收集 SentinelOne 快訊記錄
支援的國家/地區:
Google SecOps
SIEM
本文說明如何設定 Google Security Operations 動態饋給,收集 SentinelOne 快訊記錄,以及記錄欄位如何對應至 Google SecOps Unified Data Model (UDM) 欄位。
詳情請參閱「將資料擷取至 Google Security Operations 總覽」。
一般部署作業包含 SentinelOne 快訊和 Google SecOps 資訊動態,設定為將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,也可能更複雜。
部署作業包含下列元件:
SentinelOne:您要從中收集記錄的產品。
Google SecOps 資訊提供:從 SentinelOne 擷取記錄,並將記錄寫入 Google SecOps 的 Google SecOps 資訊提供。
Google SecOps:Google SecOps 會保留及分析 SentinelOne 的記錄檔。
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 SENTINELONE_ALERT 攝入標籤的剖析器。
事前準備
請確認您已完成下列事前準備事項:
- SentinelOne 的有效 Singularity Complete 訂閱方案。詳情請參閱「平台套件」。
- GET Alerts 和 GET Threats API 2.1 版
- 全域或帳戶層級的管理員角色。如要取得管理員角色,請與管理員使用者聯絡。
- 安裝 SentinelOne 代理程式的管理員權限。如要取得管理員權限,請與管理員使用者聯絡。
如何設定 SentinelOne:
如要產生 API 權杖,請按照下列步驟操作: 1. 在 SentinelOne 管理控制台中,前往「設定」,然後按一下「使用者」。 1. 按一下要產生 API 權杖的管理員使用者。 1. 依序點選「動作」 >「API 權杖作業」 >「產生 API 權杖」。 您需要這個 API 權杖,才能在 Google SecOps 平台中填入驗證 HTTP 標頭。
設定動態饋給
在 Google SecOps 平台中,有兩種不同的進入點可設定動態饋給:
- 「SIEM 設定」>「動態消息」
- 內容中心 > 內容包
依序前往「SIEM 設定」>「動態消息」,設定動態消息
如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一個頁面中,按一下「設定單一動態饋給」。
- 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「SentinelOne Alert Logs」。
- 選取「第三方 API」做為「來源類型」,並選取「Sentinelone 警報」做為「記錄類型」。
按一下「下一步」,然後填入 SentinelOne 執行個體的「Authentication HTTP headers」(驗證 HTTP 標頭)、「API hostname」(API 主機名稱)、「Initial start time」(初始開始時間)、「Is alert API subscribed」(是否訂閱快訊 API) 和「Asset namespace」(資產命名空間)。
您需要 API 權杖才能填入驗證 HTTP 標頭。 這項權杖可從 SentinelOne 產生,並重複用於日後的動態饋給建立作業。如要產生 API 權杖,請按照下列步驟操作:
- 在 SentinelOne 管理控制台中,前往「設定」,然後按一下「使用者」。
- 按一下要產生 API 權杖的管理員使用者。
- 依序點選「動作」 >「API 權杖作業」 >「產生 API 權杖」。
- 在「Authentication HTTP headers」中,以
Authorization: APIToken Token Value格式輸入產生的 API 權杖。 - 選取「Is alert API subscribed」核取方塊,即可收集 SentinelOne 警報事件。
- 依序點選「下一步」和「提交」。
從內容中心設定動態饋給
為下列欄位指定值:
- 驗證 HTTP 標頭:用於以
key:value格式驗證 SentinelOne 快訊和威脅與靜態指標 API。 - API 主機名稱:SentinelOne API 的完整網域名稱。
- 初始開始時間:應擷取快訊的時間
- 是否已訂閱快訊 API:客戶是否已訂閱快訊 API
存取金鑰 ID:具備 S3 值區讀取權限的使用者存取金鑰。
存取密鑰:使用者的存取密鑰,具備從 S3 bucket 讀取的權限。
進階選項
- 動態饋給名稱:系統預先填入的值,用於識別動態饋給。
- 來源類型:將記錄收集到 Google SecOps 的方法。
- 資產命名空間:與動態饋給相關聯的命名空間。
- 擷取標籤:套用至這個動態饋給所有事件的標籤。
支援的 SentinelOne 快訊記錄類型
SentinelOne 警示剖析器支援警示和威脅記錄檔類型。
支援的 SentinelOne 快訊記錄格式
SentinelOne Alert 剖析器支援 JSON 和 CEF 格式的記錄。
支援的 SentinelOne 快訊樣本記錄
JSON
{ "accountId": "1235512064263015539", "accountName": "dummy", "agentComputerName": "dummy", "agentDomain": "WORKGROUP", "agentId": "1245680559492378683", "agentInfected": false, "agentIp": "198.51.100.0", "agentIsActive": false, "agentIsDecommissioned": true, "agentMachineType": "server", "agentNetworkStatus": "disconnecting", "agentOsType": "windows", "agentVersion": "21.6.2.272", "annotation": "Automatically resolved by SentinelOne Console", "automaticallyResolved": true, "browserType": null, "certId": "", "classification": "Malware", "classificationSource": "Static", "classifierName": "MANUAL", "cloudVerdict": null, "collectionId": "1251555311751427932", "commandId": "1251555264615838432", "createdAt": "2022-09-03T19:36:59.540349Z", "createdDate": "2021-09-23T19:36:57.867000Z", "description": "malware detected - not mitigated yet (cmd.exe (interactive session))", "engines": [ "manual" ], "external_ticket_id": null, "fileContentHash": "c3d10d8d9fce936e5ca32f930f20c8e703619f71", "fileCreatedDate": null, "fileDisplayName": "Unknown file", "fileExtensionType": "None", "fileIsDotNet": null, "fileIsExecutable": false, "fileIsSystem": false, "fileMaliciousContent": null, "fileObjectId": "3EFA3EFA3EFA3EFA", "filePath": "/home/gitlab-runner/webshell_hits/old.hits-go-here/fedcd896ef45bf145d7e880edd4e5390.dll", "fileSha256": null, "fileVerificationType": "NotSigned", "fromCloud": false, "fromScan": false, "id": "1251555311717873499", "indicators": [ { "categoryName": "test Hiding/Stealthiness", "description": "This binary may have Anti-sandboxing capabilities to evade detection in sandbox tools", "id": 126 }, { "categoryName": "Hiding/Stealthiness", "description": "sample desc There are signs of a backdoor in the PE header", "id": 127 }, { "categoryName": "Test category name Hiding/Stealthiness", "description": "This binary might try to schedule a task or modify a scheduled task", "id": 129 } ], "initiatedBy": "dvCommand", "initiatedByDescription": "Deep Visibility Command", "initiatingUserId": "1245152494739966182", "isCertValid": false, "isInteractiveSession": true, "isPartialStory": false, "maliciousGroupId": "DEA2CA314B3AB7E4", "maliciousProcessArguments": "", "markedAsBenign": true, "mitigationMode": "protect", "mitigationReport": { "kill": { "status": "success" }, "network_quarantine": { "status": null }, "quarantine": { "status": "success" }, "remediate": { "status": null }, "rollback": { "status": null }, "unquarantine": { "status": null } }, "mitigationStatus": "mitigated", "publisher": "", "rank": null, "resolved": true, "siteId": "1235512064330124404", "siteName": "Default site", "threatAgentVersion": "21.6.2.272", "threatName": "cmd.exe (interactive session)", "updatedAt": "2021-10-23T20:34:15.668440Z", "username": "dummy\\\\Administrator", "whiteningOptions": [] }CEF
<86>Nov 5 11:53:06 abcdefg sshd[1475549]: reprocess config line 158: Deprecated option RhostsRSAAuthentication
