Collect CrowdStrike Falcon logs in CEF

Supported in:

This document explains how to collect CrowdStrike Falcon logs in CEF format using Bindplane. The parser extracts key-value pairs and maps them to the Unified Data Model (UDM), handling different delimiters and enriching the data with additional context like severity and event types. It also performs specific transformations for certain event types and fields, such as user logins and security results.
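To make the parsing and mapping behaviour described above concrete, here is an added example (not the Google SecOps parser, Bindplane, or CrowdStrike code) that parses one CEF record and applies a handful of the rules from the UDM Mapping Table further down this page: the CS: prefix on aid, the ComputerName rule, the all-zeros MD5 check, the MAC normalisation, the ContextProcessId prefix, the EventType fallback, and the LogonInfo/LogonType handling. The sample log line is constructed; the LogonType code table and the CEF-severity buckets are assumptions, since the page only states that those fields are mapped, not how.

```python
"""CEF -> UDM example for CrowdStrike Falcon records (added example; not the Google
SecOps parser, Bindplane or CrowdStrike code). The sample record is constructed."""
import json
import re

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                     "signature_id", "name", "severity")
# Extension key=value pairs: the value runs lazily to the next whitespace-delimited "key="
# boundary or end of line; backslash escapes (\= \| \\ \n \r) are decoded by _unescape().
_KV_RE = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)")
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# LogonType -> UDM auth mechanism. The page only says LogonType maps to a UDM enum; these
# Windows logon-type codes are an assumption of this example.
_LOGON_TYPE_MECHANISM = {"2": "INTERACTIVE", "3": "NETWORK", "4": "BATCH",
                         "5": "SERVICE", "10": "REMOTE_INTERACTIVE"}

def _split_header(line):
    """Split on unescaped '|' (decoding \\| and \\\\); return (7 header fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character inside a header field
            buf.append(line[i + 1])
            i += 1
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, line[i:]

def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return the header fields plus 'extension': {key: decoded value}."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, extension = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields, got %d" % len(fields))
    record = dict(zip(CEF_HEADER_FIELDS, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record["extension"] = {m.group(1): _unescape(m.group(2)) for m in _KV_RE.finditer(extension)}
    return record

def cef_severity_to_udm(severity):
    """CEF buckets 0-3/4-6/7-8/9-10 (from the CEF standard); the UDM labels are assumed."""
    n = int(severity) if severity.isdigit() else -1
    return "UNKNOWN_SEVERITY" if n < 0 else "LOW" if n <= 3 else "MEDIUM" if n <= 6 \
        else "HIGH" if n <= 8 else "CRITICAL"

def _put(udm, path, value):
    """Set a dotted UDM path such as principal.asset.hostname."""
    node, keys = udm, path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value

def to_udm(record):
    """Apply the rules from the UDM Mapping Table that this example covers."""
    ext = record["extension"]
    udm = {"security_result": [{"severity": cef_severity_to_udm(record["severity"])}]}
    aid = ext.get("aid")
    if aid:                                           # aid: prefixed with CS:
        _put(udm, "principal.asset_id", "CS:" + aid)
    host = ext.get("ComputerName")
    if host and host != "-":                          # ComputerName: skip null, "" and "-"
        _put(udm, "principal.hostname", host)
        _put(udm, "principal.asset.hostname", host)
    md5 = ext.get("MD5HashData", "")
    if _MD5_RE.match(md5) and set(md5) != {"0"}:      # valid MD5 and not all zeros
        _put(udm, "target.file.md5", md5)
        _put(udm, "target.process.file.md5", md5)
    if "MAC" in ext:                                  # MAC: lowercase, colons -> hyphens
        _put(udm, "principal.mac", ext["MAC"].lower().replace(":", "-"))
    if ext.get("ContextProcessId") and ext.get("cid") and aid:   # CS:%{cid}:%{aid}: prefix
        pid = "CS:%s:%s:%s" % (ext["cid"], aid, ext["ContextProcessId"])
        _put(udm, "principal.process.product_specific_process_id", pid)
        _put(udm, "target.process.product_specific_process_id", pid)
    event_type = ext.get("event_simpleName") or ext.get("EventType")
    if event_type:                                    # EventType used when event_simpleName is null
        _put(udm, "metadata.product_event_type", event_type)
    if "LogonInfo" in ext:                            # LogonInfo: summary + event_type USER_LOGIN
        _put(udm, "metadata.event_type", "USER_LOGIN")
        udm["security_result"][0]["summary"] = ext["LogonInfo"]
    mechanism = _LOGON_TYPE_MECHANISM.get(ext.get("LogonType", ""))
    if mechanism:
        _put(udm, "extensions.auth.mechanism", mechanism)
    return udm

# Constructed sample (not a captured event): note the escaped '=' in LogonInfo and the
# escaped backslashes in CommandLine, which the extension parser has to handle.
SAMPLE = ("CEF:0|CrowdStrike|FalconHost|1.0|UserLogon|User Logon|3|"
          "aid=0123456789abcdef0123456789abcdef cid=fedcba9876543210fedcba9876543210 "
          "ComputerName=WKSTN-01 EventType=UserLogon LogonType=10 "
          "LogonInfo=user\\=alice domain\\=CORP MAC=AA:BB:CC:DD:EE:FF "
          "MD5HashData=00000000000000000000000000000000 ContextProcessId=4711 "
          "CommandLine=C:\\\\Windows\\\\explorer.exe /restart")

if __name__ == "__main__":
    print(json.dumps(to_udm(parse_cef(SAMPLE)), indent=2))
```

Two details worth noticing when running it: the all-zeros MD5 in the sample is dropped rather than mapped, which is the behaviour the MD5HashData row describes, and the LogonInfo value survives with its embedded spaces only because the CEF producer escaped the inner `=` characters; an unescaped `=` inside a value is the most common reason a CEF extension splits in the wrong place.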

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the CrowdStrike Falcon console.
  • Obtain API credentials for Falcon Stream (Client ID and Client Secret).

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:54525"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SYSLOG
                namespace: cs_falcon
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
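Before restarting the agent, it is worth checking the values substituted in steps 3 to 5, since a placeholder left in customer_id or a wrong credentials path only shows up as an export failure later. The following added example (not Bindplane's own validation, nor code from this page) runs those checks against a dict with the same shape as the config.yaml above; reading the real file would need a YAML parser such as PyYAML's yaml.safe_load, which the example does not assume. The UUID shape expected for the customer ID is an assumption, and the credentials file it writes is a constructed stand-in.

```python
"""Pre-flight checks for the Bindplane agent config (added example; not Bindplane's own
validation). Works on a dict shaped like the config.yaml on this page."""
import ipaddress
import json
import os
import re
import tempfile

EXPORTER = "chronicle/chronicle_w_labels"
# Assumption of this example: the Google SecOps customer ID has UUID form.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def check_listen_address(addr):
    """Validate a tcplog listen_address of the form ip:port. Returns (errors, warnings)."""
    errors, warnings = [], []
    host, sep, port = addr.rpartition(":")
    if not sep:
        return ["listen_address %r is not host:port" % addr], warnings
    try:
        ip = ipaddress.ip_address(host.strip("[]"))      # "[::]" form for IPv6
    except ValueError:
        return ["listen_address host %r is not an IP address" % host], warnings
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append("listen_address port %r is out of range" % port)
    elif int(port) < 1024:
        warnings.append("port %s is privileged; the agent needs root to bind it" % port)
    if ip.is_unspecified:
        warnings.append("listen_address binds every interface; narrow it to the one the "
                        "SIEM Connector reaches if the host is multi-homed")
    return errors, warnings

def check_config(cfg):
    """Check receiver, exporter and pipeline wiring. Returns (errors, warnings)."""
    errors, warnings = [], []
    receivers = cfg.get("receivers", {})
    exporters = cfg.get("exporters", {})
    e, w = check_listen_address(receivers.get("tcplog", {}).get("listen_address", ""))
    errors += e
    warnings += w
    exp = exporters.get(EXPORTER)
    if exp is None:
        errors.append("exporter %s is missing" % EXPORTER)
    else:
        cid = str(exp.get("customer_id", ""))
        if cid.startswith("<") or not UUID_RE.match(cid):
            errors.append("customer_id %r is a placeholder or not a UUID" % cid)
        creds = str(exp.get("creds", ""))
        if not os.path.isfile(creds):
            errors.append("creds file %r does not exist" % creds)
        else:
            try:
                with open(creds) as fh:
                    json.load(fh)
            except ValueError:
                errors.append("creds file %r is not valid JSON" % creds)
            if os.name == "posix" and os.stat(creds).st_mode & 0o077:
                warnings.append("creds file %r is readable by group/other" % creds)
        if not exp.get("endpoint"):
            errors.append("exporter endpoint is empty")
    for name, pipe in cfg.get("service", {}).get("pipelines", {}).items():
        for r in pipe.get("receivers", []):
            if r not in receivers:
                errors.append("pipeline %s references unknown receiver %s" % (name, r))
        for x in pipe.get("exporters", []):
            if x not in exporters:
                errors.append("pipeline %s references unknown exporter %s" % (name, x))
    return errors, warnings

def sample_config(creds_path, customer_id):
    """The config.yaml from this page as a dict; creds_path and customer_id are sample values."""
    return {
        "receivers": {"tcplog": {"listen_address": "0.0.0.0:54525"}},
        "exporters": {EXPORTER: {
            "compression": "gzip", "creds": creds_path, "customer_id": customer_id,
            "endpoint": "malachiteingestion-pa.googleapis.com",
            "ingestion_labels": {"log_type": "SYSLOG", "namespace": "cs_falcon",
                                 "raw_log_field": "body"}}},
        "service": {"pipelines": {"logs/source0__chronicle_w_labels-0": {
            "receivers": ["tcplog"], "exporters": [EXPORTER]}}},
    }

def demo():
    """Run the checks on a filled-in config and on one still holding the page's placeholders."""
    creds = os.path.join(tempfile.mkdtemp(), "ingestion-authentication-file.json")
    with open(creds, "w") as fh:
        json.dump({"type": "constructed-stand-in"}, fh)   # not a real credential file
    os.chmod(creds, 0o600)
    good = check_config(sample_config(creds, "12345678-1234-1234-1234-123456789abc"))
    bad = check_config(sample_config("/path/to/ingestion-authentication-file.json", "<customer_id>"))
    return good, bad

if __name__ == "__main__":
    for label, (errors, warnings) in zip(("filled-in", "placeholders"), demo()):
        print(label, "errors:", errors, "warnings:", warnings)
```

The permission warning is there because the ingestion authentication file is a long-lived credential: it should be readable only by the account the agent runs as, which is also why the page tells you to save it securely.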

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure and get a CrowdStrike API Key

  1. Sign in to CrowdStrike Falcon with a privileged account.
  2. Go to Menu > Support.
  3. Click API Clients > Keys.
  4. Click Add new API client.
  5. In the API Scopes section, select Event streams and Alerts, and enable the Read option.
  6. Click Add.
  7. Copy and save the Client ID, Secret, and Base URL.

Install the Falcon SIEM Connector

  1. Download the installer package for your operating system (RPM for CentOS, DEB for Ubuntu).
  2. Package installation:

    • CentOS operating system:

      sudo rpm -Uvh <installer package>
      
    • Ubuntu operating system:

      sudo dpkg -i <installer package>
      
  3. Default installation directories:

    • Falcon SIEM Connector - /opt/crowdstrike/.
    • Service - /etc/init.d/cs.falconhoseclientd/.

Configure the SIEM Connector to forward CEF logs to Bindplane

  1. Sign in to the machine where the SIEM Connector is installed as a sudo user.
  2. Go to the /opt/crowdstrike/etc/ directory.
  3. Rename cs.falconhoseclient.cef.cfg to cs.falconhoseclient.cfg.
    • The SIEM Connector reads cs.falconhoseclient.cfg by default.
  4. Edit the cs.falconhoseclient.cfg file and set the following parameters:
    • api_url: your CrowdStrike Falcon Base URL, copied in the previous step.
    • app_id: any string that identifies this connector to the Falcon Streaming API (for example, app_id: SECOPS-CEF).
    • client_id: the Client ID copied in the previous step.
    • client_secret: the Secret copied in the previous step.
    • send_to_syslog_server: true: enables forwarding to a syslog server, which here is the Bindplane agent.
    • host: the IP address or hostname of the Bindplane agent.
    • port: the port the Bindplane agent's tcplog receiver listens on (54525 in the configuration above).
  5. Save the cs.falconhoseclient.cfg file.
  6. Start the SIEM Connector service:

    • CentOS operating system

      sudo service cs.falconhoseclientd start
      
    • Ubuntu 16.04 or later operating system

      sudo systemctl start cs.falconhoseclientd.service
      
  7. Optional: Stop the SIEM Connector service:

    • CentOS operating system

      sudo service cs.falconhoseclientd stop
      
    • Ubuntu 16.04 or later operating system

      sudo systemctl stop cs.falconhoseclientd.service
      
  8. Optional: Restart the SIEM Connector service:

    • CentOS operating system

      sudo service cs.falconhoseclientd restart
      
    • Ubuntu 16.04 or later operating system

      sudo systemctl restart cs.falconhoseclientd.service
      

UDM Mapping Table

Log Field UDM Mapping Logic
AccountCreationTimeStamp event.idm.read_only_udm.metadata.event_timestamp The raw log field AccountCreationTimeStamp is renamed to event.idm.read_only_udm.metadata.event_timestamp.
AccountDomain event.idm.read_only_udm.principal.administrative_domain The raw log field AccountDomain is renamed to event.idm.read_only_udm.principal.administrative_domain.
AccountObjectGuid event.idm.read_only_udm.metadata.product_log_id The raw log field AccountObjectGuid is renamed to event.idm.read_only_udm.metadata.product_log_id.
AccountObjectSid event.idm.read_only_udm.principal.user.windows_sid The raw log field AccountObjectSid is renamed to event.idm.read_only_udm.principal.user.windows_sid.
AccessType - Not mapped to the IDM object.
action_taken event.idm.read_only_udm.additional.fields[0].value.string_value Part of AuditKeyValues array.
ActiveCpuCount - Not mapped to the IDM object.
ActiveDirectoryAuthenticationMethod - Not mapped to the IDM object.
ActiveDirectoryDataProtocol - Not mapped to the IDM object.
AddressFamily - Not mapped to the IDM object.
AdminStatus - Not mapped to the IDM object.
AllocateVirtualMemoryCount security_result.detection_fields[0].value Part of EndOfProcess event.
agent-windows event.idm.read_only_udm.target.file.full_path Part of TargetFileName.
AgentIdString event.idm.read_only_udm.principal.asset_id Prefixed with CS:.
AgentLoadFlags - Not mapped to the IDM object.
AgentLocalTime - Not mapped to the IDM object.
AgentOnline AgentTimeOffset - Not mapped to the IDM object.
AgentVersion AggregationActivityCount AggregationEarliestTimestamp - Not mapped to the IDM object.
aid event.idm.read_only_udm.principal.asset_id Prefixed with CS:.
aip event.idm.read_only_udm.principal.nat_ip When _aid_is_target is false, if aip is not null, create an ip entity with the value of aip and add it to event.idm.read_only_udm.principal.nat_ip.
aipCount AllocVmEtw AllocationType - Not mapped to the IDM object.
AllowHardTerminate - Not mapped to the IDM object.
AllowStartOnDemand - Not mapped to the IDM object.
ApcArgument1 - Not mapped to the IDM object.
ApcArgument2 - Not mapped to the IDM object.
ApcContextAddress - Not mapped to the IDM object.
ApcContextFileName - Not mapped to the IDM object.
ApcContext - Not mapped to the IDM object.
ApplicationName ApplicationUniqueIdentifier - Not mapped to the IDM object.
ApplicationVersion - Not mapped to the IDM object.
AppIs64Bit - Not mapped to the IDM object.
AppName AppPath AppPathFlag - Not mapped to the IDM object.
AppProductId - Not mapped to the IDM object.
AppType - Not mapped to the IDM object.
AppUpdateIds - Not mapped to the IDM object.
AppVendor - Not mapped to the IDM object.
AppVersion ArchiveFileWrittenCount security_result.detection_fields[0].value Part of EndOfProcess event.
AsepClass - Not mapped to the IDM object.
AsepFileChange AsepFlags - Not mapped to the IDM object.
AsepIndex - Not mapped to the IDM object.
AsepKeyUpdate AsepValueUpdate AsepValueType - Not mapped to the IDM object.
AsepWrittenCount security_result.detection_fields[0].value Part of EndOfProcess event.
AssociateIndicator AssociateTreeIdWithRoot AssemblyFlags - Not mapped to the IDM object.
AssemblyId - Not mapped to the IDM object.
AssemblyName AuthenticationId event.idm.read_only_udm.principal.user.product_object_id Prefixed with CS:.
AuthenticationPackage AuthenticationUuid - Not mapped to the IDM object.
AuthenticationUuidAsString - Not mapped to the IDM object.
AuthenticodeHashData AuthenticodeMatch automated_remediation assessments.automated_remediation Part of ZeroTrustHostAssessment event.
BaseReachableTime - Not mapped to the IDM object.
BaseTime - Not mapped to the IDM object.
BatchDataNumber - Not mapped to the IDM object.
BatchDataTotal - Not mapped to the IDM object.
BatchTimestamp BatteryLevel - Not mapped to the IDM object.
BatteryStatus - Not mapped to the IDM object.
BehaviorWhitelisted benchmarks BenignCount - Not mapped to the IDM object.
beta_build_disabled assessments.beta_build_disabled Part of ZeroTrustHostAssessment event.
BinaryExecutableWrittenCount security_result.detection_fields[0].value Part of EndOfProcess event.
BillingInfo BillingType - Not mapped to the IDM object.
BiosManufacturer BiosReleaseDate - Not mapped to the IDM object.
BiosVersion BITSJobCreated BootArgs - Not mapped to the IDM object.
BootId - Not mapped to the IDM object.
BootStatusDataAabEnabled - Not mapped to the IDM object.
BootStatusDataBootAttemptCount - Not mapped to the IDM object.
BootStatusDataBootGood - Not mapped to the IDM object.
BootStatusDataBootShutdown - Not mapped to the IDM object.
BootTimeFunctionalityLevel - Not mapped to the IDM object.
BrowserInjectedThread BundleID - Not mapped to the IDM object.
CallStackModuleNames CallStackModuleNamesVersion ChannelId - Not mapped to the IDM object.
ChannelVersion - Not mapped to the IDM object.
ChannelVersionRequired ChasisManufacturer - Not mapped to the IDM object.
ChassisType cid City CLICreationCount security_result.detection_fields[0].value Part of EndOfProcess event.
ClassifiedModuleLoad CloudAssociateTreeIdWithRoot CloudErrorCode - Not mapped to the IDM object.
CNAMERecords CodeIntegrity - Not mapped to the IDM object.
CommandLine CommandSequence - Not mapped to the IDM object.
CompletionEventId - Not mapped to the IDM object.
ComputerName event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname If ComputerName is not null, an empty string or a dash, create a hostname entity with the value of ComputerName and add it to event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname.
ConfigBuild ConfigIDBase - Not mapped to the IDM object.
ConfigIDBuild - Not mapped to the IDM object.
ConfigIDPlatform - Not mapped to the IDM object.
ConfigurationVersion - Not mapped to the IDM object.
ConfigStateData - Not mapped to the IDM object.
ConfigStateHash ConfigStateUpdate ConnectTime - Not mapped to the IDM object.
ConnectType - Not mapped to the IDM object.
Connected - Not mapped to the IDM object.
ConnectionCipher - Not mapped to the IDM object.
ConnectionCipherStrength - Not mapped to the IDM object.
ConnectionDirection - Not mapped to the IDM object.
ConnectionExchange - Not mapped to the IDM object.
ConnectionExchangeStrength - Not mapped to the IDM object.
ConnectionFlags - Not mapped to the IDM object.
ConnectionHash - Not mapped to the IDM object.
ConnectionHashStrength - Not mapped to the IDM object.
ConnectionProtocol - Not mapped to the IDM object.
ConnectionType - Not mapped to the IDM object.
Continent ContentSHA256HashData ContextData - Not mapped to the IDM object.
ContextProcessId event.idm.read_only_udm.principal.process.product_specific_process_id, event.idm.read_only_udm.target.process.product_specific_process_id Prefixed with CS:%{cid}:%{aid}:.
ContextThreadId - Not mapped to the IDM object.
ContextTimeStamp ContextTimeStamp_decimal Country CrashDumpFilePath - Not mapped to the IDM object.
CrashNotification CreateProcessArgs CreateProcessCount security_result.detection_fields[0].value Part of EndOfProcess event.
CreateService CreateThreadNoStartImage CreationTimeStamp - Not mapped to the IDM object.
CriticalFileAccessed CriticalFileModified CsaProcessDataCollectionInstanceId - Not mapped to the IDM object.
CurrentFunctionalityLevel - Not mapped to the IDM object.
CurrentLocalIP - Not mapped to the IDM object.
CurrentSystemTags CustomerIdString CycleTime - Not mapped to the IDM object.
DadState - Not mapped to the IDM object.
DadTransmits - Not mapped to the IDM object.
DcName event.idm.read_only_udm.principal.user.userid The raw log field DcName is renamed to event.idm.read_only_udm.principal.user.userid.
DcNumAttachments - Not mapped to the IDM object.
DcNumBlockingPolicies - Not mapped to the IDM object.
DcOnline DcPropertyIdInterfaceType - Not mapped to the IDM object.
DcPropertyIdInterfaceVersion - Not mapped to the IDM object.
DcSensorInterfaceType - Not mapped to the IDM object.
DcSensorInterfaceVersion - Not mapped to the IDM object.
DcStatus DcUsbConfigurationDescriptor DcUsbDeviceConnected DcUsbDeviceDisconnected DcUsbEndpointDescriptor DcUsbHIDDescriptor DcUsbInterfaceDescriptor DCSyncAttempted Debug - Not mapped to the IDM object.
DefaultGatewayIP4 - Not mapped to the IDM object.
DefaultGatewayIP6 - Not mapped to the IDM object.
DefaultGatewayPhysicalAddress - Not mapped to the IDM object.
DeepHashBlacklistClassification DeepHashBlacklistVersion - Not mapped to the IDM object.
DeliverLocalFXToCloud DesiredAccess detectionId detectionName DetectDescription DetectId - Not mapped to the IDM object.
DetectName DeviceActiveConfigurationNumber - Not mapped to the IDM object.
DeviceConnectionStatus - Not mapped to the IDM object.
DeviceDescriptorNumber - Not mapped to the IDM object.
DeviceDescriptorSetHash - Not mapped to the IDM object.
DeviceDescriptorUniqueIdentifier - Not mapped to the IDM object.
DeviceId - Not mapped to the IDM object.
DeviceInstanceId event.idm.read_only_udm.target.asset_id Prefixed with Device Instance Id:.
DeviceManufacturer DeviceProduct DeviceProductId - Not mapped to the IDM object.
DevicePropertyClassName - Not mapped to the IDM object.
DevicePropertyClassGuid - Not mapped to the IDM object.
DevicePropertyDeviceDescription DevicePropertyFriendlyName - Not mapped to the IDM object.
DevicePropertyLocationInformation DevicePropertyManufacturer - Not mapped to the IDM object.
DeviceProtocol - Not mapped to the IDM object.
DeviceSerialNumber DeviceTimeStamp DeviceType - Not mapped to the IDM object.
DeviceUsbClass - Not mapped to the IDM object.
DeviceUsbSubclass - Not mapped to the IDM object.
DeviceUsbVersion - Not mapped to the IDM object.
DeviceVendorId - Not mapped to the IDM object.
DeviceVersion - Not mapped to the IDM object.
DirectoryCreate DirectoryCreatedCount security_result.detection_fields[0].value Part of EndOfProcess event.
DirectoryEnumeratedCount security_result.detection_fields[0].value Part of EndOfProcess event.
DisableRealtimeMonitoring DisallowStartIfOnBatteries - Not mapped to the IDM object.
DisallowStartOnRemoteAppSession - Not mapped to the IDM object.
DiskParentDeviceInstanceId DllCharacteristics - Not mapped to the IDM object.
DllInjection DlpPolicy - Not mapped to the IDM object.
DlpVerdict - Not mapped to the IDM object.
DmpFileWritten DnsRequest DnsRequestCount security_result.detection_fields[0].value Part of EndOfProcess event.
DnsResponseType - Not mapped to the IDM object.
DnsResponseTtl - Not mapped to the IDM object.
DocumentFileWrittenCount security_result.detection_fields[0].value Part of EndOfProcess event.
DomainName event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname, event.idm.read_only_udm.network.dns.questions[0].name If DomainName is not null, create a hostname entity with the value of DomainName and add it to event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname and event.idm.read_only_udm.network.dns.questions[0].name.
DotnetModuleFlags - Not mapped to the IDM object.
DotnetModuleId - Not mapped to the IDM object.
DotnetModuleLoadDetectInfo DownloadPath - Not mapped to the IDM object.
DownloadPort - Not mapped to the IDM object.
DownloadServer DriverLoad DualRequest - Not mapped to the IDM object.
EffectiveTransmissionClass Effective - Not mapped to the IDM object.
EfiSupported - Not mapped to the IDM object.
EfiVariableCustomMode - Not mapped to the IDM object.
EfiVariableCustomModeAttributes - Not mapped to the IDM object.
EfiVariableDbAttributes - Not mapped to the IDM object.
EfiVariableDbxAttributes - Not mapped to the IDM object.
EfiVariableDbxSha256Hash - Not mapped to the IDM object.
EfiVariableKekAttributes - Not mapped to the IDM object.
EfiVariableKekSha256Hash - Not mapped to the IDM object.
EfiVariablePkAttributes - Not mapped to the IDM object.
EfiVariablePkSha256Hash - Not mapped to the IDM object.
EfiVariableSecureBoot - Not mapped to the IDM object.
EfiVariableSecureBootAttributes - Not mapped to the IDM object.
EfiVariableSetupMode - Not mapped to the IDM object.
EfiVariableSetupModeAttributes - Not mapped to the IDM object.
EfiVariableSignatureSupport - Not mapped to the IDM object.
EfiVariableSignatureSupportAttributes - Not mapped to the IDM object.
EndpointDescriptorAddress - Not mapped to the IDM object.
EndpointDescriptorAttributes - Not mapped to the IDM object.
EndpointDescriptorInterval - Not mapped to the IDM object.
EndpointDescriptorMaxPacketSize - Not mapped to the IDM object.
EndOfProcess Entitlements ErrorEvent ErrorCode - Not mapped to the IDM object.
ErrorLocation - Not mapped to the IDM object.
ErrorReason - Not mapped to the IDM object.
ErrorSource - Not mapped to the IDM object.
ErrorStatus - Not mapped to the IDM object.
ErrorText - Not mapped to the IDM object.
EventLogCleared EventMax - Not mapped to the IDM object.
EventMin - Not mapped to the IDM object.
EventOrigin - Not mapped to the IDM object.
EventType event.idm.read_only_udm.metadata.product_event_type If event_simpleName is null and EventType is not null, create a product_event_type entity with the value of EventType and add it to event.idm.read_only_udm.metadata.product_event_type.
EtwErrorEvent EtwRawProcessId - Not mapped to the IDM object.
EtwRawThreadId - Not mapped to the IDM object.
ExecutableDeleted ExecutableDeletedCount security_result.detection_fields[0].value Part of EndOfProcess event.
ExeAndServiceCount security_result.detection_fields[0].value Part of EndOfProcess event.
ExitCode - Not mapped to the IDM object.
Exploit ExternalApiType event.idm.read_only_udm.metadata.product_event_type, event.idm.read_only_udm.extensions.auth.auth_details If message contains event1, ExternalApiType is renamed to event.idm.read_only_udm.metadata.product_event_type. Otherwise, it is renamed to event.idm.read_only_udm.extensions.auth.auth_details.
Facility - Not mapped to the IDM object.
FailedConnectCount - Not mapped to the IDM object.
FalconHostLink FalconServiceComponent - Not mapped to the IDM object.
FalconServiceServletErrors - Not mapped to the IDM object.
FalconServiceServletStarts - Not mapped to the IDM object.
FalconServiceState - Not mapped to the IDM object.
FalconServiceStatus FeatureExtractionVersion - Not mapped to the IDM object.
FeatureVector - Not mapped to the IDM object.
File - Not mapped to the IDM object.
FileAttributes - Not mapped to the IDM object.
FileCreateInfo FileDeletedCount security_result.detection_fields[0].value Part of EndOfProcess event.
FileDeleteInfo FileEcpBitmask - Not mapped to the IDM object.
FileEventType - Not mapped to the IDM object.
FileIdentifier FileObject - Not mapped to the IDM object.
FileName FileOpenInfo FileRenameInfo FileSigningTime - Not mapped to the IDM object.
FirewallAction - Not mapped to the IDM object.
FirewallChangeOption FirewallDeleteRule FirewallDeleteRuleIP4 FirewallDeleteRuleIP6 FirewallEnabled FirewallOption FirewallOptionNumericValue - Not mapped to the IDM object.
FirewallProfile - Not mapped to the IDM object.
FirewallRule FirewallRuleId FirewallSetRule FirewallSetRuleIP4 FirewallSetRuleIP6 FirmwareAnalysisErrorEvent FirmwareAnalysisErrorLocation - Not mapped to the IDM object.
FirmwareAnalysisErrorReason - Not mapped to the IDM object.
FirmwareAnalysisErrorSource - Not mapped to the IDM object.
FirmwareAnalysisHardwareData FirmwareAnalysisStatus FirmwareAnalysisCpuSupported - Not mapped to the IDM object.
FirmwareAnalysisEclControlInterfaceVersion - Not mapped to the IDM object.
FirmwareAnalysisEclConsumerInterfaceVersion - Not mapped to the IDM object.
FirmwareImageAnalyzed FirmwareRegionMeasured FirmwareSize - Not mapped to the IDM object.
FirmwareType - Not mapped to the IDM object.
FirstDiscoveredDate - Not mapped to the IDM object.
FirstIP4Record Flags - Not mapped to the IDM object.
FltCallbackData - Not mapped to the IDM object.
FltCompletionContext - Not mapped to the IDM object.
FltRelatedObjects - Not mapped to the IDM object.
FontBuffer - Not mapped to the IDM object.
FontBufferLength - Not mapped to the IDM object.
FontFileCount - Not mapped to the IDM object.
FontFileName FontLoadOperation - Not mapped to the IDM object.
FsOperationBlocked event1.PatternDispositionFlags.FsOperationBlocked Part of Event_DetectionSummaryEvent.
FsPostOpenSnapshotFile FsVolumeMounted FsVolumeUnmounted FullContext - Not mapped to the IDM object.
FullExceptionRecord - Not mapped to the IDM object.
GcpCreationTimestamp GenericFileWrittenCount security_result.detection_fields[0].value Part of EndOfProcess event.
GID - Not mapped to the IDM object.
GrandparentCommandLine GrandparentImageFileName GrandParentBaseFileName GroupIdentity GroupRid GzipFileWritten HandleCreated - Not mapped to the IDM object.
HIDDescriptorCountryCode - Not mapped to the IDM object.
HIDDescriptorNumDescriptors - Not mapped to the IDM object.
HIDDescriptorVersion - Not mapped to the IDM object.
HIPHandlers.dll event.idm.read_only_udm.target.file.full_path Part of TargetFileName.
HostGroups - Not mapped to the IDM object.
HostHiddenStatus HostInfo HostnameChanged hostname HostProcessType - Not mapped to the IDM object.
HostUrl HttpRequestDetect HttpRequestHeader HttpUrl IcmpCode - Not mapped to the IDM object.
IcmpType - Not mapped to the IDM object.
id IdleSettings - Not mapped to the IDM object.
ImageFileName ImageSubsystem - Not mapped to the IDM object.
Image - Not mapped to the IDM object.
ImpersonatedUserName InBroadcastOctets - Not mapped to the IDM object.
InContext - Not mapped to the IDM object.
InDiscards - Not mapped to the IDM object.
Indicator event1.PatternDispositionFlags.Indicator Part of Event_DetectionSummaryEvent.
InddetMask event1.PatternDispositionFlags.InddetMask Part of Event_DetectionSummaryEvent.
InErrors - Not mapped to the IDM object.
Information - Not mapped to the IDM object.
InjectedDll InjectedThread InjectedThreadCount security_result.detection_fields[0].value Part of EndOfProcess event.
InjectedThreadFlag - Not mapped to the IDM object.
InMulticastOctets - Not mapped to the IDM object.
InNUcastPkts - Not mapped to the IDM object.
InOctets - Not mapped to the IDM object.
InstallDate - Not mapped to the IDM object.
InstalledApplication InstalledUpdateExtendedStatus - Not mapped to the IDM object.
InstalledUpdateIds - Not mapped to the IDM object.
InstalledUpdates InstanceMetadata InstanceMetadataProvider - Not mapped to the IDM object.
InstanceMetadataRequest - Not mapped to the IDM object.
InstanceMetadataSignature - Not mapped to the IDM object.
InUcastOctets - Not mapped to the IDM object.
InUcastPkts - Not mapped to the IDM object.
InUnknownProtos - Not mapped to the IDM object.
IntegrityLevel - Not mapped to the IDM object.
InterfaceAlias - Not mapped to the IDM object.
InterfaceDescription - Not mapped to the IDM object.
InterfaceFlags - Not mapped to the IDM object.
InterfaceGuid - Not mapped to the IDM object.
InterfaceIdentifier - Not mapped to the IDM object.
InterfaceIndex - Not mapped to the IDM object.
InterfaceMtu - Not mapped to the IDM object.
InterfaceType - Not mapped to the IDM object.
InterfaceVersion - Not mapped to the IDM object.
InjectedDllCount security_result.detection_fields[0].value Part of EndOfProcess event.
InjectedThreadFlag - Not mapped to the IDM object.
InkDiv.dll event.idm.read_only_udm.target.file.full_path Part of ExecutablesWritten.
InkObj.dll event.idm.read_only_udm.target.file.full_path Part of ExecutablesWritten.
InMulticastPkts - Not mapped to the IDM object.
InOctets - Not mapped to the IDM object.
InUcastPkts - Not mapped to the IDM object.
IOARuleGroupName IOARuleInstanceID - Not mapped to the IDM object.
IOARuleInstanceVersion - Not mapped to the IDM object.
IOARuleName IOServiceClass - Not mapped to the IDM object.
IOServiceName - Not mapped to the IDM object.
IOServicePath - Not mapped to the IDM object.
IOServiceProperties - Not mapped to the IDM object.
IOServiceRegister IoSessionConnected IoSessionLoggedOn IpEntryFlags - Not mapped to the IDM object.
IrpFlags - Not mapped to the IDM object.
IsCpuDataCommonOnAllCores - Not mapped to the IDM object.
IsNorthBridgeSupported - Not mapped to the IDM object.
IsOnClearCaseMvfs - Not mapped to the IDM object.
IsOnNetwork IsOnRemovableDisk IsOn - Not mapped to the IDM object.
IsRemote - Not mapped to the IDM object.
IsSouthBridgeSupported - Not mapped to the IDM object.
IsTransactedFile - Not mapped to the IDM object.
IsUnique - Not mapped to the IDM object.
JavaInjectedThread JarFileWritten KernelModeLoadImage KernelTime - Not mapped to the IDM object.
KextUnload K8SCreationTimestamp K8SDetectionEvent LanguageId - Not mapped to the IDM object.
LastAdded - Not mapped to the IDM object.
LastDiscoveredBy - Not mapped to the IDM object.
LastDisplayed - Not mapped to the IDM object.
LastLoggedOnHost - Not mapped to the IDM object.
LastUpdateInstalledTime - Not mapped to the IDM object.
LateralMovement - Not mapped to the IDM object.
LdapSearchAttributes - Not mapped to the IDM object.
LdapSearchBaseObjectSample - Not mapped to the IDM object.
LdapSearchFilterSample - Not mapped to the IDM object.
LdapSearchFilterShape - Not mapped to the IDM object.
LdapSearchQueryClassification - Not mapped to the IDM object.
LdapSearchQueryToken - Not mapped to the IDM object.
LdapSearchScope - Not mapped to the IDM object.
LdapSearchSizeLimit - Not mapped to the IDM object.
LdapSecurityType - Not mapped to the IDM object.
LightningLatencyInfo LightningLatencyState - Not mapped to the IDM object.
Line - Not mapped to the IDM object.
LinkLocalAddressBehavior - Not mapped to the IDM object.
LinkLocalAddressTimeout - Not mapped to the IDM object.
LinkName LocalAccount - Not mapped to the IDM object.
LocalAddressIP4 LocalAddressIP6 LocalAddressMaskIP4 - Not mapped to the IDM object.
LocalAddressMaskIP6 - Not mapped to the IDM object.
LocalAdminAccess - Not mapped to the IDM object.
LocalIpAddressIP4 LocalIpAddressIP6 LocalIpAddressRemovedIP4 LocalIpAddressRemovedIP6 LocalPort LocalSession - Not mapped to the IDM object.
localipCount LockScreenEnabled - Not mapped to the IDM object.
LockScreenStatus LogoffTime LogonDomain LogonId - Not mapped to the IDM object.
LogonInfo security_result.summary Sets event_type to USER_LOGIN.
LogonServer LogonTime LogonType event.idm.read_only_udm.extensions.auth.mechanism Mapped to a UDM enum value based on the LogonType value.
LogoffTime LsassHandleFromUnsignedModule MAC event.idm.read_only_udm.principal.mac Converted to lowercase and colons are replaced with hyphens.
MACAddress event.idm.read_only_udm.principal.mac Hyphens are replaced with colons.
MACPrefix - Not mapped to the IDM object.
MachOFileWritten MachOSubType - Not mapped to the IDM object.
MachineDn MachineDomain MajorFunction - Not mapped to the IDM object.
MajorVersion - Not mapped to the IDM object.
Malicious - Not mapped to the IDM object.
ManagedPdbBuildPath MappedFromUserMode - Not mapped to the IDM object.
MaxReassemblySize - Not mapped to the IDM object.
MaxRouterAdvertisementInterval - Not mapped to the IDM object.
MaxThreadCount - Not mapped to the IDM object.
MD5HashData event.idm.read_only_udm.target.file.md5, event.idm.read_only_udm.target.process.file.md5 If MD5HashData is a valid MD5 hash and not all zeros, create an MD5 hash entity with the value of MD5HashData and add it to event.idm.read_only_udm.target.file.md5 and event.idm.read_only_udm.target.process.file.md5.
MD5String MediaConnectState - Not mapped to the IDM object.
MediaType - Not mapped to the IDM object.
MemoryAvailable - Not mapped to the IDM object.
| Log field | UDM mapping | Logic |
| --- | --- | --- |
| MemoryRegionProtection | - | Not mapped to the IDM object. |
| MemoryRegionStart | - | Not mapped to the IDM object. |
| MemoryTotal | - | Not mapped to the IDM object. |
| MmioDataSmiEn | - | Not mapped to the IDM object. |
| MmioDataTco1Cnt | - | Not mapped to the IDM object. |
| MLModelVersion | - | Not mapped to the IDM object. |
| MobileDetection | | |
| MobileDetectionId | - | Not mapped to the IDM object. |
| MobileOsIntegrityIntact | - | Not mapped to the IDM object. |
| MobileOsIntegrityStatus | | |
| MobilePowerStats | | |
| MoboManufacturer | - | Not mapped to the IDM object. |
| MoboProductName | - | Not mapped to the IDM object. |
| ModelPrediction | - | Not mapped to the IDM object. |
| ModuleBaseAddress | - | Not mapped to the IDM object. |
| ModuleCharacteristics | - | Not mapped to the IDM object. |
| ModuleDetectInfo | | |
| ModuleLoadCount | - | Not mapped to the IDM object. |
| ModuleLoadMechanism | - | Not mapped to the IDM object. |
| ModuleLoadTelemetryClassification | - | Not mapped to the IDM object. |
| ModuleNativePath | - | Not mapped to the IDM object. |
| ModuleSize | - | Not mapped to the IDM object. |
| ModifyServiceBinary | | |
| MostRecentActivityTimeStamp | - | Not mapped to the IDM object. |
| MotwWritten | | |
| mskssrv.sys | event.idm.read_only_udm.principal.process.file.full_path | Part of OriginalFilename. |
| MultipleInstancesPolicy | - | Not mapped to the IDM object. |
| name | | |
| namespace | | |
| NativePdbBuildPath | - | Not mapped to the IDM object. |
| NegateInterface | - | Not mapped to the IDM object. |
| NegateLocalAddress | - | Not mapped to the IDM object. |
| NegateRemoteAddress | - | Not mapped to the IDM object. |
| NeighborList | - | Not mapped to the IDM object. |
| NeighborListIP4 | | |
| NeighborListIP6 | | |
| NeighborName | | |
| NetLuidIndex | - | Not mapped to the IDM object. |
| NetShareAdd | | |
| NetShareDelete | | |
| NetShareSecurityModify | | |
| NetworkBindCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkCapableAsepWriteCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkCloseCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkCloseIP4 | | |
| NetworkCloseIP6 | | |
| NetworkConnectCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkConnectCountUdp | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkConnectIP4 | | |
| NetworkConnectIP6 | | |
| NetworkContainmentState | | |
| NetworkInterfaceGuid | - | Not mapped to the IDM object. |
| NetworkListenCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkListenIP4 | | |
| NetworkListenIP6 | | |
| NetworkModuleLoadCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkRecvAcceptCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NetworkReceiveAcceptIP4 | | |
| NetworkReceiveAcceptIP6 | | |
| NewExecutableRenamed | | |
| NewExecutableWritten | | |
| NewExecutableWrittenCount | security_result.detection_fields[0].value | Part of EndOfProcess event. |
| NewFileIdentifier | - | Not mapped to the IDM object. |
| NewScriptWritten | | |
| NlMtu | - | Not mapped to the IDM object. |
| NorthBridgeDeviceId | - | Not mapped to the IDM object. |
| NorthBridgeVendorId | - | Not mapped to the IDM object. |
| NumberOfMeasurements | - | Not mapped to the IDM object. |
| OciContainerId | - | Not mapped to the IDM object. |
| OciContainerTelemetry | | |
| OciContainersStartedCount | - | Not mapped to the IDM object. |
| OciContainersStoppedCount | - | Not mapped to the IDM object. |
| OleFileWritten | | |
| OnLinkPrefixLength | - | Not mapped to the IDM object. |
| OoxmlFileWritten | | |
| OperStatus | - | Not mapped to the IDM object. |
| OperationFlags | - | Not mapped to the IDM object. |
| OperationName | | |
| OriginalContentLength | - | Not mapped to the IDM object. |
| OriginalEventTimeStamp | - | Not mapped to the IDM object. |
| OriginalFilename | | |
| OriginalParentAuthenticationId | - | Not mapped to the IDM object. |
| OriginalUserName | | |
| OriginalUserSid | | |
| OsfmDownloadComplete | | |
| OsVersionInfo | | |
| OU | | |
| OutBroadcastOctets | - | Not mapped to the IDM object. |
| OutDiscards | - | Not mapped to the IDM object. |
| OutErrors | - | Not mapped to the IDM object. |
| OutMulticastOctets | - | Not mapped to the IDM object. |
| OutNUcastPkts | - | Not mapped to the IDM object. |
| OutOctets | - | Not mapped to the IDM object. |
| OutUcastOctets | - | Not mapped to the IDM object. |
| OutUcastPkts | - | Not mapped to the IDM object. |
| PackedExecutableWritten | | |
| Parameter64_1 | - | Not mapped to the IDM object. |
| Parameter64_2 | - | Not mapped to the IDM object. |
| Parameter64_3 | - | Not mapped to the IDM object. |
| ParameterSizedBuffer_1 | - | Not mapped to the IDM object. |
| Parameter1 | - | Not mapped to the IDM object. |
| Parameter2 | - | Not mapped to the IDM object. |
| Parameter3 | - | Not mapped to the IDM object. |
| ParentAuthenticationId | - | Not mapped to the IDM object. |
| ParentBaseFileName | | |
| ParentCommandLine | event1.ParentCommandLine | Part of Event_DetectionSummaryEvent. |
| ParentHubInstanceId | - | Not mapped to the IDM object. |
| ParentHubPort | - | Not mapped to the IDM object. |
| ParentImageFileName | event.idm.read_only_udm.principal.process.file.full_path, event1.ParentImageFileName | Part of Event_DetectionSummaryEvent. |
| ParentProcessId | event.idm.read_only_udm.principal.process.product_specific_process_id, event1.ParentProcessId | Prefixed with CS:%{cid}:%{aid}:. Part of Event_DetectionSummaryEvent. |
| PasswordLastSet | - | Not mapped to the IDM object. |
| PathMtuDiscoveryTimeout | - | Not mapped to the IDM object. |
| PatternDispositionFlags | - | Not mapped to the IDM object. |
PatternDispositionValue `PatternDisposition

Changes

2025-02-25

  • Added mapping for event FileIntegrityMonitorRuleMatched as follows: Added mapping of the ObjectName field to the target.file.full_path, target.registry.registry_value_data, and target.registry.registry_key UDM fields, based on the value of the ObjectType field.

2025-02-07

Enhancement:

  • Mapped detectName to security_result.threat_name.

2025-01-31

  • Handled the edge case of large integer values in the raw log fields ProcessId and ParentProcessId.
  • Added the AgentIdString field to the mapping for the UDM field principal.process.product_specific_process_id when the aid raw log field is absent.
  • Added the AgentIdString field to the mapping for the UDM field principal.process.parent_process.product_specific_process_id when the aid raw log field is absent.

2025-01-17

  • Added a gsub to support large integer values in the raw log fields ProcessId and ParentProcessId.

2025-01-16

Enhancement:

  • Mapped EventOrigin, id, KerberosRequestTicketCreationTimeSample, ActiveDirectoryDataProtocol, KerberosRequestTicketValidityPeriod, LdapSearchBaseObjectSample, LdapSearchSizeLimit, DebugInfoUnicode, LdapSecurityType, ActiveDirectoryAuthenticationMethod, SourceAccountType, AggregationEarliestTimestamp, AggregationWindowTimestamp, LdapSearchQueryToken, and LdapSearchScope to security_result.detection_fields.
  • Mapped SourceEndpointNetworkTag to security_result.description.
  • Mapped LocalPortSample to principal.port.
  • Mapped RemotePortSample to target.port.
  • Mapped LocalAddressIP4Sample to principal.ip and principal.asset.ip.
  • Mapped LdapSearchFilterShape, TargetAccountType, KerberosAnomaly, LdapSearchQueryClassification, and LdapSearchAttributes to additional.fields.

2025-01-09

Enhancement:

  • Added the support for the new event InstalledBrowserExtension.

2024-12-19

Enhancement:

  • When FileOperatorSid is a valid Windows SID, mapped it to target.user.windows_sid.

2024-12-18

Enhancement:

  • Changed the mapping of OriginalFilename from principal.process.file.full_path to target.process.file.exif_info.original_file.
  • Changed the mapping of ParentBaseFileName from principal.process.file.full_path to principal.process.file.names.
  • Changed the mapping of OriginalFilename from principal.process.file.exif_info.original_file to target.process.file.exif_info.original_file.

2024-12-04

Enhancement:

  • Mapped ConfigurationDescriptorName, DeviceDescriptorUniqueIdentifier, DeviceVendorId, DeviceUsbClass, ConfigurationDescriptorNumInterfaces, ConfigurationDescriptorMaxPowerDraw, and ConfigurationDescriptorAttributes to security_result.detection_fields.
  • Mapped DeviceDescriptorSetHash to target.file.sha256.

2024-10-29

Bug fix:

  • Removed the mapping of SourceFileName to principal.process.file.full_path for FILE_MOVE, FILE_MODIFICATION, and FILE_READ events, as it is already mapped to src.file.full_path.

2024-10-09

Enhancement:

  • Mapped SmbNamedPipeName to security_result.detection_fields.
  • Mapped RequestType to network.dns.question.type.
  • Mapped QueryStatus to network.dns.response_code.
  • Mapped IP4Records, IP6Records and CNAMERecords to network.dns.answer.name.

2024-09-24

Enhancement:

  • Added a Grok pattern to stop parsing IP addresses as principal.hostname.

2024-09-19

Enhancement:

  • Mapped HttpRequest to target.ip.
  • Mapped HttpHost to target.hostname.
  • Mapped HttpPath to target.url.

2024-09-12

Enhancement:

  • For FILE_CREATION events, when ContextImageFileName is not null, mapped ContextImageFileName to principal.process.file.full_path.
  • Changed mapping of OriginalFilename from target.process.file.exif_info.original_file to principal.process.file.exif_info.original_file.

2024-09-10

  • Added support for a new pattern of JSON logs.
  • Mapped FileVersion and FixedFileVersion to additional.fields.

2024-09-03

Enhancement:

  • Mapped timestamp to metadata.event_timestamp.

2024-08-29

Bug fix:

  • Added on_error to handle case when TaskExecCommand is null.

2024-08-20

Enhancement:

  • Mapped IsOnRemovableDisk, RegOperationType, and RegType to additional.fields.

2024-08-06

Enhancement:

  • Mapped tar_user to target.user.userid.

2024-07-24

Enhancement:

  • Changed LocalAddressIP4 mapping from target.ip to principal.ip.
  • When direction is INBOUND, changed the RemoteAddressIP4 mapping from principal.ip to src.ip.
  • When direction is OUTBOUND, changed the RemoteAddressIP4 mapping from principal.ip to target.ip.

2024-07-08

Enhancement:

  • Mapped Description to security_result.description.
  • Mapped Name to security_result.threat_name.
  • Mapped CompositeId to additional.fields.
  • Mapped id to metadata.product_log_id.

2024-06-25

Enhancement:

  • Mapped SourceFileName to principal.process.file.full_path.
  • Mapped OdsFileName and ImageFileName to target.process.file.full_path.
  • When event_simpleName is MotwWritten, mapped metadata.event_type to FILE_CREATION.

2024-06-06

Enhancement:

  • Mapped OriginalFilename to target.process.file.exif_info.original_file.

2024-05-31

Enhancement:

  • Mapped os_version to principal.platform_version.
  • Mapped hostname to principal.hostname and principal.asset.hostname.
  • Mapped product_type_desc, host_hidden_status, scores.os, scores.sensor, scores.version, scores.overall, and scores.modified_time to security_result.detection_fields.

2024-05-23

Enhancement:

  • Mapped Version to principal.platform_version.

2024-05-21

Enhancement:

  • When event_simpleName is FileWritten, NetworkConnect, or DnsRequest, mapped ContextBaseFileName to principal.process.file.full_path.
  • Mapped QuarantinedFileName to principal.process.file.full_path.

2024-05-15

Enhancement:

  • Mapped Version, BiosVersion and ChassisType to principal.asset.attribute.labels.
  • Mapped Continent, OU and SiteName to additional.fields.

2024-04-17

Enhancement:

  • Mapped ModuleILPath to target.resource.attribute.labels.

2024-04-08

Bug fix:

  • When event_simpleName is ClassifiedModuleLoad, changed metadata.event_type from STATUS_UPDATE to PROCESS_MODULE_LOAD.

2024-02-21

Enhancement:

  • Mapped SubjectDN to security_result.about.artifact.last_https_certificate.subject.
  • Mapped IssuerDN to security_result.about.artifact.last_https_certificate.issuer.
  • Mapped SubjectCertValidTo to security_result.about.artifact.last_https_certificate.validity.issue_time.
  • Mapped SubjectCertValidFrom to security_result.about.artifact.last_https_certificate.validity.expiry_time.
  • Mapped SubjectSerialNumber to security_result.about.artifact.last_https_certificate.serial_number.
  • Mapped SubjectVersion to security_result.about.artifact.last_https_certificate.version.
  • Mapped SubjectCertThumbprint to security_result.about.artifact.last_https_certificate.thumbprint.
  • Mapped SignatureDigestAlg to security_result.about.artifact.last_https_certificate.signature_algorithm.
  • Mapped SignatureDigestEncryptAlg to security_result.about.artifact.last_https_certificate.cert_signature.signature_algorithm.
  • Mapped AuthenticodeHashData to target.file.authentihash.
  • Mapped AuthorityKeyIdentifier to security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid and security_result.about.artifact.last_https_certificate.cert_extensions.fields.
  • Mapped SubjectKeyIdentifier to security_result.about.artifact.last_https_certificate.extension.subject_key_id and security_result.about.artifact.last_https_certificate.cert_extensions.fields.
  • Mapped OriginalFilename to additional.fields.
  • Mapped SignInfoFlagUnknownError, SignInfoFlagHasValidSignature, SignInfoFlagSignHashMismatch, AuthenticodeMatch, SignInfoFlagMicrosoftSigned, SignInfoFlagNoSignature, SignInfoFlagInvalidSignChain, SignInfoFlagNoCodeKeyUsage, SignInfoFlagNoEmbeddedCert, SignInfoFlagThirdPartyRoot, SignInfoFlagCatalogSigned, SignInfoFlagSelfSigned, SignInfoFlagFailedCertCheck, SignInfoFlagEmbeddedSigned, IssuerCN, and SubjectCN to security_result.detection_fields.

2023-12-22

  • Mapped HostUrl to target.url.
  • Mapped ReferrerUrl to network.http.referral_url.

2023-11-23

  • When is_alert is true, mapped event.idm.is_significant to true.
  • When is_alert is true, mapped event_simpleName to security_result.summary.

2023-10-11

  • Added a regular expression check to validate SHA1, MD5 and SHA256 values.

2023-08-22

  • Mapped Technique to security_result.attack_details.techniques.name and corresponding technique and tactic details.

2023-08-03

Enhancement:

  • Mapped ReflectiveDllName to target.file.full_path.
  • Mapped event_type to STATUS_UPDATE for logs where the field DomainName is absent.

2023-08-01

  • Mapped Tactic to security_result.attack_details.tactics.name and corresponding tactics.id.

2023-07-31

Bug fix:

  • Added on_error check for date filter.

2023-06-19

  • Mapped ParentBaseFileName to principal.process.file.full_path.
  • Removed mapping of ImageFileName to target.file.full_path as it is already mapped to target.process.file.full_path for events ProcessRollup2 and SyntheticProcessRollup2.

2023-05-12

Enhancement:

  • Mapped aip to intermediary.ip.

2023-05-08

Bug fix:

  • Converted time formats to string and handled the nanoseconds time format.

2023-04-14

Enhancement:

  • Mapped a Severity value in the range 0-19 to security_result.severity INFORMATIONAL.
  • Mapped a Severity value in the range 20-39 to security_result.severity LOW.
  • Mapped a Severity value in the range 40-59 to security_result.severity MEDIUM.
  • Mapped a Severity value in the range 60-79 to security_result.severity HIGH.
  • Mapped a Severity value in the range 80-100 to security_result.severity CRITICAL.
  • Mapped PatternId to security_result.detection_fields.
  • Mapped SourceEndpointIpAddress to principal.ip.
  • Mapped metadata.event_type to USER_UNCATEGORIZED when event_simpleName matches userlogonfailed and no user information is present.
  • Mapped metadata.event_type to USER_UNCATEGORIZED when ExternalApiType is Event_UserActivityAuditEvent and user information is present.
  • Mapped metadata.event_type to USER_UNCATEGORIZED when event_simpleName matches ActiveDirectory.
  • Mapped TargetAccountObjectGuid to additional.fields.
  • Mapped TargetDomainControllerObjectGuid to additional.fields.
  • Mapped TargetDomainControllerObjectSid to additional.fields.
  • Mapped AggregationActivityCount to additional.fields.
  • Mapped TargetServiceAccessIdentifier to additional.fields.
  • Mapped SourceAccountUserPrincipal to principal.user.userid.
  • Mapped SourceEndpointAddressIP4 to principal.ip.
  • Mapped SourceAccountObjectGuid to additional.fields.
  • Mapped AccountDomain to principal.administrative_domain.
  • Mapped AccountObjectGuid to metadata.product_log_id.
  • Mapped AccountObjectSid to principal.user.windows_sid.
  • Mapped SamAccountName to principal.user.user_display_name.
  • Mapped SourceAccountSamAccountName to principal.user.user_display_name.
  • Mapped IOARuleGroupName to security_result.detection_fields.
  • Mapped IOARuleName to security_result.detection_fields.
  • Mapped RemoteAddressIP4 to target.ip when event_simpleName is RegCredAccessDetectInfo.

2023-03-24

  • Mapped id to metadata.product_log_id instead of target.resource.id.
  • Mapped RegBinaryValue to target.registry.registry_value_data if both RegNumericValue and RegStringValue are null.

2023-03-21

Enhancement:

  • Mapped BatchTimestamp, GcpCreationTimestamp, K8SCreationTimestamp, and AwsCreationTimestamp to metadata.event_timestamp.
  • Mapped FileOperatorSid to target.user.windows_sid.

2023-03-13

Enhancement:

  • Mapped LogonTime, ProcessStartTime, ContextTimeStamp, ContextTimeStamp_decimal, and AccountCreationTimeStamp to metadata.event_timestamp.

2023-03-10

Enhancement:

  • Mapped CallStackModuleNamesVersion to security_result.detection_fields.

2023-02-28

Enhancement:

  • When event_simpleName is ProcessRollup2 or SyntheticProcessRollup2, changed the ParentProcessId mapping from target.process.parent_process.pid to target.process.parent_process.product_specific_process_id.

2023-02-16

Enhancement:

  • Mapped the field AssociatedFile to security_result.detection_fields[n].value and the security_result.detection_fields[n].key is mapped to AssociatedIOCFile.

2023-02-09

Enhancement:

  • Remapped the fields getting mapped under target.labels to target.resource.attribute.labels.
  • Rectified the mapping for ManagedPdbBuildPath to target.resource.attribute.labels.

2023-01-15

Bug fix:

  • Remapped aid for UserLogonFailed event to target.asset_id from principal.asset_id.

2023-01-13

Enhancement:

  • Mapped the user name to principal.user.userid for event_type ScheduledTaskModified and ScheduledTaskRegistered.
  • Mapped AssemblyName, ManagedPdbBuildPath, and ModuleILPath to target.labels when metadata.product_event_type is ReflectiveDotnetModuleLoad.
  • Mapped VirtualDriveFileName and VolumeName to target.labels when metadata.product_event_type is RemovableMediaVolumeMounted.
  • Mapped ImageFileName to target.file.full_path when metadata.product_event_type is ClassifiedModuleLoad.

2023-01-02

Enhancement:

  • Mapped the user name to principal.user.userid for event_type ScheduledTaskModified and ScheduledTaskRegistered.

2022-12-22

Enhancement:

  • Mapped RemoteAddressIP4 to principal.ip when event_type is Userlogonfailed2.

2022-11-04

Enhancement:

  • Mapped GrandparentImageFileName to principal.process.parent_process.parent_process.file.full_path.
  • Mapped GrandparentCommandLine to principal.process.parent_process.parent_process.command_line.

2022-11-03

Bug fix:

  • When event_simpleName is InstalledApplication, mapped the following fields:
  • AppName to principal.asset.software.name.
  • AppVersion to principal.asset.software.version.

2022-10-12

Bug fix:

  • Mapped discoverer_aid to resource.attribute.labels.
  • Mapped NeighborName to intermediary.hostname.
  • Mapped subnet to additional.fields.
  • Mapped localipCount to additional.fields.
  • Mapped aipCount to additional.fields.
  • Added a conditional check for LogonServer.

2022-10-07

Bug fix:

  • Changed CommandLine mapping from principal.process.command_line to target.process.command_line.

2022-09-13

Bug fix:

  • Mapped metadata.event_type to REGISTRY_CREATION where RegOperationType is 3.
  • Mapped metadata.event_type to REGISTRY_DELETION where RegOperationType is 4 or 102.
  • Mapped metadata.event_type to REGISTRY_MODIFICATION where RegOperationType is 1, 5, 7, 9, or 101.
  • Mapped metadata.event_type to REGISTRY_UNCATEGORIZED where RegOperationType is not null and not in any of the above cases.
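The following Python is an added example, not the Google SecOps parser or any Bindplane code. It parses a CEF line in the layout the Falcon CEF feed uses (seven pipe-delimited header fields, then space-delimited key=value extension pairs with CEF's `\=` and `\\` escapes) and then applies a handful of the rules recorded on this page: the RegOperationType to metadata.event_type mapping in the 2022-09-13 entry above, the Severity buckets from the 2023-04-14 entry, the CS:%{cid}:%{aid}: prefix for product_specific_process_id shown in the ParentProcessId table row, the AgentIdString fallback from the 2025-01-31 entry, and the rule from 2024-09-24 that an IP literal must not become principal.hostname. The sample line is constructed (no real customer, agent or host IDs), the field names cid, aid, ProcessId, ParentProcessId, CommandLine, RegOperationType, Severity and ComputerName are taken from the page, and the handling of large integers (normalising through Decimal so a value above 64 bits or serialised in scientific notation survives intact) is my assumption about what the gsub in the 2025-01-17 entry achieves.

```python
"""Added example, not the Google SecOps parser: parse a Falcon CEF line and
derive a few of the UDM values that the changelog on this page describes."""
import ipaddress
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional

# Constructed sample (not a real Falcon event). The extension uses CEF escapes:
# '\=' for '=' and '\\' for '\'. ProcessId is above the signed 64-bit range and
# ParentProcessId is in scientific notation, as a lossy JSON encoder might emit.
SAMPLE_CEF = (
    "CEF:0|CrowdStrike|FalconHost|1.0|ProcessRollup2|Process Rollup|5|"
    "cid=0123456789abcdef0123456789abcdef aid=fedcba9876543210fedcba9876543210 "
    "ProcessId=18446744073709551615 ParentProcessId=9.223372036854776E18 "
    "CommandLine=C:\\\\Windows\\\\System32\\\\cmd.exe /c echo a\\=b "
    "RegOperationType=102 Severity=67 ComputerName=10.0.0.5"
)

_HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "cef_severity"]
# key=value where the value runs (through escapes) until the next " key=" or end.
_KV = re.compile(r"([\w.\-]+)=((?:\\.|[^\\=])*?)(?= [\w.\-]+=|$)")
_ESC = re.compile(r"\\(.)")


def parse_cef(line: str) -> Dict[str, str]:
    """Split the 7 header fields on unescaped '|' and the extension on key=
    boundaries; values may contain spaces, so a naive split on ' ' is wrong."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = {k: v.replace("\\|", "|") for k, v in zip(_HEADER, parts[:7])}
    fields["cef_version"] = fields["cef_version"][len("CEF:"):]
    for key, raw in _KV.findall(parts[7]):
        fields[key] = _ESC.sub(
            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)
    return fields


def product_specific_process_id(fields: Dict[str, str], key: str) -> Optional[str]:
    """CS:<cid>:<aid>:<pid>, with AgentIdString standing in when aid is absent.
    The pid goes through Decimal (assumption about the 'large integer' gsub) so
    it is neither truncated to 64 bits nor left as '9.22E18'."""
    pid, cid = fields.get(key), fields.get("cid")
    aid = fields.get("aid") or fields.get("AgentIdString")
    if not (pid and cid and aid):
        return None
    try:
        pid = str(int(Decimal(pid)))
    except (InvalidOperation, ValueError):
        return None
    return f"CS:{cid}:{aid}:{pid}"


def udm_severity(value: Optional[str]) -> Optional[str]:
    """Bucket the 0-100 Falcon Severity into the UDM enum (2023-04-14 entry)."""
    if value is None or not value.isdigit() or int(value) > 100:
        return None
    n = int(value)
    for upper, label in ((19, "INFORMATIONAL"), (39, "LOW"), (59, "MEDIUM"),
                         (79, "HIGH"), (100, "CRITICAL")):
        if n <= upper:
            return label
    return None


def registry_event_type(op: Optional[str]) -> Optional[str]:
    """metadata.event_type from RegOperationType (2022-09-13 entry)."""
    if op is None:
        return None
    if op == "3":
        return "REGISTRY_CREATION"
    if op in {"4", "102"}:
        return "REGISTRY_DELETION"
    if op in {"1", "5", "7", "9", "101"}:
        return "REGISTRY_MODIFICATION"
    return "REGISTRY_UNCATEGORIZED"


def principal_hostname(value: Optional[str]) -> Optional[str]:
    """Keep a name for principal.hostname but drop IP literals (2024-09-24 entry)."""
    if not value:
        return None
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return value
    return None


def to_udm(line: str) -> Dict[str, Optional[str]]:
    f = parse_cef(line)
    return {
        "principal.process.product_specific_process_id":
            product_specific_process_id(f, "ProcessId"),
        "principal.process.parent_process.product_specific_process_id":
            product_specific_process_id(f, "ParentProcessId"),
        "target.process.command_line": f.get("CommandLine"),
        "security_result.severity": udm_severity(f.get("Severity")),
        "metadata.event_type": registry_event_type(f.get("RegOperationType")),
        "principal.hostname": principal_hostname(f.get("ComputerName")),
    }


if __name__ == "__main__":
    for udm_field, value in to_udm(SAMPLE_CEF).items():
        print(f"{udm_field} = {value!r}")
```

The point of running the sample through is the two failure modes the changelog had to fix: the command line contains spaces and an escaped `=`, so it survives only because the extension parser stops at the next key boundary rather than at the next space, and the process IDs are kept as strings end to end, since a 64-bit conversion or a float round-trip would silently change the identifier that joins parent and child events.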

2022-09-02

Enhancement:

  • Defined the field UserPrincipal in the statedata.

2022-08-30

Enhancement:

  • Defined the field UserPrincipal in the statedata.

2022-08-21

Enhancement:

  • Mapped ActivityId to additional.fields.
  • Mapped SourceEndpointHostName to principal.hostname.
  • Mapped SourceAccountObjectSid to principal.user.windows_sid.
  • Added condition to parse LocalAddressIP4 and aip.
  • Mapped metadata.event_type to STATUS_UPDATE where ComputerName and LocalAddressIP4 are not null.
  • Mapped SourceEndpointAccountObjectGuid to metadata.product_log_id.
  • Mapped SourceEndpointAccountObjectSid to target.user.windows_sid.

2022-08-18

Bug fix:

  • Mapped the following fields:
  • event.PatternDispositionValue to security_result.about.labels.
  • event.ProcessId to principal.process.product_specific_process_id.
  • event.ParentProcessId to target.process.parent_process.pid.
  • event.ProcessStartTime to security_result.detection_fields.
  • event.ProcessEndTime to security_result.detection_fields.
  • event.ComputerName to principal.hostname.
  • event.UserName to principal.user.userid.
  • event.DetectName to security_result.threat_name.
  • event.DetectDescription to security_result.description.
  • event.SeverityName to security_result.severity.
  • event.FileName to target.file.full_path.
  • event.FilePath to target.file.full_path.
  • event.CommandLine to principal.process.command_line.
  • event.SHA256String to target.file.sha256.
  • event.MD5String to security_result.about.file.md5.
  • event.MachineDomain to principal.administrative_domain.
  • event.FalconHostLink to intermediary.url.
  • event.LocalIP to principal.ip.
  • event.MACAddress to principal.mac.
  • event.Tactic to security_result.detection_fields.
  • event.Technique to security_result.detection_fields.
  • event.Objective to security_result.rule_name.
  • event.PatternDispositionDescription to security_result.summary.
  • event.ParentImageFileName to principal.process.parent_process.file.full_path.
  • event.ParentCommandLine to principal.process.parent_process.command_line.

2022-07-29

Enhancement:

  • Mapped event_category, event_module, and Hmac to additional.fields.
  • Mapped user_name to principal.user.userid.
  • Mapped event_source to target.application.
  • Added grok for auth_group and new logs.
  • Added checks for principal_ip, target_ip, and event_type.

2022-07-25

Bug fix:

  • Mapped metadata.event_type to USER_RESOURCE_ACCESS where eventType is K8SDetectionEvent.
  • Mapped metadata.event_type to STATUS_UPDATE where metadata.event_type is null and principal.asset_id is not null.
  • Mapped SourceAccountDomain to principal.administrative_domain.
  • Mapped SourceAccountName to principal.user.userid.
  • Mapped metadata.event_type to STATUS_UPDATE where EventType is Event_ExternalApiEvent and OperationName is one of quarantined_file_update, detection_update, or update_rule.
  • Mapped metadata.event_type to USER_RESOURCE_ACCESS where FilePath is null and FileName is null, or AgentIdString is null.
  • Mapped metadata.event_type to STATUS_UPDATE where Protocol is null.
  • Added conditional checks for MD5String, SHA256String, CommandLine, AgentIdString, ProcessId, ParentProcessId, FilePath, and FileName.

2022-07-12

Enhancement:

  • Mapped OriginalFilename to principal.process.file.full_path when event_simpleName is DriverLoad, ProcessRollup, PeVersionInfo, PeFileWritten, TemplateDetectAnalysis, or ScriptControlDetectInfo.

2022-06-20

Enhancement:

  • Mapped ConfigBuild to security_result.detection_fields.
  • Mapped EffectiveTransmissionClass to security_result.detection_fields.
  • Mapped Entitlements to security_result.detection_fields.

2022-06-14

Enhancement:

  • Mapped CompanyName to target.user.company_name.
  • Mapped AccountType to target.user.role_description.
  • Mapped ProductVersion to metadata.product_version.
  • Mapped LogonInfo to principal.ip.
  • Mapped MAC to principal.mac.
  • Mapped UserSid_readable to target.user.windows_sid.
  • Mapped FileName to target.file.full_path.
  • Mapped _time to metadata.event_timestamp.
  • Added conditional checks for MD5HashData, SHA256HashData, UserName, id, RegObjectName, RegStringValue, RegValueName, UserSid, TargetFileName, and aid.

2022-06-02

Bug fix:

  • Removed key name and colon character from security_result.detection_fields.value.

2022-05-27

Enhancement:

  • Additional mapping: SHA256String and MD5String to security_result.about.file, so that the event shows up as an alert.

2022-05-20

Enhancement:

  • Mapped LinkName to target.resource.attribute.labels.
  • Switched possible GENERIC_EVENTS occurrences to STATUS_UPDATE.
  • Added a backslash between the process name and its parent root directory.
  • Parsed platform if the event_platform is iOS.
  • Changed resource.type to resource_type.

2022-05-12

Enhancement:

  • Mapped resourceName to target.resource.name.
  • Mapped resourceId to target.resource.product_object_id.
  • Mapped Namespace to target.namespace.
  • Mapped Category to security_result.category_details.
  • Mapped description to security_result.description.
  • Mapped sourceAgent to network.http.user_agent.
  • Mapped Severity to security_result.severity.
  • Mapped resourceKind to target.resource.type.
  • Mapped detectionName to target.resource.name.
  • Mapped clusterName to target.resource.attribute.labels.
  • Mapped clusterId to target.resource.attribute.labels.
  • Mapped detectionId to target.resource.attribute.labels.
  • Mapped Type to additional.fields.
  • Mapped Remediation to additional.fields.
  • Mapped Benchmarks to additional.fields.
  • Mapped badResources to additional.fields.

2022-04-27

Bug fix:

  • Changed the UDM event_type from GENERIC_EVENT to USER_LOGIN for logs with ExternalApiType = Event_AuthActivityAuditEvent.
  • Changed the mappings for target_user, actor_user, and actor_user_uuid from additional.fields to target.user.email_addresses, target.user.user_display_name, and target.user.userid respectively.

2022-04-25

Enhancement:

  • Mapped RemoteAddressIP4 to principal.ip.

2022-04-14

Bug fix:

  • Added support for the ScriptContent field for all types of logs.

2022-04-13

Enhancement:

  • Added mappings for new fields.
  • Added a new event mapping: AuthenticationPackage mapped to target.resource.name.

2022-04-04

Bug fix:

  • Mapped OriginatingURL to principal.url for NetworkConnect events.
