Collect SentinelOne Deep Visibility logs
This document explains how to export SentinelOne Deep Visibility logs to Google Security Operations using Cloud Funnel for exporting logs to Google Cloud Storage. The parser transforms raw JSON formatted security event logs into a structured format conforming to the UDM. It first initializes a set of variables, then extracts the event type and parses the JSON payload, mapping relevant fields to the UDM schema while handling Windows event logs separately.
Before You Begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to Google Cloud.
- Ensure that SentinelOne Deep Visibility is set up in your environment.
- Ensure that you have privileged access to SentinelOne.
Create a Google Cloud Storage Bucket
- Sign in to the Google Cloud console.
Go to the Cloud Storage Buckets page.
Click Create.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
In the Get started section, do the following:
- Enter a unique name that meets the bucket name requirements; for example, sentinelone-deepvisibility.
To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
To add a bucket label, click the expander arrow to expand the Labels section.
Click Add label, and specify a key and a value for your label.
In the Choose where to store your data section, do the following:
- Select a Location type.
Use the location type menu to select a Location where object data within your bucket will be permanently stored.
To set up cross-bucket replication, expand the Set up cross-bucket replication section.
In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.
In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.
In the Choose how to protect object data section, do the following:
- Select any of the options under Data protection that you want to set for your bucket.
- To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Click Create.
Create a Google Cloud Service Account
- Go to IAM & Admin > Service Accounts.
- Create a new service account.
- Give it a descriptive name; for example, sentinelone-dv-logs.
- Grant the service account with Storage Object Creator role on the Cloud Storage bucket you created in the previous step.
- Create an SSH key for the service account.
- Download a JSON key file for the service account. Keep this file secure.
Configure Cloud Funnel in SentinelOne DeepVisibility
- Sign in to the SentinelOne DeepVisibility.
- Click Configure > Policy & Settings.
- In the Singularity Data Lake section, click Cloud Funnel.
- Provide the following configuration details:
- Cloud Provider: select Google Cloud.
- Bucket Name: enter the name of the Cloud Storage bucket that you created for SentinelOne DeepVisibility log ingestion.
- Telemetry Streaming: select Enable.
- Query Filters: create a query that includes the agents that need to send data to a Cloud Storage bucket.
- Click Validate.
- Fields to include: select all fields.
- Click Save.
Configure a feed in Google SecOps to ingest SentinelOne Deep Visibility logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed; for example, SentinelOne DV Logs.
- Select Google Cloud Storage as the Source type.
- Select SentinelOne Deep Visibility as the Log type.
- Click Get Service Account as the Chronicle Service Account.
- Click Next.
Specify values for the following input parameters:
- Storage Bucket URI: Google Cloud Storage bucket URL in
gs://my-bucket/<value>
format. - URI Is A: select Directory which includes subdirectories.
Source deletion options: select the deletion option according to your preference.
Asset namespace: the asset namespace.
Ingestion labels: the label applied to the events from this feed.
