Halaman ini diterjemahkan oleh Cloud Translation API.

Mengumpulkan log CrowdStrike Falcon

Dokumen ini memberikan panduan tentang cara menyerap log CrowdStrike Falcon ke Google Security Operations sebagai berikut:

Kumpulkan log CrowdStrike Falcon dengan menyiapkan feed Google Security Operations.
Memetakan kolom log CrowdStrike Falcon ke kolom Model Data Terpadu (UDM) Google SecOps.
Pahami jenis log dan jenis peristiwa CrowdStrike Falcon yang didukung.

Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google SecOps.

Sebelum memulai

Pastikan Anda memenuhi prasyarat berikut:

Hak administrator pada instance CrowdStrike untuk menginstal sensor Host CrowdStrike Falcon
Semua sistem dalam arsitektur deployment dikonfigurasi dalam zona waktu UTC.
Perangkat target berjalan di sistem operasi yang didukung
- Harus berupa server 64-bit
- Microsoft Windows Server 2008 R2 SP1 didukung untuk sensor Host CrowdStrike Falcon versi 6.51 atau yang lebih baru.
- Versi OS lama harus mendukung penandatanganan kode SHA-2.
File akun layanan Google SecOps dan ID pelanggan Anda dari tim dukungan Google SecOps

Men-deploy CrowdStrike Falcon dengan integrasi feed Google SecOps

Deployment umum terdiri dari CrowdStrike Falcon yang mengirimkan log, dan feed Google SecOps yang mengambil log. Deployment Anda mungkin sedikit berbeda berdasarkan penyiapan Anda.

Deployment biasanya mencakup komponen berikut:

CrowdStrike Falcon Intelligence: Produk CrowdStrike tempat Anda mengumpulkan log.
Feed CrowdStrike. Feed CrowdStrike yang mengambil log dari CrowdStrike dan menuliskannya ke Google SecOps.
CrowdStrike Intel Bridge: Produk CrowdStrike yang mengumpulkan indikator ancaman dari sumber data dan meneruskannya ke Google SecOps.
Google SecOps: Platform yang menyimpan, menormalisasi, dan menganalisis log deteksi CrowdStrike.
Parser label penyerapan yang menormalisasi data log mentah ke dalam format UDM. Informasi dalam dokumen ini berlaku untuk parser CrowdStrike Falcon dengan label penyerapan berikut:
- CS_EDR
- CS_DETECTS
- CS_IOC Parser Indikator Gangguan (IoC) CrowdStrike mendukung jenis indikator berikut:
  - domain
  - email_address
  - file_name
  - file_path
  - hash_md5
  - hash_sha1
  - hash_sha256
  - ip_address
  - mutex_name
  - url
- CS_ALERTS Parser Notifikasi CrowdStrike mendukung jenis produk berikut:
  - epp
  - idp
  - overwatch
  - xdr
  - mobile
  - cwpp
  - ngsiem

Mengonfigurasi feed Google SecOps untuk log CrowdStrike EDR

Prosedur berikut diperlukan untuk mengonfigurasi feed.

Cara mengonfigurasi CrowdStrike

Untuk menyiapkan feed Falcon Data Replicator, ikuti langkah-langkah berikut:

Login ke Konsol CrowdStrike Falcon.
Buka Aplikasi Pendukung > Falcon Data Replicator.
Klik Tambahkan untuk membuat feed Falcon Data Replicator baru dan menghasilkan nilai berikut:
- Feed
- ID S3,
- URL SQS
Rahasia klien. Simpan nilai ini untuk menyiapkan feed di Google SecOps.

Untuk mengetahui informasi selengkapnya, lihat Cara menyiapkan feed replikator data Falcon.

