Collect CrowdStrike EDR logs
This document describes how you can export CrowdStrike EDR logs to Google Security Operations through Google Security Operations feed, and how CrowdStrike EDR fields map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations overview.
A typical deployment consists of CrowdStrike enabled for ingestion to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
CrowdStrike Falcon Intelligence: The CrowdStrike product from which you collect logs.
Google Security Operations: Retains and analyzes the CrowdStrike EDR logs.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the CS_EDR
ingestion label.
Before you begin
Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.
Ensure that the device is running on a supported operating system.
- The OS must be running on a 64-bit server. Microsoft Windows server 2008 R2 SP1 is supported for Crowdstrike Falcon Host sensor versions 6.51 or later.
- Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support installed on their devices.
Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure a Falcon Data Replicator Feed
To set up an Falcon Data Replicator feed, follow these steps:
- Click the ADD button to create a new Falcon Data Replicator feed. This will generate S3 identifier, SQS URL and Client secret.
- Use the generated Feed, S3 identifier, SQS URL, and Client secret values to set up feed in Google Security Operations.
Configure a feed in Google Security Operations to ingest CrowdStrike EDR logs
Customer can use SQS or S3 bucket to setup ingestion feed in chronicle. SQS is preferred but S3 is also supported.
To set up an ingestion feed using S3 bucket, follow these steps:
- Log in to your Google Security Operations instance.
- From the application menu, select Settings > Feeds.
- Click ADD NEW.
- In Source type, select Amazon S3 and in Log type, select CrowdStrike Falcon.
- Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:
Field Description region The S3 region associated with URI. S3 uri The S3 bucket source URI. uri is a The type of object URI points to. source deletion option Whether to delete files and/or directories after transferring. access key id An account access key that is 20-character alphanumeric string, for exapmple AKIAOSFOODNN7EXAMPLE. secret access key An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. oauth client id A public, client-specific OAuth identifier. oauth client secret OAuth 2.0 client secret. oauth secret refresh uri OAuth 2.0 client secret refresh URI. asset namespace The namespace the feed will be associated with.
To set up an ingestion feed using SQS, follow the steps:
- Log in to your Google Security Operations instance.
- From the application menu, select Settings > Feeds.
- Click ADD NEW.
- In Source type, select Amazon SQS and in Log type, select CrowdStrike Falcon.
Based on the service account and the Amazon SQS configuration that you created, specify values for the following fields:
Field Description region The S3 region associated with URI. QUEUE NAME The SQS queue name to read from. ACCOUNT NUMBER The SQS account number. source deletion option Whether to delete files and/or directories after transferring. QUEUE ACCESS KEY ID An account access key that is 20-character alphanumeric string, for example, AKIAOSFOODNN7EXAMPLE. QUEUE SECRET ACCESS KEY An account access key that is a 40-character alphanumeric string, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. asset namespace The namespace that the feed will be associated with.
