Collect CrowdStrike Falcon logs

This document describes how to ingest CrowdStrike Falcon logs into Google Security Operations. It covers the following:

  • Collect CrowdStrike Falcon logs by setting up a Google Security Operations feed.
  • Map CrowdStrike Falcon log fields to Google SecOps Unified Data Model (UDM) fields.
  • Understand supported CrowdStrike Falcon log types and event types.

For more information, see the Data ingestion to Google SecOps overview.

Before you begin

Ensure that you have the following prerequisites:

  • Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
  • All systems in the deployment architecture are configured in the UTC time zone.
  • Target device runs on a supported operating system
    • Must be a 64-bit server
    • Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
    • Legacy OS versions must support SHA-2 code signing.
  • Google SecOps service account file and your customer ID from the Google SecOps support team

Deploy CrowdStrike Falcon with Google SecOps feed integration

A typical deployment consists of CrowdStrike Falcon, which sends the logs, and the Google SecOps feed, which fetches them. Your deployment might differ slightly based on your setup.

The deployment typically includes the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product you collect logs from.
  • CrowdStrike feed: The feed that fetches logs from CrowdStrike and writes them to Google SecOps.
  • CrowdStrike Intel Bridge: The CrowdStrike product that collects threat indicators from the data source and forwards them to Google SecOps.
  • Google SecOps: The platform that retains, normalizes and analyzes the CrowdStrike detection logs.
  • An ingestion label parser that normalizes raw log data into the UDM format. The information in this document applies to CrowdStrike Falcon parsers with the following ingestion labels:
    • CS_EDR
    • CS_DETECTS
    • CS_IOC: The CrowdStrike Indicator of Compromise (IoC) parser supports the following indicator types:
      • domain
      • email_address
      • file_name
      • file_path
      • hash_md5
      • hash_sha1
      • hash_sha256
      • ip_address
      • mutex_name
      • url
    • CS_ALERTS: The CrowdStrike Alerts parser supports the following product types:
      • epp
      • idp
      • overwatch
      • xdr
      • mobile
      • cwpp
      • ngsiem

Configure a Google SecOps feed for CrowdStrike EDR logs

The following procedures are needed to configure the feed.

How to configure CrowdStrike

To set up a Falcon Data Replicator feed, follow these steps:

  1. Sign in to the CrowdStrike Falcon Console.
  2. Go to Support Apps > Falcon Data Replicator.
  3. Click Add to create a new Falcon Data Replicator feed and generate the following values:
    • Feed
    • S3 identifier
    • SQS URL
    • Client secret
  4. Keep these values to set up a feed in Google SecOps.

For more information, see How to set up a Falcon Data Replicator feed.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New Feed
  • Content Hub > Content Packs > Get Started

How to set up the CrowdStrike Falcon feed

  1. Click the CrowdStrike pack.
  2. In the CrowdStrike Falcon log type, specify values for the following fields:

    • Source: Amazon SQS V2
    • Queue Name: Name of the SQS queue from which to read log data.
    • S3 URI: The S3 bucket source URI.
    • Source deletion option: Option to delete files and directories after transferring the data.
    • Maximum File Age: Include files modified within the last number of days. Default is 180 days.
    • SQS Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE.
    • SQS Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

    Advanced options

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.
  3. Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Set up an ingestion feed with Amazon S3 bucket

To set up an ingestion feed using an S3 bucket, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
  5. In Source type, select Amazon S3.
  6. In Log type, select CrowdStrike Falcon.
  7. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:
    • Region: S3 region URI.
    • S3 URI: S3 bucket source URI.
    • URI is a: Type of object that the URI points to (for example, file or folder).
    • Source deletion option: Option to delete files and directories after transferring the data.
    • Access key ID: Access key (20-character alphanumeric string). For example, AKIAOSFOODNN7EXAMPLE.
    • Secret access key: Secret access key (40-character alphanumeric string). For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    • OAuth client ID: Public OAuth client ID.
    • OAuth client secret: OAuth 2.0 client secret.
    • OAuth secret refresh URI: OAuth 2.0 client secret refresh URI.
    • Asset namespace: Namespace associated with the feed.

Configure a Google SecOps feed for CrowdStrike logs

To forward CrowdStrike detection monitoring logs, follow these steps:

  1. Sign in to CrowdStrike Falcon Console.
  2. Go to Support Apps > API Clients and Keys.
  3. Create a new API client key pair at CrowdStrike Falcon. This key pair must have READ permissions for both Detections and Alerts from CrowdStrike Falcon.

Ingest logs using Cloud Storage for CrowdStrike EDR logs

You can configure CrowdStrike to send EDR logs to a Cloud Storage bucket, and then ingest these logs into Google SecOps using a feed. This process requires coordination with CrowdStrike Support.

Before you begin

  • Ensure you have an active CrowdStrike Falcon instance.
  • Ensure you have a Google Cloud project where you can create Cloud Storage buckets and manage IAM permissions.
  • Ensure you have an active Google SecOps instance.
  • Ensure you have administrator rights in both your Google Cloud environment and your Google SecOps instance.

Steps

  1. Contact CrowdStrike Support: Open a support ticket with CrowdStrike to enable and configure the feature to push EDR logs to your Cloud Storage bucket. CrowdStrike Support will provide guidance on the specific required configurations.

  2. Create the Cloud Storage bucket and grant permissions:

    1. In the Google Cloud console, create a new bucket in Cloud Storage. Note the bucket name (for example, gs://my-crowdstrike-edr-logs/).
    2. Grant write permissions to the service account or entity provided by CrowdStrike. Follow the instructions from CrowdStrike Support to grant the permission that allows log files to be written into this bucket.
  3. Configure the Google SecOps feed:

    1. In your Google SecOps instance, go to SIEM Settings > Feeds.
    2. Click Add New.
    3. Enter a descriptive Feed name (for example, CS-EDR-GCS).
    4. For Source type, select Google Cloud Storage V2.
    5. For Log type, select CrowdStrike Falcon.
    6. In the service account section, click Get Service Account. Copy the unique service account email address displayed.
    7. In the Google Cloud console, navigate to your Cloud Storage bucket. Grant the Storage Object Viewer IAM role to the service account email address copied from the Google SecOps feed settings. This permission allows the feed to read the log files.
    8. Return to the Google SecOps Feed configuration page.
    9. Enter the Storage Bucket URL using the name of the bucket you created (for example, gs://my-crowdstrike-edr-logs/). This URL must end with a trailing forward slash (/).
    10. Select a Source Deletion Option:
      • Never delete files: Recommended.
      • Delete transferred files and empty directories: Use with caution.
    11. Optional: Specify an Asset Namespace.
    12. Click Next, review the settings, and then click Submit.
  4. Verify log ingestion: After CrowdStrike confirms that logs are being pushed, allow some time for data to be ingested into Google SecOps. Check for incoming logs by searching with the Log Type CROWDSTRIKE_EDR in Google SecOps.

If you encounter issues, review the IAM permissions on the Cloud Storage bucket and the feed configuration in Google SecOps. If issues persist, contact the Google SecOps support team.

To receive CrowdStrike detection monitoring logs, follow these steps:

  1. Sign in to your Google SecOps instance.
  2. Go to SIEM Settings > Feeds.
  3. Click Add New Feed.
  4. On the next page, click Configure a single feed.
  5. In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
  6. In Source type, select Third Party API.
  7. In Log type, select CrowdStrike Detection Monitoring.

If you encounter issues, contact the Google SecOps support team.

Ingest CrowdStrike IoC logs into Google SecOps

To configure log ingestion from CrowdStrike into Google SecOps for IoC logs, complete the following steps:

  1. Create a new API client key pair at CrowdStrike Falcon Console. This key pair allows Google SecOps Intel Bridge to access and read events and supplementary information from CrowdStrike Falcon. For setup instructions, see CrowdStrike to Google SecOps Intel Bridge.
  2. Provide READ permission to Indicators (Falcon Intelligence) when you create the key pair.
  3. Set up the Google SecOps Intel Bridge by following the steps in CrowdStrike to Google SecOps Intel Bridge.
  4. Run the following Docker commands to send the logs from CrowdStrike to Google SecOps, where sa.json is the Google SecOps service account file:

    # Build the Intel Bridge container image from the cloned repository directory
    docker build . -t ccib:latest
    # Run it with the Falcon API credentials and the mounted service account file
    docker run -it --rm \
          -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
          -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \
          -e FALCON_CLOUD_REGION="$FALCON_CLOUD" \
          -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID" \
          -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json \
          -v ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json \
          ccib:latest

  5. After the container runs successfully, IoC logs will begin streaming into Google SecOps.

Configure a Google SecOps feed for CrowdStrike alerts logs

To set up an ingestion feed for CrowdStrike alerts logs, perform the following steps:

In the CrowdStrike Falcon Console:

  1. Sign in to the CrowdStrike Falcon Console.
  2. On the API Clients and Keys page (Support and resources > Resources and tools > API Clients and Keys), click Create API client.
  3. Enter details to define your API client:
    • Client Name
    • Description
    • API Scopes: Select the Read and Write boxes next to the Alerts scope to enable access.
  4. Click Create to save the API client and generate the client ID and secret. Note: The Client ID, secret, and Base URL are used in later steps.

In the Google SecOps instance:

  1. Sign in to your Google SecOps instance.
  2. From the Google SecOps menu, select Settings, and then click Feeds.
  3. Click Add New Feed.
  4. In Source type, select Third Party API.
  5. In Log type, select CrowdStrike Alerts API.
  6. Click Next and populate the following fields using the values collected from the CrowdStrike API client:
    • OAuth token endpoint
    • OAuth client ID
    • OAuth client secret
    • Base URL
  7. Click Next and then click Submit.

If you encounter issues, contact the Google SecOps support team.

UDM Mapping Delta for CrowdStrike alerts logs

UDM Mapping Delta reference: CS_ALERTS

The following table lists the differences between the default CS_ALERTS parser and the premium CS_ALERTS parser. Each row gives the default UDM mapping, the log field, and the premium mapping delta.

Several rows depend on whether the technique_name log field value contains one of the following values, referred to below as the file-related technique list:

  • Archive via Library
  • Ingress Tool Transfer
  • Remote File Copy
  • File Transfer Protocols
  • Credentials from Web Browsers
  • Credentials In Files
  • Proc Filesystem
  • Unsecured Credentials
  • File Deletion
  • Obfuscated Files or Information
  • Compile After Delivery
  • Compiled HTML File
  • Deobfuscate/Decode Files or Information
  • Double File Extension
  • File and Directory Permissions Modification
  • File System Logical Offsets
  • Hidden Files and Directories
  • Install Root Certificate
  • Archive Collected Data
  • Archive via Custom Method
  • Archive via Utility
  • Linux and Mac File and Directory Permissions Modification
  • MMC
  • NTFS File Attributes
  • PubPrn
  • Resource Forking
  • Rundll32
  • Scripting
  • Space after Filename
  • System Script Proxy Execution
  • XSL Script Processing
  • Intelligence Indicator - Hash
  • Known Hash
  • Malicious File
  • File and Directory Discovery
  • AppleScript
  • Command and Scripting Interpreter
  • JavaScript
  • JavaScript/JScript
  • Malicious Image
  • PowerShell
  • Python
  • Service Execution
  • Unix Shell
  • User Execution
  • Data Destruction
  • Spearphishing Attachment
  • .bash_profile and .bashrc
  • Change Default File Association
  • Ccache Files
  • Chat Messages
  • Multi-Factor Authentication
  • TCC Manipulation
  • Application Versioning
  • Fileless Storage
  • Embedded Payloads
  • File/Path Exclusions
  • Encrypted/Encoded File
  • Match Legitimate Resource Name or Location
  • Masquerade File Type
  • Stripped Payloads
  • Clear Network Connection History and Configurations
  • Disable or Modify Linux Audit System
  • Junk Code Insertion
  • Extended Attributes
  • SVG Smuggling
  • Indicator Removal
  • LNK Icon Smuggling
  • Polymorphic Code
  • Relocate Malware
  • Clear Persistence
  • Compression
  • Compromise Host Software Binary
  • Conceal Multimedia Files
  • Browser Information Discovery
  • Taint Shared Content
  • Shared Webroot

Mapping deltas (default UDM mapping, log field, premium mapping delta):

  • about.resource.product_object_id (log field cid): Removed mapping to avoid duplication, because the cid log field is also mapped to metadata.product_deployment_id.
  • principal.asset.platform_software.platform (log field platform): If the device.platform_name log field value is empty and the platform log field value is not empty, then the principal.asset.platform_software.platform UDM field is set to WINDOWS if the platform log field value matches the regular expression pattern (?i)Windows; else to LINUX if it matches (?i)Linux; else to MAC if it matches (?i)Mac; else to IOS if it matches (?i)ios.
  • security_result.detection_fields[agent_id] (log field agent_id): If the device.device_id, host_id, and mdm_device_id log field values are all empty, then CS:%{agent_id} is mapped to the principal.asset_id UDM field. Else, the principal.asset.attribute.labels.key UDM field is set to agent_id and the agent_id log field is mapped to the principal.asset.attribute.labels.value UDM field.
  • security_result.detection_fields[idp_policy_account_event_type] (log field idp_policy_account_event_type): security_result.rule_labels[idp_policy_account_event_type]
  • security_result.detection_fields[idp_policy_mfa_factor_type] (log field idp_policy_mfa_factor_type): security_result.rule_labels[idp_policy_mfa_factor_type]
  • security_result.detection_fields[idp_policy_mfa_provider_name] (log field idp_policy_mfa_provider_name): security_result.rule_labels[idp_policy_mfa_provider_name]
  • security_result.detection_fields[idp_policy_mfa_provider] (log field idp_policy_mfa_provider): security_result.rule_labels[idp_policy_mfa_provider]
  • security_result.detection_fields[idp_policy_rule_action] (log field idp_policy_rule_action): security_result.rule_labels[idp_policy_rule_action]
  • security_result.detection_fields[idp_policy_rule_trigger] (log field idp_policy_rule_trigger): security_result.rule_labels[idp_policy_rule_trigger]
  • security_result.detection_fields[idp_policy_rule_id] (log field idp_policy_rule_id): security_result.rule_id
  • security_result.detection_fields[idp_policy_rule_name] (log field idp_policy_rule_name): security_result.rule_name
  • target.process.file.mime_type (log field alleged_filetype): If the technique_name log field value contains a value from the file-related technique list, then the alleged_filetype log field is mapped to the target.file.mime_type UDM field. Else, it is mapped to the target.process.file.mime_type UDM field.
  • principal.resource.product_object_id (log field device.cid): principal.asset.attribute.labels[device_cid]
  • security_result.detection_fields[active_directory_dn_display] (log field device.hostinfo.active_directory_dn_display): Iterate through the device.hostinfo.active_directory_dn_display log field; for each value, the security_result.detection_fields.key UDM field is set to device_hostinfo_active_directory_dn_display and the value is mapped to the security_result.detection_fields.value UDM field.
  • principal.asset.platform_software.platform (log field device.platform_name): If the device.platform_name log field value is not empty, then the principal.asset.platform_software.platform UDM field is set to WINDOWS if the device.platform_name log field value matches the regular expression pattern (?i)Windows; else to LINUX if it matches (?i)Linux; else to MAC if it matches (?i)Mac; else to IOS if it matches (?i)ios. If the platform log field value is not empty and the device.platform_name log field value is equal to the platform log field value, then the principal.asset.attribute.labels.key UDM field is set to platform and the platform log field is mapped to the principal.asset.attribute.labels.value UDM field.
  • principal.asset.platform_software.platform_version (log field device.system_product_name): principal.asset.hardware.model
  • target.process.file.names (log field filename): If the technique_name log field value contains a value from the file-related technique list, then the filename log field is mapped to the target.file.names UDM field. Else, it is mapped to the target.process.file.names UDM field.
  • target.file.full_path (log field filepath): If the technique_name log field value contains a value from the file-related technique list, then the filepath log field is mapped to the target.file.full_path UDM field. Else, it is mapped to the target.process.file.full_path UDM field. If the product log field value is equal to epp, the type log field value is equal to ofp, and the macros.ioc_description log field value is not empty, then the macros.ioc_description log field is mapped to the target.file.full_path UDM field, the security_result.detection_fields.key UDM field is set to filepath, and the filepath log field is mapped to the security_result.detection_fields.value UDM field.
  • target.process_ancestors.command_line (log field grandparent_details.cmdline): target.process.parent_process.parent_process.command_line
  • target.process_ancestors.file.names (log field grandparent_details.filename): target.process.parent_process.parent_process.file.names
  • target.process_ancestors.file.full_path (log field grandparent_details.filepath): target.process.parent_process.parent_process.file.full_path
  • target.process_ancestors.file.md5 (log field grandparent_details.md5): target.process.parent_process.parent_process.file.md5
  • target.process_ancestors.product_specific_process_id (log field grandparent_details.process_graph_id): If the grandparent_details.process_graph_id log field value is not empty, then PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id} is mapped to the target.process.parent_process.parent_process.product_specific_process_id UDM field.
  • target.process_ancestors.pid (log field grandparent_details.process_id): target.process.parent_process.parent_process.pid
  • target.process_ancestors.file.sha256 (log field grandparent_details.sha256): target.process.parent_process.parent_process.file.sha256
  • security_result.detection_fields[ioc_description] (log field ioc_context.ioc_description): Iterate through the ioc_context log field; for each entry, the security_result.detection_fields.key UDM field is set to ioc_context_ioc_description and the ioc_context.ioc_description log field is mapped to the security_result.detection_fields.value UDM field.
  • security_result.detection_fields[ioc_source] (log field ioc_context.ioc_source): Iterate through the ioc_context log field; for each entry, the security_result.detection_fields.key UDM field is set to ioc_context_ioc_source and the ioc_context.ioc_source log field is mapped to the security_result.detection_fields.value UDM field.
  • target.process.file.md5 (log field md5): If the technique_name log field value contains a value from the file-related technique list, then the md5 log field is mapped to the target.file.md5 UDM field. Else, it is mapped to the target.process.file.md5 UDM field.
  • target.process.file.sha1 (log field sha1): If the technique_name log field value contains a value from the file-related technique list, then the sha1 log field is mapped to the target.file.sha1 UDM field. Else, it is mapped to the target.process.file.sha1 UDM field.
  • target.file.sha256 (log field sha256): If the technique_name log field value contains a value from the file-related technique list, then the sha256 log field is mapped to the target.file.sha256 UDM field. Else, it is mapped to the target.process.file.sha256 UDM field. If the product log field value is equal to epp, the type log field value is equal to ofp, the ioc_type log field value is equal to hash_sha256, and the macros.ioc_value log field value is not empty, then the macros.ioc_value log field is mapped to the target.file.sha256 UDM field, the security_result.detection_fields.key UDM field is set to sha256, and the sha256 log field is mapped to the security_result.detection_fields.value UDM field.
  • target.asset.platform_software.platform (log field operating_system): If the operating_system log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if it matches (?i)linux, it is set to LINUX. Else, if it matches (?i)ios, it is set to IOS. Else, if it matches (?i)mac, it is set to MAC.
  • security_result.detection_fields[agent_version] (log field agent_version): principal.asset.attribute.labels[agent_version]
  • about.email (log field enrollment_email): principal.user.email_addresses
  • principal.asset.type: If the mdm_device_id log field value is not empty, or the mobile_hardware log field value is not empty, or the mobile_manufacturer log field value is not empty, or the mobile_serial log field value is not empty, then the principal.asset.type UDM field is set to MOBILE.
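The conditional rules in the delta table decide where file hashes, paths and asset identifiers land, which is what detection rules and dashboards will key on after moving to the premium parser. The following Python is an added reference model of those rules (not the Google SecOps parser or CrowdStrike code); it flattens UDM paths into dotted dict keys, treats the table's "contains one of the following values" as an exact match against the technique list (an assumption), and runs on a constructed alert record so the expected placement can be checked before rules are pointed at the premium fields.

```python
"""Reference model of the premium CS_ALERTS mapping delta (added example, not the
Google SecOps parser). Flattened dotted UDM keys stand in for the real UDM schema."""
import re

# technique_name values for which file attributes land on target.file.* rather than
# target.process.file.* (copied from the delta table; "contains" is modelled as exact
# membership, which is an assumption about the parser's comparison).
FILE_TECHNIQUES = frozenset([
    "Archive via Library", "Ingress Tool Transfer", "Remote File Copy",
    "File Transfer Protocols", "Credentials from Web Browsers", "Credentials In Files",
    "Proc Filesystem", "Unsecured Credentials", "File Deletion",
    "Obfuscated Files or Information", "Compile After Delivery", "Compiled HTML File",
    "Deobfuscate/Decode Files or Information", "Double File Extension",
    "File and Directory Permissions Modification", "File System Logical Offsets",
    "Hidden Files and Directories", "Install Root Certificate", "Archive Collected Data",
    "Archive via Custom Method", "Archive via Utility",
    "Linux and Mac File and Directory Permissions Modification", "MMC",
    "NTFS File Attributes", "PubPrn", "Resource Forking", "Rundll32", "Scripting",
    "Space after Filename", "System Script Proxy Execution", "XSL Script Processing",
    "Intelligence Indicator - Hash", "Known Hash", "Malicious File",
    "File and Directory Discovery", "AppleScript", "Command and Scripting Interpreter",
    "JavaScript", "JavaScript/JScript", "Malicious Image", "PowerShell", "Python",
    "Service Execution", "Unix Shell", "User Execution", "Data Destruction",
    "Spearphishing Attachment", ".bash_profile and .bashrc",
    "Change Default File Association", "Ccache Files", "Chat Messages",
    "Multi-Factor Authentication", "TCC Manipulation", "Application Versioning",
    "Fileless Storage", "Embedded Payloads", "File/Path Exclusions",
    "Encrypted/Encoded File", "Match Legitimate Resource Name or Location",
    "Masquerade File Type", "Stripped Payloads",
    "Clear Network Connection History and Configurations",
    "Disable or Modify Linux Audit System", "Junk Code Insertion", "Extended Attributes",
    "SVG Smuggling", "Indicator Removal", "LNK Icon Smuggling", "Polymorphic Code",
    "Relocate Malware", "Clear Persistence", "Compression",
    "Compromise Host Software Binary", "Conceal Multimedia Files",
    "Browser Information Discovery", "Taint Shared Content", "Shared Webroot",
])
PLATFORM_RE = {"WINDOWS": "windows", "LINUX": "linux", "MAC": "mac", "IOS": "ios"}
FILE_FIELDS = (("alleged_filetype", "mime_type"), ("filename", "names"),
               ("filepath", "full_path"), ("md5", "md5"), ("sha1", "sha1"), ("sha256", "sha256"))


def platform_enum(value, order=("WINDOWS", "LINUX", "MAC", "IOS")):
    """First platform whose (?i) pattern matches; the operating_system row checks ios before mac."""
    for enum in order:
        if re.search(PLATFORM_RE[enum], value or "", re.IGNORECASE):
            return enum
    return None


def map_alert(alert):
    """Apply the premium delta rules to one CS_ALERTS record (a plain dict)."""
    udm, labels, detection = {}, {}, {}
    get, device, macros = alert.get, alert.get("device", {}), alert.get("macros", {})
    # cid now lands only on metadata.product_deployment_id (the about.* mapping was removed).
    if get("cid"):
        udm["metadata.product_deployment_id"] = get("cid")
    # device.platform_name wins; platform is the fallback, or a label when both agree.
    enum = platform_enum(device.get("platform_name") or get("platform"))
    if enum:
        udm["principal.asset.platform_software.platform"] = enum
    if device.get("platform_name") and get("platform") == device["platform_name"]:
        labels["platform"] = get("platform")
    # agent_id becomes the asset ID only when no other device identifier is present.
    if get("agent_id"):
        if device.get("device_id") or get("host_id") or get("mdm_device_id"):
            labels["agent_id"] = get("agent_id")
        else:
            udm["principal.asset_id"] = f"CS:{get('agent_id')}"
    # File attributes follow the technique: target.file.* for file-centric techniques.
    prefix = "target.file." if get("technique_name") in FILE_TECHNIQUES else "target.process.file."
    for log_field, udm_field in FILE_FIELDS:
        if get(log_field):
            udm[prefix + udm_field] = get(log_field)
    # epp/ofp alerts: IoC macros take the target.file slot, raw values move to detection_fields.
    if get("product") == "epp" and get("type") == "ofp":
        if macros.get("ioc_description"):
            udm["target.file.full_path"] = macros["ioc_description"]
            detection["filepath"] = get("filepath")
        if get("ioc_type") == "hash_sha256" and macros.get("ioc_value"):
            udm["target.file.sha256"] = macros["ioc_value"]
            detection["sha256"] = get("sha256")
    # Any mobile identifier marks the asset as MOBILE.
    if any(get(k) for k in ("mdm_device_id", "mobile_hardware", "mobile_manufacturer", "mobile_serial")):
        udm["principal.asset.type"] = "MOBILE"
    udm["principal.asset.attribute.labels"] = labels
    udm["security_result.detection_fields"] = detection
    return udm


# Constructed sample alert (not real telemetry) that exercises the epp/ofp override path.
SAMPLE_ALERT = {
    "cid": "constructed-cid", "agent_id": "constructed-agent-id", "product": "epp", "type": "ofp",
    "technique_name": "Malicious File", "platform": "Windows", "device": {"platform_name": "Windows"},
    "filename": "sample.exe", "filepath": "\\Device\\HarddiskVolume3\\Users\\Public\\sample.exe",
    "sha256": "0" * 64, "ioc_type": "hash_sha256",
    "macros": {"ioc_description": "C:\\Users\\Public\\sample.exe", "ioc_value": "f" * 64},
}

if __name__ == "__main__":
    for key, value in sorted(map_alert(SAMPLE_ALERT).items()):
        print(f"{key}: {value}")
```

For the sample record the hash from macros.ioc_value ends up in target.file.sha256 while the raw sha256 field is preserved under security_result.detection_fields, so a rule that previously read target.process.file.sha256 would silently miss these alerts after the switch.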

Supported CrowdStrike log formats

The CrowdStrike parser supports logs in JSON format.
