本頁面由 Cloud Translation API 翻譯而成。

收集 CrowdStrike Falcon 記錄

本文說明如何將 CrowdStrike Falcon 記錄擷取至 Google Security Operations。您可以擷取多種 CrowdStrike Falcon 記錄，本文將說明每種記錄的具體設定。

如需 Google Security Operations 資料擷取作業的高階總覽，請參閱「將資料擷取至 Google Security Operations」。

支援的 CrowdStrike Falcon 記錄類型

Google Security Operations 支援下列 CrowdStrike Falcon 記錄類型，並透過剖析器搭配下列擷取標籤：

端點偵測與應變 (EDR)：CS_EDR。這個剖析器會剖析 CrowdStrike Falcon Data Replicator (FDR) 的近乎即時遙測資料，例如檔案存取和登錄修改。資料通常會從 S3 或 Cloud Storage bucket 擷取。
偵測結果：CS_DETECTS。這個剖析器會使用 Detect API，剖析 CrowdStrike 的偵測摘要事件。CS_DETECTS 與端點活動相關，但相較於使用 CS_EDR 剖析的原始遙測資料，CS_DETECTS 提供的是更高層級的偵測摘要。

注意： CrowdStrike 已淘汰「Detects」端點。建議改用 CS_ALERTS 擷取偵測記錄。
快訊：CS_ALERTS。這個剖析器會使用 Alerts API 剖析 CrowdStrike 的快訊。CrowdStrike Alerts 剖析器支援下列產品類型：
- epp
- idp
- overwatch
- xdr
- mobile
- cwpp
- ngsiem
入侵指標 (IoC)：CS_IOC. 這個剖析器會使用 CrowdStrike Chronicle Intel Bridge，從 CrowdStrike Threat Intelligence 剖析入侵指標 (IoC) 和攻擊指標 (IOA)。CrowdStrike 入侵指標 (IoC) 剖析器支援下列指標類型：
- domain
- email_address
- file_name
- file_path
- hash_md5
- hash_sha1
- hash_sha256
- ip_address
- mutex_name
- url

Google SecOps 建議使用 CS_EDR、CS_DETECTS 和 CS_IOC 的資訊提供，從 CrowdStrike 擷取完整資料。

事前準備

請確認您已完成下列事前準備事項：

CrowdStrike 執行個體的管理員權限，可安裝 CrowdStrike Falcon Host 感應器
部署架構中的所有系統都以世界標準時間設定時區。
目標裝置搭載支援的作業系統
- 必須是 64 位元伺服器
- CrowdStrike Falcon Host 感應器 6.51 以上版本支援 Microsoft Windows Server 2008 R2 SP1。
- 舊版作業系統必須支援 SHA-2 程式碼簽署。
Google SecOps 服務帳戶檔案，以及 Google SecOps 支援團隊提供的客戶 ID

設定動態饋給

在 Google SecOps 平台中，有兩種不同的進入點可設定動態饋給：

依序點選「SIEM Settings」>「Feeds」>「Add New Feed」
依序點選「內容中心」「內容包」「開始使用」

如要進一步瞭解如何為這個產品系列中的不同記錄類型設定多個動態饋給，請參閱「依產品設定動態饋給」。

擷取 CrowdStrike Falcon 記錄

本節說明如何為不同類型的 CrowdStrike Falcon 記錄設定擷取作業。

擷取 EDR 記錄 (`CS_EDR`)

視要從 CrowdStrike 傳送記錄的位置而定，您可以使用下列其中一種方法擷取 CrowdStrike Falcon EDR 記錄：

Amazon SQS：使用 Falcon Data Replicator 動態饋給。
Amazon S3：使用為 S3 儲存桶設定的 Google Security Operations 資訊提供。
Google Cloud Storage：讓 CrowdStrike 將記錄檔推送至 Cloud Storage bucket。

請選擇下列其中一個程序。

方法 1：從 Amazon SQS 擷取 EDR 記錄

這個方法會使用 CrowdStrike Falcon Data Replicator 將 EDR 記錄傳送至 Amazon SQS 佇列，然後 Google Security Operations 會輪詢該佇列。