Field mapping reference
This parser processes CrowdStrike Falcon platform JSON logs, normalizing them into UDM. It extracts fields, handles various timestamp formats, maps event types to UDM event types, and enriches the data with MITRE ATT&CK information and additional context. The parser also handles specific event types and logic for user logins, network connections, and file operations, ensuring comprehensive UDM coverage.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
AccountCreationTimeStamp |
event.idm.read_only_udm.metadata.event_timestamp |
The raw log field AccountCreationTimeStamp is converted to a UDM timestamp and mapped to event_timestamp . |
AccountDomain |
event.idm.read_only_udm.principal.administrative_domain |
Direct mapping. |
AccountObjectGuid |
event.idm.read_only_udm.metadata.product_log_id |
Direct mapping. |
AccountObjectSid |
event.idm.read_only_udm.principal.user.windows_sid |
Direct mapping. |
ActiveDirectoryAuthenticationMethod |
event.idm.read_only_udm.extensions.auth.mechanism |
If ActiveDirectoryAuthenticationMethod is 0, the mechanism is KERBEROS . Otherwise, the mechanism is AUTHTYPE_UNSPECIFIED . |
ActivityId |
event.idm.read_only_udm.additional.fields[ActivityId] |
Added as a key-value pair to the additional_fields array. |
AggregationActivityCount |
event.idm.read_only_udm.additional.fields[AggregationActivityCount] |
Added as a key-value pair to the additional_fields array. |
AgentIdString |
event.idm.read_only_udm.principal.asset_id |
Prefixed with "CS:". |
AgentOnlineMacV13 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AgentVersion |
event.idm.read_only_udm.principal.asset.attribute.labels[AgentVersion] |
Added as a key-value pair to the labels array. |
aid |
event.idm.read_only_udm.principal.asset_id |
Prefixed with "CS:". |
aip |
event.idm.read_only_udm.principal.nat_ip , intermediary.ip |
If _aid_is_target is false, map to principal.nat_ip and intermediary.ip . If _aid_is_target is true and LogonType is 3, map to target.nat_ip and intermediary.ip . |
aipCount |
event.idm.read_only_udm.additional.fields[aipCount] |
Added as a key-value pair to the additional_fields array. |
AppName |
event.idm.read_only_udm.principal.asset.software.name |
Direct mapping. |
ApplicationName |
event.idm.read_only_udm.target.application |
Direct mapping. |
AppVersion |
event.idm.read_only_udm.principal.asset.software.version |
Direct mapping. |
AsepFileChangeMacV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AsepKeyUpdateV6 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AsepValueUpdateV7 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AssociateIndicatorV5 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AssociateTreeIdWithRootV6 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
AssemblyName |
event.idm.read_only_udm.target.resource.attribute.labels[AssemblyName] |
Added as a key-value pair to the labels array. |
AuthenticationId |
event.idm.read_only_udm.principal.user.product_object_id , event.idm.read_only_udm.target.user.product_object_id |
If _aid_is_target is false, map to principal.user.product_object_id . If _aid_is_target is true and LogonType is 3, map to target.user.product_object_id . |
AuthenticationPackage |
event.idm.read_only_udm.target.resource.name |
Direct mapping. |
AuthenticodeHashData |
event.idm.read_only_udm.target.file.authentihash |
Direct mapping. |
AuthenticodeMatch |
event.idm.read_only_udm.security_result.detection_fields[AuthenticodeMatch] |
Added as a key-value pair to the detection_fields array. |
AuthorityKeyIdentifier |
event.idm.read_only_udm.security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid , event.idm.read_only_udm.security_result.about.artifact.last_https_certificate.cert_extensions.fields[authority_key_id.keyid] |
Added as a key-value pair to the cert_extensions.fields array. |
BatchTimestamp |
event.idm.read_only_udm.metadata.event_timestamp |
The raw log field BatchTimestamp is converted to a UDM timestamp and mapped to event_timestamp . |
badResources |
event.idm.read_only_udm.additional.fields[badResource_n] |
For each element in the badResources array, a key-value pair is added to the additional_fields array with the key badResource_n , where n is the index of the element. |
benchmarks |
event.idm.read_only_udm.additional.fields[benchmark_n] |
For each element in the benchmarks array, a key-value pair is added to the additional_fields array with the key benchmark_n , where n is the index of the element. |
BehaviorWhitelistedV3 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
BillingInfoV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
BiosVersion |
event.idm.read_only_udm.principal.asset.attribute.labels[BiosVersion] |
Added as a key-value pair to the labels array. |
