Collect CrowdStrike Falcon logs

This document describes how to ingest CrowdStrike Falcon logs into Google Security Operations. You can ingest several types of CrowdStrike Falcon logs, and this document outlines the specific configuration for each.

For a high-level overview of data ingestion in Google Security Operations, see Data ingestion to Google Security Operations.

Supported CrowdStrike Falcon log types

Google Security Operations supports the following CrowdStrike Falcon log types through the parsers with the following ingestion labels:

Endpoint Detection and Response (EDR): CS_EDR. This parser parses near real-time telemetry data from CrowdStrike Falcon Data Replicator (FDR), such as file access and registry modifications. Data is typically ingested from an S3 or Cloud Storage bucket.
Detections: CS_DETECTS. This parser parses Detection Summary events from CrowdStrike using the Detect API. While related to endpoint activity, CS_DETECTS provides higher-level detection summaries compared to the raw telemetry parsed using CS_EDR.

Note: CrowdStrike has deprecated the 'Detects' endpoint. We recommend using CS_ALERTS instead to ingest detection logs.
Alerts: CS_ALERTS. This parser parses alerts from CrowdStrike using the Alerts API. The CrowdStrike Alerts parser supports the following product types:
- epp
- idp
- overwatch
- xdr
- mobile
- cwpp
- ngsiem
Indicators of Compromise (IoC): CS_IOC. This parser parses IoCs and Indicators of Attack (IOAs) from CrowdStrike Threat Intelligence using the CrowdStrike Chronicle Intel Bridge. The CrowdStrike Indicator of Compromise (IoC) parser supports the following indicator types:
- domain
- email_address
- file_name
- file_path
- hash_md5
- hash_sha1
- hash_sha256
- ip_address
- mutex_name
- url

Google SecOps recommends using feeds for CS_EDR, CS_DETECTS, and CS_IOC for comprehensive data ingestion from CrowdStrike.

Before you begin

Ensure that you have the following prerequisites:

Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
All systems in the deployment architecture are configured in the UTC time zone.
Target device runs on a supported operating system
- Must be a 64-bit server
- Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
- Legacy OS versions must support SHA-2 code signing.
Google SecOps service account file and your customer ID from the Google SecOps support team

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New Feed
Content Hub > Content Packs > Get Started

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Ingest CrowdStrike Falcon logs

This section describes how to configure ingestion for the different types of CrowdStrike Falcon logs.

Ingest EDR logs (`CS_EDR`)

You can ingest CrowdStrike Falcon EDR logs using one of the following methods, depending on where you want to send the logs from CrowdStrike:

Amazon SQS: Using a Falcon Data Replicator feed.
Amazon S3: Using a Google Security Operations feed configured for an S3 bucket.
Google Cloud Storage: By having CrowdStrike push logs to a Cloud Storage bucket.

Choose one of the following procedures.

Option 1: Ingest EDR logs from Amazon SQS

This method uses the CrowdStrike Falcon Data Replicator to send EDR logs to an Amazon SQS queue, which Google Security Operations then polls.

Click the CrowdStrike pack.
In the CrowdStrike Falcon log type, specify values for the following fields:
- Source: Amazon SQS
- Region: The S3 region associated with URI.
- Queue Name: Name of the SQS queue from which to read log data.
- S3 URI: The S3 bucket source URI.
- Account Number: The SQS account number.
- Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE.
- Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
- Source deletion option: Option to delete files and directories after transferring the data.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels – Labels applied to all events from this feed.
Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Option 2: Ingest EDR logs from an Amazon S3 bucket

This method involves setting up a Google Security Operations feed to pull EDR logs directly from an Amazon S3 bucket.

To set up an ingestion feed using an S3 bucket, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Crowdstrike Falcon Logs.
In Source type, select Amazon S3.
In Log type, select CrowdStrike Falcon.

Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:

Field	Description
`region`	S3 region URI.
`S3 uri`	S3 bucket source URI.
`uri is a`	Type of object that the URI points to (for example, file or folder).
`source deletion option`	Option to delete files and directories after transferring the data.
`access key id`	Access key (20-character alphanumeric string). For example, `AKIAOSFOODNN7EXAMPLE`.
`secret access key`	Secret access key (40-character alphanumeric string). For example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`.
`oauth client id`	Public OAuth client ID.
`oauth client secret`	OAuth 2.0 client secret.
`oauth secret refresh uri`	OAuth 2.0 client secret refresh URI.
`asset namespace`	Namespace associated with the feed.

Click Next and then Submit.

Option 3: Ingest EDR logs from Cloud Storage

You can configure CrowdStrike to send EDR logs to a Cloud Storage bucket, and then ingest these logs into Google Security Operations using a feed. This process requires coordination with CrowdStrike Support.

Contact CrowdStrike Support: Open a support ticket with CrowdStrike to enable and configure pushing EDR logs to your Cloud Storage bucket. They will provide guidance on the required configurations.
Create and permission the Cloud Storage bucket:
1. In the Google Cloud console, create a new Cloud Storage bucket. Note the bucket name (for example, gs://my-crowdstrike-edr-logs/).
2. Grant write permissions to the service account provided by CrowdStrike. Follow the instructions from CrowdStrike Support.
Configure the Google SecOps feed:
1. In your Google SecOps instance, go to Settings > Feeds and click Add New.
2. Enter a descriptive Feed name (for example, CS-EDR-GCS).
3. For Source type, select Google Cloud Storage V2.
4. For Log type, select CrowdStrike Falcon.
5. In the service account section, click Get Service Account. Copy the unique service account email address displayed.
6. In the Google Cloud console, navigate to your Cloud Storage bucket and grant the Storage Object Viewer IAM role to the service account email address you copied. This allows the feed to read the log files.
7. Return to the Google SecOps feed configuration page.
8. Enter the Storage Bucket URL (for example, gs://my-crowdstrike-edr-logs/). This URL must end with a trailing forward slash (/).
9. Select a Source Deletion Option. Never delete files is recommended.
10. Click Next, review the settings, and then click Submit.
Verify log ingestion: After CrowdStrike confirms that logs are being pushed, check for incoming logs in Google SecOps with the Log Type CROWDSTRIKE_EDR.

Ingest Alerts logs (`CS_ALERTS`)

To ingest CrowdStrike Falcon alerts, you configure a feed that uses the CrowdStrike API.

In the CrowdStrike Falcon Console:
1. Sign in to the CrowdStrike Falcon Console.
2. Go to Support and resources > Resources and tools > API Clients and Keys, and click Create API client.
3. Enter a Client Name and Description.
4. For API Scopes, select the Read and Write boxes for Alerts.
5. Click Create. Note the generated Client ID, Client Secret, and Base URL.
In Google Security Operations:
1. Go to Settings > Feeds and click Add New.
2. Select Third Party API for Source type.
3. Select CrowdStrike Alerts API for Log type.
4. Click Next and populate the following fields using the values from the CrowdStrike API client:
  - OAuth token endpoint
  - OAuth client ID
  - OAuth client secret
  - Base URL
5. Click Next and then Submit.

Ingest Detections logs (`CS_DETECTS`)

To ingest CrowdStrike Falcon detection logs, you also use the CrowdStrike API.

In the CrowdStrike Falcon Console:
1. Sign in to the CrowdStrike Falcon Console.
2. Go to Support Apps > API Clients and Keys.
3. Create a new API client key pair. This key pair must have READ permissions for Detections.
In Google Security Operations:
1. Go to Settings > Feeds and click Add New.
2. Select Third Party API for Source type.
3. Select CrowdStrike Detection Monitoring for Log type.
4. Click Next and then Submit. You will be prompted for the API credentials you created.

Ingest IoC logs (`CS_IOC`)

To ingest Indicator of Compromise (IoC) logs from CrowdStrike, you use the Google SecOps Intel Bridge.

In the CrowdStrike Falcon Console, create a new API client key pair. This key pair must have READ permission for Indicators (Falcon Intelligence).
Set up the Google SecOps Intel Bridge by following the instructions at CrowdStrike to Google SecOps Intel Bridge.