按一下「CrowdStrike」CrowdStrike套件。
在「CrowdStrike Falcon」記錄類型中，為下列欄位指定值：
- 來源：Amazon SQS
- 區域：與 URI 相關聯的 S3 區域。
- 佇列名稱：要從中讀取記錄資料的 SQS 佇列名稱。
- S3 URI：S3 bucket 來源 URI。
- 帳號：SQS 帳號。
- 佇列存取金鑰 ID：20 個字元的帳戶存取金鑰 ID。例如：AKIAOSFOODNN7EXAMPLE。
- 佇列存取密鑰：40 個字元的存取密鑰。例如：wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY。
- 來源刪除選項：可選擇在資料移轉後刪除檔案和目錄。
進階選項
- 動態饋給名稱：系統預先填入的值，用於識別動態饋給。
- 資產命名空間：與動態饋給相關聯的命名空間。
- 擷取標籤：套用至這個動態饋給所有事件的標籤。
按一下「建立動態饋給」。

如要進一步瞭解如何為這個產品系列中的不同記錄類型設定多個動態饋給，請參閱「依產品設定動態饋給」。

方法 2：從 Amazon S3 值區擷取 EDR 記錄

這個方法需要設定 Google Security Operations 資訊提供，直接從 Amazon S3 值區提取 EDR 記錄。

如要使用 S3 bucket 設定擷取動態饋給，請按照下列步驟操作：

依序前往「SIEM 設定」>「動態饋給」。
按一下「新增動態消息」。
在下一個頁面中，按一下「設定單一動態饋給」。
在「動態消息名稱」欄位中，輸入動態消息的名稱，例如「Crowdstrike Falcon Logs」。
在「來源類型」中，選取「Amazon S3」。
在「記錄類型」中，選取「CrowdStrike Falcon」。

根據您建立的服務帳戶和 Amazon S3 值區設定，為下列欄位指定值：

欄位	說明
`region`	S3 區域 URI。
`S3 uri`	S3 bucket 來源 URI。
`uri is a`	URI 指向的物件類型 (例如檔案或資料夾)。
`source deletion option`	可選擇在資料轉移後刪除檔案和目錄。
`access key id`	存取金鑰 (20 個字元的英數字串)。例如 `AKIAOSFOODNN7EXAMPLE`。
`secret access key`	存取密鑰 (40 個字元的英數字串)。例如 `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`。
`oauth client id`	公開 OAuth 用戶端 ID。
`oauth client secret`	OAuth 2.0 用戶端密鑰。
`oauth secret refresh uri`	OAuth 2.0 用戶端密鑰更新 URI。
`asset namespace`	與動態饋給相關聯的命名空間。

依序點選「下一步」和「提交」。

選項 3：從 Cloud Storage 擷取 EDR 記錄

您可以將 CrowdStrike 設為將 EDR 記錄傳送至 Cloud Storage bucket，然後使用資訊提供將這些記錄擷取至 Google Security Operations。這項程序需要與 CrowdStrike 支援團隊協調。

聯絡 CrowdStrike 支援團隊：向 CrowdStrike 建立支援票證，啟用並設定將 EDR 記錄檔推送至 Cloud Storage bucket。並提供必要設定的指引。
建立 Cloud Storage bucket 並授予權限：
1. 在 Google Cloud 控制台中，建立新的 Cloud Storage bucket。請記下 bucket 名稱 (例如 gs://my-crowdstrike-edr-logs/)。
2. 將寫入權限授予 CrowdStrike 提供的服務帳戶。按照 CrowdStrike 支援團隊的指示操作。
設定 Google SecOps 動態饋給：
1. 在 Google SecOps 執行個體中，依序前往「設定」>「動態饋給」，然後按一下「新增」。
2. 輸入描述性動態饋給名稱 (例如 CS-EDR-GCS)。
3. 在「來源類型」部分，選取「Google Cloud Storage V2」。
4. 在「記錄類型」部分，選取「CrowdStrike Falcon」。
5. 在服務帳戶部分，按一下「取得服務帳戶」，複製顯示的專屬服務帳戶電子郵件地址。
6. 在 Google Cloud 控制台中，前往 Cloud Storage 值區，然後將 Storage Object Viewer IAM 角色授予您複製的服務帳戶電子郵件地址。這樣動態消息就能讀取記錄檔。
7. 返回 Google SecOps 資訊動態設定頁面。
8. 輸入「儲存空間值區網址」 (例如 gs://my-crowdstrike-edr-logs/)。這個網址必須以尾端正斜線 (/) 結尾。
9. 選取「來源刪除選項」。建議選取「一律不刪除檔案」。
10. 點選「下一步」，檢查設定，然後點選「提交」。
確認記錄擷取作業：CrowdStrike 確認記錄已推送後，請在 Google SecOps 中檢查是否有 Log Type CROWDSTRIKE_EDR 的傳入記錄。

擷取快訊記錄 (`CS_ALERTS`)