BITSJobCreatedV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
BrowserInjectedThreadV5 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CallStackModuleNames |
event.idm.read_only_udm.security_result.detection_fields[CallStackModuleNames] |
Added as a key-value pair to the detection_fields array. |
CallStackModuleNamesVersion |
event.idm.read_only_udm.security_result.detection_fields[CallStackModuleNamesVersion] |
Added as a key-value pair to the detection_fields array. |
category |
event.idm.read_only_udm.security_result.category_details |
Direct mapping. |
ChannelVersionRequiredV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
ChassisType |
event.idm.read_only_udm.principal.asset.attribute.labels[ChassisType] |
Added as a key-value pair to the labels array. |
cid |
event.idm.read_only_udm.metadata.product_deployment_id |
Direct mapping. |
City |
event.idm.read_only_udm.principal.location.city |
Direct mapping. |
ClassifiedModuleLoadV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CloudAssociateTreeIdWithRootV3 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CommandLine |
event.idm.read_only_udm.principal.process.command_line , event.idm.read_only_udm.target.process.command_line , event.idm.read_only_udm.principal.process.parent_process.parent_process.command_line |
If event_simpleName is ProcessRollup2 or SyntheticProcessRollup2 , map to target.process.command_line . If event_simpleName is CreateService , map to principal.process.command_line . If event_simpleName is FalconHostFileTamperingInfo , map to principal.process.command_line . If event_simpleName is HostedServiceStarted or ServiceStarted , map to principal.process.command_line . If event_simpleName is ProcessRollup2Stats , map to principal.process.command_line . If event_simpleName is RansomwareCreateFile , map to principal.process.command_line . If event_simpleName is ScreenshotTakenEtw , map to principal.process.command_line . If event_simpleName is ScriptControlDetectInfo , map to target.process.command_line . If event_simpleName is SuspiciousCreateSymbolicLink , map to principal.process.command_line . If event_simpleName is UACExeElevation , map to principal.process.command_line . If event_simpleName is WmiCreateProcess , map to principal.process.command_line . If event_simpleName is WmiFilterConsumerBindingEtw or WmiProviderRegistrationEtw , map to principal.process.command_line . If ExternalApiType is DetectionSummaryEvent , map to target.process.command_line . If event_simpleName is ReflectiveDllOpenProcess , map to principal.process.command_line . If GrandparentCommandLine is not defined, map to event.idm.read_only_udm.principal.process.parent_process.parent_process.command_line . |
CommandHistory |
event.idm.read_only_udm.target.resource.attribute.labels[CommandHistory] |
Added as a key-value pair to the labels array. |
CompanyName |
event.idm.read_only_udm.target.user.company_name |
Direct mapping. |
ComputerName |
event.idm.read_only_udm.principal.hostname , event.idm.read_only_udm.principal.asset.hostname |
If ComputerName is not empty or "-", map to principal.hostname and principal.asset.hostname . |
ConfigBuild |
event.idm.read_only_udm.security_result.detection_fields[ConfigBuild] |
Added as a key-value pair to the detection_fields array. |
ConfigStateHash |
event.idm.read_only_udm.security_result.detection_fields[ConfigStateHash] |
Added as a key-value pair to the detection_fields array. |
ConfigStateUpdateV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
ConnectionDirection |
_network_direction |
If 0, set _network_direction to OUTBOUND . If 1, set _network_direction to INBOUND . If 2, set _network_direction to NEITHER . If 3, set _network_direction to STATUS_UPDATE . |
Continent |
event.idm.read_only_udm.additional.fields[Continent] |
Added as a key-value pair to the additional_fields array. |
ContentSHA256HashData |
event.idm.read_only_udm.security_result.detection_fields[ContentSHA256HashData] |
Added as a key-value pair to the detection_fields array. |
ContextProcessId |
event.idm.read_only_udm.principal.process.product_specific_process_id , event.idm.read_only_udm.target.process.product_specific_process_id |
If _aid_is_target is false, map to principal.process.product_specific_process_id . If _aid_is_target is true and LogonType is 3, map to target.process.product_specific_process_id . |
ContextTimeStamp |
event.idm.read_only_udm.metadata.event_timestamp , event.idm.read_only_udm.security_result.detection_fields[ContextTimeStamp] |
The raw log field ContextTimeStamp is converted to a UDM timestamp and mapped to event_timestamp . Added as a key-value pair to the detection_fields array. |
Country |
event.idm.read_only_udm.principal.location.country_or_region |
Direct mapping. |