- Storage Bucket URI: Google Cloud Storage bucket URL in
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
Log field | UDM mapping | Logic |
---|---|---|
AdapterName | security_result.about.resource.attribute.labels.value | The value is taken from the 'AdapterName' field in the raw log. |
AdapterSuffixName | security_result.about.resource.attribute.labels.value | The value is taken from the 'AdapterSuffixName' field in the raw log. |
agent_version | read_only_udm.metadata.product_version | The value is taken from the 'meta.agent_version' field in the raw log. |
Channel | security_result.about.resource.attribute.labels.value | The value is taken from the 'Channel' field in the raw log. |
commandLine | read_only_udm.principal.process.command_line | The value is taken from the 'event.Event. |
computer_name | read_only_udm.principal.hostname | The value is taken from the 'meta.computer_name' field in the raw log. |
destinationAddress.address | read_only_udm.target.ip | The value is taken from the 'event.Event.Tcpv4.destinationAddress.address' field in the raw log. |
destinationAddress.port | read_only_udm.target.port | The value is taken from the 'event.Event.Tcpv4.destinationAddress.port' field in the raw log. |
DnsServerList | read_only_udm.principal.ip | The value is taken from the 'DnsServerList' field in the raw log. |
ErrorCode_new | security_result.detection_fields.value | The value is taken from the 'ErrorCode_new' field in the raw log. |
EventID | security_result.about.resource.attribute.labels.value | The value is taken from the 'EventID' field in the raw log. |
event.Event.Dns.query | read_only_udm.network.dns.questions.name | The value is taken from the 'event.Event.Dns.query' field in the raw log. |
event.Event.Dns.results | read_only_udm.network.dns.answers.data | The value is taken from the 'event.Event.Dns.results' field in the raw log. |
event.Event.Dns.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.Dns.source.fullPid.pid' field in the raw log. |
event.Event.Dns.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Dns.source.user.name' field in the raw log. |
event.Event.FileCreation.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.FileCreation.source.fullPid.pid' field in the raw log. |
event.Event.FileCreation.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileCreation.source.user.name' field in the raw log. |
event.Event.FileCreation.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileCreation.targetFile.path' field in the raw log. |
event.Event.FileDeletion.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.FileDeletion.source.fullPid.pid' field in the raw log. |
event.Event.FileDeletion.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileDeletion.source.user.name' field in the raw log. |
event.Event.FileDeletion.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileDeletion.targetFile.path' field in the raw log. |
event.Event.FileModification.file.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileModification.file.path' field in the raw log. |
event.Event.FileModification.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileModification.source.user.name' field in the raw log. |
event.Event.FileModification.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileModification.targetFile.path' field in the raw log. |
event.Event.Http.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Http.source.user.name' field in the raw log. |
event.Event.Http.url | read_only_udm.target.url | The value is taken from the 'event.Event.Http.url' field in the raw log. |
event.Event.ProcessCreation.process.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessCreation.process.user.name' field in the raw log. |
event.Event.ProcessCreation.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessCreation.source.user.name' field in the raw log. |
event.Event.ProcessExit.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessExit.source.user.name' field in the raw log. |
event.Event.ProcessTermination.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessTermination.source.user.name' field in the raw log. |
event.Event.RegKeyCreate.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.RegKeyCreate.source.fullPid.pid' field in the raw log. |
event.Event.RegKeyCreate.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegKeyCreate.source.user.name' field in the raw log. |
event.Event.RegKeyDelete.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegKeyDelete.source.user.name' field in the raw log. |
event.Event.RegValueModified.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegValueModified.source.user.name' field in the raw log. |
event.Event.SchedTaskDelete.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskDelete.source.user.name' field in the raw log. |
event.Event.SchedTaskRegister.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskRegister.source.user.name' field in the raw log. |
event.Event.SchedTaskStart.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskStart.source.user.name' field in the raw log. |
