Coletar registros do funil do SentinelOne Cloud

Compatível com:

Este documento descreve como exportar os registros do funil do SentinelOne Cloud configurando um feed do Google Security Operations e como os campos de registro são mapeados para os campos do modelo de dados unificado (UDM, na sigla em inglês) do Google Security Operations.

Para mais informações, consulte Visão geral da ingestão de dados para as Operações de segurança do Google.

Uma implantação típica consiste no SentinelOne Cloud Funnel e no feed do Google Security Operations configurado para enviar logs ao Google Security Operations. Cada implantação do cliente pode ser diferente e mais complexa.

A implantação contém os seguintes componentes:

  • SentinelOne: a plataforma em que você coleta registros.

  • Feed do Google Security Operations: o feed do Google Security Operations que busca registros do SentinelOne e os grava no Google Security Operations.

  • Operações de segurança do Google: retém e analisa os registros.

Um rótulo de ingestão identifica o analisador que normaliza os dados de registro brutos para o formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de ingestão SENTINELONE_CF.

Antes de começar

  • Verifique se você está usando o SentinelOne Cloud Funnel v2.0.
  • Confira se você tem acesso ao console do SentinelOne.
  • Verifique se você tem direitos de administrador para instalar o agente do SentinelOne. Para ter direitos de administrador, entre em contato com o usuário administrador.

Configurar o funil do SentinelOne Cloud

  1. Faça login no console de gerenciamento do SentinelOne.
  2. Na barra de ferramentas Configurações, clique em Integrações > Cloud Funnel.
  3. Na lista Provedor de nuvem, selecione Google Cloud.
  4. No campo Nome do armazenamento do GCS, insira o nome do bucket do Cloud Storage.
  5. Clique em Validar para verificar se o bucket existe e se o SentinelOne tem acesso de leitura e gravação a ele.
  6. Selecione Ativar streaming de telemetria para transmitir seus dados de XDR para o bucket.

Configurar um feed de ingestão do Google Security Operations

  1. No menu "Google Security Operations", selecione Settings.
  2. Clique em Feeds.
  3. clique em Add new;
  4. Selecione Google Cloud Storage como o Tipo de origem.
  5. Selecione SentinelOne Singularity Cloud Funnel como o Tipo de registro para criar um feed para o SentinelOne Cloud Funnel.
  6. Clique em Acessar uma conta de serviço.
  7. Clique em Próxima.
  8. Configure os seguintes parâmetros de entrada:
    • URI do bucket do Cloud Storage: o URI de origem do bucket do Google Cloud Storage.
    • URI é um: o tipo de objeto que o URI aponta.
    • Opção de exclusão da origem: se os arquivos ou diretórios serão excluídos após a transferência.
  9. Clique em Próxima e em Enviar.

Para mais informações sobre os feeds do Google Security Operations, consulte a documentação sobre feeds do Google Security Operations. Para informações sobre os requisitos de cada tipo de feed, consulte Configuração de feed por tipo. Se você tiver problemas ao criar feeds, entre em contato com o suporte da Google Security Operations.

Tipos de registro do Cloud Funnel do SentinelOne com suporte

O analisador do Cloud Funnel do SentinelOne é compatível com os seguintes tipos de registro:

Event Type

  • Process Exit
  • Process Modification
  • Process Creation
  • Duplicate Process Handle
  • Duplicate Thread Handle
  • Open Remote Process Handle
  • Remote Thread Creation
  • Remote Process Termination
  • Command Script
  • IP Connect
  • IP Listen
  • File Modification
  • File Creation
  • File Scan
  • File Deletion
  • File Rename
  • Pre Execution Detection
  • Login
  • Logout
  • GET
  • OPTIONS
  • POST
  • PUT
  • DELETE
  • CONNECT
  • HEAD
  • DNS Resolved
  • DNS Unresolved
  • Task Register
  • Task Update
  • Task Start
  • Task Trigger
  • Task Delete
  • Registry Key Create
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Key Import
  • Registry Value Modified
  • Registry Value Create
  • Registry Value Delete
  • Behavioral Indicators
  • Module Load
  • Driver Load
  • Not Reported
  • Group Creation
  • Firmware Test
  • Threat Intelligence Indicators
  • Named Pipe Creation
  • Named Pipe Connection
  • Windows Event Log Creation

Referência de mapeamento de campo

Esta seção explica como o analisador de Operações de segurança do Google mapeia os campos do SentinelOne para os campos do Modelo de dados unificado (UDM) das Operações de segurança do Google.

Referência de mapeamento de campo: identificador de evento para tipo de evento

A tabela a seguir lista os tipos de registro SENTINELONE_CF e os tipos de evento do UDM correspondentes.
Event Identifier Event Type
Process Exit PROCESS_TERMINATION
Process Modification PROCESS_UNCATEGORIZED
Process Creation PROCESS_LAUNCH
Duplicate Process Handle PROCESS_UNCATEGORIZED
Duplicate Thread Handle PROCESS_UNCATEGORIZED
Open Remote Process Handle PROCESS_UNCATEGORIZED
Remote Thread Creation PROCESS_UNCATEGORIZED
Remote Process Termination PROCESS_TERMINATION
Command Script PROCESS_UNCATEGORIZED
IP Connect NETWORK_CONNECTION
IP Listen STATUS_UPDATE
File Modification FILE_MODIFICATION
File Creation FILE_CREATION
File Scan SCAN_FILE
File Deletion FILE_DELETION
File Rename FILE_MOVE
Pre Execution Detection STATUS_UPDATE
Login USER_LOGIN
Logout USER_LOGOUT
GET NETWORK_HTTP
OPTIONS NETWORK_HTTP
POST NETWORK_HTTP
PUT NETWORK_HTTP
DELETE NETWORK_HTTP
CONNECT NETWORK_HTTP
HEAD NETWORK_HTTP
DNS Resolved NETWORK_DNS
DNS Unresolved NETWORK_DNS
Task Register SCHEDULED_TASK_CREATION
Task Update SCHEDULED_TASK_MODIFICATION
Task Start SCHEDULED_TASK_UNCATEGORIZED
Task Trigger SCHEDULED_TASK_UNCATEGORIZED
Task Delete SCHEDULED_TASK_DELETION
Registry Key Create REGISTRY_CREATION
Registry Key Rename REGISTRY_UNCATEGORIZED
Registry Key Delete REGISTRY_DELETION
Registry Key Export REGISTRY_UNCATEGORIZED
Registry Key Security Changed REGISTRY_MODIFICATION
Registry Key Import REGISTRY_UNCATEGORIZED
Registry Value Modified REGISTRY_MODIFICATION
Registry Value Create REGISTRY_CREATION
Registry Value Delete REGISTRY_DELETION
Behavioral Indicators STATUS_UPDATE
Module Load PROCESS_MODULE_LOAD
Driver Load PROCESS_MODULE_LOAD
Not Reported NETWORK_HTTP
Group Creation GROUP_CREATION
Firmware Test STATUS_UPDATE
Threat Intelligence Indicators STATUS_UPDATE
Named Pipe Creation RESOURCE_CREATION
Named Pipe Connection STATUS_UPDATE

Referência de mapeamento de campo: SENTINELONE_CF

A tabela a seguir lista os campos de registro do tipo SENTINELONE_CF e os campos correspondentes do UDM.

