[os_src_process_storyline_id]`
`osSrc.process.subsystem`	`principal.labels[os_src_process_subsystem]` (deprecated)
`osSrc.process.subsystem`	`additional.fields[os_src_process_subsystem]`
`osSrc.process.tgtFileCreationCount`	`principal.labels[os_src_process_tgt_file_creation_count]` (deprecated)
`osSrc.process.tgtFileCreationCount`	`additional.fields[os_src_process_tgt_file_creation_count]`
`osSrc.process.tgtFileDeletionCount`	`principal.labels[os_src_process_tgt_file_deletion_count]` (deprecated)
`osSrc.process.tgtFileDeletionCount`	`additional.fields[os_src_process_tgt_file_deletion_count]`
`osSrc.process.tgtFileModificationCount`	`principal.labels[os_src_process_tgt_file_modification_count]` (deprecated)
`osSrc.process.tgtFileModificationCount`	`additional.fields[os_src_process_tgt_file_modification_count]`
`osSrc.process.verifiedStatus`	`principal.labels[os_src_process_verified_status]` (deprecated)
`osSrc.process.verifiedStatus`	`additional.fields[os_src_process_verified_status]`
`process.unique.key`	`principal.labels[process_unique_key]` (deprecated)
`process.unique.key`	`additional.fields[process_unique_key]`
`site.name`	`principal.labels[site_name]` (deprecated)
`site.name`	`additional.fields[site_name]`
`src.process.activeContent.hash`	`principal.labels[src_process_active_content_hash]` (deprecated)
`src.process.activeContent.hash`	`additional.fields[src_process_active_content_hash]`
`src.process.activeContent.id`	`principal.labels[src_process_active_content_id]` (deprecated)
`src.process.activeContent.id`	`additional.fields[src_process_active_content_id]`
`src.process.activeContent.path`	`principal.labels[src_process_active_content_path]` (deprecated)
`src.process.activeContent.path`	`additional.fields[src_process_active_content_path]`
`src.process.activeContent.signedStatus`	`principal.labels[src_process_active_content_signed_status]` (deprecated)
`src.process.activeContent.signedStatus`	`additional.fields[src_process_active_content_signed_status]`
`src.process.activeContentType`	`principal.labels[src_process_active_content_type]` (deprecated)
`src.process.activeContentType`	`additional.fields[src_process_active_content_type]`
`src.process.childProcCount`	`principal.labels[src_process_child_proc_count]` (deprecated)
`src.process.childProcCount`	`additional.fields[src_process_child_proc_count]`
`src.process.crossProcessCount`	`principal.labels[src_process_cross_process_count]` (deprecated)
`src.process.crossProcessCount`	`additional.fields[src_process_cross_process_count]`
`src.process.crossProcessDupRemoteProcessHandleCount`	`principal.labels[src_process_cross_process_dup_remote_process_handle_count]` (deprecated)
`src.process.crossProcessDupRemoteProcessHandleCount`	`additional.fields[src_process_cross_process_dup_remote_process_handle_count]`
`src.process.crossProcessDupThreadHandleCount`	`principal.labels[src_process_cross_process_dup_thread_handle_count]` (deprecated)
`src.process.crossProcessDupThreadHandleCount`	`additional.fields[src_process_cross_process_dup_thread_handle_count]`
`src.process.crossProcessOpenProcessCount`	`principal.labels[src_process_cross_process_open_process_count]` (deprecated)
`src.process.crossProcessOpenProcessCount`	`additional.fields[src_process_cross_process_open_process_count]`
`src.process.crossProcessOutOfStorylineCount`	`principal.labels[src_process_cross_process_out_of_storyline_count]` (deprecated)
`src.process.crossProcessOutOfStorylineCount`	`additional.fields[src_process_cross_process_out_of_storyline_count]`
`src.process.crossProcessThreadCreateCount`	`principal.labels[src_process_cross_process_thread_create_count]` (deprecated)
`src.process.crossProcessThreadCreateCount`	`additional.fields[src_process_cross_process_thread_create_count]`
`src.process.displayName`	`principal.labels[src_process_display_name]` (deprecated)
`src.process.displayName`	`additional.fields[src_process_display_name]`
`src.process.dnsCount`	`principal.labels[src_process_dns_count]` (deprecated)
`src.process.dnsCount`	`additional.fields[src_process_dns_count]`
`src.process.image.binaryIsExecutable`	`principal.labels[src_process_image_binary_is_executable]` (deprecated)
`src.process.image.binaryIsExecutable`	`additional.fields[src_process_image_binary_is_executable]`
`src.process.indicatorBootConfigurationUpdateCount`	`principal.labels[src_process_indicator_boot_configuration_update_count]` (deprecated)
`src.process.indicatorBootConfigurationUpdateCount`	`additional.fields[src_process_indicator_boot_configuration_update_count]`
`src.process.indicatorEvasionCount`	`principal.labels[src_process_indicator_evasion_count]` (deprecated)
`src.process.indicatorEvasionCount`	`additional.fields[src_process_indicator_evasion_count]`
`src.process.indicatorExploitationCount`	`principal.labels[src_process_indicator_exploitation_count]` (deprecated)
`src.process.indicatorExploitationCount`	`additional.fields[src_process_indicator_exploitation_count]`
`src.process.indicatorGeneralCount`	`principal.labels[src_process_indicator_general_count]` (deprecated)
`src.process.indicatorGeneralCount`	`additional.fields[src_process_indicator_general_count]`
`src.process.indicatorInfostealerCount`	`principal.labels[src_process_indicator_infostealer_count]` (deprecated)
`src.process.indicatorInfostealerCount`	`additional.fields[src_process_indicator_infostealer_count]`
`src.process.indicatorInjectionCount`	`principal.labels[src_process_indicator_injection_count]` (deprecated)
`src.process.indicatorInjectionCount`	`additional.fields[src_process_indicator_injection_count]`
`src.process.indicatorPersistenceCount`	`principal.labels[src_process_indicator_persistence_count]` (deprecated)
`src.process.indicatorPersistenceCount`	`additional.fields[src_process_indicator_persistence_count]`
`src.process.indicatorPostExploitationCount`	`principal.labels[src_process_indicator_post_exploitation_count]` (deprecated)
`src.process.indicatorPostExploitationCount`	`additional.fields[src_process_indicator_post_exploitation_count]`