欄位對應參考資料
本節說明 Google SecOps 剖析器如何將 SentinelOne 警報欄位對應至 Google SecOps 統合式資料模型 (UDM) 欄位。
欄位對應參照:事件 ID 對應至事件類型
下表列出SENTINELONE_ALERT 記錄類型及其對應的 UDM 事件類型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
BEHAVIORALINDICATORS |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
DNS |
NETWORK_DNS |
|
DUPLICATEPROCESS |
PROCESS_UNCATEGORIZED |
|
FILECREATION |
FILE_CREATION |
|
FILEDELETION |
FILE_DELETION |
|
FILEMODIFICATION |
FILE_MODIFICATION |
|
FILERENAME |
FILE_MODIFICATION |
|
FILESCAN |
SCAN_FILE |
|
HTTP |
NETWORK_HTTP |
|
MALICIOUSFILE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
OPENPROCESS |
PROCESS_OPEN |
|
PROCESSCREATION |
PROCESS_LAUNCH |
|
REGKEYCREATE |
REGISTRY_CREATION |
|
REGKEYDELETE |
REGISTRY_DELETION |
|
REGVALUECREATE |
REGISTRY_CREATION |
|
REGVALUEDELETE |
REGISTRY_DELETION |
|
REGVALUEMODIFIED |
REGISTRY_MODIFICATION |
|
SCHEDTASKSTART |
SERVICE_START |
|
SCHEDTASKTRIGGER |
SERVICE_START |
|
SCHEDTASKUPDATE |
SERVICE_MODIFICATION |
|
SCRIPTS |
FILE_UNCATEGORIZED |
|
TCPV4 |
NETWORK_UNCATEGORIZED |
|
TCPV4LISTEN |
NETWORK_UNCATEGORIZED |
|
WINLOGONATTEMPT |
USER_LOGIN |
|
If the threatInfo.filePath log field is not empty or the threatInfo.fileSize log field value is not empty, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
FILE_UNCATEGORIZED |
|
欄位對應參考資料:SENTINELONE_ALERT
下表列出 SENTINELONE_ALERT 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
|
|
metadata.product_name |
|
|
metadata.url_back_to_product |
If the threatInfo.threatId log field value is not empty and the source_hostname log field value is not empty, then the https://source_hostname/incidents/threats/threatInfo.threatId/overview log field is mapped to the metadata.url_back_to_product UDM field.Else, if the source_hostname log field value is not empty, then the https://source_hostname log field is mapped to the metadata.url_back_to_product UDM field. |
agentDetectionInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value matches the regular expression pattern laptop, then the principal.asset.type UDM field is set to LAPTOP.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern desktop, then the principal.asset.type UDM field is set to WORKSTATION.Else, if the agentDetectionInfo.machineType log field value matches the regular expression pattern server, then the principal.asset.type UDM field is set to SERVER.Else, the agentDetectionInfo.machineType log field is mapped to the principal.asset.attribute.labels.agent_detection_info_machine_type UDM field. |
agentRealtimeInfo.agentMachineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is not empty , then:
|
agentRealtimeInfo.machineType |
principal.asset.type |
If the agentDetectionInfo.machineType log field value is empty and the agentRealtimeInfo.agentMachineType log field value is empty and the agentRealtimeInfo.machineType log field value is not empty , then:
|
agentDetectionInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentRealtimeInfo.name |
principal.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.hostname UDM field. |
agentDetectionInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.agentComputerName |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentRealtimeInfo.name |
principal.asset.hostname |
If the agentDetectionInfo.name log field value is not empty, then the agentDetectionInfo.name log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.agentComputerName log field value is not empty, then the agentRealtimeInfo.agentComputerName log field is mapped to the principal.asset.hostname UDM field.Else, if the agentRealtimeInfo.name log field value is not empty, then the agentRealtimeInfo.name log field is mapped to the principal.asset.hostname UDM field. |
agentDetectionInfo.osFamily |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX.Else, the agentDetectionInfo.osFamily log field is mapped to the principal.asset.attribute.labels.agent_detection_info_os_family UDM field. |
agentRealtimeInfo.os |
principal.asset.platform_software.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osFamily |
principal.platform |
If the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)win, then the principal.platform UDM field is set to WINDOWS.Else, if the agentDetectionInfo.osFamily log field value matches the regular expression pattern (?i)lin, then the principal.platform UDM field is set to LINUX |
agentRealtimeInfo.os |
principal.platform |
If the agentDetectionInfo.osFamily log field value is empty and the agentRealtimeInfo.os log field value is not empty , then:
|
agentDetectionInfo.osName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentRealtimeInfo.agentOsName |
principal.asset.platform_software.platform_version |
If the agentDetectionInfo.osName log field value is not empty, then the agentDetectionInfo.osName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentDetectionInfo.agentOsName log field value is not empty, then the agentDetectionInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field.Else, if the agentRealtimeInfo.agentOsName log field value is not empty, then the agentRealtimeInfo.agentOsName log field is mapped to the principal.asset.platform_software.platform_version UDM field. |