CreateServiceV3 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CreateThreadNoStartImageV12 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CrashNotificationV4 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CriticalFileAccessedLinV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CriticalFileModifiedMacV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
CurrentSystemTagsV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DCSyncAttemptedV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcName |
event.idm.read_only_udm.principal.user.userid |
The backslashes are removed from the DcName field. |
DcOnlineV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcStatusV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbConfigurationDescriptorV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbDeviceConnectedV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbDeviceDisconnectedV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbEndpointDescriptorV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbHIDDescriptorV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DcUsbInterfaceDescriptorV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DeepHashBlacklistClassificationV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DeliverLocalFXToCloudV2 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DeliverLocalFXToCloudV3 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DesiredAccess |
event.idm.read_only_udm.security_result.detection_fields[DesiredAccess] |
Added as a key-value pair to the detection_fields array. |
DetectDescription |
event.idm.read_only_udm.security_result.description |
Direct mapping. |
DetectId |
event.idm.read_only_udm.security_result.about.labels[DetectId] |
Added as a key-value pair to the labels array. |
DetectName |
event.idm.read_only_udm.security_result.threat_name |
Direct mapping. |
detectionId |
event.idm.read_only_udm.security_result.detection_fields[detectionId] |
Added as a key-value pair to the detection_fields array. |
detectionName |
event.idm.read_only_udm.security_result.detection_fields[detectionName] |
Added as a key-value pair to the detection_fields array. |
DeviceInstanceId |
event.idm.read_only_udm.target.asset_id |
Prefixed with "Device Instance Id: ". |
DeviceManufacturer |
event.idm.read_only_udm.target.asset.hardware.manufacturer |
Direct mapping. |
DeviceProduct |
event.idm.read_only_udm.target.asset.hardware.model |
Direct mapping. |
DevicePropertyDeviceDescription |
event.idm.read_only_udm.target.asset.attribute.labels[Device Property Device Description] |
Added as a key-value pair to the labels array. |
DevicePropertyLocationInformation |
event.idm.read_only_udm.target.asset.attribute.labels[Device Property Location Information] |
Added as a key-value pair to the labels array. |
DeviceSerialNumber |
event.idm.read_only_udm.target.asset.hardware.serial_number |
Direct mapping. |
DeviceTimeStamp |
event.idm.read_only_udm.metadata.event_timestamp |
The raw log field DeviceTimeStamp is converted to a UDM timestamp and mapped to event_timestamp . |
DirectoryCreateMacV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DiskParentDeviceInstanceId |
event.idm.read_only_udm.target.resource.id |
Direct mapping. |
DllInjectionV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DmpFileWrittenV11 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DomainName |
event.idm.read_only_udm.target.hostname , event.idm.read_only_udm.target.asset.hostname |
If event_simpleName is DnsRequest or SuspiciousDnsRequest , map to target.hostname and target.asset.hostname . |
DotnetModuleLoadDetectInfoV1 |
event.idm.read_only_udm.metadata.description |
Direct mapping. |
DownloadServer |
`event.id |
Changes
2024-06-06
- Mapped "OriginalFilename" to "target.process.file.exif_info.original_file".
2024-05-31
- Mapped "os_version" to "principal.platform_version".
- Mapped "hostname" to "principal.hostname" and "principal.asset.hostname".
- Mapped "product_type_desc", "host_hidden_status", "scores.os", "scores.sensor", "scores.version", "scores.overall", and "scores.modified_time" to "security_result.detection_fields".
2024-05-23
- Mapped "Version" to "principal.platform_version".
2024-05-21
- When "event_simpleName" is "FileWritten", "NetworkConnect", or "DnsRequest", then mapped "ContextBaseFileName" to "principal.process.file.full_path".
- Mapped "QuarantinedFileName" to "principal.process.file.full_path".
2024-05-15
- Mapped "Version", "BiosVersion" and "ChassisType" to "principal.asset.attribute.labels".
- Mapped "Continent", "OU" and "SiteName" to "additional.fields".
2024-04-17
- Mapped "ModuleILPath" to "target.resource.attribute.labels".
2024-04-08
- Bug-Fix:
- When "event_simpleName" is "ClassifiedModuleLoad", then changed "metadata.event_type" from "STATUS_UPDATE" to "PROCESS_MODULE_LOAD".