`src.process.indicatorRansomwareCount`	`principal.labels[src_process_indicator_ransomware_count]` (deprecated)
`src.process.indicatorRansomwareCount`	`additional.fields[src_process_indicator_ransomware_count]`
`src.process.indicatorReconnaissanceCount`	`principal.labels[src_process_indicator_reconnaissance_count]` (deprecated)
`src.process.indicatorReconnaissanceCount`	`additional.fields[src_process_indicator_reconnaissance_count]`
`src.process.integrityLevel`	`principal.labels[src_process_integrity_level]` (deprecated)
`src.process.integrityLevel`	`additional.fields[src_process_integrity_level]`
`src.process.isNative64Bit`	`principal.labels[src_process_is_native_64_bit]` (deprecated)
`src.process.isNative64Bit`	`additional.fields[src_process_is_native_64_bit]`
`src.process.isRedirectCmdProcessor`	`principal.labels[src_process_is_redirect_cmd_processor]` (deprecated)
`src.process.isRedirectCmdProcessor`	`additional.fields[src_process_is_redirect_cmd_processor]`
`src.process.isStorylineRoot`	`principal.labels[src_process_is_storyline_root]` (deprecated)
`src.process.isStorylineRoot`	`additional.fields[src_process_is_storyline_root]`
`src.process.lUserUid`	`principal.labels[src_process_l_user_uid]` (deprecated)
`src.process.lUserUid`	`additional.fields[src_process_l_user_uid]`
`src.process.moduleCount`	`principal.labels[src_process_module_count]` (deprecated)
`src.process.moduleCount`	`additional.fields[src_process_module_count]`
`src.process.netConnCount`	`principal.labels[src_process_net_conn_count]` (deprecated)
`src.process.netConnCount`	`additional.fields[src_process_net_conn_count]`
`src.process.netConnInCount`	`principal.labels[src_process_net_conn_in_count]` (deprecated)
`src.process.netConnInCount`	`additional.fields[src_process_net_conn_in_count]`
`src.process.netConnOutCount`	`principal.labels[src_process_net_conn_out_count]` (deprecated)
`src.process.netConnOutCount`	`additional.fields[src_process_net_conn_out_count]`
`src.process.parent.activeContent.hash`	`principal.labels[src_process_parent_active_content_hash]` (deprecated)
`src.process.parent.activeContent.hash`	`additional.fields[src_process_parent_active_content_hash]`
`src.process.parent.activeContent.id`	`principal.labels[src_process_parent_active_content_id]` (deprecated)
`src.process.parent.activeContent.id`	`additional.fields[src_process_parent_active_content_id]`
`src.process.parent.activeContent.path`	`principal.labels[src_process_parent_active_content_path]` (deprecated)
`src.process.parent.activeContent.path`	`additional.fields[src_process_parent_active_content_path]`
`src.process.parent.activeContent.signedStatus`	`principal.labels[src_process_parent_active_content_signed_status]` (deprecated)
`src.process.parent.activeContent.signedStatus`	`additional.fields[src_process_parent_active_content_signed_status]`
`src.process.parent.activeContentType`	`principal.labels[src_process_parent_active_content_type]` (deprecated)
`src.process.parent.activeContentType`	`additional.fields[src_process_parent_active_content_type]`
`src.process.parent.displayName`	`principal.labels[src_process_parent_display_name]` (deprecated)
`src.process.parent.displayName`	`additional.fields[src_process_parent_display_name]`
`src.process.parent.integrityLevel`	`principal.labels[src_process_parent_integrity_level]` (deprecated)
`src.process.parent.integrityLevel`	`additional.fields[src_process_parent_integrity_level]`
`src.process.parent.isNative64Bit`	`principal.labels[src_process_parent_is_native_64_bit]` (deprecated)
`src.process.parent.isNative64Bit`	`additional.fields[src_process_parent_is_native_64_bit]`
`src.process.parent.isRedirectCmdProcessor`	`principal.labels[src_process_parent_is_redirect_cmd_processor]` (deprecated)
`src.process.parent.isRedirectCmdProcessor`	`additional.fields[src_process_parent_is_redirect_cmd_processor]`
`src.process.parent.isStorylineRoot`	`principal.labels[src_process_parent_is_storyline_root]` (deprecated)
`src.process.parent.isStorylineRoot`	`additional.fields[src_process_parent_is_storyline_root]`
`src.process.parent.publisher`	`principal.labels[src_process_parent_publisher]` (deprecated)
`src.process.parent.publisher`	`additional.fields[src_process_parent_publisher]`
`src.process.parent.reasonSignatureInvalid`	`principal.labels[src_process_parent_reason_signature_invalid]` (deprecated)
`src.process.parent.reasonSignatureInvalid`	`additional.fields[src_process_parent_reason_signature_invalid]`
`src.process.parent.sessionId`	`principal.labels[src_process_parent_session_id]` (deprecated)
`src.process.parent.sessionId`	`additional.fields[src_process_parent_session_id]`
`src.process.parent.signedStatus`	`principal.process.parent_process.file.signature_info.sigcheck.verification_message`
`src.process.parent.startTime`	`principal.labels[src_process_parent_start_time]` (deprecated)
`src.process.parent.startTime`	`additional.fields[src_process_parent_start_time]`
`src.process.parent.subsystem`	`principal.labels[src_process_parent_subsystem]` (deprecated)
`src.process.parent.subsystem`	`additional.fields[src_process_parent_subsystem]`
`src.process.publisher`	`principal.labels[src_process_publisher]` (deprecated)
`src.process.publisher`	`additional.fields[src_process_publisher]`
`src.process.reasonSignatureInvalid`	`principal.labels[src_process_reason_signature_invalid]` (deprecated)
`src.process.reasonSignatureInvalid`	`additional.fields[src_process_reason_signature_invalid]`
`src.process.registryChangeCount`	`principal.labels[src_process_registry_change_count]` (deprecated)
`src.process.registryChangeCount`	`additional.fields[src_process_registry_change_count]`
`src.process.rpid`	`principal.labels[src_process_rpid]` (deprecated)
`src.process.rpid`	`additional.fields[src_process_rpid]`
`src.process.sessionId`	`principal.labels[src_process_session_id]` (deprecated)
`src.process.sessionId`	`additional.fields[src_process_session_id]`
`src.process.signedStatus`	`principal.process.file.signature_info.sigcheck.verification_message`
`src.process.startTime`	`principal.labels[src_process_start_time]` (deprecated)
