Coletar registros de alertas do SentinelOne
Compatível com:
Google SecOps
SIEM
Neste documento, descrevemos como coletar registros de alertas do SentinelOne configurando um feed do Google Security Operations e como os campos de registro são mapeados para os campos do Modelo de Dados Unificado (UDM) do Google SecOps.
Para mais informações, consulte Visão geral da ingestão de dados no Google Security Operations.
Uma implantação típica consiste em um alerta do SentinelOne e no feed do Google SecOps configurado para enviar registros ao Google SecOps. Cada implantação do cliente pode ser diferente e mais complexa.
A implantação contém os seguintes componentes:
SentinelOne: o produto de que você coleta registros.
Feed do Google SecOps: busca registros do SentinelOne e grava registros no Google SecOps.
Google SecOps: o Google SecOps retém e analisa os registros do SentinelOne.
Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos para o formato UDM estruturado. As informações neste documento se aplicam ao analisador
com o rótulo de ingestão SENTINELONE_ALERT.
Antes de começar
Verifique se você tem os pré-requisitos a seguir:
- Uma assinatura ativa do Singularity Complete para SentinelOne. Consulte Pacotes da plataforma para mais detalhes.
- GET Alerts e GET Threats API v2.1
- Uma função de administrador no nível global ou da conta. Para receber uma função de administrador, entre em contato com seu usuário administrador.
- Direitos de administrador para instalar o agente do SentinelOne. Para ter direitos de administrador, entre em contato com o usuário administrador.
Como configurar o SentinelOne:
Para gerar um token de API, siga estas etapas: 1. No console de gerenciamento do SentinelOne, acesse Configurações e clique em Usuários. 1. Clique no usuário administrador para quem você quer gerar o token de API. 1. Clique em Ações > Operações de token da API > Gerar token da API. Você precisa desse token de API para preencher os cabeçalhos HTTP de autenticação na plataforma Google SecOps.
Configurar feeds
Há dois pontos de entrada diferentes para configurar feeds na plataforma do Google SecOps:
- Configurações do SIEM > Feeds
- Central de conteúdo > Pacotes de conteúdo
Configure feeds em Configurações do SIEM > Feeds
Para configurar vários feeds para diferentes tipos de registros nessa família de produtos, consulte Configurar feeds por produto.
Para configurar um único feed, siga estas etapas:
- Acesse Configurações do SIEM > Feeds.
- Clique em Adicionar novo feed.
- Na próxima página, clique em Configurar um único feed.
- No campo Nome do feed, insira um nome para o feed, por exemplo, Registros de alertas do SentinelOne.
- Selecione API de terceiros como o Tipo de origem e Alertas do Sentinelone como o Tipo de registro.
Clique em Próxima e preencha Cabeçalhos HTTP de autenticação, Nome do host da API, Horário de início inicial, A API de alertas está inscrita? e Namespace do recurso para sua instância do SentinelOne.
Você precisa de um token de API para preencher os cabeçalhos HTTP de autenticação. Ele pode ser gerado no SentinelOne e reutilizado para criações de feed futuras. Para gerar um token de API, siga estas etapas:
- No console de gerenciamento do SentinelOne, acesse Configurações e clique em Usuários.
- Clique no usuário administrador para quem você quer gerar o token de API.
- Clique em Ações > Operações de token da API > Gerar token da API.
- Em Cabeçalhos HTTP de autenticação, insira o token de API gerado no formato
Authorization: APIToken Token Value. - Marque a caixa de seleção A API de alerta está inscrita? para coletar eventos de alerta do SentinelOne.
- Clique em Próxima e em Enviar.
Configurar feeds na Central de conteúdo
Especifique valores para os seguintes campos:
- Cabeçalhos HTTP de autenticação: usados para autenticar em relação à API de alertas e ameaças e indicadores estáticos do SentinelOne no formato
key:value. - Nome do host da API: o nome de domínio totalmente qualificado da API do SentinelOne.
- Horário de início inicial: tempo desde quando os alertas devem ser buscados.
- Is Alert API Subscribed: indica se a API Alerts está inscrita pelo cliente.
ID da chave de acesso: a chave de acesso do usuário com permissões para ler do bucket do S3.
Chave de acesso secreta: a chave secreta do usuário com permissões para ler do bucket do S3.
Opções avançadas
- Nome do feed: um valor pré-preenchido que identifica o feed.
- Tipo de origem: método usado para coletar registros no Google SecOps.
- Namespace do recurso: namespace associado ao feed.
- Rótulos de ingestão: rótulos aplicados a todos os eventos deste feed.
Tipos de registros de alerta do SentinelOne compatíveis
O analisador de alertas do SentinelOne é compatível com tipos de registros de alertas e ameaças.
Formatos de registros de alerta do SentinelOne aceitos
O analisador de alertas do SentinelOne é compatível com registros nos formatos JSON e CEF.