2024-02-21
- Mapped "SubjectDN" to "security_result.about.artifact.last_https_certificate.subject".
- Mapped "IssuerDN" to "security_result.about.artifact.last_https_certificate.issuer".
- Mapped "SubjectCertValidTo" to "security_result.about.artifact.last_https_certificate.validity.issue_time"".
- Mapped "SubjectCertValidFrom" to "security_result.about.artifact.last_https_certificate.validity.expiry_time".
- Mapped "SubjectSerialNumber" to "security_result.about.artifact.last_https_certificate.serial_number".
- Mapped "SubjectVersion" to "security_result.about.artifact.last_https_certificate.version".
- Mapped "SubjectCertThumbprint" to "security_result.about.artifact.last_https_certificate.thumbprint".
- Mapped "SignatureDigestAlg" to "security_result.about.artifact.last_https_certificate.signature_algorithm".
- Mapped "SignatureDigestEncryptAlg" to "security_result.about.artifact.last_https_certificate.cert_signature.signature_algorithm".
- Mapped "AuthenticodeHashData" to "target.file.authentihash".
- Mapped "AuthorityKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
- Mapped "SubjectKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.subject_key_id" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
- Mapped "OriginalFilename" to "additional.fields".
- Mapped "SignInfoFlagUnknownError", "SignInfoFlagHasValidSignature", "SignInfoFlagSignHashMismatch",
- "AuthenticodeMatch", "SignInfoFlagMicrosoftSigned", "SignInfoFlagNoSignature", "SignInfoFlagInvalidSignChain",
- "SignInfoFlagNoCodeKeyUsage", "SignInfoFlagNoEmbeddedCert", "SignInfoFlagThirdPartyRoot",
- "SignInfoFlagCatalogSigned", "SignInfoFlagSelfSigned", "SignInfoFlagFailedCertCheck",
- "SignInfoFlagEmbeddedSigned", "IssuerCN", "SubjectCN" to "security_result.detection_fields".
2023-12-22
- Mapped "HostUrl" to "target.url".
- Mapped "ReferrerUrl" to "network.http.referral_url".
2023-11-23
- When "is_alert" is set to "true", then mapped "event.idm.is_significant" to "true".
- When "is_alert" is set to "true", then mapped "event_simpleName" to "security_result.summary".
2023-10-11
- Added a regular expression check to validate SHA-1, MD5 and SHA256 values.
2023-08-22
- Mapped "Technique" to "security_result.attack_details.techniques.name" and corresponding technique and tactic details.
2023-08-03
- Mapped "ReflectiveDllName" to "target.file.full_path".
- Mapped "event_type" to "STATUS_UPDATE" for logs where the field "DomainName" is absent.
2023-08-01
- Mapped "Tactic" to "security_result.attack_details.tactics.name" and corresponding tactics.id.
2023-07-31
- Bug-Fix-
- Added "on_error" check for date filter.
2023-06-19
- Mapped "ParentBaseFileName" to "principal.process.file.full_path".
- Removed mapping of "ImageFileName" to "target.file.full_path" as it is already mapped to "target.process.file.full_path" for events "ProcessRollup2" and "SyntheticProcessRollup2".
2023-05-12
- Enhancement -
- Mapped 'aip' to 'intermediary.ip'.
2023-05-08
- Bugfix - Convert time formats to string and handled nanoseconds time format.
2023-04-14
- Enhancement - Modified "Severity" value of range [0-19] to "security_result.severity" as "INFORMATIONAL".
- Modified "Severity" value of range [20-39] to "security_result.severity" as "LOW".
- Modified "Severity" value of range [40-59] to "security_result.severity" as "MEDIUM".
- Modified "Severity" value of range[60-79] to "security_result.severity" as "HIGH".
- Modified "Severity" value of range[80-100] to "security_result.severity" as "CRITICAL".
- Mapped "PatternId" to "security_result.detection_fields".
- Mapped "SourceEndpointIpAddress" to "principal.ip".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ userlogonfailed" and user information not present.