`src.process.startTime`	`additional.fields[src_process_start_time]`
`src.process.storyline.id`	`principal.labels[src_process_storyline_id]` (deprecated)
`src.process.storyline.id`	`additional.fields[src_process_storyline_id]`
`src.process.subsystem`	`principal.labels[src_process_subsystem]` (deprecated)
`src.process.subsystem`	`additional.fields[src_process_subsystem]`
`src.process.tgtFileCreationCount`	`principal.labels[src_process_tgt_file_creation_count]` (deprecated)
`src.process.tgtFileCreationCount`	`additional.fields[src_process_tgt_file_creation_count]`
`src.process.tgtFileDeletionCount`	`principal.labels[src_process_tgt_file_deletion_count]` (deprecated)
`src.process.tgtFileDeletionCount`	`additional.fields[src_process_tgt_file_deletion_count]`
`src.process.tgtFileModificationCount`	`principal.labels[src_process_tgt_file_modification_count]` (deprecated)
`src.process.tgtFileModificationCount`	`additional.fields[src_process_tgt_file_modification_count]`
`src.process.tid`	`principal.labels[src_process_tid]` (deprecated)
`src.process.tid`	`additional.fields[src_process_tid]`
	`principal.process.product_specific_process_id`	If the `src.process.uid` log field value is not empty, then the `SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.uid}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`src.process.verifiedStatus`	`principal.labels[src_process_verified_status]` (deprecated)
`src.process.verifiedStatus`	`additional.fields[src_process_verified_status]`
`site.id`	`principal.labels[site_id]` (deprecated)
`site.id`	`additional.fields[site_id]`
	`principal.platform`	If the `os.name` log field value matches the regular expression pattern `(?i)win`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `os.name` log field value matches the regular expression pattern `(?i)lin`, then the `principal.platform` UDM field is set to `LINUX`.
`src.port.number`	`principal.port`
`osSrc.process.cmdline`	`principal.process_ancestors.command_line`
`osSrc.process.image.path`	`principal.process_ancestors.file.full_path`
`osSrc.process.image.md5`	`principal.process_ancestors.file.md5`	If the `osSrc.process.image.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `osSrc.process.image.md5` log field is mapped to the `principal.process_ancestors.file.md5` UDM field.
`osSrc.process.name`	`principal.process_ancestors.file.names`
`osSrc.process.image.sha1`	`principal.process_ancestors.file.sha1`	If the `osSrc.process.image.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `osSrc.process.image.sha1` log field is mapped to the `principal.process_ancestors.file.sha1` UDM field.
`osSrc.process.image.sha256`	`principal.process_ancestors.file.sha256`	If the `osSrc.process.image.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `osSrc.process.image.sha256` log field is mapped to the `principal.process_ancestors.file.sha256` UDM field.
`osSrc.process.parent.cmdline`	`principal.process_ancestors.parent_process.command_line`
`osSrc.process.parent.image.path`	`principal.process_ancestors.parent_process.file.full_path`
`osSrc.process.parent.image.md5`	`principal.process_ancestors.parent_process.file.md5`	If the `osSrc.process.parent.image.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `osSrc.process.parent.image.md5` log field is mapped to the `principal.process_ancestors.parent_process.file.md5` UDM field.
`osSrc.process.parent.name`	`principal.process_ancestors.parent_process.file.names`
`osSrc.process.parent.image.sha1`	`principal.process_ancestors.parent_process.file.sha1`	If the `osSrc.process.parent.image.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `osSrc.process.parent.image.sha1` log field is mapped to the `principal.process_ancestors.parent_process.file.sha1` UDM field.
`osSrc.process.parent.image.sha256`	`principal.process_ancestors.parent_process.file.sha256`	If the `osSrc.process.parent.image.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `osSrc.process.parent.image.sha256` log field is mapped to the `principal.process_ancestors.parent_process.file.sha256` UDM field.
`osSrc.process.parent.pid`	`principal.process_ancestors.parent_process.pid`
`osSrc.process.pid`	`principal.process_ancestors.pid`
	`principal.process_ancestors.product_specific_process_id`	If the `osSrc.process.uid` log field value is not empty, then the `SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.uid}` log field is mapped to the `principal.process_ancestors.product_specific_process_id` UDM field.
`src.process.cmdline`	`principal.process.command_line`
`src.process.image.path`	`principal.process.file.full_path`
`src.process.image.md5`	`principal.process.file.md5`	If the `src.process.image.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `src.process.image.md5` log field is mapped to the `principal.process.file.md5` UDM field.
`src.process.name`	`principal.process.file.names`
`src.process.image.sha1`	`principal.process.file.sha1`	If the `src.process.image.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `src.process.image.sha1` log field is mapped to the `principal.process.file.sha1` UDM field.
`src.process.image.sha256`	`principal.process.file.sha256`	If the `src.process.image.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `src.process.image.sha256` log field is mapped to the `principal.process.file.sha256` UDM field.
`src.process.parent.cmdline`	`principal.process.parent_process.command_line`
`src.process.parent.image.md5`	`principal.process.parent_process.file.md5`	If the `src.process.parent.image.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `src.process.parent.image.md5` log field is mapped to the `principal.process.parent_process.file.md5` UDM field.
`src.process.parent.image.path`	`principal.process.parent_process.file.full_path`
`src.process.parent.name`	`principal.process.parent_process.file.names`
`src.process.parent.image.sha1`	`principal.process.parent_process.file.sha1`	If the `src.process.parent.image.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `src.process.parent.image.sha1` log field is mapped to the `principal.process.parent_process.file.sha1` UDM field.