Log field UDM mapping Logic
winEventLog.description about.labels[win_event_log_description] (deprecated)
winEventLog.description additional.fields[win_event_log_description]
event.time metadata.event_timestamp
winEventLog.creationDate about.labels[win_event_log_creation_date] (deprecated)
winEventLog.creationDate additional.fields[win_event_log_creation_date]
account.id metadata.product_deployment_id
event.type metadata.product_event_type
event.id metadata.product_log_id
winEventLog.id about.labels[win_event_log_id] (deprecated)
winEventLog.id additional.fields[win_event_log_id]
metadata.vendor_name The metadata.vendor_name UDM field is set to SentinelOne.
extensions.auth.auth_details If the event.type log field value contain one of the following values, then the event.type log field is mapped to the extensions.auth.auth_details UDM field.
  • Login
  • Logout
extensions.auth.mechanism If the event.login.type log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the event.login.type log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.

Else, if the event.login.type log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the event.login.type log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the event.login.type log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the event.login.type log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the event.login.type log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.

Else, if the event.login.type log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the event.login.type log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.

Else, if the event.login.type log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK.
network.application_protocol If the event.type log field value contain one of the following values, then the network.application_protocol UDM field is set to DNS.
  • DNS Resolved
  • DNS Unresolved
network.direction If the event.network.direction log field value is equal to OUTGOING, then the network.direction UDM field is set to OUTBOUND.

Else, if the event.network.direction log field value is equal to INCOMING, then the network.direction UDM field is set to INBOUND.
event.dns.response network.dns.answers.name
event.dns.response network.dns.answers.type
event.dns.request network.dns.questions.name
event.url.action network.http.method
event.login.sessionId network.session_id
agent.uuid principal.asset.asset_id
agent.uuid principal.asset_id
agent.version principal.asset.attribute.labels[agent_version]
winEventLog.description.accountDomain principal.labels[win_event_log_description_account_domain] (deprecated)
winEventLog.description.accountDomain additional.fields[win_event_log_description_account_domain]
principal.asset.platform_software.platform If the endpoint.os log field value is equal to windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the endpoint.os log field value is equal to linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
principal.asset.type If the endpoint.type log field value is equal to laptop, then the principal.asset.type UDM field is set to LAPTOP.