Run the following Docker commands to send the logs from CrowdStrike to Google SecOps. sa.json is your Google SecOps service account file.

docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

After the container is running, IoC logs will begin streaming into Google SecOps.

If you encounter issues with any of these configurations, contact the Google SecOps support team.

UDM Mapping Delta for CrowdStrike alerts logs.

UDM Mapping Delta reference: CS_ALERTS

The following table lists delta between Default parser of CS ALERTS and premium version of CS ALERTS.

Default UDM Mapping	Log Field	Premium Mapping Delta
`about.resource.product_object_id`	`cid`	Removed mapping to avoid duplication, as the `cid` log field is also mapped to `metadata.product_deployment_id`.
`principal.asset.platform_software.platform`	`platform`	If the `device.platform_name` log field value is empty and the `platform` log field value is not empty and if the `platform` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `platform` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `platform` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `platform` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`.
`security_result.detection_fields[agent_id]`	`agent_id`	If the `device.device_id` log field value is empty and the `host_id` log field value is empty and the `mdm_device_id` log field value is empty then, `CS:%{agent_id}` log field is mapped to the `principal.asset_id` UDM field. Else, the `principal.asset.attribute.labels.key` UDM field is set to `agent_id` and `agent_id` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`security_result.detection_fields[idp_policy_account_event_type]`	`idp_policy_account_event_type`	`security_result.rule_labels[idp_policy_account_event_type]`
`security_result.detection_fields[idp_policy_mfa_factor_type]`	`idp_policy_mfa_factor_type`	`security_result.rule_labels[idp_policy_mfa_factor_type]`
`security_result.detection_fields[idp_policy_mfa_provider_name]`	`idp_policy_mfa_provider_name`	`security_result.rule_labels[idp_policy_mfa_provider_name]`
`security_result.detection_fields[idp_policy_mfa_provider]`	`idp_policy_mfa_provider`	`security_result.rule_labels[idp_policy_mfa_provider]`
`security_result.detection_fields[idp_policy_rule_action]`	`idp_policy_rule_action`	`security_result.rule_labels[idp_policy_rule_action]`
`security_result.detection_fields[idp_policy_rule_trigger]`	`idp_policy_rule_trigger`	`security_result.rule_labels[idp_policy_rule_trigger]`
`security_result.detection_fields[idp_policy_rule_id]`	`idp_policy_rule_id`	`security_result.rule_id`
`security_result.detection_fields[idp_policy_rule_name]`	`idp_policy_rule_name`	`security_result.rule_name`
`security_result.detection_fields[status]`	`status`	If the `status` log field value matches the regular expression pattern `(?i)new` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `NEW`. Else, if `status` log field value matches the regular expression pattern `(?i)closed` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `CLOSED`. Else, `status` log field is mapped to the `security_result.detection_fields[status]` UDM field.
`target.process.file.mime_type`	`alleged_filetype`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `alleged_filetype` log field is mapped to the `target.file.mime_type` UDM field. Else, `alleged_filetype` log field is mapped to the `target.process.file.mime_type` UDM field.
`principal.resource.product_object_id`	`device.cid`	`principal.asset.attribute.labels[device_cid]`
`security_result.detection_fields[active_directory_dn_display]`	`device.hostinfo.active_directory_dn_display`	Iterate through log field `device.hostinfo.active_directory_dn_display`, then the `security_result.detection_fields.key` UDM field is set to `device_hostinfo_active_directory_dn_display` and `device.hostinfo.active_directory_dn_display` log field is mapped to the `security_result.detection_fields.value` UDM field.
`principal.asset.platform_software.platform`	`device.platform_name`	If the `device.platform_name` log field value is not empty and if the `device.platform_name` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. if the `platform` log field value is not empty and the `device.platform_name` log field value is equal to `the platform log field value` then, the `principal.asset.attribute.labels.key` UDM field is set to `platform` and `platform` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`principal.asset.platform_software.platform_version`	`device.system_product_name`	`principal.asset.hardware.model`
`target.process.file.names`	`filename`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filename` log field is mapped to the `target.file.names` UDM field. Else, `filename` log field is mapped to the `target.process.file.names` UDM field.