`src.process.parent.image.sha256`	`principal.process.parent_process.file.sha256`	If the `src.process.parent.image.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `src.process.parent.image.sha256` log field is mapped to the `principal.process.parent_process.file.sha256` UDM field.
`src.process.parent.pid`	`principal.process.parent_process.pid`
	`principal.process_ancestors.parent_process.product_specific_process_id`	If the `osSrc.process.parent.uid` log field value is not empty, then the `SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.parent.uid}` log field is mapped to the `principal.process_ancestors.parent_process.product_specific_process_id` UDM field.
	`principal.process.parent_process.product_specific_process_id`	If the `src.process.parent.uid` log field value is not empty, then the `SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.parent.uid}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`src.process.pid`	`principal.process.pid`
`osSrc.process.user`	`principal.user.attribute.labels[os_src_process_user]`
`src.process.eUserUid`	`principal.user.attribute.labels[src_process_e_user_uid]`
`src.process.lUserName`	`principal.user.attribute.labels[src_process_l_user_name]`
`src.process.parent.eUserUid`	`principal.user.attribute.labels[src_process_parent_e_user_uid]`
`src.process.parent.lUserUid`	`principal.user.attribute.labels[src_process_parent_l_user_uid]`
`src.process.parent.rUserUid`	`principal.user.attribute.labels[src_process_parent_r_user_uid]`
`src.process.rUserName`	`principal.user.attribute.labels[src_process_r_user_name]`
`src.process.rUserUid`	`principal.user.attribute.labels[src_process_r_user_uid]`
`src.process.eUserName`	`principal.user.attribute.labels[src_process_e_user_name]`
`src.process.parent.eUserName`	`principal.user.attribute.labels[src_process_parent_e_user_name]`
`src.process.parent.lUserName`	`principal.user.attribute.labels[src_process_parent_l_user_name]`
`src.process.parent.rUserName`	`principal.user.attribute.labels[src_process_parent_r_user_name]`
`osSrc.process.parent.user`	`principal.user.attribute.labels[os_src_process_parent_user]`
`src.process.parent.user`	`principal.user.attribute.labels[src_process_parent_user]`
`src.process.user`	`principal.user.userid`
`tiIndicator.value`	`security_result.about.file.md5`	If the `tiIndicator.type` log field value is equal to `Md5`, then the `tiIndicator.value` log field is mapped to the `security_result.about.file.md5` UDM field.
`tiIndicator.value`	`security_result.about.file.sha1`	If the `tiIndicator.type` log field value is equal to `Sha1`, then the `tiIndicator.value` log field is mapped to the `security_result.about.file.sha1` UDM field.
`tiIndicator.value`	`security_result.about.ip`	If the `tiIndicator.type` log field value contain one of the following values, then the `tiIndicator.value` log field is mapped to the `security_result.about.ip` UDM field. `IPv4` `IPV6`
`tiIndicator.value`	`security_result.about.labels[tiIndicator.value]` (deprecated)	If the `tiIndicator.type` log field value does not contain one of the following values, then the `tiIndicator.value` log field is mapped to the `security_result.about.labels` UDM field. `Md5` `Sha1` `IPV4` `IPV6` `DNS` `URL`
`tiIndicator.value`	`additional.fields[tiIndicator.value]`	If the `tiIndicator.type` log field value does not contain one of the following values, then the `tiIndicator.value` log field is mapped to the `additional.fields` UDM field. `Md5` `Sha1` `IPV4` `IPV6` `DNS` `URL`
`tiIndicator.value`	`network.dns.questions.name`	If the `tiIndicator.type` log field value is equal to `DNS`, then the `tiIndicator.value` log field is mapped to the `network.dns.questions.name` UDM field.
`tiIndicator.value`	`security_result.about.url`	If the `tiIndicator.type` log field value is equal to `URL`, then the `tiIndicator.value` log field is mapped to the `security_result.about.url` UDM field.
`winEventLog.providerName`	`security_result.about.resource.attribute.labels[win_event_log_provider_name]`
`tiIndicator.addedBy`	`security_result.about.user.email_addresses`
`tiIndicator.threatActors`	`security_result.about.user.email_addresses`
	`security_result.action`	If the `event.login.loginIsSuccessful` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, if the `event.login.loginIsSuccessful` log field value is equal to `false`, then the `security_result.action` UDM field is set to `BLOCK`. If the `event.network.connectionStatus` log field value is equal to `SUCCESS`, then the `security_result.action` UDM field is set to `ALLOW`. Else, if the `event.network.connectionStatus` log field value is equal to `FAILURE`, then the `security_result.action` UDM field is set to `FAIL`. Else, if the `event.network.connectionStatus` log field value is equal to `BLOCKED`, then the `security_result.action` UDM field is set to `BLOCK`.
`event.network.connectionStatus`	`security_result.action_details`
`tiIndicator.mitreTactics`	`security_result.attack_details.tactics.name`
	`security_result.category`	If the `indicator.category` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`. `malicious` `Ransomware` `OSX.Malware` `Linux.Malware` `Malware` `Manual` Else, if the `indicator.category` log field value contain one of the following values, then the `security_result.category` UDM field is set to `NETWORK_SUSPICIOUS`. `Lateral Movement` `Remote shell` Else, if the `indicator.category` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `miner` `Trojan` `Virus` `Malicious Office Document` `Malicious PDF` `Worm` `Rootkit` `Infostealer` `Generic.Heuristic` `Downloader` `Backdoor` `Hacktool` `Browser` `Dialer` `Installer` `Packed` `Network` `Spyware` `Interactive shell` Else, if the `indicator.category` log field value contain one of the following values, then the `security_result.category` UDM field is set to `SOFTWARE_PUA`. `Adware` `PUA` Else, if the `indicator.category` log field value is equal to `Exploit`, then the `security_result.category` UDM field is set to `EXPLOIT`.
	`security_result.category`	If the `tiIndicator.categories` log field value matches the regular expression pattern `malware`, then the `security_result.category` UDM field is set to `SOFTWARE_MALICIOUS`.