event.Event.SchedTaskTrigger.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.SchedTaskTrigger.source.fullPid.pid' field in the raw log. |
event.Event.SchedTaskTrigger.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskTrigger.source.user.name' field in the raw log. |
event.Event.Tcpv4.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.Tcpv4.source.fullPid.pid' field in the raw log. |
event.Event.Tcpv4.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Tcpv4.source.user.name' field in the raw log. |
event.Event.Tcpv4Listen.local.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4Listen.local.address' field in the raw log. |
event.timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.seconds | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to seconds. |
event.timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.nanos | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to nanoseconds. |
event.timestamp.millisecondsSinceEpoch | security_result.about.resource.attribute.labels.value | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log and used as the value for a label in the security_result.about.resource.attribute.labels array. |
event_type | read_only_udm.metadata.product_event_type | The value is extracted from the 'message' field in the raw log using a grok pattern. |
executable.hashes.md5 | read_only_udm.principal.process.file.md5 | The value is taken from the 'event.Event. |
executable.hashes.sha1 | read_only_udm.principal.process.file.sha1 | The value is taken from the 'event.Event. |
executable.hashes.sha256 | read_only_udm.principal.process.file.sha256 | The value is taken from the 'event.Event. |
executable.path | read_only_udm.principal.process.file.full_path | The value is taken from the 'event.Event. |
executable.sizeBytes | read_only_udm.principal.process.file.size | The value is taken from the 'event.Event. |
fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event. |
hashes.md5 | read_only_udm.target.file.md5 | The value is taken from the 'event.Event.ProcessCreation.hashes.md5' field in the raw log. |
hashes.sha1 | read_only_udm.target.file.sha1 | The value is taken from the 'event.Event.ProcessCreation.hashes.sha1' field in the raw log. |
hashes.sha256 | read_only_udm.target.file.sha256 | The value is taken from the 'event.Event.ProcessCreation.hashes.sha256' field in the raw log. |
IpAddress | read_only_udm.target.ip | The value is taken from the 'IpAddress' field in the raw log. |
local.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4Listen.local.address' field in the raw log. |
local.port | read_only_udm.principal.port | The value is taken from the 'event.Event.Tcpv4Listen.local.port' field in the raw log. |
log_type | read_only_udm.metadata.log_type | The value is taken from the 'log_type' field in the raw log. |
meta.agent_version | read_only_udm.metadata.product_version | The value is taken from the 'meta.agent_version' field in the raw log. |
meta.computer_name | read_only_udm.principal.hostname | The value is taken from the 'meta.computer_name' field in the raw log. |
meta.os_family | read_only_udm.principal.platform | The value is taken from the 'meta.os_family' field in the raw log and mapped to the corresponding platform (e.g., windows to WINDOWS, osx to MAC, linux to LINUX). |
meta.os_name | read_only_udm.principal.platform_version | The value is taken from the 'meta.os_name' field in the raw log. |
meta.os_revision | read_only_udm.principal.platform_patch_level | The value is taken from the 'meta.os_revision' field in the raw log. |
meta.uuid | read_only_udm.principal.asset_id | The value is taken from the 'meta.uuid' field in the raw log and prepended with SENTINELONE: . |
name | read_only_udm.principal.application | The value is taken from the 'event.Event. |
parent.executable.hashes.md5 | read_only_udm.target.process.parent_process.file.md5 | The value is taken from the 'event.Event. |
parent.executable.hashes.sha1 | read_only_udm.target.process.parent_process.file.sha1 | The value is taken from the 'event.Event. |
parent.executable.hashes.sha256 | read_only_udm.target.process.parent_process.file.sha256 | The value is taken from the 'event.Event. |
parent.executable.path | read_only_udm.target.process.parent_process.file.full_path | The value is taken from the 'event.Event. |
parent.fullPid.pid | read_only_udm.target.process.parent_process.pid | The value is taken from the 'event.Event. |
path | read_only_udm.principal.process.file.full_path | The value is taken from the 'event.Event. |
process.commandLine | read_only_udm.target.process.command_line | The value is taken from the 'event.Event.ProcessCreation.process.commandLine' field in the raw log. |
process.fullPid.pid | read_only_udm.target.process.pid | The value is taken from the 'event.Event.ProcessCreation.process.fullPid.pid' field in the raw log. |
process.parent.fullPid.pid | read_only_udm.target.process.parent_process.pid | The value is taken from the 'event.Event.ProcessCreation.process.parent.fullPid.pid' field in the raw log. |