agentDetectionInfo.osRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentRealtimeInfo.agentOsRevision |
principal.asset.platform_software.platform_patch_level |
If the agentDetectionInfo.osRevision log field value is not empty, then the agentDetectionInfo.osRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentDetectionInfo.agentOsRevision log field value is not empty, then the agentDetectionInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.Else, if the agentRealtimeInfo.agentOsRevision log field value is not empty, then the agentRealtimeInfo.agentOsRevision log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field. |
agentDetectionInfo.siteId |
principal.labels[agent_detection_info_siteId] (deprecated) |
|
agentDetectionInfo.siteId |
additional.fields[agent_detection_info_siteId] |
|
agentDetectionInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset_id UDM field. |
agentDetectionInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.uuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentRealtimeInfo.agentUuid |
principal.asset.asset_id |
If the agentDetectionInfo.uuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentDetectionInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentDetectionInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.uuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.uuid} log field is mapped to the principal.asset.asset_id UDM field.Else, if the agentRealtimeInfo.agentUuid log field value is not empty, then the SentinelOne:%{agentRealtimeInfo.agentUuid} log field is mapped to the principal.asset.asset_id UDM field. |
agentDetectionInfo.version |
principal.asset.attribute.labels[agent_version] |
|
agentDetectionInfo.agentVersion |
principal.asset.attribute.labels[agent_detection_info_agent_version] |
|
agentRealtimeInfo.agentVersion |
principal.asset.attribute.labels[agent_realtime_info_agent_version] |
|
agentRealtimeInfo.id |
principal.asset.attribute.labels[agent_realtime_info_id] |
|
agentRealtimeInfo.infected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.agentInfected |
principal.asset.attribute.labels[agent_realtime_info_infected] |
|
agentRealtimeInfo.isActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.agentIsActive |
principal.asset.attribute.labels[agent_realtime_info_is_active] |
|
agentRealtimeInfo.isDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
agentRealtimeInfo.agentIsDecommissioned |
principal.asset.attribute.labels[agent_realtime_info_is_decommissioned] |
|
alertInfo.alertId |
metadata.product_log_id |
|
id |
metadata.product_log_id |
|
metadata.product_event_type |
If the log matches the regular expression pattern alertInfo, then the metadata.product_event_type UDM field is set to Alerts.Else, if the log matches the regular expression pattern threatInfo, then the metadata.product_event_type UDM field is set to Threats. |
|
alertInfo.analystVerdict |
security_result.detection_fields[alert_info_analyst_verdict] |
|
alertInfo.createdAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
threatInfo.identifiedAt |
metadata.event_timestamp |
If the alertInfo.createdAt log field value is not empty, then the alertInfo.createdAt log field is mapped to the metadata.event_timestamp UDM field.Else, if the threatInfo.identifiedAt log field value is not empty, then the threatInfo.identifiedAt log field is mapped to the metadata.event_timestamp UDM field. |
|
network.application_protocol |
If the alertInfo.dnsRequest log field value is not empty, then the network.application_protocol UDM field is set to DNS. |
alertInfo.dnsRequest |
network.dns.questions.name |
|
alertInfo.dnsResponse |
network.dns.answers.name |
|
alertInfo.dstIp |
target.ip |
|
alertInfo.dstPort |
target.port |
|
alertInfo.dvEventId |
security_result.detection_fields[alert_info_dv_event_id] |
|
alertInfo.eventType |
security_result.detection_fields[alert_info_event_type] |
|
alertInfo.hitType |
security_result.detection_fields[alert_info_hit_type] |
|
alertInfo.incidentStatus |
security_result.detection_fields[alert_info_incident_status] |
|
alertInfo.indicatorCategory |
security_result.detection_fields[alert_info_indicator_category] |
|
alertInfo.indicatorDescription |
security_result.detection_fields[alert_info_indicator_description] |
|
alertInfo.indicatorName |
security_result.detection_fields[alert_info_indicator_name] |
|
alertInfo.isEdr |
security_result.detection_fields[alert_info_is_edr] |
|
alertInfo.loginAccountDomain |
security_result.detection_fields[alert_info_login_account_domain] |
|
alertInfo.loginAccountSid |
security_result.detection_fields[alert_info_login_account_sid] |
|
alertInfo.loginIsAdministratorEquivalent |
security_result.detection_fields[alert_info_login_is_administrator_equivalent] |
|
|
security_result.action |
If the alertInfo.loginIsSuccessful log field value is equal to true, then the security_result.action UDM field is set to ALLOW. else the alertInfo.loginIsSuccessful log field value is equal to false, then the security_result.action UDM field is set to BLOCK.If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to BLOCK.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.action UDM field is set to ALLOW.