Menyiapkan feed

Ada dua titik entri berbeda untuk menyiapkan feed di platform Google SecOps:

Setelan SIEM > Feed > Tambahkan Feed Baru
Hub Konten > Paket Konten > Mulai

Cara menyiapkan feed CrowdStrike Falcon

Klik paket CrowdStrike.
Pada jenis log CrowdStrike Falcon, tentukan nilai untuk kolom berikut:
- Sumber: Amazon SQS
- Region: Region S3 yang terkait dengan URI.
- Nama Antrean: Nama antrean SQS yang akan dibaca data lognya.
- URI S3: URI sumber bucket S3.
- Nomor Akun: Nomor akun SQS.
- Queue Access Key ID: ID kunci akses akun 20 karakter. Contoh, AKIAOSFOODNN7EXAMPLE.
- Queue Secret Access Key: Kunci akses rahasia 40 karakter. Contoh, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
- Opsi penghapusan sumber: Opsi untuk menghapus file dan direktori setelah mentransfer data.
Opsi lanjutan
- Nama Feed: Nilai yang telah diisi otomatis yang mengidentifikasi feed.
- Namespace Aset: Namespace yang terkait dengan feed.
- Label Penyerapan – Label yang diterapkan ke semua peristiwa dari feed ini.
Klik Buat Feed.

Untuk mengetahui informasi selengkapnya tentang cara mengonfigurasi beberapa feed untuk berbagai jenis log dalam keluarga produk ini, lihat Mengonfigurasi feed menurut produk.

Menyiapkan feed penyerapan dengan bucket Amazon S3

Untuk menyiapkan feed penyerapan menggunakan bucket S3, ikuti langkah-langkah berikut:

Buka Setelan SIEM > Feed.
Klik Tambahkan Feed Baru.
Di halaman berikutnya, klik Konfigurasi satu feed.
Di kolom Feed name, masukkan nama untuk feed; misalnya, Crowdstrike Falcon Logs.
Di Source type, pilih Amazon S3.
Di Log type, pilih CrowdStrike Falcon.

Berdasarkan akun layanan dan konfigurasi bucket Amazon S3 yang Anda buat, tentukan nilai untuk kolom berikut:

Kolom	Deskripsi
`region`	URI region S3.
`S3 uri`	URI sumber bucket S3.
`uri is a`	Jenis objek yang dituju URI (misalnya, file atau folder).
`source deletion option`	Opsi untuk menghapus file dan direktori setelah mentransfer data.
`access key id`	Kunci akses (string alfanumerik 20 karakter). Misalnya, `AKIAOSFOODNN7EXAMPLE`.
`secret access key`	Kunci akses rahasia (string alfanumerik 40 karakter). Misalnya, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`.
`oauth client id`	ID klien OAuth publik.
`oauth client secret`	Rahasia klien OAuth 2.0.
`oauth secret refresh uri`	URI refresh rahasia klien OAuth 2.0.
`asset namespace`	Namespace yang terkait dengan feed.

Mengonfigurasi feed Google SecOps untuk log CrowdStrike

Untuk meneruskan log pemantauan deteksi CrowdStrike, ikuti langkah-langkah berikut:

Login ke Konsol CrowdStrike Falcon.
Buka Support Apps > API Clients and Keys .
Buat pasangan kunci klien API baru di CrowdStrike Falcon. Pasangan kunci ini harus memiliki izin READ untuk Detections dan Alerts dari CrowdStrike Falcon.

Menyerap log menggunakan Cloud Storage untuk log EDR CrowdStrike

Anda dapat mengonfigurasi CrowdStrike untuk mengirim log EDR ke bucket Cloud Storage, lalu menyerap log ini ke Google SecOps menggunakan feed. Proses ini memerlukan koordinasi dengan Dukungan CrowdStrike.

Sebelum memulai

Pastikan Anda memiliki instance CrowdStrike Falcon yang aktif.
Pastikan Anda memiliki project Google Cloud tempat Anda dapat membuat bucket Cloud Storage dan mengelola izin IAM.
Pastikan Anda memiliki instance Google SecOps yang aktif.
Pastikan Anda memiliki hak administrator di Google Cloud lingkungan dan instance Google SecOps Anda.