`indicator.category`	`security_result.category_details`
`tiIndicator.categories`	`security_result.category_details`
`indicator.description`	`security_result.description`
`event.login.failureReason`	`security_result.description`
`tiIndicator.description`	`security_result.descripton`
`indicator.metadata`	`security_result.detection_fields [indicator_metadata]`
`indicator.name`	`security_result.detection_fields [indicator_name]`
`tiIndicator.comparisonMethod`	`security_result.detection_fields [ti_indicator_comparison_method]`
`tiIndicator.creationTime`	`security_result.detection_fields [ti_indicator_creation_time]`
`tiIndicator.externalId`	`security_result.detection_fields [ti_indicator_external_id]`
`tiIndicator.metadata`	`security_result.detection_fields [ti_indicator_metadata]`
`tiIndicator.modificationTime`	`security_result.detection_fields [ti_indicator_modification_time]`
`tiindicator.originalEvent.id`	`security_result.detection_fields [ti_indicator_original_event_id]`
`tiindicator.originalEvent.index`	`security_result.detection_fields [ti_indicator_original_event_index]`
`tiindicator.originalEvent.time`	`security_result.detection_fields [ti_indicator_original_event_time]`
`tiindicator.originalEvent.traceId`	`security_result.detection_fields [ti_indicator_original_event_trace_id]`
`tiIndicator.references`	`security_result.detection_fields [ti_indicator_references]`
`tiIndicator.intrusionSets`	`security_result.detection_fields [ti_indicator_tiIndicator_intrusion_sets]`
`tiIndicator.type`	`security_result.detection_fields [ti_indicator_type]`
`tiIndicator.uid`	`security_result.detection_fields [ti_indicator_uid]`
`tiIndicator.uploadTime`	`security_result.detection_fields [ti_indicator_upload_time]`
`tiIndicator.validUntil`	`security_result.detection_fields [ti_indicator_valid_until]`
`osSrc.process.parent.reasonSignatureInvalid`	`security_result.detection_fields[os_src_process_parent_reason_signature_invalid]`
`osSrc.process.reasonSignatureInvalid`	`security_result.detection_fields[os_src_process_reason_signature_invalid]`
`tgt.process.reasonSignatureInvalid`	`security_result.detection_fields[tgt_process_reason_signature_invalid]`
	`security_result.severity`	If the `winEventLog.level` log field value matches the regular expression pattern `^(INFO\|Informational\|Information\|Normal\|NOTICE)$`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `winEventLog.level` log field value contain one of the following values, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. `Warning` `DEBUG` Else, if the `winEventLog.level` log field value matches the regular expression pattern `Error`, then the `security_result.severity` UDM field is set to `ERROR`. Else, if the `winEventLog.level` log field value matches the regular expression pattern `Critical`, then the `security_result.severity` UDM field is set to `CRITICAL`.
`winEventLog.level`	`security_result.severity_details`
`tiIndicator.name`	`security_result.threat_name`
`tiIndicator.source`	`security_result.threat_feed_name`
`tgt.file.oldPath`	`src.file.full_path`
`tgt.file.oldMd5`	`src.file.md5`	If the `tgt.file.oldMd5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `tgt.file.oldMd5` log field is mapped to the `src.file.md5` UDM field.
`driver.peSha1`	`target.process.file.sha1`	If the `driver.peSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `driver.peSha1` log field is mapped to the `target.process.file.sha1` UDM field.
`tgt.file.oldSha1`	`src.file.sha1`	If the `tgt.file.oldSha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `tgt.file.oldSha1` log field is mapped to the `src.file.sha1` UDM field.
`driver.peSha256`	`target.process.file.sha256`	If the `driver.peSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `driver.peSha256` log field is mapped to the `target.process.file.sha256` UDM field.
`tgt.file.oldSha256`	`src.file.sha256`	If the `tgt.file.oldSha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `tgt.file.oldSha256` log field is mapped to the `src.file.sha256` UDM field.
`driver.certificate.thumbprintAlgorithm`	`target.labels[driver_certificate_thumbprint_algorithm]` (deprecated)
`driver.certificate.thumbprintAlgorithm`	`additional.fields[driver_certificate_thumbprint_algorithm]`
`driver.certificate.thumbprint`	`target.labels[driver_certificate_thumbprint]` (deprecated)
`driver.certificate.thumbprint`	`additional.fields[driver_certificate_thumbprint]`
`driver.isLoadedBeforeMonitor`	`target.labels[driver_is_loaded_before_monitor]` (deprecated)
`driver.isLoadedBeforeMonitor`	`additional.fields[driver_is_loaded_before_monitor]`
`driver.loadVerdict`	`target.labels[driver_load_verdict]` (deprecated)
`driver.loadVerdict`	`additional.fields[driver_load_verdict]`
`driver.startType`	`target.labels[driver_start_type]` (deprecated)
`driver.startType`	`additional.fields[driver_start_type]`
`registry.oldValueFullSize`	`src.labels[registry_old_value_full_size]` (deprecated)
`registry.oldValueFullSize`	`additional.fields[registry_old_value_full_size]`
`registry.oldValueIsComplete`	`src.labels[registry_old_valueIs_complete]` (deprecated)
`registry.oldValueIsComplete`	`additional.fields[registry_old_valueIs_complete]`
`registry.oldValue`	`src.registry.registry_value_data`
`registry.oldValueType`	`src.registry.registry_value_name`
`tgt.file.location`	`target.labels[tgt_file_location]` (deprecated)
`tgt.file.location`	`additional.fields[tgt_file_location]`
`cmdScript.applicationName`	`target.application`
`event.login.accountDomain`	`target.domain.name`
`tgt.file.path`	`target.file.full_path`
`tgt.file.modificationTime`	`target.file.last_modification_time`
`tgt.file.md5`	`target.file.md5`	If the `tgt.file.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `tgt.file.md5` log field is mapped to the `target.file.md5` UDM field.
`tgt.file.extension`	`target.file.mime_type`
`tgt.file.id`	`target.file.names`
`tgt.file.internalName`	`target.file.names`
`tgt.file.sha1`	`target.file.sha1`	If the `tgt.file.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `tgt.file.sha1` log field is mapped to the `target.file.sha1` UDM field.