Else, if the endpoint.type log field value contain one of the following values, then the principal.asset.type UDM field is set to SERVER.
  • server
  • Kubernetes Node
Else, if the endpoint.type log field value is equal to desktop, then the principal.asset.type UDM field is set to WORKSTATION.
endpoint.name principal.hostname
endpoint.name principal.asset.hostname
src.endpoint.ip.address principal.ip
src.ip.address principal.ip
osSrc.process.activeContent.hash principal.labels[os_src_process_active_content_hash] (deprecated)
osSrc.process.activeContent.hash additional.fields[os_src_process_active_content_hash]
osSrc.process.activeContent.id principal.labels[os_src_process_active_content_id] (deprecated)
osSrc.process.activeContent.id additional.fields[os_src_process_active_content_id]
osSrc.process.activeContent.path principal.labels[os_src_process_active_content_path] (deprecated)
osSrc.process.activeContent.path additional.fields[os_src_process_active_content_path]
osSrc.process.activeContent.signedStatus principal.labels[os_src_process_active_content_signed_status] (deprecated)
osSrc.process.activeContent.signedStatus additional.fields[os_src_process_active_content_signed_status]
osSrc.process.activeContentType principal.labels[os_src_process_active_content_type] (deprecated)
osSrc.process.activeContentType additional.fields[os_src_process_active_content_type]
osSrc.process.childProcCount principal.labels[os_src_process_child_proc_count] (deprecated)
osSrc.process.childProcCount additional.fields[os_src_process_child_proc_count]
osSrc.process.crossProcessCount principal.labels[os_src_process_cross_process_count] (deprecated)
osSrc.process.crossProcessCount additional.fields[os_src_process_cross_process_count]
osSrc.process.crossProcessDupRemoteProcessHandleCount principal.labels[os_src_process_cross_process_dup_rmote_process_handle_count] (deprecated)
osSrc.process.crossProcessDupRemoteProcessHandleCount additional.fields[os_src_process_cross_process_dup_rmote_process_handle_count]
osSrc.process.crossProcessDupThreadHandleCount principal.labels[os_src_process_cross_process_dup_thread_handle_count] (deprecated)
osSrc.process.crossProcessDupThreadHandleCount additional.fields[os_src_process_cross_process_dup_thread_handle_count]
osSrc.process.crossProcessOpenProcessCount principal.labels[os_src_process_cross_process_open_process_count] (deprecated)
osSrc.process.crossProcessOpenProcessCount additional.fields[os_src_process_cross_process_open_process_count]
osSrc.process.crossProcessOutOfStorylineCount principal.labels[os_src_process_cross_process_out_of_storyline_count] (deprecated)
osSrc.process.crossProcessOutOfStorylineCount additional.fields[os_src_process_cross_process_out_of_storyline_count]
osSrc.process.crossProcessThreadCreateCount principal.labels[os_src_process_cross_process_thread_create_count] (deprecated)
osSrc.process.crossProcessThreadCreateCount additional.fields[os_src_process_cross_process_thread_create_count]
osSrc.process.displayName principal.labels[os_src_process_display_name] (deprecated)
osSrc.process.displayName additional.fields[os_src_process_display_name]
osSrc.process.dnsCount principal.labels[os_src_process_dns_count] (deprecated)
osSrc.process.dnsCount additional.fields[os_src_process_dns_count]
osSrc.process.image.binaryIsExecutable principal.labels[os_src_process_image_binary_is_executable] (deprecated)
osSrc.process.image.binaryIsExecutable additional.fields[os_src_process_image_binary_is_executable]
osSrc.process.indicatorBootConfigurationUpdateCount principal.labels[os_src_process_indicator_boot_configuration_update_count] (deprecated)
osSrc.process.indicatorBootConfigurationUpdateCount additional.fields[os_src_process_indicator_boot_configuration_update_count]
osSrc.process.indicatorEvasionCount principal.labels[os_src_process_indicator_evasion_count] (deprecated)
osSrc.process.indicatorEvasionCount additional.fields[os_src_process_indicator_evasion_count]
osSrc.process.indicatorExploitationCount principal.labels[os_src_process_indicator_exploitation_count] (deprecated)
osSrc.process.indicatorExploitationCount additional.fields[os_src_process_indicator_exploitation_count]
osSrc.process.indicatorGeneral.count principal.labels[os_src_process_indicator_general_count] (deprecated)
osSrc.process.indicatorGeneral.count additional.fields[os_src_process_indicator_general_count]
osSrc.process.indicatorInfostealerCount principal.labels[os_src_process_indicator_infostealer_count] (deprecated)
osSrc.process.indicatorInfostealerCount additional.fields[os_src_process_indicator_infostealer_count]
osSrc.process.indicatorInjectionCount principal.labels[os_src_process_indicator_injection_count] (deprecated)
osSrc.process.indicatorInjectionCount additional.fields[os_src_process_indicator_injection_count]
osSrc.process.indicatorPersistenceCount principal.labels[os_src_process_indicator_persistence_count] (deprecated)
osSrc.process.indicatorPersistenceCount additional.fields[os_src_process_indicator_persistence_count]
osSrc.process.indicatorPostExploitationCount principal.labels[os_src_process_indicator_post_exploitation_count] (deprecated)
osSrc.process.indicatorPostExploitationCount additional.fields[os_src_process_indicator_post_exploitation_count]
osSrc.process.indicatorRansomwareCount principal.labels[os_src_process_indicator_ransomware_count] (deprecated)
osSrc.process.indicatorRansomwareCount additional.fields[os_src_process_indicator_ransomware_count]
osSrc.process.indicatorReconnaissanceCount principal.labels[os_src_process_indicator_reconnaissance_count] (deprecated)
osSrc.process.indicatorReconnaissanceCount additional.fields[os_src_process_indicator_reconnaissance_count]
osSrc.process.integrityLevel principal.labels[os_src_process_integrity_level] (deprecated)
osSrc.process.integrityLevel additional.fields[os_src_process_integrity_level]
osSrc.process.isNative64Bit principal.labels[os_src_process_is_native_64_bit] (deprecated)
osSrc.process.isNative64Bit additional.fields[os_src_process_is_native_64_bit]
osSrc.process.isRedirectCmdProcessor principal.labels[os_src_process_is_redirect_cmd_processor] (deprecated)
osSrc.process.isRedirectCmdProcessor additional.fields[os_src_process_is_redirect_cmd_processor]
osSrc.process.isStorylineRoot principal.labels[os_src_process_is_storyline_root] (deprecated)
osSrc.process.isStorylineRoot additional.fields[os_src_process_is_storyline_root]
osSrc.process.moduleCount principal.labels[os_src_process_module_count] (deprecated)
osSrc.process.moduleCount additional.fields[os_src_process_module_count]
osSrc.process.netConnCount principal.labels[os_src_process_net_conn_count] (deprecated)
osSrc.process.netConnCount additional.fields[os_src_process_net_conn_count]
osSrc.process.netConnInCount principal.labels[os_src_process_net_conn_in_count] (deprecated)
osSrc.process.netConnInCount additional.fields[os_src_process_net_conn_in_count]
osSrc.process.netConnOutCount principal.labels[os_src_process_net_conn_out_count] (deprecated)
osSrc.process.netConnOutCount additional.fields[os_src_process_net_conn_out_count]
osSrc.process.parent.activeContent.hash principal.labels[os_src_process_parent_active_content_hash] (deprecated)
osSrc.process.parent.activeContent.hash additional.fields[os_src_process_parent_active_content_hash]
osSrc.process.parent.activeContent.id principal.labels[os_src_process_parent_active_content_id] (deprecated)
osSrc.process.parent.activeContent.id additional.fields[os_src_process_parent_active_content_id]
osSrc.process.parent.activeContent.path principal.labels[os_src_process_parent_active_content_path] (deprecated)
osSrc.process.parent.activeContent.path additional.fields[os_src_process_parent_active_content_path]
osSrc.process.parent.activeContent.signedStatus principal.labels[os_src_process_parent_active_content_signed_status] (deprecated)
osSrc.process.parent.activeContent.signedStatus additional.fields[os_src_process_parent_active_content_signed_status]
osSrc.process.parent.activeContentType principal.labels[os_src_process_parent_active_content_type] (deprecated)
osSrc.process.parent.activeContentType additional.fields[os_src_process_parent_active_content_type]
osSrc.process.parent.displayName principal.labels[os_src_process_parent_display_name] (deprecated)
osSrc.process.parent.displayName additional.fields[os_src_process_parent_display_name]
osSrc.process.parent.integrityLevel principal.labels[os_src_process_parent_integrity_level] (deprecated)
osSrc.process.parent.integrityLevel additional.fields[os_src_process_parent_integrity_level]
osSrc.process.parent.isNative64Bit principal.labels[os_src_process_parent_is_native_64_bit] (deprecated)
osSrc.process.parent.isNative64Bit additional.fields[os_src_process_parent_is_native_64_bit]
osSrc.process.parent.isRedirectCmdProcessor principal.labels[os_src_process_parent_is_redirect_cmd_processor] (deprecated)
osSrc.process.parent.isRedirectCmdProcessor additional.fields[os_src_process_parent_is_redirect_cmd_processor]
osSrc.process.parent.isStorylineRoot principal.labels[os_src_process_parent_is_storyline_root] (deprecated)
osSrc.process.parent.isStorylineRoot additional.fields[os_src_process_parent_is_storyline_root]
osSrc.process.parent.publisher principal.labels[os_src_process_parent_publisher] (deprecated)
osSrc.process.parent.publisher additional.fields[os_src_process_parent_publisher]
osSrc.process.parent.sessionId principal.labels[os_src_process_parent_session_id] (deprecated)
osSrc.process.parent.sessionId additional.fields[os_src_process_parent_session_id]
osSrc.process.parent.signedStatus principal.process_ancestors.parent_process.file.signature_info.sigcheck.verification_message
osSrc.process.parent.startTime principal.labels[os_src_process_parent_start_time] (deprecated)
osSrc.process.parent.startTime additional.fields[os_src_process_parent_start_time]
osSrc.process.parent.storyline.id principal.labels[os_src_process_parent_storyline_id] (deprecated)
osSrc.process.parent.storyline.id additional.fields[os_src_process_parent_storyline_id]
src.process.parent.storyline.id principal.labels[src_process_parent_storyline_id] (deprecated)
src.process.parent.storyline.id additional.fields[src_process_parent_storyline_id]
osSrc.process.publisher principal.labels[os_src_process_publisher] (deprecated)
osSrc.process.publisher additional.fields[os_src_process_publisher]
osSrc.process.registryChangeCount principal.labels[os_src_process_registry_change_count] (deprecated)
osSrc.process.registryChangeCount additional.fields[os_src_process_registry_change_count]
osSrc.process.sessionId principal.labels[os_src_process_session_id] (deprecated)
osSrc.process.sessionId additional.fields[os_src_process_session_id]
osSrc.process.signedStatus principal.process_ancestors.file.signature_info.sigcheck.verification_message
osSrc.process.startTime principal.labels[os_src_process_start_time] (deprecated)
osSrc.process.startTime additional.fields[os_src_process_start_time]
osSrc.process.storyline.id principal.labels[os_src_process_storyline_id] (deprecated)
osSrc.process.storyline.id additional.fields[os_src_process_storyline_id]
osSrc.process.subsystem principal.labels[os_src_process_subsystem] (deprecated)
osSrc.process.subsystem additional.fields[os_src_process_subsystem]
osSrc.process.tgtFileCreationCount principal.labels[os_src_process_tgt_file_creation_count] (deprecated)
osSrc.process.tgtFileCreationCount additional.fields[os_src_process_tgt_file_creation_count]
osSrc.process.tgtFileDeletionCount principal.labels[os_src_process_tgt_file_deletion_count] (deprecated)
osSrc.process.tgtFileDeletionCount additional.fields[os_src_process_tgt_file_deletion_count]
osSrc.process.tgtFileModificationCount principal.labels[os_src_process_tgt_file_modification_count] (deprecated)
osSrc.process.tgtFileModificationCount additional.fields[os_src_process_tgt_file_modification_count]
osSrc.process.verifiedStatus principal.labels[os_src_process_verified_status] (deprecated)
osSrc.process.verifiedStatus additional.fields[os_src_process_verified_status]
process.unique.key principal.labels[process_unique_key] (deprecated)
