Collect CrowdStrike Falcon EDR logs

Supported in:

This document describes how you can export CrowdStrike Falcon EDR logs to Google Security Operations through Google Security Operations feed, and how CrowdStrike Falcon EDR fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of CrowdStrike enabled for ingestion to Google Security Operations. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • CrowdStrike Falcon Intelligence: The CrowdStrike product from which you collect logs.

  • Google Security Operations: Retains and analyzes the CrowdStrike EDR logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CS_EDR ingestion label.

Before you begin

  • Ensure that you have administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor.

  • Ensure that the device is running on a supported operating system.

    • The OS must be running on a 64-bit server. Microsoft Windows server 2008 R2 SP1 is supported for Crowdstrike Falcon Host sensor versions 6.51 or later.
    • Systems running legacy OS versions (for example, Windows 7 SP1) require SHA-2 code signing support installed on their devices.
  • Obtain the Google Security Operations service account file and your customer ID from the Google Security Operations support team.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

Configure a Falcon Data Replicator Feed

To set up an Falcon Data Replicator feed, follow these steps:

  1. Click the ADD button to create a new Falcon Data Replicator feed. This will generate S3 identifier, SQS URL and Client secret.
  2. Use the generated Feed, S3 identifier, SQS URL, and Client secret values to set up feed in Google Security Operations.

Configure a feed in Google Security Operations to ingest CrowdStrike EDR logs

You can use SQS or S3 bucket to setup ingestion feed in Google Security Operations. SQS is preferred but S3 is also supported.

To set up an ingestion feed using S3 bucket, follow these steps:

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. In Source type, select Amazon S3.
  5. In Log type, select CrowdStrike Falcon.
  6. Click Next.
  7. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:
    Field Description
    region The S3 region associated with URI.
    S3 uri The S3 bucket source URI.
    uri is a The type of object URI points to.
    source deletion option Whether to delete files and/or directories after transferring.
    access key id An account access key that is 20-character alphanumeric string, for exapmple AKIAOSFOODNN7EXAMPLE.
    secret access key An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    oauth client id A public, client-specific OAuth identifier.
    oauth client secret OAuth 2.0 client secret.
    oauth secret refresh uri OAuth 2.0 client secret refresh URI.
    asset namespace The namespace the feed will be associated with.
  8. Click Next and then click Submit.

To set up an ingestion feed using SQS, follow the steps:

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. In Source type, select Amazon SQS.
  5. In Log type, select CrowdStrike Falcon.
  6. Click Next.
  7. Based on the service account and the Amazon SQS configuration that you created, specify values for the following fields:
    Field Description
    region The S3 region associated with URI.
    QUEUE NAME The SQS queue name to read from.
    ACCOUNT NUMBER The SQS account number.
    source deletion option Whether to delete files and/or directories after transferring.
    QUEUE ACCESS KEY ID An account access key that is 20-character alphanumeric string, for example, AKIAOSFOODNN7EXAMPLE.
    QUEUE SECRET ACCESS KEY An account access key that is a 40-character alphanumeric string, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    asset namespace The namespace that the feed will be associated with.
  8. Click Next and then click Submit. Note: You can reach out to the Google Security Operations support team in case of any issues while setting up feeds and sending Crowdstrike EDR Monitoring data to Google Security Operations.

Field mapping reference

This parser processes CrowdStrike Falcon platform JSON logs, normalizing them into UDM. It extracts fields, handles various timestamp formats, maps event types to UDM event types, and enriches the data with MITRE ATT&CK information and additional context. The parser also handles specific event types and logic for user logins, network connections, and file operations, ensuring comprehensive UDM coverage.