Registros de amostra de alertas do SentinelOne compatíveis
JSON
{ "accountId": "1235512064263015539", "accountName": "dummy", "agentComputerName": "dummy", "agentDomain": "WORKGROUP", "agentId": "1245680559492378683", "agentInfected": false, "agentIp": "198.51.100.0", "agentIsActive": false, "agentIsDecommissioned": true, "agentMachineType": "server", "agentNetworkStatus": "disconnecting", "agentOsType": "windows", "agentVersion": "21.6.2.272", "annotation": "Automatically resolved by SentinelOne Console", "automaticallyResolved": true, "browserType": null, "certId": "", "classification": "Malware", "classificationSource": "Static", "classifierName": "MANUAL", "cloudVerdict": null, "collectionId": "1251555311751427932", "commandId": "1251555264615838432", "createdAt": "2022-09-03T19:36:59.540349Z", "createdDate": "2021-09-23T19:36:57.867000Z", "description": "malware detected - not mitigated yet (cmd.exe (interactive session))", "engines": [ "manual" ], "external_ticket_id": null, "fileContentHash": "c3d10d8d9fce936e5ca32f930f20c8e703619f71", "fileCreatedDate": null, "fileDisplayName": "Unknown file", "fileExtensionType": "None", "fileIsDotNet": null, "fileIsExecutable": false, "fileIsSystem": false, "fileMaliciousContent": null, "fileObjectId": "3EFA3EFA3EFA3EFA", "filePath": "/home/gitlab-runner/webshell_hits/old.hits-go-here/fedcd896ef45bf145d7e880edd4e5390.dll", "fileSha256": null, "fileVerificationType": "NotSigned", "fromCloud": false, "fromScan": false, "id": "1251555311717873499", "indicators": [ { "categoryName": "test Hiding/Stealthiness", "description": "This binary may have Anti-sandboxing capabilities to evade detection in sandbox tools", "id": 126 }, { "categoryName": "Hiding/Stealthiness", "description": "sample desc There are signs of a backdoor in the PE header", "id": 127 }, { "categoryName": "Test category name Hiding/Stealthiness", "description": "This binary might try to schedule a task or modify a scheduled task", "id": 129 } ], "initiatedBy": "dvCommand", "initiatedByDescription": "Deep Visibility Command", "initiatingUserId": "1245152494739966182", "isCertValid": false, "isInteractiveSession": true, "isPartialStory": false, "maliciousGroupId": "DEA2CA314B3AB7E4", "maliciousProcessArguments": "", "markedAsBenign": true, "mitigationMode": "protect", "mitigationReport": { "kill": { "status": "success" }, "network_quarantine": { "status": null }, "quarantine": { "status": "success" }, "remediate": { "status": null }, "rollback": { "status": null }, "unquarantine": { "status": null } }, "mitigationStatus": "mitigated", "publisher": "", "rank": null, "resolved": true, "siteId": "1235512064330124404", "siteName": "Default site", "threatAgentVersion": "21.6.2.272", "threatName": "cmd.exe (interactive session)", "updatedAt": "2021-10-23T20:34:15.668440Z", "username": "dummy\\\\Administrator", "whiteningOptions": [] }CEF
<86>Nov 5 11:53:06 abcdefg sshd[1475549]: reprocess config line 158: Deprecated option RhostsRSAAuthentication
Referência de mapeamento de campos
Esta seção explica como o analisador do Google SecOps mapeia campos de alerta do SentinelOne para campos do modelo de dados unificado (UDM) do Google SecOps.
Referência de mapeamento de campos: identificador de evento para tipo de evento
A tabela a seguir lista os tipos de registrosSENTINELONE_ALERT e os tipos de eventos da UDM correspondentes.
| Event Identifier | Event Type | Security Category |
|---|---|---|
BEHAVIORALINDICATORS |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
DNS |
NETWORK_DNS |
|
DUPLICATEPROCESS |
PROCESS_UNCATEGORIZED |
|
FILECREATION |
FILE_CREATION |
|
FILEDELETION |
FILE_DELETION |
|
FILEMODIFICATION |
FILE_MODIFICATION |
|
FILERENAME |
FILE_MODIFICATION |
|
FILESCAN |
SCAN_FILE |
|
HTTP |
NETWORK_HTTP |
|
MALICIOUSFILE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
OPENPROCESS |
PROCESS_OPEN |
|
PROCESSCREATION |
PROCESS_LAUNCH |
|
REGKEYCREATE |
REGISTRY_CREATION |
|
REGKEYDELETE |
REGISTRY_DELETION |
|
REGVALUECREATE |
REGISTRY_CREATION |
|
REGVALUEDELETE |
REGISTRY_DELETION |
|
REGVALUEMODIFIED |
REGISTRY_MODIFICATION |
|
SCHEDTASKSTART |
SERVICE_START |
|
SCHEDTASKTRIGGER |
SERVICE_START |
|
SCHEDTASKUPDATE |
SERVICE_MODIFICATION |
|
SCRIPTS |
FILE_UNCATEGORIZED |
|
TCPV4 |
NETWORK_UNCATEGORIZED |
|
TCPV4LISTEN |
NETWORK_UNCATEGORIZED |
|
WINLOGONATTEMPT |
USER_LOGIN |
|
If the threatInfo.filePath log field is not empty or the threatInfo.fileSize log field value is not empty, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
FILE_UNCATEGORIZED |
|
Referência de mapeamento de campo: SENTINELONE_ALERT
A tabela a seguir lista os campos de registro do tipo SENTINELONE_ALERT e os campos correspondentes da UDM.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
|
|
metadata.product_name |
|
|
metadata.url_back_to_product |
If the threatInfo.threatId log field value is not empty and the source_hostname log field value is not empty, then the https://source_hostname/incidents/threats/threatInfo.threatId/overview log field is mapped to the metadata.url_back_to_product UDM field.Else, if the source_hostname log field value is not empty, then the https://source_hostname log field is mapped to the metadata.url_back_to_product UDM field. |
agentDetectionInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value matches the regular expression pattern laptop, then the principal.asset.type UDM field is set to LAPTOP.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern desktop, then the principal.asset.type UDM field is set to WORKSTATION.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern server, then the principal.asset.type UDM field is set to SERVER.Else, the agentDetectionInfo.machineType log field is mapped to the principal.asset.attribute.labels.agent_detection_info_machine_type UDM field. |