process.unique.key additional.fields[process_unique_key]
site.name principal.labels[site_name] (deprecated)
site.name additional.fields[site_name]
src.process.activeContent.hash principal.labels[src_process_active_content_hash] (deprecated)
src.process.activeContent.hash additional.fields[src_process_active_content_hash]
src.process.activeContent.id principal.labels[src_process_active_content_id] (deprecated)
src.process.activeContent.id additional.fields[src_process_active_content_id]
src.process.activeContent.path principal.labels[src_process_active_content_path] (deprecated)
src.process.activeContent.path additional.fields[src_process_active_content_path]
src.process.activeContent.signedStatus principal.labels[src_process_active_content_signed_status] (deprecated)
src.process.activeContent.signedStatus additional.fields[src_process_active_content_signed_status]
src.process.activeContentType principal.labels[src_process_active_content_type] (deprecated)
src.process.activeContentType additional.fields[src_process_active_content_type]
src.process.childProcCount principal.labels[src_process_child_proc_count] (deprecated)
src.process.childProcCount additional.fields[src_process_child_proc_count]
src.process.crossProcessCount principal.labels[src_process_cross_process_count] (deprecated)
src.process.crossProcessCount additional.fields[src_process_cross_process_count]
src.process.crossProcessDupRemoteProcessHandleCount principal.labels[src_process_cross_process_dup_remote_process_handle_count] (deprecated)
src.process.crossProcessDupRemoteProcessHandleCount additional.fields[src_process_cross_process_dup_remote_process_handle_count]
src.process.crossProcessDupThreadHandleCount principal.labels[src_process_cross_process_dup_thread_handle_count] (deprecated)
src.process.crossProcessDupThreadHandleCount additional.fields[src_process_cross_process_dup_thread_handle_count]
src.process.crossProcessOpenProcessCount principal.labels[src_process_cross_process_open_process_count] (deprecated)
src.process.crossProcessOpenProcessCount additional.fields[src_process_cross_process_open_process_count]
src.process.crossProcessOutOfStorylineCount principal.labels[src_process_cross_process_out_of_storyline_count] (deprecated)
src.process.crossProcessOutOfStorylineCount additional.fields[src_process_cross_process_out_of_storyline_count]
src.process.crossProcessThreadCreateCount principal.labels[src_process_cross_process_thread_create_count] (deprecated)
src.process.crossProcessThreadCreateCount additional.fields[src_process_cross_process_thread_create_count]
src.process.displayName principal.labels[src_process_display_name] (deprecated)
src.process.displayName additional.fields[src_process_display_name]
src.process.dnsCount principal.labels[src_process_dns_count] (deprecated)
src.process.dnsCount additional.fields[src_process_dns_count]
src.process.image.binaryIsExecutable principal.labels[src_process_image_binary_is_executable] (deprecated)
src.process.image.binaryIsExecutable additional.fields[src_process_image_binary_is_executable]
src.process.indicatorBootConfigurationUpdateCount principal.labels[src_process_indicator_boot_configuration_update_count] (deprecated)
src.process.indicatorBootConfigurationUpdateCount additional.fields[src_process_indicator_boot_configuration_update_count]
src.process.indicatorEvasionCount principal.labels[src_process_indicator_evasion_count] (deprecated)
src.process.indicatorEvasionCount additional.fields[src_process_indicator_evasion_count]
src.process.indicatorExploitationCount principal.labels[src_process_indicator_exploitation_count] (deprecated)
src.process.indicatorExploitationCount additional.fields[src_process_indicator_exploitation_count]
src.process.indicatorGeneralCount principal.labels[src_process_indicator_general_count] (deprecated)
src.process.indicatorGeneralCount additional.fields[src_process_indicator_general_count]
src.process.indicatorInfostealerCount principal.labels[src_process_indicator_infostealer_count] (deprecated)
src.process.indicatorInfostealerCount additional.fields[src_process_indicator_infostealer_count]
src.process.indicatorInjectionCount principal.labels[src_process_indicator_injection_count] (deprecated)
src.process.indicatorInjectionCount additional.fields[src_process_indicator_injection_count]
src.process.indicatorPersistenceCount principal.labels[src_process_indicator_persistence_count] (deprecated)
src.process.indicatorPersistenceCount additional.fields[src_process_indicator_persistence_count]
src.process.indicatorPostExploitationCount principal.labels[src_process_indicator_post_exploitation_count] (deprecated)
src.process.indicatorPostExploitationCount additional.fields[src_process_indicator_post_exploitation_count]
src.process.indicatorRansomwareCount principal.labels[src_process_indicator_ransomware_count] (deprecated)
src.process.indicatorRansomwareCount additional.fields[src_process_indicator_ransomware_count]
src.process.indicatorReconnaissanceCount principal.labels[src_process_indicator_reconnaissance_count] (deprecated)
src.process.indicatorReconnaissanceCount additional.fields[src_process_indicator_reconnaissance_count]
src.process.integrityLevel principal.labels[src_process_integrity_level] (deprecated)
src.process.integrityLevel additional.fields[src_process_integrity_level]
src.process.isNative64Bit principal.labels[src_process_is_native_64_bit] (deprecated)
src.process.isNative64Bit additional.fields[src_process_is_native_64_bit]
src.process.isRedirectCmdProcessor principal.labels[src_process_is_redirect_cmd_processor] (deprecated)
src.process.isRedirectCmdProcessor additional.fields[src_process_is_redirect_cmd_processor]
src.process.isStorylineRoot principal.labels[src_process_is_storyline_root] (deprecated)
src.process.isStorylineRoot additional.fields[src_process_is_storyline_root]
src.process.lUserUid principal.labels[src_process_l_user_uid] (deprecated)
src.process.lUserUid additional.fields[src_process_l_user_uid]
src.process.moduleCount principal.labels[src_process_module_count] (deprecated)
src.process.moduleCount additional.fields[src_process_module_count]
src.process.netConnCount principal.labels[src_process_net_conn_count] (deprecated)
src.process.netConnCount additional.fields[src_process_net_conn_count]
src.process.netConnInCount principal.labels[src_process_net_conn_in_count] (deprecated)
src.process.netConnInCount additional.fields[src_process_net_conn_in_count]
src.process.netConnOutCount principal.labels[src_process_net_conn_out_count] (deprecated)
src.process.netConnOutCount additional.fields[src_process_net_conn_out_count]
src.process.parent.activeContent.hash principal.labels[src_process_parent_active_content_hash] (deprecated)
src.process.parent.activeContent.hash additional.fields[src_process_parent_active_content_hash]
src.process.parent.activeContent.id principal.labels[src_process_parent_active_content_id] (deprecated)
src.process.parent.activeContent.id additional.fields[src_process_parent_active_content_id]
src.process.parent.activeContent.path principal.labels[src_process_parent_active_content_path] (deprecated)
src.process.parent.activeContent.path additional.fields[src_process_parent_active_content_path]
src.process.parent.activeContent.signedStatus principal.labels[src_process_parent_active_content_signed_status] (deprecated)
src.process.parent.activeContent.signedStatus additional.fields[src_process_parent_active_content_signed_status]
src.process.parent.activeContentType principal.labels[src_process_parent_active_content_type] (deprecated)
src.process.parent.activeContentType additional.fields[src_process_parent_active_content_type]
src.process.parent.displayName principal.labels[src_process_parent_display_name] (deprecated)
src.process.parent.displayName additional.fields[src_process_parent_display_name]
src.process.parent.integrityLevel principal.labels[src_process_parent_integrity_level] (deprecated)
src.process.parent.integrityLevel additional.fields[src_process_parent_integrity_level]
src.process.parent.isNative64Bit principal.labels[src_process_parent_is_native_64_bit] (deprecated)
src.process.parent.isNative64Bit additional.fields[src_process_parent_is_native_64_bit]
src.process.parent.isRedirectCmdProcessor principal.labels[src_process_parent_is_redirect_cmd_processor] (deprecated)
src.process.parent.isRedirectCmdProcessor additional.fields[src_process_parent_is_redirect_cmd_processor]
src.process.parent.isStorylineRoot principal.labels[src_process_parent_is_storyline_root] (deprecated)
src.process.parent.isStorylineRoot additional.fields[src_process_parent_is_storyline_root]
src.process.parent.publisher principal.labels[src_process_parent_publisher] (deprecated)
src.process.parent.publisher additional.fields[src_process_parent_publisher]
src.process.parent.reasonSignatureInvalid principal.labels[src_process_parent_reason_signature_invalid] (deprecated)
src.process.parent.reasonSignatureInvalid additional.fields[src_process_parent_reason_signature_invalid]
src.process.parent.sessionId principal.labels[src_process_parent_session_id] (deprecated)
src.process.parent.sessionId additional.fields[src_process_parent_session_id]
src.process.parent.signedStatus principal.process.parent_process.file.signature_info.sigcheck.verification_message
src.process.parent.startTime principal.labels[src_process_parent_start_time] (deprecated)
src.process.parent.startTime additional.fields[src_process_parent_start_time]
src.process.parent.subsystem principal.labels[src_process_parent_subsystem] (deprecated)
src.process.parent.subsystem additional.fields[src_process_parent_subsystem]
src.process.publisher principal.labels[src_process_publisher] (deprecated)
src.process.publisher additional.fields[src_process_publisher]
src.process.reasonSignatureInvalid principal.labels[src_process_reason_signature_invalid] (deprecated)
src.process.reasonSignatureInvalid additional.fields[src_process_reason_signature_invalid]
src.process.registryChangeCount principal.labels[src_process_registry_change_count] (deprecated)
src.process.registryChangeCount additional.fields[src_process_registry_change_count]
src.process.rpid principal.labels[src_process_rpid] (deprecated)
src.process.rpid additional.fields[src_process_rpid]
src.process.sessionId principal.labels[src_process_session_id] (deprecated)
src.process.sessionId additional.fields[src_process_session_id]
src.process.signedStatus principal.process.file.signature_info.sigcheck.verification_message
src.process.startTime principal.labels[src_process_start_time] (deprecated)
src.process.startTime additional.fields[src_process_start_time]
src.process.storyline.id principal.labels[src_process_storyline_id] (deprecated)
src.process.storyline.id additional.fields[src_process_storyline_id]
src.process.subsystem principal.labels[src_process_subsystem] (deprecated)
src.process.subsystem additional.fields[src_process_subsystem]
src.process.tgtFileCreationCount principal.labels[src_process_tgt_file_creation_count] (deprecated)
src.process.tgtFileCreationCount additional.fields[src_process_tgt_file_creation_count]
src.process.tgtFileDeletionCount principal.labels[src_process_tgt_file_deletion_count] (deprecated)
src.process.tgtFileDeletionCount additional.fields[src_process_tgt_file_deletion_count]
src.process.tgtFileModificationCount principal.labels[src_process_tgt_file_modification_count] (deprecated)
src.process.tgtFileModificationCount additional.fields[src_process_tgt_file_modification_count]
src.process.tid principal.labels[src_process_tid] (deprecated)
src.process.tid additional.fields[src_process_tid]
principal.process.product_specific_process_id If the src.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.uid} log field is mapped to the principal.process.product_specific_process_id UDM field.
src.process.verifiedStatus principal.labels[src_process_verified_status] (deprecated)
src.process.verifiedStatus additional.fields[src_process_verified_status]
site.id principal.labels[site_id] (deprecated)
site.id additional.fields[site_id]
principal.platform If the os.name log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.