UDM mapping table

Log Field UDM Mapping Logic
AccountCreationTimeStamp event.idm.read_only_udm.metadata.event_timestamp The raw log field AccountCreationTimeStamp is converted to a UDM timestamp and mapped to event_timestamp.
AccountDomain event.idm.read_only_udm.principal.administrative_domain Direct mapping.
AccountObjectGuid event.idm.read_only_udm.metadata.product_log_id Direct mapping.
AccountObjectSid event.idm.read_only_udm.principal.user.windows_sid Direct mapping.
ActiveDirectoryAuthenticationMethod event.idm.read_only_udm.extensions.auth.mechanism If ActiveDirectoryAuthenticationMethod is 0, the mechanism is KERBEROS. Otherwise, the mechanism is AUTHTYPE_UNSPECIFIED.
ActivityId event.idm.read_only_udm.additional.fields[ActivityId] Added as a key-value pair to the additional_fields array.
AggregationActivityCount event.idm.read_only_udm.additional.fields[AggregationActivityCount] Added as a key-value pair to the additional_fields array.
AgentIdString event.idm.read_only_udm.principal.asset_id Prefixed with "CS:".
AgentOnlineMacV13 event.idm.read_only_udm.metadata.description Direct mapping.
AgentVersion event.idm.read_only_udm.principal.asset.attribute.labels[AgentVersion] Added as a key-value pair to the labels array.
aid event.idm.read_only_udm.principal.asset_id Prefixed with "CS:".
aip event.idm.read_only_udm.principal.nat_ip, intermediary.ip If _aid_is_target is false, map to principal.nat_ip and intermediary.ip. If _aid_is_target is true and LogonType is 3, map to target.nat_ip and intermediary.ip.
aipCount event.idm.read_only_udm.additional.fields[aipCount] Added as a key-value pair to the additional_fields array.
AppName event.idm.read_only_udm.principal.asset.software.name Direct mapping.
ApplicationName event.idm.read_only_udm.target.application Direct mapping.
AppVersion event.idm.read_only_udm.principal.asset.software.version Direct mapping.
AsepFileChangeMacV2 event.idm.read_only_udm.metadata.description Direct mapping.
AsepKeyUpdateV6 event.idm.read_only_udm.metadata.description Direct mapping.
AsepValueUpdateV7 event.idm.read_only_udm.metadata.description Direct mapping.
AssociateIndicatorV5 event.idm.read_only_udm.metadata.description Direct mapping.
AssociateTreeIdWithRootV6 event.idm.read_only_udm.metadata.description Direct mapping.
AssemblyName event.idm.read_only_udm.target.resource.attribute.labels[AssemblyName] Added as a key-value pair to the labels array.
AuthenticationId event.idm.read_only_udm.principal.user.product_object_id, event.idm.read_only_udm.target.user.product_object_id If _aid_is_target is false, map to principal.user.product_object_id. If _aid_is_target is true and LogonType is 3, map to target.user.product_object_id.
AuthenticationPackage event.idm.read_only_udm.target.resource.name Direct mapping.
AuthenticodeHashData event.idm.read_only_udm.target.file.authentihash Direct mapping.
AuthenticodeMatch event.idm.read_only_udm.security_result.detection_fields[AuthenticodeMatch] Added as a key-value pair to the detection_fields array.
AuthorityKeyIdentifier event.idm.read_only_udm.security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid, event.idm.read_only_udm.security_result.about.artifact.last_https_certificate.cert_extensions.fields[authority_key_id.keyid] Added as a key-value pair to the cert_extensions.fields array.
BatchTimestamp event.idm.read_only_udm.metadata.event_timestamp The raw log field BatchTimestamp is converted to a UDM timestamp and mapped to event_timestamp.
badResources event.idm.read_only_udm.additional.fields[badResource_n] For each element in the badResources array, a key-value pair is added to the additional_fields array with the key badResource_n, where n is the index of the element.
benchmarks event.idm.read_only_udm.additional.fields[benchmark_n] For each element in the benchmarks array, a key-value pair is added to the additional_fields array with the key benchmark_n, where n is the index of the element.
BehaviorWhitelistedV3 event.idm.read_only_udm.metadata.description Direct mapping.
BillingInfoV2 event.idm.read_only_udm.metadata.description Direct mapping.
BiosVersion event.idm.read_only_udm.principal.asset.attribute.labels[BiosVersion] Added as a key-value pair to the labels array.