|
|
extensions.auth.mechanism |
If the alertInfo.loginType log field value is equal to NETWORK, then the extensions.auth.mechanism UDM field is set to NETWORK.Else, if the alertInfo.loginType log field value is equal to SYSTEM, then the extensions.auth.mechanism UDM field is set to LOCAL.Else, if the alertInfo.loginType log field value is equal to INTERACTIVE, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to BATCH, then the extensions.auth.mechanism UDM field is set to BATCH.Else, if the alertInfo.loginType log field value is equal to SERVICE, then the extensions.auth.mechanism UDM field is set to SERVICE.Else, if the alertInfo.loginType log field value is equal to UNLOCK, then the extensions.auth.mechanism UDM field is set to UNLOCK.Else, if the alertInfo.loginType log field value is equal to NETWORK_CLEAR_TEXT, then the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT.Else, if the alertInfo.loginType log field value is equal to NEW_CREDENTIALS, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.Else, if the alertInfo.loginType log field value is equal to REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_REMOTE_INTERACTIVE, then the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE.Else, if the alertInfo.loginType log field value is equal to CACHED_UNLOCK, then the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK. |
alertInfo.loginsUserName |
target.user.user_display_name |
|
alertInfo.modulePath |
security_result.detection_fields[alert_info_module_path] |
|
alertInfo.moduleSha1 |
security_result.detection_fields[alert_info_module_sha1] |
|
alertInfo.netEventDirection |
network.direction |
If the alertInfo.netEventDirection log field value matches the regular expression pattern OUTGOING, then the network.direction UDM field is set to OUTBOUND.Else, if the alertInfo.netEventDirection log field value matches the regular expression pattern INCOMING, then the network.direction UDM field is set to INBOUND. |
alertInfo.registryKeyPath |
target.registry.registry_key |
|
alertInfo.registryOldValue |
src.registry.registry_value_data |
|
alertInfo.registryOldValueType |
src.registry.registry_value_name |
|
alertInfo.registryPath |
src.registry.registry_key |
|
alertInfo.registryValue |
target.registry.registry_value_data |
|
alertInfo.reportedAt |
security_result.first_discovered_time |
|
alertInfo.source |
security_result.category_details |
|
alertInfo.srcPort |
principal.port |
|
alertInfo.tiIndicatorComparisonMethod |
security_result.detection_fields[alert_info_tiIndicator_comparison_method] |
|
alertInfo.tiIndicatorSource |
security_result.detection_fields[alert_info_tiIndicator_source] |
|
alertInfo.tiIndicatorType |
security_result.detection_fields[alert_info_tiIndicator_type] |
|
alertInfo.tiIndicatorValue |
security_result.detection_fields[alert_info_tiIndicator_value] |
|
alertInfo.updatedAt |
security_result.detection_fields[alert_info_updated_at] |
|
containerInfo.id |
target.resource.product_object_id |
|
containerInfo.image |
target.resource.attribute.labels[container_image] |
|
containerInfo.labels |
target.resource.attribute.labels[container_labels] |
If the containerInfo.labels log field value is not empty, then the containerInfo.labels log field is mapped to the target.resource.attribute.labels.container_labels UDM field. |
containerInfo.name |
target.resource.name |
|
|
target.resource.resource_type |
If the containerInfo.name log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER. |
kubernetesInfo.cluster |
target.resource_ancestors.name |
|
kubernetesInfo.controllerName |
target.resource_ancestors.name |
|
kubernetesInfo.node |
target.resource_ancestors.name |
|
kubernetesInfo.pod |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
If the kubernetesInfo.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to POD.If the kubernetesInfo.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.isContainerQuarantine log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.controllerName log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the kubernetesInfo.node log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. |
kubernetesInfo.controllerKind |
target.resource_ancestors.attribute.labels[kubernetes_controller_kind] |
|
kubernetesInfo.controllerLabels |
target.resource_ancestors.attribute.labels[kubernetes_controller_labels] |
If the kubernetesInfo.controllerLabels log field value is not empty, then the kubernetesInfo.controllerLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_controller_labels UDM field. |
kubernetesInfo.namespace |
target.resource_ancestors.attribute.labels[kubernetes_namespace] |
|
kubernetesInfo.namespaceLabels |
target.resource_ancestors.attribute.labels[kubernetes_namespace_labels] |
|
kubernetesInfo.podLabels |
target.resource_ancestors.attribute.labels[kubernetes_pod_labels] |
If the kubernetesInfo.podLabels log field value is not empty, then the kubernetesInfo.podLabels log field is mapped to the target.resource_ancestors.attribute.labels.kubernetes_pod_labels UDM field. |
ruleInfo.description |
security_result.rule_set_display_name |
|
ruleInfo.id |
security_result.rule_id |
|
ruleInfo.name |
security_result.rule_name |
|
ruleInfo.queryLang |
security_result.rule_labels[query_lang] |
|
ruleInfo.queryType |
security_result.rule_labels[query_type] |
|
ruleInfo.s1ql |
security_result.rule_labels[s1ql] |
|
ruleInfo.scopeLevel |
security_result.rule_labels[scope_level] |
|
|
security_result.severity |
If the ruleInfo.severity log field value matches the regular expression pattern (?i)low, then the security_result.severity UDM field is set to LOW.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)critical, then the security_result.severity UDM field is set to CRITICAL.Else, if the ruleInfo.severity log field value matches the regular expression pattern (?i)high, then the security_result.severity UDM field is set to HIGH. |
ruleInfo.severity |
security_result.severity_details |
|
ruleInfo.treatAsThreat |
security_result.rule_type |
|
sourceParentProcessInfo.commandline |
principal.process.parent_process.command_line |
|
sourceParentProcessInfo.fileHashMd5 |
principal.process.parent_process.file.md5 |
If the sourceParentProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceParentProcessInfo.fileHashMd5 log field is mapped to the principal.process.parent_process.file.md5 UDM field. |
sourceParentProcessInfo.fileHashSha1 |
principal.process.parent_process.file.sha1 |
