此页面由 Cloud Translation API 翻译。

收集 CrowdStrike Falcon 日志

本文档介绍了如何将 CrowdStrike Falcon 日志注入到 Google Security Operations 中。您可以注入多种类型的 CrowdStrike Falcon 日志，本文档概述了每种日志的具体配置。

如需简要了解 Google Security Operations 中的数据注入，请参阅将数据注入到 Google Security Operations。

支持的 CrowdStrike Falcon 日志类型

Google Security Operations 通过具有以下提取标签的解析器支持以下 CrowdStrike Falcon 日志类型：

端点检测和响应 (EDR)：CS_EDR。此解析器可解析来自 CrowdStrike Falcon Data Replicator (FDR) 的近乎实时的遥测数据，例如文件访问和注册表修改。数据通常从 S3 或 Cloud Storage 存储桶中提取。
检测：CS_DETECTS。此解析器使用 Detect API 解析来自 CrowdStrike 的检测摘要事件。虽然与端点活动相关，但与使用 CS_EDR 解析的原始遥测数据相比，CS_DETECTS 可提供更高级别的检测摘要。

注意： CrowdStrike 已弃用“Detects”端点。我们建议改用 CS_ALERTS 来注入检测日志。
提醒：CS_ALERTS。此解析器使用 Alerts API 解析来自 CrowdStrike 的提醒。CrowdStrike 提醒解析器支持以下产品类型：
- epp
- idp
- overwatch
- xdr
- mobile
- cwpp
- ngsiem
失陷指标 (IoC)：CS_IOC。此解析器使用 CrowdStrike Chronicle Intel Bridge 从 CrowdStrike 威胁情报中解析 IoC 和攻击指标 (IOA)。 CrowdStrike 失陷指标 (IoC) 解析器支持以下指标类型：
- domain
- email_address
- file_name
- file_path
- hash_md5
- hash_sha1
- hash_sha256
- ip_address
- mutex_name
- url

Google SecOps 建议使用 CS_EDR、CS_DETECTS 和 CS_IOC 信息流，以便从 CrowdStrike 全面数据注入。

准备工作

确保您满足以下前提条件：

CrowdStrike 实例的管理员权限，用于安装 CrowdStrike Falcon Host 传感器
部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。
目标设备运行在受支持的操作系统上
- 必须是 64 位服务器
- CrowdStrike Falcon Host 传感器版本 6.51 或更高版本支持 Microsoft Windows Server 2008 R2 SP1。
- 旧版操作系统版本必须支持 SHA-2 代码签名。
Google SecOps 服务账号文件和您的客户 ID（来自 Google SecOps 支持团队）

设置 Feed

您可以通过两种不同的入口点在 Google SecOps 平台中设置 Feed：

SIEM 设置 > Feed > 添加新 Feed
内容中心 > 内容包 > 开始

如需详细了解如何为相应产品系列中的不同日志类型配置多个 Feed，请参阅按产品配置 Feed。

注入 CrowdStrike Falcon 日志

本部分介绍了如何为不同类型的 CrowdStrike Falcon 日志配置提取。

提取 EDR 日志 (`CS_EDR`)

您可以根据要将 CrowdStrike 日志发送到何处，使用以下方法之一来注入 CrowdStrike Falcon EDR 日志：

Amazon SQS：使用 Falcon Data Replicator Feed。
Amazon S3：使用为 S3 存储桶配置的 Google Security Operations Feed。
Google Cloud Storage：让 CrowdStrike 将日志推送到 Cloud Storage 存储桶。

选择以下任一流程。

方法 1：从 Amazon SQS 提取 EDR 日志

此方法使用 CrowdStrike Falcon Data Replicator 将 EDR 日志发送到 Amazon SQS 队列，然后 Google Security Operations 会轮询该队列。

点击 CrowdStrike 包。
在 CrowdStrike Falcon 日志类型中，为以下字段指定值：
- 来源：Amazon SQS
- 区域：与 URI 关联的 S3 区域。
- 队列名称：要从中读取日志数据的 SQS 队列的名称。
- S3 URI：S3 存储桶源 URI。
- 账号：SQS 账号。
- 队列访问密钥 ID：20 字符的账号访问密钥 ID。例如 AKIAOSFOODNN7EXAMPLE。
- 队列私有访问密钥：40 字符的私有访问密钥。例如 wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY。
- 源删除选项：用于在转移数据后删除文件和目录的选项。
高级选项
- Feed 名称：用于标识 Feed 的预填充值。
- 资产命名空间：与 Feed 关联的命名空间。
- 注入标签 - 应用于此 Feed 中所有事件的标签。
点击创建 Feed。