agentRealtimeInfo.agentMachineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is not empty , then:
|
agentRealtimeInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is empty and the agentRealtimeInfo.machineType log field value is not empty , then:
|
agentDetectionInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentDetectionInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentDetectionInfo.osFamily |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX.Else, the agentDetectionInfo.osFamily log field is mapped to the principal.asset.attribute.labels.agent_detection_info_os_family UDM field. |
agentRealtimeInfo.os |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osFamily |
principal.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX |
agentRealtimeInfo.os |
principal.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentRealtimeInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.osRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentRealtimeInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.siteId |
principal.labels[agent_detection_info_siteId] (deprecated) |
|
agentDetectionInfo.siteId |
additional.fields[agent_detection_info_siteId] |
|
agentDetectionInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.version |
principal.asset.attribute.labels[agent_version] |
|
agentDetectionInfo.agentVersion |
principal.asset.attribute.labels[agent_detection_info_agent_version] |
|
agentRealtimeInfo.agentVersion |
principal.asset.attribute.labels[agent_realtime_info_agent_version] |
|
agentRealtimeInfo.id |
principal.asset.attribute.labels[agent_realtime_info_id] |
|
agentRealtimeInfo.infected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.agentInfected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.isActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.agentIsActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.isDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
agentRealtimeInfo.agentIsDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
alertInfo.alertId |
metadata.product_log_id |
|
id |
metadata.product_log_id |
|
metadata.product_event_type |
If the log matches the regular expression pattern alertInfo, then the metadata.product_event_type UDM field is set to Alerts.Else, if the log matches the regular expression pattern threatInfo, then the metadata.product_event_type UDM field is set to Threats. |
|
alertInfo.analystVerdict |
security_result.detection_fields[alert_info_analyst_verdict] |
|
alertInfo.createdAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
threatInfo.identifiedAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
|
network.application_protocol |
If the alertInfo.dnsRequest log field value is not empty, then the network.application_protocol UDM field is set to DNS. |
alertInfo.dnsRequest |
network.dns.questions.name |
|
alertInfo.dnsResponse |
network.dns.answers.name |
|
alertInfo.dstIp |
target.ip |
|
alertInfo.dstPort |
target.port |
|
alertInfo.dvEventId |
security_result.detection_fields[alert_info_dv_event_id] |
|
alertInfo.eventType |
security_result.detection_fields[alert_info_event_type] |
|
alertInfo.hitType |
security_result.detection_fields[alert_info_hit_type] |
|
alertInfo.incidentStatus |
security_result.detection_fields[alert_info_incident_status] |
|
alertInfo.indicatorCategory |
security_result.detection_fields[alert_info_indicator_category] |
|
alertInfo.indicatorDescription |
security_result.detection_fields[alert_info_indicator_description] |
|
alertInfo.indicatorName |
security_result.detection_fields[alert_info_indicator_name] |
|
alertInfo.isEdr |
security_result.detection_fields[alert_info_is_edr] |
|
alertInfo.loginAccountDomain |
security_result.detection_fields[alert_info_login_account_domain] |
|
alertInfo.loginAccountSid |
security_result.detection_fields[alert_info_login_account_sid] |
|
alertInfo.loginIsAdministratorEquivalent |
security_result.detection_fields[alert_info_login_is_administrator_equivalent] |
|
|
security_result.action |
If the alertInfo.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW. else the alertInfo.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to BLOCK.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to ALLOW.
|
|
extensions.auth.mechanism |
If the alertInfo.loginType log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.Else, if the alertInfo.loginType log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.Else, if the alertInfo.loginType log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.Else, if the alertInfo.loginType log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.Else, if the alertInfo.loginType log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.Else, if the alertInfo.loginType log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.Else, if the alertInfo.loginType log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.Else, if the alertInfo.loginType log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK. |
alertInfo.loginsUserName |
target.user.user_display_name |
|
alertInfo.modulePath |
security_result.detection_fields[alert_info_module_path] |
|
alertInfo.moduleSha1 |
security_result.detection_fields[alert_info_module_sha1] |
|
alertInfo.netEventDirection |
network.direction |
If the alertInfo.netEventDirection log field value matches the regular expression pattern OUTGOING, then the network.direction UDM field is set to OUTBOUND.Else, if the alertInfo.netEventDirection log field value matches the regular expression pattern INCOMING, then the network.direction UDM field is set to INBOUND. |
alertInfo.registryKeyPath |
target.registry.registry_key |
|