BITSJobCreatedV2 event.idm.read_only_udm.metadata.description Direct mapping.
BrowserInjectedThreadV5 event.idm.read_only_udm.metadata.description Direct mapping.
CallStackModuleNames event.idm.read_only_udm.security_result.detection_fields[CallStackModuleNames] Added as a key-value pair to the detection_fields array.
CallStackModuleNamesVersion event.idm.read_only_udm.security_result.detection_fields[CallStackModuleNamesVersion] Added as a key-value pair to the detection_fields array.
category event.idm.read_only_udm.security_result.category_details Direct mapping.
ChannelVersionRequiredV1 event.idm.read_only_udm.metadata.description Direct mapping.
ChassisType event.idm.read_only_udm.principal.asset.attribute.labels[ChassisType] Added as a key-value pair to the labels array.
cid event.idm.read_only_udm.metadata.product_deployment_id Direct mapping.
City event.idm.read_only_udm.principal.location.city Direct mapping.
ClassifiedModuleLoadV1 event.idm.read_only_udm.metadata.description Direct mapping.
CloudAssociateTreeIdWithRootV3 event.idm.read_only_udm.metadata.description Direct mapping.
CommandLine event.idm.read_only_udm.principal.process.command_line, event.idm.read_only_udm.target.process.command_line, event.idm.read_only_udm.principal.process.parent_process.parent_process.command_line If event_simpleName is ProcessRollup2 or SyntheticProcessRollup2, map to target.process.command_line. If event_simpleName is CreateService, map to principal.process.command_line. If event_simpleName is FalconHostFileTamperingInfo, map to principal.process.command_line. If event_simpleName is HostedServiceStarted or ServiceStarted, map to principal.process.command_line. If event_simpleName is ProcessRollup2Stats, map to principal.process.command_line. If event_simpleName is RansomwareCreateFile, map to principal.process.command_line. If event_simpleName is ScreenshotTakenEtw, map to principal.process.command_line. If event_simpleName is ScriptControlDetectInfo, map to target.process.command_line. If event_simpleName is SuspiciousCreateSymbolicLink, map to principal.process.command_line. If event_simpleName is UACExeElevation, map to principal.process.command_line. If event_simpleName is WmiCreateProcess, map to principal.process.command_line. If event_simpleName is WmiFilterConsumerBindingEtw or WmiProviderRegistrationEtw, map to principal.process.command_line. If ExternalApiType is DetectionSummaryEvent, map to target.process.command_line. If event_simpleName is ReflectiveDllOpenProcess, map to principal.process.command_line. If GrandparentCommandLine is not defined, map to event.idm.read_only_udm.principal.process.parent_process.parent_process.command_line.
CommandHistory event.idm.read_only_udm.target.resource.attribute.labels[CommandHistory] Added as a key-value pair to the labels array.
CompanyName event.idm.read_only_udm.target.user.company_name Direct mapping.
ComputerName event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname If ComputerName is not empty or "-", map to principal.hostname and principal.asset.hostname.
ConfigBuild event.idm.read_only_udm.security_result.detection_fields[ConfigBuild] Added as a key-value pair to the detection_fields array.
ConfigStateHash event.idm.read_only_udm.security_result.detection_fields[ConfigStateHash] Added as a key-value pair to the detection_fields array.
ConfigStateUpdateV1 event.idm.read_only_udm.metadata.description Direct mapping.
ConnectionDirection _network_direction If 0, set _network_direction to OUTBOUND. If 1, set _network_direction to INBOUND. If 2, set _network_direction to NEITHER. If 3, set _network_direction to STATUS_UPDATE.
Continent event.idm.read_only_udm.additional.fields[Continent] Added as a key-value pair to the additional_fields array.
ContentSHA256HashData event.idm.read_only_udm.security_result.detection_fields[ContentSHA256HashData] Added as a key-value pair to the detection_fields array.
ContextProcessId event.idm.read_only_udm.principal.process.product_specific_process_id, event.idm.read_only_udm.target.process.product_specific_process_id If _aid_is_target is false, map to principal.process.product_specific_process_id. If _aid_is_target is true and LogonType is 3, map to target.process.product_specific_process_id.