If the sourceParentProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceParentProcessInfo.fileHashSha1 log field is mapped to the principal.process.parent_process.file.sha1 UDM field. |
sourceParentProcessInfo.fileHashSha256 |
principal.process.parent_process.file.sha256 |
If the sourceParentProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceParentProcessInfo.fileHashSha256 log field is mapped to the principal.process.parent_process.file.sha256 UDM field. |
sourceParentProcessInfo.filePath |
principal.process.parent_process.file.full_path |
|
sourceParentProcessInfo.fileSignerIdentity |
principal.process.parent_process.file.signature_info.sigcheck.signers.name |
|
sourceParentProcessInfo.integrityLevel |
principal.labels[source_parent_process_integrity_level] (deprecated) |
|
sourceParentProcessInfo.integrityLevel |
additional.fields[source_parent_process_integrity_level] |
|
sourceParentProcessInfo.name |
principal.labels[source_parent_process_name] (deprecated) |
|
sourceParentProcessInfo.name |
additional.fields[source_parent_process_name] |
|
sourceParentProcessInfo.pid |
principal.process.parent_process.pid |
|
sourceParentProcessInfo.pidStarttime |
principal.labels[source_parent_process_pid_start_time] (deprecated) |
|
sourceParentProcessInfo.pidStarttime |
additional.fields[source_parent_process_pid_start_time] |
|
sourceParentProcessInfo.storyline |
principal.labels[source_parent_process_storyline] (deprecated) |
|
sourceParentProcessInfo.storyline |
additional.fields[source_parent_process_storyline] |
|
sourceParentProcessInfo.subsystem |
principal.labels[source_parent_process_subsystem] (deprecated) |
|
sourceParentProcessInfo.subsystem |
additional.fields[source_parent_process_subsystem] |
|
|
principal.process.parent_process.product_specific_process_id |
If the sourceParentProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceParentProcessInfo.uniqueId} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
sourceParentProcessInfo.user |
principal.labels[source_parent_process_user] (deprecated) |
|
sourceParentProcessInfo.user |
additional.fields[source_parent_process_user] |
|
sourceProcessInfo.commandline |
principal.process.command_line |
|
sourceProcessInfo.fileHashMd5 |
principal.process.file.md5 |
If the sourceProcessInfo.fileHashMd5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the sourceProcessInfo.fileHashMd5 log field is mapped to the principal.process.file.md5 UDM field. |
sourceProcessInfo.fileHashSha1 |
principal.process.file.sha1 |
If the sourceProcessInfo.fileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the sourceProcessInfo.fileHashSha1 log field is mapped to the principal.process.file.sha1 UDM field. |
sourceProcessInfo.fileHashSha256 |
principal.process.file.sha256 |
If the sourceProcessInfo.fileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the sourceProcessInfo.fileHashSha256 log field is mapped to the principal.process.file.sha256 UDM field. |
sourceProcessInfo.filePath |
principal.process.file.full_path |
|
sourceProcessInfo.fileSignerIdentity |
principal.process.file.signature_info.sigcheck.signers.name |
|
sourceProcessInfo.integrityLevel |
principal.labels[source_process_integrity_level] (deprecated) |
|
sourceProcessInfo.integrityLevel |
additional.fields[source_process_integrity_level] |
|
sourceProcessInfo.name |
principal.labels[source_process_name] (deprecated) |
|
sourceProcessInfo.name |
additional.fields[source_process_name] |
|
sourceProcessInfo.pid |
principal.process.pid |
|
sourceProcessInfo.pidStarttime |
principal.labels[source_process_pid_start_time] (deprecated) |
|
sourceProcessInfo.pidStarttime |
additional.fields[source_process_pid_start_time] |
|
sourceProcessInfo.storyline |
principal.labels[source_process_storyline] (deprecated) |
|
sourceProcessInfo.storyline |
additional.fields[source_process_storyline] |
|
sourceProcessInfo.subsystem |
principal.labels[source_process_subsystem] (deprecated) |
|
sourceProcessInfo.subsystem |
additional.fields[source_process_subsystem] |
|
|
principal.process.product_specific_process_id |
If the sourceProcessInfo.uniqueId log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{sourceProcessInfo.uniqueId} log field is mapped to the principal.process.product_specific_process_id UDM field. |
sourceProcessInfo.user |
principal.user.user_display_name |
|
threatInfo.initiatingUsername |
principal.user.user_display_name |
|
targetProcessInfo.tgtFileCreatedAt |
target.process.file.first_seen_time |
|
targetProcessInfo.tgtFileHashSha1 |
target.process.file.sha1 |
If the targetProcessInfo.tgtFileHashSha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$, then the targetProcessInfo.tgtFileHashSha1 log field is mapped to the target.process.file.sha1 UDM field. |
targetProcessInfo.tgtFileHashSha256 |
target.process.file.sha256 |
If the targetProcessInfo.tgtFileHashSha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the targetProcessInfo.tgtFileHashSha256 log field is mapped to the target.process.file.sha256 UDM field. |
targetProcessInfo.tgtFileId |
target.labels[target_file_id] (deprecated) |
|
targetProcessInfo.tgtFileId |
additional.fields[target_file_id] |
|
targetProcessInfo.tgtFileIsSigned |
target.process.file.signature_info.sigcheck.verification_message |
|
targetProcessInfo.tgtFileModifiedAt |
target.process.file.last_modification_time |
|
targetProcessInfo.tgtFileOldPath |
target.labels[target_file_old_path] (deprecated) |
|
targetProcessInfo.tgtFileOldPath |
additional.fields[target_file_old_path] |
|
targetProcessInfo.tgtFilePath |
target.process.file.full_path |
|
targetProcessInfo.tgtProcCmdLine |
target.process.command_line |
|
targetProcessInfo.tgtProcImagePath |
target.labels[target_process_image_path] (deprecated) |
|
targetProcessInfo.tgtProcImagePath |
additional.fields[target_process_image_path] |
|
targetProcessInfo.tgtProcIntegrityLevel |
target.labels[target_process_integrity_level] (deprecated) |
|
targetProcessInfo.tgtProcIntegrityLevel |
additional.fields[target_process_integrity_level] |
|
targetProcessInfo.tgtProcName |
target.labels[target_process_name] (deprecated) |
|
targetProcessInfo.tgtProcName |
additional.fields[target_process_name] |
|
targetProcessInfo.tgtProcPid |
target.process.pid |
|
targetProcessInfo.tgtProcSignedStatus |
target.labels[target_process_signed_status] (deprecated) |
|
targetProcessInfo.tgtProcSignedStatus |
additional.fields[target_process_signed_status] |
|
targetProcessInfo.tgtProcStorylineId |