`tgt.file.sha256`	`target.file.sha256`	If the `tgt.file.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `tgt.file.sha256` log field is mapped to the `target.file.sha256` UDM field.
`tgt.file.size`	`target.file.size`
	`target.file.file_type`	If the `tgt.file.type` log field value is equal to `PE`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PE_EXE`. Else, if the `tgt.file.type` log field value is equal to `ELF`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_ELF`. Else, if the `tgt.file.type` log field value is equal to `MACH`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_MACH_O`. Else, if the `tgt.file.type` log field value is equal to `PDF`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PDF`. Else, if the `tgt.file.type` log field value is equal to `COM`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_DOS_COM`. Else, if the `tgt.file.type` log field value is equal to `COM`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_DOS_COM`. Else, if the `tgt.file.type` log field value is equal to `OPENXML`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_XML`. Else, if the `tgt.file.type` log field value is equal to `PKZIP`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_ZIP`. Else, if the `tgt.file.type` log field value is equal to `RAR`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_RAR`. Else, if the `tgt.file.type` log field value is equal to `BZIP2`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_BZIP`. Else, if the `tgt.file.type` log field value is equal to `TAR`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_TAR`. Else, if the `tgt.file.type` log field value is equal to `LNK`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_LNK`.
`url.address`	`target.hostname`	The `protocol` and `hostname` field is extracted from `url.address` log field using the Grok pattern, and the `hostname` extracted field is mapped to the `target.hostname` UDM field.
`url.address`	`target.asset.hostname`	The `protocol` and `hostname` field is extracted from `url.address` log field using the Grok pattern, and the `hostname` extracted field is mapped to the `target.hostname` UDM field.
`dst.ip.address`	`target.ip`
`cmdScript.isComplete`	`target.labels[cmd_script_is_complete]` (deprecated)
`cmdScript.isComplete`	`additional.fields[cmd_script_is_complete]`
`registry.keyUid`	`target.labels[registry_key_uid]` (deprecated)
`registry.keyUid`	`additional.fields[registry_key_uid]`
`registry.valueFullSize`	`target.labels[registry_value_full_size]` (deprecated)
`registry.valueFullSize`	`additional.fields[registry_value_full_size]`
`registry.valueIsComplete`	`target.labels[registry_value_is_complete]` (deprecated)
`registry.valueIsComplete`	`additional.fields[registry_value_is_complete]`
`tgt.file.convictedBy`	`target.labels[tgt_file_convicted_by]` (deprecated)
`tgt.file.convictedBy`	`additional.fields[tgt_file_convicted_by]`
`tgt.file.creationTime`	`target.labels[tgt_file_creation_time]` (deprecated)
`tgt.file.creationTime`	`additional.fields[tgt_file_creation_time]`
`tgt.file.description`	`target.labels[tgt_file_description]` (deprecated)
`tgt.file.description`	`additional.fields[tgt_file_description]`
`tgt.file.isExecutable`	`target.labels[tgt_file_is_executable]` (deprecated)
`tgt.file.isExecutable`	`additional.fields[tgt_file_is_executable]`
`tgt.file.isSigned`	`target.labels[tgt_file_is_signed]` (deprecated)
`tgt.file.isSigned`	`additional.fields[tgt_file_is_signed]`
`tgt.process.accessRights`	`target.labels[tgt_process_access_rights]` (deprecated)
`tgt.process.accessRights`	`additional.fields[tgt_process_access_rights]`
`tgt.process.activeContent.hash`	`target.labels[tgt_process_active_content_hash]` (deprecated)
`tgt.process.activeContent.hash`	`additional.fields[tgt_process_active_content_hash]`
`tgt.process.activeContent.id`	`target.labels[tgt_process_active_content_id]` (deprecated)
`tgt.process.activeContent.id`	`additional.fields[tgt_process_active_content_id]`
`tgt.process.activeContent.path`	`target.labels[tgt_process_active_content_path]` (deprecated)
`tgt.process.activeContent.path`	`additional.fields[tgt_process_active_content_path]`
`tgt.process.activeContent.signedStatus`	`target.labels [tgt_process_active_content_signed_status]` (deprecated)
`tgt.process.activeContent.signedStatus`	`additional.fields [tgt_process_active_content_signed_status]`
`tgt.process.activeContentType`	`target.labels[tgt_process_active_content_type]` (deprecated)
`tgt.process.activeContentType`	`additional.fields[tgt_process_active_content_type]`
`tgt.process.displayName`	`target.labels[tgt_process_display_name]` (deprecated)
`tgt.process.displayName`	`additional.fields[tgt_process_display_name]`
`tgt.process.image.binaryIsExecutable`	`target.labels[tgt_process_image_binary_is_executable]` (deprecated)
`tgt.process.image.binaryIsExecutable`	`additional.fields[tgt_process_image_binary_is_executable]`
`tgt.process.integrityLevel`	`target.labels[tgt_process_integrity_level]` (deprecated)
`tgt.process.integrityLevel`	`additional.fields[tgt_process_integrity_level]`
`tgt.process.isNative64Bit`	`target.labels[tgt_process_is_native_64_bit]` (deprecated)
`tgt.process.isNative64Bit`	`additional.fields[tgt_process_is_native_64_bit]`
`tgt.process.isRedirectCmdProcessor`	`target.labels[tgt_process_is_redirect_cmd_processor]` (deprecated)
`tgt.process.isRedirectCmdProcessor`	`additional.fields[tgt_process_is_redirect_cmd_processor]`
`tgt.process.isStorylineRoot`	`target.labels[tgt_process_is_storyline_root]` (deprecated)
`tgt.process.isStorylineRoot`	`additional.fields[tgt_process_is_storyline_root]`
`tgt.process.publisher`	`target.labels[tgt_process_publisher]` (deprecated)
`tgt.process.publisher`	`additional.fields[tgt_process_publisher]`
`tgt.process.relation`	`target.labels[tgt_process_relation]` (deprecated)
`tgt.process.relation`	`additional.fields[tgt_process_relation]`
`tgt.process.sessionId`	`target.labels[tgt_process_session_id]` (deprecated)
`tgt.process.sessionId`	`additional.fields[tgt_process_session_id]`
`tgt.process.signedStatus`	`target.process.file.signature_info.sigcheck.verification_message`
`tgt.process.startTime`	`target.labels[tgt_process_start_time]` (deprecated)
`tgt.process.startTime`	`additional.fields[tgt_process_start_time]`
`tgt.process.storyline.id`	`target.labels[tgt_process_storyline_id]` (deprecated)
`tgt.process.storyline.id`	`additional.fields[tgt_process_storyline_id]`
`tgt.process.subsystem`	`target.labels[tgt_process_subsystem]` (deprecated)
`tgt.process.subsystem`	`additional.fields[tgt_process_subsystem]`
`tgt.process.verifiedStatus`	`target.labels[tgt_process_verified_status]` (deprecated)
`tgt.process.verifiedStatus`	`additional.fields[tgt_process_verified_status]`
`dst.port.number`	`target.port`
`cmdScript.content`	`target.process.command_line`
`tgt.process.cmdline`	`target.process.command_line`
`tgt.process.image.path`	`target.process.file.full_path`
`tgt.process.image.md5`	`target.process.file.md5`	If the `tgt.process.image.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `tgt.process.image.md5` log field is mapped to the `target.process.file.md5` UDM field.