Else, if the os.name log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX.
src.port.number principal.port
osSrc.process.cmdline principal.process_ancestors.command_line
osSrc.process.image.path principal.process_ancestors.file.full_path
osSrc.process.image.md5 principal.process_ancestors.file.md5 If the osSrc.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.image.md5 log field is mapped to the principal.process_ancestors.file.md5 UDM field.
osSrc.process.name principal.process_ancestors.file.names
osSrc.process.image.sha1 principal.process_ancestors.file.sha1 If the osSrc.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.image.sha1 log field is mapped to the principal.process_ancestors.file.sha1 UDM field.
osSrc.process.image.sha256 principal.process_ancestors.file.sha256 If the osSrc.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.image.sha256 log field is mapped to the principal.process_ancestors.file.sha256 UDM field.
osSrc.process.parent.cmdline principal.process_ancestors.parent_process.command_line
osSrc.process.parent.image.path principal.process_ancestors.parent_process.file.full_path
osSrc.process.parent.image.md5 principal.process_ancestors.parent_process.file.md5 If the osSrc.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the osSrc.process.parent.image.md5 log field is mapped to the principal.process_ancestors.parent_process.file.md5 UDM field.
osSrc.process.parent.name principal.process_ancestors.parent_process.file.names
osSrc.process.parent.image.sha1 principal.process_ancestors.parent_process.file.sha1 If the osSrc.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the osSrc.process.parent.image.sha1 log field is mapped to the principal.process_ancestors.parent_process.file.sha1 UDM field.
osSrc.process.parent.image.sha256 principal.process_ancestors.parent_process.file.sha256 If the osSrc.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the osSrc.process.parent.image.sha256 log field is mapped to the principal.process_ancestors.parent_process.file.sha256 UDM field.
osSrc.process.parent.pid principal.process_ancestors.parent_process.pid
osSrc.process.pid principal.process_ancestors.pid
principal.process_ancestors.product_specific_process_id If the osSrc.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.uid} log field is mapped to the principal.process_ancestors.product_specific_process_id UDM field.
src.process.cmdline principal.process.command_line
src.process.image.path principal.process.file.full_path
src.process.image.md5 principal.process.file.md5 If the src.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.image.md5 log field is mapped to the principal.process.file.md5 UDM field.
src.process.name principal.process.file.names
src.process.image.sha1 principal.process.file.sha1 If the src.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.image.sha1 log field is mapped to the principal.process.file.sha1 UDM field.
src.process.image.sha256 principal.process.file.sha256 If the src.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.image.sha256 log field is mapped to the principal.process.file.sha256 UDM field.
src.process.parent.cmdline principal.process.parent_process.command_line
src.process.parent.image.md5 principal.process.parent_process.file.md5 If the src.process.parent.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the src.process.parent.image.md5 log field is mapped to the principal.process.parent_process.file.md5 UDM field.
src.process.parent.image.path principal.process.parent_process.file.full_path
src.process.parent.name principal.process.parent_process.file.names
src.process.parent.image.sha1 principal.process.parent_process.file.sha1 If the src.process.parent.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the src.process.parent.image.sha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field.
src.process.parent.image.sha256 principal.process.parent_process.file.sha256 If the src.process.parent.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the src.process.parent.image.sha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field.
src.process.parent.pid principal.process.parent_process.pid
principal.process_ancestors.parent_process.product_specific_process_id If the osSrc.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{osSrc.process.parent.uid} log field is mapped to the principal.process_ancestors.parent_process.product_specific_process_id UDM field.
principal.process.parent_process.product_specific_process_id If the src.process.parent.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{src.process.parent.uid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
src.process.pid principal.process.pid
osSrc.process.user principal.user.attribute.labels[os_src_process_user]
src.process.eUserUid principal.user.attribute.labels[src_process_e_user_uid]
src.process.lUserName principal.user.attribute.labels[src_process_l_user_name]
src.process.parent.eUserUid principal.user.attribute.labels[src_process_parent_e_user_uid]
src.process.parent.lUserUid principal.user.attribute.labels[src_process_parent_l_user_uid]
src.process.parent.rUserUid principal.user.attribute.labels[src_process_parent_r_user_uid]
src.process.rUserName principal.user.attribute.labels[src_process_r_user_name]
src.process.rUserUid principal.user.attribute.labels[src_process_r_user_uid]
src.process.eUserName principal.user.attribute.labels[src_process_e_user_name]
src.process.parent.eUserName principal.user.attribute.labels[src_process_parent_e_user_name]
src.process.parent.lUserName principal.user.attribute.labels[src_process_parent_l_user_name]
src.process.parent.rUserName principal.user.attribute.labels[src_process_parent_r_user_name]
osSrc.process.parent.user principal.user.attribute.labels[os_src_process_parent_user]
src.process.parent.user principal.user.attribute.labels[src_process_parent_user]
src.process.user principal.user.userid
tiIndicator.value security_result.about.file.md5 If the tiIndicator.type log field value is equal to Md5, then the tiIndicator.value log field is mapped to the security_result.about.file.md5 UDM field.
tiIndicator.value security_result.about.file.sha1 If the tiIndicator.type log field value is equal to Sha1, then the tiIndicator.value log field is mapped to the security_result.about.file.sha1 UDM field.
tiIndicator.value security_result.about.ip If the tiIndicator.type log field value contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.ip UDM field.
  • IPv4
  • IPV6
tiIndicator.value security_result.about.labels[tiIndicator.value] (deprecated) If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the security_result.about.labels UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value additional.fields[tiIndicator.value] If the tiIndicator.type log field value does not contain one of the following values, then the tiIndicator.value log field is mapped to the additional.fields UDM field.
  • Md5
  • Sha1
  • IPV4
  • IPV6
  • DNS
  • URL
tiIndicator.value network.dns.questions.name If the tiIndicator.type log field value is equal to DNS, then the tiIndicator.value log field is mapped to the network.dns.questions.name UDM field.
tiIndicator.value security_result.about.url If the tiIndicator.type log field value is equal to URL, then the tiIndicator.value log field is mapped to the security_result.about.url UDM field.
winEventLog.providerName security_result.about.resource.attribute.labels[win_event_log_provider_name]
tiIndicator.addedBy security_result.about.user.email_addresses
tiIndicator.threatActors security_result.about.user.email_addresses
security_result.action If the event.login.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, if the event.login.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.