target.labels[target_process_storyline_id] (deprecated) |
|
targetProcessInfo.tgtProcStorylineId |
additional.fields[target_process_storyline_id] |
|
|
target.process.product_specific_process_id |
If the targetProcessInfo.tgtProcUid log field value is not empty, then the SO:%{agentDetectionInfo.siteId}:%{agentDetectionInfo.accountId}:%{agentDetectionInfo.uuid}:%{targetProcessInfo.tgtProcUid} log field is mapped to the target.process.product_specific_process_id UDM field. |
targetProcessInfo.tgtProcessStartTime |
target.labels[target_process_start_time] (deprecated) |
|
targetProcessInfo.tgtProcessStartTime |
additional.fields[target_process_start_time] |
|
source_hostname |
intermediary.hostname |
|
agentDetectionInfo.accountId |
metadata.product_deployment_id |
|
agentDetectionInfo.accountName |
principal.labels[agent_detection_info_account_name] (deprecated) |
|
agentDetectionInfo.accountName |
additional.fields[agent_detection_info_account_name] |
|
agentDetectionInfo.agentDetectionState |
principal.asset.attribute.labels[agent_detection_info_detection_state] |
|
agentDetectionInfo.agentDomain |
principal.administrative_domain |
|
agentDetectionInfo.agentIpV4 |
principal.ip |
|
agentDetectionInfo.agentIpV6 |
principal.ip |
|
alertInfo.srcIp |
principal.ip |
|
alertInfo.srcMachineIp |
principal.ip |
|
agentDetectionInfo.agentIpV4 |
principal.asset.ip |
|
agentDetectionInfo.agentIpV6 |
principal.asset.ip |
|
alertInfo.srcIp |
principal.asset.ip |
|
alertInfo.srcMachineIp |
principal.asset.ip |
|
agentDetectionInfo.agentLastLoggedInUpn |
principal.labels[agent_detection_info_last_logged_in_upn] (deprecated) |
|
agentDetectionInfo.agentLastLoggedInUpn |
additional.fields[agent_detection_info_last_logged_in_upn] |
|
agentDetectionInfo.agentLastLoggedInUserMail |
principal.user.email_addresses |
|
agentDetectionInfo.agentLastLoggedInUserName |
principal.user.attribute.labels[agent_last_loggedIn_user_name] |
|
agentDetectionInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_detection_info_mitigation_mode] |
|
agentDetectionInfo.agentRegisteredAt |
principal.asset.first_discover_time |
|
agentDetectionInfo.externalIp |
principal.nat_ip |
|
agentDetectionInfo.groupId |
principal.group.attribute.labels[agent_detection_info_group_id] |
|
agentRealtimeInfo.groupId |
principal.group.attribute.labels[agent_realtime_info_group_id] |
|
agentDetectionInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentRealtimeInfo.groupName |
principal.group.group_display_name |
If the agentDetectionInfo.groupName log field value is not empty, then the agentDetectionInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.If the agentDetectionInfo.groupName log field value is empty and the agentRealtimeInfo.groupName log field value is not empty, then the agentRealtimeInfo.groupName log field is mapped to the principal.group.group_display_name UDM field.Else, the agentRealtimeInfo.groupName log field is mapped to the principal.group.attribute.labels.agent_realtime_info_group_name UDM field. |
agentDetectionInfo.siteName |
principal.labels[agent_detection_info_site_name] (deprecated) |
|
agentDetectionInfo.siteName |
additional.fields[agent_detection_info_site_name] |
|
agentRealtimeInfo.siteName |
principal.labels[agent_realtime_info_site_name] (deprecated) |
|
agentRealtimeInfo.siteName |
additional.fields[agent_realtime_info_site_name] |
|
agentRealtimeInfo.accountId |
principal.labels[agent_realtime_info_account_id] (deprecated) |
|
agentRealtimeInfo.accountId |
additional.fields[agent_realtime_info_account_id] |
|
agentRealtimeInfo.accountName |
principal.labels[agent_realtime_info_account_name] (deprecated) |
|
agentRealtimeInfo.accountName |
additional.fields[agent_realtime_info_account_name] |
|
agentRealtimeInfo.activeThreats |
security_result.detection_fields[agent_realtime_info_active_threats] |
|
agentRealtimeInfo.agentDecommissionedAt |
principal.asset.attribute.labels[agent_realtime_info_agent_decommissioned_at] |
|
agentRealtimeInfo.agentDomain |
principal.labels[agent_realtime_info_domain] (deprecated) |
|
agentRealtimeInfo.agentDomain |
additional.fields[agent_realtime_info_domain] |
|
agentRealtimeInfo.agentId |
principal.asset.attribute.labels[agent_realtime_info_agent_id] |
|
agentRealtimeInfo.agentMitigationMode |
principal.asset.attribute.labels[agent_realtime_info_mitigation_mode] |
|
agentRealtimeInfo.agentNetworkStatus |
principal.labels[agent_realtime_info_network_status] (deprecated) |
|
agentRealtimeInfo.agentNetworkStatus |
additional.fields[agent_realtime_info_network_status] |
|
agentRealtimeInfo.agentOsType |
principal.labels[agent_realtime_info_os_type] (deprecated) |
|
agentRealtimeInfo.agentOsType |
additional.fields[agent_realtime_info_os_type] |
|
agentRealtimeInfo.networkInterfaces.id |
principal.labels[network_interface_id] |
|
agentRealtimeInfo.networkInterfaces.name |
principal.labels[network_interface_name] |
|
agentRealtimeInfo.networkInterfaces.physical |
principal.labels[network_interface_physical] |
|
agentRealtimeInfo.operationalState |
principal.asset.attribute.labels[agent_realtime_info_operational_State] |
|
agentRealtimeInfo.rebootRequired |
principal.labels[agent_realtime_info_reboot_required] (deprecated) |
|
agentRealtimeInfo.rebootRequired |
additional.fields[agent_realtime_info_reboot_required] |
|
agentRealtimeInfo.scanAbortedAt |
security_result.detection_fields[agent_realtime_info_scan_aborted_at] |
|
agentRealtimeInfo.scanFinishedAt |
security_result.detection_fields[agent_realtime_info_scan_finished_at] |
|
agentRealtimeInfo.scanStartedAt |
security_result.detection_fields[agent_realtime_info_scan_started_at] |
|
agentRealtimeInfo.scanStatus |
security_result.detection_fields[agent_realtime_info_scan_status] |
|
agentRealtimeInfo.siteId |
principal.labels[agent_realtime_info_site_id] (deprecated) |
|
agentRealtimeInfo.siteId |
additional.fields[agent_realtime_info_site_id] |
|
agentRealtimeInfo.storageName |
principal.resource.name |
|
|
principal.resource.resource_type |
If the agentRealtimeInfo.storageName log field value is not empty, then the principal.resource.resource_type UDM field is set to STORAGE_OBJECT. |
agentRealtimeInfo.storageType |
principal.resource.resource_subtype |
|
agentRealtimeInfo.userActionsNeeded |
security_result.detection_fields[agent_realtime_info_user_actions_needed] |
If the agentRealtimeInfo.userActionsNeeded log field value is not empty, then the agentRealtimeInfo.userActionsNeeded log field is mapped to the security_result.detection_fields.agent_realtime_info_user_actions_needed UDM field. |