Langkah

Hubungi Dukungan CrowdStrike: Buka tiket dukungan dengan CrowdStrike untuk mengaktifkan dan mengonfigurasi fitur untuk mengirimkan log EDR ke bucket Cloud Storage Anda. Dukungan CrowdStrike akan memberikan panduan tentang konfigurasi spesifik yang diperlukan.
Buat dan beri izin pada bucket Cloud Storage:
1. Di konsol Google Cloud , buat bucket baru di Cloud Storage. Catat nama bucket (misalnya, gs://my-crowdstrike-edr-logs/).
2. Berikan izin tulis ke akun layanan atau entitas yang disediakan oleh CrowdStrike. Ikuti petunjuk dari Dukungan CrowdStrike untuk mengizinkan file log ditulis ke dalam bucket ini untuk izin ini.
Konfigurasi feed Google SecOps:
1. Di instance Google SecOps Anda, buka SIEM Settings > Feeds.
2. Klik Add New.
3. Masukkan Nama feed deskriptif (misalnya, CS-EDR-GCS).
4. Untuk Jenis sumber, pilih Google Cloud Storage V2.
5. Untuk Log type, pilih CrowdStrike Falcon.
6. Di bagian akun layanan, klik Dapatkan Akun Layanan. Salin alamat email akun layanan unik yang ditampilkan.
7. Di Google Cloud konsol, buka bucket Cloud Storage Anda. Memberikan peran IAM Storage Object Viewer ke alamat email akun layanan yang disalin dari setelan feed Google SecOps. Izin ini memungkinkan feed membaca file log.
8. Kembali ke halaman konfigurasi Feed Google SecOps.
9. Masukkan URL Bucket Penyimpanan menggunakan nama bucket yang Anda buat (misalnya, gs://my-crowdstrike-edr-logs/). URL ini harus diakhiri dengan garis miring (/).
10. Pilih Opsi Penghapusan Sumber:
  - Jangan pernah menghapus file: Direkomendasikan.
  - Menghapus file yang ditransfer dan direktori kosong: Gunakan dengan hati-hati.
11. Opsional: Tentukan Namespace Aset.
12. Klik Berikutnya, tinjau setelan, lalu klik Kirim.
Verifikasi penyerapan log: Setelah CrowdStrike mengonfirmasi bahwa log sedang dikirim, tunggu beberapa saat hingga data diserap ke Google SecOps. Periksa log masuk dengan menelusuri menggunakan Jenis Log CROWDSTRIKE_EDR di Google SecOps.

Jika Anda mengalami masalah, tinjau izin IAM di bucket Cloud Storage dan konfigurasi feed di Google SecOps. Jika masalah berlanjut, hubungi tim dukungan Google SecOps.

Untuk menerima log pemantauan deteksi CrowdStrike, ikuti langkah-langkah berikut

Login ke instance Google SecOps Anda.
Buka Setelan SIEM > Feed.
Klik Tambahkan Feed Baru.
Di halaman berikutnya, klik Konfigurasi satu feed.
Di kolom Feed name, masukkan nama untuk feed; misalnya, Crowdstrike Falcon Logs.
Di Source type, pilih Third Party API.
Di Log type, pilih CrowdStrike Detection Monitoring.

Jika Anda mengalami masalah, hubungi tim dukungan SecOps Google.

Menyerap log IoC CrowdStrike ke Google SecOps

Untuk mengonfigurasi penyerapan log dari CrowdStrike ke Google SecOps untuk log IoC, selesaikan langkah-langkah berikut:

Buat pasangan kunci klien API baru di Konsol CrowdStrike Falcon. Pasangan kunci ini memungkinkan Google SecOps Intel Bridge mengakses dan membaca peristiwa serta informasi tambahan dari CrowdStrike Falcon. Untuk mengetahui petunjuk penyiapan, lihat CrowdStrike to Google SecOps Intel Bridge.
Berikan izin READ ke Indicators (Falcon Intelligence) saat Anda membuat pasangan kunci.
Siapkan Google SecOps Intel Bridge dengan mengikuti langkah-langkah di CrowdStrike to Google SecOps Intel Bridge.

Jalankan perintah Docker berikut untuk mengirim log dari CrowdStrike ke Google SecOps, dengan sa.json adalah file akun layanan Google SecOps:

docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

Setelah container berhasil berjalan, log IoC akan mulai di-streaming ke Google SecOps.