如要擷取 CrowdStrike Falcon 快訊，請設定使用 CrowdStrike API 的動態饋給。

在 CrowdStrike Falcon 控制台中：
1. 登入 CrowdStrike Falcon Console。
2. 依序前往「支援與資源」 >「資源與工具」 >「API 用戶端和金鑰」，然後按一下「建立 API 用戶端」。
3. 輸入「用戶端名稱」和「說明」。
4. 在「API Scopes」(API 範圍) 中，選取「Alerts」(快訊) 的「Read」(讀取) 和「Write」(寫入) 方塊。
5. 點按「Create」(建立)。記下產生的「Client ID」(用戶端 ID)、「Client Secret」(用戶端密鑰) 和「Base URL」(基本網址)。
在 Google Security Operations 中：
1. 依序前往「設定」>「動態消息」，然後按一下「新增」。
2. 在「來源類型」中選取「第三方 API」。
3. 在「記錄類型」中選取「CrowdStrike Alerts API」。
4. 按一下「下一步」，然後使用 CrowdStrike API 用戶端的值填寫下列欄位：
  - OAuth 權杖端點
  - OAuth 用戶端 ID
  - OAuth 用戶端密鑰
  - 基準網址
5. 依序點選「下一步」和「提交」。

擷取偵測記錄 (`CS_DETECTS`)

如要擷取 CrowdStrike Falcon 偵測記錄，您也需要使用 CrowdStrike API。

在 CrowdStrike Falcon 控制台中：
1. 登入 CrowdStrike Falcon Console。
2. 依序前往「支援應用程式」 >「API 用戶端和金鑰」。
3. 建立新的 API 用戶端金鑰組。這個金鑰組必須具備 Detections 的 READ 權限。
在 Google Security Operations 中：
1. 依序前往「設定」>「動態消息」，然後按一下「新增」。
2. 在「來源類型」中選取「第三方 API」。
3. 在「記錄類型」中選取「CrowdStrike Detection Monitoring」。
4. 依序點選「下一步」和「提交」。系統會提示您輸入建立的 API 憑證。

擷取 IoC 記錄 (`CS_IOC`)

如要從 CrowdStrike 擷取入侵指標 (IoC) 記錄，請使用 Google SecOps Intel Bridge。

在 CrowdStrike Falcon 控制台中，建立新的 API 用戶端金鑰組。這個金鑰組必須具有 Indicators (Falcon Intelligence) 的 READ 權限。
按照「CrowdStrike to Google SecOps Intel Bridge」一文中的操作說明，設定 Google SecOps Intel Bridge。

執行下列 Docker 指令，將 CrowdStrike 的記錄傳送至 Google SecOps。sa.json 是您的 Google SecOps 服務帳戶檔案。

docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

容器執行後，IoC 記錄就會開始串流至 Google SecOps。

如果這些設定有任何問題，請與 Google SecOps 支援團隊聯絡。

CrowdStrike 快訊記錄的 UDM 對應差異。

UDM 對應差異參考資料：CS_ALERTS

下表列出 CS ALERTS 的預設剖析器與進階版 CS ALERTS 之間的差異。

Default UDM Mapping	Log Field	Premium Mapping Delta
`about.resource.product_object_id`	`cid`	Removed mapping to avoid duplication, as the `cid` log field is also mapped to `metadata.product_deployment_id`.
`principal.asset.platform_software.platform`	`platform`	If the `device.platform_name` log field value is empty and the `platform` log field value is not empty and if the `platform` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `platform` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `platform` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `platform` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`.
`security_result.detection_fields[agent_id]`	`agent_id`	If the `device.device_id` log field value is empty and the `host_id` log field value is empty and the `mdm_device_id` log field value is empty then, `CS:%{agent_id}` log field is mapped to the `principal.asset_id` UDM field. Else, the `principal.asset.attribute.labels.key` UDM field is set to `agent_id` and `agent_id` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`security_result.detection_fields[idp_policy_account_event_type]`	`idp_policy_account_event_type`	`security_result.rule_labels[idp_policy_account_event_type]`
`security_result.detection_fields[idp_policy_mfa_factor_type]`	`idp_policy_mfa_factor_type`	`security_result.rule_labels[idp_policy_mfa_factor_type]`
`security_result.detection_fields[idp_policy_mfa_provider_name]`	`idp_policy_mfa_provider_name`	`security_result.rule_labels[idp_policy_mfa_provider_name]`
`security_result.detection_fields[idp_policy_mfa_provider]`	`idp_policy_mfa_provider`	`security_result.rule_labels[idp_policy_mfa_provider]`
`security_result.detection_fields[idp_policy_rule_action]`	`idp_policy_rule_action`	`security_result.rule_labels[idp_policy_rule_action]`
`security_result.detection_fields[idp_policy_rule_trigger]`	`idp_policy_rule_trigger`	`security_result.rule_labels[idp_policy_rule_trigger]`
`security_result.detection_fields[idp_policy_rule_id]`	`idp_policy_rule_id`	`security_result.rule_id`
`security_result.detection_fields[idp_policy_rule_name]`	`idp_policy_rule_name`	`security_result.rule_name`
`security_result.detection_fields[status]`	`status`	If the `status` log field value matches the regular expression pattern `(?i)new` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `NEW`. Else, if `status` log field value matches the regular expression pattern `(?i)closed` then, `status` log field is mapped to the `security_result.about.investigation.status` UDM field with the value `CLOSED`. Else, `status` log field is mapped to the `security_result.detection_fields[status]` UDM field.
`target.process.file.mime_type`	`alleged_filetype`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `alleged_filetype` log field is mapped to the `target.file.mime_type` UDM field. Else, `alleged_filetype` log field is mapped to the `target.process.file.mime_type` UDM field.
`principal.resource.product_object_id`	`device.cid`	`principal.asset.attribute.labels[device_cid]`
`security_result.detection_fields[active_directory_dn_display]`	`device.hostinfo.active_directory_dn_display`	Iterate through log field `device.hostinfo.active_directory_dn_display`, then the `security_result.detection_fields.key` UDM field is set to `device_hostinfo_active_directory_dn_display` and `device.hostinfo.active_directory_dn_display` log field is mapped to the `security_result.detection_fields.value` UDM field.
`principal.asset.platform_software.platform`	`device.platform_name`	If the `device.platform_name` log field value is not empty and if the `device.platform_name` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)Mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `device.platform_name` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. if the `platform` log field value is not empty and the `device.platform_name` log field value is equal to `the platform log field value` then, the `principal.asset.attribute.labels.key` UDM field is set to `platform` and `platform` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`principal.asset.platform_software.platform_version`	`device.system_product_name`	`principal.asset.hardware.model`
`target.process.file.names`	`filename`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filename` log field is mapped to the `target.file.names` UDM field. Else, `filename` log field is mapped to the `target.process.file.names` UDM field.
`target.file.full_path`	`filepath`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `filepath` log field is mapped to the `target.file.full_path` UDM field. Else, `filepath` log field is mapped to the `target.process.file.full_path` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `macros.ioc_description` log field value is not empty then, `macros.ioc_description` log field is mapped to the `target.file.full_path` UDM field and the `security_result.detection_fields.key` UDM field is set to `filepath` and `filepath` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process_ancestors.command_line`	`grandparent_details.cmdline`	`target.process.parent_process.parent_process.command_line`
`target.process_ancestors.file.names`	`grandparent_details.filename`	`target.process.parent_process.parent_process.file.names`
`target.process_ancestors.file.full_path`	`grandparent_details.filepath`	`target.process.parent_process.parent_process.file.full_path`
`target.process_ancestors.file.md5`	`grandparent_details.md5`	`target.process.parent_process.parent_process.file.md5`
`target.process_ancestors.product_specific_process_id`	`grandparent_details.process_graph_id`	If the `grandparent_details.process_graph_id` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id}` log field is mapped to the `target.process.parent_process.parent_process.product_specific_process_id` UDM field.