alertInfo.registryOldValue |
src.registry.registry_value_data |
|
alertInfo.registryOldValueType |
src.registry.registry_value_name |
|
alertInfo.registryPath |
src.registry.registry_key |
|
alertInfo.registryValue |
target.registry.registry_value_data |
|
alertInfo.reportedAt |
security_result.first_discovered_time |
|
alertInfo.source |
security_result.category_details |
|
alertInfo.srcPort |
principal.port |
|
alertInfo.tiIndicatorComparisonMethod |
security_result.detection_fields[alert_info_tiIndicator_comparison_method] |
|
alertInfo.tiIndicatorSource |
security_result.detection_fields[alert_info_tiIndicator_source] |
|
alertInfo.tiIndicatorType |
security_result.detection_fields[alert_info_tiIndicator_type] |
|
alertInfo.tiIndicatorValue |
security_result.detection_fields[alert_info_tiIndicator_value] |
|
alertInfo.updatedAt |
security_result.detection_fields[alert_info_updated_at] |
|
containerInfo.id |
target.resource.product_object_id |
|
containerInfo.image |
target.resource.attribute.labels[container_image] |
|
containerInfo.labels |
target.resource.attribute.labels[container_labels] |
If the containerInfo.labels log field value is not empty, then the containerInfo.labels log field is mapped to the target.resource.attribute.labels.container_labels UDM field. |
containerInfo.name |
target.resource.name |
|
|
target.resource.resource_type |
If the containerInfo.name log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER. |
kubernetesInfo.cluster |
target.resource_ancestors.name |
|
kubernetesInfo.controllerName |
target.resource_ancestors.name |
|
kubernetesInfo.node |
target.resource_ancestors.name |
|
kubernetesInfo.pod |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
If the kubernetesInfo.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.If the kubernetesInfo.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.isContainerQuarantine log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.node log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. |
kubernetesInfo.controllerKind |
target.resource_ancestors.attribute.labels[kubernetes_controller_kind] |
|
kubernetesInfo.controllerLabels |
target.resource_ancestors.attribute.labels[kubernetes_controller_labels] |
If the kubernetesInfo.controllerLabels log field value is not empty, then the kubernetesInfo.controllerLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_controller_labels UDM field. |
kubernetesInfo.namespace |
target.resource_ancestors.attribute.labels[kubernetes_namespace] |
|
kubernetesInfo.namespaceLabels |
target.resource_ancestors.attribute.labels[kubernetes_namespace_labels] |
|
kubernetesInfo.podLabels |
target.resource_ancestors.attribute.labels[kubernetes_pod_labels] |
If the kubernetesInfo.podLabels log field value is not empty, then the kubernetesInfo.podLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_pod_labels UDM field. |
ruleInfo.description |
security_result.rule_set_display_name |
|
ruleInfo.id |
security_result.rule_id |
|
ruleInfo.name |
security_result.rule_name |
|
ruleInfo.queryLang |
security_result.rule_labels[query_lang] |
|
ruleInfo.queryType |
security_result.rule_labels[query_type] |
|
ruleInfo.s1ql |
security_result.rule_labels[s1ql] |
|
ruleInfo.scopeLevel |
security_result.rule_labels[scope_level] |
|
|
security_result.severity |
If the ruleInfo.severity log field value matches the regular expression pattern (?i)low, then the security_result.severity UDM field is set to LOW.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)critical, then the security_result.severity UDM field is set to CRITICAL.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)high, then the security_result.severity UDM field is set to HIGH. |
ruleInfo.severity |
security_result.severity_details |
|
ruleInfo.treatAsThreat |
security_result.rule_type |
|
sourceParentProcessInfo.commandline |
principal.process.parent_process.command_line |
|
sourceParentProcessInfo.fileHashMd5 |
principal.process.parent_process.file.md5 |
If the sourceParentProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceParentProcessInfo.fileHashMd5 log field is mapped to the principal.process.parent_process.file.md5 UDM field. |
sourceParentProcessInfo.fileHashSha1 |
principal.process.parent_process.file.sha1 |
If the sourceParentProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceParentProcessInfo.fileHashSha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field. |
sourceParentProcessInfo.fileHashSha256 |
principal.process.parent_process.file.sha256 |
If the sourceParentProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceParentProcessInfo.fileHashSha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field. |
sourceParentProcessInfo.filePath |
principal.process.parent_process.file.full_path |
|
sourceParentProcessInfo.fileSignerIdentity |
principal.process.parent_process.file.signature_info.sigcheck.signers.name |
|
sourceParentProcessInfo.integrityLevel |
principal.labels[source_parent_process_integrity_level] (deprecated) |
|
sourceParentProcessInfo.integrityLevel |
additional.fields[source_parent_process_integrity_level] |
|
sourceParentProcessInfo.name |
principal.labels[source_parent_process_name] (deprecated) |
|
sourceParentProcessInfo.name |
additional.fields[source_parent_process_name] |
|
sourceParentProcessInfo.pid |
principal.process.parent_process.pid |
|
sourceParentProcessInfo.pidStarttime |
principal.labels[source_parent_process_pid_start_time] (deprecated) |
|
sourceParentProcessInfo.pidStarttime |
additional.fields[source_parent_process_pid_start_time] |
|
sourceParentProcessInfo.storyline |
principal.labels[source_parent_process_storyline] (deprecated) |
|
sourceParentProcessInfo.storyline |
additional.fields[source_parent_process_storyline] |