如需详细了解如何为相应产品系列中的不同日志类型配置多个 Feed，请参阅按产品配置 Feed。

方法 2：从 Amazon S3 存储桶提取 EDR 日志

此方法涉及设置 Google Security Operations Feed，以直接从 Amazon S3 存储桶提取 EDR 日志。

如需使用 S3 存储桶设置提取 Feed，请按以下步骤操作：

依次前往 SIEM 设置 > Feed。
点击添加新 Feed。
在下一页上，点击配置单个 Feed。
在 Feed 名称字段中，输入 Feed 的名称，例如 Crowdstrike Falcon Logs。
在来源类型中，选择 Amazon S3。
在日志类型中，选择 CrowdStrike Falcon。

根据您创建的服务账号和 Amazon S3 存储桶配置，为以下字段指定值：

字段	说明
`region`	S3 区域 URI。
`S3 uri`	S3 存储桶来源 URI。
`uri is a`	URI 指向的对象类型（例如，文件或文件夹）。
`source deletion option`	用于在转移数据后删除文件和目录的选项。
`access key id`	访问密钥（20 个字符的字母数字字符串）。例如 `AKIAOSFOODNN7EXAMPLE`。
`secret access key`	私有访问密钥（40 个字符的字母数字字符串）。例如 `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`。
`oauth client id`	公开 OAuth 客户端 ID。
`oauth client secret`	OAuth 2.0 客户端密钥。
`oauth secret refresh uri`	OAuth 2.0 客户端密钥刷新 URI。
`asset namespace`	与 Feed 关联的命名空间。

点击下一步，然后点击提交。

选项 3：从 Cloud Storage 提取 EDR 日志

您可以配置 CrowdStrike 将 EDR 日志发送到 Cloud Storage 存储桶，然后使用 Feed 将这些日志注入到 Google Security Operations 中。此流程需要与 CrowdStrike 支持团队协调。

联系 CrowdStrike 支持团队：向 CrowdStrike 提交支持服务工单，以启用和配置将 EDR 日志推送到您的 Cloud Storage 存储桶。他们会就所需的配置提供指导。
创建 Cloud Storage 存储桶并为其授予权限：
1. 在 Google Cloud 控制台中，创建一个新的 Cloud Storage 存储桶。记下存储桶名称（例如 gs://my-crowdstrike-edr-logs/）。
2. 向 CrowdStrike 提供的服务账号授予写入权限。按照 CrowdStrike 支持团队提供的说明操作。
配置 Google SecOps Feed：
1. 在 Google SecOps 实例中，依次前往设置 > Feed，然后点击添加新 Feed。
2. 输入一个描述性的 Feed 名称（例如 CS-EDR-GCS）。
3. 对于数据源类型，选择 Google Cloud Storage V2。
4. 对于日志类型，选择 CrowdStrike Falcon。
5. 在服务账号部分，点击获取服务账号。复制显示的唯一服务账号电子邮件地址。
6. 在 Google Cloud 控制台中，前往您的 Cloud Storage 存储桶，然后向您复制的服务账号电子邮件地址授予 Storage Object Viewer IAM 角色。这允许 Feed 读取日志文件。
7. 返回到 Google SecOps Feed 配置页面。
8. 输入 Storage 存储分区网址（例如 gs://my-crowdstrike-edr-logs/）。此网址必须以正斜杠 (/) 结尾。
9. 选择一个来源删除选项。建议选择永不删除文件。
10. 点击下一步，检查设置，然后点击提交。
验证日志注入：在 CrowdStrike 确认日志正在推送后，在 Google SecOps 中检查是否有日志类型为 CROWDSTRIKE_EDR 的传入日志。

注入提醒日志 (`CS_ALERTS`)

如需注入 CrowdStrike Falcon 提醒，请配置使用 CrowdStrike API 的 Feed。

在 CrowdStrike Falcon 控制台中：
1. 登录 CrowdStrike Falcon 控制台。
2. 依次前往支持和资源 > 资源和工具 > API 客户端和密钥，然后点击创建 API 客户端。
3. 输入客户端名称和说明。
4. 对于 API 范围，请选中提醒对应的读取和写入框。
5. 点击创建。记下生成的客户端 ID、客户端密钥和基本网址。
在 Google Security Operations 中：
1. 前往设置 > Feed，然后点击添加新 Feed。
2. 为来源类型选择第三方 API。
3. 对于日志类型，选择 CrowdStrike Alerts API。
4. 点击下一步，然后使用 CrowdStrike API 客户端中的值填充以下字段：
  - OAuth 令牌端点
  - OAuth 客户端 ID
  - OAuth 客户端密钥
  - 基础网址
5. 点击下一步，然后点击提交。

注入检测日志 (`CS_DETECTS`)