ContextTimeStamp event.idm.read_only_udm.metadata.event_timestamp, event.idm.read_only_udm.security_result.detection_fields[ContextTimeStamp] The raw log field ContextTimeStamp is converted to a UDM timestamp and mapped to event_timestamp. Added as a key-value pair to the detection_fields array.
Country event.idm.read_only_udm.principal.location.country_or_region Direct mapping.
CreateServiceV3 event.idm.read_only_udm.metadata.description Direct mapping.
CreateThreadNoStartImageV12 event.idm.read_only_udm.metadata.description Direct mapping.
CrashNotificationV4 event.idm.read_only_udm.metadata.description Direct mapping.
CriticalFileAccessedLinV1 event.idm.read_only_udm.metadata.description Direct mapping.
CriticalFileModifiedMacV2 event.idm.read_only_udm.metadata.description Direct mapping.
CurrentSystemTagsV1 event.idm.read_only_udm.metadata.description Direct mapping.
DCSyncAttemptedV1 event.idm.read_only_udm.metadata.description Direct mapping.
DcName event.idm.read_only_udm.principal.user.userid The backslashes are removed from the DcName field.
DcOnlineV1 event.idm.read_only_udm.metadata.description Direct mapping.
DcStatusV1 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbConfigurationDescriptorV2 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbDeviceConnectedV2 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbDeviceDisconnectedV2 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbEndpointDescriptorV2 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbHIDDescriptorV2 event.idm.read_only_udm.metadata.description Direct mapping.
DcUsbInterfaceDescriptorV2 event.idm.read_only_udm.metadata.description Direct mapping.
DeepHashBlacklistClassificationV1 event.idm.read_only_udm.metadata.description Direct mapping.
DeliverLocalFXToCloudV2 event.idm.read_only_udm.metadata.description Direct mapping.
DeliverLocalFXToCloudV3 event.idm.read_only_udm.metadata.description Direct mapping.
DesiredAccess event.idm.read_only_udm.security_result.detection_fields[DesiredAccess] Added as a key-value pair to the detection_fields array.
DetectDescription event.idm.read_only_udm.security_result.description Direct mapping.
DetectId event.idm.read_only_udm.security_result.about.labels[DetectId] Added as a key-value pair to the labels array.
DetectName event.idm.read_only_udm.security_result.threat_name Direct mapping.
detectionId event.idm.read_only_udm.security_result.detection_fields[detectionId] Added as a key-value pair to the detection_fields array.
detectionName event.idm.read_only_udm.security_result.detection_fields[detectionName] Added as a key-value pair to the detection_fields array.
DeviceInstanceId event.idm.read_only_udm.target.asset_id Prefixed with "Device Instance Id: ".
DeviceManufacturer event.idm.read_only_udm.target.asset.hardware.manufacturer Direct mapping.
DeviceProduct event.idm.read_only_udm.target.asset.hardware.model Direct mapping.
DevicePropertyDeviceDescription event.idm.read_only_udm.target.asset.attribute.labels[Device Property Device Description] Added as a key-value pair to the labels array.
DevicePropertyLocationInformation event.idm.read_only_udm.target.asset.attribute.labels[Device Property Location Information] Added as a key-value pair to the labels array.
DeviceSerialNumber event.idm.read_only_udm.target.asset.hardware.serial_number Direct mapping.
DeviceTimeStamp event.idm.read_only_udm.metadata.event_timestamp The raw log field DeviceTimeStamp is converted to a UDM timestamp and mapped to event_timestamp.
DirectoryCreateMacV1 event.idm.read_only_udm.metadata.description Direct mapping.
DiskParentDeviceInstanceId event.idm.read_only_udm.target.resource.id Direct mapping.
DllInjectionV1 event.idm.read_only_udm.metadata.description Direct mapping.
DmpFileWrittenV11 event.idm.read_only_udm.metadata.description Direct mapping.
DomainName event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname If event_simpleName is DnsRequest or SuspiciousDnsRequest, map to target.hostname and target.asset.hostname.
DotnetModuleLoadDetectInfoV1 event.idm.read_only_udm.metadata.description Direct mapping.
DownloadServer `event.id