`target.file.full_path`	`filepath`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filepath` log field is mapped to the `target.file.full_path` UDM field. Else, `filepath` log field is mapped to the `target.process.file.full_path` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `macros.ioc_description` log field value is not empty then, `macros.ioc_description` log field is mapped to the `target.file.full_path` UDM field and the `security_result.detection_fields.key` UDM field is set to `filepath` and `filepath` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process_ancestors.command_line`	`grandparent_details.cmdline`	`target.process.parent_process.parent_process.command_line`
`target.process_ancestors.file.names`	`grandparent_details.filename`	`target.process.parent_process.parent_process.file.names`
`target.process_ancestors.file.full_path`	`grandparent_details.filepath`	`target.process.parent_process.parent_process.file.full_path`
`target.process_ancestors.file.md5`	`grandparent_details.md5`	`target.process.parent_process.parent_process.file.md5`
`target.process_ancestors.product_specific_process_id`	`grandparent_details.process_graph_id`	If the `grandparent_details.process_graph_id` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id}` log field is mapped to the `target.process.parent_process.parent_process.product_specific_process_id` UDM field.
`target.process_ancestors.pid`	`grandparent_details.process_id`	`target.process.parent_process.parent_process.pid`
`target.process_ancestors.file.sha256`	`grandparent_details.sha256`	`target.process.parent_process.parent_process.file.sha256`
`security_result.detection_fields[ioc_description]`	`ioc_context.ioc_description`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_description` and `ioc_context.ioc_description` log field is mapped to the `security_result.detection_fields.value` UDM field.
`security_result.detection_fields[ioc_source]`	`ioc_context.ioc_source`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_source` and `ioc_context.ioc_source` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process.file.md5`	`md5`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `md5` log field is mapped to the `target.file.md5` UDM field. Else, `md5` log field is mapped to the `target.process.file.md5` UDM field.
`target.process.file.sha1`	`sha1`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha1` log field is mapped to the `target.file.sha1` UDM field. Else, `sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`target.file.sha256`	`sha256`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha256` log field is mapped to the `target.file.sha256` UDM field. Else, `sha256` log field is mapped to the `target.process.file.sha256` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `ioc_type` log field value is equal to `hash_sha256` and the `macros.ioc_value` log field value is not empty then, `macros.ioc_value` log field is mapped to the `target.file.sha256` UDM field and the `security_result.detection_fields.key` UDM field is set to `sha256` and `sha256` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.asset.platform_software.platform`	`operating_system`	If the `operating_system` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`.
`security_result.detection_fields[agent_version]`	`agent_version`	`principal.asset.attribute.labels[agent_version]`
`about.email`	`enrollment_email`	`principal.user.email_addresses`
`principal.asset.type`		If the `mdm_device_id` log field value is not empty or the `mobile_hardware` log field value is not empty or the `mobile_manufacturer` log field value is not empty or the `mobile_serial` log field value is not empty then, the `principal.asset.type` UDM field is set to `MOBILE`.
`security_result.detection_fields[detection_context_user_is_admin]`	`detection_context.user_is_admin`	`security_result.about.user.attribute.label[detection_context_user_is_admin]`
`security_result.detection_fields[detection_context_user_sid]`	`detection_context.user_sid`	`security_result.about.user.attribute.label[detection_context_user_sid]`
`principal.asset.attribute.labels[pod_id]`	`device.pod_id`	`principal.resource.product_object_id`
`principal.asset.attribute.labels[pod_labels]`	`device.pod_labels`	`principal.resource.attribute.labels[pod_labels]`
`principal.asset.attribute.labels[pod_name]`	`device.pod_name`	`principal.resource.name`
`principal.asset.attribute.labels[pod_namespace]`	`device.pod_namespace`	`principal.resource.attribute.labels[pod_namespace]`
`principal.asset.attribute.labels[pod_service_account_name]`	`device.pod_service_account_name`	`principal.resource.attribute.labels[pod_service_account_name]`

Supported CrowdStrike log formats

The CrowdStrike parser supports logs in JSON format.

Need more help? Get answers from Community members and Google SecOps professionals.