如需注入 CrowdStrike Falcon 检测日志，您还需要使用 CrowdStrike API。

在 CrowdStrike Falcon 控制台中：
1. 登录 CrowdStrike Falcon 控制台。
2. 前往 Support Apps（支持应用）> API Clients and Keys（API 客户端和密钥）。
3. 创建新的 API 客户端密钥对。此密钥对必须具有 Detections 的 READ 权限。
在 Google Security Operations 中：
1. 前往设置 > Feed，然后点击添加新 Feed。
2. 为来源类型选择第三方 API。
3. 为日志类型选择 CrowdStrike 检测监控。
4. 点击下一步，然后点击提交。系统会提示您输入已创建的 API 凭据。

注入 IoC 日志 (`CS_IOC`)

如需注入来自 CrowdStrike 的失陷指标 (IoC) 日志，您可以使用 Google SecOps Intel Bridge。

在 CrowdStrike Falcon 控制台中，创建新的 API 客户端密钥对。此密钥对必须具有 Indicators (Falcon Intelligence) 的 READ 权限。
按照 CrowdStrike 到 Google SecOps Intel Bridge 中的说明设置 Google SecOps Intel Bridge。

运行以下 Docker 命令，将 CrowdStrike 中的日志发送到 Google SecOps。sa.json 是您的 Google SecOps 服务账号文件。

docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

容器运行后，IoC 日志将开始流式传输到 Google SecOps。

如果您在配置上述任何设置时遇到问题，请与 Google SecOps 支持团队联系。

CrowdStrike 提醒日志的 UDM 映射增量。

UDM 映射增量参考信息：CS_ALERTS

下表列出了 CS ALERTS 的默认解析器与 CS ALERTS 的高级版本之间的差异。

Default UDM Mapping	Log Field	Premium Mapping Delta
`about.resource.product_object_id`	`cid`	Removed mapping to avoid duplication, as the `cid` log field is also mapped to `metadata.product_deployment_id`.
`principal.asset.platform_software.platform`	`platform`	If the `device.platform_name` log field value is empty and the `platform` log field value is not empty and if the `platform` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `platform` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `platform` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `platform` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`.
`security_result.detection_fields[agent_id]`	`agent_id`	If the `device.device_id` log field value is empty and the `host_id` log field value is empty and the `mdm_device_id` log field value is empty then, `CS:%{agent_id}` log field is mapped to the `principal.asset_id` UDM field. Else, the `principal.asset.attribute.labels.key` UDM field is set to `agent_id` and `agent_id` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`security_result.detection_fields[idp_policy_account_event_type]`	`idp_policy_account_event_type`	`security_result.rule_labels[idp_policy_account_event_type]`
`security_result.detection_fields[idp_policy_mfa_factor_type]`	`idp_policy_mfa_factor_type`	`security_result.rule_labels[idp_policy_mfa_factor_type]`
`security_result.detection_fields[idp_policy_mfa_provider_name]`	`idp_policy_mfa_provider_name`	`security_result.rule_labels[idp_policy_mfa_provider_name]`
`security_result.detection_fields[idp_policy_mfa_provider]`	`idp_policy_mfa_provider`	`security_result.rule_labels[idp_policy_mfa_provider]`
`security_result.detection_fields[idp_policy_rule_action]`	`idp_policy_rule_action`	`security_result.rule_labels[idp_policy_rule_action]`
`security_result.detection_fields[idp_policy_rule_trigger]`	`idp_policy_rule_trigger`	`security_result.rule_labels[idp_policy_rule_trigger]`
`security_result.detection_fields[idp_policy_rule_id]`	`idp_policy_rule_id`	`security_result.rule_id`
`security_result.detection_fields[idp_policy_rule_name]`	`idp_policy_rule_name`	`security_result.rule_name`
`security_result.detection_fields[status]`	`status`	If the `status` log field value matches the regular expression pattern `(?i)new` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `NEW`. Else, if `status` log field value matches the regular expression pattern `(?i)closed` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `CLOSED`. Else, `status` log field is mapped to the `security_result.detection_fields[status]` UDM field.
`target.process.file.mime_type`	`alleged_filetype`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `alleged_filetype` log field is mapped to the `target.file.mime_type` UDM field. Else, `alleged_filetype` log field is mapped to the `target.process.file.mime_type` UDM field.
`principal.resource.product_object_id`	`device.cid`	`principal.asset.attribute.labels[device_cid]`
`security_result.detection_fields[active_directory_dn_display]`	`device.hostinfo.active_directory_dn_display`	Iterate through log field `device.hostinfo.active_directory_dn_display`, then the `security_result.detection_fields.key` UDM field is set to `device_hostinfo_active_directory_dn_display` and `device.hostinfo.active_directory_dn_display` log field is mapped to the `security_result.detection_fields.value` UDM field.
`principal.asset.platform_software.platform`	`device.platform_name`	If the `device.platform_name` log field value is not empty and if the `device.platform_name` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. if the `platform` log field value is not empty and the `device.platform_name` log field value is equal to `the platform log field value` then, the `principal.asset.attribute.labels.key` UDM field is set to `platform` and `platform` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`principal.asset.platform_software.platform_version`	`device.system_product_name`	`principal.asset.hardware.model`
`target.process.file.names`	`filename`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filename` log field is mapped to the `target.file.names` UDM field. Else, `filename` log field is mapped to the `target.process.file.names` UDM field.
`target.file.full_path`	`filepath`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filepath` log field is mapped to the `target.file.full_path` UDM field. Else, `filepath` log field is mapped to the `target.process.file.full_path` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `macros.ioc_description` log field value is not empty then, `macros.ioc_description` log field is mapped to the `target.file.full_path` UDM field and the `security_result.detection_fields.key` UDM field is set to `filepath` and `filepath` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process_ancestors.command_line`	`grandparent_details.cmdline`	`target.process.parent_process.parent_process.command_line`
`target.process_ancestors.file.names`	`grandparent_details.filename`	`target.process.parent_process.parent_process.file.names`
`target.process_ancestors.file.full_path`	`grandparent_details.filepath`	`target.process.parent_process.parent_process.file.full_path`
`target.process_ancestors.file.md5`	`grandparent_details.md5`	`target.process.parent_process.parent_process.file.md5`
`target.process_ancestors.product_specific_process_id`	`grandparent_details.process_graph_id`	If the `grandparent_details.process_graph_id` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id}` log field is mapped to the `target.process.parent_process.parent_process.product_specific_process_id` UDM field.
`target.process_ancestors.pid`	`grandparent_details.process_id`	`target.process.parent_process.parent_process.pid`
`target.process_ancestors.file.sha256`	`grandparent_details.sha256`	`target.process.parent_process.parent_process.file.sha256`
`security_result.detection_fields[ioc_description]`	`ioc_context.ioc_description`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_description` and `ioc_context.ioc_description` log field is mapped to the `security_result.detection_fields.value` UDM field.
`security_result.detection_fields[ioc_source]`	`ioc_context.ioc_source`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_source` and `ioc_context.ioc_source` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process.file.md5`	`md5`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `md5` log field is mapped to the `target.file.md5` UDM field. Else, `md5` log field is mapped to the `target.process.file.md5` UDM field.
`target.process.file.sha1`	`sha1`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha1` log field is mapped to the `target.file.sha1` UDM field. Else, `sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`target.file.sha256`	`sha256`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha256` log field is mapped to the `target.file.sha256` UDM field. Else, `sha256` log field is mapped to the `target.process.file.sha256` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `ioc_type` log field value is equal to `hash_sha256` and the `macros.ioc_value` log field value is not empty then, `macros.ioc_value` log field is mapped to the `target.file.sha256` UDM field and the `security_result.detection_fields.key` UDM field is set to `sha256` and `sha256` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.asset.platform_software.platform`	`operating_system`	If the `operating_system` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`.
`security_result.detection_fields[agent_version]`	`agent_version`	`principal.asset.attribute.labels[agent_version]`
`about.email`	`enrollment_email`	`principal.user.email_addresses`
`principal.asset.type`		If the `mdm_device_id` log field value is not empty or the `mobile_hardware` log field value is not empty or the `mobile_manufacturer` log field value is not empty or the `mobile_serial` log field value is not empty then, the `principal.asset.type` UDM field is set to `MOBILE`.
`security_result.detection_fields[detection_context_user_is_admin]`	`detection_context.user_is_admin`	`security_result.about.user.attribute.label[detection_context_user_is_admin]`
`security_result.detection_fields[detection_context_user_sid]`	`detection_context.user_sid`	`security_result.about.user.attribute.label[detection_context_user_sid]`
`principal.asset.attribute.labels[pod_id]`	`device.pod_id`	`principal.resource.product_object_id`
`principal.asset.attribute.labels[pod_labels]`	`device.pod_labels`	`principal.resource.attribute.labels[pod_labels]`
`principal.asset.attribute.labels[pod_name]`	`device.pod_name`	`principal.resource.name`
`principal.asset.attribute.labels[pod_namespace]`	`device.pod_namespace`	`principal.resource.attribute.labels[pod_namespace]`
`principal.asset.attribute.labels[pod_service_account_name]`	`device.pod_service_account_name`	`principal.resource.attribute.labels[pod_service_account_name]`

支持的 CrowdStrike 日志格式

CrowdStrike 解析器支持 JSON 格式的日志。