If the event.network.connectionStatus log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW.

Else, if the event.network.connectionStatus log field value is equal to FAILURE, then the security_result.action UDM field is set to FAIL.

Else, if the event.network.connectionStatus log field value is equal to BLOCKED, then the security_result.action UDM field is set to BLOCK.
event.network.connectionStatus security_result.action_details
tiIndicator.mitreTactics security_result.attack_details.tactics.name
security_result.category If the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
  • malicious
  • Ransomware
  • OSX.Malware
  • Linux.Malware
  • Malware
  • Manual
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
  • Lateral Movement
  • Remote shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
  • miner
  • Trojan
  • Virus
  • Malicious Office Document
  • Malicious PDF
  • Worm
  • Rootkit
  • Infostealer
  • Generic.Heuristic
  • Downloader
  • Backdoor
  • Hacktool
  • Browser
  • Dialer
  • Installer
  • Packed
  • Network
  • Spyware
  • Interactive shell
Else, if the indicator.category log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_PUA.
  • Adware
  • PUA
Else, if the indicator.category log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
security_result.category If the tiIndicator.categories log field value matches the regular expression pattern malware, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
indicator.category security_result.category_details
tiIndicator.categories security_result.category_details
indicator.description security_result.description
event.login.failureReason security_result.description
tiIndicator.description security_result.descripton
indicator.metadata security_result.detection_fields [indicator_metadata]
indicator.name security_result.detection_fields [indicator_name]
tiIndicator.comparisonMethod security_result.detection_fields [ti_indicator_comparison_method]
tiIndicator.creationTime security_result.detection_fields [ti_indicator_creation_time]
tiIndicator.externalId security_result.detection_fields [ti_indicator_external_id]
tiIndicator.metadata security_result.detection_fields [ti_indicator_metadata]
tiIndicator.modificationTime security_result.detection_fields [ti_indicator_modification_time]
tiindicator.originalEvent.id security_result.detection_fields [ti_indicator_original_event_id]
tiindicator.originalEvent.index security_result.detection_fields [ti_indicator_original_event_index]
tiindicator.originalEvent.time security_result.detection_fields [ti_indicator_original_event_time]
tiindicator.originalEvent.traceId security_result.detection_fields [ti_indicator_original_event_trace_id]
tiIndicator.references security_result.detection_fields [ti_indicator_references]
tiIndicator.intrusionSets security_result.detection_fields [ti_indicator_tiIndicator_intrusion_sets]
tiIndicator.type security_result.detection_fields [ti_indicator_type]
tiIndicator.uid security_result.detection_fields [ti_indicator_uid]
tiIndicator.uploadTime security_result.detection_fields [ti_indicator_upload_time]
tiIndicator.validUntil security_result.detection_fields [ti_indicator_valid_until]
osSrc.process.parent.reasonSignatureInvalid security_result.detection_fields[os_src_process_parent_reason_signature_invalid]
osSrc.process.reasonSignatureInvalid security_result.detection_fields[os_src_process_reason_signature_invalid]
tgt.process.reasonSignatureInvalid security_result.detection_fields[tgt_process_reason_signature_invalid]
security_result.severity If the winEventLog.level log field value matches the regular expression pattern ^(INFO|Informational|Information|Normal|NOTICE)$, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the winEventLog.level log field value contain one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL.
  • Warning
  • DEBUG
Else, if the winEventLog.level log field value matches the regular expression pattern Error, then the security_result.severity UDM field is set to ERROR.

Else, if the winEventLog.level log field value matches the regular expression pattern Critical, then the security_result.severity UDM field is set to CRITICAL.
winEventLog.level security_result.severity_details
tiIndicator.name security_result.threat_name
tiIndicator.source security_result.threat_feed_name
tgt.file.oldPath src.file.full_path
tgt.file.oldMd5 src.file.md5 If the tgt.file.oldMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.oldMd5 log field is mapped to the src.file.md5 UDM field.
driver.peSha1 target.process.file.sha1 If the driver.peSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the driver.peSha1 log field is mapped to the target.process.file.sha1 UDM field.
tgt.file.oldSha1 src.file.sha1 If the tgt.file.oldSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.oldSha1 log field is mapped to the src.file.sha1 UDM field.
driver.peSha256 target.process.file.sha256 If the driver.peSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the driver.peSha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.file.oldSha256 src.file.sha256 If the tgt.file.oldSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.oldSha256 log field is mapped to the src.file.sha256 UDM field.
driver.certificate.thumbprintAlgorithm target.labels[driver_certificate_thumbprint_algorithm] (deprecated)
driver.certificate.thumbprintAlgorithm additional.fields[driver_certificate_thumbprint_algorithm]
driver.certificate.thumbprint target.labels[driver_certificate_thumbprint] (deprecated)
driver.certificate.thumbprint additional.fields[driver_certificate_thumbprint]
driver.isLoadedBeforeMonitor target.labels[driver_is_loaded_before_monitor] (deprecated)
driver.isLoadedBeforeMonitor additional.fields[driver_is_loaded_before_monitor]
driver.loadVerdict target.labels[driver_load_verdict] (deprecated)
driver.loadVerdict additional.fields[driver_load_verdict]
driver.startType target.labels[driver_start_type] (deprecated)
driver.startType additional.fields[driver_start_type]
registry.oldValueFullSize src.labels[registry_old_value_full_size] (deprecated)
registry.oldValueFullSize additional.fields[registry_old_value_full_size]
registry.oldValueIsComplete src.labels[registry_old_valueIs_complete] (deprecated)
registry.oldValueIsComplete additional.fields[registry_old_valueIs_complete]
registry.oldValue src.registry.registry_value_data
registry.oldValueType src.registry.registry_value_name
tgt.file.location target.labels[tgt_file_location] (deprecated)
tgt.file.location additional.fields[tgt_file_location]
cmdScript.applicationName target.application
event.login.accountDomain target.domain.name
tgt.file.path target.file.full_path
tgt.file.modificationTime target.file.last_modification_time
tgt.file.md5 target.file.md5 If the tgt.file.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.file.md5 log field is mapped to the target.file.md5 UDM field.
tgt.file.extension target.file.mime_type
tgt.file.id target.file.names
tgt.file.internalName target.file.names
tgt.file.sha1 target.file.sha1 If the tgt.file.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.file.sha1 log field is mapped to the target.file.sha1 UDM field.
tgt.file.sha256 target.file.sha256 If the tgt.file.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.file.sha256 log field is mapped to the target.file.sha256 UDM field.
tgt.file.size target.file.size
target.file.file_type If the tgt.file.type log field value is equal to PE, then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.