`tgt.process.name`	`target.process.file.names`
`tgt.process.image.sha1`	`target.process.file.sha1`	If the `tgt.process.image.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `tgt.process.image.sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`cmdScript.sha256`	`target.process.file.sha256`	If the `cmdScript.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `cmdScript.sha256` log field is mapped to the `target.process.file.sha256` UDM field.
`tgt.process.image.sha256`	`target.process.file.sha256`	If the `tgt.process.image.sha256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `tgt.process.image.sha256` log field is mapped to the `target.process.file.sha256` UDM field.
`cmdScript.originalSize`	`target.process.file.size`
`tgt.process.pid`	`target.process.pid`
	`target.process.product_specific_process_id`	If the `tgt.process.uid` log field value is not empty, then the `SO:%{site.id}:%{account.id}:%{agent.uuid}:%{tgt.process.uid}` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`registry.keyPath`	`target.registry.registry_key`
`registry.value`	`target.registry.registry_value_data`
`registry.valueType`	`target.registry.registry_value_name`
`k8sCluster.namespaceLabels`	`target.resource_ancestors.attribute.labels[k8s_cluster_namespace_labels]`
`k8sCluster.namespace`	`target.resource_ancestors.attribute.labels[k8s_cluster_namespace]`
`k8sCluster.name`	`target.resource_ancestors.name`
	`target.resource_ancestors.resource_type`	If the `k8sCluster.name` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`.
`k8sCluster.controllerName`	`target.resource_ancestors.name`
`k8sCluster.controllerLabels`	`target.resource_ancestors.attribute.labels[k8s_cluster_controller_labels]`
	`target.resource_ancestors.resource_type`	If the `k8sCluster.controllerName` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`.
`k8sCluster.controllerType`	`target.resource_ancestors.resource_subtype`
`k8sCluster.podName`	`target.resource_ancestors.name`
`k8sCluster.podLabels`	`target.resource_ancestors.attribute.labels[k8s_cluster_pod_labels]`
	`target.resource_ancestors.resource_type`	If the `k8sCluster.podName` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `POD`.
`k8sCluster.nodeName`	`target.resource_ancestors.name`
	`target.resource_ancestors.resource_type`	If the `k8sCluster.nodeName` log field value is not empty, then the `target.resource_ancestors.resource_type` UDM field is set to `CLUSTER`.
	`target.resource_ancestors.resource_subtype`	If the `k8sCluster.nodeName` log field value is not empty, then the `target.resource_ancestors.resource_subtype` UDM field is set to `NODE`.
`k8sCluster.containerName`	`target.resource.name`
`k8sCluster.containerId`	`target.resource.product_object_id`
	`target.resource.resource_type`	If the `k8sCluster.containerName` log field value is not empty or the `k8sCluster.containerId` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `CONTAINER`.
`k8sCluster.containerImage.sha256`	`target.resource.attribute.labels[k8s_cluster_container_image_sha256]`
`k8sCluster.containerImage`	`target.resource.attribute.labels[k8s_cluster_container_image]`
`k8sCluster.containerLabels`	`target.resource.attribute.labels[k8s_cluster_container_labels]`
`namedPipe.name`	`target.resource.name`
`namedPipe.accessMode`	`target.resource.attribute.permission.name`
`namedPipe.connectionType`	`target.resource.attribute.labels[named_pipe_connection_type]`
`namedPipe.isFirstInstance`	`target.resource.attribute.labels[named_pipe_is_first_instance]`
`namedPipe.isOverlapped`	`target.resource.attribute.labels[named_pipe_is_overlapped]`
`namedPipe.isWriteThrough`	`target.resource.attribute.labels[named_pipe_is_write_through]`
`namedPipe.maxInstances`	`target.resource.attribute.labels[named_pipe_max_instances]`
`namedPipe.readMode`	`target.resource.attribute.labels[named_pipe_read_mode]`
`namedPipe.remoteClients`	`target.resource.attribute.labels[named_pipe_remote_clients]`
`namedPipe.securityGroups`	`target.resource.attribute.labels[named_pipe_security_groups]`
`namedPipe.securityOwner`	`target.resource.attribute.labels[named_pipe_security_owner]`
`namedPipe.typeMode`	`target.resource.attribute.labels[named_pipe_type_mode]`
`namedPipe.waitMode`	`target.resource.attribute.labels[named_pipe_wait_mode]`
`task.name`	`target.resource.name`
`task.path`	`target.resource.attribute.labels[task_path]`
	`target.resource.resource_type`	If the `event.category` log field value is equal to `scheduled_task`, then the `target.resource.resource_type` UDM field is set to `TASK`. If the `event.type` log field value contain one of the following values, then the `target.resource.resource_type` UDM field is set to `PIPE`. `Named Pipe Creation` `Named Pipe Connection`
`url.address`	`target.url`
`tgt.process.eUserName`	`target.user.attribute.labels[tgt_process_e_user_name]`
`tgt.process.eUserUid`	`target.user.attribute.labels[tgt_process_e_user_uid]`
`tgt.process.lUserName`	`target.user.attribute.labels[tgt_process_l_user_name]`
`tgt.process.lUserUid`	`target.user.attribute.labels[tgt_process_l_user_uid]`
`tgt.process.rUserName`	`target.user.attribute.labels[tgt_process_r_user_name]`
`tgt.process.rUserUid`	`target.user.attribute.labels[tgt_process_r_user_uid]`
`tgt.process.user`	`target.user.userid`
`event.login.accountName`	`target.user.user_display_name`
	`target.user.user_role`	If the `event.login.isAdministratorEquivalent` log field value is equal to `true`, then the `target.user.user_role` UDM field is set to `ADMINISTRATOR`.