`target.process_ancestors.pid`	`grandparent_details.process_id`	`target.process.parent_process.parent_process.pid`
`target.process_ancestors.file.sha256`	`grandparent_details.sha256`	`target.process.parent_process.parent_process.file.sha256`
`security_result.detection_fields[ioc_description]`	`ioc_context.ioc_description`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_description` and `ioc_context.ioc_description` log field is mapped to the `security_result.detection_fields.value` UDM field.
`security_result.detection_fields[ioc_source]`	`ioc_context.ioc_source`	Iterate through log field `ioc_context`, then the `security_result.detection_fields.key` UDM field is set to `ioc_context_ioc_source` and `ioc_context.ioc_source` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.process.file.md5`	`md5`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `md5` log field is mapped to the `target.file.md5` UDM field. Else, `md5` log field is mapped to the `target.process.file.md5` UDM field.
`target.process.file.sha1`	`sha1`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha1` log field is mapped to the `target.file.sha1` UDM field. Else, `sha1` log field is mapped to the `target.process.file.sha1` UDM field.
`target.file.sha256`	`sha256`	If the `technique_name` log field value contain one of the following values `Archive via Library` `Ingress Tool Transfer` `Remote File Copy` `File Transfer Protocols` `Credentials from Web Browsers` `Credentials In Files` `Proc Filesystem` `Unsecured Credentials` `File Deletion` `Obfuscated Files or Information` `Compile After Delivery` `Compiled HTML File` `Deobfuscate/Decode Files or Information` `Double File Extension` `File and Directory Permissions Modification` `File System Logical Offsets` `Hidden Files and Directories` `Install Root Certificate` `Archive Collected Data` `Archive via Custom Method` `Archive via Utility` `Linux and Mac File and Directory Permissions Modification` `MMC` `NTFS File Attributes` `PubPrn` `Resource Forking` `Rundll32` `Scripting` `Space after Filename` `System Script Proxy Execution` `XSL Script Processing` `Intelligence Indicator - Hash` `Known Hash` `Malicious File` `File and Directory Discovery` `AppleScript` `Command and Scripting Interpreter` `JavaScript` `JavaScript/JScript` `Malicious Image` `PowerShell` `Python` `Service Execution` `Unix Shell` `User Execution` `Data Destruction` `Spearphishing Attachment` `.bash_profile and .bashrc` `Change Default File Association` `Ccache Files` `Chat Messages` `Multi-Factor Authentication` `TCC Manipulation` `Application Versioning` `Fileless Storage` `Embedded Payloads` `File/Path Exclusions` `Encrypted/Encoded File` `Match Legitimate Resource Name or Location` `Masquerade File Type` `Stripped Payloads` `Clear Network Connection History and Configurations` `Disable or Modify Linux Audit System` `Junk Code Insertion` `Extended Attributes` `SVG Smuggling` `Indicator Removal` `LNK Icon Smuggling` `Polymorphic Code` `Relocate Malware` `Clear Persistence` `Compression` `Compromise Host Software Binary` `Conceal Multimedia Files` `Browser Information Discovery` `Taint Shared Content` `Shared Webroot` then, `sha256` log field is mapped to the `target.file.sha256` UDM field. Else, `sha256` log field is mapped to the `target.process.file.sha256` UDM field. If the `product` log field value is equal to `epp` and the `type` log field value is equal to `ofp` and if the `ioc_type` log field value is equal to `hash_sha256` and the `macros.ioc_value` log field value is not empty then, `macros.ioc_value` log field is mapped to the `target.file.sha256` UDM field and the `security_result.detection_fields.key` UDM field is set to `sha256` and `sha256` log field is mapped to the `security_result.detection_fields.value` UDM field.
`target.asset.platform_software.platform`	`operating_system`	If the `operating_system` log field value matches the regular expression pattern `(?i)Windows` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)linux` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)ios` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, if `operating_system` log field value matches the regular expression pattern `(?i)mac` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`.
`security_result.detection_fields[agent_version]`	`agent_version`	`principal.asset.attribute.labels[agent_version]`
`about.email`	`enrollment_email`	`principal.user.email_addresses`
`principal.asset.type`		If the `mdm_device_id` log field value is not empty or the `mobile_hardware` log field value is not empty or the `mobile_manufacturer` log field value is not empty or the `mobile_serial` log field value is not empty then, the `principal.asset.type` UDM field is set to `MOBILE`.
`security_result.detection_fields[detection_context_user_is_admin]`	`detection_context.user_is_admin`	`security_result.about.user.attribute.label[detection_context_user_is_admin]`
`security_result.detection_fields[detection_context_user_sid]`	`detection_context.user_sid`	`security_result.about.user.attribute.label[detection_context_user_sid]`
`principal.asset.attribute.labels[pod_id]`	`device.pod_id`	`principal.resource.product_object_id`
`principal.asset.attribute.labels[pod_labels]`	`device.pod_labels`	`principal.resource.attribute.labels[pod_labels]`
`principal.asset.attribute.labels[pod_name]`	`device.pod_name`	`principal.resource.name`
`principal.asset.attribute.labels[pod_namespace]`	`device.pod_namespace`	`principal.resource.attribute.labels[pod_namespace]`
`principal.asset.attribute.labels[pod_service_account_name]`	`device.pod_service_account_name`	`principal.resource.attribute.labels[pod_service_account_name]`

支援的 CrowdStrike 記錄格式

CrowdStrike 剖析器支援 JSON 格式的記錄。

還有其他問題嗎？向社群成員和 Google SecOps 專業人員尋求答案。