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "ExternalApiType = "Event_UserActivityAuditEvent"" and has user information.
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ "ActiveDirectory".
- Mapped "TargetAccountObjectGuid" to "additional.fields".
- Mapped "TargetDomainControllerObjectGuid" to "additional.fields".
- Mapped "TargetDomainControllerObjectSid" to "additional.fields".
- Mapped "AggregationActivityCount" to "additional.fields".
- Mapped "TargetServiceAccessIdentifier" to "additional.fields".
- Mapped "SourceAccountUserPrincipal" to "principal.user.userid".
- Mapped "SourceEndpointAddressIP4" to "principal.ip".
- Mapped "SourceAccountObjectGuid" to "additional.fields".
- Mapped "AccountDomain" to "principal.administrative_domain".
- Mapped "AccountObjectGuid" to "metadata.product_log_id".
- Mapped "AccountObjectSid" to "principal.user.windows_sid".
- Mapped "SamAccountName" to "principal.user.user_display_name".
- Mapped "SourceAccountSamAccountName" to "principal.user.user_display_name".
- Mapped "IOARuleGroupName" to "security_result.detection_fields".
- Mapped "IOARuleName" to "security_result.detection_fields".
- Mapped "RemoteAddressIP4" to "target.ip" for "event_simpleName"="RegCredAccessDetectInfo".
2023-03-24
- Mapped "ID" to "metadata.product_log_id" instead of "target.resource.id".
- Mapped "RegBinaryValue" to "target.registry.registry_value_data" if both "RegNumericValue" and "RegStringValue" are null.
2023-03-21
- Enhancement -
- Mapped "BatchTimestamp", "GcpCreationTimestamp", "K8SCreationTimestamp", "AwsCreationTimestamp" to "metadata.event_timestamp".
- Mapped "FileOperatorSid"to "target.user.windows_sid".
2023-03-13
- Enhancement -
- Mapped "LogonTime", "ProcessStartTime", "ContextTimeStamp", "ContextTimeStamp_decimal", and "AccountCreationTimeStamp" to "metadata.event_timestamp".
2023-03-10
- Enhancement -
- Mapped "CallStackModuleNamesVersion","CallStackModuleNamesVersion" to security_result.detection_fields.
2023-02-28
- Enhancement - Modified the following mappings for field "ParentProcessId" when "event_simpleName" is in ["ProcessRollup2", "SyntheticProcessRollup2"]
- "target.process.parent_process.pid" modified to "target.process.parent_process.product_specific_process_id"
2023-02-16
- Enhancement -
- Mapped the field "AssociatedFile" to "security_result.detection_fields[n].value" and the "security_result.detection_fields[n].key" is mapped to "AssociatedIOCFile".
2023-02-09
- Enhancement -
- Mapped "RegNumericValue" to "target.registry.registry_value_data".
- Mapped "ManagedPdbBuildPath" to "target.labels".
2023-02-09
- Enhancement
- Remapped the fields getting mapped under "target.labels" to "target.resource.attribute.labels".
- Rectified the mapping for "ManagedPdbBuildPath" to "target.resource.attribute.labels".
2023-01-15
- BugFix -
- Remapped "aid" for "UserLogonFailed" event to "target.asset_id" from "principal.asset_id".
2023-01-13
- Enhancement -
- Added mapping for "Severity", mapping it to "security_result.severity".
2023-01-13
- Enhancement -
- User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
- "AssemblyName","ManagedPdbBuildPath","ModuleILPath" mapped to "target.labels" when metadata.product_event_type = "ReflectiveDotnetModuleLoad"
- "VirtualDriveFileName","VolumeName" mapped to "target.labels" when metadata.product_event_type = "RemovableMediaVolumeMounted"
- "ImageFileName" mapped to "target.file.full_path" when metadata.product_event_type = "ClassifiedModuleLoad"
2023-01-02
- Enhancement -
- User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
2022-12-22
- Enhancement -
- Mapped "RemoteAddressIP4" to "principal.ip" for "event_type"="Userlogonfailed2"
2022-11-04
- Enhancement -
- Mapped "GrandparentImageFileName" to "principal.process.parent_process.parent_process.file.full_path".