|
sourceParentProcessInfo.subsystem |
principal.labels[source_parent_process_subsystem] (deprecated) |
|
sourceParentProcessInfo.subsystem |
additional.fields[source_parent_process_subsystem] |
|
|
principal.process.parent_process.product_specific_process_id |
If the sourceParentProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceParentProcessInfo.uniqueId} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
sourceParentProcessInfo.user |
principal.labels[source_parent_process_user] (deprecated) |
|
sourceParentProcessInfo.user |
additional.fields[source_parent_process_user] |
|
sourceProcessInfo.commandline |
principal.process.command_line |
|
sourceProcessInfo.fileHashMd5 |
principal.process.file.md5 |
If the sourceProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceProcessInfo.fileHashMd5 log field is mapped to the principal.process.file.md5 UDM field. |
sourceProcessInfo.fileHashSha1 |
principal.process.file.sha1 |
If the sourceProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceProcessInfo.fileHashSha1 log field is mapped to the principal.process.file.sha1 UDM field. |
sourceProcessInfo.fileHashSha256 |
principal.process.file.sha256 |
If the sourceProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceProcessInfo.fileHashSha256 log field is mapped to the principal.process.file.sha256 UDM field. |
sourceProcessInfo.filePath |
principal.process.file.full_path |
|
sourceProcessInfo.fileSignerIdentity |
principal.process.file.signature_info.sigcheck.signers.name |
|
sourceProcessInfo.integrityLevel |
principal.labels[source_process_integrity_level] (deprecated) |
|
sourceProcessInfo.integrityLevel |
additional.fields[source_process_integrity_level] |
|
sourceProcessInfo.name |
principal.labels[source_process_name] (deprecated) |
|
sourceProcessInfo.name |
additional.fields[source_process_name] |
|
sourceProcessInfo.pid |
principal.process.pid |
|
sourceProcessInfo.pidStarttime |
principal.labels[source_process_pid_start_time] (deprecated) |
|
sourceProcessInfo.pidStarttime |
additional.fields[source_process_pid_start_time] |
|
sourceProcessInfo.storyline |
principal.labels[source_process_storyline] (deprecated) |
|
sourceProcessInfo.storyline |
additional.fields[source_process_storyline] |
|
sourceProcessInfo.subsystem |
principal.labels[source_process_subsystem] (deprecated) |
|
sourceProcessInfo.subsystem |
additional.fields[source_process_subsystem] |
|
|
principal.process.product_specific_process_id |
If the sourceProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceProcessInfo.uniqueId} log field is mapped to the principal.process.product_specific_process_id UDM field. |
sourceProcessInfo.user |
principal.user.user_display_name |
|
threatInfo.initiatingUsername |
principal.user.user_display_name |
|
targetProcessInfo.tgtFileCreatedAt |
target.process.file.first_seen_time |
|
targetProcessInfo.tgtFileHashSha1 |
target.process.file.sha1 |
If the targetProcessInfo.tgtFileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the targetProcessInfo.tgtFileHashSha1 log field is mapped to the target.process.file.sha1 UDM field. |
targetProcessInfo.tgtFileHashSha256 |
target.process.file.sha256 |
If the targetProcessInfo.tgtFileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the targetProcessInfo.tgtFileHashSha256 log field is mapped to the target.process.file.sha256 UDM field. |
targetProcessInfo.tgtFileId |
target.labels[target_file_id] (deprecated) |
|
targetProcessInfo.tgtFileId |
additional.fields[target_file_id] |
|
targetProcessInfo.tgtFileIsSigned |
target.process.file.signature_info.sigcheck.verification_message |
|
targetProcessInfo.tgtFileModifiedAt |
target.process.file.last_modification_time |
|
targetProcessInfo.tgtFileOldPath |
target.labels[target_file_old_path] (deprecated) |
|
targetProcessInfo.tgtFileOldPath |
additional.fields[target_file_old_path] |
|
targetProcessInfo.tgtFilePath |
target.process.file.full_path |
|
targetProcessInfo.tgtProcCmdLine |
target.process.command_line |
|
targetProcessInfo.tgtProcImagePath |
target.labels[target_process_image_path] (deprecated) |
|
targetProcessInfo.tgtProcImagePath |
additional.fields[target_process_image_path] |
|
targetProcessInfo.tgtProcIntegrityLevel |
target.labels[target_process_integrity_level] (deprecated) |
|
targetProcessInfo.tgtProcIntegrityLevel |
additional.fields[target_process_integrity_level] |
|
targetProcessInfo.tgtProcName |
target.labels[target_process_name] (deprecated) |
|
targetProcessInfo.tgtProcName |
additional.fields[target_process_name] |
|
targetProcessInfo.tgtProcPid |
target.process.pid |
|
targetProcessInfo.tgtProcSignedStatus |
target.labels[target_process_signed_status] (deprecated) |
|
targetProcessInfo.tgtProcSignedStatus |
additional.fields[target_process_signed_status] |
|
targetProcessInfo.tgtProcStorylineId |
target.labels[target_process_storyline_id] (deprecated) |
|
targetProcessInfo.tgtProcStorylineId |
additional.fields[target_process_storyline_id] |
|
|
target.process.product_specific_process_id |
If the targetProcessInfo.tgtProcUid log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{targetProcessInfo.tgtProcUid} log field is mapped to the target.process.product_specific_process_id UDM field. |
targetProcessInfo.tgtProcessStartTime |
target.labels[target_process_start_time] (deprecated) |
|
targetProcessInfo.tgtProcessStartTime |
additional.fields[target_process_start_time] |
|
source_hostname |
intermediary.hostname |
|
agentDetectionInfo.accountId |
metadata.product_deployment_id |
|
agentDetectionInfo.accountName |
principal.labels[agent_detection_info_account_name] (deprecated) |
|
agentDetectionInfo.accountName |
additional.fields[agent_detection_info_account_name] |
|
