Collect SentinelOne Deep Visibility logs

This document explains how to export SentinelOne Deep Visibility logs to Google Security Operations by using Cloud Funnel to write the logs to a Google Cloud Storage bucket, from which a Google SecOps feed ingests them. The parser transforms raw JSON-formatted security event logs into a structured format conforming to the UDM. It first initializes a set of variables, then extracts the event type and parses the JSON payload, mapping relevant fields to the UDM schema while handling Windows event logs separately.

Before You Begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Google Cloud.
  • Ensure that SentinelOne Deep Visibility is set up in your environment.
  • Ensure that you have privileged access to SentinelOne.

Create a Google Cloud Storage Bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      1. Enter a unique name that meets the bucket name requirements; for example, sentinelone-deepvisibility.
      2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.

      3. To add a bucket label, click the expander arrow to expand the Labels section.

      4. Click Add label, and specify a key and a value for your label.

    2. In the Choose where to store your data section, do the following:

      1. Select a Location type.
      2. Use the location type menu to select a Location where object data within your bucket will be permanently stored.

      3. To set up cross-bucket replication, expand the Set up cross-bucket replication section.

    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      1. Select any of the options under Data protection that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Create a Google Cloud Service Account

  1. Go to IAM & Admin > Service Accounts.
  2. Create a new service account.
  3. Give it a descriptive name; for example, sentinelone-dv-logs.
  4. Grant the service account the Storage Object Creator role on the Cloud Storage bucket you created in the previous step.
  5. Create an SSH key for the service account.
  6. Download a JSON key file for the service account. Keep this file secure.

Configure Cloud Funnel in SentinelOne Deep Visibility

  1. Sign in to SentinelOne Deep Visibility.
  2. Click Configure > Policy & Settings.
  3. In the Singularity Data Lake section, click Cloud Funnel.
  4. Provide the following configuration details:
    • Cloud Provider: select Google Cloud.
    • Bucket Name: enter the name of the Cloud Storage bucket that you created for SentinelOne Deep Visibility log ingestion.
    • Telemetry Streaming: select Enable.
    • Query Filters: create a query that includes the agents that need to send data to a Cloud Storage bucket.
    • Click Validate.
    • Fields to include: select all fields.
  5. Click Save.

Configure a feed in Google SecOps to ingest SentinelOne Deep Visibility logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, SentinelOne DV Logs.
  4. Select Google Cloud Storage as the Source type.
  5. Select SentinelOne Deep Visibility as the Log type.
  6. Click Get Service Account as the Chronicle Service Account.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Storage Bucket URI: the Google Cloud Storage bucket URI, in gs://my-bucket/<value> format.
    • URI Is A: select Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

| Log field | UDM mapping | Logic |
|---|---|---|
| AdapterName | security_result.about.resource.attribute.labels.value | The value is taken from the 'AdapterName' field in the raw log. |
| AdapterSuffixName | security_result.about.resource.attribute.labels.value | The value is taken from the 'AdapterSuffixName' field in the raw log. |
| agent_version | read_only_udm.metadata.product_version | The value is taken from the 'meta.agent_version' field in the raw log. |
| Channel | security_result.about.resource.attribute.labels.value | The value is taken from the 'Channel' field in the raw log. |
| commandLine | read_only_udm.principal.process.command_line | The value is taken from the 'event.Event...commandLine' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| computer_name | read_only_udm.principal.hostname | The value is taken from the 'meta.computer_name' field in the raw log. |
| destinationAddress.address | read_only_udm.target.ip | The value is taken from the 'event.Event.Tcpv4.destinationAddress.address' field in the raw log. |
| destinationAddress.port | read_only_udm.target.port | The value is taken from the 'event.Event.Tcpv4.destinationAddress.port' field in the raw log. |
| DnsServerList | read_only_udm.principal.ip | The value is taken from the 'DnsServerList' field in the raw log. |
| ErrorCode_new | security_result.detection_fields.value | The value is taken from the 'ErrorCode_new' field in the raw log. |
| EventID | security_result.about.resource.attribute.labels.value | The value is taken from the 'EventID' field in the raw log. |
| event.Event.Dns.query | read_only_udm.network.dns.questions.name | The value is taken from the 'event.Event.Dns.query' field in the raw log. |
| event.Event.Dns.results | read_only_udm.network.dns.answers.data | The value is taken from the 'event.Event.Dns.results' field in the raw log. |
| event.Event.Dns.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.Dns.source.fullPid.pid' field in the raw log. |
| event.Event.Dns.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Dns.source.user.name' field in the raw log. |
| event.Event.FileCreation.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.FileCreation.source.fullPid.pid' field in the raw log. |
| event.Event.FileCreation.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileCreation.source.user.name' field in the raw log. |
| event.Event.FileCreation.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileCreation.targetFile.path' field in the raw log. |
| event.Event.FileDeletion.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.FileDeletion.source.fullPid.pid' field in the raw log. |
| event.Event.FileDeletion.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileDeletion.source.user.name' field in the raw log. |
| event.Event.FileDeletion.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileDeletion.targetFile.path' field in the raw log. |
| event.Event.FileModification.file.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileModification.file.path' field in the raw log. |
| event.Event.FileModification.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.FileModification.source.user.name' field in the raw log. |
| event.Event.FileModification.targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileModification.targetFile.path' field in the raw log. |
| event.Event.Http.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Http.source.user.name' field in the raw log. |
| event.Event.Http.url | read_only_udm.target.url | The value is taken from the 'event.Event.Http.url' field in the raw log. |
| event.Event.ProcessCreation.process.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessCreation.process.user.name' field in the raw log. |
| event.Event.ProcessCreation.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessCreation.source.user.name' field in the raw log. |
| event.Event.ProcessExit.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessExit.source.user.name' field in the raw log. |
| event.Event.ProcessTermination.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.ProcessTermination.source.user.name' field in the raw log. |
| event.Event.RegKeyCreate.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.RegKeyCreate.source.fullPid.pid' field in the raw log. |
| event.Event.RegKeyCreate.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegKeyCreate.source.user.name' field in the raw log. |
| event.Event.RegKeyDelete.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegKeyDelete.source.user.name' field in the raw log. |
| event.Event.RegValueModified.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.RegValueModified.source.user.name' field in the raw log. |
| event.Event.SchedTaskDelete.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskDelete.source.user.name' field in the raw log. |
| event.Event.SchedTaskRegister.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskRegister.source.user.name' field in the raw log. |
| event.Event.SchedTaskStart.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskStart.source.user.name' field in the raw log. |
| event.Event.SchedTaskTrigger.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.SchedTaskTrigger.source.fullPid.pid' field in the raw log. |
| event.Event.SchedTaskTrigger.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.SchedTaskTrigger.source.user.name' field in the raw log. |
| event.Event.Tcpv4.source.fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event.Tcpv4.source.fullPid.pid' field in the raw log. |
| event.Event.Tcpv4.source.user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event.Tcpv4.source.user.name' field in the raw log. |
| event.Event.Tcpv4Listen.local.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4Listen.local.address' field in the raw log. |
| event.timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.seconds | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to seconds. |
| event.timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.nanos | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to nanoseconds. |
| event.timestamp.millisecondsSinceEpoch | security_result.about.resource.attribute.labels.value | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log and used as the value for a label in the security_result.about.resource.attribute.labels array. |
| event_type | read_only_udm.metadata.product_event_type | The value is extracted from the 'message' field in the raw log using a grok pattern. |
| executable.hashes.md5 | read_only_udm.principal.process.file.md5 | The value is taken from the 'event.Event...executable.hashes.md5' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| executable.hashes.sha1 | read_only_udm.principal.process.file.sha1 | The value is taken from the 'event.Event...executable.hashes.sha1' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| executable.hashes.sha256 | read_only_udm.principal.process.file.sha256 | The value is taken from the 'event.Event...executable.hashes.sha256' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| executable.path | read_only_udm.principal.process.file.full_path | The value is taken from the 'event.Event...executable.path' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| executable.sizeBytes | read_only_udm.principal.process.file.size | The value is taken from the 'event.Event...executable.sizeBytes' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| fullPid.pid | read_only_udm.principal.process.pid | The value is taken from the 'event.Event...fullPid.pid' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| hashes.md5 | read_only_udm.target.file.md5 | The value is taken from the 'event.Event.ProcessCreation.hashes.md5' field in the raw log. |
| hashes.sha1 | read_only_udm.target.file.sha1 | The value is taken from the 'event.Event.ProcessCreation.hashes.sha1' field in the raw log. |
| hashes.sha256 | read_only_udm.target.file.sha256 | The value is taken from the 'event.Event.ProcessCreation.hashes.sha256' field in the raw log. |
| IpAddress | read_only_udm.target.ip | The value is taken from the 'IpAddress' field in the raw log. |
| local.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4Listen.local.address' field in the raw log. |
| local.port | read_only_udm.principal.port | The value is taken from the 'event.Event.Tcpv4Listen.local.port' field in the raw log. |
| log_type | read_only_udm.metadata.log_type | The value is taken from the 'log_type' field in the raw log. |
| meta.agent_version | read_only_udm.metadata.product_version | The value is taken from the 'meta.agent_version' field in the raw log. |
| meta.computer_name | read_only_udm.principal.hostname | The value is taken from the 'meta.computer_name' field in the raw log. |
| meta.os_family | read_only_udm.principal.platform | The value is taken from the 'meta.os_family' field in the raw log and mapped to the corresponding platform (e.g., windows to WINDOWS, osx to MAC, linux to LINUX). |
| meta.os_name | read_only_udm.principal.platform_version | The value is taken from the 'meta.os_name' field in the raw log. |
| meta.os_revision | read_only_udm.principal.platform_patch_level | The value is taken from the 'meta.os_revision' field in the raw log. |
| meta.uuid | read_only_udm.principal.asset_id | The value is taken from the 'meta.uuid' field in the raw log and prepended with SENTINELONE:. |
| name | read_only_udm.principal.application | The value is taken from the 'event.Event...name' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| parent.executable.hashes.md5 | read_only_udm.target.process.parent_process.file.md5 | The value is taken from the 'event.Event..parent.executable.hashes.md5' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
| parent.executable.hashes.sha1 | read_only_udm.target.process.parent_process.file.sha1 | The value is taken from the 'event.Event..parent.executable.hashes.sha1' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
| parent.executable.hashes.sha256 | read_only_udm.target.process.parent_process.file.sha256 | The value is taken from the 'event.Event..parent.executable.hashes.sha256' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
| parent.executable.path | read_only_udm.target.process.parent_process.file.full_path | The value is taken from the 'event.Event..parent.executable.path' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
| parent.fullPid.pid | read_only_udm.target.process.parent_process.pid | The value is taken from the 'event.Event..parent.fullPid.pid' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
| path | read_only_udm.principal.process.file.full_path | The value is taken from the 'event.Event...path' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| process.commandLine | read_only_udm.target.process.command_line | The value is taken from the 'event.Event.ProcessCreation.process.commandLine' field in the raw log. |
| process.fullPid.pid | read_only_udm.target.process.pid | The value is taken from the 'event.Event.ProcessCreation.process.fullPid.pid' field in the raw log. |
| process.parent.fullPid.pid | read_only_udm.target.process.parent_process.pid | The value is taken from the 'event.Event.ProcessCreation.process.parent.fullPid.pid' field in the raw log. |
| ProviderGuid | security_result.about.resource.attribute.labels.value | The value is taken from the 'ProviderGuid' field in the raw log, with curly braces removed. |
| query | read_only_udm.network.dns.questions.name | The value is taken from the 'event.Event.Dns.query' field in the raw log. |
| RecordNumber | security_result.about.resource.attribute.labels.value | The value is taken from the 'RecordNumber' field in the raw log. |
| regKey.path | read_only_udm.target.registry.registry_key | The value is taken from the 'event.Event.RegKeyCreate.regKey.path' or 'event.Event.RegKeyDelete.regKey.path' field in the raw log. |
| regValue.path | read_only_udm.target.registry.registry_key | The value is taken from the 'event.Event.RegValueDelete.regValue.path' or 'event.Event.RegValueModified.regValue.path' field in the raw log. |
| results | read_only_udm.network.dns.answers.data | The value is taken from the 'event.Event.Dns.results' field in the raw log. |
| Sent UpdateServer | intermediary.hostname | The value is taken from the 'Sent UpdateServer' field in the raw log. |
| seq_id |  | This field is not directly mapped to the UDM. |
| signature.Status.Signed.identity |  | This field is not directly mapped to the UDM. |
| sizeBytes | read_only_udm.principal.process.file.size | The value is taken from the 'event.Event...sizeBytes' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| sourceAddress.address | read_only_udm.principal.ip | The value is taken from the 'event.Event.Tcpv4.sourceAddress.address' field in the raw log. |
| sourceAddress.port | read_only_udm.principal.port | The value is taken from the 'event.Event.Tcpv4.sourceAddress.port' field in the raw log. |
| SourceName | security_result.about.resource.attribute.labels.value | The value is taken from the 'SourceName' field in the raw log. |
| status |  | This field is not directly mapped to the UDM. |
| taskName | read_only_udm.target.resource.name | The value is taken from the 'event.Event.SchedTaskStart.taskName', 'event.Event.SchedTaskTrigger.taskName', or 'event.Event.SchedTaskDelete.taskName' field in the raw log. |
| targetFile.hashes.md5 | read_only_udm.target.file.md5 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.md5' or 'event.Event.SchedTaskStart.targetFile.hashes.md5' field in the raw log. |
| targetFile.hashes.sha1 | read_only_udm.target.file.sha1 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.sha1' or 'event.Event.SchedTaskStart.targetFile.hashes.sha1' field in the raw log. |
| targetFile.hashes.sha256 | read_only_udm.target.file.sha256 | The value is taken from the 'event.Event.FileDeletion.targetFile.hashes.sha256' or 'event.Event.SchedTaskStart.targetFile.hashes.sha256' field in the raw log. |
| targetFile.path | read_only_udm.target.file.full_path | The value is taken from the 'event.Event.FileDeletion.targetFile.path' or 'event.Event.SchedTaskStart.targetFile.path' field in the raw log. |
| Task | security_result.about.resource.attribute.labels.value | The value is taken from the 'Task' field in the raw log. |
| timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.seconds | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to seconds. |
| timestamp.millisecondsSinceEpoch | read_only_udm.metadata.event_timestamp.nanos | The value is taken from the 'event.timestamp.millisecondsSinceEpoch' field in the raw log, converted to nanoseconds. |
| trace_id |  | This field is not directly mapped to the UDM. |
| triggerType |  | This field is not directly mapped to the UDM. |
| trueContext |  | This field is not directly mapped to the UDM. |
| trueContext.key |  | This field is not directly mapped to the UDM. |
| trueContext.key.value |  | This field is not directly mapped to the UDM. |
| type | read_only_udm.network.dns.answers.type | The value is taken from the 'event.Event.Dns.results' field in the raw log and extracted using a regular expression. |
| url | read_only_udm.target.url | The value is taken from the 'event.Event.Http.url' field in the raw log. |
| user.name | read_only_udm.principal.user.userid | The value is taken from the 'event.Event...user.name' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| user.sid | read_only_udm.principal.user.windows_sid | The value is taken from the 'event.Event...user.sid' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
| UserID | read_only_udm.target.user.windows_sid | The value is taken from the 'UserID' field in the raw log, only if it matches the Windows SID pattern. |
| UserSid | read_only_udm.target.user.windows_sid | The value is taken from the 'UserSid' field in the raw log, only if it matches the Windows SID pattern. |
| valueType |  | This field is not directly mapped to the UDM. |
| winEventLog.channel | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.channel' field in the raw log. |
| winEventLog.description |  | This field is not directly mapped to the UDM. |
| winEventLog.id | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.id' field in the raw log. |
| winEventLog.level | security_result.severity | The value is taken from the 'winEventLog.level' field in the raw log and mapped to the corresponding severity level (e.g., Warning to MEDIUM). |
| winEventLog.providerName | security_result.about.resource.attribute.labels.value | The value is taken from the 'winEventLog.providerName' field in the raw log. |
| winEventLog.xml |  | This field is not directly mapped to the UDM. |
|  | read_only_udm.metadata.event_type | The value is determined based on the 'event_type' field and mapped to the corresponding UDM event type. |
|  | read_only_udm.metadata.vendor_name | The value is set to SentinelOne. |
|  | read_only_udm.metadata.product_name | The value is set to Deep Visibility. |
|  | read_only_udm.metadata.product_log_id | The value is taken from the 'trace.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.metadata.product_deployment_id | The value is taken from the 'account.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.metadata.url_back_to_product | The value is taken from the 'mgmt.url' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.metadata.ingestion_labels.key | The value is set to Process eUserUid or Process lUserUid for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.metadata.ingestion_labels.value | The value is taken from the 'src.process.eUserUid' or 'src.process.lUserUid' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.principal.administrative_domain | The domain portion of the 'event.Event...user.name' field in the raw log, where the omitted segments are the specific event type (e.g., ProcessCreation, ProcessExit) and the field containing process information (e.g., process, source, parent). |
|  | read_only_udm.target.process.parent_process.command_line | The value is taken from the 'event.Event..parent.commandLine' field in the raw log, where the omitted segment is the specific event type (e.g., ProcessCreation, ProcessExit). |
|  | read_only_udm.target.file | An empty object is created if the 'event_type' is not FileCreation, FileDeletion, FileModification, SchedTaskStart, or ProcessCreation. |
|  | read_only_udm.network.ip_protocol | The value is set to TCP for events with 'event_type' equal to Tcpv4, Tcpv4Listen, or Http. |
|  | read_only_udm.network.application_protocol | The value is set to DNS for events with 'event_type' equal to Dns. |
|  | read_only_udm.target.resource.type | The value is set to TASK for events with 'event_type' equal to SchedTaskStart, SchedTaskTrigger, or SchedTaskDelete. |
|  | read_only_udm.target.resource.resource_type | The value is set to TASK for events with 'event_type' equal to SchedTaskStart, SchedTaskTrigger, or SchedTaskDelete. |
|  | read_only_udm.principal.process.product_specific_process_id | The value is set to ExecutionThreadID:<ExecutionThreadID> if the 'ExecutionThreadID' field is present in the raw log. |
|  | read_only_udm.principal.asset.asset_id | The value is set to Device ID:<agent.uuid> if the 'agent.uuid' field is present in the raw log. |
|  | read_only_udm.principal.namespace | The value is taken from the 'site.id' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.principal.location.name | The value is taken from the 'site.name' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.principal.resource.attribute.labels.key | The value is set to src.process.displayName, src.process.uid, isRedirectCmdProcessor, isNative64Bit, isStorylineRoot, signedStatus, src process subsystem, src process integrityLevel, or childProcCount for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.principal.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.target.user.userid | The value is taken from the 'tgt.process.uid' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.target.user.user_display_name | The value is taken from the 'tgt.process.displayName' field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.target.resource.attribute.labels.key | The value is set to isRedirectCmdProcessor, isNative64Bit, isStorylineRoot, signedStatus, file_isSigned, tgt process subsystem, or tgt process integrityLevel for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.target.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.security_result.about.resource.attribute.labels.key | The value is set to tgt.process.storyline.id, endpoint_type, packet_id, src.process.storyline.id, or src.process.parent.storyline.id for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.security_result.about.resource.attribute.labels.value | The value is taken from the corresponding field in the raw log and prepended with ID: for storyline IDs, only for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.security_result.category_details | The value is set to security for events with 'meta.event.name' equal to PROCESSCREATION. |
|  | read_only_udm.target.asset.product_object_id | The value is taken from the 'AdapterName' field in the raw log, only for events with 'meta.event.name' equal to EVENTLOG. |
|  | security_result.about.resource.attribute.labels.key | The value is set to TimeCreated SystemTime, EventID, Task, Channel, ProviderGuid, RecordNumber, SourceName, endpoint_type, or packet_id for events with 'meta.event.name' equal to EVENTLOG. |
|  | security_result.detection_fields.key | The value is set to Activity ID for events with 'meta.event.name' equal to EVENTLOG and a non-empty 'ActivityID' field. |
|  | security_result.detection_fields.value | The value is taken from the 'ActivityID' field in the raw log, only for events with 'meta.event.name' equal to EVENTLOG and a non-empty 'ActivityID' field. |
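The following is an added example, not Google's parser or SentinelOne code, that implements a subset of the mapping table above in Python so the rules can be checked against a sample event: the timestamp split, the os_family and asset_id rules, the Tcpv4 and Dns shapes, and the Windows event log rules for ProviderGuid, UserSid and level. It assumes that the event type is the key under event.Event (the page's grok pattern is not shown), that the UDM event type table corresponds to the 2023-04-09 entry in the Changes section below, and that the sample events are constructed.

```python
"""Illustrative UDM mapper for SentinelOne Deep Visibility Cloud Funnel JSON events.
Added example, not Google's parser: it implements a subset of the mapping table on this
page (metadata, timestamp split, platform and asset_id rules, the Tcpv4 and Dns shapes,
and the Windows event log label rules for ProviderGuid, UserSid and level)."""
import json
import re

# Assumed: event_type is the single key under event.Event (the page derives it from the
# 'message' field with a grok pattern that is not shown); the UDM event types below are an
# assumed correspondence to the 2023-04-09 change entry on this page.
UDM_EVENT_TYPE = {
    "ProcessCreation": "PROCESS_LAUNCH", "Tcpv4": "NETWORK_CONNECTION",
    "Tcpv4Listen": "NETWORK_UNCATEGORIZED", "Dns": "NETWORK_DNS", "Http": "NETWORK_HTTP",
    "FileCreation": "FILE_CREATION", "FileDeletion": "FILE_DELETION",
    "FileModification": "FILE_MODIFICATION", "RegKeyCreate": "REGISTRY_CREATION",
    "RegKeyDelete": "REGISTRY_DELETION", "SchedTaskDelete": "SCHEDULED_TASK_DELETION",
}
PLATFORM = {"windows": "WINDOWS", "osx": "MAC", "linux": "LINUX"}  # meta.os_family row
SEVERITY = {"Warning": "MEDIUM"}  # winEventLog.level row; only the example the page gives
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # Windows SID shape that gates UserSid/UserID

def get(obj, dotted):
    """Walk a dotted path; None when any segment is missing or not a dict."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def split_timestamp(ms):
    """millisecondsSinceEpoch -> (seconds, nanos) for metadata.event_timestamp."""
    return ms // 1000, (ms % 1000) * 1_000_000

def map_event(raw):
    log = json.loads(raw)
    udm = {"metadata": {"vendor_name": "SentinelOne", "product_name": "Deep Visibility"},
           "principal": {}, "target": {}, "network": {}}
    md, p, t = udm["metadata"], udm["principal"], udm["target"]
    md["product_version"] = get(log, "meta.agent_version")
    p["hostname"] = get(log, "meta.computer_name")
    p["platform"] = PLATFORM.get(str(get(log, "meta.os_family")).lower())
    p["platform_version"] = get(log, "meta.os_name")
    if get(log, "meta.uuid"):
        p["asset_id"] = "SENTINELONE:" + get(log, "meta.uuid")
    ms = get(log, "event.timestamp.millisecondsSinceEpoch")
    if ms is not None:
        secs, nanos = split_timestamp(int(ms))
        md["event_timestamp"] = {"seconds": secs, "nanos": nanos}
    events = get(log, "event.Event") or {}
    event_type = next(iter(events), None)
    md["product_event_type"] = event_type
    md["event_type"] = UDM_EVENT_TYPE.get(event_type, "GENERIC_EVENT")
    ev = events.get(event_type) or {}
    # event.Event.<event_type>.source.* holds the acting process and user
    src = ev.get("source") or {}
    if get(src, "fullPid.pid") is not None:
        p["process"] = {"pid": str(get(src, "fullPid.pid"))}
    user = get(src, "user.name")
    if user:
        p["user"] = {"userid": user}
        if "\\" in user:  # DOMAIN\user: administrative_domain is the domain part
            p["administrative_domain"] = user.split("\\", 1)[0]
    if get(src, "user.sid"):
        p.setdefault("user", {})["windows_sid"] = get(src, "user.sid")
    if event_type in ("Tcpv4", "Tcpv4Listen", "Http"):
        udm["network"]["ip_protocol"] = "TCP"
    if event_type == "Tcpv4":
        p["ip"], p["port"] = get(ev, "sourceAddress.address"), get(ev, "sourceAddress.port")
        t["ip"], t["port"] = get(ev, "destinationAddress.address"), get(ev, "destinationAddress.port")
    elif event_type == "Dns":
        udm["network"]["application_protocol"] = "DNS"
        udm["network"]["dns"] = {"questions": [{"name": ev.get("query")}],
                                 "answers": [{"data": ev.get("results")}]}
    elif event_type in ("SchedTaskStart", "SchedTaskTrigger", "SchedTaskDelete"):
        t["resource"] = {"resource_type": "TASK", "name": ev.get("taskName")}
    return udm

def map_windows_eventlog(raw):
    """Label rules for the EVENTLOG shape: braces stripped, SID gated, level mapped."""
    log = json.loads(raw)
    labels = {k: log[k] for k in ("EventID", "Task", "Channel", "RecordNumber", "SourceName") if k in log}
    if "ProviderGuid" in log:
        labels["ProviderGuid"] = log["ProviderGuid"].strip("{}")
    out = {"labels": labels, "severity": SEVERITY.get(get(log, "winEventLog.level"))}
    sid = log.get("UserSid") or log.get("UserID")
    if sid and SID_RE.match(str(sid)):  # a value not shaped like a SID is left unmapped
        out["target_user_windows_sid"] = sid
    return out

# Constructed sample events (not captured from a real deployment).
SAMPLE_TCP = json.dumps({
    "meta": {"agent_version": "22.1.2.1234", "computer_name": "ws-042", "os_family": "windows",
             "os_name": "Windows 10 Pro", "uuid": "0f1e2d3c-constructed"},
    "event": {"timestamp": {"millisecondsSinceEpoch": 1694000000123},
              "Event": {"Tcpv4": {
                  "source": {"fullPid": {"pid": 4321},
                             "user": {"name": "CORP\\alice", "sid": "S-1-5-21-1-2-3-1001"}},
                  "sourceAddress": {"address": "10.0.0.5", "port": 51000},
                  "destinationAddress": {"address": "203.0.113.9", "port": 443}}}}})
SAMPLE_EVENTLOG = json.dumps({"EventID": 4688, "Channel": "Security", "UserSid": "S-1-5-18",
    "ProviderGuid": "{11111111-2222-3333-4444-555555555555}", "winEventLog": {"level": "Warning"}})
```

Calling map_event(SAMPLE_TCP) yields a NETWORK_CONNECTION event whose principal carries the hostname, the SENTINELONE:-prefixed asset_id, the CORP domain split out of the user name and the source IP and port; map_windows_eventlog(SAMPLE_EVENTLOG) keeps the UserSid only because it matches the SID shape.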

Changes

2023-09-06

Enhancement:

  • Modified mapping of tgt.process.storyline.id from target.process.product_specific_process_id to security_result.about.resource.attribute.labels.
  • Modified mapping of src.process.storyline.id from principal.process.product_specific_process_id to security_result.about.resource.attribute.labels.
  • Modified mapping of src.process.parent.storyline.id from principal.parent.process.product_specific_process_id to security_result.about.resource.attribute.labels.

2023-07-31

Enhancement:

  • Handled logs containing XML data.

2023-04-09

Enhancement:

  • If event.type is Process Creation, metadata.event_type is mapped to PROCESS_LAUNCH.
  • If event.type is Duplicate Process Handle, metadata.event_type is mapped to PROCESS_OPEN.
  • If event.type is Duplicate Thread Handle, metadata.event_type is mapped to PROCESS_OPEN.
  • If event.type is Open Remote Process Handle, metadata.event_type is mapped to PROCESS_OPEN.
  • If event.type is Remote Thread Creation, metadata.event_type is mapped to PROCESS_LAUNCH.
  • If event.type is Command Script, metadata.event_type is mapped to FILE_UNCATEGORIZED.
  • If event.type is IP Connect, metadata.event_type is mapped to NETWORK_CONNECTION.
  • If event.type is IP Listen, metadata.event_type is mapped to NETWORK_UNCATEGORIZED.
  • If event.type is File Modification, metadata.event_type is mapped to FILE_MODIFICATION.
  • If event.type is File Creation, metadata.event_type is mapped to FILE_CREATION.
  • If event.type is File Scan, metadata.event_type is mapped to FILE_UNCATEGORIZED.
  • If event.type is File Deletion, metadata.event_type is mapped to FILE_DELETION.
  • If event.type is File Rename, metadata.event_type is mapped to FILE_MODIFICATION.
  • If event.type is Pre Execution Detection, metadata.event_type is mapped to FILE_UNCATEGORIZED.
  • If event.type is Login, metadata.event_type is mapped to USER_LOGIN.
  • If event.type is Logout, metadata.event_type is mapped to USER_LOGOUT.
  • If event.type is GET, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is OPTIONS, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is POST, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is PUT, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is DELETE, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is CONNECT, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is HEAD, metadata.event_type is mapped to NETWORK_HTTP.
  • If event.type is Not Reported, metadata.event_type is mapped to STATUS_UNCATEGORIZED.
  • If event.type is DNS Resolved, metadata.event_type is mapped to NETWORK_DNS.
  • If event.type is DNS Unresolved, metadata.event_type is mapped to NETWORK_DNS.
  • If event.type is Task Register, metadata.event_type is mapped to SCHEDULED_TASK_CREATION.
  • If event.type is Task Update, metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION.
  • If event.type is Task Start, metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED.
  • If event.type is Task Trigger, metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED.
  • If event.type is Task Delete, metadata.event_type is mapped to SCHEDULED_TASK_DELETION.
  • If event.type is Registry Key Create, metadata.event_type is mapped to REGISTRY_CREATION.
  • If event.type is Registry Key Rename, metadata.event_type is mapped to REGISTRY_MODIFICATION.
  • If event.type is Registry Key Delete, metadata.event_type is mapped to REGISTRY_DELETION.
  • If event.type is Registry Key Export, metadata.event_type is mapped to REGISTRY_UNCATEGORIZED.
  • If event.type is Registry Key Security Changed, metadata.event_type is mapped to REGISTRY_MODIFICATION.
  • If event.type is Registry Key Import, metadata.event_type is mapped to REGISTRY_CREATION.
  • If event.type is Registry Value Modified, metadata.event_type is mapped to REGISTRY_MODIFICATION.
  • If event.type is Registry Value Create, metadata.event_type is mapped to REGISTRY_CREATION.
  • If event.type is Registry Value Delete, metadata.event_type is mapped to REGISTRY_DELETION.
  • If event.type is Behavioral Indicators, metadata.event_type is mapped to SCAN_UNCATEGORIZED.
  • If event.type is Module Load, metadata.event_type is mapped to PROCESS_MODULE_LOAD.
  • If event.type is Threat Intelligence Indicators, metadata.event_type is mapped to SCAN_UNCATEGORIZED.
  • If event.type is Named Pipe Creation, metadata.event_type is mapped to PROCESS_UNCATEGORIZED.
  • If event.type is Named Pipe Connection, metadata.event_type is mapped to PROCESS_UNCATEGORIZED.
  • If event.type is Driver Load, metadata.event_type is mapped to PROCESS_MODULE_LOAD.

2023-02-13

Enhancement:

  • Mapped endpoint.os to principal.platform.
  • Mapped endpoint.name to target.hostname.
  • Mapped src.process.pid to principal.process.pid.
  • Mapped src.process.cmdline to principal.process.command_line.
  • Mapped src.process.image.path to principal.process.file.full_path.
  • Mapped src.process.image.sha1 to principal.process.file.sha1.
  • Mapped src.process.eUserUid to metadata.ingestion_labels.
  • Mapped src.process.lUserUid to metadata.ingestion_labels.
  • Mapped src.process.uid to principal.user.userid.
  • Mapped src.process.displayName to principal.user.user_display_name.
  • Mapped src.process.isRedirectCmdProcessor, src.process.isNative64Bit, src.process.isStorylineRoot, src.process.signedStatus, src.file.isSigned, src.process.subsystem, src.process.integrityLevel, src.process.tgtFileCreationCount, src.process.childProcCount, src.process.indicatorBootConfigurationUpdateCount, src.process.indicatorEvasionCount, src.process.indicatorExploitationCount, src.process.indicatorGeneralCount, src.process.indicatorInfostealerCount, src.process.moduleCount to principal.resource.attribute.labels.
  • Mapped src.process.image.md5 to principal.process.file.md5.
  • Mapped agent.uuid to principal.asset.asset_id.
  • Mapped agent.version to metadata.product_version.
  • Mapped site.id to principal.namespace.
  • Mapped site.name to principal.location.name.
  • Mapped trace.id to metadata.product_log_id.
  • Mapped dataSource.category to security_result.category_details.
  • Mapped packet.id to about.resource.attribute.labels.
  • Mapped mgmt.url, endpoint.type to metadata.url_back_to_product.
  • Mapped tgt.process.image.sha1 to target.process.file.sha1.
  • Mapped tgt.process.image.path to target.process.file.full_path.
  • Mapped tgt.process.pid to target.process.pid.
  • Mapped tgt.process.uid to target.user.userid.
  • Mapped tgt.process.cmdline to target.process.command_line.
  • Mapped tgt.process.displayName to target.user.user_display_name.
  • Mapped tgt.process.image.md5 to target.process.file.md5.
  • Mapped src.process.parent.image.sha256 to principal.process.file.sha256.
  • Mapped tgt.process.image.sha256 to target.process.file.sha256.
  • Mapped tgt.process.sessionId to network.session_id.
  • Mapped tgt.process.storyline.id to target.process.product_specific_process_id.
  • Mapped tgt.process.isRedirectCmdProcessor, tgt.process.isNative64Bit, tgt.process.isStorylineRoot, tgt.process.signedStatus, tgt.file.isSigned, tgt.process.subsystem, tgt.process.integrityLevel, tgt.process.publisher to target.resource.attribute.labels.
  • Mapped prod_event_type to metadata.product_event_type.

2022-09-09

Enhancement:

  • Undropped the logs with event_type = null.
  • Provided null checks for meta.os_version, meta.os_name, meta.uuid, meta.computer_name, meta.os_revision.
  • Reduced *.targetFile.hashes.sha1 and *.source.executable.hashes.sha1 to 64 bytes when they exceed the 64-byte limit.
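The following is an added example, not Google SecOps parser code, that simulates locally the rules summarized in this change log: the event.type to metadata.event_type table above, a subset of the 2023-02-13 field mappings, and the 2022-09-09 null checks and SHA1 truncation. It is useful for sanity-checking Deep Visibility JSON records before ingestion or for spotting event types the table does not yet cover. The fallback event type for null or unmapped event.type values, the label key naming inside metadata.ingestion_labels, and the sample record are all assumptions; the page does not state how the real parser handles those cases.

```python
# Added example (not Google SecOps parser code): local simulation of the
# Deep Visibility -> UDM rules listed in this change log. The fallback event
# type and ingestion-label key naming are assumptions, not documented behaviour.
import json
from typing import Any, Dict, Iterable, Optional, Set

# event.type -> metadata.event_type, as listed in the event type mapping above.
EVENT_TYPE_MAP: Dict[str, str] = {
    "Process Creation": "PROCESS_LAUNCH", "Remote Thread Creation": "PROCESS_LAUNCH",
    "Duplicate Process Handle": "PROCESS_OPEN", "Duplicate Thread Handle": "PROCESS_OPEN",
    "Open Remote Process Handle": "PROCESS_OPEN", "Command Script": "FILE_UNCATEGORIZED",
    "IP Connect": "NETWORK_CONNECTION", "IP Listen": "NETWORK_UNCATEGORIZED",
    "File Modification": "FILE_MODIFICATION", "File Rename": "FILE_MODIFICATION",
    "File Creation": "FILE_CREATION", "File Deletion": "FILE_DELETION",
    "File Scan": "FILE_UNCATEGORIZED", "Pre Execution Detection": "FILE_UNCATEGORIZED",
    "Login": "USER_LOGIN", "Logout": "USER_LOGOUT", "Not Reported": "STATUS_UNCATEGORIZED",
    "GET": "NETWORK_HTTP", "OPTIONS": "NETWORK_HTTP", "POST": "NETWORK_HTTP", "PUT": "NETWORK_HTTP",
    "DELETE": "NETWORK_HTTP", "CONNECT": "NETWORK_HTTP", "HEAD": "NETWORK_HTTP",
    "DNS Resolved": "NETWORK_DNS", "DNS Unresolved": "NETWORK_DNS",
    "Task Register": "SCHEDULED_TASK_CREATION", "Task Update": "SCHEDULED_TASK_MODIFICATION",
    "Task Start": "SCHEDULED_TASK_UNCATEGORIZED", "Task Trigger": "SCHEDULED_TASK_UNCATEGORIZED",
    "Task Delete": "SCHEDULED_TASK_DELETION",
    "Registry Key Create": "REGISTRY_CREATION", "Registry Key Import": "REGISTRY_CREATION",
    "Registry Value Create": "REGISTRY_CREATION", "Registry Key Rename": "REGISTRY_MODIFICATION",
    "Registry Key Security Changed": "REGISTRY_MODIFICATION",
    "Registry Value Modified": "REGISTRY_MODIFICATION", "Registry Key Delete": "REGISTRY_DELETION",
    "Registry Value Delete": "REGISTRY_DELETION", "Registry Key Export": "REGISTRY_UNCATEGORIZED",
    "Behavioral Indicators": "SCAN_UNCATEGORIZED", "Threat Intelligence Indicators": "SCAN_UNCATEGORIZED",
    "Module Load": "PROCESS_MODULE_LOAD", "Driver Load": "PROCESS_MODULE_LOAD",
    "Named Pipe Creation": "PROCESS_UNCATEGORIZED", "Named Pipe Connection": "PROCESS_UNCATEGORIZED",
}

# Subset of the 2023-02-13 direct field mappings (source dotted path -> UDM dotted path).
FIELD_MAP: Dict[str, str] = {
    "endpoint.os": "principal.platform", "endpoint.name": "target.hostname",
    "src.process.pid": "principal.process.pid",
    "src.process.cmdline": "principal.process.command_line",
    "src.process.image.path": "principal.process.file.full_path",
    "src.process.image.sha1": "principal.process.file.sha1",
    "src.process.uid": "principal.user.userid", "agent.uuid": "principal.asset.asset_id",
    "trace.id": "metadata.product_log_id", "tgt.process.pid": "target.process.pid",
}
INGESTION_LABEL_FIELDS = ("src.process.eUserUid", "src.process.lUserUid")
SHA1_LIMIT = 64                        # byte cap from the 2022-09-09 note
FALLBACK_EVENT_TYPE = "GENERIC_EVENT"  # assumption: UDM type used for null/unmapped event.type


def get_path(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path; missing keys and JSON nulls both yield None."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def set_path(obj: Dict[str, Any], dotted: str, value: Any) -> None:
    keys = dotted.split(".")
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def map_event_type(raw_type: Optional[str]) -> str:
    """Null or unknown event.type falls back instead of dropping the record."""
    return EVENT_TYPE_MAP.get(raw_type or "", FALLBACK_EVENT_TYPE)


def clamp_sha1(value: str) -> str:
    """Cut a hash string to SHA1_LIMIT bytes, as the 2022-09-09 enhancement describes."""
    data = value.encode("utf-8")
    return data[:SHA1_LIMIT].decode("utf-8", "ignore") if len(data) > SHA1_LIMIT else value


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Produce a UDM-shaped dict from one Deep Visibility JSON record."""
    udm: Dict[str, Any] = {}
    set_path(udm, "metadata.event_type", map_event_type(get_path(record, "event.type")))
    for src, dst in FIELD_MAP.items():
        value = get_path(record, src)
        if value is None:  # null check: skip rather than emit empty UDM fields
            continue
        set_path(udm, dst, clamp_sha1(str(value)) if dst.endswith(".sha1") else value)
    # Label key = last path segment (assumed naming); value kept as a string.
    labels = [{"key": f.rsplit(".", 1)[-1], "value": str(get_path(record, f))}
              for f in INGESTION_LABEL_FIELDS if get_path(record, f) is not None]
    if labels:
        set_path(udm, "metadata.ingestion_labels", labels)
    return udm


def unmapped_types(records: Iterable[Dict[str, Any]]) -> Set[str]:
    """Report non-null event.type values the table does not cover."""
    return {t for t in (get_path(r, "event.type") for r in records)
            if t is not None and t not in EVENT_TYPE_MAP}


# Constructed sample record (not real telemetry), shaped like a Deep Visibility JSON event.
SAMPLE_EVENT = json.loads(r"""{
  "event": {"type": "Process Creation"},
  "endpoint": {"os": "windows", "name": "ws-finance-07"},
  "agent": {"uuid": "00000000-0000-0000-0000-000000000001", "version": "22.1.2.8"},
  "trace": {"id": "trace-0001"},
  "src": {"process": {"pid": 4321, "uid": "S-1-5-21-0-0-0-1001", "eUserUid": "S-1-5-21-0-0-0-1001",
          "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt",
          "image": {"path": "C:\\Windows\\System32\\notepad.exe",
                    "sha1": "0123456789abcdef0123456789abcdef01234567"}}},
  "tgt": {"process": {"pid": 8765}}
}""")
```

Running `normalize(SAMPLE_EVENT)` yields a record with metadata.event_type PROCESS_LAUNCH, principal.process.pid 4321 and target.hostname ws-finance-07; feeding a record whose event.type is null produces only the fallback metadata.event_type and no empty principal or target fields. `unmapped_types` over a batch of exported records is the quick way to find event types that would land in the fallback bucket.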