`event.login.userName`	`target.user.userid`
`event.login.accountSid`	`target.user.windows_sid`
`module.path`	`target.process.file.full_path`
`module.md5`	`target.process.file.md5`	If the `module.md5` log field value matches the regular expression pattern `^[a-f0-9]{32}$`, then the `module.md5` log field is mapped to the `target.process.file.md5` UDM field.
`module.sha1`	`target.process.file.sha1`	If the `module.sha1` log field value matches the regular expression pattern `^[a-f0-9]{40}$`, then the `module.sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`mgmt.url`	`about.url`
`dataSource.category`	`about.labels[data_source_category]` (deprecated)
`dataSource.category`	`additional.fields[data_source_category]`
`dataSource.name`	`about.labels[data_source_name]` (deprecated)
`dataSource.name`	`additional.fields[data_source_name]`
`dataSource.vendor`	`about.labels[data_source_vendor]` (deprecated)
`dataSource.vendor`	`additional.fields[data_source_vendor]`
`event.category`	`about.labels[event_category]` (deprecated)
`event.category`	`additional.fields[event_category]`
`event.login.baseType`	`about.labels[event_login_base_type]` (deprecated)
`event.login.baseType`	`additional.fields[event_login_base_type]`
`event.network.protocolName`	`about.labels[event_network_protocol_name]` (deprecated)
`event.network.protocolName`	`additional.fields[event_network_protocol_name]`
`event.repetitionCount`	`about.labels[event_repetition_count]` (deprecated)
`event.repetitionCount`	`additional.fields[event_repetition_count]`
`event.login.isAdministratorEquivalent`	`about.labels[event_login_is_administrator_equivalent]` (deprecated)
`event.login.isAdministratorEquivalent`	`additional.fields[event_login_is_administrator_equivalent]`
`group.id`	`about.labels[group_id]` (deprecated)	If the `event.type` log field value is equal to `Group Creation`, then the `group.id` log field is mapped to the `target.group.product_object_id` UDM field. Else, the `group.id` log field is mapped to the `about.labels` UDM field.
`group.id`	`additional.fields[group_id]`	If the `event.type` log field value is equal to `Group Creation`, then the `group.id` log field is mapped to the `target.group.product_object_id` UDM field. Else, the `group.id` log field is mapped to the `additional.fields` UDM field.
`i.scheme`	`about.labels[i_scheme]` (deprecated)
`i.scheme`	`additional.fields[i_scheme]`
`i.version`	`about.labels[i_version]` (deprecated)
`i.version`	`additional.fields[i_version]`
`meta.event.name`	`about.labels[meta_event_name]` (deprecated)
`meta.event.name`	`additional.fields[meta_event_name]`
`mgmt.id`	`about.labels[mgmt_id]` (deprecated)
`mgmt.id`	`additional.fields[mgmt_id]`
`mgmt.osRevision`	`about.labels[mgmt_os_revision]` (deprecated)
`mgmt.osRevision`	`additional.fields[mgmt_os_revision]`
`packet.id`	`about.labels[packet_id]` (deprecated)
`packet.id`	`additional.fields[packet_id]`
`sca:atlantisIngestTime`	`about.labels[sca_atlantis_ingest_time]` (deprecated)
`sca:atlantisIngestTime`	`additional.fields[sca_atlantis_ingest_time]`
`sca:ingestTime`	`about.labels[sca_ingest_time]` (deprecated)
`sca:ingestTime`	`additional.fields[sca_ingest_time]`
`timestamp`	`about.labels[timestamp]` (deprecated)
`timestamp`	`additional.fields[timestamp]`
`trace.id`	`about.labels[trace_id]` (deprecated)
`trace.id`	`additional.fields[trace_id]`
`winEventLog.channel`	`about.labels[win_event_log_channel]` (deprecated)
`winEventLog.channel`	`additional.fields[win_event_log_channel]`
`winEventLog.description.additionalInformation`	`about.labels[win_event_log_description_additional_information]` (deprecated)
`winEventLog.description.additionalInformation`	`additional.fields[win_event_log_description_additional_information]`
`winEventLog.description.objectName`	`about.labels[win_event_log_description_object_name]` (deprecated)
`winEventLog.description.objectName`	`additional.fields[win_event_log_description_object_name]`
`winEventLog.description.objectServer`	`about.labels[win_event_log_description_object_server]` (deprecated)
`winEventLog.description.objectServer`	`additional.fields[win_event_log_description_object_server]`
`winEventLog.description.objectType`	`about.labels[win_event_log_description_object_type]` (deprecated)
`winEventLog.description.objectType`	`additional.fields[win_event_log_description_object_type]`
`winEventLog.description.operationType`	`about.labels[win_event_log_description_operation_type]` (deprecated)
`winEventLog.description.operationType`	`additional.fields[win_event_log_description_operation_type]`
`winEventLog.description.securityId`	`about.labels[win_event_log_description_security_id]` (deprecated)
`winEventLog.description.securityId`	`additional.fields[win_event_log_description_security_id]`
`winEventLog.description.userId`	`about.labels[win_event_log_description_user_id]` (deprecated)
`winEventLog.description.userId`	`additional.fields[win_event_log_description_user_id]`
`winEventLog.xml`	`about.labels[win_event_log_xml]` (deprecated)
`winEventLog.xml`	`additional.fields[win_event_log_xml]`

Nächste Schritte

Datenaufnahme in Google Security Operations