ProviderGuid | security_result.about.resource.attribute.labels.value | The value is taken from the 'ProviderGuid' field in the raw log, with curly braces removed. |
query | read_only_udm.network.dns.questions.name | The value is taken from the 'event.Event.Dns.query' field in the raw log. |
RecordNumber | security_result.about.resource.attribute.labels.value | The value is taken from the 'RecordNumber' field in the raw log. |
regKey.path | read_only_udm.target.registry.registry_key | The value is taken from the 'event.Event.RegKeyCreate.regKey.path' or 'event.Event.RegKeyDelete.regKey.path' field in the raw log. |
regValue.path | read_only_udm.target.registry.registry_key | The value is taken from the 'event.Event.RegValueDelete.regValue.path' or 'event.Event.RegValueModified.regValue.path' field in the raw log. |
results | read_only_udm.network.dns.answers.data | The value is taken from the 'event.Event.Dns.results' field in the raw log. |
Sent UpdateServer | intermediary.hostname | The value is taken from the 'Sent UpdateServer' field in the raw log. |
seq_id | This field is not directly mapped to the UDM. | |
signature.Status.Signed.identity | This field is not directly mapped to the UDM. | |
sizeBytes | read_only_udm.principal.process.file.size | The value is taken from the 'event.Event. |
sourceAddress.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4.sourceAddress.address' field in the raw log. |
sourceAddress.port | read_only_udm.principal.port | The value is taken from the 'event.Event.Tcpv4.sourceAddress.port' field in the raw log. |
SourceName | security_result.about.resource.attribute.labels.value | The value is taken from the 'SourceName' field in the raw log. |
status | This field is not directly mapped to the UDM. | |
taskName | read_only_udm.target.resource.name | The value is taken from the 'event.Event.SchedTaskStart.taskName', 'event.Event.SchedTaskTrigger.taskName', or 'event.Event.SchedTaskDelete.taskName' field in the raw log. |
targetFile.hashes.md5 | read_only_udm.target.file.md5 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.md5' or 'event.Event.SchedTaskStart.targetFile.hashes.md5' field in the raw log. |
targetFile.hashes.sha1 | read_only_udm.target.file.sha1 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.sha1' or 'event.Event.SchedTaskStart.targetFile.hashes.sha1' field in the raw log. |
targetFile.hashes.sha256 | read_only_udm.target.file.sha256 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.sha256' or 'event.Event.SchedTaskStart.targetFile.hashes.sha256' field in the raw log. |
targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileDeletion.targetFile.path' or 'event.Event.SchedTaskStart.targetFile.path' field in the raw log. |
Task | security_result.about.resource.attribute.labels.value | The value is taken from the 'Task' field in the raw log. |
timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.seconds | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to seconds. |
timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.nanos | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to nanoseconds. |
trace_id | This field is not directly mapped to the UDM. | |
triggerType | This field is not directly mapped to the UDM. | |
trueContext | This field is not directly mapped to the UDM. | |
trueContext.key | This field is not directly mapped to the UDM. | |
trueContext.key.value | This field is not directly mapped to the UDM. | |
type | read_only_udm.network.dns.answers.type | The value is taken from the 'event.Event.Dns.results' field in the raw log and extracted using a regular expression. |
url | read_only_udm.target.url | The value is taken from the 'event.Event.Http.url' field in the raw log. |
user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event. |
user.sid | read_only_udm.principal.user.windows_sid | The value is taken from the 'event.Event. |
UserID | read_only_udm.target.user.windows_sid | The value is taken from the 'UserID' field in the raw log, only if it matches the Windows SID pattern. |
UserSid | read_only_udm.target.user.windows_sid | The value is taken from the 'UserSid' field in the raw log, only if it matches the Windows SID pattern. |
valueType | This field is not directly mapped to the UDM. | |
winEventLog.channel | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.channel' field in the raw log. |
winEventLog.description | This field is not directly mapped to the UDM. | |
winEventLog.id | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.id' field in the raw log. |
winEventLog.level | security_result.severity | The value is taken from the 'winEventLog.level' field in the raw log and mapped to the corresponding severity level (e.g., Warning to MEDIUM). |
winEventLog.providerName | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.providerName' field in the raw log. |
winEventLog.xml | This field is not directly mapped to the UDM. | |
read_only_udm.metadata.event_type | The value is determined based on the 'event_type' field and mapped to the corresponding UDM event type. | |
read_only_udm.metadata.vendor_name | The value is set to SentinelOne . |
|