Mengonfigurasi feed Google SecOps untuk log pemberitahuan CrowdStrike

Untuk menyiapkan feed penyerapan log pemberitahuan CrowdStrike, lakukan langkah-langkah berikut:

Di Konsol CrowdStrike Falcon:

Login ke Konsol CrowdStrike Falcon.
Di halaman API Clients and Keys (Support and resources > Resources and tools > API Clients and Keys), klik Create API client.
Masukkan detail untuk menentukan klien API Anda:
- Nama Klien
- Deskripsi
- Cakupan API : Centang kotak Baca dan Tulis di samping cakupan Pemberitahuan untuk mengaktifkan akses.
Klik Buat untuk menyimpan klien API dan membuat client ID dan secret. Catatan: Client ID, secret, dan Base URL akan digunakan pada langkah-langkah selanjutnya.

Di instance Google SecOps:

Login ke instance Google SecOps Anda.
Dari menu Google SecOps, pilih Setelan, lalu klik Feed.
Klik Tambahkan Feed Baru.
Di Source type, pilih Third Party API.
Di bagian Jenis log, pilih CrowdStrike Alerts API.
Klik Next dan isi kolom berikut menggunakan nilai yang dikumpulkan dari klien CrowdStrike API:
- Endpoint token OAuth
- ID klien OAuth
- Rahasia klien OAuth
- URL Dasar
Klik Berikutnya, lalu klik Kirim.

Jika Anda mengalami masalah, hubungi tim dukungan SecOps Google.

Perubahan Pemetaan UDM untuk log pemberitahuan CrowdStrike

Referensi Delta Pemetaan UDM: CS_ALERTS

Tabel berikut mencantumkan perbedaan antara Parser default CS ALERTS dan versi premium CS ALERTS.