Changes

2024-06-06

  • Mapped "OriginalFilename" to "target.process.file.exif_info.original_file".

2024-05-31

  • Mapped "os_version" to "principal.platform_version".
  • Mapped "hostname" to "principal.hostname" and "principal.asset.hostname".
  • Mapped "product_type_desc", "host_hidden_status", "scores.os", "scores.sensor", "scores.version", "scores.overall", and "scores.modified_time" to "security_result.detection_fields".

2024-05-23

  • Mapped "Version" to "principal.platform_version".

2024-05-21

  • When "event_simpleName" is "FileWritten", "NetworkConnect", or "DnsRequest", then mapped "ContextBaseFileName" to "principal.process.file.full_path".
  • Mapped "QuarantinedFileName" to "principal.process.file.full_path".

2024-05-15

  • Mapped "Version", "BiosVersion" and "ChassisType" to "principal.asset.attribute.labels".
  • Mapped "Continent", "OU" and "SiteName" to "additional.fields".

2024-04-17

  • Mapped "ModuleILPath" to "target.resource.attribute.labels".

2024-04-08

  • Bug-Fix:
  • When "event_simpleName" is "ClassifiedModuleLoad", then changed "metadata.event_type" from "STATUS_UPDATE" to "PROCESS_MODULE_LOAD".

2024-02-21

  • Mapped "SubjectDN" to "security_result.about.artifact.last_https_certificate.subject".
  • Mapped "IssuerDN" to "security_result.about.artifact.last_https_certificate.issuer".
  • Mapped "SubjectCertValidTo" to "security_result.about.artifact.last_https_certificate.validity.issue_time"".
  • Mapped "SubjectCertValidFrom" to "security_result.about.artifact.last_https_certificate.validity.expiry_time".
  • Mapped "SubjectSerialNumber" to "security_result.about.artifact.last_https_certificate.serial_number".
  • Mapped "SubjectVersion" to "security_result.about.artifact.last_https_certificate.version".
  • Mapped "SubjectCertThumbprint" to "security_result.about.artifact.last_https_certificate.thumbprint".
  • Mapped "SignatureDigestAlg" to "security_result.about.artifact.last_https_certificate.signature_algorithm".
  • Mapped "SignatureDigestEncryptAlg" to "security_result.about.artifact.last_https_certificate.cert_signature.signature_algorithm".
  • Mapped "AuthenticodeHashData" to "target.file.authentihash".
  • Mapped "AuthorityKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
  • Mapped "SubjectKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.subject_key_id" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
  • Mapped "OriginalFilename" to "additional.fields".
  • Mapped "SignInfoFlagUnknownError", "SignInfoFlagHasValidSignature", "SignInfoFlagSignHashMismatch",
  • "AuthenticodeMatch", "SignInfoFlagMicrosoftSigned", "SignInfoFlagNoSignature", "SignInfoFlagInvalidSignChain",
  • "SignInfoFlagNoCodeKeyUsage", "SignInfoFlagNoEmbeddedCert", "SignInfoFlagThirdPartyRoot",
  • "SignInfoFlagCatalogSigned", "SignInfoFlagSelfSigned", "SignInfoFlagFailedCertCheck",
  • "SignInfoFlagEmbeddedSigned", "IssuerCN", "SubjectCN" to "security_result.detection_fields".

2023-12-22

  • Mapped "HostUrl" to "target.url".
  • Mapped "ReferrerUrl" to "network.http.referral_url".

2023-11-23

  • When "is_alert" is set to "true", then mapped "event.idm.is_significant" to "true".
  • When "is_alert" is set to "true", then mapped "event_simpleName" to "security_result.summary".

2023-10-11

  • Added a regular expression check to validate SHA-1, MD5 and SHA256 values.

2023-08-22

  • Mapped "Technique" to "security_result.attack_details.techniques.name" and corresponding technique and tactic details.

2023-08-03

  • Mapped "ReflectiveDllName" to "target.file.full_path".
  • Mapped "event_type" to "STATUS_UPDATE" for logs where the field "DomainName" is absent.

2023-08-01

  • Mapped "Tactic" to "security_result.attack_details.tactics.name" and corresponding tactics.id.

2023-07-31

  • Bug-Fix-
  • Added "on_error" check for date filter.

2023-06-19

  • Mapped "ParentBaseFileName" to "principal.process.file.full_path".
  • Removed mapping of "ImageFileName" to "target.file.full_path" as it is already mapped to "target.process.file.full_path" for events "ProcessRollup2" and "SyntheticProcessRollup2".

2023-05-12

  • Enhancement -
  • Mapped 'aip' to 'intermediary.ip'.

2023-05-08

  • Bugfix - Convert time formats to string and handled nanoseconds time format.