read_only_udm.metadata.product_name | The value is set to Deep Visibility . |
|
read_only_udm.metadata.product_log_id | The value is taken from the 'trace.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.metadata.product_deployment_id | The value is taken from the 'account.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.metadata.url_back_to_product | The value is taken from the 'mgmt.url' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.metadata.ingestion_labels.key | The value is set to Process eUserUid or Process lUserUid for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.metadata.ingestion_labels.value | The value is taken from the 'src.process.eUserUid' or 'src.process.lUserUid' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.principal.administrative_domain | The domain portion of the 'event.Event. |
|
read_only_udm.target.process.parent_process.command_line | The value is taken from the 'event.Event. |
|
read_only_udm.target.file | An empty object is created if the 'event_type' is not FileCreation , FileDeletion , FileModification , SchedTaskStart , or ProcessCreation . |
|
read_only_udm.network.ip_protocol | The value is set to TCP for events with 'event_type' equal to Tcpv4 , Tcpv4Listen , or Http . |
|
read_only_udm.network.application_protocol | The value is set to DNS for events with 'event_type' equal to Dns . |
|
read_only_udm.target.resource.type | The value is set to TASK for events with 'event_type' equal to SchedTaskStart , SchedTaskTrigger , or SchedTaskDelete . |
|
read_only_udm.target.resource.resource_type | The value is set to TASK for events with 'event_type' equal to SchedTaskStart , SchedTaskTrigger , or SchedTaskDelete . |
|
read_only_udm.principal.process.product_specific_process_id | The value is set to ExecutionThreadID:<ExecutionThreadID> if the 'ExecutionThreadID' field is present in the raw log. |
|
read_only_udm.principal.asset.asset_id | The value is set to Device ID:<agent.uuid> if the 'agent.uuid' field is present in the raw log. |
|
read_only_udm.principal.namespace | The value is taken from the 'site.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.principal.location.name | The value is taken from the 'site.name' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.principal.resource.attribute.labels.key | The value is set to src.process.displayName , src.process.uid , isRedirectCmdProcessor , isNative64Bit , isStorylineRoot , signedStatus , src process subsystem , src process integrityLevel , or childProcCount for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.principal.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.target.user.userid | The value is taken from the 'tgt.process.uid' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.target.user.user_display_name | The value is taken from the 'tgt.process.displayName' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.target.resource.attribute.labels.key | The value is set to isRedirectCmdProcessor , isNative64Bit , isStorylineRoot , signedStatus , file_isSigned , tgt process subsystem , or tgt process integrityLevel for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.target.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.security_result.about.resource.attribute.labels.key | The value is set to tgt.process.storyline.id , endpoint_type , packet_id , src.process.storyline.id , or src.process.parent.storyline.id for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.security_result.about.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log and prepended with ID: for storyline IDs, only for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.security_result.category_details | The value is set to security for events with 'meta.event.name' equal to PROCESSCREATION . |
|
read_only_udm.target.asset.product_object_id | The value is taken from the 'AdapterName' field in the raw log, only for events with 'meta.event.name' equal to EVENTLOG . |
|
security_result.about.resource.attribute.labels.key | The value is set to TimeCreated SystemTime , EventID , Task , Channel , ProviderGuid , RecordNumber , SourceName , endpoint_type , or packet_id for events with 'meta.event.name' equal to EVENTLOG . |
|
security_result.detection_fields.key | The value is set to Activity ID for events with 'meta.event.name' equal to EVENTLOG and a non-empty 'ActivityID' field. |
|
security_result.detection_fields.value | The value is taken from the 'ActivityID' field in the raw log, only for events with 'meta.event.name' equal to EVENTLOG and a non-empty 'ActivityID' field. |
Changes
2023-09-06
Enhancement:
- Modified mapping of
tgt.process.storyline.id
fromtarget.process.product_specific_process_id
tosecurity_result.about.resource.attribute.labels
. - Modified mapping of
src.process.storyline.id
fromprincipal.process.product_specific_process_id
tosecurity_result.about.resource.attribute.labels
. - Modified mapping of
src.process.parent.storyline.id
fromprincipal.parent.process.product_specific_process_id
tosecurity_result.about.resource.attribute.labels
.
2023-07-31
Enhancement:
- Handled logs containing
XML
data.