agentDetectionInfo.agentDetectionState |
principal.asset.attribute.labels[agent_detection_info_detection_state] |
|
agentDetectionInfo.agentDomain |
principal.administrative_domain |
|
agentDetectionInfo.agentIpV4 |
principal.ip |
|
agentDetectionInfo.agentIpV6 |
principal.ip |
|
alertInfo.srcIp |
principal.ip |
|
alertInfo.srcMachineIp |
principal.ip |
|
agentDetectionInfo.agentIpV4 |
principal.asset.ip |
|
agentDetectionInfo.agentIpV6 |
principal.asset.ip |
|
alertInfo.srcIp |
principal.asset.ip |
|
alertInfo.srcMachineIp |
principal.asset.ip |
|
agentDetectionInfo.agentLastLoggedInUpn |
principal.labels[agent_detection_info_last_logged_in_upn] (deprecated) |
|
agentDetectionInfo.agentLastLoggedInUpn |
additional.fields[agent_detection_info_last_logged_in_upn] |
|
agentDetectionInfo.agentLastLoggedInUserMail |
principal.user.email_addresses |
|
agentDetectionInfo.agentLastLoggedInUserName |
principal.user.attribute.labels[agent_last_loggedIn_user_name] |
|
agentDetectionInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_detection_info_mitigation_mode] |
|
agentDetectionInfo.agentRegisteredAt |
principal.asset.first_discover_time |
|
agentDetectionInfo.externalIp |
principal.nat_ip |
|
agentDetectionInfo.groupId |
principal.group.attribute.labels[agent_detection_info_group_id] |
|
agentRealtimeInfo.groupId |
principal.group.attribute.labels[agent_realtime_info_group_id] |
|
agentDetectionInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentRealtimeInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentDetectionInfo.siteName |
principal.labels[agent_detection_info_site_name] (deprecated) |
|
agentDetectionInfo.siteName |
additional.fields[agent_detection_info_site_name] |
|
agentRealtimeInfo.siteName |
principal.labels[agent_realtime_info_site_name] (deprecated) |
|
agentRealtimeInfo.siteName |
additional.fields[agent_realtime_info_site_name] |
|
agentRealtimeInfo.accountId |
principal.labels[agent_realtime_info_account_id] (deprecated) |
|
agentRealtimeInfo.accountId |
additional.fields[agent_realtime_info_account_id] |
|
agentRealtimeInfo.accountName |
principal.labels[agent_realtime_info_account_name] (deprecated) |
|
agentRealtimeInfo.accountName |
additional.fields[agent_realtime_info_account_name] |
|
agentRealtimeInfo.activeThreats |
security_result.detection_fields[agent_realtime_info_active_threats] |
|
agentRealtimeInfo.agentDecommissionedAt |
principal.asset.attribute.labels[agent_realtime_info_agent_decommissioned_at] |
|
agentRealtimeInfo.agentDomain |
principal.labels[agent_realtime_info_domain] (deprecated) |
|
agentRealtimeInfo.agentDomain |
additional.fields[agent_realtime_info_domain] |
|
agentRealtimeInfo.agentId |
principal.asset.attribute.labels[agent_realtime_info_agent_id] |
|
agentRealtimeInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_realtime_info_mitigation_mode] |
|
agentRealtimeInfo.agentNetworkStatus |
principal.labels[agent_realtime_info_network_status] (deprecated) |
|
agentRealtimeInfo.agentNetworkStatus |
additional.fields[agent_realtime_info_network_status] |
|
agentRealtimeInfo.agentOsType |
principal.labels[agent_realtime_info_os_type] (deprecated) |
|
agentRealtimeInfo.agentOsType |
additional.fields[agent_realtime_info_os_type] |
|
agentRealtimeInfo.networkInterfaces.id |
principal.labels[network_interface_id] |
|
agentRealtimeInfo.networkInterfaces.name |
principal.labels[network_interface_name] |
|
agentRealtimeInfo.networkInterfaces.physical |
principal.labels[network_interface_physical] |
|
agentRealtimeInfo.operationalState |
principal.asset.attribute.labels[agent_realtime_info_operational_State] |
|
agentRealtimeInfo.rebootRequired |
principal.labels[agent_realtime_info_reboot_required] (deprecated) |
|
agentRealtimeInfo.rebootRequired |
additional.fields[agent_realtime_info_reboot_required] |
|
agentRealtimeInfo.scanAbortedAt |
security_result.detection_fields[agent_realtime_info_scan_aborted_at] |
|
agentRealtimeInfo.scanFinishedAt |
security_result.detection_fields[agent_realtime_info_scan_finished_at] |
|
agentRealtimeInfo.scanStartedAt |
security_result.detection_fields[agent_realtime_info_scan_started_at] |
|
agentRealtimeInfo.scanStatus |
security_result.detection_fields[agent_realtime_info_scan_status] |
|
agentRealtimeInfo.siteId |
principal.labels[agent_realtime_info_site_id] (deprecated) |
|
agentRealtimeInfo.siteId |
additional.fields[agent_realtime_info_site_id] |
|
agentRealtimeInfo.storageName |
principal.resource.name |
|
|
principal.resource.resource_type |
If the agentRealtimeInfo.storageName log field value is not empty, then the principal.resource.resource_type UDM field is set to STORAGE_OBJECT. |
agentRealtimeInfo.storageType |
principal.resource.resource_subtype |
|
agentRealtimeInfo.userActionsNeeded |
security_result.detection_fields[agent_realtime_info_user_actions_needed] |
If the agentRealtimeInfo.userActionsNeeded log field value is not empty, then the agentRealtimeInfo.userActionsNeeded log field is mapped to the security_result.detection_fields.agent_realtime_info_user_actions_needed UDM field. |
containerInfo.isContainerQuarantine |
target.resource.attribute.labels[container_is_container_quarantine] |
|
indicators.category |
security_result.category_details |
|
indicators.categoryId |
security_result.detection_fields[indicators_category_id] |
|
indicators.description |
security_result.description |
|
indicators.ids |
security_result.detection_fields[indicators_ids] |
|
|
security_result.attack_details.tactics.id |
|
indicators.tactics.name |
security_result.attack_details.tactics.name |
If the indicators.tactics.name log field value is not empty, then the indicators.tactics.name log field is mapped to the security_result.attack_details.tactics.name UDM field. |