2023-04-14

  • Enhancement - Modified "Severity" value of range [0-19] to "security_result.severity" as "INFORMATIONAL".
  • Modified "Severity" value of range [20-39] to "security_result.severity" as "LOW".
  • Modified "Severity" value of range [40-59] to "security_result.severity" as "MEDIUM".
  • Modified "Severity" value of range[60-79] to "security_result.severity" as "HIGH".
  • Modified "Severity" value of range[80-100] to "security_result.severity" as "CRITICAL".
  • Mapped "PatternId" to "security_result.detection_fields".
  • Mapped "SourceEndpointIpAddress" to "principal.ip".
  • Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ userlogonfailed" and user information not present.
  • Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "ExternalApiType = "Event_UserActivityAuditEvent"" and has user information.
  • Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ "ActiveDirectory".
  • Mapped "TargetAccountObjectGuid" to "additional.fields".
  • Mapped "TargetDomainControllerObjectGuid" to "additional.fields".
  • Mapped "TargetDomainControllerObjectSid" to "additional.fields".
  • Mapped "AggregationActivityCount" to "additional.fields".
  • Mapped "TargetServiceAccessIdentifier" to "additional.fields".
  • Mapped "SourceAccountUserPrincipal" to "principal.user.userid".
  • Mapped "SourceEndpointAddressIP4" to "principal.ip".
  • Mapped "SourceAccountObjectGuid" to "additional.fields".
  • Mapped "AccountDomain" to "principal.administrative_domain".
  • Mapped "AccountObjectGuid" to "metadata.product_log_id".
  • Mapped "AccountObjectSid" to "principal.user.windows_sid".
  • Mapped "SamAccountName" to "principal.user.user_display_name".
  • Mapped "SourceAccountSamAccountName" to "principal.user.user_display_name".
  • Mapped "IOARuleGroupName" to "security_result.detection_fields".
  • Mapped "IOARuleName" to "security_result.detection_fields".
  • Mapped "RemoteAddressIP4" to "target.ip" for "event_simpleName"="RegCredAccessDetectInfo".

2023-03-24

  • Mapped "ID" to "metadata.product_log_id" instead of "target.resource.id".
  • Mapped "RegBinaryValue" to "target.registry.registry_value_data" if both "RegNumericValue" and "RegStringValue" are null.

2023-03-21

  • Enhancement -
  • Mapped "BatchTimestamp", "GcpCreationTimestamp", "K8SCreationTimestamp", "AwsCreationTimestamp" to "metadata.event_timestamp".
  • Mapped "FileOperatorSid"to "target.user.windows_sid".

2023-03-13

  • Enhancement -
  • Mapped "LogonTime", "ProcessStartTime", "ContextTimeStamp", "ContextTimeStamp_decimal", and "AccountCreationTimeStamp" to "metadata.event_timestamp".

2023-03-10

  • Enhancement -
  • Mapped "CallStackModuleNamesVersion","CallStackModuleNamesVersion" to security_result.detection_fields.

2023-02-28

  • Enhancement - Modified the following mappings for field "ParentProcessId" when "event_simpleName" is in ["ProcessRollup2", "SyntheticProcessRollup2"]
  • "target.process.parent_process.pid" modified to "target.process.parent_process.product_specific_process_id"

2023-02-16

  • Enhancement -
  • Mapped the field "AssociatedFile" to "security_result.detection_fields[n].value" and the "security_result.detection_fields[n].key" is mapped to "AssociatedIOCFile".

2023-02-09

  • Enhancement -
  • Mapped "RegNumericValue" to "target.registry.registry_value_data".
  • Mapped "ManagedPdbBuildPath" to "target.labels".

2023-02-09

  • Enhancement
  • Remapped the fields getting mapped under "target.labels" to "target.resource.attribute.labels".
  • Rectified the mapping for "ManagedPdbBuildPath" to "target.resource.attribute.labels".

2023-01-15

  • BugFix -
  • Remapped "aid" for "UserLogonFailed" event to "target.asset_id" from "principal.asset_id".

2023-01-13

  • Enhancement -
  • Added mapping for "Severity", mapping it to "security_result.severity".

2023-01-13

  • Enhancement -
  • User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
  • "AssemblyName","ManagedPdbBuildPath","ModuleILPath" mapped to "target.labels" when metadata.product_event_type = "ReflectiveDotnetModuleLoad"
  • "VirtualDriveFileName","VolumeName" mapped to "target.labels" when metadata.product_event_type = "RemovableMediaVolumeMounted"
  • "ImageFileName" mapped to "target.file.full_path" when metadata.product_event_type = "ClassifiedModuleLoad"

2023-01-02

  • Enhancement -
  • User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".