- Mapped "GrandparentCommandLine" to "principal.process.parent_process.parent_process.commamdLine"
2022-11-03
- Bug -
- When "event_simpleName" is "InstalledApplication" then following parameters are mapped.
- Mapped "AppName" to "principal.asset.software.name".
- Mapped "AppVersion" to "principal.asset.software.version".
2022-10-12
- Bug -
- Mapped "discoverer_aid" to "resource.attribute.labels".
- Mapped "NeighborName" to "intermediary.hostname".
- Mapped "subnet" to "additional.fields".
- Mapped "localipCount" to "additional.fields".
- Mapped "aipCount" to "additional.fields".
- Added conditional check for "LogonServer"
2022-10-07
- Bug-Fix:
- Changed "CommandLine" mapping from "principal.process.command_line" to "target.process.command_line".
2022-09-13
- Fix:
- Mapped metadata.event_type to REGISTRY_CREATION where RegOperationType is "3".
- Mapped event_type to REGISTRY_DELETION where RegOperationType is "4" or "102".
- Mapped event_type to REGISTRY_MODIFICATION where RegOperationType is "5","7","9","101" or "1".
- Mapped event_type to REGISTRY_UNCATEGORIZED where RegOperationType is not null and not in all the preceding cases.
2022-09-02
- Define field "UserPrincipal" in the statedata.
2022-08-21
- Mapped "ActivityId" to "additional.fields".
- Mapped "SourceEndpointHostName" to "principal.hostname".
- Mapped "SourceAccountObjectSid" to "principal.user.windows_sid".
- Added condition to parse "LocalAddressIP4" and "aip".
- Mapped "metadata.event_type" to "STATUS_UPDATE" where "ComputerName" and "LocalAddressIP4" is not null.
- Mapped "SourceEndpointAccountObjectGuid" to "metadata.product_log_id".
- Mapped "SourceEndpointAccountObjectSid" to "target.user.windows_sid".
- Mapped "SourceEndpointHostName" to "principal.hostname".
2022-08-18
- Fix:
- Mapped the following fields:
- "event.PatternDispositionValue" to "security_result.about.labels".
- "event.ProcessId" to "principal.process.product_specific_process_id".
- "event.ParentProcessId" to "target.process.parent_process.pid".
- "event.ProcessStartTime" to "security_result.detection_fields".
- "event.ProcessEndTime" to "security_result.detection_fields".
- "event.ComputerName" to "principal.hostname".
- "event.UserName" to "principal.user.userid".
- "event.DetectName" to "security_result.threat_name".
- "event.DetectDescription" to "security_result.description".
- "event.SeverityName" to "security_result.severity".
- "event.FileName" to "target.file.full_path".
- "event.FilePath" to "target.file.full_path".
- "event.CommandLine" to "principal.process.command_line".
- "event.SHA256String" to "target.file.sha256".
- "event.MD5String" to "security_result.about.file.md5".
- "event.MachineDomain" to "principal.administrative_domain".
- "event.FalconHostLink" to "intermediary.url".
- "event.LocalIP" to "principal.ip".
- "event.MACAddress" to "principal.mac".
- "event.Tactic" to "security_result.detection_fields".
- "event.Technique" to "security_result.detection_fields".
- "event.Objective" to "security_result.rule_name".
- "event.PatternDispositionDescription" to "security_result.summary".
- "event.ParentImageFileName" to "principal.process.parent_process.file.full_path".
- "event.ParentCommandLine" to "principal.process.parent_process.command_line".
2022-08-30
- Buganized Ids: 243245623
- Enahancement:
- Defined the field "UserPrincipal" in the statedata.
2022-07-29
- Mapped "event_category,event_module,Hmac" to "additional.fields".
- Mapped "user_name" to "principal.user.userid".
- Mapped "event_source" to "target.application".
- Added grok for "auth_group and new logs".