containerInfo.isContainerQuarantine |
target.resource.attribute.labels[container_is_container_quarantine] |
|
indicators.category |
security_result.category_details |
|
indicators.categoryId |
security_result.detection_fields[indicators_category_id] |
|
indicators.description |
security_result.description |
|
indicators.ids |
security_result.detection_fields[indicators_ids] |
|
|
security_result.attack_details.tactics.id |
|
indicators.tactics.name |
security_result.attack_details.tactics.name |
If the indicators.tactics.name log field value is not empty, then the indicators.tactics.name log field is mapped to the security_result.attack_details.tactics.name UDM field. |
indicators.tactics.source |
security_result.detection_fields[indicators_tactics_source] |
|
indicators.tactics.techniques.link |
security_result.detection_fields[indicators_tactics_techniques_link] |
|
indicators.tactics.techniques.name |
security_result.attack_details.techniques.id |
If the indicators.tactics.techniques.name log field value is not empty, then the indicators.tactics.techniques.name log field is mapped to the security_result.attack_details.techniques.id UDM field. |
|
security_result.attack_details.techniques.name |
|
|
security_result.attack_details.techniques.subtechnique_id |
|
|
security_result.attack_details.techniques.subtechnique_name |
|
kubernetesInfo.isContainerQuarantine |
target.resource_ancestors.attribute.labels[kubernetes_is_container_quarantine] |
|
kubernetesInfo.nodeLabels |
target.resource_ancestors.attribute.labels[kubernetes_node_labels] |
|
mitigationStatus.action |
security_result.detection_fields[mitigation_status_action] |
|
mitigationStatus.actionsCounters.failed |
security_result.detection_fields[mitigation_status_actions_counters_failed] |
|
mitigationStatus.actionsCounters.notFound |
security_result.detection_fields[mitigation_status_actions_counters_not_Found] |
|
mitigationStatus.actionsCounters.pendingReboot |
security_result.detection_fields[mitigation_status_actions_counters_pending_reboot] |
|
mitigationStatus.actionsCounters.success |
security_result.detection_fields[mitigation_status_actions_counters_success] |
|
mitigationStatus.actionsCounters.total |
security_result.detection_fields[mitigation_status_actions_counters_total] |
|
mitigationStatus.agentSupportsReport |
security_result.detection_fields[mitigation_status_agent_supports_report] |
|
mitigationStatus.groupNotFound |
security_result.detection_fields[mitigation_status_group_not_found] |
|
mitigationStatus.lastUpdate |
security_result.detection_fields[mitigation_status_last_update] |
|
mitigationStatus.latestReport |
security_result.detection_fields[mitigation_status_last_report] |
|
mitigationStatus.mitigationEndedAt |
security_result.detection_fields[mitigation_status_mitigation_ended_at] |
|
mitigationStatus.mitigationStartedAt |
security_result.detection_fields[mitigation_status_mitigation_started_at] |
|
mitigationStatus.status |
security_result.detection_fields[mitigation_status] |
|
threatInfo.analystVerdict |
security_result.detection_fields[analystVerdict] |
|
threatInfo.analystVerdictDescription |
security_result.detection_fields[analyst_verdict_description] |
|
threatInfo.automaticallyResolved |
security_result.detection_fields[automatically_resolved] |
|
threatInfo.browserType |
security_result.detection_fields[browser_type] |
|
threatInfo.certificateId |
security_result.detection_fields[certificate_id] |
|
threatInfo.classification |
security_result.category_details |
|
|
security_result.category |
If the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_SUSPICIOUS.
Else, if the threatInfo.classification log field value contain one of the following values, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
Else, if the threatInfo.classification log field value is equal to Exploit, then the security_result.category UDM field is set to EXPLOIT.
Else, if the threatInfo.classification log field value is equal to Application Control, then the security_result.category UDM field is set to UNKNOWN_CATEGORY.
If the alertInfo.eventType log field value contain one of the following values, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
|
threatInfo.classificationSource |
security_result.detection_fields[classification_source] |
|
threatInfo.cloudFilesHashVerdict |
security_result.detection_fields[cloud_Files_hash_verdict] |
|
threatInfo.collectionId |
security_result.detection_fields[collection_id] |
|
threatInfo.confidenceLevel |
security_result.confidence_details |
|
|
security_result.confidence |
If the threatInfo.confidenceLevel log field value is equal to malicious, then the security_result.confidence UDM field is set to HIGH_CONFIDENCE.Else, if the threatInfo.confidenceLevel log field value is equal to suspicious, then the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. |
threatInfo.createdAt |
metadata.collected_timestamp |
|
threatInfo.detectionEngines |
security_result.detection_fields[detection_engines] |
If the threatInfo.detectionEngines log field value is not empty, then the threatInfo.detectionEngines log field is mapped to the security_result.detection_fields.detection_engines UDM field. |
threatInfo.detectionEngines.key |
security_result.detection_fields[detection_engines_key] |
If the threatInfo.detectionEngines.key log field value is not empty, then the threatInfo.detectionEngines.key log field is mapped to the security_result.detection_fields.detection_engines_key UDM field. |
threatInfo.detectionEngines.title |
security_result.detection_fields[detection_engines_title] |
If the threatInfo.detectionEngines.title log field value is not empty, then the threatInfo.detectionEngines.title log field is mapped to the security_result.detection_fields.detection_engines_title UDM field. |
threatInfo.detectionType |
security_result.detection_fields[detection_type] |
|
threatInfo.engines |
security_result.detection_fields[engines] |
If the threatInfo.engines log field value is not empty, then the threatInfo.engines log field is mapped to the security_result.detection_fields.engines UDM field. |
threatInfo.externalTicketExists |
security_result.detection_fields[external_ticket_exists] |
|
threatInfo.externalTicketExists.description |
security_result.detection_fields[external_ticket_exists_description] |
|
threatInfo.externalTicketExists.readOnly |