2023-04-09
Enhancement:
- If
event.type
isProcess Creation
mappedmetadata.event_type
toPROCESS_LAUNCH
. - If
event.type
isDuplicate Process Handle
mappedmetadata.event_type
toPROCESS_OPEN
. - If
event.type
isDuplicate Thread Handle
mappedmetadata.event_type
toPROCESS_OPEN
. - If
event.type
isOpen Remote Process Handle
mappedmetadata.event_type
toPROCESS_OPEN
. - If
event.type
isRemote Thread Creation
mappedmetadata.event_type
toPROCESS_LAUNCH
. - If
event.type
isCommand Script
mappedmetadata.event_type
toFILE_UNCATEGORIZED
. - If
event.type
isIP Connect
mappedmetadata.event_type
toNETWORK_CONNECTION
. - If
event.type
isIP Listen
mappedmetadata.event_type
toNETWORK_UNCATEGORIZED
. - If
event.type
isFile ModIfication
mappedmetadata.event_type
toFILE_MODIfICATION
. - If
event.type
isFile Creation
mappedmetadata.event_type
toFILE_CREATION
. - If
event.type
isFile Scan
mappedmetadata.event_type
toFILE_UNCATEGORIZED
. - If
event.type
isFile Deletion
mappedmetadata.event_type
toFILE_DELETION
. - If
event.type
isFile Rename
mappedmetadata.event_type
toFILE_MODIfICATION
. - If
event.type
isPre Execution Detection
mappedmetadata.event_type
toFILE_UNCATEGORIZED
. - If
event.type
isLogin
mappedmetadata.event_type
toUSER_LOGIN
. - If
event.type
isLogout
mappedmetadata.event_type
toUSER_LOGOUT
. - If
event.type
isGET
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isOPTIONS
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isPOST
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isPUT
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isDELETE
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isCONNECT
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isHEAD
mappedmetadata.event_type
toNETWORK_HTTP
. - If
event.type
isNot Reported
mappedmetadata.event_type
toSTATUS_UNCATEGORIZED
. - If
event.type
isDNS Resolved
mappedmetadata.event_type
toNETWORK_DNS
. - If
event.type
isDNS Unresolved
mappedmetadata.event_type
toNETWORK_DNS
. - If
event.type
isTask Register
mappedmetadata.event_type
toSCHEDULED_TASK_CREATION
. - If
event.type
isTask Update
mappedmetadata.event_type
toSCHEDULED_TASK_MODIfICATION
. - If
event.type
isTask Start
mappedmetadata.event_type
toSCHEDULED_TASK_UNCATEGORIZED
. - If
event.type
isTask Trigger
mappedmetadata.event_type
toSCHEDULED_TASK_UNCATEGORIZED
. - If
event.type
isTask Delete
mappedmetadata.event_type
toSCHEDULED_TASK_DELETION
. - If
event.type
isRegistry Key Create
mappedmetadata.event_type
toREGISTRY_CREATION
. - If
event.type
isRegistry Key Rename
mappedmetadata.event_type
toREGISTRY_MODIfICATION
. - If
event.type
isRegistry Key Delete
mappedmetadata.event_type
toREGISTRY_DELETION
. - If
event.type
isRegistry Key Export
mappedmetadata.event_type
toREGISTRY_UNCATEGORIZED
. - If
event.type
isRegistry Key Security Changed
mappedmetadata.event_type
toREGISTRY_MODIfICATION
. - If
event.type
isRegistry Key Import
mappedmetadata.event_type
toREGISTRY_CREATION
. - If
event.type
isRegistry Value ModIfied
mappedmetadata.event_type
toREGISTRY_MODIfICATION
. - If
event.type
isRegistry Value Create
mappedmetadata.event_type
toREGISTRY_CREATION
. - If
event.type
isRegistry Value Delete
mappedmetadata.event_type
toREGISTRY_DELETION
. - If
event.type
isBehavioral Indicators
mappedmetadata.event_type
toSCAN_UNCATEGORIZED
. - If
event.type
isModule Load
mappedmetadata.event_type
toPROCESS_MODULE_LOAD
. - If
event.type
isThreat Intelligence Indicators
mappedmetadata.event_type
toSCAN_UNCATEGORIZED
. - If
event.type
isNamed Pipe Creation
mappedmetadata.event_type
toPROCESS_UNCATEGORIZED
. - If
event.type
isNamed Pipe Connection
mappedmetadata.event_type
toPROCESS_UNCATEGORIZED
. - If
event.type
isDriver Load
mappedmetadata.event_type
toPROCESS_MODULE_LOAD
.