indicators.tactics.source |
security_result.detection_fields[indicators_tactics_source] |
|
indicators.tactics.techniques.link |
security_result.detection_fields[indicators_tactics_techniques_link] |
|
indicators.tactics.techniques.name |
security_result.attack_details.techniques.id |
If the indicators.tactics.techniques.name log field value is not empty, then the indicators.tactics.techniques.name log field is mapped to the security_result.attack_details.techniques.id UDM field. |
|
security_result.attack_details.techniques.name |
|
|
security_result.attack_details.techniques.subtechnique_id |
|
|
security_result.attack_details.techniques.subtechnique_name |
|
kubernetesInfo.isContainerQuarantine |
target.resource_ancestors.attribute.labels[kubernetes_is_container_quarantine] |
|
kubernetesInfo.nodeLabels |
target.resource_ancestors.attribute.labels[kubernetes_node_labels] |
|
mitigationStatus.action |
security_result.detection_fields[mitigation_status_action] |
|
mitigationStatus.actionsCounters.failed |
security_result.detection_fields[mitigation_status_actions_counters_failed] |
|
mitigationStatus.actionsCounters.notFound |
security_result.detection_fields[mitigation_status_actions_counters_not_Found] |
|
mitigationStatus.actionsCounters.pendingReboot |
security_result.detection_fields[mitigation_status_actions_counters_pending_reboot] |
|
mitigationStatus.actionsCounters.success |
security_result.detection_fields[mitigation_status_actions_counters_success] |
|
mitigationStatus.actionsCounters.total |
security_result.detection_fields[mitigation_status_actions_counters_total] |
|
mitigationStatus.agentSupportsReport |
security_result.detection_fields[mitigation_status_agent_supports_report] |
|
mitigationStatus.groupNotFound |
security_result.detection_fields[mitigation_status_group_not_found] |
|
mitigationStatus.lastUpdate |
security_result.detection_fields[mitigation_status_last_update] |
|
mitigationStatus.latestReport |
security_result.detection_fields[mitigation_status_last_report] |
|
mitigationStatus.mitigationEndedAt |
security_result.detection_fields[mitigation_status_mitigation_ended_at] |
|
mitigationStatus.mitigationStartedAt |
security_result.detection_fields[mitigation_status_mitigation_started_at] |
|
mitigationStatus.status |
security_result.detection_fields[mitigation_status] |
|
threatInfo.analystVerdict |
security_result.detection_fields[analystVerdict] |
|
threatInfo.analystVerdictDescription |
security_result.detection_fields[analyst_verdict_description] |
|
threatInfo.automaticallyResolved |
security_result.detection_fields[automatically_resolved] |
|
threatInfo.browserType |
security_result.detection_fields[browser_type] |
|
threatInfo.certificateId |
security_result.detection_fields[certificate_id] |
|
threatInfo.classification |
security_result.category_details |
|
|
security_result.category |
If the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
Else, if the threatInfo.classification log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
Else, if the threatInfo.classification log field value is equal to Application Control, then the security_result.category UDM field is set to UNKNOWN_CATEGORY.
If the alertInfo.eventType log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
threatInfo.classificationSource |
security_result.detection_fields[classification_source] |
|
threatInfo.cloudFilesHashVerdict |
security_result.detection_fields[cloud_Files_hash_verdict] |
|
threatInfo.collectionId |
security_result.detection_fields[collection_id] |
|
threatInfo.confidenceLevel |
security_result.confidence_details |
|
|
security_result.confidence |
If the threatInfo.confidenceLevel log field value is equal to malicious, then the security_result.confidence UDM field is set to HIGH_CONFIDENCE.Else, if the threatInfo.confidenceLevel log field value is equal to suspicious, then the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. |
threatInfo.createdAt |
metadata.collected_timestamp |
|
threatInfo.detectionEngines |
security_result.detection_fields[detection_engines] |
If the threatInfo.detectionEngines log field value is not empty, then the threatInfo.detectionEngines log field is mapped to the security_result.detection_fields.detection_engines UDM field. |
threatInfo.detectionEngines.key |
security_result.detection_fields[detection_engines_key] |
If the threatInfo.detectionEngines.key log field value is not empty, then the threatInfo.detectionEngines.key log field is mapped to the security_result.detection_fields.detection_engines_key UDM field. |
threatInfo.detectionEngines.title |
security_result.detection_fields[detection_engines_title] |
If the threatInfo.detectionEngines.title log field value is not empty, then the threatInfo.detectionEngines.title log field is mapped to the security_result.detection_fields.detection_engines_title UDM field. |
threatInfo.detectionType |
security_result.detection_fields[detection_type] |
|
threatInfo.engines |
security_result.detection_fields[engines] |
If the threatInfo.engines log field value is not empty, then the threatInfo.engines log field is mapped to the security_result.detection_fields.engines UDM field. |
threatInfo.externalTicketExists |
security_result.detection_fields[external_ticket_exists] |
|
threatInfo.externalTicketExists.description |
security_result.detection_fields[external_ticket_exists_description] |
|
threatInfo.externalTicketExists.readOnly |
security_result.detection_fields[external_ticket_exists_readOnly] |
|
threatInfo.externalTicketId |
security_result.detection_fields[external_ticket_id] |
|
threatInfo.failedActions |
security_result.detection_fields[failed_actions] |
|
threatInfo.fileExtension |
target.file.mime_type |
|