security_result.detection_fields[external_ticket_exists_readOnly] |
|
threatInfo.externalTicketId |
security_result.detection_fields[external_ticket_id] |
|
threatInfo.failedActions |
security_result.detection_fields[failed_actions] |
|
threatInfo.fileExtension |
target.file.mime_type |
|
threatInfo.fileExtensionType |
security_result.detection_fields[file_extension_type] |
|
threatInfo.filePath |
target.file.full_path |
|
threatInfo.filePath.description |
security_result.detection_fields[file_path_description] |
|
threatInfo.filePath.readOnly |
security_result.detection_fields[file_path_readOnly] |
|
threatInfo.fileSize |
target.file.size |
|
threatInfo.fileVerificationType |
security_result.detection_fields[file_verification_type] |
|
threatInfo.incidentStatus |
security_result.detection_fields[incident_status] |
|
threatInfo.incidentStatusDescription |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.description |
security_result.detection_fields[incident_status_description] |
|
threatInfo.incidentStatusDescription.readOnly |
security_result.detection_fields[incident_status_description_readOnly] |
|
threatInfo.initiatedBy |
security_result.detection_fields[initiatedBy] |
|
threatInfo.initiatedByDescription |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.description |
security_result.detection_fields[initiatedBy_description] |
|
threatInfo.initiatedByDescription.readOnly |
security_result.detection_fields[initiatedBy_description_readOnly] |
|
threatInfo.initiatingUserId |
principal.user.attribute.labels[initiating_user_id] |
|
threatInfo.isFileless |
security_result.detection_fields[is_fileless] |
|
threatInfo.isFileless.description |
security_result.detection_fields[is_fileless_description] |
|
threatInfo.isFileless.readOnly |
security_result.detection_fields[is_fileless_readOnly] |
|
threatInfo.isValidCertificate |
security_result.detection_fields[is_valid_certificate] |
|
threatInfo.maliciousProcessArguments |
security_result.detection_fields[malicious_process_arguments] |
|
threatInfo.md5 |
target.file.md5 |
If the threatInfo.md5 log field value matches the regular expression pattern ^[a-f0-9]{32}$, then the threatInfo.md5 log field is mapped to the target.file.md5 UDM field. |
threatInfo.mitigatedPreemptively |
security_result.detection_fields[mitigated_preemptively] |
|
threatInfo.mitigationStatus |
security_result.action_details |
|
|
security_result.threat_status |
If the threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to CLEARED.
threatInfo.mitigationStatus log field value contain one of the following values, then the security_result.threat_status UDM field is set to ACTIVE.
|
threatInfo.mitigationStatusDescription |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.description |
security_result.detection_fields[mitigation_status_description] |
|
threatInfo.mitigationStatusDescription.readOnly |
security_result.detection_fields[mitigation_status_description_readOnly] |
|
threatInfo.originatorProcess |
principal.process.parent_process.file.names |
|
threatInfo.pendingActions |
security_result.detection_fields[pending_actions] |
|
threatInfo.processUser |
principal.user.userid |
|
threatInfo.publisherName |
security_result.threat_feed_name |
|
threatInfo.reachedEventsLimit |
security_result.detection_fields[reached_events_limit] |
|
threatInfo.rebootRequired |
security_result.detection_fields[reboot_required] |
|
threatInfo.sha1 |
target.file.sha1 |
If the threatInfo.sha1 log field value matches the regular expression pattern ^[a-f0-9]{40}$", then the threatInfo.sha1 log field is mapped to the target.file.sha1 UDM field. |
threatInfo.sha256 |
target.file.sha256 |
If the threatInfo.sha256 log field value matches the regular expression pattern ^[a-f0-9]{64}$", then the threatInfo.sha256 log field is mapped to the target.file.sha256 UDM field. |
threatInfo.storyline |
security_result.detection_fields[storyline] |
|
threatInfo.threatId |
security_result.threat_id |
|
threatInfo.threatName |
security_result.threat_name |
|
threatInfo.threatName |
target.file.names |
|
threatInfo.updatedAt |
security_result.detection_fields[updatedAt] |
|
whiteningOptions |
about.labels[whitening_options] |
If the whiteningOptions log field value is not empty, then the whiteningOptions log field is mapped to the about.labels.whitening_options UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsRole |
principal.resource.attribute.roles.name |
|
agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups |
principal.resource.attribute.labels[cloud_providers_AWS_security_groups] |
If the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSecurityGroups log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_security_groups UDM field. |
agentDetectionInfo.cloudProviders.AWS.awsSubnetIds |
principal.resource.attribute.labels[cloud_providers_AWS_subnet_ids] |
If the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.awsSubnetIds log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_subnet_ids UDM field. |
agentDetectionInfo.cloudProviders.AWS.cloudAccount |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_account] |
|
agentDetectionInfo.cloudProviders.AWS.cloudImage |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_image] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceId |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_id] |
|
agentDetectionInfo.cloudProviders.AWS.cloudInstanceSize |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_instance_size] |
|
agentDetectionInfo.cloudProviders.AWS.cloudLocation |
principal.resource.attribute.cloud.availability_zone |
|
agentDetectionInfo.cloudProviders.AWS.cloudNetwork |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_network] |
|
agentDetectionInfo.cloudProviders.AWS.cloudTags |
principal.resource.attribute.labels[cloud_providers_AWS_cloud_tags] |
If the agentDetectionInfo.cloudProviders.AWS.cloudTags log field value is not empty, then the agentDetectionInfo.cloudProviders.AWS.cloudTags log field is mapped to the principal.resource.attribute.labels.cloud_providers_AWS_cloud_tags UDM field. |
modular_input_consumption_time |
about.labels[modular_input_consumption_time] (deprecated) |
|
modular_input_consumption_time |
additional.fields[modular_input_consumption_time] |
|
timestamp |
about.labels[timestamp] (deprecated) |
|
timestamp |
additional.fields[timestamp] |
|
updatedAt |
about.labels[updatedAt] (deprecated) |
|
updatedAt |
additional.fields[updatedAt] |
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。