Else, if the tgt.file.type log field value is equal to ELF, then the target.file.file_type UDM field is set to FILE_TYPE_ELF.

Else, if the tgt.file.type log field value is equal to MACH, then the target.file.file_type UDM field is set to FILE_TYPE_MACH_O.

Else, if the tgt.file.type log field value is equal to PDF, then the target.file.file_type UDM field is set to FILE_TYPE_PDF.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to COM, then the target.file.file_type UDM field is set to FILE_TYPE_DOS_COM.

Else, if the tgt.file.type log field value is equal to OPENXML, then the target.file.file_type UDM field is set to FILE_TYPE_XML.

Else, if the tgt.file.type log field value is equal to PKZIP, then the target.file.file_type UDM field is set to FILE_TYPE_ZIP.

Else, if the tgt.file.type log field value is equal to RAR, then the target.file.file_type UDM field is set to FILE_TYPE_RAR.

Else, if the tgt.file.type log field value is equal to BZIP2, then the target.file.file_type UDM field is set to FILE_TYPE_BZIP.

Else, if the tgt.file.type log field value is equal to TAR, then the target.file.file_type UDM field is set to FILE_TYPE_TAR.

Else, if the tgt.file.type log field value is equal to LNK, then the target.file.file_type UDM field is set to FILE_TYPE_LNK.
url.address target.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
url.address target.asset.hostname The protocol and hostname field is extracted from url.address log field using the Grok pattern, and the hostname extracted field is mapped to the target.hostname UDM field.
dst.ip.address target.ip
cmdScript.isComplete target.labels[cmd_script_is_complete] (deprecated)
cmdScript.isComplete additional.fields[cmd_script_is_complete]
registry.keyUid target.labels[registry_key_uid] (deprecated)
registry.keyUid additional.fields[registry_key_uid]
registry.valueFullSize target.labels[registry_value_full_size] (deprecated)
registry.valueFullSize additional.fields[registry_value_full_size]
registry.valueIsComplete target.labels[registry_value_is_complete] (deprecated)
registry.valueIsComplete additional.fields[registry_value_is_complete]
tgt.file.convictedBy target.labels[tgt_file_convicted_by] (deprecated)
tgt.file.convictedBy additional.fields[tgt_file_convicted_by]
tgt.file.creationTime target.labels[tgt_file_creation_time] (deprecated)
tgt.file.creationTime additional.fields[tgt_file_creation_time]
tgt.file.description target.labels[tgt_file_description] (deprecated)
tgt.file.description additional.fields[tgt_file_description]
tgt.file.isExecutable target.labels[tgt_file_is_executable] (deprecated)
tgt.file.isExecutable additional.fields[tgt_file_is_executable]
tgt.file.isSigned target.labels[tgt_file_is_signed] (deprecated)
tgt.file.isSigned additional.fields[tgt_file_is_signed]
tgt.process.accessRights target.labels[tgt_process_access_rights] (deprecated)
tgt.process.accessRights additional.fields[tgt_process_access_rights]
tgt.process.activeContent.hash target.labels[tgt_process_active_content_hash] (deprecated)
tgt.process.activeContent.hash additional.fields[tgt_process_active_content_hash]
tgt.process.activeContent.id target.labels[tgt_process_active_content_id] (deprecated)
tgt.process.activeContent.id additional.fields[tgt_process_active_content_id]
tgt.process.activeContent.path target.labels[tgt_process_active_content_path] (deprecated)
tgt.process.activeContent.path additional.fields[tgt_process_active_content_path]
tgt.process.activeContent.signedStatus target.labels [tgt_process_active_content_signed_status] (deprecated)
tgt.process.activeContent.signedStatus additional.fields [tgt_process_active_content_signed_status]
tgt.process.activeContentType target.labels[tgt_process_active_content_type] (deprecated)
tgt.process.activeContentType additional.fields[tgt_process_active_content_type]
tgt.process.displayName target.labels[tgt_process_display_name] (deprecated)
tgt.process.displayName additional.fields[tgt_process_display_name]
tgt.process.image.binaryIsExecutable target.labels[tgt_process_image_binary_is_executable] (deprecated)
tgt.process.image.binaryIsExecutable additional.fields[tgt_process_image_binary_is_executable]
tgt.process.integrityLevel target.labels[tgt_process_integrity_level] (deprecated)
tgt.process.integrityLevel additional.fields[tgt_process_integrity_level]
tgt.process.isNative64Bit target.labels[tgt_process_is_native_64_bit] (deprecated)
tgt.process.isNative64Bit additional.fields[tgt_process_is_native_64_bit]
tgt.process.isRedirectCmdProcessor target.labels[tgt_process_is_redirect_cmd_processor] (deprecated)
tgt.process.isRedirectCmdProcessor additional.fields[tgt_process_is_redirect_cmd_processor]
tgt.process.isStorylineRoot target.labels[tgt_process_is_storyline_root] (deprecated)
tgt.process.isStorylineRoot additional.fields[tgt_process_is_storyline_root]
tgt.process.publisher target.labels[tgt_process_publisher] (deprecated)
tgt.process.publisher additional.fields[tgt_process_publisher]
tgt.process.relation target.labels[tgt_process_relation] (deprecated)
tgt.process.relation additional.fields[tgt_process_relation]
tgt.process.sessionId target.labels[tgt_process_session_id] (deprecated)
tgt.process.sessionId additional.fields[tgt_process_session_id]
tgt.process.signedStatus target.process.file.signature_info.sigcheck.verification_message
tgt.process.startTime target.labels[tgt_process_start_time] (deprecated)
tgt.process.startTime additional.fields[tgt_process_start_time]
tgt.process.storyline.id target.labels[tgt_process_storyline_id] (deprecated)
tgt.process.storyline.id additional.fields[tgt_process_storyline_id]
tgt.process.subsystem target.labels[tgt_process_subsystem] (deprecated)
tgt.process.subsystem additional.fields[tgt_process_subsystem]
tgt.process.verifiedStatus target.labels[tgt_process_verified_status] (deprecated)
tgt.process.verifiedStatus additional.fields[tgt_process_verified_status]
dst.port.number target.port
cmdScript.content target.process.command_line
tgt.process.cmdline target.process.command_line
tgt.process.image.path target.process.file.full_path
tgt.process.image.md5 target.process.file.md5 If the tgt.process.image.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the tgt.process.image.md5 log field is mapped to the target.process.file.md5 UDM field.
tgt.process.name target.process.file.names
tgt.process.image.sha1 target.process.file.sha1 If the tgt.process.image.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the tgt.process.image.sha1 log field is mapped to the target.process.file.sha1 UDM field.
cmdScript.sha256 target.process.file.sha256 If the cmdScript.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the cmdScript.sha256 log field is mapped to the target.process.file.sha256 UDM field.
tgt.process.image.sha256 target.process.file.sha256 If the tgt.process.image.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the tgt.process.image.sha256 log field is mapped to the target.process.file.sha256 UDM field.
cmdScript.originalSize target.process.file.size
tgt.process.pid target.process.pid
target.process.product_specific_process_id If the tgt.process.uid log field value is not empty, then the SO:%{site.id}:%{account.id}:%{agent.uuid}:%{tgt.process.uid} log field is mapped to the target.process.product_specific_process_id UDM field.
registry.keyPath target.registry.registry_key
registry.value target.registry.registry_value_data
registry.valueType target.registry.registry_value_name
k8sCluster.namespaceLabels target.resource_ancestors.attribute.labels[k8s_cluster_namespace_labels]
k8sCluster.namespace target.resource_ancestors.attribute.labels[k8s_cluster_namespace]
k8sCluster.name target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerName target.resource_ancestors.name
k8sCluster.controllerLabels target.resource_ancestors.attribute.labels[k8s_cluster_controller_labels]
target.resource_ancestors.resource_type If the k8sCluster.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
k8sCluster.controllerType target.resource_ancestors.resource_subtype
k8sCluster.podName target.resource_ancestors.name
k8sCluster.podLabels target.resource_ancestors.attribute.labels[k8s_cluster_pod_labels]
target.resource_ancestors.resource_type If the k8sCluster.podName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.
k8sCluster.nodeName target.resource_ancestors.name
target.resource_ancestors.resource_type If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
target.resource_ancestors.resource_subtype If the k8sCluster.nodeName log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to NODE.
k8sCluster.containerName target.resource.name
k8sCluster.containerId target.resource.product_object_id
target.resource.resource_type If the k8sCluster.containerName log field value is not empty or the k8sCluster.containerId log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER.
k8sCluster.containerImage.sha256 target.resource.attribute.labels[k8s_cluster_container_image_sha256]
k8sCluster.containerImage target.resource.attribute.labels[k8s_cluster_container_image]
k8sCluster.containerLabels target.resource.attribute.labels[k8s_cluster_container_labels]
namedPipe.name target.resource.name
namedPipe.accessMode target.resource.attribute.permission.name
namedPipe.connectionType target.resource.attribute.labels[named_pipe_connection_type]
namedPipe.isFirstInstance target.resource.attribute.labels[named_pipe_is_first_instance]
namedPipe.isOverlapped target.resource.attribute.labels[named_pipe_is_overlapped]
namedPipe.isWriteThrough target.resource.attribute.labels[named_pipe_is_write_through]
namedPipe.maxInstances target.resource.attribute.labels[named_pipe_max_instances]
namedPipe.readMode target.resource.attribute.labels[named_pipe_read_mode]
namedPipe.remoteClients target.resource.attribute.labels[named_pipe_remote_clients]
namedPipe.securityGroups target.resource.attribute.labels[named_pipe_security_groups]
namedPipe.securityOwner target.resource.attribute.labels[named_pipe_security_owner]
namedPipe.typeMode target.resource.attribute.labels[named_pipe_type_mode]
namedPipe.waitMode target.resource.attribute.labels[named_pipe_wait_mode]
task.name target.resource.name
task.path target.resource.attribute.labels[task_path]
target.resource.resource_type If the event.category log field value is equal to scheduled_task, then the target.resource.resource_type UDM field is set to TASK.