Default UDM Mapping	Log Field	Premium Mapping Delta
`about.resource.product_object_id`	`cid`	Removed mapping to avoid duplication, as the `cid` log field is also mapped to `metadata.product_deployment_id`.
`principal.asset.platform_software.platform`	`platform`	If the `device.platform_name` log field value is empty and the `platform` log field value is not empty and if the `platform` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `platform` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `platform` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `platform` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`.
`security_result.detection_fields[agent_id]`	`agent_id`	If the `device.device_id` log field value is empty and the `host_id` log field value is empty and the `mdm_device_id` log field value is empty then, `CS:%{agent_id}` log field is mapped to the `principal.asset_id` UDM field. Else, the `principal.asset.attribute.labels.key` UDM field is set to `agent_id` and `agent_id` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`security_result.detection_fields[idp_policy_account_event_type]`	`idp_policy_account_event_type`	`security_result.rule_labels[idp_policy_account_event_type]`
`security_result.detection_fields[idp_policy_mfa_factor_type]`	`idp_policy_mfa_factor_type`	`security_result.rule_labels[idp_policy_mfa_factor_type]`
`security_result.detection_fields[idp_policy_mfa_provider_name]`	`idp_policy_mfa_provider_name`	`security_result.rule_labels[idp_policy_mfa_provider_name]`
`security_result.detection_fields[idp_policy_mfa_provider]`	`idp_policy_mfa_provider`	`security_result.rule_labels[idp_policy_mfa_provider]`
`security_result.detection_fields[idp_policy_rule_action]`	`idp_policy_rule_action`	`security_result.rule_labels[idp_policy_rule_action]`
`security_result.detection_fields[idp_policy_rule_trigger]`	`idp_policy_rule_trigger`	`security_result.rule_labels[idp_policy_rule_trigger]`
`security_result.detection_fields[idp_policy_rule_id]`	`idp_policy_rule_id`	`security_result.rule_id`
`security_result.detection_fields[idp_policy_rule_name]`	`idp_policy_rule_name`	`security_result.rule_name`
`target.process.file.mime_type`	`alleged_filetype`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `alleged_filetype` log field is mapped to the `target.file.mime_type` UDM field. Else, `alleged_filetype` log field is mapped to the `target.process.file.mime_type` UDM field.
`principal.resource.product_object_id`	`device.cid`	`principal.asset.attribute.labels[device_cid]`
`security_result.detection_fields[active_directory_dn_display]`	`device.hostinfo.active_directory_dn_display`	Iterate through log field `device.hostinfo.active_directory_dn_display`, then the `security_result.detection_fields.key` UDM field is set to `device_hostinfo_active_directory_dn_display` and `device.hostinfo.active_directory_dn_display` log field is mapped to the `security_result.detection_fields.value` UDM field.
`principal.asset.platform_software.platform`	`device.platform_name`	If the `device.platform_name` log field value is not empty and if the `device.platform_name` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. if the `platform` log field value is not empty and the `device.platform_name` log field value is equal to `the platform log field value` then, the `principal.asset.attribute.labels.key` UDM field is set to `platform` and `platform` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`principal.asset.platform_software.platform_version`	`device.system_product_name`	`principal.asset.hardware.model`
`target.process.file.names`	`filename`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filename` log field is mapped to the `target.file.names` UDM field. Else, `filename` log field is mapped to the `target.process.file.names` UDM field.
`target.file.full_path`	`filepath`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filepath` log field is mapped to the `target.file.full_path` UDM field. Else, `filepath` log field is mapped to the `target.process.file.full_path` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `macros.ioc_description` log field value is not empty then, `macros.ioc_description` log field is mapped to the `target.file.full_path` UDM field and the `security_result.detection_fields.key` UDM field is set to `filepath` and `filepath` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process_ancestors.command_line`	`grandparent_details.cmdline`	`target.process.parent_process.parent_process.command_line`
`target.process_ancestors.file.names`	`grandparent_details.filename`	`target.process.parent_process.parent_process.file.names`
`target.process_ancestors.file.full_path`	`grandparent_details.filepath`	`target.process.parent_process.parent_process.file.full_path`
`target.process_ancestors.file.md5`	`grandparent_details.md5`	`target.process.parent_process.parent_process.file.md5`
`target.process_ancestors.product_specific_process_id`	`grandparent_details.process_graph_id`	If the `grandparent_details.process_graph_id` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id}` log field is mapped to the `target.process.parent_process.parent_process.product_specific_process_id` UDM field.
`target.process_ancestors.pid`	`grandparent_details.process_id`	`target.process.parent_process.parent_process.pid`
`target.process_ancestors.file.sha256`	`grandparent_details.sha256`	`target.process.parent_process.parent_process.file.sha256`
`security_result.detection_fields[ioc_description]`	`ioc_context.ioc_description`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_description` and `ioc_context.ioc_description` log field is mapped to the `security_result.detection_fields.value` UDM field.
`security_result.detection_fields[ioc_source]`	`ioc_context.ioc_source`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_source` and `ioc_context.ioc_source` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process.file.md5`	`md5`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `md5` log field is mapped to the `target.file.md5` UDM field. Else, `md5` log field is mapped to the `target.process.file.md5` UDM field.
`target.process.file.sha1`	`sha1`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha1` log field is mapped to the `target.file.sha1` UDM field. Else, `sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`target.file.sha256`	`sha256`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha256` log field is mapped to the `target.file.sha256` UDM field. Else, `sha256` log field is mapped to the `target.process.file.sha256` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `ioc_type` log field value is equal to `hash_sha256` and the `macros.ioc_value` log field value is not empty then, `macros.ioc_value` log field is mapped to the `target.file.sha256` UDM field and the `security_result.detection_fields.key` UDM field is set to `sha256` and `sha256` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.asset.platform_software.platform`	`operating_system`	If the `operating_system` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`.
`security_result.detection_fields[agent_version]`	`agent_version`	`principal.asset.attribute.labels[agent_version]`
`about.email`	`enrollment_email`	`principal.user.email_addresses`
`principal.asset.type`		If the `mdm_device_id` log field value is not empty or the `mobile_hardware` log field value is not empty or the `mobile_manufacturer` log field value is not empty or the `mobile_serial` log field value is not empty then, the `principal.asset.type` UDM field is set to `MOBILE`.

Format log CrowdStrike yang didukung

Parser CrowdStrike mendukung log dalam format JSON.

Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.