threatInfo.fileExtensionType |
security_result.detection_fields[file_extension_type] |
|
threatInfo.filePath |
target.file.full_path |
|
threatInfo.filePath.description |
security_result.detection_fields[file_path_description] |
|
threatInfo.filePath.readOnly |
security_result.detection_fields[file_path_readOnly] |
|
threatInfo.fileSize |
target.file.size |
|
threatInfo.fileVerificationType |
security_result.detection_fields[file_verification_type] |
|
threatInfo.incidentStatus |
security_result.detection_fields[incident_status] |
|
threatInfo.incidentStatusDescription |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.description |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.readOnly |
security_result.detection_fields[incident_status_description_readOnly] |
|
threatInfo.initiatedBy |
security_result.detection_fields[initiatedBy] |
|
threatInfo.initiatedByDescription |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.description |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.readOnly |
security_result.detection_fields[initiatedBy_description_readOnly] |
|
threatInfo.initiatingUserId |
principal.user.attribute.labels[initiating_user_id] |
|
threatInfo.isFileless |
security_result.detection_fields[is_fileless] |
|
threatInfo.isFileless.description |
security_result.detection_fields[is_fileless_description] |
|
threatInfo.isFileless.readOnly |
security_result.detection_fields[is_fileless_readOnly] |
|
threatInfo.isValidCertificate |
security_result.detection_fields[is_valid_certificate] |
|
threatInfo.maliciousProcessArguments |
security_result.detection_fields[malicious_process_arguments] |
|
threatInfo.md5 |
target.file.md5 |
If the threatInfo.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the threatInfo.md5 log field is mapped to the target.file.md5 UDM field. |
threatInfo.mitigatedPreemptively |
security_result.detection_fields[mitigated_preemptively] |
|
threatInfo.mitigationStatus |
security_result.action_details |
|
|
security_result.threat_status |
If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to CLEARED.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to ACTIVE.
|
threatInfo.mitigationStatusDescription |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.description |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.readOnly |
security_result.detection_fields[mitigation_status_description_readOnly] |
|
threatInfo.originatorProcess |
principal.process.parent_process.file.names |
|
threatInfo.pendingActions |
security_result.detection_fields[pending_actions] |
|
threatInfo.processUser |
principal.user.userid |
|
threatInfo.publisherName |
security_result.threat_feed_name |
|
threatInfo.reachedEventsLimit |
security_result.detection_fields[reached_events_limit] |
|
threatInfo.rebootRequired |
security_result.detection_fields[reboot_required] |
|
threatInfo.sha1 |
target.file.sha1 |
If the threatInfo.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$", then the threatInfo.sha1 log field is mapped to the target.file.sha1 UDM field. |
threatInfo.sha256 |
target.file.sha256 |
If the threatInfo.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$", then the threatInfo.sha256 log field is mapped to the target.file.sha256 UDM field. |
threatInfo.storyline |
security_result.detection_fields[storyline] |
|
threatInfo.threatId |
security_result.threat_id |
|
threatInfo.threatName |
security_result.threat_name |
|
threatInfo.threatName |
target.file.names |
|
threatInfo.updatedAt |
security_result.detection_fields[updatedAt] |
|
whiteningOptions |
about.labels[whitening_options] |
If the whiteningOptions log field value is not empty, then the whiteningOptions log field is mapped to the about.labels.whitening_options UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsRole |
principal.resource.attribute.roles.name |
|
agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups |
principal.resource.attribute.labels[cloud_providers_AWS_security_groups] |
If the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_security_groups UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsSubnetIds |
principal.resource.attribute.labels[cloud_providers_AWS_subnet_ids] |
If the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_subnet_ids UDM field. |
agentDetectionInfo.cloudProviders.AWS.cloudAccount |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_account] |
|
agentDetectionInfo.cloudProviders.AWS.cloudImage |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_image] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceId |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_id] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceSize |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_size] |
|
agentDetectionInfo.cloudProviders.AWS.cloudLocation |
principal.resource.attribute.cloud.availability_zone |
|
agentDetectionInfo.cloudProviders.AWS.cloudNetwork |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_network] |
|
agentDetectionInfo.cloudProviders.AWS.cloudTags |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_tags] |
If the agentDetectionInfo.cloudProviders.AWS.cloudTags log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.cloudTags log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_cloud_tags UDM field. |
modular_input_consumption_time |
about.labels[modular_input_consumption_time] (deprecated) |
|
modular_input_consumption_time |
additional.fields[modular_input_consumption_time] |
|
timestamp |
about.labels[timestamp] (deprecated) |
|
timestamp |
additional.fields[timestamp] |
|
updatedAt |
about.labels[updatedAt] (deprecated) |
|
updatedAt |
additional.fields[updatedAt] |
A seguir
Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais do Google SecOps.