2023-02-13
Enhancement:
- Mapped
endpoint.os
toprincipal.platform
. - Mapped
endpoint.name
totarget.hostname
. - Mapped
src.process.pid
toprincipal.process.pid
. - Mapped
src.process.cmdline
toprincipal.process.command_line
. - Mapped
src.process.image.path
toprincipal.process.file.full_path
. - Mapped
src.process.image.sha1
toprincipal.process.file.sha1
. - Mapped
src.process.eUserUid
tometadata.ingestion_labels
. - Mapped
src.process.lUserUid
tometadata.ingestion_labels
. - Mapped
src.process.uid
toprincipal.user.userid
. - Mapped
src.process.displayName
toprincipal.user.user_display_name
. - Mapped
src.process.isRedirectCmdProcessor
,src.process.isNative64Bit
,src.process.isStorylineRoot
,src.process.signedStatus
,src.file.isSigned
,src.process.subsystem
,src.process.integrityLevel
,src.process.tgtFileCreationCount
,src.process.childProcCount
,src.process.indicatorBootConfigurationUpdateCount
,src.process.indicatorEvasionCount
,src.process.indicatorExploitationCount
,src.process.indicatorGeneralCount
,src.process.indicatorInfostealerCount
,src.process.moduleCount
toprincipal.resource.attribute.labels
. - Mapped
src.process.image.md5
toprincipal.process.file.md5
. - Mapped
agent.uuid
toprincipal.asset.asset_id
. - Mapped
agent.version
tometadata.product_version
. - Mapped
site.id
toprincipal.namespace
. - Mapped
site.name
toprincipal.location.name
. - Mapped
trace.id
tometadata.product_log_id
. - Mapped
dataSource.category
tosecurity_result.category_details
. - Mapped
packet.id
toabout.resource.attribute.labels
. - Mapped
mgmt.url
,endpoint.type
tometadata.url_back_to_product
. - Mapped
tgt.process.image.sha1
totarget.process.file.sha1
. - Mapped
tgt.process.image.path
totarget.process.file.full_path
. - Mapped
tgt.process.pid
totarget.process.pid
. - Mapped
tgt.process.uid
totarget.user.userid
. - Mapped
tgt.process.cmdline
totarget.process.command_line
. - Mapped
tgt.process.displayName
totarget.user.user_display_name
. - Mapped
tgt.process.image.md5
totarget.process.file.md5
. - Mapped
src.process.parent.image.sha256
toprincipal.process.file.sha256
. - Mapped
tgt.process.image.sha256
totarget.process.file.sha256
. - Mapped
tgt.process.sessionId
tonetwork.session_id
. - Mapped
tgt.process.storyline.id
totarget.process.product_specific_process_id
. - Mapped
tgt.process.isRedirectCmdProcessor
,tgt.process.isNative64Bit
,tgt.process.isStorylineRoot
,tgt.process.signedStatus
,tgt.file.isSigned
,tgt.process.subsystem
,tgt.process.integrityLevel
,tgt.process.publisher
totarget.resource.attribute.labels
. - Mapped
prod_event_type
tometadata.product_event_type
.
2022-09-09
Enhancement:
- Undropped the logs with
event_type
= null. - Provided null checks for
meta.os_version
,meta.os_name
,meta.uuid
,meta.computer_name
,meta.os_revision
. - Reduced the size of
*.targetFile.hashes.sha1
and*.source.executable.hashes.sha1
to 64 bytes when exceeding the limit of 64 bytes.
Need more help? Get answers from Community members and Google SecOps professionals.