2022-12-22

  • Enhancement -
  • Mapped "RemoteAddressIP4" to "principal.ip" for "event_type"="Userlogonfailed2"

2022-11-04

  • Enhancement -
  • Mapped "GrandparentImageFileName" to "principal.process.parent_process.parent_process.file.full_path".
  • Mapped "GrandparentCommandLine" to "principal.process.parent_process.parent_process.commamdLine"

2022-11-03

  • Bug -
  • When "event_simpleName" is "InstalledApplication" then following parameters are mapped.
  • Mapped "AppName" to "principal.asset.software.name".
  • Mapped "AppVersion" to "principal.asset.software.version".

2022-10-12

  • Bug -
  • Mapped "discoverer_aid" to "resource.attribute.labels".
  • Mapped "NeighborName" to "intermediary.hostname".
  • Mapped "subnet" to "additional.fields".
  • Mapped "localipCount" to "additional.fields".
  • Mapped "aipCount" to "additional.fields".
  • Added conditional check for "LogonServer"

2022-10-07

  • Bug-Fix:
  • Changed "CommandLine" mapping from "principal.process.command_line" to "target.process.command_line".

2022-09-13

  • Fix:
  • Mapped metadata.event_type to REGISTRY_CREATION where RegOperationType is "3".
  • Mapped event_type to REGISTRY_DELETION where RegOperationType is "4" or "102".
  • Mapped event_type to REGISTRY_MODIFICATION where RegOperationType is "5","7","9","101" or "1".
  • Mapped event_type to REGISTRY_UNCATEGORIZED where RegOperationType is not null and not in all the preceding cases.

2022-09-02

  • Define field "UserPrincipal" in the statedata.

2022-08-21

  • Mapped "ActivityId" to "additional.fields".
  • Mapped "SourceEndpointHostName" to "principal.hostname".
  • Mapped "SourceAccountObjectSid" to "principal.user.windows_sid".
  • Added condition to parse "LocalAddressIP4" and "aip".
  • Mapped "metadata.event_type" to "STATUS_UPDATE" where "ComputerName" and "LocalAddressIP4" is not null.
  • Mapped "SourceEndpointAccountObjectGuid" to "metadata.product_log_id".
  • Mapped "SourceEndpointAccountObjectSid" to "target.user.windows_sid".
  • Mapped "SourceEndpointHostName" to "principal.hostname".

2022-08-18

  • Fix:
  • Mapped the following fields:
  • "event.PatternDispositionValue" to "security_result.about.labels".
  • "event.ProcessId" to "principal.process.product_specific_process_id".
  • "event.ParentProcessId" to "target.process.parent_process.pid".
  • "event.ProcessStartTime" to "security_result.detection_fields".
  • "event.ProcessEndTime" to "security_result.detection_fields".
  • "event.ComputerName" to "principal.hostname".
  • "event.UserName" to "principal.user.userid".
  • "event.DetectName" to "security_result.threat_name".
  • "event.DetectDescription" to "security_result.description".
  • "event.SeverityName" to "security_result.severity".
  • "event.FileName" to "target.file.full_path".
  • "event.FilePath" to "target.file.full_path".
  • "event.CommandLine" to "principal.process.command_line".
  • "event.SHA256String" to "target.file.sha256".
  • "event.MD5String" to "security_result.about.file.md5".
  • "event.MachineDomain" to "principal.administrative_domain".
  • "event.FalconHostLink" to "intermediary.url".
  • "event.LocalIP" to "principal.ip".
  • "event.MACAddress" to "principal.mac".
  • "event.Tactic" to "security_result.detection_fields".
  • "event.Technique" to "security_result.detection_fields".
  • "event.Objective" to "security_result.rule_name".
  • "event.PatternDispositionDescription" to "security_result.summary".
  • "event.ParentImageFileName" to "principal.process.parent_process.file.full_path".
  • "event.ParentCommandLine" to "principal.process.parent_process.command_line".

2022-08-30

  • Buganized Ids: 243245623
  • Enahancement:
  • Defined the field "UserPrincipal" in the statedata.