If the event.type log field value contain one of the following values, then the target.resource.resource_type UDM field is set to PIPE.
  • Named Pipe Creation
  • Named Pipe Connection
url.address target.url
tgt.process.eUserName target.user.attribute.labels[tgt_process_e_user_name]
tgt.process.eUserUid target.user.attribute.labels[tgt_process_e_user_uid]
tgt.process.lUserName target.user.attribute.labels[tgt_process_l_user_name]
tgt.process.lUserUid target.user.attribute.labels[tgt_process_l_user_uid]
tgt.process.rUserName target.user.attribute.labels[tgt_process_r_user_name]
tgt.process.rUserUid target.user.attribute.labels[tgt_process_r_user_uid]
tgt.process.user target.user.userid
event.login.accountName target.user.user_display_name
target.user.user_role If the event.login.isAdministratorEquivalent log field value is equal to true, then the target.user.user_role UDM field is set to ADMINISTRATOR.
event.login.userName target.user.userid
event.login.accountSid target.user.windows_sid
module.path target.process.file.full_path
module.md5 target.process.file.md5 If the module.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the module.md5 log field is mapped to the target.process.file.md5 UDM field.
module.sha1 target.process.file.sha1 If the module.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the module.sha1 log field is mapped to the target.process.file.sha1 UDM field.
mgmt.url about.url
dataSource.category about.labels[data_source_category] (deprecated)
dataSource.category additional.fields[data_source_category]
dataSource.name about.labels[data_source_name] (deprecated)
dataSource.name additional.fields[data_source_name]
dataSource.vendor about.labels[data_source_vendor] (deprecated)
dataSource.vendor additional.fields[data_source_vendor]
event.category about.labels[event_category] (deprecated)
event.category additional.fields[event_category]
event.login.baseType about.labels[event_login_base_type] (deprecated)
event.login.baseType additional.fields[event_login_base_type]
event.network.protocolName about.labels[event_network_protocol_name] (deprecated)
event.network.protocolName additional.fields[event_network_protocol_name]
event.repetitionCount about.labels[event_repetition_count] (deprecated)
event.repetitionCount additional.fields[event_repetition_count]
event.login.isAdministratorEquivalent about.labels[event_login_is_administrator_equivalent] (deprecated)
event.login.isAdministratorEquivalent additional.fields[event_login_is_administrator_equivalent]
group.id about.labels[group_id] (deprecated) If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the about.labels UDM field.
group.id additional.fields[group_id] If the event.type log field value is equal to Group Creation, then the group.id log field is mapped to the target.group.product_object_id UDM field.

Else, the group.id log field is mapped to the additional.fields UDM field.
i.scheme about.labels[i_scheme] (deprecated)
i.scheme additional.fields[i_scheme]
i.version about.labels[i_version] (deprecated)
i.version additional.fields[i_version]
meta.event.name about.labels[meta_event_name] (deprecated)
meta.event.name additional.fields[meta_event_name]
mgmt.id about.labels[mgmt_id] (deprecated)
mgmt.id additional.fields[mgmt_id]
mgmt.osRevision about.labels[mgmt_os_revision] (deprecated)
mgmt.osRevision additional.fields[mgmt_os_revision]
packet.id about.labels[packet_id] (deprecated)
packet.id additional.fields[packet_id]
sca:atlantisIngestTime about.labels[sca_atlantis_ingest_time] (deprecated)
sca:atlantisIngestTime additional.fields[sca_atlantis_ingest_time]
sca:ingestTime about.labels[sca_ingest_time] (deprecated)
sca:ingestTime additional.fields[sca_ingest_time]
timestamp about.labels[timestamp] (deprecated)
timestamp additional.fields[timestamp]
trace.id about.labels[trace_id] (deprecated)
trace.id additional.fields[trace_id]
winEventLog.channel about.labels[win_event_log_channel] (deprecated)
winEventLog.channel additional.fields[win_event_log_channel]
winEventLog.description.additionalInformation about.labels[win_event_log_description_additional_information] (deprecated)
winEventLog.description.additionalInformation additional.fields[win_event_log_description_additional_information]
winEventLog.description.objectName about.labels[win_event_log_description_object_name] (deprecated)
winEventLog.description.objectName additional.fields[win_event_log_description_object_name]
winEventLog.description.objectServer about.labels[win_event_log_description_object_server] (deprecated)
winEventLog.description.objectServer additional.fields[win_event_log_description_object_server]
winEventLog.description.objectType about.labels[win_event_log_description_object_type] (deprecated)
winEventLog.description.objectType additional.fields[win_event_log_description_object_type]
winEventLog.description.operationType about.labels[win_event_log_description_operation_type] (deprecated)
winEventLog.description.operationType additional.fields[win_event_log_description_operation_type]
winEventLog.description.securityId about.labels[win_event_log_description_security_id] (deprecated)
winEventLog.description.securityId additional.fields[win_event_log_description_security_id]
winEventLog.description.userId about.labels[win_event_log_description_user_id] (deprecated)
winEventLog.description.userId additional.fields[win_event_log_description_user_id]
winEventLog.xml about.labels[win_event_log_xml] (deprecated)
winEventLog.xml additional.fields[win_event_log_xml]

A seguir