- Added check for "principal_ip,target_ip and event_type".
2022-07-25
Bug-Fix:
Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where "eventType" is "K8SDetectionEvent"
Mapped "metadata.event_type" to "STATUS_UPDATE" where "metadata.event_type" is null and "principal.asset_id" is not null.
Mapped "SourceAccountDomain" to "principal.administrative_domain"
Mapped "SourceAccountName" to "principal.user.userid"
Mapped "metadata.event_type" to "STATUS_UPDATE" where "EventType" is "Event_ExternalApiEvent" and "OperationName" in ["quarantined_file_update", "detection_update", "update_rule"]
Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where Path is null and FileName is null or AgentIdString is null.
Mapped "metadata.event_type" to "STATUS_UPDATE" where Protocol is null.
Added conditional check for MD5String,SHA256String,CommandLine,AgentIdString,ProcessId,ParentProcessId,FilePath,FileName.
2022-07-12
- for event_simpleName - DriverLoad,ProcessRollup,PeVersionInfo,PeFileWritten,TemplateDetectAnalysis,ScriptControlDetectInfo.
- Mapped OriginalFilename to principal.process.file.full_path
2022-06-14
- Mapped "CompanyName" to "target.user.company_name"
- Mapped "AccountType" to "target.user.role_description"
- Mapped "ProductVersion" to "metadata.product_version"
- Mapped "LogonInfo" to "principal.ip"
- Mapped "MAC" to "principal.mac"
- Mapped "UserSid_readable" to "target.user.windows_sid"
- Mapped "FileName" to "target.file.full_path"
- Mapped "_time" to "metadata.event_timestamp"
- Added Conditional check for "MD5HashData", "SHA256HashData", "UserName", "ID", "RegObjectName", "RegStringValue", "RegValueName", "UserSid", "TargetFileName", "aid"
2022-06-20
- Mapped "ConfigBuild" to "security_result.detection_fields".
- Mapped "EffectiveTransmissionClass" to "security_result.detection_fields".
- Mapped "Entitlements" to "security_result.detection_fields".
2022-06-02
- Bug-Fix: Removed key name and colon character from "security_result.detection_fields.value".
2022-05-27
- Enhancement - Additional mapping: SHA256String and MD5String to security_result.about.file to show up as Alert event.
2022-05-20
- Mapped "LinkName" to "target.resource.attribute.labels".
- Switched possible "GENERIC_EVENTS" occurrences to "STATUS_UPDATE".
- Added Backslash between the process and its parent root directory.
- Parsed platform if the "event_platform" is iOS.
- Changed resource.type to resource_type.
2022-05-12
- Enhancement - resourceName mapped to target.resource.name
- resourceId mapped to target.resource.product_object_id
- Namespace mapped to target.namespace
- Category mapped to security_result.category_details
- description mapped to security_result.description
- sourceAgent mapped to network.http.user_agent
- Severity mapped to security_result.severity
- resourceKind mapped to target.resource.type
- detectionName mapped to target.resource.name
- clusterName mapped to target.resource.attribute.labels
- clusterId mapped to target.resource.attribute.labels
- detectionId mapped to target.resource.attribute.labels
- Type mapped to additional.fields
- Remediation to additional.fields
- Benchmarks to additional.fields
- badResources to additional.fields
2022-04-27
- Bug - Fix: 1. Changed udm event_type from GENERIC_EVENT to USER_LOGIN for logs with ExternalApiType = Event_AuthActivityAuditEvent.
- 2. Changed mappings for target_user,actor_user, actor_user_uuid from additional.fields to target.user.email_addresses, target.user.user_display_name, target.user.userid respectively.
2022-04-25
- Enhancement - Mapped "RemoteAddressIP4" to principal.ip.
2022-04-14
- Bug - Added Support for ScriptContent field for all type of logs
2022-04-13
- Enhancement-Added mappings for new fields
- Added new event mappings - AuthenticationPackage mapped to target.resource.name
2022-04-04
- Bug - Mapped "OriginatingURL" to principal.url for NetworkConnect events.