2022-07-29

  • Mapped "event_category,event_module,Hmac" to "additional.fields".
  • Mapped "user_name" to "principal.user.userid".
  • Mapped "event_source" to "target.application".
  • Added grok for "auth_group and new logs".
  • Added check for "principal_ip,target_ip and event_type".

2022-07-25

  • Bug-Fix:

  • Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where "eventType" is "K8SDetectionEvent"

  • Mapped "metadata.event_type" to "STATUS_UPDATE" where "metadata.event_type" is null and "principal.asset_id" is not null.

  • Mapped "SourceAccountDomain" to "principal.administrative_domain"

  • Mapped "SourceAccountName" to "principal.user.userid"

  • Mapped "metadata.event_type" to "STATUS_UPDATE" where "EventType" is "Event_ExternalApiEvent" and "OperationName" in ["quarantined_file_update", "detection_update", "update_rule"]

  • Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where Path is null and FileName is null or AgentIdString is null.

  • Mapped "metadata.event_type" to "STATUS_UPDATE" where Protocol is null.

  • Added conditional check for MD5String,SHA256String,CommandLine,AgentIdString,ProcessId,ParentProcessId,FilePath,FileName.

2022-07-12

  • for event_simpleName - DriverLoad,ProcessRollup,PeVersionInfo,PeFileWritten,TemplateDetectAnalysis,ScriptControlDetectInfo.
  • Mapped OriginalFilename to principal.process.file.full_path

2022-06-14

  • Mapped "CompanyName" to "target.user.company_name"
  • Mapped "AccountType" to "target.user.role_description"
  • Mapped "ProductVersion" to "metadata.product_version"
  • Mapped "LogonInfo" to "principal.ip"
  • Mapped "MAC" to "principal.mac"
  • Mapped "UserSid_readable" to "target.user.windows_sid"
  • Mapped "FileName" to "target.file.full_path"
  • Mapped "_time" to "metadata.event_timestamp"
  • Added Conditional check for "MD5HashData", "SHA256HashData", "UserName", "ID", "RegObjectName", "RegStringValue", "RegValueName", "UserSid", "TargetFileName", "aid"

2022-06-20

  • Mapped "ConfigBuild" to "security_result.detection_fields".
  • Mapped "EffectiveTransmissionClass" to "security_result.detection_fields".
  • Mapped "Entitlements" to "security_result.detection_fields".

2022-06-02

  • Bug-Fix: Removed key name and colon character from "security_result.detection_fields.value".

2022-05-27

  • Enhancement - Additional mapping: SHA256String and MD5String to security_result.about.file to show up as Alert event.

2022-05-20

  • Mapped "LinkName" to "target.resource.attribute.labels".
  • Switched possible "GENERIC_EVENTS" occurrences to "STATUS_UPDATE".
  • Added Backslash between the process and its parent root directory.
  • Parsed platform if the "event_platform" is iOS.
  • Changed resource.type to resource_type.

2022-05-12

  • Enhancement - resourceName mapped to target.resource.name
  • resourceId mapped to target.resource.product_object_id
  • Namespace mapped to target.namespace
  • Category mapped to security_result.category_details
  • description mapped to security_result.description
  • sourceAgent mapped to network.http.user_agent
  • Severity mapped to security_result.severity
  • resourceKind mapped to target.resource.type
  • detectionName mapped to target.resource.name
  • clusterName mapped to target.resource.attribute.labels
  • clusterId mapped to target.resource.attribute.labels
  • detectionId mapped to target.resource.attribute.labels
  • Type mapped to additional.fields
  • Remediation to additional.fields
  • Benchmarks to additional.fields
  • badResources to additional.fields

2022-04-27

  • Bug - Fix: 1. Changed udm event_type from GENERIC_EVENT to USER_LOGIN for logs with ExternalApiType = Event_AuthActivityAuditEvent.
  • 2. Changed mappings for target_user,actor_user, actor_user_uuid from additional.fields to target.user.email_addresses, target.user.user_display_name, target.user.userid respectively.

2022-04-25

  • Enhancement - Mapped "RemoteAddressIP4" to principal.ip.

2022-04-14

  • Bug - Added Support for ScriptContent field for all type of logs

2022-04-13

  • Enhancement-Added mappings for new fields
  • Added new event mappings - AuthenticationPackage mapped to target.resource.name

2022-04-04

  • Bug - Mapped "OriginatingURL" to principal.url for NetworkConnect events.